by SC Media – 14 November 2018
You might have already heard of Magecart, the e-commerce payment card-skimming threat. It has recently targeted Ticketmaster, British Airways, and Newegg. Now the next victim in line is the InfoWars online store: this time the malware was disclosed by the Dutch researcher Willem De Groot. InfoWars is operated by the radio show host Alex Jones, who told ZDNet about the incident and said that 1,600 of his customers were affected. According to ZDNet, the card skimmer was a generic Magecart variant hidden in the site’s Google Analytics code. It was active for some 24 hours starting on November 11. The affected customers were informed soon afterwards about the possible compromise of their payment card data.
by The Verge – 17 November 2018
Some Instagram users have been notified about a probable exposure of their data. The incident was caused by a security bug. Officials of the social network commented that the exposure was “discovered internally and affected a very small number of people.” The bug was probably a result of a feature the company introduced in April that allowed users to download their data. Users of the new feature had their passwords included in a URL in their web browsers; the passwords were also stored on the servers of Facebook, Instagram’s parent company. A security researcher commented that such an incident was only possible if Instagram stored its passwords in plain text, which would be a serious security issue for the company. Instagram officials denied this, claiming that the network hashes and salts its stored passwords.
Facebook disclosed a vulnerability
by The Hacker News – 13 November 2018
Facebook, mentioned above, could also have suffered from a bug in its own system. A reported vulnerability could give attackers access to personal data of its users, meaning that their information was potentially put at risk. The vulnerability was discovered by cybersecurity researchers from Imperva and resided in the way the Facebook search feature displayed results for entered queries. The search results page includes iFrame elements associated with each result, and the endpoint URLs of those iFrames had no protection mechanisms against cross-site request forgery (CSRF) attacks. It is worth mentioning that the newly reported vulnerability has already been patched. It also turned out that the vulnerability is not that difficult to exploit: the attacker just needs to trick users into visiting a malicious site in their web browser while logged in to their Facebook accounts.
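The weakness described above is that an endpoint trusted the session cookie alone, which the browser attaches even when a third-party page embeds that endpoint in an iframe. The following is an added illustration written for this digest, not code from Facebook, Imperva or the article: a minimal in-memory model of a search endpoint in its vulnerable form beside a hardened form that requires a per-session anti-CSRF token and rejects requests whose `Sec-Fetch-Site` header marks them as cross-site. The site name, session store and request shape are all assumed for the demo.

```python
import secrets
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical in-memory session store for the demo (not any real site's code).
SESSIONS: Dict[str, "Session"] = {}


@dataclass
class Session:
    user: str
    # Per-session anti-CSRF token; a page on another origin can never read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    path: str
    cookies: dict   # the browser attaches these on any request, cross-site or not
    params: dict    # query parameters chosen by whichever page built the URL
    headers: dict   # Sec-Fetch-Site is set by the browser, not by page script


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will carry."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def session_for(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get("sid", ""))


def search_unprotected(req: Request) -> Tuple[int, str]:
    """Vulnerable form: the session cookie is the only check, so an iframe on an
    attacker's page loads the victim's results with the victim's credentials."""
    sess = session_for(req)
    if sess is None:
        return 401, "not logged in"
    return 200, f"results for {sess.user}: q={req.params.get('q', '')}"


def search_protected(req: Request) -> Tuple[int, str]:
    """Hardened form: refuse browser-flagged cross-site loads, then require the
    session's CSRF token, which only a same-origin page can know."""
    sess = session_for(req)
    if sess is None:
        return 401, "not logged in"
    # Modern browsers send Sec-Fetch-Site; if present it must be same-origin.
    # Older browsers omit it, so the token check below is still mandatory.
    fetch_site = req.headers.get("Sec-Fetch-Site")
    if fetch_site is not None and fetch_site != "same-origin":
        return 403, "cross-site request rejected"
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, f"results for {sess.user}: q={req.params.get('q', '')}"


def simulate() -> Dict[str, int]:
    """Replay the scenario: a logged-in victim's browser loads the endpoint from
    an attacker-controlled page, then from the legitimate site. Returns the
    HTTP status each handler produces (constructed demo data)."""
    sid = login("victim")
    cookies = {"sid": sid}
    cross_site = Request("/search", cookies, {"q": "secret"},
                         {"Sec-Fetch-Site": "cross-site"})
    legit = Request("/search", cookies,
                    {"q": "secret", "csrf_token": SESSIONS[sid].csrf_token},
                    {"Sec-Fetch-Site": "same-origin"})
    return {
        "unprotected_cross_site": search_unprotected(cross_site)[0],
        "protected_cross_site": search_protected(cross_site)[0],
        "protected_legit": search_protected(legit)[0],
    }


if __name__ == "__main__":
    print(simulate())
```

The token check is the load-bearing control: `Sec-Fetch-Site` is a useful first filter but is absent in older browsers, so the handler only rejects on it when it is present and never relies on it alone. Serving the embedded endpoints with `SameSite` cookies and an `X-Frame-Options`/`frame-ancestors` policy would add further layers on a real site.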
Another accidental leakage
by SC Media – 14 November 2018
Unfortunately, these were not the only recent accidental leaks. A misconfigured MongoDB database exposed the data of thousands of Kars4Kids donors and customers to the public. 21,612 records containing emails and personal information were found open to the public by Bob Diachenko, HackenProof’s director of cyber risk research. The exposed data also gave access to information on the vacation vouchers provided to people who had donated their vehicles, and to receipts containing details such as emails, home addresses, and phone numbers. But this was not the only trouble: the researcher also found evidence of a ransom note. “We cannot confirm or deny that cybercriminals have downloaded the entire Kars4Kids’ database, but the ransom note provides reasonable suspicion that it is a possibility. It is unclear how long the data was exposed or how many others gained access to it before the notification was sent and ultimately secured,” commented the researcher.