Facebook Collected Contacts from 1.5 Million Email Accounts Without Users' Permission


Not a week goes without a new Facebook blunder.

Remember the most recent revelation of Facebook being caught asking users new to the social network platform for their email account passwords to verify their identity?

At the time, it was suspected that Facebook might be using that access to users’ email accounts to secretly harvest a copy of their saved contacts without authorization.

Facebook has now admitted that the collection of email contacts did in fact happen.

In a statement released on Wednesday, Facebook said it had “unintentionally” uploaded the email contacts of up to 1.5 million new users to its servers since May 2016, without their consent or knowledge.

Those users had handed the passwords for their email accounts to Facebook as part of its dubious verification process, and Facebook used that access to pull their address books.

A Facebook spokesperson shared information with Business Insider that the company was using harvested data to “build Facebook’s web of social connections and recommend friends to add.”

The social media giant said the company had stopped this email verification process a month ago and has assured its users that it has not shared those contacts with anyone and that it has already started deleting them.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time,” Facebook says.

“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

This recently reported incident is the latest in a long list of privacy-related issues and controversies the tech giant is dealing with.

Just last month, Facebook was caught storing passwords of hundreds of millions of users in plaintext within its internal servers, which were accessible to some of its employees.

In October last year, Facebook also announced its worst-ever security breach that allowed hackers to successfully steal secret access tokens and access personal information from 29 million Facebook accounts.

The recent revelation once again underlines the failure of Facebook to protect its users’ information while generating billions of dollars in revenue from the same information.


Drupal Releases Core CMS Updates to Patch Several Vulnerabilities


Drupal, the popular open-source content management system, has released security updates to address multiple “moderately critical” vulnerabilities in Drupal Core that could allow remote attackers to compromise the security of hundreds of thousands of websites.

According to the advisories published today by the Drupal developers, all security vulnerabilities Drupal patched this month reside in third-party libraries that are included in Drupal 8.6, Drupal 8.5 or earlier and Drupal 7.

One of the security flaws is a cross-site scripting (XSS) vulnerability in jQuery, the most popular JavaScript library on the web, used by millions of websites and shipped as a third-party library inside Drupal Core.

Last week, the jQuery project released version 3.4.0 to patch the reported vulnerability, which has not yet been assigned a CVE number and affects all prior versions of the library.

“jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, …). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype,” the advisory explains.

“It’s possible that this vulnerability is exploitable with some Drupal modules.”
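The advisory text above describes a prototype pollution bug: a deep merge that walks into an attacker-supplied `__proto__` key ends up writing onto `Object.prototype`, so every object in the runtime inherits the attacker’s properties. The following is an added example, not jQuery’s or Drupal’s code: a stripped-down deep-merge that reproduces the pre-3.4.0 behaviour, the hardened form that skips `__proto__` (and only merges into own properties of the target), and a harness that runs both against a constructed JSON payload. The `isAdmin` property and the sample input are assumptions made for illustration.

```javascript
// Simplified re-implementation of the deep-merge semantics jQuery.extend(true, target, source)
// had before 3.4.0. This is NOT jQuery's source; it only reproduces the behaviour the
// advisory describes: an own enumerable "__proto__" key in the source walks into Object.prototype.
function unsafeDeepExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // For key === "__proto__", target[key] reads back Object.prototype, so the
      // recursion below writes the attacker's keys onto every object in the runtime.
      const existing = target[key];
      const nested = existing !== null && typeof existing === 'object' ? existing : {};
      target[key] = unsafeDeepExtend(nested, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: never merge into the prototype chain. Skipping "__proto__" is the
// jQuery 3.4.0 fix; restricting recursion to the target's OWN properties additionally
// blocks the "constructor.prototype" route, which would otherwise reach Object.prototype.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {           // own enumerable keys only
    if (key === '__proto__') continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const nested = existing !== null && typeof existing === 'object' ? existing : {};
      target[key] = safeDeepExtend(nested, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input (assumption: a module deep-extends a parsed JSON body).
// JSON.parse creates an OWN property literally named "__proto__" here, unlike an object literal.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}, "displayName": "guest"}';

// Run one merge implementation and report whether the global prototype got polluted.
function runMerge(extendFn) {
  const untrusted = JSON.parse(ATTACKER_JSON);
  const merged = extendFn({}, untrusted);
  const someUser = { name: 'alice' };                // unrelated object created afterwards
  const outcome = {
    mergedDisplayName: merged.displayName,
    globalPolluted: ({}).isAdmin === true,           // does a fresh {} inherit isAdmin?
    unrelatedUserLooksAdmin: someUser.isAdmin === true,
  };
  delete Object.prototype.isAdmin;                   // undo the pollution so the demo is repeatable
  return outcome;
}

console.log('unsafe:', runMerge(unsafeDeepExtend)); // globalPolluted: true
console.log('safe:  ', runMerge(safeDeepExtend));   // globalPolluted: false
```

The dangerous part is the recursion, not the assignment: a shallow copy of a `__proto__` key only changes the prototype of one object, while a deep merge mutates the shared `Object.prototype` that every later `if (user.isAdmin)` check reads through. Any Drupal module that deep-extends request-controlled JSON through the bundled jQuery is the “some Drupal modules” case the advisory hedges about.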

The other three vulnerabilities reside in Symfony PHP components used by Drupal Core and could lead to cross-site scripting (CVE-2019-10909), remote code execution (CVE-2019-10910) and authentication bypass (CVE-2019-1091).

Considering how quickly Drupal exploits tend to be weaponised, site administrators are strongly advised to install the latest update of the CMS as soon as possible:

  • If you are using Drupal 8.6, update to Drupal 8.6.15.
  • If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15.
  • If you are using Drupal 7, update to Drupal 7.66.

Almost two months ago, Drupal maintainers patched a critical RCE vulnerability in Drupal Core without releasing technical details, a flaw that could have allowed remote attackers to compromise websites running the CMS.

Despite that, proof-of-concept (PoC) exploit code for the vulnerability was published on the Internet just two days after the team rolled out the patched version.

And then, several individuals and groups of hackers started actively exploiting the flaw to install cryptocurrency miners on vulnerable Drupal websites that did not update their CMSes to the latest version.

Last year, attackers also targeted hundreds of thousands of Drupal websites in mass attacks using in-the-wild exploits for two separate critical remote code execution vulnerabilities, dubbed Drupalgeddon2 and Drupalgeddon3.

In those cases as well, the attacks started shortly after PoC exploit code for both vulnerabilities was published, followed by large-scale Internet scanning and exploitation attempts.

Long story short—Patch your websites before it gets too late.


Researcher Hijacks a Microsoft Service Using Loophole in Azure Cloud Platform


A cybersecurity professional today demonstrated a long-known unpatched weakness in Microsoft’s Azure cloud service by exploiting it to take control over Windows Live Tiles, one of the key features Microsoft built into Windows 8 operating system.

Introduced in Windows 8, the Live tiles feature was designed to display content and notifications on the Start screen, allowing users to continuously pull up-to-date information from their favorite apps and websites.

To make it easier for websites to offer their content as Live Tiles, Microsoft had a feature available on a subdomain of a separate domain, i.e., “notifications.buildmypinnedsite.com,” that allowed website admins to automatically convert their RSS feeds into a special XML format and use it as a meta tag on their websites.

The service, which Microsoft had already shut down, was hosted on its own Azure cloud platform, with the subdomain bound to an Azure account operated by the company.

However, now it turns out that even after disabling the RSS-to-XML converter service, the company forgot to delete nameserver entries, leaving the unclaimed subdomain still pointing to the Azure servers.

Hanno Böck, who discovered this issue, seized this opportunity to exploit the weakness and reclaimed the same subdomain using a newly created account on Azure.


That control over a Microsoft subdomain made it possible for him to push arbitrary content or notifications to the Windows Live Tiles of the various apps and websites still using meta tags generated by the disabled service.

“With an ordinary Azure account, we were able to register that subdomain and add the corresponding hostname. Thus we were able to control which content is served on that host,” Böck said.

“Web pages that contain these meta tags should remove them or if they want to keep the functionality, create the appropriate XML files themselves.”

This technique is known as “subdomain takeover,” an attack vector that stems from the way many online services let their users run web apps or blogs under a custom domain name.

For example, when you create an app on Azure and want to make it available on the Internet under a custom domain name, the platform asks you to point that domain’s DNS at Azure and then claim it from your account’s dashboard.

Since Microsoft Azure does not verify that the account claiming a domain actually owns it, any Azure user can claim any unclaimed or abandoned domain whose DNS records still point to the cloud service.
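The defensive check that follows from this is an inventory of your own zones: any CNAME or NS record that points at an Azure-hosted target which no longer resolves is a takeover candidate. Below is an added example, not Böck’s tooling or anything Microsoft publishes, that scans a list of records for that condition. The Azure suffix list is illustrative rather than an official inventory, the zone records and the resolver answers are constructed so the example runs offline, and the resolver is injected so it can be swapped for a real DNS lookup.

```javascript
// Illustrative list of DNS suffixes under which Azure hands out hostnames or
// name servers (assumption: not exhaustive, not an official Microsoft inventory).
const AZURE_SUFFIXES = [
  '.azurewebsites.net',      // App Service
  '.cloudapp.net',           // classic cloud services / VMs
  '.cloudapp.azure.com',     // VM public IP DNS labels
  '.trafficmanager.net',     // Traffic Manager profiles
  '.blob.core.windows.net',  // Storage accounts
  '.azure-dns.com', '.azure-dns.net', '.azure-dns.org', '.azure-dns.info', // Azure DNS name servers
];

function normalizeName(name) {
  return name.trim().toLowerCase().replace(/\.$/, '');   // drop trailing dot, case-fold
}

function pointsAtAzure(target) {
  return AZURE_SUFFIXES.some((suffix) => target.endsWith(suffix));
}

// records: [{ name, type, target }]. isServed(name) returns true when the name still
// answers: for a CNAME that is the Azure host itself, for an NS delegation it is the
// delegated zone. An NS delegation to Azure DNS whose zone nobody hosts is exactly the
// situation described above: anyone with an Azure account could create that zone.
function findDanglingAzureRecords(records, isServed) {
  const findings = [];
  for (const record of records) {
    if (record.type !== 'CNAME' && record.type !== 'NS') continue;
    const target = normalizeName(record.target);
    if (!pointsAtAzure(target)) continue;
    const name = normalizeName(record.name);
    const checked = record.type === 'CNAME' ? target : name;
    if (!isServed(checked)) {
      findings.push({ name, type: record.type, target });
    }
  }
  return findings;
}

// Constructed sample zone and constructed resolver answers (not real DNS data).
const SAMPLE_RECORDS = [
  { name: 'www.example.com.',           type: 'CNAME', target: 'shop-prod.azurewebsites.net.' },
  { name: 'notifications.example.com.', type: 'NS',    target: 'ns1-01.azure-dns.com.' },
  { name: 'old.example.com.',           type: 'CNAME', target: 'retired-app.cloudapp.net.' },
  { name: 'example.com.',               type: 'MX',    target: 'mail.example.com.' },
];
const SAMPLE_SERVED = new Set(['shop-prod.azurewebsites.net']); // only the live app still answers
function sampleIsServed(name) {
  return SAMPLE_SERVED.has(name);
}

console.log(findDanglingAzureRecords(SAMPLE_RECORDS, sampleIsServed));
// expected: notifications.example.com (NS) and old.example.com (CNAME) are flagged
```

For a real run, replace `sampleIsServed` with a lookup built on Node’s `dns.promises` module (for example `resolve4`/`resolveCname` for CNAME targets and `resolveNs` for delegated zones), treating an `ENOTFOUND`/NXDOMAIN answer as “not served”. The record to act on is the one in your zone: delete the dangling CNAME or NS, or re-create the Azure resource under an account you control, rather than relying on the provider to notice.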

“We have informed about this problem but have not received it yet,” Böck said. “Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks.”

Google’s Blogger service also had a similar issue, which the company patched a few years ago by making it mandatory for every blog owners to set a separate, unique TXT record for their custom domains in order to verify the claim.

Though it seems Microsoft has now secured its subdomain by removing the nameservers, The Hacker News reached out to Microsoft to learn if the company has any plans to fix the “subdomain takeover” issue in its Azure cloud service platform that could eventually affect other domain users as well.

We will update this report when we hear back.


Over 100 Million JustDial Users' Personal Data Found Exposed On the Internet


An unprotected database belonging to JustDial, India’s largest local search service, is leaking in real time the personally identifiable information of every customer who has accessed the service via its website, its mobile app, or even by calling its “88888 88888” customer care number, The Hacker News has learned and independently verified.

Founded over two decades ago, JustDial (JD) is the oldest and leading local search engine in India that allows users to find relevant nearby providers and vendors of various products and services quickly while helping businesses listed in JD to market their offerings.

Rajshekhar Rajaharia, an independent security researcher, yesterday contacted The Hacker News and shared details of how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone to view profile information of over 100 million users associated with their mobile numbers.

The leaked data includes JustDial users’ name, email, mobile number, address, gender, date of birth, photo, occupation, company name they are working with—basically whatever profile related information a customer ever provided to the company.

Though the unprotected APIs have existed since at least mid-2015, it is not clear whether anyone has misused them to gather personal information on JustDial users.

Justdial is Leaking Personal Details Of All Customers

After verifying the leaky endpoint, The Hacker News also wanted to verify if the API is fetching results directly from the production server or from a backup database that might not have information belonging to recently signed-up users.


To find this, I provided Rajshekhar a new phone number that had never before been registered with JustDial’s servers, which he confirmed was not listed in the database at that time.

Instead of installing and using the JD app or its website, I then simply called the customer care number and shared a random name and personal details with the executive to learn a few good restaurants in my city.

Immediately after completing the call, Rajshekhar sent me the profile details I had shared with the JD executive, associated with the same phone number that was previously not found in the database, indicating that the unprotected API is fetching real-time information about users.

Although the unprotected API is connected to the primary JD database, Rajshekhar revealed that it is an old API endpoint which is no longer used by the company but was left forgotten on the server.

Rajshekhar told The Hacker News that he discovered this unprotected end-point while pentesting the latest APIs in use, which are apparently protected and using authentication measures.

Besides this, Rajshekhar also found a few other old unprotected APIs, one of which could allow anyone to trigger an OTP request for any registered phone number. That is not a serious security issue in itself, but it could be used to spam users and run up SMS costs for the company.
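The two findings above, a forgotten profile-lookup endpoint keyed on phone number with no authentication, and an OTP endpoint anyone can fire at any number, are textbook broken authentication and missing rate limiting. The following is an added example, not JustDial’s code and not a description of their actual endpoints: a constructed in-memory profile store with the unauthenticated lookup beside a hardened version that requires a session and returns only the caller’s own record, plus an OTP handler throttled per destination number. Route shapes, tokens, phone numbers and limits are all assumptions made for illustration.

```javascript
// Constructed data: phone number -> profile, and session token -> authenticated phone number.
const PROFILES = new Map([
  ['+910000000001', { name: 'Asha', email: 'asha@example.com', city: 'Pune' }],
  ['+910000000002', { name: 'Ravi', email: 'ravi@example.com', city: 'Delhi' }],
]);
const SESSIONS = new Map([['tok-asha-1', '+910000000001']]);

// Vulnerable shape: the phone number is the only "credential". Anyone who can guess or
// enumerate numbers (Indian mobile numbers are ten digits) can pull every profile.
function lookupProfileUnauthenticated(query) {
  const profile = PROFILES.get(query.phone);
  return profile ? { status: 200, body: profile } : { status: 404, body: null };
}

// Hardened shape: a valid session is required, and the record returned is tied to the
// session, not to the client-supplied number (object-level authorization). A mismatched
// number gets 403 regardless of whether it exists, so the endpoint is not an enumeration oracle.
function lookupProfileAuthorized(query, headers) {
  const token = (headers.authorization || '').replace(/^Bearer\s+/i, '');
  const caller = SESSIONS.get(token);
  if (!caller) return { status: 401, body: null };
  if (query.phone !== caller) return { status: 403, body: null };
  const profile = PROFILES.get(caller);
  return profile ? { status: 200, body: profile } : { status: 404, body: null };
}

// OTP endpoint: throttle per destination number so an open endpoint cannot be used to
// spam a victim or burn SMS budget (constructed limits: 3 sends per 10-minute window).
const OTP_WINDOW_MS = 10 * 60 * 1000;
const OTP_MAX_PER_WINDOW = 3;
const otpSends = new Map(); // phone -> timestamps (ms) of recent sends

// `now` is injected (ms since epoch) so the window logic can be exercised deterministically.
// The client sees only `status`; `sent` is internal, so unknown numbers get the same 200
// as registered ones and the endpoint does not confirm who is registered.
function requestOtp(phone, now) {
  if (!PROFILES.has(phone)) return { status: 200, sent: false };
  const recent = (otpSends.get(phone) || []).filter((t) => now - t < OTP_WINDOW_MS);
  if (recent.length >= OTP_MAX_PER_WINDOW) return { status: 429, sent: false };
  recent.push(now);
  otpSends.set(phone, recent);
  return { status: 200, sent: true };
}

console.log('unauthenticated:', lookupProfileUnauthenticated({ phone: '+910000000002' }).status); // 200
console.log('no session:     ', lookupProfileAuthorized({ phone: '+910000000002' }, {}).status);  // 401
console.log('wrong owner:    ', lookupProfileAuthorized({ phone: '+910000000002' },
  { authorization: 'Bearer tok-asha-1' }).status);                                                 // 403
```

The inventory lesson from the article is the part no handler fixes: the protected “latest” APIs and the forgotten old one were served from the same backend, so an authorization review has to cover every route that can reach the production store, not just the ones the current app calls.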

Rajshekhar also claimed that he tried to contact the company to responsibly disclose his findings, but unfortunately failed to find any direct way to contact the company and report the incident.

The Hacker News has also sent an email detailing the incident to a few addresses linked to the company that we found on the Internet. We will update this report when we hear back.


Google Makes it Tough for Rogue App Developers Get Back on Android Play Store


Even though Google’s security oversight of its already-huge Android ecosystem has evolved over the years, malicious apps keep finding their way back into the Google Play Store.

Sometimes simply reposting an already detected malicious app from a newly created Play Store account, or through another developer’s existing account, is enough for bad-faith developers to get the Play Store to distribute unsafe apps to Android users.

Since the mobile device platform is growing rapidly, every new effort Google makes apparently comes with trade-offs.

For example, Google recently changed its Play Store policies and added new restrictions on Android APIs, so that every new app must now undergo a security testing and review process before it appears in the Google Play Store.

These efforts also include:

Unfortunately, many developers are unhappy with the process and with how manually reviewed cases have been handled: Google’s review team has produced false-positive malware and policy-violation detections and has failed to respond to developers in a timely manner about whether their apps meet policy requirements.

“When we began enforcing these new SMS and Call Log policies, many of you expressed frustration about the decision making process,” Sameer Samat, VP of Product Management, Android & Google Play says in a blog post.

Continuing its efforts over this ground, Google has now announced the company’s plan to adopt more detailed communication with developers, explaining why a decision was made, as well as offering improved and transparent evaluations and appeal process.

Google says the company is expanding its “team to help accelerate the appeals process.”

Besides this, Google also plans to spend more time reviewing apps from new developers before approving them to go live in the Google Play Store, in an effort to avoid erroneous decisions.

The review for an app from any new developer who doesn’t have a proven track record with the tech giant will now take “days, not weeks,” allowing the company to do “more thorough checks” before approving apps to publish over the Play Store.

“While the vast majority of developers on Android are well-meaning, some accounts are suspended for serious, repeated violation of policies that protect our shared users,” the company says in a post on the Android Developers Blog.

“While 99%+ of these suspension decisions are correct, we are also very sensitive to how impactful it can be if your account has been disabled in error.”

From now on, developers whose accounts were disabled in error can immediately appeal any enforcement action, and the appeal will be carefully reviewed by the Android team. If the team finds that an error was made, it will restore the account.
