Tag Archive for: bugs

Bugs in Lego Resale Site Allowed Hackers to Hijack Accounts


Security analysts have found bugs in Lego’s second-hand online marketplace that left its users at risk of account hijacking and data leakage.

In a blog post, Salt Labs said that the issues, now resolved, affected Lego-owned BrickLink.com, the world’s largest official marketplace for Lego bricks.

The security researchers said that two API security issues could have enabled an attacker to take over BrickLink accounts, and access and steal personally identifiable information stored on the site. The vulnerabilities could have also allowed attackers to gain access to internal production data and compromise internal servers, Bleeping Computer reports.

The BrickLink bugs were spotted when Salt Labs analysts were experimenting with user input fields on the marketplace site.

The first flaw noted by the researchers was a cross-site scripting (XSS) vulnerability in the “Find Username” dialog box of the coupon search section, which allowed the “injection and execution” of code that could target a victim’s machine.

The flaw, if exploited correctly, means attackers could have had access to personal details such as a targeted user’s email address, shipping address, order history, and message history, Salt Labs said.

Researchers also exploited a flaw on the “Upload to Wanted List” page where a faulty endpoint parsing mechanism allowed them to launch an attack that could read internal production data. 


The analysts said that they were unable to confirm or deny whether any of the vulnerabilities were exploited.

PCMag contacted Lego for comment on the BrickLink bugs but did not immediately receive a response.

The security analysts encourage any concerned Lego fans to contact the brand directly about the reported vulnerabilities.

In October, Lego decided to discontinue its Mindstorms range of programmable robots, after 24 years of production. It means the end of Lego’s $359.99 Mindstorms Robot Inventor Kit, which lets Lego-fans build five different robot models out of 949 Lego bricks.


Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat


Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Deserialized web security roundup

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were respectively enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN as well as a critical arbitrary code execution risk in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence can still be said to underline the importance of patching SSL VPN devices, which have previously been vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are…


0-days, RCE bugs, and a curious tale of signed malware – Naked Security


Another month, another Microsoft Patch Tuesday, another 48 patches, another two zero-days…

…and an astonishing tale about a bunch of rogue actors who tricked Microsoft itself into giving their malicious code an official digital seal of approval.

For a threat researcher’s view of the Patch Tuesday fixes for December 2002, please consult the Sophos X-Ops writeup on our sister site Sophos News:

For a deep dive into the saga of the signed malware, discovered and reported recently by Sophos Rapid Response experts who were called in to deal with the aftermath of a successful attack:

And for a high-level overview of the big issues this month, just keep reading here…

Two zero-day holes patched

Fortunately, neither of these bugs can be exploited for what’s known as RCE (remote code execution), so they don’t give outside attackers a direct route into your network.

Nevertheless, they’re both bugs that make things easier for cybercriminals by providing ways for them to sidestep security protections that would usually stop them in their tracks:


CVE-2022-44710: DirectX Graphics Kernel Elevation of Privilege Vulnerability

An exploit allowing a local user to abuse this bug has apparently been publicly disclosed.

As far as we are aware, however, the bug applies only to the very latest builds (2022H2) of Windows 11.

Kernel-level EoP (elevation-of-privilege) bugs allow regular users to “promote” themselves to system-level powers, potentially turning a troublesome but perhaps limited cybercrime intrusion into a complete computer compromise.


CVE-2022-44698: Windows SmartScreen Security Feature Bypass Vulnerability

This bug is also known to have been exploited in the wild.

An attacker with malicious content that would normally provoke a security alert could bypass that notification and thus infect even well-informed users without warning.


Bugs to watch

And here are three interesting bugs that weren’t 0-days, but that crooks may well be interested in digging into, in the hope of figuring out ways to attack anyone who’s slow at patching.

Remember that patches themselves often unavoidably give attackers clear hints on where to start looking, and what sort of things to…


Department of Defense Forks Over $110K to Hackers Who Discovered 349 Bugs


The US Department of Defense (DoD) has paid out $110,000 in bounties and bonuses to ethical hackers who discovered 349 “actionable” vulnerabilities on its networks.

As The Record reports, the vulnerabilities were discovered at a week-long “Hack U.S.” event held in July through a partnership with HackerOne. It tasked so-called white hat (ethical) hackers with finding “High” and “Critical” severity vulnerabilities on any publicly accessible information systems, including web property or data owned, operated, or controlled by the DoD.

In total, 349 actionable vulnerabilities were discovered, leading to the DoD paying out $75,000 in bounties. A further $35,000 was paid out in bonuses and awards.

Melissa Vice, the Vulnerability Disclosure Program director, said in a statement, “in just seven days, Hack U.S. ethical hackers submitted 648 reports, including numerous which would be considered critical had they not been identified and remediated during this bug bounty challenge … This bounty challenge shows the extra value we can earn by leveraging their subject matter expertise in an incentivized manner.”

Hack U.S. is just the latest successful bug bounty program run to discover vulnerabilities and make the US government’s networks more secure. It all started back in 2016 with the launch of a “Hack the Pentagon” program, which discovered 138 problems.


Katie Olson Savage, deputy chief digital and artificial intelligence officer and Defense Digital Service director, said “this crowd-sourced security approach is a key step to identifying and closing potential gaps in our attack surface.” We should therefore expect another DoD bug bounty to run in 2023.
