All posts in “hacking”

Facebook says there’s no evidence ‘so far’ that hackers accessed third-party apps

Facebook's initial investigation hasn't turned up any evidence that hackers got into third-party apps — yet.

Image: brittany herbert / mashable

Less than a week after revealing that 50 million Facebook users may have had their accounts compromised by hackers, the company is trying to allay concerns that the massive hack could get even worse. 

The worry — which has been raised by a number of security professionals in recent days — is that hackers who were able to get into users’ Facebook accounts would also have been able to get into any account that uses Facebook Login.

Think about that for a second: Thousands of apps use Facebook Login, including many containing sensitive personal and financial information, like Tinder, Uber, Venmo, and, yes, Instagram. If hackers were indeed able to access those accounts, it would make an already massive hack exponentially worse.

The good news for now: Facebook says it hasn’t uncovered any evidence “so far” that hackers accessed third-party apps. 

“We have now analyzed our logs for all third-party apps installed or logged during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login,” Facebook’s VP of Product Management Guy Rosen wrote in a statement.

Of course, the key phrase there is “so far.” The investigation is still ongoing, and there’s always a chance things could change as the company learns more. 

In any case, the Facebook attack highlights just how serious the consequences could be. For years, the company has touted Facebook Login as an invaluable tool for developers and users alike. Now, developers are scrambling to figure out if their users were impacted by the hack.

Rosen also said Facebook is, “out of an abundance of caution,” working on a new tool that will allow developers “to manually identify the users of their apps who may have been affected.” Just in case.


Facebook: 50 million accounts could have been hacked

A million hacked Facebook accounts isn’t cool. You know what’s even less cool? Fifty million hacked Facebook accounts.

A Friday morning press release from our connect-people-at-any-cost friends in Menlo Park detailed a potentially horrifying situation for the billions of people who use the social media service: Their accounts might have been hacked. Well, at least 50 million of them might have been. 

The so-called “security update” is light on specifics, but what it does include is extremely troubling. 

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” reads the statement. “[It’s] clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”

That’s right, almost 50 million accounts were vulnerable to this attack. As for how many were actually exploited? Well, Facebook isn’t sure. 

“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” continues the statement. “We also don’t know who’s behind these attacks or where they’re based.”

Facebook says it’s fixed the vulnerability, and that 90 million people may suddenly find themselves logged out of their accounts or various Facebook apps as a result.

So, yeah, this is big. 

Facebook is working with law enforcement, and, at least for now, says you don’t need to change your password. But maybe go ahead and log out of your account, everywhere, just to be safe. 

“[If] anyone wants to take the precautionary action of logging out of Facebook, they should visit the ‘Security and Login‘ section in settings,” advises the warning. “It lists the places people are logged into Facebook with a one-click option to log out of them all.”

So yeah, click through that link and log out of your account on every service at once. After that, maybe think long and hard about whether it’s even worth logging back in. 


Cryptocurrency exchange claimed it was ‘practically impossible’ to hack. It was hacked.

Whoops.

Image: Ladislav Kubeš/getty

I guess we shouldn’t be all that surprised. But still, they did say it would be practically impossible. 

The Japan-based cryptocurrency exchange Zaif suffered a major hack last week. It issued a statement on Thursday stating that approximately $59 million worth of bitcoin, bitcoin cash, and MONAcoin had been stolen by unidentified criminals. This, obviously, is not good. What makes it perhaps worse is the company’s past insistence that it applied the “maximum effort” possible to keep its customers’ funds safe — and that hacking it would be “practically impossible.”

Like many exchanges, Zaif has a page on its website where it details the precautions taken to secure customer funds. With tens (or potentially hundreds) of millions of dollars worth of cryptocurrency at stake, it makes sense to let everyone know that you’re taking this security stuff seriously. 

Take, for example, the webpage titled “About the Zaif usage risk and security system.” It lays out six points “in order to ensure maximum safety and security.”

Under the third point, “Reinforcement of system infrastructure robustness,” we are given the following bit of reassurance. 

“We externally block the exchange system at multiple levels, and we are building a system security environment where hacking into the internal system is practically impossible. Therefore, all outside access to the database, etc. is impossible.”

According to a company statement detailing the hack, translated from the original Japanese (via Google translate), “it turned out that some of the deposits and withdrawal hot wallets were hacked by unauthorized access from the outside, and part of the virtual currency managed by us was illegally discharged to the outside.”

Hmm.

Now, the crypto that was stolen was reportedly in a so-called “hot wallet” — a wallet that is connected online which allows customers to withdraw or transfer funds immediately — and not a more secure cold wallet. Perhaps it was the company’s cold wallet that’s “practically impossible” to hack?

This Zaif debacle is just another in a long line of breached exchanges. The most notable, the 2014 Mt. Gox hack, resulted in the theft of around 850,000 bitcoins. In January of this year, another Japan-based exchange, Coincheck, was also hacked for roughly 500 million NEM — worth approximately $424 million at the time.

It’s almost as if it’s not practically impossible to hack an exchange at all. 


Password bypass flaw in Western Digital My Cloud drives puts data at risk

A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.

Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.

The exploit works because the drive’s web-based dashboard doesn’t properly check a user’s credentials before giving a possible attacker access to tools that should require higher levels of access.

The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and it is remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter.

Details of the bug were also independently found by another security team, which released its own exploit code.

Vermeulen reported the bug over a year ago in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.

After he found that WD had updated the My Cloud firmware in the meantime without fixing the vulnerability he reported, he decided to post his findings.

A year later, WD still hasn’t released a patch.

The company confirmed that it knows of the vulnerability but did not say why it took more than a year to issue a fix. “We are in the process of finalizing a scheduled firmware update that will resolve the reported issue,” a spokesperson said, which will arrive “within a few weeks.”

WD said that several of its My Cloud products are vulnerable — including the EX2, EX4, and Mirror, but not My Cloud Home.

In the meantime, Vermeulen said that there’s no fix and that users have to “just disconnect” the drive altogether if they want to keep their data safe.

False alarm: DNC backtracks on voter database hacking attempt claim

Whoops! One day after reports broke about a hacking attempt targeting the Democratic National Committee’s voter database, the DNC is admitting the whole incident was a false alarm.

Reported yesterday by CNN, the DNC reached out to the FBI for assistance after cybersecurity firm Lookout warned party officials of an extremely convincing fake login page it had discovered, which appeared to be part of a spear phishing operation. Lookout also reached out to NGP VAN, the DNC’s voter database management company, and DigitalOcean, the web host that was hosting the fake site.

However, it turns out the alleged hacking attempt was just a test.

DNC chief security officer Bob Lord released a statement explaining the situation. “We, along with the partners who reported the site, now believe it was built by a third party as part of a simulated phishing test on VoteBuilder,” said Lord. He also pointed out where the confusion on the fake login site came from. “The test, which mimicked several attributes of actual attacks on the Democratic party’s voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors.”

It turns out that the Michigan Democratic Party had retained the services of a third party in order to run a phishing simulation. The Michigan Dems never sought authorization from the DNC to conduct such a test.

“In an abundance of caution, our digital partners ran tests that followed extensive training. Despite our misstep and the alarms that were set off, it’s most important that all of the security systems in place worked,” Michigan Democratic Party chair Brandon Dillon said in a released statement.

While the false alarm may be a slight embarrassment for the party, Dillon’s assessment of the actual security measures certainly seems legitimate.

In Mashable’s conversation with a Lookout spokesperson while reporting on the story yesterday, the cybersecurity firm pointed out how its AI detection system discovered a custom phishing kit on a domain meant to look like the VoteBuilder website, which is where the Democratic Party’s voter database login resides. The uniqueness of the phishing kit as well as how closely the site resembled the authentic login page are partially the reason the fake site was flagged.

Later in a blog post, the cybersecurity firm laid out its process for discovering the fake login page and shared the domain, verifyauth.com, the operation was hosted on. 

A look at the Whois information shows the domain was registered no more than 24 hours prior to Lookout’s discovery of the site.

The type of spear phishing campaign this unauthorized simulation attempted to mimic is similar to the real campaigns previously used to trick Democratic staffers into submitting their usernames and passwords, giving Russian hackers access to the DNC emails that were leaked during the 2016 election. Microsoft has reported on two separate incidents this summer where the company intervened to stop Russia-linked spear phishing attacks on U.S. political targets such as Congresspeople and think tanks.
