Tag Archive for: ThirdParty

Salt Security uncovers security flaws within ChatGPT extensions that allowed access to third-party websites and sensitive data


PALO ALTO, Calif., March 13, 2024 /PRNewswire/ — Salt Security, the leading API security company, today released new threat research from Salt Labs describing critical security flaws within ChatGPT plugins, a new risk for enterprises. Plugins give AI chatbots like ChatGPT the access and permissions needed to perform tasks on behalf of users within third-party websites, for example committing code to GitHub repositories or retrieving data from an organization’s Google Drive. These security flaws introduce a new attack vector and could enable bad actors to:

  • Gain control of an organization’s account on third-party websites
  • Allow access to Personal Identifiable Information (PII) and other sensitive user data stored within third-party applications

ChatGPT plugins extend the model’s abilities, allowing the chatbot to interact with external services. The integration of these third-party plugins significantly enhances ChatGPT’s applicability across various domains, from software development and data management to educational and business environments. When an organization installs such a plugin, it also gives ChatGPT permission to send the organization’s sensitive data to a third-party website and to access private external accounts. Notably, in November 2023, ChatGPT introduced a new feature, GPTs, a concept similar to plugins. GPTs are custom versions of ChatGPT that any developer can publish, and they contain an option called “Action” that connects them with the outside world. GPTs pose security risks similar to those of plugins.

The Salt Labs team uncovered three different types of vulnerabilities within ChatGPT plugins.

The first was found within ChatGPT itself, in the flow users follow when installing new plugins. During this process, ChatGPT redirects the user to the plugin website to receive a code, which the user then approves. When ChatGPT receives the approved code from the user, it automatically installs the plugin and can interact with that plugin on behalf of the user. Salt Labs researchers discovered that an attacker could exploit this function to deliver the user a code approval for a new, malicious plugin instead, enabling the attacker to install their credentials on a…

Source…

Third-party keyboards could help hackers spy on your iPhone


iPhones are well known for their security, and many people choose to buy iPhones because of that added safety. However, their popularity also makes iPhones appealing targets for hackers and bad actors. Now, hackers have found a way to spy on iPhones by installing third-party keyboards that bypass Apple’s rigorous security checks.

It isn’t completely impossible for malicious code to be served to iPhone customers, and in this case hackers are taking advantage of TestFlight, Apple’s pre-release testing system, which allows app developers to ship unfinished versions of their apps to users. According to a report from Certo Software, hackers are distributing third-party keyboards by uploading them to TestFlight.

Once users install the app to test it, the hackers are able to install a custom keyboard that looks just like the iPhone’s default keyboard. From there, the keyboard acts as a keylogger, and logs a ton of the user’s data, including passwords, messages, and more, all without the user ever suspecting it.

[Image: Dvorak keyboard enabled on iPhone. Check your iPhone’s keyboard settings to see which keyboards are installed and active. Image source: Chris Smith, BGR]

It’s this use of third-party keyboards to spy on iPhones that could very well lead to some drastic changes in how Apple allows developers to use TestFlight. But, in the meantime, there is something you can do to make sure a malicious keyboard isn’t logging your information and data.

Head over to Settings > General > Keyboard and then navigate down to Keyboards. Here, you’ll be able to see any keyboards you have installed. If you see anything that doesn’t make sense, we recommend deleting it by tapping on the Edit button and then selecting the red minus button to delete the keyboard from your device.

Of course, hackers are bound to find other ways to spy on your iPhone, so make sure you’re always watching what you download and what sites you visit, as just because iPhones are more secure does not make them impossible to hack and…

Source…

Third-party gained access to University of Michigan systems, leading to August internet outage


ANN ARBOR, MI – A third party infiltrated University of Michigan computer systems, which led officials to shut down the university’s internet access at the start of the fall semester, officials said.

The university first detected suspicious activity on its campus computer network on Aug. 23, according to university spokeswoman Kim Broekhuizen. The university’s Information Assurance team, which fights cybersecurity threats and malicious actors, shut down the system the afternoon of Aug. 27.

An investigation was launched into the hack, and with the help of third-party experts, it was determined that an unauthorized individual was able to access certain university systems from Aug. 23-27, officials said.

“Based on this data analysis, we believe that the unauthorized third party was able to access personal information relating to certain students and applicants, alumni and donors, employees and contractors, University Health Service and School of Dentistry patients, and research study participants,” Broekhuizen wrote in an email to MLive/The Ann Arbor News.

The university has determined that students, applicants, alumni, donors, employees and contractors have had the following information accessed: Social Security numbers, driver’s license or other government-issued identification numbers, financial account or payment card numbers, and/or health information, officials said.

Research study participants through the University Health Service and School of Dentistry have had the same information accessed, plus any information related to participation in certain research studies, officials said.

In addition to disconnecting the campus network from internet, the university notified law enforcement and is working with outside cybersecurity experts to make its network more secure, officials said.

Letters were sent on Monday, Oct. 23 to all university individuals affected, officials said. People with sensitive information from this incident are being offered a credit monitoring service free of charge from the university, officials said.

Credit reports can be accessed in the following ways:

Source…

Third-party ransomware attack impacts UK’s Greater Manchester Police


BleepingComputer reports that the UK’s Greater Manchester Police has been impacted by a data breach stemming from a ransomware attack against a service supplier, which also caters to other UK organizations.

Information compromised in the incident includes the personal information of some of the police department’s employees, but financial data is unlikely to have been impacted, according to GMP Assistant Chief Constable Colin McFarlane.

“…[W]e have contacted the Information Commissioners Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported,” McFarlane added.

Such an intrusion follows third-party breaches affecting the UK’s Metropolitan Police and the Police Service of Northern Ireland during the past month.

The Metropolitan Police had data on 47,000 police officers and staff, including names, ranks, and vetting levels, exposed after a cyberattack against ID card and access pass manufacturer Digital ID, while 10,000 PSNI police officers also had their personally identifiable information stolen, some of which was already leaked online.

Source…