
Salt Security uncovers security flaws within ChatGPT extensions that allowed access to third-party websites and sensitive data


PALO ALTO, Calif., March 13, 2024 /PRNewswire/ — Salt Security, the leading API security company, today released new threat research from Salt Labs highlighting critical security flaws within ChatGPT plugins, a new risk for enterprises. Plugins give AI chatbots like ChatGPT access and permissions to perform tasks on behalf of users within third-party websites, for example committing code to GitHub repositories or retrieving data from an organization’s Google Drive. These flaws introduce a new attack vector and could enable bad actors to:

  • Gain control of an organization’s account on third-party websites
  • Gain access to Personally Identifiable Information (PII) and other sensitive user data stored within third-party applications

ChatGPT plugins extend the model’s abilities, allowing the chatbot to interact with external services. The integration of these third-party plugins significantly enhances ChatGPT’s applicability across various domains, from software development and data management to educational and business environments. When organizations adopt such plugins, they give ChatGPT permission to send an organization’s sensitive data to a third-party website and to act on private external accounts. Notably, in November 2023, ChatGPT introduced a new feature, GPTs, a similar concept to plugins. GPTs are custom versions of ChatGPT that any developer can publish, and they include an option called “Action” which connects them to the outside world. GPTs pose security risks similar to those of plugins.

The Salt Labs team uncovered three different types of vulnerabilities within ChatGPT plugins.

The first was found within ChatGPT itself, in the flow used when users install new plugins. During this process, ChatGPT redirects the user to the plugin website to obtain a code, which the user then approves. When ChatGPT receives the approved code from the user, it automatically installs the plugin and can interact with that plugin on behalf of the user. Salt Labs researchers discovered that an attacker could abuse this function by delivering to users a code approval for a different, malicious plugin instead, enabling the attacker to install their credentials on a…
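The code-approval step described above is an OAuth-style authorization-code handoff, and the attack is a login-CSRF pattern: the callback accepts whatever code the browser brings back, so a code the attacker approved in their own flow can be planted into the victim’s session. The following is an added example, not Salt Labs’ proof of concept or any vendor’s code; the chatbot host “chat.example”, the plugin host “plugin.example”, the session model and the code table are all assumptions made for illustration. It shows a callback handler that installs any presented code beside one that binds the flow to the session with a single-use `state` value.

```python
"""Illustration of the plugin-install (OAuth-style) code handoff and the
login-CSRF weakness described in the research.  Added example with a
hypothetical chatbot ("chat.example") and plugin ("plugin.example"); not
Salt Labs' proof of concept and not any vendor's code."""
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class Session(dict):
    """Server-side session for one logged-in chatbot user (assumption)."""
    def __init__(self, user):
        super().__init__(user=user)


# Plugin-side accounts that an approved code redeems to (constructed data).
CODES = {"code-victim-7f3a": "victim@plugin.example",
         "code-attacker-91c0": "attacker@plugin.example"}


def start_install(session, redirect_uri="https://chat.example/plugin/callback"):
    """Begin an install: mint a one-time state bound to this session and
    build the URL the user is sent to on the plugin site."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return "https://plugin.example/authorize?" + urlencode(
        {"redirect_uri": redirect_uri, "state": state})


def vulnerable_callback(session, callback_url):
    """Installs whatever code the browser brings back.  A link carrying a
    code the attacker approved in *their* own flow links the attacker's
    plugin account to the victim's chatbot session."""
    params = parse_qs(urlparse(callback_url).query)
    code = params.get("code", [None])[0]
    if code not in CODES:
        return None
    session["linked_plugin_account"] = CODES[code]
    return session["linked_plugin_account"]


def hardened_callback(session, callback_url):
    """Accepts a code only if the echoed state matches the one minted for
    this session, and burns the state so it cannot be replayed."""
    params = parse_qs(urlparse(callback_url).query)
    code = params.get("code", [None])[0]
    echoed_state = params.get("state", [""])[0]
    expected_state = session.pop("oauth_state", None)  # single use
    if not expected_state or not hmac.compare_digest(echoed_state, expected_state):
        return None  # state missing or foreign: this session never started the flow
    if code not in CODES:
        return None
    session["linked_plugin_account"] = CODES[code]
    return session["linked_plugin_account"]


def simulate_attack(handler):
    """Attacker approves the plugin in their own flow, then sends the victim
    a link carrying the attacker's code.  Returns the plugin account linked
    to the victim's session, or None if the handler refused."""
    victim = Session("victim@chat.example")
    start_install(victim)  # victim has an install of their own in flight
    attacker = Session("attacker@chat.example")
    attacker_url = start_install(attacker)
    attacker_state = parse_qs(urlparse(attacker_url).query)["state"][0]
    # The plugin site redirects the attacker back with their own code; they
    # copy that callback link and get the victim to open it.
    poisoned = "https://chat.example/plugin/callback?" + urlencode(
        {"code": "code-attacker-91c0", "state": attacker_state})
    return handler(victim, poisoned)


def simulate_honest_install(handler):
    """Control case: the victim completes their own install end to end."""
    victim = Session("victim@chat.example")
    url = start_install(victim)
    state = parse_qs(urlparse(url).query)["state"][0]
    callback = "https://chat.example/plugin/callback?" + urlencode(
        {"code": "code-victim-7f3a", "state": state})
    return handler(victim, callback)
```

With the vulnerable handler, `simulate_attack` leaves the victim’s session linked to the attacker’s plugin account, so anything the victim later routes through that plugin lands where the attacker can read it; the hardened handler rejects the poisoned link because the state was not minted for the victim’s session, while the honest install succeeds under both handlers.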


Opera found a significant security flaw that could have allowed hackers to run any file they want – but it says everything is now fine


UPDATE: Opera has published a response to the reports, claiming that the flaw is no longer active and has been addressed.

“There is no evidence that the vulnerability was ever exploited, and Opera users’ security was never compromised as a result,” it said. “It’s also important to note that, as mentioned above, the vulnerability would require the installation of a malicious add-on in order to work. This would be very hard to accomplish on Opera, because we employ manual review in our add-ons store – another measure we take to protect users.”


Ubiquiti fixes massive bug that allowed users to view others’ security cameras


In context: Internet of Things (IoT) devices have often been scrutinized for being prone to security vulnerabilities. Many reports have detailed how smart cameras, doorbells, etc., are relatively easy to hack. It seems things haven’t changed much in the last several years.

A new development now puts the spotlight squarely on networking device manufacturer Ubiquiti after the company admitted that a misconfiguration with its cloud infrastructure allowed some of its customers to watch footage from strangers’ security cameras.

The admission came days after some Ubiquiti customers reported seeing images and videos from other people’s cameras through the company’s UniFi Protect cloud app. One of the first people to report the bug was a Redditor who said his wife received a notification that included an image from a security camera that didn’t belong to them.

Another Redditor reported something even more alarming. The poster claimed to have navigated to the official UniFi device manager portal and been logged into someone else’s account despite entering their own UniFi credentials. The user claimed to have seen footage from another customer’s UDM Pro and to have been able to navigate the device and view or change settings.

A Ubiquiti customer on the company’s forum claimed to have accessed “88 consoles from another account” when logging into the UniFi portal. The user had full access to these devices until refreshing their browser, after which the client returned to normal, showing only the devices they owned.

After a massive outcry from customers, Ubiquiti fixed the bug. Last week, Ubiquiti released a statement admitting that in “a small number of instances,” users either received notifications from unknown consoles or accessed consoles that didn’t belong to them.

The company says the problem was caused by an upgrade to Ubiquiti’s UniFi Cloud infrastructure, which it has since resolved, so customers should no longer have to worry about other users accessing their cameras and UniFi accounts. While the company said the bungle affected 1,216 accounts in one group and 1,177 in another, it reported that fewer than a dozen instances of improper access actually occurred. It added that it would notify those customers about…


US Department of Labor finds Salt Lake City restaurant supply company illegally employed 22 minor-aged workers beyond hours allowed


SALT LAKE CITY – A federal investigation has found that a Salt Lake City restaurant supply company allowed 22 employees, ages 14 and 15, to work as many as 46 hours per workweek and to begin work after midnight, both illegal practices under child labor laws.

Investigators with the U.S. Department of Labor’s Wage and Hour Division found that Specialty Consulting Services LLC, operating as Standard Restaurant Supply, violated the child labor work-hours standards of the Fair Labor Standards Act. The employer also failed to keep accurate time records, including the date of birth of one minor-aged employee, in violation of the FLSA’s recordkeeping provision.

The division assessed $16,595 in penalties to resolve the child labor violations.

The investigation follows a March 2022 announcement by the division’s Southwest Region reminding Salt Lake City-area employers of the importance of complying with federal child labor laws and of its stepped-up enforcement efforts.

“Minors as young as 14 and 15 years old not only worked beyond permitted hours, but more than half of them were employed in violation of the Fair Labor Standards Act by being allowed to work long shifts often exceeding eight hours,” explained Wage and Hour Division District Director Kevin Hunt in Salt Lake City. “Our investigators continue to see an increase in child labor violations in several industries. We will take vigorous action whenever we discover young workers’ safety and well-being are being jeopardized by employers who fail to follow the law.”

Federal labor law prohibits the employment of workers under the age of 14 in non-agricultural settings. 14- and 15-year-olds must work outside of school hours and cannot work:

  • More than 3 hours on a school day, including Friday.
  • More than 18 hours per week when school is in session.
  • More than 8 hours per day when school is not in session.
  • More than 40 hours per week when school is not in session.
  • Before 7 a.m. or after 7 p.m. on any day, except from June 1 through Labor Day, when nighttime work hours are extended to 9 p.m.

“We urge employers in the region to gain a full understanding of child labor regulations and ensure…
