Yahoo’s in the news again with a new vulnerability (now fixed) and a starring role, unknown to them, in British surveillance methods. With Sears possibly facing another breach and a cache of 360 million user credentials found for sale on the black market, there’s a lot to know about, so take a few minutes and catch up on all you may have missed!
Another Yahoo! Vulnerability Fixed This Week
After malware-injected advertisements, a hacked email client, and a bevy of other security issues, Yahoo hit another bump this week when a security researcher discovered he could purge 1.5 million records on Yahoo’s suggestions.yahoo.com subdomain. The researcher, Ibrahim Raafat, discovered an Insecure Direct Object Reference vulnerability within the site and exploited it by escalating his user permissions to delete any topic or comment on the site – a grand total of over 1.1 million comments and 365,000+ posts. He also found he was able to write comments using other Yahoo user accounts.
Raafat was rewarded with a bug bounty for his find and Yahoo has since fixed the vulnerability. Quoting himself, Raafat summed up his post and the security industry incredibly well:
“There are a lot of quotes all over the world. Some of them change our lives, and the others change the SQL Query result.”
Read Raafat’s full post on his find and watch a video of the exploitation here.
Sears Department Stores May Be Hit By Breach
The Secret Service is said to be looking into a possible breach at America’s fourth-largest department store. Sears, which operates around 2,500 locations throughout the United States and Canada, announced the launch of an investigation on Friday.
“There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach,” Howard Riefs, a Sears spokesman, stated in an email. “We have found no information based on our review of our systems to date indicating a breach.”
The Secret Service is still investigating the attacks on Target and Neiman Marcus from the end of 2013 and the very beginning of 2014. We’ll update you as more information on this latest investigation emerges.
Read Brian Krebs’s take on the possible breach here.
Yahoo Webcam Images Intercepted by GCHQ
British surveillance agency GCHQ, working on a program nicknamed Optic Nerve, intercepted millions of webcam images from internet users with no suspicion of wrongdoing, new documents leaked by Edward Snowden reveal. The program was piloted in 2008 and appeared to still be active in 2012.
Millions of internet users were targeted by the British surveillance agency – 1.8 million in just one six-month period – and whereas the NSA is required by law to minimize the amount of domestic surveillance done on American citizens, the GCHQ has no such law, meaning Brits most likely make up a large part of the collected image data. The GCHQ apparently targeted Yahoo users because, the documents stated, “Yahoo webcam is known to be used by GCHQ targets.” Yahoo replied in a statement to The Guardian that it strongly condemns the Optic Nerve program and was not aware of it or other surveillance activities by the GCHQ and the NSA.
Read the whole post published on The Guardian here.
360 Million Stolen Credentials Discovered
The security firm that previously discovered the massive Adobe breach last October, in which up to 150 million Adobe user accounts were compromised, reported yet another major credentials breach last Tuesday. Hold Security LLC wrote in a post that they had uncovered 360 million records gathered from several breaches that the company believes have yet to even be reported. The biggest collection, at 105 million records, would be the worst breach of credentials ever.
The trove includes mostly email addresses for usernames and their corresponding passwords, in most cases totally unencrypted. Also found for sale were 1.25 billion email addresses – a spammer’s fantasy. As data breaches become more prevalent, and the amount of data gleaned from these attacks increases, the security industry has a tough hurdle to get over in the next few years.
Read the Reuters article here.
YouTube Ads Served Banking Malware Using Java Exploit
A rogue advertiser was found serving up malvertising to YouTube viewers, a security company announced last week. Using a drive-by-download attack, the banking trojan was distributed by infecting a user while he or she watched a YouTube video. The malware, known as Caphaw, was exploiting vulnerabilities in outdated versions of Java to target users’ online banking credentials. Much like the attacks on Yahoo ads in early January, the user wouldn’t need to click on anything in order to be affected; simply watching the ad or seeing an online ad would be enough to infect a computer.
While the impact of this particular malware campaign is as yet unknown, YouTube is one of the most-used sites in the world, with over a billion users. Google has pinpointed the advertiser serving the malware and is currently working on ways to strengthen internal procedures to prevent future attacks from occurring. Users are encouraged to use ad blockers to disable online ads and malware like this, and to make sure their Java and Adobe Flash are up to date.
Catch Bromium’s full post here.