Facebook Caught Asking Some Users Passwords for Their Email Accounts

Facebook has been caught using one of the worst user-verification mechanisms imaginable, one that could put the security of its users at risk.

Generally, social media or any other online service asks users to confirm a secret code or a unique URL sent to the email address they provided for the account registration.

However, Facebook has been found asking some newly registered users to hand the social network the passwords to their email accounts, which security experts consider a terrible idea that threatens the privacy and security of its users.

First noticed by the Twitter user e-Sushi (@originalesushi), Facebook has been prompting users to hand over their passwords for third-party email services so that the company can “automatically” verify their email addresses.

However, the prompt appears only for addresses from certain email providers that Facebook considers suspicious.

“Tested it myself registering 3 times with 3 different emails using 3 different IPs and 2 different browsers. 2 out of 3 times I faced that email password verification thing right after clicking “register account” on their front page sign up form,” e-Sushi said in a tweet.

“By going down that road, you’re practically fishing for passwords you are not supposed to know!”

It is ironic that this news came just two weeks after Facebook admitted that it had mistakenly stored the passwords of “hundreds of millions” of its users in plaintext for years in internal company logs that were accessible to 2,000 Facebook employees.

In a statement provided to the Daily Beast, Facebook confirmed the existence of this “dubious” verification process but also claimed it does not store the user-provided email passwords on its servers.

images from Hacker News

In-Depth Analysis of JS Sniffers Uncovers New Families of Credit Card-Skimming Code

In a world that is growing increasingly digital, Magecart attacks have emerged as a key cybersecurity threat to e-commerce sites.

Magecart, which has been in the news a lot lately, is an umbrella term for 12 different cybercriminal groups that specialise in secretly implanting a piece of code on compromised e-commerce sites with the intent of stealing their customers’ payment card details.

The malicious code, commonly known as JS sniffers, JavaScript sniffers, or online credit card skimmers, is designed to intercept user input on compromised websites and steal customers’ bank card numbers, names, addresses, login details, and passwords in real time.

Magecart made headlines last year after cybercriminals carried out several high-profile heists involving major companies including British Airways, Ticketmaster, and Newegg, and the online bedding retailers MyPillow and Amerisleep are recent victims of these attacks.

The early success of these attacks already indicated that we are likely to see many more of them in the coming days.

Security firm Group-IB today published a report, shared with The Hacker News prior to its release, detailing nearly 38 different JS-sniffer families that its researchers documented after analysing 2,440 infected e-commerce websites.

All of these JS-sniffer families have been categorised into two groups. The first is universal code that can be integrated into any website, for example the G-Analytics and WebRank families of JS sniffers.


WordPress iOS App Bug Leaked Secret Access Tokens to Third-Party Sites

If you have a “private” blog on WordPress.com and use its official iOS app to create or edit posts and pages, the secret authentication token for your admin account might have accidentally been leaked to third-party websites.

WordPress has recently patched a severe vulnerability in its iOS application that leaked secret authorisation tokens for users whose blogs used images hosted on third-party sites, a spokesperson for Automattic confirmed to The Hacker News in an email.

Discovered by WordPress’s own engineers, the vulnerability resided in the way the WordPress iOS application fetched images that were used by private blogs but hosted outside WordPress.com, for example on Imgur or Flickr.

That means that if an image was hosted on Imgur, the WordPress iOS app would send along the user’s WordPress.com authorisation token when it fetched the image, leaving a copy of the token in the access logs of Imgur’s web server.

It should be noted that the WordPress application for Android and self-hosted WordPress websites are not affected by this issue.


540 Million Facebook User Records Found On Unprotected Amazon Servers

It has been a bad week for Facebook users.

First, the social media company was caught asking some of its new users to share passwords for their registered email accounts and now…

…the bad week gets worse with a new privacy breach.

More than half a billion records of millions of Facebook users have been found exposed on unprotected Amazon cloud servers.

The exposed datasets did not come directly from Facebook; instead, they were collected and insecurely stored online by third-party Facebook app developers.

Researchers at the cybersecurity firm UpGuard today revealed that they discovered two such datasets, one from a Mexican media company called Cultura Colectiva and another from a Facebook-integrated app called “At the pool”, both left publicly accessible on the Internet.


NSA Releases GHIDRA Source Code — Free Reverse Engineering Tool

Update (4/4/2019) — Great news.

The NSA today finally released the complete source code for GHIDRA version 9.0.2, which is now available in its GitHub repository.

GHIDRA is the agency’s home-grown, classified software reverse engineering tool, which agency experts have been using internally for over a decade to hunt for security bugs in software and applications.

GHIDRA is a Java-based reverse engineering framework that features a graphical user interface (GUI) and has been designed to run on a variety of platforms including Windows, macOS, and Linux.

Reverse engineering a program involves disassembling it, i.e. converting binary instructions back into assembly code when the source code is unavailable, which helps software engineers, and especially malware analysts, understand the functionality of the code and its actual design and implementation.

The existence of GHIDRA was first publicly revealed by WikiLeaks in the CIA Vault 7 leaks, but the NSA today publicly released the tool for free at the RSA conference, making it a strong alternative to expensive commercial reverse engineering tools such as IDA Pro.

“It [GHIDRA] helps analyse malicious code and malware like viruses, and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems,” the NSA’s official website says in describing GHIDRA.
