February 14, 2020

Cookie-nabbing app could have served users side helping of XSS

By Danny Bradbury

A popular GDPR compliance WordPress plugin vendor has patched a flaw that rendered both site visitors and admins vulnerable to cookie-stealing cross-site scripting (XSS) attacks.

The GDPR Cookie Consent plugin, created by WebToffee, claims over 700,000 users. It is a notification plugin that asks you to accept cookies when you first visit a WordPress site. Website owners use tools like this to stay compliant with GDPR, which treats cookies as a form of online identifier and therefore subject to its consent rules.

While the GDPR Cookie Consent plugin asks you if you’d mind accepting cookies, it doesn’t ask you if you’d like a dollop of XSS with them too. Until this week, that’s what visitors to pages containing the plugin might have been vulnerable to.

The flaw enabled an XSS attack and elevation of privilege in versions 1.8.2 and earlier, according to a blog post by The Ninja Technologies Network, which sells web application firewalls to protect WordPress sites.

According to Wordfence, the cause of the vulnerability was an AJAX endpoint used in the administration section of the plugin. (AJAX is the technique by which a page's JavaScript makes background HTTP requests to the server; in WordPress those requests go through admin-ajax.php, which any logged-in user can reach, so each handler has to check the caller's capability itself.) The endpoint exposed three functions to blog subscribers, the lowest-privilege WordPress role, that should only have been available to admins: get_policy_pageid, autosave_contant_data ("contant" is a typo in the code itself), and save_contentdata. The first just returns a post ID for the plugin's cookie policy page and isn't really significant, Wordfence said.

The second, which saves the default content for that page, is more worrisome. Because the HTML was stored unfiltered, an attacker could alter it to contain JavaScript, and so deliver a stored XSS payload to any user who viewed it on the plugin's /cli-policy-preview/ page.

Read more at https://nakedsecurity.sophos.com/2020/02/14/cookie-nabbing-app-could-have-served-users-side-helping-of-xss/

Suspect who refused to decrypt hard drives released after four years

By John E Dunn

The contentious case of a man held in custody since 2015 for refusing to decrypt two hard drives appears to have reached a resolution of sorts after the US Court of Appeals ordered his release.

Former Philadelphia police sergeant Francis Rawls was arrested in September 2015, during which the external hard drives were seized along with other computers from his home.

Based on forensic analysis of his download habits and the testimony of his sister, the police believe they contained child abuse imagery but were unable to prove that without access to the drives.

Rawls claimed he did not know or had forgotten the passcodes while his lawyers argued that on principle forcing him to reveal these violated his Fifth Amendment right against self-incrimination.

Rawls was held in civil contempt of court, and in 2017 a second court rejected the Fifth Amendment argument.

Rawls was never formally charged with a crime, and a lot seems to have hinged on whether he should be treated as a suspect or a witness. If he was considered a witness, then being asked to provide information that could be used against himself is, in effect, being compelled to give self-incriminating testimony.

Read more at https://nakedsecurity.sophos.com/2020/02/14/suspect-who-refused-to-decrypt-hard-drives-released-after-four-years/

Facebook ices in-app dating in EU after questions from regulator

By Lisa Vaas

Facebook has delayed the rollout of its new dating feature in Europe, following officers from the Irish data regulator having popped by to ask why Facebook hadn’t checked in about it earlier or provided the necessary data privacy paperwork.

The Irish Data Protection Commission (DPC) said on Wednesday that Facebook Ireland hadn't contacted the DPC about its intention to roll out the new dating feature in the EU until Monday, 3 February. That's not much notice, the DPC said, given that this was the first it had heard of the feature and that Facebook planned to launch it just 10 days later.

We were very concerned that this was the first that we’d heard from Facebook Ireland about this new feature […]. Our concerns were further compounded by the fact that no information/documentation was provided to us on 3 February in relation to the Data Protection Impact Assessment [DPIA] or the decision-making processes that were undertaken by Facebook Ireland.

Facebook first started talking about invading Tinder’s space with a dating feature for meeting non-friends back in May 2018 at its F8 developer conference. Then, it launched the in-app dating feature – called Facebook Dating – in September 2019 in the US, after having previously premiered it in 19 other countries, including Colombia, Canada, and Thailand.

Read more at https://nakedsecurity.sophos.com/2020/02/14/facebook-ices-in-app-dating-in-eu-after-questions-from-regulator/

Self-driving car dataset missing labels for pedestrians, cyclists

By Lisa Vaas

A popular self-driving car dataset for training machine-learning systems – one that’s used by thousands of students to build an open-source self-driving car – contains critical errors and omissions, including missing labels for hundreds of images of bicyclists and pedestrians.

Machine learning models are only as good as the data on which they’re trained. But when researchers at Roboflow, a firm that writes boilerplate computer vision code, hand-checked the 15,000 images in Udacity Dataset 2, they found problems with 4,986 – that’s 33% – of those images.

From a writeup of Roboflow’s findings, which were published by founder Brad Dwyer on Tuesday:

Amongst these [problematic data] were thousands of unlabeled vehicles, hundreds of unlabeled pedestrians, and dozens of unlabeled cyclists. We also found many instances of phantom annotations, duplicated bounding boxes, and drastically oversized bounding boxes.

Perhaps most egregiously, 217 (1.4%) of the images were completely unlabeled but actually contained cars, trucks, street lights, and/or pedestrians.

Junk in, junk out. In the case of the AI behind self-driving cars, junk data could literally lead to deaths. This is how Dwyer describes how bad/unlabeled data propagates through a machine learning system:

Generally speaking, machine learning models learn by example. You give it a photo, it makes a prediction, and then you nudge it a little bit in the direction that would have made its prediction more ‘right’. Where ‘right’ is defined as the ‘ground truth’, which is what your training data is.

If your training data’s ground truth is wrong, your model still happily learns from it, it’s just learning the wrong things (eg ‘that blob of pixels is *not* a cyclist’ vs ‘that blob of pixels *is* a cyclist’)

Neural networks do an OK job of performing well despite *some* errors in their training data, but when 1/3 of the ground truth images have issues it’s definitely going to degrade performance.
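
Roboflow's defect categories translate directly into checks you can run over an annotation file before training: frames with no labels at all, boxes that reference frames not in the dataset or have no area, duplicated boxes, and boxes far larger than any plausible object. The audit below is an added example, not Roboflow's tooling or Udacity's data; the frames, boxes, frame size and the 50% "oversized" threshold are constructed for illustration.

```python
"""Ground-truth audit for a bounding-box dataset.

Added example (not Roboflow's code). Frames, boxes and the frame size are
constructed; the oversized threshold is a heuristic, not a dataset rule.
"""
from collections import Counter, defaultdict

FRAME_W, FRAME_H = 1920, 1200       # assumed frame size for the constructed data

# Constructed inputs: every frame the dataset ships, plus its annotation rows.
FRAMES = ["f001.jpg", "f002.jpg", "f003.jpg", "f004.jpg"]
BOXES = [
    {"frame": "f001.jpg", "label": "car",        "xmin": 100, "ymin": 400, "xmax": 300,  "ymax": 520},
    {"frame": "f001.jpg", "label": "car",        "xmin": 100, "ymin": 400, "xmax": 300,  "ymax": 520},   # duplicate
    {"frame": "f002.jpg", "label": "pedestrian", "xmin": 0,   "ymin": 0,   "xmax": 1900, "ymax": 1150},  # oversized
    {"frame": "f003.jpg", "label": "cyclist",    "xmin": 700, "ymin": 500, "xmax": 650,  "ymax": 600},   # inverted x
    {"frame": "f999.jpg", "label": "truck",      "xmin": 10,  "ymin": 10,  "xmax": 200,  "ymax": 150},   # no such frame
    # f004.jpg has no rows at all: an "unlabeled" frame
]


def audit(frames, boxes, max_area_frac=0.5):
    """Return the frames/boxes falling into each defect class."""
    known = set(frames)
    per_frame = defaultdict(list)
    for b in boxes:
        per_frame[b["frame"]].append(b)

    report = {"unlabeled": [], "phantom": [], "degenerate": [], "duplicate": [], "oversized": []}
    # Frames that ship with zero boxes. Some may truly be empty road, so these need a human look.
    report["unlabeled"] = [f for f in frames if not per_frame.get(f)]

    frame_area = FRAME_W * FRAME_H
    for frame, rows in per_frame.items():
        if frame not in known:
            report["phantom"].append(frame)       # annotation for a frame that does not exist
            continue
        key = lambda r: (r["label"], r["xmin"], r["ymin"], r["xmax"], r["ymax"])
        seen = Counter(key(r) for r in rows)
        report["duplicate"] += [(frame, k[0]) for k, n in seen.items() if n > 1]
        for r in rows:
            w, h = r["xmax"] - r["xmin"], r["ymax"] - r["ymin"]
            if w <= 0 or h <= 0:
                report["degenerate"].append((frame, r["label"]))      # zero or negative area
            elif w * h > max_area_frac * frame_area:
                report["oversized"].append((frame, r["label"]))       # covers most of the frame
    return report


def summary(report, n_frames):
    """Counts per class plus the fraction of frames touched by any issue."""
    bad_frames = set(report["unlabeled"])
    bad_frames |= {f for f, _ in report["duplicate"] + report["degenerate"] + report["oversized"]}
    counts = {k: len(v) for k, v in report.items()}
    counts["frames_with_issues"] = len(bad_frames)
    counts["fraction"] = len(bad_frames) / n_frames
    return counts


if __name__ == "__main__":
    r = audit(FRAMES, BOXES)
    for k, v in r.items():
        print(f"{k:>10}: {v}")
    print(summary(r, len(FRAMES)))
```

Run this over the real label file before the first training epoch, not after the model starts missing cyclists; the "unlabeled" list in particular needs a person to confirm which frames are genuinely empty, since the model treats an empty label set as "nothing to see here" and learns exactly that.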

Read more at https://nakedsecurity.sophos.com/2020/02/14/self-driving-car-dataset-missing-labels-for-pedestrians-cyclists/

Corp.com is up for sale – check your Active Directory settings!

By Danny Bradbury

An old domain that has lain dormant for 26 years is going on sale – and the results could be catastrophic for enterprises with poorly configured Active Directory setups.

Brian Krebs reports that Mike O’Connor, a domain prospector who registered corp.com in 1994, wants to sell the domain for $1.7 million as he simplifies his estate. Most other domains would simply be a useful way to generate web traffic, but corp.com is different.

The problem lies with Microsoft’s Active Directory. This product, which provides identity management services across most of the world’s enterprises, depends on DNS for naming, and an organisation’s internal AD namespace is served by its own DNS servers: it is connected to, but separate from, the public DNS, and it need not correspond to any domain the organisation actually owns.

Because Active Directory is controlling what happens inside the company network, the company can host its services on whatever domains it likes. So, let’s say that your company hosts all of the services that its employees can access from inside the company network on the example.com domain.

The company HR portal might be accessible via a Fully Qualified Domain Name (FQDN) like hr-portal.example.com, for example, assuming that example.com was your company’s domain. Active Directory ensures that people inside the company network who type hr-portal.example.com into their browser are sent to the company HR portal.

No one wants to type in the full name for a server that they visit every day from inside the company network. So, Windows makes that easier too, using a feature called DNS devolution. It works by appending the machine’s primary DNS suffix (normally the Active Directory domain it is joined to) to an unqualified name and, if that fails, progressively shorter parent suffixes. In our example, you could just type hr-portal, and Windows will try appending .example.com to see if it gets a hit.

Windows machines use a suffix search list to decide which suffixes to try. The list is either derived by devolution or configured explicitly, via DHCP, Group Policy or the registry (on Unix-like systems the equivalent lives in /etc/resolv.conf). As section 3.1 of this ICANN Security and Stability Advisory Committee (SSAC) document on DNS search list processing points out, search list processing is affected by factors including the computer’s hostname and DNS suffix (which you’ll be asked for when setting up business versions of Windows).
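
The candidate names a client ends up querying are easy to enumerate, and enumerating them is the check worth running before corp.com changes hands: anything that lands outside a zone you control will be sent to whoever owns the parent domain whenever the internal resolver cannot answer it or the laptop is off the corporate network. The function below is an added illustration in Python, not code from the article, Krebs or Microsoft; the suffix names, the owned-zone list and the devolution level of 2 are assumptions for the example.

```python
"""Which FQDNs does a Windows client actually query for an unqualified name?

Added example; not from the article or Microsoft. Suffixes, owned zones and the
devolution level are assumed for illustration.
"""


def suffixes_to_try(primary_suffix="", search_list=None, use_devolution=True, devolution_level=2):
    """Suffixes appended to a single-label name, in the order they are tried.

    An explicit suffix search list (DHCP, Group Policy or the registry) replaces
    devolution entirely. Otherwise the primary DNS suffix (normally the AD domain)
    goes first, then each parent, stopping once a parent has fewer labels than
    devolution_level. Windows derives that level from the forest root domain
    and falls back to 2; it is a parameter here so you can match your forest.
    """
    if search_list:
        return [s.strip(".").lower() for s in search_list if s.strip(".")]
    out = []
    labels = [l for l in primary_suffix.lower().split(".") if l]
    if labels:
        out.append(".".join(labels))
        if use_devolution:
            labels = labels[1:]
            while len(labels) >= devolution_level:
                out.append(".".join(labels))
                labels = labels[1:]
    return out


def candidate_fqdns(name, **resolver_settings):
    """Every FQDN the client may look up for `name`, given the resolver settings."""
    name = name.strip().lower()
    if name.endswith("."):
        return [name]               # already fully qualified: nothing is appended
    if "." in name:
        return [name]               # multi-label names are queried as typed (suffixing them is optional; off here)
    return [f"{name}.{s}" for s in suffixes_to_try(**resolver_settings)]


def leaked_lookups(fqdns, owned_zones):
    """Candidates that fall outside every zone the organisation controls."""
    owned = {z.strip(".").lower() for z in owned_zones}

    def inside_owned(fqdn):
        labels = fqdn.split(".")
        return any(".".join(labels[i:]) in owned for i in range(1, len(labels)))

    return [f for f in fqdns if not inside_owned(f)]


if __name__ == "__main__":
    OWNED = ["example.com"]         # assumed: the only public zone this organisation registered
    # Assumed AD naming choices: one under a registered zone, one under a zone nobody at the company owns.
    for primary in ("corp.example.com", "ad.corp.com"):
        cands = candidate_fqdns("hr-portal", primary_suffix=primary)
        print(f"primary suffix {primary}: tries {cands}")
        print(f"   leaves your control: {leaked_lookups(cands, OWNED)}")
```

On a domain-joined machine the inputs come from Get-DnsClientGlobalSetting (SuffixSearchList, UseDevolution, DevolutionLevel) and the primary DNS suffix in the system properties. The second assumed case shows the shape of the corp.com problem: an AD domain named under a public domain the company never registered means even the devolved lookup for an internal host name is a query for a name somebody else can answer, and pinning an explicit search list only narrows the candidates rather than fixing the name.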

Read more at https://nakedsecurity.sophos.com/2020/02/14/corp-com-is-up-for-sale-check-your-active-directory-settings/

Firefox six-weekly security fixes are out – get them now!

By Paul Ducklin

Mozilla’s own “patch Tuesday” for Firefox happened this week.

Rather than patching once a calendar month, Mozilla goes for every sixth Tuesday – or every 42 days, which we call Fortytwosday in a hat-tip to HHGttG.

This update takes the regular build of Firefox to 73.0, while the long-term release, which includes security fixes but not feature updates, goes to 68.5.0esr.

ESR is short for Extended Support Release, and if you want to know which regular release it matches up to for security patches, just add the leftmost two numbers together, and notice that 68+5 = 73.

The good news is that none of the security holes fixed in this update seem to be what are known as zero-day vulnerabilities, which is the industry term for bugs that the crooks figure out first.

(The name zero day reflects the fact that even if you are the sort of person who patches as soon as you can, there would have been zero days on which you could have been ahead of the crooks.)

Read more at https://nakedsecurity.sophos.com/2020/02/13/firefox-six-weekly-security-fixes-are-out-get-them-now/

IE zero day and heap of RDP flaws fixed in February Patch Tuesday

By John E Dunn

Weeks after the world first got wind of it, Microsoft has finally patched the Internet Explorer (IE) zero-day flaw the company said in January was being used in “limited targeted attacks”.

The fix is part of the February Patch Tuesday update that features a record 99 security vulnerabilities including 12 marked as ‘critical’ and 87 ‘important’.

The first indication of the IE zero-day, now identified as CVE-2020-0674, appeared when Mozilla fixed a very similar issue in Firefox (CVE-2019-17026, shipped as Firefox 72.0.1) on 8 January, less than two days after the release of version 72.

The attacks were reported to Mozilla by a third party which, in a later-deleted reference, mentioned that the same issue also affected IE. On 17 January, Microsoft issued its own alert regarding the Scripting Engine memory corruption flaw, citing IE’s Enhanced Security Configuration protection as a mitigation against attacks.

This matters because the affected scripting engine (jscript.dll) ships as part of Windows 10, so it presents a risk even to those who never open IE: other applications can load it to run script. In the last year, IE has had other similar troubles, including CVE-2019-1367, a zero-day in September, and a proof-of-concept vulnerability reported in April.

And that’s not all – CVE-2020-0673, CVE-2020-0674, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, and CVE-2020-0767 are all Scripting Engine memory corruption issues connected to Edge and IE browsers.

Read more at https://nakedsecurity.sophos.com/2020/02/13/ie-zero-day-and-heap-of-rdp-flaws-fixed-in-february-patch-tuesday/

Google to force Nest users to turn on 2FA

By Lisa Vaas

Nest owners, if you aren’t already flying with two-factor authentication (2FA) on your accounts, get ready for Google to push you into spreading those security wings.

On Tuesday – which, appropriately enough, was Safer Internet Day – Google announced that in the spring (or in the fall, for those in the Southern Hemisphere), it will start forcing users of its Nest webcams and other products to use 2FA to secure their accounts.

Nest users who haven’t yet enrolled in the 2FA option or migrated to a Google account will be required to take an extra step by verifying their identity via email, Google said in a blog post. When a new login hits your Nest account, you’ll get a login notification from account@nest.com containing a six-digit verification code. Without that code, anybody trying to get into your account will be locked out.

That should help with, say, keeping creeps from talking to your baby through a Nest security cam, or trying to crank up your Nest thermostat to tropical levels, both of which have happened to people who say they weren’t aware that 2FA is an option.

Google:

This will greatly reduce the likelihood of an unauthorized person gaining access to your Nest account.

Google started sending out login notifications for Nest accounts in December 2019. Sometimes, simply being told that somebody’s logged into your account is all it takes to spot suspicious activity, Google said:

Every time someone on your account logs in you’ll receive an email notification. That way if it wasn’t you, you can take action immediately.

Read more at https://nakedsecurity.sophos.com/2020/02/13/google-to-force-nest-users-to-turn-on-2fa/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation