August 19, 2019
Did Facebook know about “View As” bug before 2018 breach?
By Lisa Vaas
A recent court filing indicates that Facebook knew about the bug in its View As feature that led to the 2018 data breach – a breach that would turn out to affect nearly 29 million accounts – and that it protected its employees from repercussions of that bug, but that it didn’t bother to warn users.
There was a class action lawsuit – Carla Echavarria and Derrick Walker v. Facebook, Inc. – filed within hours of Facebook’s revelations last September that attackers had exploited a vulnerability in its “View As” feature to steal access tokens: the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.
Reuters reports that the lawsuit in question actually combined several legal actions, presumably including the one filed on the same day as Facebook disclosed the breach.
The breach
As Naked Security’s Paul Ducklin explained at the time, the View As feature lets you preview your profile as other people would see it.
This is supposed to be a security feature that helps you check whether you’re oversharing information you meant to keep private. But crooks figured out how to exploit a bug (actually, a combination of three different bugs) so that when they logged in as user X and did View As user Y, they essentially became user Y. From Paul:
If user Y was logged into Facebook at the time, even if they weren’t actually active on the site, the crooks could recover the Facebook access token for user Y, potentially giving them access to lots of data about that user.
That’s exactly what attackers did: they took the profile details belonging to some 14 million users, including birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins.
Read more at https://nakedsecurity.sophos.com/2019/08/19/did-facebook-know-about-view-as-bug-before-2018-breach/
Multiple HTTP/2 DoS flaws found by Netflix
By Danny Bradbury
Netflix has identified several denial of service (DoS) flaws in numerous implementations of HTTP/2, a popular network protocol that underpins large parts of the web. Exploiting them could make servers grind to a halt.
HTTP/2 is the latest flavour of HTTP, the application protocol that manages communication between web servers and clients. Released in 2015, HTTP/2 introduced several improvements intended to make sessions faster and more reliable.
Updates included:
- HTTP header compression. In previous HTTP versions, only the body of a request could be compressed, even though for small web pages the headers, which often include data such as cookies and are always sent in text format, could be bigger than the body.
- Multiplexed streams and binary packets. This made it easier to download multiple items in parallel, speeding up rendering of web pages made up of many parts.
- Server Push. This means the server can send across cacheable information that the client might need later, even if it hasn’t been requested yet.
Features like these can help reduce latency and improve search engine rankings. The problem is that more complexity means more opportunity for bugs.
Netflix explains this in its writeup of the issue:
The algorithms and mechanisms for detecting and mitigating “abnormal” behavior are significantly more vague and left as an exercise for the implementer. From a review of various software packages, it appears that this has led to a variety of implementations with a variety of good ideas, but also some weaknesses.
There are eight of those weaknesses, all with their own separate CVE number and nickname.
Some flaws are reminiscent of other non-HTTP/2 DoS attacks.
Read more at https://nakedsecurity.sophos.com/2019/08/19/netflix-finds-multiple-http2-dos-flaws/
61 impacted versions of Apache Struts left off security advisories
By Lisa Vaas
Security researchers have reviewed security advisories for Apache Struts and found that two dozen of them inaccurately listed affected versions for the open-source development framework.
The advisories have since been updated to reflect vulnerabilities in an additional 61 unique versions of Struts that were affected by at least one previously disclosed vulnerability but left off the security advisories for those vulnerabilities.
The extensive analysis was done by the Black Duck Security Research (BDSR) team of Synopsys’ Cybersecurity Research Center (CyRC), which investigated 115 distinct releases for Apache Struts and correlated those releases against 57 existing Apache Struts Security Advisories covering 64 vulnerabilities.
Synopsys’ Tim Mackey said in a blog post on Thursday that the danger isn’t that developers and users may have upgraded needlessly. Rather, the real danger is that needed updates may not have happened:
While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment. Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.
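The correlation the BDSR team describes (every release checked against every advisory's affected ranges, then the originally published ranges compared with the corrected ones) can be reduced to a small script. This is an added example, not the Synopsys tooling; the release list, the advisory ids and all version ranges are constructed for illustration and are not real Struts advisory data.

```python
# Added example (not from the article or from Synopsys/BDSR): a minimal
# advisory-vs-release correlation check. All version ranges and advisory
# ids below are CONSTRUCTED, not the real affected ranges of any Struts advisory.
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.10' into (2, 3, 10) so releases compare numerically.
    Naive string comparison would rank '2.3.10' below '2.3.9', a common
    cause of a release being wrongly judged outside an affected range."""
    return tuple(int(part) for part in v.split("."))

def in_range(version: str, lo: str, hi: str) -> bool:
    """True when lo <= version <= hi, compared numerically."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)

def affected_by(version: str, advisories: Dict[str, list]) -> List[str]:
    """Ids of every advisory whose affected ranges cover this release."""
    return [adv_id for adv_id, ranges in advisories.items()
            if any(in_range(version, lo, hi) for lo, hi in ranges)]

def missed_versions(releases: List[str], original: Dict[str, list],
                    corrected: Dict[str, list]) -> Dict[str, List[str]]:
    """Releases an advisory covers after correction but not as originally
    published: the under-reporting the article warns about."""
    missed = {}
    for adv_id in corrected:
        before = {r for r in releases
                  if affected_by(r, {adv_id: original.get(adv_id, [])})}
        after = {r for r in releases
                 if affected_by(r, {adv_id: corrected[adv_id]})}
        gap = sorted(after - before, key=parse_version)
        if gap:
            missed[adv_id] = gap
    return missed

# Constructed release list and constructed advisories (hypothetical ids).
RELEASES = ["2.3.8", "2.3.9", "2.3.10", "2.3.11", "2.5.0", "2.5.1", "2.5.2"]
ORIGINAL = {"ADV-A": [("2.3.9", "2.3.9")], "ADV-B": [("2.5.0", "2.5.1")]}
CORRECTED = {"ADV-A": [("2.3.8", "2.3.11")], "ADV-B": [("2.5.0", "2.5.2")]}

if __name__ == "__main__":
    for adv, versions in missed_versions(RELEASES, ORIGINAL, CORRECTED).items():
        print(adv, "left off these affected releases:", versions)
```

A team that cached "2.3.10" as a known-good build would never have been prompted to upgrade by the original ADV-A range, which is exactly the lasting gap Mackey describes.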
Case in point: Equifax
Promptly patching security vulnerabilities in Apache Struts is a vital task: you can ask Equifax all about possible ramifications of failing to do so. Equifax blamed a nasty server-side remote code execution (RCE) bug (CVE-2017-5638) for the massive data breach of 2017. The patch had been available for months before the breach, it turned out, but Equifax hadn’t applied it.
Read more at https://nakedsecurity.sophos.com/2019/08/19/61-impacted-versions-of-apache-struts-left-off-security-advisories/
iPhone holes and Android malware – how to keep your phone safe
By Paul Ducklin
Recent news stories about mobile phone security – or, more precisely, about mobile phone insecurity – have been more dramatic than usual.
That’s because we’re in what you might call “the month after the week before” – last week being when the annual Black Hat USA conference took place in Las Vegas.
A lot of detailed cybersecurity research gets presented for the first time at that event, so the security stories that emerge after the conference papers have been delivered often dig a lot deeper than usual.
In particular, we heard from two mobile security researchers in Google’s Project Zero team: one looked at the Google Android ecosystem; the other at Apple’s iOS operating system.
Natalie Silvanovich documented a number of zero-day security holes in iOS that crooks could, in theory, trigger remotely just by sending you a message, even if you never got around to opening it.
Maddie Stone described the lamentable state of affairs at some Android phone manufacturers who just weren’t taking security seriously.
Stone described one Android malware sample that infected 21,000,000 devices altogether…
…of which a whopping 7,000,000 were phones delivered with the malware preinstalled, inadvertently bundled in along with the many free apps that some vendors seem to think they can convince us we can’t live without.
But it’s not all doom and gloom, so don’t panic!
Read more at https://nakedsecurity.sophos.com/2019/08/16/iphone-holes-and-android-malware-how-to-keep-your-phone-safe/
Google removes option to disable Nest cams’ status light
By Lisa Vaas
No more stashing your Nest security cameras in the bushes to catch burglars unaware: Google informed users on Wednesday that it’s removing the option to turn off the status light that indicates when your Nest camera is recording.
You can still dim the light that shows when Google’s Nest, Dropcam, and Nest Hello cameras are on and sending video and audio to Nest, Google said, but you can’t make it go away on new cameras. If the camera is on, it’s going to tell people that it’s on – with its green status light in Nest and Nest Home and the blue status light in Dropcam – in furtherance of Google’s newest commitment to privacy.
Google introduced its new privacy commitment at its I/O 2019 developers conference in May, in order to explain how its connected home devices and services work.
The setting that enabled users to turn off the status light is being removed on all new cameras. When the cameras’ live video is streamed from the Nest app, the status light will blink. The update will be done over-the-air for all Nest cams: Google’s update notice said that the company was rolling out the changes as of Wednesday, 14 August 2019.
Read more at https://nakedsecurity.sophos.com/2019/08/16/google-removes-option-to-disable-nest-cams-status-light/
Police site DDoSer/bomb hoaxer caught after jeering on social media
By Lisa Vaas
A UK man who DDoS-ed police websites was caught and imprisoned after he jeered at police about the attacks on social media.
Liam Reece Watts, 20, targeted the Greater Manchester Police (GMP) website in August 2018 and then the Cheshire Police site in March 2019, according to ITV News. Each of the public-facing websites was disabled for about a day, The Register reported.
According to news outlets and Watts’s Twitter posts, the distributed denial-of-service (DDoS) attacks were done in retaliation for Watts having been convicted of calling in bomb hoaxes just days after the 2017 Manchester Arena suicide attack left 22 people dead and 500 injured.
Watts, who was 19 at the time of the DDoS attacks, was caught after he taunted police through Twitter. He used the handle Synic: a possible reference to SYN flood, which is a type of DoS attack in which servers are swamped with SYN – i.e., synchronize – messages.
Watts reportedly wrote this in one of his tweets:
@Cheshirepolice want to send me to prison for a bomb hoax I never did, here you f****** go, here is what I’m guilty of.
Watts reportedly posted that tweet while police were still investigating the first DDoS attack on the GMP site in 2018, and before he unleashed the March 2019 attack on the Cheshire Police site.
He reportedly admitted to carrying out the attack after police searched his home.
Read more at https://nakedsecurity.sophos.com/2019/08/16/police-site-ddoser-bomb-hoaxer-caught-after-jeering-on-social-media/