April 30, 2020

Flaw in defunct WordPress plugin exploited to create backdoor

By John E Dunn

A vulnerability discovered last year in the defunct OneTone WordPress theme plugin is now being exploited by hackers to compromise entire sites while installing backdoor admin accounts.

The attacks were noticed earlier this month by security company Sucuri, and are believed to be ongoing.

The vulnerability that makes it possible is a cross-site scripting (XSS) flaw that allows attackers to inject malicious JavaScript into the plugin’s settings, redirecting innocent visitors to the attacker’s landing page.

In addition, JavaScript is injected via HTML <script> tags, which allows attackers to detect and hijack authenticated admin sessions.

Read more at https://nakedsecurity.sophos.com/2020/04/29/flaw-in-defunct-wordpress-plugin-exploited-to-create-backdoor/

Twitter turns off SMS-based tweeting in most countries

By Lisa Vaas

Buh-bye, original way of tweeting: Twitter said that for the most part, it’s turned off its Twitter via texting service.

Besides a few countries that rely on the feature, Twitter’s turned off its ability to take in our SMS messages and turn them into tweets. On Monday, it said on its support account that it’s killed SMS tweeting in order to keep our accounts safe, referring to SMS-enabled vulnerabilities for which it didn’t give any details.

“We want to continue to help keep your account safe. We’ve seen vulnerabilities with SMS, so we’ve turned off our Twitter via SMS service, except for a few countries.

“Everyone will still have access to important SMS messages needed to log in to and manage their accounts.”

This isn’t a biggie for most of us, given that nowadays, the vast majority of Twitter’s users access the service via its mobile or online apps. And, as Twitter noted, you can still use SMS messages to do important things, like sending authentication codes needed to log in.

But “most of us” isn’t all of us.

Read more at https://nakedsecurity.sophos.com/2020/04/29/twitter-turns-off-sms-based-tweeting-in-most-countries/

iPhone “word of death” could crash your phone – what you need to know

By Paul Ducklin

It’s happened again!

A weird combination of Unicode characters that make up a nonsense word can crash your iPhone, apparently by confusing the iOS operating system when it tries to figure out how to display the “word”.

(We say apparently because we have an iPhone 6+, which is stuck back on iOS 12, and we couldn’t get our phone to crash, although we’ve seen one person on Twitter claiming that their iOS 12 device was affected.)

If you’re a regular Naked Security reader, you’ll have a feeling not just of having read this before but of having read it before, because we covered similar troubles for iOS back in 2013 and in 2018.

And it’s not only Apple that has been in the firing line here, with the WhatsApp software having similar issues in the past dealing with legal-but-unusual character code combinations, and leading to what was described at the time as a “text bomb”.

Read more at https://nakedsecurity.sophos.com/2020/04/28/iphone-word-of-death-could-crash-your-phone-what-you-need-to-know/
