Tag Archive for: Bug

Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows


Jan 15, 2024 | Newsroom | Vulnerability / Browser Security

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

“This is achieved through a controlled browser extension, effectively bypassing the browser’s sandbox and the entire browser process,” the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser’s security boundaries.


It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called “Opera Touch Background,” which is responsible for communicating with its mobile counterpart.

This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property known as externally_connectable that declares which other web pages and extensions can connect to it.


In the case of Opera, the domains that can talk to the extension should match the patterns “*.flow.opera.com” and “.flow.op-test.net” – both controlled by the browser vendor itself.

“This exposes the messaging API to any page that matches the URL patterns you specify,” Google notes in its documentation. “The URL pattern must contain at least a second-level domain.”

Guardio Labs said it was able to unearth a “long-forgotten” version of the My Flow landing page hosted on the domain “web.flow.opera.com” using the urlscan.io website scanner tool.
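A wildcard entry in externally_connectable extends the extension's messaging API to every host under that domain, including pages the vendor no longer maintains. The audit below is an added example, not code from Opera or Guardio Labs; it uses a simplified match-pattern check, and the manifest wrapper and every listed page except web.flow.opera.com are constructed for illustration.

```javascript
// Constructed manifest fragment. The host pattern is the first one quoted in
// the article; the "*://" scheme and "/*" path around it are assumptions.
const manifest = {
  externally_connectable: { matches: ["*://*.flow.opera.com/*"] },
};

// Constructed inventory of pages; only web.flow.opera.com is named in the article.
const observedPages = [
  "https://web.flow.opera.com/",
  "https://flow.opera.com/",
  "https://www.opera.com/",
  "https://flow.opera.com.example.net/",
];

// Simplified match-pattern check (<scheme>://<host><path>), http/https only.
function matchesPattern(pattern, urlString) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) return false; // unparseable pattern grants nothing
  const [, scheme, host, path] = m;
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);
  if (urlScheme !== "http" && urlScheme !== "https") return false;
  if (scheme !== "*" && scheme !== urlScheme) return false;
  if (host.startsWith("*.")) {
    // "*.example.com" covers example.com itself and every subdomain below it.
    const base = host.slice(2);
    if (url.hostname !== base && !url.hostname.endsWith("." + base)) return false;
  } else if (host !== "*" && url.hostname !== host) {
    return false;
  }
  const escaped = path.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$").test(url.pathname + url.search);
}

// Every page returned here is allowed to open a message channel to the extension.
function allowedSenders(manifestObj, pages) {
  const patterns = (manifestObj.externally_connectable || {}).matches || [];
  return pages.filter((p) => patterns.some((pat) => matchesPattern(pat, p)));
}

console.log(allowedSenders(manifest, observedPages));
```

Running the same check against a real inventory of a domain's hosts shows which pages must be kept patched or retired for as long as the wildcard entry stays in the manifest.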


“The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it…


Atomic Wallet Offers $1 Million Bug Bounty Amid Security Lawsuit



Amid an ongoing class-action lawsuit related to a $100-million hack in June, the developer of Atomic Wallet has launched a $1-million bug bounty program aimed at identifying security flaws in its wallet software.

In an announcement on December 18, the development team invited ethical hackers and security experts globally to scrutinize the open-source code for potential vulnerabilities.

White hat hackers who discover the most severe vulnerabilities, defined as those allowing an over-the-internet attack without physical access, installed malware, or social engineering, stand to earn $100,000 under the program.

The bug bounty program is designed to enhance the security of the wallet and minimize the risk of future cyber threats.

The bounty program also offers compensation ranging from $500 to $10,000 for hackers who identify bugs or flaws not meeting the criteria of the most serious vulnerabilities.

The reward depends on the severity of the vulnerability, with $5,000 allocated for a “high-risk” discovery and $10,000 for a “critical-risk” one.

The total bounty pool for all discoveries is set at $1 million.

Harnessing the ‘expertise of the global community’


Konstantin Gladych, founder of Atomic Wallet, expressed confidence in the bug bounty program’s ability to harness global expertise and creativity to bolster cybersecurity.

“Recent events in the blockchain industry have once again reminded us that cybersecurity is a dynamic field, and the best way to stay ahead is by harnessing the creativity and expertise of the global community,” he said.

$100 million hacking incident


Atomic Wallet in June this year suffered a $100 million hacking incident.

About 5,500 users of the non-custodial cryptocurrency wallet were affected by the hack, which has been linked to the North Korean Lazarus Group.

Two months later, the incident led victims to launch a class action lawsuit against Atomic Wallet for compensation.

According to reports at the time, the claims rest on the company’s inaction to share proper information about…


Ubiquiti fixes massive bug that allowed users to view others’ security cameras


In context: Internet of Things (IoT) devices have often been scrutinized for being prone to security vulnerabilities. Many reports have detailed how smart cameras, doorbells, etc., are relatively easy to hack. It seems things haven’t changed much in the last several years.

A new development now puts the spotlight squarely on networking device manufacturer Ubiquiti after the company admitted that a misconfiguration with its cloud infrastructure allowed some of its customers to watch footage from strangers’ security cameras.

The admission came days after some Ubiquiti customers reported seeing images and videos from other people’s cameras through the company’s Unifi Protect cloud app. One of the first people to report the bug was a Redditor claiming his wife received a notification, which included an image from a security camera that didn’t belong to them.

Another Redditor reported something even more alarming. The poster claimed to have navigated to the official Unifi device manager portal and logged into someone else’s account despite entering their own Unifi credentials. The user claimed to have seen footage from another customer’s UDM Pro and said they could navigate the device and view or change settings.

A Ubiquiti customer on the company’s forum claimed to have accessed “88 consoles from another account” when logging into the Unifi portal. The user had full access to these devices until refreshing their browser. After that, the client returned to normal, with only owned devices showing.

After a massive outcry from customers, Ubiquiti fixed the bug. Last week, Ubiquiti released a statement admitting that in “a small number of instances,” users either received notifications from unknown consoles or accessed consoles that didn’t belong to them.

The company claims the problem happened due to an upgrade to Ubiquiti’s UniFi Cloud infrastructure, which it has since resolved. So, customers should no longer worry about other users accessing their cameras and UniFi accounts. While the company claimed the bungle affected 1,216 accounts in one group and 1,177 in another, supposedly fewer than a dozen instances of improper access occurred. It added that it would notify those customers about…

Google 0-day browser bug under attack, patch available


Google patched a zero-day bug being exploited in the wild that is tied to its Chrome browser and ChromeOS software. The flaw allows an attacker who is able to compromise the browser’s rendering process to bypass sandbox security measures and execute remote code or access sensitive data.

Tracked as CVE-2023-6345 and rated by Google as a high priority fix, the vulnerability is an integer overflow bug in Chrome’s open source 2D graphics library called Skia. Google is withholding technical details of the vulnerability until fixes have been rolled out to a majority of users and vendors who use the Chromium browser engine in their products.

The patch, which impacts versions of Chrome prior to 119.0.6045.199, is one of seven security updates the company released on Tuesday.

“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the Google security bulletin stated.

The Skia flaw is an integer overflow that opens unpatched software to a “remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file.”

An attack that involves exploiting a sandbox escape allows an adversary to “break out of a secure or quarantined environment (sandbox)… An attacker could use a sandbox escape to execute malicious code on the host system, access sensitive data, or cause other types of harm,” according to a NordVPN description.

Part of Google’s security bulletin also included patches for high-severity bugs including:

The announcement is the latest zero-day bug to affect the popular web browser from Google this year. 

The company patched another zero-day, CVE-2023-5217, in September that was described as a heap buffer overflow in vp8 encoding in the libvpx free codec library that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
