Facebook

A Facebook Bug Exposed Anonymous Admins of Pages (wired.com)

An anonymous reader quotes a report from Wired: Facebook Pages give public figures, businesses, and other entities a presence on Facebook that isn't tied to an individual profile. The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can't see, for example, the names of the people who post to Facebook on WIRED's behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one. All software has flaws, and Facebook quickly pushed a fix for this one -- but not before word got around on message boards like 4chan, where people posted screenshots that doxed the accounts behind prominent pages. All it took to exploit the bug was opening a target page and checking the edit history of a post. Facebook mistakenly displayed the account or accounts that made edits to each post, rather than just the edits themselves.

Facebook says the bug was the result of a code update that it pushed Thursday evening. Facebook points out that no information beyond a name and public profile link was available, but that information isn't supposed to appear in the edit history at all. And for people, say, running anti-regime Pages under a repressive government, making even that much public is plenty alarming.

Mozilla

Mozilla Says a New Firefox Security Bug is Under Active Attack (techcrunch.com)

Mozilla has warned Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in "targeted attacks" against users. From a report: The vulnerability, reported by Chinese security company Qihoo 360, is in Firefox's just-in-time compiler, which speeds up JavaScript execution to make websites load faster. Researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer. In practical terms, that means an attacker can quietly break into a victim's computer by tricking the victim into accessing a website running malicious JavaScript code. But Qihoo did not say precisely how the bug was exploited, who the attackers were, or who was targeted.

Security

Starbucks Devs Leave API Key in GitHub Public Repo (bleepingcomputer.com)

"One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users," reports Bleeping Computer: Vulnerability hunter Vinoth Kumar reported the oversight on October 17 and close to three weeks later Starbucks responded that it demonstrated "significant information disclosure" and that it qualified for a bug bounty... Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key. Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems, and add or remove users with access to the internal systems.

Once Starbucks was content with the remediation steps taken, the company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. Most bounties from Starbucks are between $250 and $375. The company has resolved 834 reports since launching the bug bounty program in 2016; 369 of them were reported in the past three months, and Starbucks paid out $40,000 for those.
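The key in this story was sitting in a committed file, which is exactly what a pre-commit secret scan exists to catch. The Python below is an added example (mine, not Starbucks' or Bleeping Computer's code) that runs two detection rules over a small set of constructed files: a fixed-shape rule for AWS access key IDs, and a generic "secret-looking assignment" rule gated on Shannon entropy so that placeholders do not trip it. The sample file contents, the variable-name list and the 20-character minimum are assumptions for the example; the AWS key shown is Amazon's documented example key.

```python
import math
import re

# Constructed sample repository contents (not Starbucks' code): two files that leak a
# credential, one that only mentions the variable name, one with an obvious placeholder.
SAMPLE_FILES = {
    "config/prod.json": '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "us-east-1"}',
    "scripts/deploy.sh": 'export API_KEY="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934c"',
    "README.md": "Set API_KEY in your environment before running scripts/deploy.sh",
    "scripts/ci.sh": 'TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"',
}

# Rule 1: AWS access key IDs have a fixed, well-known shape (AKIA/ASIA + 16 chars).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Rule 2: an assignment to a secret-looking variable name whose value is a long token.
# The variable names and the 20-character minimum are assumptions for this example.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*[\"']?([A-Za-z0-9/+_\-]{20,})"
)


def shannon_entropy(s):
    """Bits of entropy per character; random keys score high, words and paths low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text, min_entropy=3.0):
    """Return one finding per suspicious line: (path, line number, rule name)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.append((path, lineno, "aws_access_key_id"))
        for m in SECRET_ASSIGNMENT.finditer(line):
            # Entropy gate drops values made of one repeated character or similar filler.
            if shannon_entropy(m.group(1)) >= min_entropy:
                findings.append((path, lineno, "secret_assignment"))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the staged files in a pre-commit hook."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Run against the constructed files it reports the JSON line and the deploy script and stays quiet on the README and the placeholder token. In a real hook the mapping would be built from `git diff --cached`, and a key that has already reached a public repository must be treated as burned and rotated regardless of how fast the commit is reverted.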

Education

How Should Students Respond To Their School's Surveillance Systems? (gizmodo.com.au)

Hundreds of thousands of American students are being tracked by their colleges to monitor attendance, analyze behavior and assess their mental health, the Washington Post reported this week. That article has now provoked some responses...

Jay Balan, chief security researcher at Bitdefender, told Gizmodo that the makers of the student-tracking apps should at least offer bug bounties and disclose their source code -- while rattling off easily foreseeable scenarios like the stalking of students. Gizmodo notes one app's privacy policy actually allows them to "collect or infer" students' approximate location -- even when students have turned off location tracking -- and allows third parties to "set and access their own tracking technologies on your devices."

And cypherpunk Lance R. Vick tweeted in response to the article, "If you are at one of these schools asking you to install apps on your phone to track you, hit me up for some totally hypothetical academic ideas..."

Gizmodo took him up on his offer -- and here's a bit of what he said: Students could reverse engineer the app to develop their own app beacon emulators to tell the tracking beacons that all students are present all the time. They could also perhaps deploy their own rogue tracking beacons to publish the anonymised attendance data for all students to show which teachers are the most boring as evidenced by lack of attendance. If one was hypothetically in an area without laws against harmful radio interference (like outside the U.S.) they could use one of many devices on the market to disrupt all Bluetooth communications in a target area so no one gets tracked... If nothing else, you could potentially just find a call in the API that takes a bit longer to come back than the rest. This tells you it takes some amount of processing on their side. What happens if you run that call a thousand times a second? Or only call it partway over and over again? This often brings poorly designed web services to a halt very quickly...

Assuming explorations on the endpoints like the phone app or beacon firmware fail you could still potentially learn useful information exploring the wireless traffic itself using popular SDR tools like a HackRF, Ubertooth, BladeRF. Here you potentially see how often they transmit, what lives in each packet, and how you might convert your own devices, perhaps a Raspberry Pi with a USB Bluetooth dongle, to be a beacon of your own.

Anyone doing this sort of thing should check their local and federal laws and approach it with caution. But these exact sorts of situations can, for some, be the start of a different type of education path -- a path into security research. Bypassing annoying digital restrictions at colleges was a part of how I got my start, so maybe a new generation can do similar. :)

Gizmodo calls his remarks "hypothetical hacking that you (a student with a bright future who doesn't want any trouble) should probably not do because you might be breaking the law."

But then how should students respond to their school's surveillance systems?

Transportation

Mazda3 Bug Activates Emergency Brake System For No Reason (engadget.com)

Mazda says "incorrect programming" in its Smart Braking System (SBS) can make fourth-generation Mazda 3 vehicles falsely detect an object in their path and automatically apply the brakes while driving. "The problem affects 35,390 2019 and 2020 model year cars in the U.S., but Mazda says it is not aware of any injuries or deaths as a result of the defect," reports Engadget. From the report: If the issue occurs, the driver will notice because their car has suddenly stopped, and also as an alarm sounds and a message is displayed on the in-car warning screen. Some Reddit posters report experiencing situations of the system activating while driving with nothing around, and note that while the system can be disabled, it appears to re-enable itself every time the car starts.

Autoblog reports that while some vehicles will simply need to have the system updated or reprogrammed, certain cars with early build dates might need to have their entire instrument cluster replaced or reprogrammed. It's a scary issue, but we've seen Mazda update its cars' software to deal with real-life bugs, and the newly-redesigned Mazda3 has already seen a recall to make sure its wheels don't fall off.

Bug

A Twitter App Bug Was Used To Match 17 Million Phone Numbers To User Accounts (techcrunch.com)

Security researcher Ibrahim Balic said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter's Android app. TechCrunch reports: Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter's contacts upload feature. "If you upload your phone number, it fetches user data in return," he told TechCrunch. He said Twitter's contact upload feature doesn't accept lists of phone numbers in sequential format -- likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)

Over a two-month period, Balic said, he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, but stopped after Twitter blocked the effort on December 20. Balic provided TechCrunch with a sample of the phone numbers he matched. Using the site's password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided. While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users -- including politicians and officials -- to a WhatsApp group in an effort to warn users directly.
A Twitter spokesperson told TechCrunch the company was working to "ensure this bug cannot be exploited again."

"Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter's APIs," the spokesperson said.
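The detail worth dwelling on is that Twitter already rejected sequential lists, and shuffling the same numbers was enough to get past that. An order-based check is the wrong abstraction: an address book and an enumeration differ in how densely they cover the numbering space, not in the order they arrive. The Python below is an added example (mine, not Twitter's abuse logic) that contrasts the naive sequential-upload check with an order-independent density check over constructed samples; the thresholds and the sample lists are assumptions.

```python
import random

# Constructed samples (not Twitter's data). A real address book is a few hundred numbers
# scattered across a country's numbering space; an enumeration is a dense block of
# consecutive numbers, uploaded either in order or shuffled to hide that fact.
_rng = random.Random(2019)
ADDRESS_BOOK = _rng.sample(range(12_000_000_000, 12_999_999_999), 500)
ENUMERATED_BLOCK = list(range(12_125_000_000, 12_125_002_000))   # 2,000 consecutive numbers
SHUFFLED_BLOCK = ENUMERATED_BLOCK[:]
_rng.shuffle(SHUFFLED_BLOCK)


def is_sequential_upload(numbers):
    """Order-based check: each number is the previous one plus one, in upload order.
    This is the kind of filter a shuffled list slips past."""
    return len(numbers) > 1 and all(b - a == 1 for a, b in zip(numbers, numbers[1:]))


def range_density(numbers):
    """Distinct numbers per unit of the numeric span they cover (order-independent)."""
    distinct = sorted(set(numbers))
    if len(distinct) < 2:
        return 0.0
    return len(distinct) / (distinct[-1] - distinct[0] + 1)


def looks_like_enumeration(numbers, max_contacts=5000, density_threshold=0.01):
    """Flag an upload that is too large for a phone's contacts, or that packs its
    numbers into a span far denser than any genuine address book. Both thresholds
    are assumptions for this example."""
    return len(numbers) > max_contacts or range_density(numbers) >= density_threshold


def classify(numbers):
    """Summary of both checks for one upload."""
    return {
        "sequential": is_sequential_upload(numbers),
        "density": range_density(numbers),
        "enumeration": looks_like_enumeration(numbers),
    }


if __name__ == "__main__":
    for label, sample in (("address book", ADDRESS_BOOK),
                          ("in-order block", ENUMERATED_BLOCK),
                          ("shuffled block", SHUFFLED_BLOCK)):
        print(label, classify(sample))
```

The shuffled block scores `sequential: False` but a density of 1.0, while the 500-entry address book lands near one number per two million, so the density rule separates them without caring about order. Per-upload density is only one signal; rate limits per account and per device across the two billion uploads Balic describes are the other half.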

Social Networks

Twitter Bans Animated PNG Files After Online Attackers Targeted Users With Epilepsy (theverge.com)

Twitter is banning animated PNG image files (APNGs) from its platform, after an attack on the Epilepsy Foundation's Twitter account sent out similar animated images that could potentially cause seizures in photosensitive people. The Verge reports: Twitter discovered a bug that allowed users to bypass its autoplay settings, and allow several animated images in a single tweet using the APNG file format. "We want everyone to have a safe experience on Twitter," the company says in a tweet from the Twitter Accessibility handle. "APNGs were fun, but they don't respect autoplay settings, so we're removing the ability to add them to Tweets. This is for the safety of people with sensitivity to motion and flashing imagery, including those with epilepsy."

Tweets with existing APNG images won't be deleted from the platform, but only GIFs will be able to animate images moving forward. According to Yahoo, Twitter has further clarified that APNG files were not used to target the Epilepsy Foundation, but the bug meant such files could have been used to do so in the future had Twitter not moved to squash it. The attacks on the Epilepsy Foundation's Twitter handle occurred last month -- National Epilepsy Awareness Month -- with trolls using its hashtags and Twitter handle to post animated images with strobing light effects. It's not clear how many people may have been affected by the attack, but the foundation said it's cooperating with law enforcement officials and has filed criminal complaints against accounts believed to have been involved.

The Internet

DNS Over HTTPS: Not As Private As Some Think? (sans.edu)

Long-time Slashdot reader UnderAttack writes: DNS over HTTPS has been hailed as part of a "poor man's VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol.

But there are some chinks in the armor. Current clients, and most current DoH services, do not implement the optional padding option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which sites a user may access.

The Internet Storm Center is offering some data to show how this can be done.

Their article is by Johannes B. Ullrich, Ph.D. and Dean of Research at the SANS Technology Institute.

It notes that Firefox "seems to be the most solid DoH implementation. Firefox DoH queries look like any other Firefox HTTP2 connection except for the packet size I observed." And an open Firefox bug already notes that "With the availability of encrypted DNS transports in Firefox traffic analysis mitigations like padding are becoming relevant."
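To make the padding point concrete, here is an added Python example (mine, not the Internet Storm Center's) that builds a DNS query in wire format with and without the EDNS(0) Padding option (option code 12, RFC 7830), padded to the 128-byte query block size that RFC 8467 recommends. Two hostnames of very different length produce messages of different size unpadded and identical size padded; since DoH carries this message as the HTTP body, the TLS record length then reveals only the block size. The hostnames are constructed.

```python
import struct

EDNS_PADDING = 12      # EDNS(0) option code for Padding (RFC 7830)
OPT_TYPE = 41          # OPT pseudo-RR type
QUERY_BLOCK = 128      # block size RFC 8467 recommends for padding queries


def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, pad_to=None):
    """Build a query for `name`; with pad_to set, append an OPT RR carrying a Padding
    option so the whole message is a multiple of pad_to bytes."""
    arcount = 1 if pad_to else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # QCLASS IN
    msg = header + question
    if not pad_to:
        return msg
    # OPT RR fixed part: root name (1) + TYPE (2) + UDP size (2) + ext-RCODE/flags (4) + RDLEN (2) = 11
    # Padding option header: OPTION-CODE (2) + OPTION-LENGTH (2) = 4
    unpadded = len(msg) + 11 + 4
    pad_len = (-unpadded) % pad_to
    option = struct.pack("!HH", EDNS_PADDING, pad_len) + b"\x00" * pad_len
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(option)) + option
    return msg + opt_rr


def padding_length(msg):
    """Parse the trailing OPT RR and return the Padding option's length, or None."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    if arcount == 0:
        return None
    # Skip the question: labels end at the first zero byte, then 4 bytes QTYPE/QCLASS.
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    pos += 1 + 4
    if msg[pos] != 0:              # OPT RR owner name must be the root
        return None
    rdlen = struct.unpack("!H", msg[pos + 9:pos + 11])[0]
    rdata = msg[pos + 11:pos + 11 + rdlen]
    while rdata:
        code, length = struct.unpack("!HH", rdata[:4])
        if code == EDNS_PADDING:
            return length
        rdata = rdata[4 + length:]
    return None


if __name__ == "__main__":
    for host in ("a.example", "averyveryverylongsubdomain.example.com"):
        plain = build_query(host)
        padded = build_query(host, pad_to=QUERY_BLOCK)
        print(f"{host}: {len(plain)} bytes unpadded, {len(padded)} bytes padded "
              f"(padding option {padding_length(padded)} bytes)")
```

A resolver that supports padding will pad its responses too (RFC 8467 suggests 468-byte blocks for those); if it does not, response sizes still leak, which is why the client and the service both have to implement the option before the length channel closes.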

Bug

Apple Opens Public Bug Bounty Program, Publishes Official Rules (zdnet.com)

Apple has formally opened its bug bounty program today to all security researchers, after announcing the move earlier this year in August at the Black Hat security conference in Las Vegas. From a report: Until today, Apple ran an invitation-based bug bounty program for selected security researchers only and was accepting only iOS security bugs. Starting today, the company will accept vulnerability reports for a much wider spectrum of products that also includes iPadOS, macOS, tvOS, watchOS, and iCloud. In addition, the company has also increased its maximum bug bounty reward from $200,000 to $1,500,000, depending on the exploit chain's complexity and severity.

Security

Npm Team Warns of New 'Binary Planting' Bug (zdnet.com)

The team behind npm, the biggest package manager for JavaScript libraries, issued a security alert yesterday, advising all users to update to the latest version (6.13.4) to prevent "binary planting" attacks. From a report: Npm (Node.js Package Manager) devs say the npm command-line interface (CLI) client is impacted by a security bug -- a combination of a path traversal and an arbitrary file (over)write issue. The bug can be exploited by attackers to plant malicious binaries or overwrite files on a user's computer. The vulnerability can be exploited only during the installation of a boobytrapped npm package via the npm CLI. "However, as we have seen in the past, this is not an insurmountable barrier," said the npm team, referring to past incidents where attackers planted backdoored or boobytrapped packages on the official npm repository. Npm devs say they've been scanning the npm portal for packages that may contain exploit code designed to exploit this bug, but have not seen any suspicious cases. "That does not guarantee that it hasn't been used, but it does mean that it isn't currently being used in published packages on the [official npm] registry," npm devs said.

Chrome
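The attack surface here is the `bin` map in package.json: the command names become file names in the install prefix's bin directory, and the targets are paths inside the package that get linked. Both halves need checking, the name for path separators and the target for escaping the package root, plus a refusal to clobber a command another package already owns. The Python below is an added example of those checks (mine, not npm's fix); the two manifests and the set of already-installed commands are constructed.

```python
import posixpath
import re

# Constructed package manifests (not real packages): the "bin" map names commands that
# the installer links into the prefix's bin directory and the file each should run.
GOOD_PACKAGE = {"name": "cli-tool", "bin": {"cli-tool": "./bin/cli.js"}}
PLANTED_PACKAGE = {
    "name": "totally-harmless",
    "bin": {
        "totally-harmless": "bin/index.js",
        "npm": "bin/index.js",                        # would replace an existing global command
        "../../.bashrc": "bin/index.js",              # command name carrying path traversal
        "helper": "../../../../usr/local/bin/node",   # target outside the package directory
        "win": "C:\\Windows\\System32\\cmd.exe",      # absolute Windows path as target
    },
}

# Commands already linked in the prefix, and which package owns each (assumed state).
EXISTING_BINS = {"npm": "npm", "npx": "npm"}


def validate_bin_map(package, existing_bins):
    """Return [(bin_name, reason)] for every entry an installer should refuse to link."""
    problems = []
    for bin_name, target in package.get("bin", {}).items():
        # The command name becomes a file name under <prefix>/bin: it must be a bare name.
        if bin_name in ("", ".", "..") or "/" in bin_name or "\\" in bin_name:
            problems.append((bin_name, "command name must be a bare file name"))
            continue
        # The target is resolved relative to the package root and must stay inside it.
        norm = posixpath.normpath(target.replace("\\", "/"))
        if (posixpath.isabs(norm) or re.match(r"^[A-Za-z]:", norm)
                or norm == ".." or norm.startswith("../")):
            problems.append((bin_name, f"target {target!r} escapes the package directory"))
            continue
        # Never silently replace a command that belongs to a different package.
        owner = existing_bins.get(bin_name)
        if owner is not None and owner != package["name"]:
            problems.append((bin_name, f"would overwrite {bin_name!r} owned by {owner!r}"))
    return problems


def safe_to_link(package, existing_bins):
    return not validate_bin_map(package, existing_bins)


if __name__ == "__main__":
    for pkg in (GOOD_PACKAGE, PLANTED_PACKAGE):
        print(pkg["name"], validate_bin_map(pkg, EXISTING_BINS) or "ok")
```

String checks are necessary but not sufficient: a target that is a symlink inside the tarball can still point outside the package once extracted, so an installer also has to resolve the target with `os.path.realpath` against the extracted directory before linking it.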

Google Halts Chrome 79 Rollout After It Breaks Some Android Apps (9to5google.com)

Chrome 79 is creating an issue with WebView (the Android component that allows apps to display content from the web), reports 9to5Google: On Friday morning, Android developers reliant on WebView and local storage began encountering an issue where their apps lost data after users updated to version 79 of WebView. Those affected took to Chromium's bug tracker, and have described the incident as a "catastrophe" and "major issue." To end users, it's as if apps were entirely reset and just downloaded for the first time. This includes saved data disappearing or being logged out. Given the level of system opacity, most will blame developers for a problem that's out of their hands.

By that afternoon, Google engineers responded and isolated the issue to "profile layout changes" where "local storage was missed off the list of files migrated." A member of the Chromium team apologized Saturday morning, with the Chrome/WebView rollout halted after 50% of devices already received the update. At the highest priority level (P0), Google is currently "working on a solution that minimizes the data loss, and that can be rolled out safely." The last guidance for a patch is 5-7 days.

Books

Do You Remember the Y2K Bug? (fastcompany.com)

harrymcc writes: In the late 1990s, lots of people were concerned that the Y2K bug could lead to power outages, financial collapse, riots, and worse when the clock rolled over to January 1, 2000. Hundreds of books about the problem and suggestions on how to respond (quit your job, move to the country, stockpile food) not only capitalized on this fear but helped to spread it.

Over at Fast Company, I marked the 20th anniversary of the "crisis" with a retrospective on the survival guides and what we can learn from them.

The article calls them "an eternally useful guide to how not to give people advice about technology and its role in their lives... They provided a brief layperson's guide to the origins of the problem, and then segued into nightmare scenarios."
They had scary titles like Time Bomb 2000 and The Millennium Meltdown. Their covers featured grim declarations such as "The illusion of social stability is about to be shattered... and nothing can stop it" and garish artwork of the earth aflame and bombs tumbling toward skylines. Inside, they told readers that the bug could lead to a decade or more of calamity, and advised them to stockpile food, cash, and (sometimes) weapons. There were hundreds of these books from publishers large and small, some produced by people who turned the topic into mini-media empires...

Spoiler alert: When January 1, 2000, rolled around, nothing terrible happened. By then, techies had spent years patching up creaky code so it could deal with 21st-century dates, and the billions invested in the effort paid off. Some problems did crop up, but even alarming-sounding ones -- such as glitches at nuclear power plants -- were minor and resolvable.

On December 31st, 1999, Roblimo posted a call for comments from Slashdot readers, writing "This thread ought to make an interesting chronicle of Y2K events -- or non-events, as the case may be."

But NBC had even filmed a made-for-TV Y2K disaster movie (which Jon Katz called "profoundly stupid and irresponsible.")

And one survivalist videotape even featured an ominous narration by Leonard Nimoy.

Chrome

Google Releases Chrome 79 With New Features Including an Option To Freeze Tabs and Back-Forward Caching (zdnet.com)

Google today released Chrome 79 for Windows, Mac, Linux, Chrome OS, Android, and iOS users. This release comes with security and bug fixes, but also with new features such as built-in support for the Password Checkup tool, real-time blacklisting of malicious sites via the Safe Browsing API, general availability of Predictive Phishing protections, a ban on loading HTTPS "mixed content," support for tab freezing, a new UI for the Chrome Sync profile section, and support for a back-forward caching mechanism. ZDNet has outlined each new feature in-depth.

Bug

The Most Copied StackOverflow Java Code Snippet Contains a Bug (zdnet.com)

The admission comes from the author of the snippet itself, Andreas Lundblad, a Java developer at Palantir, and one of the highest-ranked contributors to StackOverflow, a Q&A website for programming-related topics. From a report: An academic paper [PDF] published in 2018 identified a code snippet Lundblad posted on the site as the most copied Java code taken from StackOverflow and then re-used in open source projects. The code snippet was provided as an answer to a StackOverflow question posted in September 2010. The code snippet printed byte counts (123,456,789 bytes) in a human-readable format, like 123.5 MB. Academics found that this code had been copied and embedded in more than 6,000 GitHub Java projects, more than any other StackOverflow Java snippet. In a blog post published last week, Lundblad said that the code had a flaw as it incorrectly converted byte counts into human-readable formats. Lundblad said he revisited the code after learning of the academic paper and its results. He looked at the code again and published a corrected version on his blog.
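The page does not reproduce the snippet, so as an added illustration (mine, in Python rather than the original Java) the block below reconstructs the shape of that code, a log-based exponent followed by one-decimal formatting, beside a corrected version that divides step by step and carries into the next unit when rounding would otherwise display 1000.0. The boundary input used, 999,999 bytes rendering as "1000.0 kB" instead of "1.0 MB", is my assumption about the flaw, chosen because it is the failure that shape of code produces.

```python
import math


def human_readable_buggy(n, si=True):
    """Log-based exponent plus one-decimal formatting (assumed reconstruction of the
    widely copied shape, not the original Java). Fails just below each unit boundary:
    999,999 -> exponent 1 -> 999.999 -> formatted as "1000.0 kB"."""
    unit = 1000 if si else 1024
    if n < unit:
        return f"{n} B"
    exp = int(math.log(n) / math.log(unit))
    prefix = ("kMGTPE" if si else "KMGTPE")[exp - 1] + ("" if si else "i")
    return f"{n / unit ** exp:.1f} {prefix}B"


def human_readable_fixed(n, si=True):
    """Divide step by step and carry into the next unit whenever one-decimal rounding
    would display 1000.0 (or 1024.0). Works for negatives and arbitrarily large ints."""
    unit = 1000 if si else 1024
    magnitude = abs(n)
    if magnitude < unit:
        return f"{n} B"
    prefixes = "kMGTPE" if si else "KMGTPE"
    value = magnitude / unit
    idx = 0
    # A value that would round up to "1000.0" belongs in the next unit; stop carrying
    # once the largest prefix is reached so huge inputs still format.
    while value >= unit - 0.05 and idx < len(prefixes) - 1:
        value /= unit
        idx += 1
    sign = "-" if n < 0 else ""
    return f"{sign}{value:.1f} {prefixes[idx]}{'' if si else 'i'}B"


if __name__ == "__main__":
    for n in (512, 1500, 999_949, 999_999, 999_999_999, 10 ** 18):
        print(f"{n:>22,}  buggy={human_readable_buggy(n):>10}  fixed={human_readable_fixed(n):>10}")
```

Either function is fine for the inputs people test by hand; the copies in 6,000 projects are mostly showing file sizes, where the wrong label is cosmetic. The same pattern, floating-point log to pick a bucket and then format the remainder, turns up in quota and rate-limit code where a silent off-by-one-unit is not cosmetic at all.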

Bug

A Bug In Microsoft's Login System Put Users At Risk of Account Hijacks (techcrunch.com)

Microsoft has fixed a vulnerability in its login system that could have been used to trick unsuspecting victims into giving over complete access to their online accounts. TechCrunch reports: The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without requiring them to constantly re-enter their passwords. These tokens are created by an app or a website in place of a username and password after a user logs in. That keeps the user persistently logged into the site, but also allows users to access third-party apps and websites without having to directly hand over their passwords. Researchers at Israeli cybersecurity company CyberArk found that Microsoft left open an accidental loophole which, if exploited, could've been used to siphon off these account tokens used to access a victim's account -- potentially without ever alerting the user.

CyberArk's latest research, shared exclusively with TechCrunch, found dozens of unregistered subdomains connected to a handful of apps built by Microsoft. These in-house apps are highly trusted and, as such, associated subdomains can be used to generate access tokens automatically without requiring any explicit consent from the user. With the subdomains in hand, all an attacker would need is to trick an unsuspecting victim into clicking on a specially crafted link in an email or on a website, and the token can be stolen. [...] Luckily, the researchers registered as many of the subdomains as they could find from the vulnerable Microsoft apps to prevent any malicious misuse, but warned there could be more.
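The defensive counterpart to what CyberArk did by hand is an audit that walks every reply URL registered on a consent-free app and checks that its host still resolves to something the organization controls; a name that has lapsed, or a CNAME to a provider hostname nobody has claimed, is a token sink waiting for an owner. The Python below is an added example of that audit (mine, not CyberArk's tooling or Microsoft's code), with the app registrations and the resolver answers both constructed so it runs offline; in practice the answers would come from a real resolver such as dnspython.

```python
from urllib.parse import urlsplit

# Constructed app registrations (not Microsoft's). A first-party app whose token flow
# needs no user consent makes every host on its reply-URL list a place tokens can land.
APP_REGISTRATIONS = {
    "contoso-portal": [
        "https://portal.contoso.example/auth/callback",
        "https://old-preview.contoso.example/auth/callback",
        "https://legacy.contoso.example/auth/callback",
    ],
}

# Simulated resolver answers: ("ok", address) for a live host, ("nxdomain",) when the
# name no longer exists, ("cname", target) for an alias to another hostname.
DNS_ANSWERS = {
    "portal.contoso.example": ("ok", "203.0.113.10"),
    "old-preview.contoso.example": ("nxdomain",),
    "legacy.contoso.example": ("cname", "legacy-contoso.cloudapp.example"),
    "legacy-contoso.cloudapp.example": ("nxdomain",),   # provider name nobody has claimed
}


def host_of(url):
    return urlsplit(url).hostname


def classify_host(host, answers, max_hops=8):
    """Follow CNAMEs through the supplied answers and report whether the name ends at a
    live address ("live"), at a name that does not exist ("dangling"), or at something
    the resolver has no answer for ("unknown")."""
    for _ in range(max_hops):
        record = answers.get(host)
        if record is None:
            return "unknown"
        kind = record[0]
        if kind == "ok":
            return "live"
        if kind == "nxdomain":
            return "dangling"
        host = record[1]          # CNAME: keep resolving the target
    return "unknown"              # alias loop or chain too long: treat as suspect


def audit_reply_urls(registrations, answers):
    """List every reply URL whose host is not demonstrably under the org's control."""
    findings = []
    for app, urls in registrations.items():
        for url in urls:
            status = classify_host(host_of(url), answers)
            if status != "live":
                findings.append((app, url, status))
    return findings


if __name__ == "__main__":
    for app, url, status in audit_reply_urls(APP_REGISTRATIONS, DNS_ANSWERS):
        print(f"{app}: {url} -> {status}")
```

Both dangling entries come back flagged, one because the name is gone and one because its CNAME target is unclaimed, which is the classic subdomain-takeover shape. The fix is to remove the reply URL, not merely to re-register the name: a reply URL that no longer serves anything should not be on an app's allowlist at all.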

IOS

iOS Apps Could Really Benefit From the Newly Proposed Security.plist Standard (zdnet.com)

Security researcher Ivan Rodriguez has proposed a new security standard for iOS apps, which he named Security.plist. From a report: The idea is simple. App makers would create a property list file (plist) named security.plist that they would embed inside the root of their iOS apps. The file would contain all the basic contact details for reporting a security flaw to the app's creator. Security researchers analyzing an app would have an easy way to get in contact with the app's creators. Rodriguez said the idea for Security.plist came from Security.txt, a similar standard for websites, that was proposed in late 2017. Security.txt is currently going through an official standardization process at the Internet Engineering Task Force (IETF), but it has been widely adopted already, and companies like Google, GitHub, LinkedIn, and Facebook, all have a security.txt file hosted on their sites, so bug hunters can get in touch with their respective security teams. Rodriguez, who is an amateur bug hunter in iOS apps, said he decided to propose a similar thing for iOS apps because getting in touch with an app's dev or security team has been a problem in the past. "I spend most of my free time poking mobile applications which has led me to find many vulnerabilities and I have yet to find one that has an easy way to find the correct channel to responsibly disclose these issues," Rodriguez told ZDNet.

Facebook

NSO Employees Take Legal Action Against Facebook For Banning Their Accounts (vice.com)

On Tuesday, lawyers representing current and former employees of Israeli surveillance contractor NSO Group took legal action against Facebook to try and get their accounts reinstated after being banned by the social media giant. Motherboard reports: Last month, Facebook itself sued NSO in California for leveraging a vulnerability in the WhatsApp chat program that NSO Group clients used to hack targets. As part of that, Facebook also banned the personal Facebook and Instagram accounts of multiple current and former NSO employees. The new lawsuit argues that Facebook violated its own terms of service by blocking the NSO employees, and it used personal information they shared with Facebook in order to identify them, in violation of an Israeli privacy law. As relief, the lawyers ask the court to make Facebook lift the ban on the accounts. The lawsuit was first reported in Israeli media.

"It appears that Facebook used the [NSO employees'] personal data...in order to identify them as NSO employees (or former employees), in service of imposing 'collective punishment' on them, in the form of blocking their personal accounts," the lawsuit reads in Hebrew. The lawsuit argues that the personal data used to identify them as NSO employees belonged to the individuals, and not Facebook. The legal action says that the NSO employees were banned without warning even though they are "private people, who make private use of the social networks, whose only 'sin' was any association with NSO, as employees or former employees." The lawsuit includes a screenshot of an email Facebook allegedly sent to someone who had their account suspended.
Facebook told Motherboard in a statement on Tuesday, "In October we filed a legal complaint which attributed a sophisticated cyber attack to the NSO Group and its employees that was directed at WhatsApp and its users in violation of our terms of service and U.S. law. Such actions warranted disabling relevant accounts and continue to be necessary for security reasons, including preventing additional attacks."

Social Networks

Facebook and Twitter Users' Data Exposed Due To Third-Party SDK Bug (thurrott.com)

Facebook and Twitter announced on Monday that the companies were notified about malicious software development kits (SDKs) that allowed certain apps to collect users' data from the apps without their permission. Paul Thurrott reports: The main culprits here are One Audience and Mobiburn, developers of the malicious SDKs that apparently paid developers to use the SDKs and secretly collect users' data. Twitter noted that the issue isn't due to a vulnerability in its software. The breach was caused by "the lack of isolation between SDKs within an application," according to the company. The company also said that the malicious SDKs could allow apps to access personal information like your email, username, and your last tweet without your permission. "We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS," the company said. The two social networks said that they will notify the affected users about the breach.

Security

OnePlus Notifies Customers of Data Breach Impacting Users of Its Online Store

OnePlus has sent out an email informing recent OnePlus customers of a security issue. "This 'Security Notification' from OnePlus informs customers that an 'unauthorized party' was able to access order information from the company's online store," reports 9to5Google. "OnePlus says that payment information as well as account details were not accessed, but names, addresses, emails, and phone numbers 'may' have been exposed. The company says it will continue to investigate the matter, but obviously this is no small issue." From the report: Speaking to Droid-Life, OnePlus says that they took "immediate steps to stop the intruder and reinforce security," and that they are currently "working with the relevant authorities to further investigate this incident." OnePlus didn't explain what went wrong, but they are apparently working to start a bug bounty program by the end of this year.

This isn't the first time the company's store has fallen victim to a security issue like this. In early 2018, OnePlus customers found evidence of credit card fraud stemming from the Store that triggered OnePlus to shut down credit card payments temporarily. Just a day later, OnePlus' investigation into the matter revealed that 40,000 credit card numbers had been exposed.
OnePlus has a thread on its forums with more details about the breach.

Google

Google Will Pay Bug Hunters Up To $1.5M if They Can Hack Its Titan M Chip (zdnet.com)

Google announced today that it is willing to dish out bug bounty cash rewards of up to $1.5 million if security researchers find and report bugs in the Android operating system that can also compromise its new Titan M security chip. From a report: Launched last year, the Titan M chip is currently part of Google Pixel 3 and Pixel 4 devices. It's a separate chip that's included in both phones and is dedicated solely to processing sensitive data and processes, like Verified Boot, on-device disk encryption, lock screen protections, secure transactions, and more. Google says that if researchers manage to find "a full chain remote code execution exploit with persistence" that also compromises data protected by Titan M, they are willing to pay up to $1 million to the bug hunter who finds it. If the exploit chain works against a preview version of the Android OS, the reward can go up to $1.5 million.