Tag Archive for: lapse

When Microsoft employees exposed passwords in major security lapse


Microsoft resolved a security lapse that exposed internal company files and credentials to the open internet, security researchers said. Can Yoleri, Murat Özfidan and Egemen Koçhisarlı of SOCRadar found an open, publicly accessible storage server hosted on Microsoft’s Azure cloud service. It was storing internal information relating to Microsoft’s Bing search engine, including code, scripts and configuration files that contained passwords Microsoft employees used to access internal systems.

What we know about the storage server


The storage server was not protected with a password and could be accessed by anyone on the internet, Can Yoleri told TechCrunch, adding that the data may help malicious actors identify or access other places where Microsoft stores its internal files, which “could result in more significant data leaks and possibly compromise the services in use.”

What Microsoft did after the security breach


The researchers informed Microsoft of the security lapse on February 6 and the company secured the files on March 5, they said.

Microsoft’s security incidents in the past

This comes as the company has gone through a series of cloud security incidents in recent years. Last year, researchers found Microsoft employees were exposing their own corporate network logins in code published to GitHub. The company had also, in a different incident, admitted that it did not know how China-backed hackers stole an internal email signing key which allowed them broad access to Microsoft-hosted inboxes of senior US government officials.


Unjected Data Breach: Security Lapse Exposes Thousands of User Accounts


Unjected, the controversial anti-vaccine dating platform, faces another bout of scrutiny as a recent security breach exposes the private data of over 35,000 users.

The latest security problem, discovered by security researcher GeopJr, reveals alarming vulnerabilities within the platform’s infrastructure that could compromise user privacy and safety.

Unjected Hit by a Glitch


Unjected, a popular website that promotes anti-vaccine campaigns, has been hit by a glitch. The latest security issue exposes confidential information of some users.
GeopJr’s investigation reveals critical flaws in Unjected’s security measures, allowing unauthorized access to sensitive user information. The breach exposes personal details, including full names, birthdates, email addresses, and location data of thousands of users. Moreover, authentication issues enable malicious actors to manipulate user profiles and access private messages exchanged on the platform.


History of Security Concerns

This isn’t the first time Unjected has faced security-related controversies. In July 2022, GeopJr uncovered an open administrator dashboard, granting unauthorized access to crucial site functionalities. Despite attempts to rectify the issue, subsequent glitches and outages persisted, raising concerns among users regarding data protection.

Persistent Security Lapses

Despite being alerted to the security vulnerabilities by GeopJr and the Daily Dot, Unjected has failed to address the issues adequately. Efforts to patch the leak inadvertently exacerbated the situation, introducing additional vulnerabilities, including unauthorized account deactivation.

User Concerns and Insecurity

The breach has left users apprehensive about their privacy and safety on the platform. Direct messages reveal widespread distrust and unease among users regarding Unjected’s security practices. Concerns range from potential government surveillance to fears of hacking and data exploitation.

Response and Lack of Transparency


Nothing’s iMessage app wasn’t its only security lapse (Update: Statement)



TL;DR

  • Nothing’s CMF Watch app encrypted emails and passwords suboptimally, allegedly leaving them decryptable with the same decryption keys.
  • The issue was partially fixed, as the encryption method of the passwords was updated, but not that of emails.
  • Nothing claims it is currently working to resolve the issues.

Update, December 4, 2023 (12:45 PM ET): Nothing has now provided a comment to Android Authority about the issues. A spokesperson for the company states:

CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be more easily submitted via https://intl.cmf.tech/pages/vulnerability-report

Original article, December 4, 2023 (3:29 AM ET): Nothing has had some good success with the Nothing Phone 2, considering the novelty of the phone and the nascent brand image. To win over some of the iPhone audience, Nothing partnered with Sunbird to launch an iMessage-for-Android app called Nothing Chats. The app lasted about a day in the wild before being pulled down due to glaring security oversights. But there seem to be more skeletons in Nothing’s closet, as two more vulnerabilities have emerged.

Android developer and reverse engineer Dylan Roussel posted on X that he found two vulnerabilities centered around Nothing. The first was found in September in the CMF Watch app, which was built in partnership with a company called Jingxun. The CMF Watch app encrypted email usernames and passwords, but the encryption method allegedly left that data decryptable with the same decryption keys, defeating the purpose of encryption.

Nothing/Jingxun fixed this vulnerability, but curiously, only for the password. The email address used as the username could allegedly still be decrypted.

The second vulnerability has not been publicly detailed, but it relates to Nothing’s internal data. Nothing was informed of the same in August, but it hasn’t been fixed…


SEC Probes Twitter Security Lapse Before Elon Musk Took Over


The Securities and Exchange Commission is investigating how Twitter Inc. managed a 2018 security lapse that exposed personal user information before billionaire Elon Musk bought the social media platform last year. The agency has been scrutinizing whether the former top executives failed to adequately disclose those privacy issues to shareholders or put in place proper controls, according to people familiar with the matter who asked not to be identified discussing a confidential investigation. A bug on the social media platform had let outsiders view user email addresses during password resets, which revealed the identity of users, said one of the people.

The executives in charge at the time included Twitter’s former Chief Financial Officer Ned Segal and former Chief Technology Officer Parag Agrawal, who became chief executive officer in 2021 after co-founder Jack Dorsey left the company. Dorsey was CEO in 2018.

It isn’t clear whether an enforcement action will result from the review or when it will wrap up, the people said. None of the former executives has been accused of any wrongdoing.

Agrawal and Segal were ousted last year after Musk purchased the company for $44 billion. Musk, who changed the platform’s name to X Corp., hired an outside law firm to do an internal investigation of complaints about lax computer-security measures at the company after he took over.

The SEC and a spokesman for Segal declined to comment. Spokespeople for X Corp. and Dorsey and a lawyer for Agrawal didn’t respond to requests for comment.

Twitter suffered several security breaches in 2018, including discovery of a computer virus that left users’ passwords exposed and a security flaw in Twitter’s system that made it possible to identify the country codes of Twitter users’ phone numbers. That misstep may have allowed wrongdoers to identify countries where accounts were based.

The SEC has been probing the actions of players in Musk’s controversial buyout of Twitter for months after questions arose about management of the social-media firm and the billionaire’s moves in acquiring it. The agency sued Musk Thursday seeking to force him to testify about whether his actions in the run-up to his Twitter…
