Rapid7 disclosed a vulnerability in Yopify, an ecommerce notification plugin used by a number of websites, including Shopify, that indirectly leaks the first name, last initial, city and purchase data of recent online shoppers, all without any user authorisation. The various plugin sites show over 300 reviews of Yopify, which suggests that the number of exploitable sites is at least in the hundreds, and perhaps in the thousands. While seemingly harmless at first glance, this personal shopper data can be used by attackers to infer parts of customers’ identities, leaving them exposed to further personal information breaches, blackmail and even violence.
This attack model, which abuses ultrasound cross-device tracking (uXDT), was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and at the 33rd Chaos Communication Congress held last week. When an ad plays on a TV or radio, or ad code runs on a mobile device or computer, it emits ultrasounds that are picked up by the microphones of nearby laptops, desktops, tablets or smartphones. Speaking at last week's 33rd Chaos Communication Congress, Vasilios Mavroudis, one of the six researchers, detailed a deanonymization attack on Tor users that leaks their real IP address and a few other details. The attack that the research team put together relies on tricking a Tor user into accessing a web page that contains ads that emit ultrasounds, or a page that contains hidden JavaScript code that forces the browser to emit the ultrasounds via the HTML5 Audio API. According to Mavroudis, the victim's mobile phone must have an app installed that embeds one of the many advertising SDKs that include support for uXDT. In tests carried out by Mavroudis, the researcher intercepted some of the traffic these ultrasound beacons trigger on behalf of the phone, traffic which contains details such as the user's real IP address, geolocation coordinates, telephone number, Android ID, IMEI code and device MAC address. The Tor Browser never reveals any of this; the leak happens because the phone, listening through an ordinary app, reports to the ad network over its normal, non-Tor connection. According to Mavroudis, there are multiple ways to deliver these attacks other than social-engineering Tor users into accessing URLs where these ultrasound beacons are served. For example, attackers could run a malicious Tor exit node and perform a man-in-the-middle attack, forcibly injecting the code that triggers uXDT beacons into all Tor traffic going through that node.

A simpler attack method would be to hide the ultrasounds, which are inaudible to human ears, inside videos or audio files that certain Tor users might open. The FBI might be very interested in this method and could deploy it to track viewers of child pornography videos on the Tor network, just as it previously did in Operation Playpen, where it used a browser exploit.
Having had more than a week to digest Cloudbleed’s causes and impact, Cloudflare CEO Matthew Prince assessed the damage yesterday in a lengthy post-mortem as relatively low. Prince said there is no evidence that the vulnerability, which leaked customer data from memory, was exploited by attackers. The bug, however, was triggered more than 1.2 million times from 6,500 sites that met the criteria under which it could be exploited. In the meantime, Cloudflare continues to work with Google and other search engine providers to scrub cached pages that could contain leaked memory. “We’ve successfully removed more than 80,000 unique cached pages. That underestimates the total number because we’ve requested search engines purge and recrawl entire sites in some instances,” Prince said. Prince said the leaks included internal Cloudflare headers and customer cookies, but that there was no evidence of passwords, encryption keys, payment card data or health records among them. The vulnerability was privately disclosed on Feb. 17, 2017 by Google Project Zero researcher Tavis Ormandy, who reported that he did see crypto keys, passwords, POST data and HTTPS requests for other Cloudflare-hosted sites among the data returned for unrelated requests. Ormandy initially said in a tweet that Cloudflare was leaking customer HTTPS sessions for Uber, FitBit, OKCupid and others, all of which said the impact of Cloudbleed on their data was minimal. “While the bug was very bad and had the potential to be much worse,” Prince said. Prince explained that the bug was triggered only when a web page passing through the Cloudflare network contained HTML ending with an un-terminated attribute, and only if a number of Cloudflare features were turned on.

Those features work hand in hand with a Cloudflare stream parser used to scan and modify content in real time, such as rewriting HTTP links to HTTPS (a feature called Automatic HTTPS Rewrites) or hiding email addresses on a page from spammers (a feature called Email Address Obfuscation). The requirement that the page end with an un-terminated attribute was key. “When a page for a particular customer is being parsed it is stored in memory on one of the servers that is a part of our infrastructure. Contents of the other customers’ requests are also in adjacent portions of memory on Cloudflare’s servers,” Prince said. “The bug caused the parser, when it encountered an un-terminated attribute at the end of a page, to not stop when it reached the end of the portion of memory for the particular page being parsed. Instead, the parser continued to read from adjacent memory, which contained data from other customers’ requests. The contents of that adjacent memory were then dumped onto the page with the flawed HTML.” Anyone accessing one of those pages would see the memory dump, which looks a lot like random text, Prince said. An attacker would need to hammer one of those sites with numerous requests to trigger the bug repeatedly and then record the results, getting a mix of useless data and sensitive information, Prince said. “The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notified by Google’s Project Zero team and were able to patch it,” Prince said. “For the last 12 days we’ve been reviewing our logs to see if there’s any evidence to indicate that a hacker was exploiting the bug before it was patched. We’ve found nothing so far to indicate that was the case.”
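To make the failure mode concrete, here is an added illustration in C. It is not Cloudflare's code (the real parser is Ragel-generated and lives inside a much larger system); it models what Prince describes above, using the root cause Cloudflare named in its own technical write-up: the end-of-buffer test was written with the equality operator, and a cursor that jumped past the end of the page never equalled it. A toy rewriting parser walks a page that sits in one heap region with another customer's request immediately after it. On `=` it assumes an opening quote follows and steps two bytes at once, so a page whose last byte is `=` (an un-terminated attribute) pushes the cursor one past the end. The vulnerable variant loops while `p != pe` and keeps copying the neighbour's request; the hardened variant loops while `p < pe` and stops. The page, the neighbouring request, the `S3CR3T-TOKEN` value and the `hard_end` guard are all constructed for this demo, and the guard exists only so the over-read stays inside memory the program owns.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data, not Cloudflare's. The page being rewritten ends in
 * `src=` with nothing after it: an un-terminated attribute at the very end of
 * the page, the exact condition Prince describes. */
static const char PAGE[] = "<a href=\"/cart\">Cart</a><img src=";

/* What happens to sit right after that page in the server's memory: another
 * customer's request, which the parser was never meant to touch. */
static const char NEIGHBOR[] =
    "POST /login HTTP/1.1\r\nAuthorization: Bearer S3CR3T-TOKEN\r\n";

/*
 * Toy rewriting parser. It copies the page to `out` byte by byte, and when it
 * meets `=` it assumes an opening quote follows and steps the cursor over both
 * characters at once so the attribute value can be handled as a unit.
 * The only difference between the two variants is the end-of-buffer test:
 *   hardened == 0: loop while p != pe   (a cursor that jumped past pe never
 *                                        equals it, so the loop keeps reading)
 *   hardened == 1: loop while p <  pe
 * `hard_end` is the end of the backing allocation; it exists only so this demo
 * stays memory-safe. A real process would read whatever followed the page.
 */
static size_t rewrite_page(const char *p, const char *pe, const char *hard_end,
                           int hardened, char *out, size_t out_max)
{
    size_t n = 0;
    while (hardened ? (p < pe) : (p != pe)) {
        if (p >= hard_end || n + 1 >= out_max)
            break;                      /* demo-only guard, see above */
        if (*p == '=') {
            p += 2;                     /* skip `="`; if `=` was the last byte, p is now pe + 1 */
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Lay PAGE and NEIGHBOR out back to back in one allocation, run one variant
 * over the page portion only, and return the number of bytes it emitted. */
static size_t run_variant(int hardened, char *out, size_t out_max)
{
    size_t page_len = strlen(PAGE), nb_len = strlen(NEIGHBOR);
    char *region = malloc(page_len + nb_len);
    if (region == NULL) {
        out[0] = '\0';
        return 0;
    }
    memcpy(region, PAGE, page_len);
    memcpy(region + page_len, NEIGHBOR, nb_len);
    size_t n = rewrite_page(region, region + page_len,
                            region + page_len + nb_len, hardened, out, out_max);
    free(region);
    return n;
}

/* Number of bytes the chosen variant emits for the 33-byte page:
 * 30 when it stops at the page boundary, 87 when it runs into the neighbour. */
static size_t emitted_len(int hardened)
{
    char out[256];
    return run_variant(hardened, out, sizeof out);
}

/* 1 if the neighbour's bearer token ended up in the rewritten page. */
static int output_leaks_neighbor(int hardened)
{
    char out[256];
    run_variant(hardened, out, sizeof out);
    return strstr(out, "S3CR3T-TOKEN") != NULL;
}

int main(void)
{
    char out[256];
    run_variant(0, out, sizeof out);
    printf("vulnerable (p == pe), %zu bytes:\n%s\n", strlen(out), out);
    run_variant(1, out, sizeof out);
    printf("hardened   (p >= pe), %zu bytes:\n%s\n", strlen(out), out);
    return 0;
}
```

The vulnerable run prints the rewritten page followed by the neighbour's `Authorization` header, which is what a Cloudbleed memory dump looked like from the outside: valid-looking HTML followed by fragments of someone else's request. The hardened run stops at the 30 bytes that belong to the page. The general lesson is the one Cloudflare drew: a bounds check must be a range test (`>=`), never an equality test, whenever any code path can advance the cursor by more than one.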
Prince said Cloudflare customers who find any leaked cached data can send a link to the caches to parserbug@cloudflare.com.

Over 2,000 WordPress sites are infected as part of a keylogger campaign that leverages an old malicious script.