Hacks

A researcher discovered a critical Account takeover vulnerability in Facebook’s Authorization feature “Login with Facebook” and, it allowed attackers to steal the Access_Token and completely take over the victim’s Facebook account. Facebook using  OAuth 2.0  as an Authorization protocol that helps to exchange the token from Facebook and other third party websites. The vulnerability resides in the “Login with Facebook” feature that allowed attackers to set up a malicious website, and steak the Access token for several apps including Instagram, Oculus, Netflix, Tinder, Spotify, etc along with Facebook accounts. Once the attacker compromised the targeted accounts using the stolen tokens, he/she could able to gain full read/write privileges such as messages, photos, videos even if privacy control is set to the “only me”. Indian Security Researcher  Amol Baikar   who found this Vulnerability told  GBHackers on Security  ” This critical Faceboo...

On the same day yesterday, when the US-based telecom giant  T-Mobile admitted a data breach , the UK-based telecommunication provider Virgin Media announced that it has also suffered a data leak incident exposing the personal information of roughly 900,000 customers. What happened? Unlike the T-Mobile data breach that involved a sophisticated cyber attack, Virgin Media said the incident was neither a cyber attack nor the company's database was hacked. Rather the personal details of around 900,000 Virgin Media UK-based customers were exposed after one of its marketing databases was left unsecured on the Internet and accessible to anyone without requiring any authentication. "The precise situation is that information stored on one of our databases has been accessed without permission. The incident did not occur due to a hack, but as a result of the database being incorrectly configured," the company said in a  note published  on its website on Thursday night. Accord...

The most popular free certificate signing authority  Let's Encrypt  is going to revoke more than 3 million TLS certificates within the next 24/48 hours that may have been issued wrongfully due to a bug in its Certificate Authority software. The bug, which Let's Encrypt  confirmed  on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates. As a result, the bug opened up a scenario where a certificate could be issued even without adequately validating the holder's control of a domain name. The  Certification Authority Authorization  (CAA), an internet security policy, allows domain name holders to indicate to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a specific domain name. Let's Encrypt considers domain validation results good only for 30 days from the time of validation, after which it rechecks the CAA record a...

Google has published a blog post recommending mobile app developers to encrypt data that their apps generate on the users' devices, especially when they use unprotected external storage that's prone to hijacking. Moreover, considering that there are not many reference frameworks available for the same, Google also advised using an easy-to-implement  security library  available as part of its Jetpack software suite. The open-sourced  Jetpack Security  (aka JetSec) library lets Android app developers easily read and write encrypted files by following  best security practices , including storing cryptographic keys and protecting files that may contain sensitive data, API keys, OAuth tokens. To give a bit of context, Android offers developers  two different ways  to save app data. The first one is app-specific storage, also known as internal storage, where the files are stored in a sandboxed folder meant for a specific app's use and inaccessible t...

If your web server is running on Apache Tomcat, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control over it. Yes, that's possible because all versions (9.x/8.x/7.x/6.x) of the Apache Tomcat released in the past 13 years have been found vulnerable to a new high-severity (CVSS 9.8) ' file read and inclusion bug '—which can be exploited in the default configuration. But it's more concerning because several proof-of-concept exploits ( 1 ,  2 ,  3 ,  4  and  more ) for this vulnerability have also been surfaced on the Internet, making it easy for anyone to hack into publicly accessible vulnerable web servers. Dubbed ' Ghostcat ' and tracked as  CVE-2020-1938 , the flaw could let unauthenticated, remote attackers read the content of any file on a vulnerable web server and obtain sensitive configuration files or source code, or execute arbitrary code if the server allows fil...