Snapd Flaw Lets Attackers Gain Root Access On Linux Systems

Ubuntu and some other Linux distributions suffer from a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to obtain root privileges and total control over the targeted system.

Dubbed “Dirty_Sock” and identified as CVE-2019-7304, the vulnerability was discovered by security researcher Chris Moberly, who privately disclosed it to Canonical, the maker of Ubuntu, late last month.

The vulnerability resides in the REST API of the snapd service, a universal Linux packaging system that makes an application compatible with various Linux distributions without requiring any modification.

Built by Canonical, snapd is installed by default on all versions of Ubuntu and is also used by other Linux distributions, including Debian, OpenSUSE, Arch Linux, Solus, and Fedora.

Snap packages are basically applications compressed together with their dependencies that also include instructions on how to run and interact with other software on various Linux systems for desktop, cloud, and Internet of Things.

Hacker Breaches Dozens of Sites, Puts 127 Million New Records Up for Sale

A hacker who was selling details of nearly 620 million online accounts stolen from 16 popular websites has now put up a second batch of 127 million records originating from 8 other sites for sale on the dark web.

Last week, The Hacker News received an email from a Pakistani hacker who claims to have hacked dozens of popular websites (listed below) and to be selling their stolen databases online.

During an interview with The Hacker News, the hacker also claimed that many targeted companies probably have no idea that they have been compromised and that their customers’ data have already been sold to multiple cyber criminal groups and individuals.

Package 1: Databases From 16 Compromised Websites On Sale

In the first round, the hacker, who goes by the online alias “gnosticplayers”, was selling details of 617 million accounts belonging to the following 16 compromised websites for less than $20,000 in Bitcoin on the dark web marketplace Dream Market:

  • Dubsmash — 162 million accounts
  • MyFitnessPal — 151 million accounts
  • MyHeritage — 92 million accounts
  • ShareThis — 41 million accounts
  • HauteLook — 28 million accounts
  • Animoto — 25 million accounts
  • EyeEm — 22 million accounts
  • 8fit — 20 million accounts
  • Whitepages — 18 million accounts
  • Fotolog — 16 million accounts
  • 500px — 15 million accounts
  • Armor Games — 11 million accounts
  • BookMate — 8 million accounts
  • CoffeeMeetsBagel — 6 million accounts
  • Artsy — 1 million accounts
  • DataCamp — 700,000 accounts

Out of these, the popular photo-sharing service 500px has confirmed that the company suffered a data breach in July last year and that personal data, including full names, usernames, email addresses, password hashes, location, birth date, and gender, for all of the roughly 14.8 million users that existed at the time were exposed online.

Just yesterday, Artsy, DataCamp and CoffeeMeetsBagel also confirmed that the companies were victims of a breach last year and that personal and account details of their customers were stolen by an unauthorised attacker.

Diet tracking service MyFitnessPal, online genealogy platform MyHeritage and cloud-based video maker service Animoto had confirmed the data breaches last year.

In response to the news, video-sharing app Dubsmash also issued a notice informing its users that they have launched an investigation and contacted law enforcement to look into the matter.

WARNING – New Phishing Attack That Even Most Vigilant Users Could Fall For

How do you check if a website asking for your credentials is fake or legit to log in?

By checking if the URL is correct?

By checking if the website address is not a homograph?

By checking if the site is using HTTPS?

Or using software or browser extensions that detect phishing domains?

Well, if you, like most Internet users, are also relying on the above basic security practices to spot if that “Facebook.com” or “Google.com” you have been served with is fake or not, you may still fall victim to a newly discovered creative phishing attack and end up giving away your passwords to hackers.

Antoine Vincent Jebara, co-founder and CEO of password managing software Myki, told The Hacker News that his team recently spotted a new phishing attack campaign “that even the most vigilant users could fall for.”

Vincent found that cybercriminals are distributing links to blogs and services that prompt visitors to first “login using Facebook account” to read an exclusive article or purchase a discounted product.

That’s fine. Login with Facebook or any other social media service is a safe method and is being used by a large number of websites to make it easier for visitors to sign up for a third-party service quickly.

Generally, when you click the “log in with Facebook” button available on any website, you either get redirected to facebook.com or are served with facebook.com in a new pop-up browser window, asking you to enter your Facebook credentials to authenticate using OAuth and permit the service to access your profile’s necessary information.

Adobe Releases February 2019 Patch Updates For 75 Vulnerabilities

Welcome back!

Adobe has today released its monthly security updates to address a total of 75 security vulnerabilities across its various products, 71 of which reside in Adobe Acrobat and Reader alone.

The February 2019 Patch Tuesday updates address several critical and important vulnerabilities in Adobe Acrobat Reader DC, Adobe ColdFusion, Creative Cloud Desktop Application, and Adobe Flash Player for Windows, macOS, Linux, and Chrome OS.

According to the advisory released today, 43 out of 71 vulnerabilities addressed by Adobe in Acrobat and Reader are rated as critical in severity, most of which could lead to arbitrary code execution in the context of the current user upon successful exploitation.

The update also includes a permanent fix for a critical, publicly disclosed zero-day vulnerability (CVE-2019-7089) impacting Adobe Reader that could allow remote attackers to steal Windows NTLM password hashes from targeted users just by tricking victims into opening a specially crafted PDF file.

Another advisory related to Adobe Flash Player, which will receive security patch updates until the end of 2020, reveals the existence of an important out-of-bounds read vulnerability (CVE-2019-7090) that could lead to information disclosure.

ColdFusion, Adobe’s commercial rapid web application development platform, also receives patches for a critical arbitrary code execution flaw and an important cross-site scripting vulnerability that could result in information disclosure.

New Unpatched macOS Flaw Lets Apps Spy On Your Safari Browsing History

A new security vulnerability has been discovered in the latest version of Apple’s macOS Mojave that could allow a malicious application to access data stored in restricted folders which are otherwise not accessible to every app.

Discovered by application developer Jeff Johnson on February 8, the vulnerability is unpatched at the time of writing and impacts all versions of macOS Mojave, including the macOS Mojave 10.14.3 Supplemental Update released on February 7.

Certain folders in macOS Mojave have restricted access that is forbidden by default, like ~/Library/Safari, which can be accessed by only a few applications, such as Finder.

However, Johnson discovered a way to bypass these restrictions in Mojave, allowing applications to access ~/Library/Safari without needing any permission from the user or the system, and read users’ web browsing history.
