an estimated 280 million records that include a treasure trove of private user data. According to a report by Appthority, more than 1,000 apps it looked at on mobile devices leaked personally identifiable information that included passwords, location, VPN PINs, emails and phone numbers. Appthority's Mobile Threat Team called the vulnerability HospitalGown and said the culprit behind the threat is misconfigured backend storage platforms, including Elasticsearch, Redis, MongoDB and MySQL. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the backend servers with which the app communicates," wrote the authors of the report released Wednesday. According to Seth Hardy, director of security research, the problem is a byproduct of the insecure database installations that made headlines in February. That's when misconfigured and insecure MongoDB, Hadoop and CouchDB installations became popular extortion targets for hackers who were scanning for vulnerable servers to attack. The weak link in the chain when it comes to HospitalGown is the insecure servers that apps connect to, Hardy said. During the course of Appthority's investigation, it found 21,000 open Elasticsearch servers, revealing more than 43 terabytes of exposed data. In one scenario, the attacker looks for vulnerabilities in the space between the vendor's mobile application and the app's server-side components, according to researchers.
"The servers for most mobile applications are cloud based and accessible via the Internet; this allows a bad actor to skip the long and potentially many-layered 'compromise' stage of an attack, accessing company data directly from a database that is impossible for the enterprise to see or secure," they wrote. Researchers said the vulnerable mobile apps they found ran the gamut, from office productivity, enterprise access management, games and dating to travel, flight and hotel applications. Any personally identifiable data a user shared with the app was vulnerable to possible exfiltration by a hacker. "These servers were accessible from the Internet, lacked any means of authentication to prevent unwanted access to the data they contained, and failed to secure transport of data, including PII, using HTTPS conventions," according to the report. While this is strictly a data security issue, Appthority said, attacks can quickly escalate, and personal information could easily be leveraged in a spear phishing attack or brute force attack. In its report, Appthority showed how a mobile VPN app called Pulse Workspace, used by enterprises, government agencies and service providers, leaked data. While Pulse Workspace created an API to secure front-end Elasticsearch access, the backend, and all of the app's data records, were exposed and leaked Pulse customer data. Appthority notified Pulse Workspace and its customers of the vulnerability, which has since been fixed.
Appthority is careful to point out that each of the platforms it examined – Elasticsearch, Redis, MongoDB and MySQL – had plugins to allow for proper public exposure on the Internet. "Best practices on secure data stores are just not being adopted in too many cases," Hardy said. Elasticsearch, for example, has a bevy of security and data protection capabilities, such as being able to encrypt all the data that's on the platform. Increasing the risk of HospitalGown-type attacks is the fact that many apps Appthority looked at seemed benign in terms of shared user data. But increasingly, apps have advertising components that collect personally identifiable data that can be mined by hackers for phishing or ransomware attacks. App developers and system administrators need to know where their data is stored and make sure it is secured, Hardy told Threatpost.
Adobe is no stranger to finding itself in the security headlines for all the wrong reasons, and it seems that things may not be changing as we enter 2017. There was controversy earlier this month when news broke about how Adobe took the opportunity on Patch Tuesday to use its regular security updates to force Adobe Acrobat DC users into silently installing a Google Chrome extension. As Bleeping Computer reports, most people first found out about the extension, which offers the ability to easily convert webpages into PDF files, when they saw a prompt asking them to approve the following permissions:
Of course, you could choose to remove the extension, but it's the "Enable" option which is set by default – and it is probably what many people would click on without thinking of the possible consequences. Users expressed their outrage on social media about Adobe silently installing the Windows-only extension, leaving poor reviews in the Chrome web store: "How DARE Adobe install this extension automatically and silently as part of a 'security' update for Acrobat. Not only am I removing the extension from the browser, I am permanently removing Acrobat from ALL systems on my network and blocking any further installations. My school district will be Acrobat free AS SOON AS HUMANLY POSSIBLE. Further, I will recommend to the Department of Education a different solution for PDF viewing and editing. I will push and fight to get as many people as I can to stop using this disgusting trash." What further upset some users was that the Adobe Acrobat Chrome extension sends "anonymous product usage data" back to Adobe, although the company stresses that it does not receive details of the URLs visited by users. It wasn't long before headlines appeared comparing the sneakily installed extension to "spyware".
Well, perhaps… Controversial Google security researcher Tavis Ormandy's interest was piqued by all of the attention being given to the extension, so he made his own examination of its code and found that it was vulnerable to cross-site scripting (XSS) attacks. According to statistics displayed on the Chrome web store, the controversial extension has tens of millions of users – all of whom are potentially vulnerable because of the flaw in its code. Every time you add additional software to your computer, you are increasing your potential attack surface. And be wary of software that is installed without your permission or that vendors bundle with their software against your wishes. Adobe has responded to Ormandy's report by saying it has now issued an update to the extension that fixes the security holes.
A decade ago, cross-site request forgery (CSRF, often pronounced "c-surf") was considered to be a sleeping giant, preparing to wake and inflict havoc on the World Wide Web. But the doomsday scenario never materialized, and you don't even seem to hear much about it anymore. In this blog post, part 1 of 2, I will explore this idea and try to understand why the CSRF giant never awoke. First we'll cover the overall threat landscape, trends, and some notable CSRF exploits throughout the years, including one from personal experience. As a quick review, CSRF exists because web applications trust the cookies sent by web browsers within an HTTP request. In a CSRF attack, the attacker causes a victim's browser to make a request that results in a change or action which benefits the attacker (and/or harms the victim) in some way. Without a specific defense – like a random token in the request body that is validated on the server side – CSRF attacks are possible. After a bit of testing, my suspicions were confirmed. All requests that caused any sort of change could be exploited with CSRF. This included:
I contacted the company to let them know about these security holes. Surprisingly, they didn't seem to be aware there was such a thing as CSRF, but they thanked me anyway and rolled out a fix about a month later. There have been other notable instances of CSRF vulnerabilities, with some of them being exploited in the wild. Drive-by pharming is an attack on the DNS settings of home routers and modems and often leverages CSRF as a key element. The web UIs on these devices are the culprit, because they allow users to edit configuration settings. In one attack from 2008, banking customers in Mexico who owned 2Wire DSL modems were targeted.
Victims received an email with an embedded image tag carrying a CSRF attack that changed the DNS settings on their modem. In another instance, tens of thousands of Twitter users fell victim to a CSRF worm in 2010 when developers failed to implement anti-CSRF measures for tweets. The vulnerability was discovered and exploited in a rather distasteful but harmless way. When authenticated Twitter users visited the web page containing the exploit, they unknowingly posted two tweets – one with a link to the same page and another with a message about goats. Anyone who clicked on the link in the first tweet also posted the same two tweets. The worm spread like wildfire before it was fixed by Twitter. In 2012 Facebook's App Center was vulnerable to CSRF, and the security researcher who discovered the flaw was awarded $5000 as a bounty. Interestingly, in this case the HTTP request included an anti-CSRF token that appeared at first glance to provide protection, but the token was not being validated by the server-side application when the request was received. A Qualys researcher found other examples where anti-CSRF tokens were not properly validated. And similar to the Facebook issue mentioned above, PayPal in 2016 did not validate the anti-CSRF token in paypal.me. An attacker could only change a user's profile photo in that case, however.
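To make the two failure modes concrete (no token at all, and the Facebook/PayPal case where a token is sent but never compared) next to the correct server-side check, here is an added example that is not code from the original post; the session store, the profile-photo handler and the request helpers are constructed for illustration.

```python
import hmac
import secrets

# Constructed session table standing in for the server's session store:
# session id (what the browser cookie carries) -> user and per-session anti-CSRF token.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}


def issue_token(session_id):
    """Token the server embeds in its own forms; a cross-site page cannot read it."""
    return SESSIONS[session_id]["csrf_token"]


def update_photo_no_token(session_id, form):
    """No defense at all: any request that arrives with the victim's cookie is honoured."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    return 200, f"photo of {session['user']} set to {form['photo']}"


def update_photo_unvalidated(session_id, form):
    """The Facebook 2012 / paypal.me 2016 failure mode: the form carries a csrf_token
    field, so it looks protected, but the handler never compares it to the session's."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    form.get("csrf_token")  # read, but never checked
    return 200, f"photo of {session['user']} set to {form['photo']}"


def update_photo_validated(session_id, form):
    """Correct check: reject unless the submitted token equals the session token.
    hmac.compare_digest keeps the comparison constant-time."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid anti-CSRF token"
    return 200, f"photo of {session['user']} set to {form['photo']}"


def forged_request(handler):
    """Models a CSRF attempt: the browser attaches alice's cookie automatically,
    but the page that triggered the request does not know her token, so it guesses."""
    return handler("sess-alice", {"photo": "evil.png", "csrf_token": "guess"})


def legitimate_request(handler):
    """The server's own form submits the token it was issued."""
    form = {"photo": "me.png", "csrf_token": issue_token("sess-alice")}
    return handler("sess-alice", form)


if __name__ == "__main__":
    for h in (update_photo_no_token, update_photo_unvalidated, update_photo_validated):
        print(h.__name__, "forged ->", forged_request(h), "| legit ->", legitimate_request(h))
```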
Home routers are the first and sometimes last line of defense for a network. Despite this fact, many manufacturers of home routers fail to properly audit their devices for security issues before releasing them to the market. As security researchers, we are often disappointed to rediscover that this is not always the case, and that sometimes these vulnerabilities simply fall into our hands during our day-to-day lives. Such is the story of the two NETGEAR vulnerabilities I want to share with you today:
It was a cold and rainy winter night, almost a year ago, when my lovely NETGEAR VEGN2610 modem/router lost connection to the Internet. I was tucked in bed, cozy and warm; there was no way I was going downstairs to reset the modem. "I will just reboot it through the web panel," I thought to myself. Unfortunately I couldn't remember the password, and it was too late at night to check whether my roommates had it. I considered my options:
Needless to say, I chose the latter. I thought to myself, "Well, it has a web interface and I need to bypass the authentication somehow, so the web server is a good start." I started manually fuzzing the web server with different parameters. I tried "../.." classic directory traversal and such, and after about 1 minute of fuzzing, I tried "…" and I got this response:
Fig 1: unauth.cgi
"Hmm, what is that unauth.cgi thingy?" Luckily for me the Internet connection had come back on its own, but I was now a man on a mission, so I started to look around to see if there were any known vulnerabilities for my VEGN2610. I started looking up what that "unauth.cgi" page could be, and I found 2 publicly disclosed exploits from 2014, for different models, that manage to do unauthenticated password disclosure.
Those two guys found out that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials. I tested the method described in both, and voila, I had my password; now I could go to sleep happy and satisfied. I woke up the next morning excited by the discovery, and I thought to myself: "3 routers with the same issue… Coincidence?" Luckily, I had another, older NETGEAR router lying around; I tested it and bam! I started asking people I knew if they had NETGEAR equipment so I could test further to see the scope of the issue. In order to make life easier for non-technical people I wrote a Python script called netgore, similar to wnroast, to test for this issue. I am aware of that, and that is why I don't work as a full-time programmer. As it turned out, I had an error in my code where it didn't correctly take the number from unauth.cgi and passed gibberish to passwordrecovered.cgi instead, but somehow it still managed to get the credentials! After a few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what parameter you send. This is a totally new bug that I haven't seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models. A full description of both of these findings, as well as the Python script used for testing, can be found here. The vulnerabilities have been assigned CVE-2017-5521 and TWSL2017-003.
The Responsible Disclosure Process
This is where the story of discovery ends and the story of disclosure begins. Following our Responsible Disclosure policy, we sent both findings to NETGEAR in the beginning of April 2016.
In our initial contact, the first advisory had 18 models listed as vulnerable, although six of them didn't have the vulnerability in the latest firmware. Perhaps it was fixed as part of a different patch cycle. The second advisory included 25 models, all of which were vulnerable in their latest firmware version. In June NETGEAR published a notice that provided a fix for a small subset of vulnerable routers and a workaround for the rest. They also made the commitment to work toward 100% coverage for all affected routers. The notice has been updated several times since then and currently contains 31 vulnerable models, 18 of which are patched now, and 2 models that they previously listed as vulnerable but are now listed as not vulnerable. In fact, our tests show that one of the models listed as not vulnerable (DGN2200v4) is, in fact, vulnerable, and this can easily be reproduced with the POC provided in our advisory. Over the past nine months we attempted to contact NETGEAR multiple times for clarification and to allow them time to patch more models. Over that time we have found more vulnerable models that were not listed in the initial notice, although they were added later. We also discovered that the Lenovo R3220 router is powered by NETGEAR firmware and was vulnerable as well. Luckily NETGEAR did eventually get back to us right before we were set to disclose these vulnerabilities publicly.
We were a little skeptical, since our experience to date matched that of other third-party vulnerability researchers who have tried to responsibly disclose to NETGEAR only to be met with frustration. The first was that NETGEAR committed to pushing out firmware to the currently unpatched models on an aggressive timeline. The second change made us more confident that NETGEAR was not just serious about patching these vulnerabilities, but serious about changing how they handle third-party disclosure in general. We fully expect this move will not only smooth the relationship between third-party researchers and NETGEAR, but, in the end, will result in a more secure line of products and services. For starters, it affects a large number of models. We have found more than ten thousand vulnerable devices that are remotely accessible. The real number of affected devices is probably in the hundreds of thousands, if not over a million. The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing.
The most recent breach involved smart teddy bears, which can receive and send voice messages between children and parents, and affected more than 800,000 user accounts. The company behind the products, Spiral Toys, is denying that any customers were hacked. Zach Lanier, director of research at Cylance, went through the more famous incidents involving toys and breaches and offers a tip with each case.
This may have given attackers access to voice recordings from the toy's customers, by allegedly making the mistake of storing the customer information in a publicly exposed online MongoDB database that required no authentication process. Thus anyone, including the attackers, was able to view and steal the data. CloudPets placed no requirement on password strength, making it much easier to decipher passwords. Tip: Always create a secure password, no matter the strength requirement. Include lowercase and uppercase letters, symbols and numbers. Use a password manager to help create and store unique passwords for sites and services.
A line of stuffed animals, these connected toys combine with a mobile application that was vulnerable due to a number of weak APIs, which didn't verify who sent messages. This meant that an attacker could guess usernames, or email addresses, and ask the Fisher-Price server to return details about associated accounts and children's profiles, which provides their name, birthdate, gender, language and toys they have played with. Tip: If the IoT device connects to a mobile app or desktop computer, it is important to examine how it connects. If the start of the URL address is http rather than https, which is the secure version of HTTP, then your device is making a less secure connection.
The doll has a microphone and accesses the internet to answer your child's questions. Moreover, criminals could have the ability to collect your personal information. Tip: If the toy does require Wi-Fi, make sure it supports modern, more secure Wi-Fi capabilities like WPA2.
Their speech-recognition software maker, Nuance Communications, violated federal rules by listening to children and saving the recordings. It's valuable to know how they are using your data. Don't provide personal information that seems extra or unnecessary.
VTech had its app store database, Learning Lodge, hacked. As a result of the breach, over 11.6 million accounts were compromised in a cyberattack, exposing photos of children and parents as well as chat logs. The profile data leaked included their names, genders and birth dates. Tip: Check to see if the manufacturer has had any cybersecurity issues in the past, and if so, how they responded. Alternatively, if the company is relatively new, your device is definitely at greater risk.
The interactive toy has the ability to communicate and record conversations. Those conversations are sent to the company's servers, analyzed and then stored in the cloud. The toy was criticized for spying on kids by recording their conversations. Through Wi-Fi, attackers can hijack the connection to spy on your children, steal personal information, and turn the microphone of the doll into a surveillance device. Tip: Since the device is Wi-Fi enabled, confirm that the device supports modern security protocols. If the device only uses the WEP or WPA (but not WPA2) security standards, it may be too risky to use. Those versions are older and over time have become almost entirely insecure against attack.