Brazil’s Biggest Cosmetic Brand Natura Exposes Personal Details of Its Users

Brazil’s biggest cosmetics company, Natura, accidentally left hundreds of gigabytes of its customers’ personal and payment-related information publicly accessible online, where anyone could have read it without authentication.

SafetyDetective researcher Anurag Sen last month discovered two unprotected Amazon-hosted servers belonging to Natura, 272GB and 1.3TB in size, holding more than 192 million records between them.

According to the report Anurag shared with The Hacker News, the exposed data includes personally identifiable information on 250,000 Natura customers and their account login cookies, along with archives of server and user logs.

Worryingly, the leaked information also includes Moip payment account details, with access tokens, for nearly 40,000 wirecard.com.br users who had linked that payment service to their Natura accounts.

“Around 90% of users were Brazilian customers, although other nationalities were also present, including customers from Peru,” Anurag said.

“The compromised server contained website and mobile site API logs, thereby exposing all production server information. Furthermore, several ‘Amazon bucket names’ were mentioned in the leak, including PDF documents referring to formal agreements between various parties,” Anurag said.
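The page does not say what kind of Amazon-hosted storage was exposed, but the bucket names in the leak make S3 the obvious first thing to audit. The following is an added example, written for this edit rather than taken from SafetyDetective’s report or from Natura, of the offline half of such an audit: given a bucket policy and a list of ACL grants, it flags policy statements and grants that let anonymous principals, or any AWS account, read the bucket. The policy, ACL grants, bucket name, account ID and VPC endpoint ID are constructed sample data. In practice the inputs come from boto3’s `get_bucket_policy()` and `get_bucket_acl()`; Deny statements, NotPrincipal/NotAction and the account-level Public Access Block are deliberately out of scope here.

```python
import fnmatch
import json

# Constructed sample bucket policy: one unconditional public-read statement, one that looks
# public but is fenced by a Condition, and one scoped to a specific role. Bucket name,
# account ID and VPC endpoint ID are made up for the example.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "Deploy", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample ACL grants, in the shape boto3's get_bucket_acl() returns under "Grants".
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
]

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means no authentication is required at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions) -> bool:
    """IAM action names are case-insensitive and may carry wildcards (s3:*, s3:Get*, *)."""
    return any(fnmatch.fnmatchcase(read, a.lower())
               for a in _as_list(actions) for read in READ_ACTIONS)


def public_policy_statements(policy_json: str):
    """(Sid, kind) for every Allow statement that lets an anonymous principal read.
    kind is "public" when unconditional and "conditional" when a Condition block narrows it;
    conditional grants still deserve review, since a weak condition is as good as none.
    Not handled: Deny statements, NotPrincipal/NotAction, and the account-level
    Public Access Block, any of which can override what is found here."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _anonymous_principal(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no-sid>"), kind))
    return findings


def public_acl_grants(grants):
    """(Permission, who) for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [(g["Permission"], PUBLIC_GROUPS[g["Grantee"]["URI"]])
            for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]


if __name__ == "__main__":
    for sid, kind in public_policy_statements(SAMPLE_POLICY):
        print(f"policy statement {sid}: {kind} read access")
    for perm, who in public_acl_grants(SAMPLE_ACL_GRANTS):
        print(f"ACL grant: {perm} for {who}")
```

On the sample data the policy check reports `PublicRead` as public and `VpcEndpointOnly` as conditional, and the ACL check reports the `READ` grant to AllUsers; the role-scoped `Deploy` statement and the canonical-user grant are ignored, which is the point of matching on the principal rather than on the action alone.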

images from Hacker News

British Airline EasyJet Suffers Data Breach Exposing 9 Million Customers’ Data

British low-cost airline EasyJet today admitted that it has fallen victim to a cyber-attack, which it labelled “highly sophisticated,” exposing the email addresses and travel details of around 9 million of its customers.

In an official statement released today, EasyJet confirmed that a small subset of the 9 million affected users, 2,208 customers, also had their credit card details stolen, though no passport details were accessed.

The airline did not disclose precisely how the breach happened, when it happened, when the company discovered it, how the attackers gained access to its customers’ private information, or for how long they had access to the airline’s systems.

However, EasyJet assured its users that it had closed off the unauthorised access after discovering it, and that it found “no evidence that any personal information of any nature has been misused” by the attackers.

“As soon as we became aware of the attack, we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue,” the company said in a statement published today.

EasyJet has also notified the Information Commissioner’s Office (ICO), Britain’s data protection agency, and continues to investigate the breach incident to determine its extent and further enhance its security environment.

“We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated,” says EasyJet Chief Executive Officer Johan Lundgren.

“Since we became aware of the incident, it has become clear that owing to COVID-19, there is heightened concern about personal data being used for online scams. Every business must continue to stay agile to stay ahead of the threat.”

As a precautionary measure recommended by the ICO, the airline has started contacting all customers whose travel and credit card details were accessed in the breach to advise them to be “extra vigilant, particularly if they receive unsolicited communications.”

Affected customers will be notified by May 26.

Last year, the ICO announced its intention to fine British Airways a record £183 million for failing to protect the personal information of around half a million of its customers in a 2018 breach involving a Magecart-style card-skimming attack on its website.

Affected customers should be suspicious of phishing emails, which are usually the cybercriminals’ next step: using the stolen details to trick users into giving away further information such as passwords and banking credentials.

Customers whose credit card details were exposed are advised to block the affected cards and request replacements from their financial institutions, keep a close eye on their bank and payment card statements for any unusual activity, and report anything suspicious to the bank.

images from Hacker News

New Bluetooth Vulnerability Exposes Billions of Devices to Hackers

Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could allow an attacker to impersonate a previously paired device, exposing over a billion modern devices to attack.

The attacks, dubbed Bluetooth Impersonation AttackS (BIAS), concern Bluetooth Classic, which supports Basic Rate (BR) and Enhanced Data Rate (EDR) for wireless data transfer between devices.

“The Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment,” the researchers outlined in the paper. “Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade.”
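To make the three weaknesses in that quote concrete, here is an added example: this editor’s simplified model of Bluetooth authentication, not the EPFL researchers’ code. Legacy authentication is a unilateral challenge-response (AU_RAND in, SRES out) run by whichever device holds the verifier role; Secure Connections authentication is mutual but is used only when both peers claim to support it. The link key, device addresses and the HMAC-SHA256 stand-in for the E1 function are assumptions. The scenarios show that an impersonator without the link key is rejected when it is challenged, but if it claims legacy-only support (the downgrade), obtains a role switch (becoming the verifier) and mutual authentication is not demanded, the honest device proves itself to the impersonator and the impersonator never has to prove anything.

```python
import hashlib
import hmac
import os


def e1(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """Stand-in for the Bluetooth E1 authentication function. Assumption: HMAC-SHA256
    truncated to a 32-bit SRES; the real E1 is SAFER+-based, but nothing below depends on it."""
    return hmac.new(link_key, au_rand + bd_addr, hashlib.sha256).digest()[:4]


class Device:
    wants_role_switch = False

    def __init__(self, name: str, bd_addr: bytes, link_key: bytes, secure_connections: bool = True):
        self.name, self.bd_addr, self.link_key = name, bd_addr, link_key
        self.secure_connections = secure_connections  # what the device claims to support

    def challenge(self) -> bytes:
        return os.urandom(16)  # AU_RAND

    def respond(self, au_rand: bytes) -> bytes:
        return e1(self.link_key, au_rand, self.bd_addr)  # SRES

    def verify(self, peer_addr: bytes, au_rand: bytes, sres: bytes) -> bool:
        return hmac.compare_digest(e1(self.link_key, au_rand, peer_addr), sres)


class Impersonator(Device):
    """Knows the victim's address (it is public) but not the link key shared with the target."""
    wants_role_switch = True

    def __init__(self, victim_addr: bytes):
        # Claims no Secure Connections support, pushing the peer onto the legacy procedure.
        super().__init__("Mallory-as-Alice", victim_addr, link_key=b"", secure_connections=False)

    def respond(self, au_rand: bytes) -> bytes:
        return bytes(4)  # no link key, so no valid SRES; a fixed guess stands in for it

    def verify(self, peer_addr: bytes, au_rand: bytes, sres: bytes) -> bool:
        return True  # as verifier it accepts whatever the honest peer proves


def unilateral_auth(verifier: Device, claimant: Device) -> bool:
    au_rand = verifier.challenge()
    return verifier.verify(claimant.bd_addr, au_rand, claimant.respond(au_rand))


def establish(initiator: Device, responder: Device, *, allow_role_switch: bool,
              legacy_requires_mutual: bool) -> bool:
    """Simplified model: Secure Connections authentication is mutual and is used only when both
    sides claim it, so a peer claiming legacy-only forces the legacy procedure (the downgrade).
    In legacy mode the responder verifies the initiator unless a role switch hands the verifier
    role to the initiator, and the second direction runs only if policy demands it."""
    secure = initiator.secure_connections and responder.secure_connections
    verifier, claimant = responder, initiator
    if not secure and allow_role_switch and initiator.wants_role_switch:
        verifier, claimant = initiator, responder  # the impersonator now asks the questions
    ok = unilateral_auth(verifier, claimant)
    if secure or legacy_requires_mutual:
        ok = ok and unilateral_auth(claimant, verifier)
    return ok


LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared link key
ALICE = Device("Alice", bytes.fromhex("aabbccddeeff"), LINK_KEY)
BOB = Device("Bob", bytes.fromhex("112233445566"), LINK_KEY)
MALLORY = Impersonator(ALICE.bd_addr)


def scenarios() -> dict:
    return {
        "honest Alice <-> Bob":
            establish(ALICE, BOB, allow_role_switch=True, legacy_requires_mutual=False),
        "impersonator, role switch refused":
            establish(MALLORY, BOB, allow_role_switch=False, legacy_requires_mutual=False),
        "impersonator, role switch granted":
            establish(MALLORY, BOB, allow_role_switch=True, legacy_requires_mutual=False),
        "impersonator, mutual auth enforced":
            establish(MALLORY, BOB, allow_role_switch=True, legacy_requires_mutual=True),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} -> {'authenticated' if ok else 'rejected'}")
```

Only the third scenario succeeds for the impersonator, and it needs all three weaknesses at once: the downgrade to legacy, the permissive role switch, and the absence of mandatory mutual authentication. Refusing the role switch or insisting on the second authentication direction is enough to reject it in this model.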

Given the widespread impact of the vulnerability, the researchers said they responsibly disclosed the findings to the Bluetooth Special Interest Group (SIG), the organisation that oversees the development of Bluetooth standards, in December 2019.

The Bluetooth SIG acknowledged the flaw, adding it has made changes to resolve the vulnerability. “These changes will be introduced into a future specification revision,” the SIG said.

images from Hacker News

HTTP Status Codes Command This Malware How to Control Hacked Systems

A new version of the COMpfun remote access trojan (RAT), discovered in the wild in a recent campaign against diplomatic entities in Europe, uses the HTTP status codes returned by its command-and-control server to issue commands to compromised systems.
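A status-code channel leaves almost nothing in request or response bodies to inspect, so one place to look is the distribution of responses a host receives. The following is an added detection example, not Kaspersky’s code and not a claim about COMpfun’s actual command table: it runs over constructed, Squid-style proxy log lines, flags client/server pairs where most responses carry status codes a browser rarely sees, and separately measures how regular the request timing is, since a RAT polling its server on a fixed schedule produces near-zero jitter. The allow-list of common codes, the thresholds and the sample addresses are assumptions to tune per environment.

```python
import statistics
from collections import Counter, defaultdict

# Status codes a browser normally gets back. Anything else, returned again and again by one
# server to one client, deserves a look. Assumption: tune this allow-list to your environment.
COMMON_STATUS = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308,
                 400, 401, 403, 404, 500, 502, 503, 504}

# Constructed sample log, "unix_ts client server status method path" per line. The unusual
# codes on the 10.0.0.9 lines are made up for the example, not COMpfun's real command set.
SAMPLE_LOG = """\
1589900001 10.0.0.5 198.51.100.7 200 GET /index.html
1589900002 10.0.0.5 198.51.100.7 304 GET /style.css
1589900003 10.0.0.5 198.51.100.7 404 GET /favicon.ico
1589900010 10.0.0.9 203.0.113.44 200 GET /api/check
1589900070 10.0.0.9 203.0.113.44 422 GET /api/check
1589900130 10.0.0.9 203.0.113.44 427 GET /api/check
1589900190 10.0.0.9 203.0.113.44 424 GET /api/check
1589900250 10.0.0.9 203.0.113.44 428 GET /api/check
1589900310 10.0.0.9 203.0.113.44 402 POST /api/check
1589900370 10.0.0.9 203.0.113.44 429 GET /api/check
1589900400 10.0.0.12 198.51.100.7 429 GET /search
"""


def parse_line(line: str):
    ts, client, server, status, method, path = line.split()
    return int(ts), client, server, int(status), method, path


def records(log_text: str):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def suspicious_status_pairs(log_text: str, *, min_responses: int = 5, min_rare_ratio: float = 0.6):
    """Client/server pairs where at least min_rare_ratio of responses use codes outside
    COMMON_STATUS. Returns {(client, server): (rare_count, total, sorted rare codes)}."""
    totals = Counter()
    rare = defaultdict(Counter)
    for _, client, server, status, _, _ in records(log_text):
        totals[(client, server)] += 1
        if status not in COMMON_STATUS:
            rare[(client, server)][status] += 1
    findings = {}
    for pair, total in totals.items():
        rare_count = sum(rare[pair].values())
        if total >= min_responses and rare_count / total >= min_rare_ratio:
            findings[pair] = (rare_count, total, sorted(rare[pair]))
    return findings


def beacon_regularity(log_text: str, *, min_requests: int = 5):
    """Coefficient of variation of the gaps between requests per pair. Values near 0 mean a
    fixed polling interval, typical of a RAT checking in and atypical of a person browsing."""
    times = defaultdict(list)
    for ts, client, server, *_ in records(log_text):
        times[(client, server)].append(ts)
    out = {}
    for pair, ts in times.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # duplicate timestamps only; nothing to measure
        out[pair] = statistics.pstdev(gaps) / mean_gap
    return out


if __name__ == "__main__":
    jitter = beacon_regularity(SAMPLE_LOG)
    for pair, (rare_count, total, codes) in suspicious_status_pairs(SAMPLE_LOG).items():
        print(f"{pair[0]} -> {pair[1]}: {rare_count}/{total} unusual codes {codes}, "
              f"interval CV={jitter.get(pair, float('nan')):.2f}")
```

On the sample, only the 10.0.0.9 to 203.0.113.44 pair trips both heuristics: six of seven responses are unusual codes and the requests arrive exactly sixty seconds apart. The single 429 seen by 10.0.0.12 and the normal browsing by 10.0.0.5 fall under the minimum-response threshold, which is what keeps a lone rate-limit response from paging anyone.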

The cyberespionage malware, attributed to the Turla APT with a “medium-to-low level of confidence” based on the profile of its previous victims, spreads via an initial dropper that masquerades as a visa application, Kaspersky’s Global Research and Analysis Team discovered.

The Turla APT, a Russia-based threat group, has a long history of espionage and watering hole attacks across sectors including governments, embassies, the military, education, research, and pharmaceutical companies.

First documented by G Data in 2014, COMpfun received a significant upgrade last year, dubbed “Reductor,” after Kaspersky found the malware being used to spy on victims’ browser activity by staging man-in-the-middle (MitM) attacks on encrypted web traffic through a patch to the browser’s pseudo-random number generator (PRNG).

images from Hacker News

Improper Microsoft Patch for Reverse RDP Attacks Leaves 3rd-Party RDP Clients Vulnerable

Remember the Reverse RDP Attack, in which a client vulnerable to a path traversal flaw could be compromised when connecting to a malicious server over Microsoft’s Remote Desktop Protocol?

Although Microsoft patched the vulnerability (CVE-2019-0887) in its July 2019 Patch Tuesday update, researchers were able to bypass the patch simply by replacing the backslashes in file paths with forward slashes.

Microsoft acknowledged the incomplete fix and re-patched the flaw in its February 2020 Patch Tuesday update, now tracked as CVE-2020-0655.

In the latest report shared with The Hacker News, a Check Point researcher disclosed that Microsoft addressed the issue by adding a separate workaround in Windows while leaving the root cause of the bypass, the API function PathCchCanonicalize, unchanged.

That workaround protects the built-in RDP client in Windows, but it does nothing for third-party RDP clients that rely on the same Microsoft-provided sanitisation function, which remains vulnerable to the same attack.

“We found that not only can an attacker bypass Microsoft’s patch, but they can bypass any canonicalisation check that was done according to Microsoft’s best practices,” Check Point researcher Eyal Itkin said in a report shared with The Hacker News.

For those unaware, path traversal occurs when a program builds a file path from untrusted input without validating it, so an attacker can supply names containing “..” components that escape the intended directory and read or write files elsewhere on the system. In the reverse RDP case, the untrusted input is a file name sent by the server, and the result is that a malicious server can write a file to a location of its choosing on the connecting client.
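The bypass is easiest to see with the two checks side by side. The following is an added example, this editor’s Python model rather than Check Point’s or Microsoft’s code: `weak_canonicalize` stands in for a canonicaliser that only understands backslashes, which is what the forward-slash bypass implies about PathCchCanonicalize, and `ntpath.normpath` shows where Windows would actually write the file, since the file APIs accept either separator. The drop directory and file names are constructed. The hardened check rejects absolute, drive-qualified and UNC names, normalises both separators before resolving “..”, and tests containment with `ntpath.commonpath` rather than a string prefix, which also rejects sibling directories that merely share a prefix with the drop directory.

```python
import ntpath

# Constructed: the directory where the RDP client intends to store files received from the server.
DROP_DIR = "C:\\Users\\it\\Downloads\\rdpclip"


def weak_canonicalize(path: str) -> str:
    """Stand-in for a canonicaliser that only knows the backslash as a separator: '.' and '..'
    components delimited by '\\' are collapsed, while '/' is treated as an ordinary character."""
    out = []
    for seg in path.split("\\"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "\\".join(out)


def weak_is_safe(base: str, filename: str) -> bool:
    """The flawed pattern: canonicalise base\\filename and accept it if it still starts with base."""
    canon = weak_canonicalize(ntpath.join(base, filename))
    return canon.lower().startswith(ntpath.normpath(base).lower() + "\\")


def resolved_destination(base: str, filename: str) -> str:
    """Where the Windows file API would actually write: it accepts both separators."""
    return ntpath.normpath(ntpath.join(base, filename))


def hardened_is_safe(base: str, filename: str) -> bool:
    """Reject absolute, drive-qualified and UNC names; normalise both separators and '..';
    then require that the result is strictly inside base (commonpath, not a string prefix)."""
    drive, rest = ntpath.splitdrive(filename)
    if drive or rest.startswith(("\\", "/")):
        return False
    base_norm = ntpath.normpath(base)
    target = resolved_destination(base_norm, filename)
    try:
        inside = ntpath.commonpath([base_norm, target]) == base_norm
    except ValueError:  # different drives or an abs/rel mix: certainly not inside
        return False
    return inside and target != base_norm


if __name__ == "__main__":
    # File names a malicious RDP server might send; the forward-slash one is the bypass.
    for name in ["docs\\report.pdf", "..\\..\\evil.exe", "../../evil.exe", "docs/../../evil.exe"]:
        print(f"{name:22s} weak={weak_is_safe(DROP_DIR, name)!s:5s} "
              f"hardened={hardened_is_safe(DROP_DIR, name)!s:5s} "
              f"lands at {resolved_destination(DROP_DIR, name)}")
```

Run as a script, the table shows the weak check rejecting `..\..\evil.exe` but accepting `../../evil.exe`, which Windows would nevertheless write to `C:\Users\it\evil.exe`; the hardened check rejects both traversal forms and the absolute and UNC variants while still accepting ordinary relative names in either separator style.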

“A remote malware-infected computer could take over any client that tries to connect to it. For example, if an IT staff member tried to connect to a remote corporate computer that was infected by malware, the malware would be able to attack the IT staff member’s computer as well,” the researchers described.

The flaw came to light last year, and subsequent research in August found that it affected Microsoft’s Hyper-V virtualisation platform as well.

images from Hacker News