Daily Archives: September 15, 2019

CISO do’s and don’ts: Lessons learned

Keeping a business safe from cyber threats while allowing it to thrive is every CISO’s goal. The task is not easy: a CISO has to keep many balls in the air while being buffeted by an increasingly complex and always shifting threat landscape. Consequently, the importance of a good CISO should not be underestimated.

Mistakes to avoid, practices to implement

Francesco Cipollone, CISO and director at UK-based cybersecurity consultancy NSC42, says that he has seen … More

The post CISO do’s and don’ts: Lessons learned appeared first on Help Net Security.

Threat visibility is imperative, but it’s even more essential to act

Cyberthreats are escalating faster than many organizations can identify, block and mitigate them. Visibility into the expanding threat landscape is imperative, but according to a new threat report released by CenturyLink, it is even more essential to act. “As companies focus on digital innovation, they are entering a world of unprecedented threat and risk,” said Mike Benjamin, head of CenturyLink’s threat research and operations division, Black Lotus Labs. “Threats continue to evolve, as do bad … More

The post Threat visibility is imperative, but it’s even more essential to act appeared first on Help Net Security.

Tor Project’s Bug Smash Fund raises $86K in August

The Tor Project has raised $86,000 for a Bug Smash Fund that it will use to pay developers who address critical flaws in the popular anonymizing network.

The Tor Project has raised $86,000 for a Bug Smash Fund created to pay developers who address critical security and privacy issues in the popular anonymizing network.

In early August, the Tor Project announced the creation of the Bug Smash Fund, intended to pay professionals who support the organization with maintenance work and bug smashing.

“The goal of the Bug Smash Fund is to increase the Tor Project’s reserve of funds that allow us to complete maintenance work and smash the bugs necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly.” reads the announcement published by the Tor Project.

“When we say maintenance and bugs, we are talking about work that is critical—and that we must pay for. This work includes responding quickly to security bugs, improving test coverage, and keeping up with Mozilla’s ESRs. An entire ecosystem relies on us doing so.”

The organization has added donations it received in August 2019 to the Bug Smash Fund.

Any vulnerability that could be used to de-anonymize Tor users, or that attackers could use to disrupt the anonymizing network, is considered critical and must be addressed rapidly; part of the Bug Smash Fund will pay developers to do so.

The fund aims to be transparent: donors can track how the money is being used, because the Tor Project will tag every bug ticket paid for by the fund with the “BugSmashFund” tag.

“Want to keep up with the work we’re doing with this fund? There are three ways: (1) Follow the “BugSmashFund” trac ticket tag, (2) watch this blog for updates about the progress of these tickets, and (3) make a donation and opt in for our newsletter to get updates directly to your inbox.” concludes the announcement.

“Want to contribute anonymously, with cryptocurrency, or by mail? Here’s how.”

Pierluigi Paganini

(SecurityAffairs – Tor Project, privacy)

The post Tor Project’s Bug Smash Fund raises $86K in August appeared first on Security Affairs.

Astaroth Trojan leverages Facebook and YouTube to avoid detection

Cofense experts uncovered a new variant of the Astaroth Trojan that uses Facebook and YouTube in the infection process.

Researchers at Cofense have uncovered a phishing campaign targeting Brazilian citizens with the Astaroth Trojan that uses Facebook and YouTube in the infection process.

The attack chain is fairly complex and starts with phishing messages carrying an .htm attachment. At each step of the infection process the threat actors lean on trusted sources and on end-user interaction, using legitimate services to evade detection.

“Cofense Intelligence™ has identified a phishing campaign targeting Brazilian citizens with the Astaroth Trojan in which Facebook and YouTube profiles are used in support of the infection.” reads the analysis published by Cofense. “There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information.”

The Astaroth Trojan was first spotted by security firm Cofense in late 2018, when it was involved in a campaign targeting Europe and Brazil. The malware abused living-off-the-land binaries (LOLBins) such as the command line interface of the Windows Management Instrumentation Console (WMIC) to download and install malicious payloads in the background. According to the experts, LOLBins are very effective at evading antivirus software.

In the recent campaign, the experts observed three different kinds of emails, all written in Portuguese: one with an invoice theme, another with a show-ticket theme and a third with a civil-lawsuit theme.

“This campaign also utilized Cloudflare workers (JavaScript execution environment) to download modules and payloads, negating network security measures. Using these resources adds to the trusted source methodology employed by this campaign to bypass the security stack.” continues the analysis.

Once the victim opens the attachment, the .HTM file downloads a .ZIP archive that contains a malicious .LNK file. The .LNK file then downloads JavaScript from a Cloudflare Workers domain, which in turn downloads the multiple modules and payloads used to obfuscate and execute a sample of the Astaroth information stealer.

Among the files downloaded during the infection are two .DLL files that are joined together and side-loaded into a legitimate program, ‘C:\Program Files\Internet Explorer\ExtExport.exe’.

Running the malicious code (the union of the two DLLs, themselves downloaded from a trusted source) inside a legitimate program lets the campaign bypass security measures.

“After ExtExport.exe is running with the malicious code side-loaded, it uses a technique known as process hollowing to execute a legitimate program within a suspended state.” continues the analysis. “Process hollowing is used to inject malicious code retrieved from multiple files downloaded by the earlier JavaScript. The legitimate programs that were targeted for process hollowing were unins000.exe, svchost.exe, and userinit.exe.”

The experts noticed that the Astaroth Trojan involved in this campaign uses YouTube and Facebook profiles to host and maintain the C2 configuration data.

The C2 data is base64-encoded and custom-encrypted; the attackers embed it in Facebook posts or in the profile descriptions of YouTube accounts. Because the beacons go to well-known, legitimate domains, this trick bypasses content filtering and other network security measures.

“The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down.” the researchers continue.

The Astaroth stealer is able to collect sensitive information, including financial data, passwords stored in the browser, email client credentials and SSH credentials. The gathered information is wrapped in two layers of encryption and sent via HTTPS POST to a site from the C2 list; the experts noticed that most of these sites are hosted on Appspot.
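Detection logic for this chain, written here as an added example (it is not Cofense’s code) that runs a few rules over constructed, Sysmon-style telemetry. The rules follow the steps the page describes: a script host fetching from a Cloudflare Workers domain, ExtExport.exe loading a DLL from outside its own directory, ExtExport.exe spawning one of the named hollowing targets, and a non-browser process POSTing to an Appspot host. The event field names, the sample events and the `*.workers.dev` / `*.appspot.com` suffixes are assumptions made for the example.

```python
"""Detection rules for the Astaroth chain described above (added example, not Cofense's code).

Events are constructed, Sysmon-style dicts: process_create (image, parent_image),
image_load (image, loaded_image) and network (image, dest_host, method).
"""
from dataclasses import dataclass

EXTEXPORT = "c:\\program files\\internet explorer\\extexport.exe"
# Legitimate programs the page names as process-hollowing targets.
HOLLOW_TARGETS = {"unins000.exe", "svchost.exe", "userinit.exe"}
# Assumptions: Cloudflare Workers serve from *.workers.dev, Google App Engine from *.appspot.com.
WORKERS_SUFFIX = ".workers.dev"
APPSPOT_SUFFIX = ".appspot.com"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# DLLs ExtExport.exe may legitimately load live in these trees; anything else is a side-load candidate.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\internet explorer\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return the alerts raised by the rules, in event order."""
    alerts = []
    for ev in events:
        image = ev.get("image", "").lower()
        name = _basename(image)
        if ev["type"] == "network":
            host = ev.get("dest_host", "").lower()
            # Early stage: the .LNK makes a script host pull JavaScript from a Workers domain.
            if name in SCRIPT_HOSTS and host.endswith(WORKERS_SUFFIX):
                alerts.append(Alert("script_host_to_workers", f"{name} -> {host}"))
            # Exfiltration: stolen data is POSTed over HTTPS to an Appspot-hosted C2 by a non-browser.
            elif ev.get("method") == "POST" and host.endswith(APPSPOT_SUFFIX) and name not in BROWSERS:
                alerts.append(Alert("non_browser_post_to_appspot", f"{name} -> {host}"))
        elif ev["type"] == "image_load":
            loaded = ev.get("loaded_image", "").lower()
            # Side-loading: the legitimate IE binary loads a DLL from a location it never should.
            if image == EXTEXPORT and loaded.endswith(".dll") and not loaded.startswith(TRUSTED_DLL_PREFIXES):
                alerts.append(Alert("extexport_sideload", loaded))
        elif ev["type"] == "process_create":
            parent = ev.get("parent_image", "").lower()
            # Hollowing: ExtExport.exe has no business spawning these binaries
            # (svchost.exe normally has services.exe as its parent).
            if parent == EXTEXPORT and name in HOLLOW_TARGETS:
                alerts.append(Alert("extexport_spawns_hollow_target", f"{_basename(parent)} -> {name}"))
    return alerts


# Constructed sample telemetry, not real captures: a benign services.exe -> svchost.exe and a
# browser POST are mixed in to show that the rules do not fire on them.
SAMPLE_EVENTS = [
    {"type": "network", "image": "C:\\Windows\\System32\\wscript.exe",
     "dest_host": "example-stage.workers.dev", "method": "GET"},
    {"type": "image_load", "image": "C:\\Program Files\\Internet Explorer\\ExtExport.exe",
     "loaded_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\a.dll"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Program Files\\Internet Explorer\\ExtExport.exe"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"type": "network", "image": "C:\\Windows\\System32\\svchost.exe",
     "dest_host": "example-c2.appspot.com", "method": "POST"},
    {"type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "some-app.appspot.com", "method": "POST"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.rule}: {alert.detail}")
```

The point of the parent/child and image-load rules is that they do not depend on any hash or domain the attackers can rotate: a hollowed svchost.exe still has ExtExport.exe as its parent, and a side-loaded DLL still comes from a path the real binary never loads from. The two network rules are weaker, since legitimate software does talk to Workers and Appspot, so they are best used as enrichment on top of the host-based ones rather than as stand-alone blocks.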

This phishing campaign exclusively targets Brazilians: the experts noticed that the initial .ZIP archive is geo-fenced to Brazil.

However, experts warn that attackers could expand their activities to other countries using similar tactics.

“Astaroth leverages legitimate Microsoft Windows services to help propagate and deliver the payloads,” concludes the analysis. “This campaign also utilized Cloudflare workers (JavaScript execution environment) to download modules and payloads, negating network security measures. Using these resources adds to the trusted source methodology employed by this campaign to bypass the security stack.”

In July, experts at the Microsoft Defender ATP Research Team discovered a fileless malware campaign delivering the information-stealing Astaroth Trojan.

Pierluigi Paganini

(SecurityAffairs – Astaroth, malware)

The post Astaroth Trojan leverages Facebook and YouTube to avoid detection appeared first on Security Affairs.

Four in five businesses need ways to better secure data without slowing innovation

While data loss protection is critical to Zero Trust (ZT), fewer than one in five organizations report their data loss prevention solutions provide transformational benefits and more than 80 percent say they need a better way to secure data without slowing down innovation, according to Code42. ZT architectures are based on the principle of “trust no one, verify everything,” abolishing the idea of a trusted network within a data security perimeter and requiring companies to … More

The post Four in five businesses need ways to better secure data without slowing innovation appeared first on Help Net Security.

Exploitation of IoT devices and Windows SMB attacks continue to escalate

Cybercriminals upped the intensity of IoT and SMB-related attacks in the first half of 2019, according to a new F-Secure report. The report underscores the threats IoT devices face if not properly secured when online, as well as the continued popularity of EternalBlue and related exploits two years after WannaCry. F-Secure’s honeypots – decoy servers that are set up to lure in attackers for the purpose of collecting information – measured a twelvefold increase … More

The post Exploitation of IoT devices and Windows SMB attacks continue to escalate appeared first on Help Net Security.

Open source breach and attack simulation tool Infection Monkey gets new features

Guardicore, a leader in internal data center and cloud security, unveiled new capabilities for its Infection Monkey that make it the industry’s first Zero Trust assessment tool. Added features extend the functionality of the already successful Infection Monkey, a free, open source breach and attack simulation tool used by thousands to demonstrate and analyze their environments against lateral movement and attacks. The latest version of Infection Monkey enables both enterprise security leaders and network engineers … More

The post Open source breach and attack simulation tool Infection Monkey gets new features appeared first on Help Net Security.

Only one quarter of retail banks have adopted an integrated approach to financial crime systems

Most banks plan to integrate their fraud and financial crime compliance systems and activities in response to new criminal threats and punishing fines, with the U.K. leading the pack, according to a survey by Ovum, on behalf of FICO. Responses show that U.S. systems are less integrated than Canada’s – only 25 percent of U.S. banks have a common reporting line for both fraud and compliance, versus 60 percent for Canada. The survey also found … More

The post Only one quarter of retail banks have adopted an integrated approach to financial crime systems appeared first on Help Net Security.

Cyber Battle of the Emirates: Training the next generation of cyber security pros

Held annually in Asia, Europe and the Middle East, Hack In The Box conferences bring together the world’s top cyber security experts to share and discuss their latest knowledge, ideas and techniques with security professionals and students. The next HITB event is HITB+ CyberWeek, which takes place October 12th – 17th at Emirates Palace, Abu Dhabi. As usual, it will offer security trainings, talks, and live challenges. Cyber Battle of the Emirates Among the live … More

The post Cyber Battle of the Emirates: Training the next generation of cyber security pros appeared first on Help Net Security.

GDPR One Year Anniversary: The Civil Society Organizations’ View

GDPR is a landmark in privacy jurisdiction. Through its 99 articles, it sets a framework for both businesses and individuals on their rights and responsibilities when it comes to protecting privacy. The most important element in my opinion is that privacy functions as a fundamental human right and needs to be protected. The Authorities View Although […]… Read More

The post GDPR One Year Anniversary: The Civil Society Organizations’ View appeared first on The State of Security.

Irdeto launches Trusted Home enabling CSPs to secure the entire smart home beyond the router

Consumer demand for IoT devices is growing rapidly as they look to make the most of connectivity and the smart home. However, the increase in IoT devices also increases the number of security vulnerabilities and creates challenges for communication service providers (CSPs) and consumers alike around control of the smart home. To address these challenges, Irdeto has launched Trusted Home which enables CSPs to secure the entire smart home beyond the router, increase ARPU by … More

The post Irdeto launches Trusted Home enabling CSPs to secure the entire smart home beyond the router appeared first on Help Net Security.

TSYS Authentication Platform helps companies fight synthetic and account takeover fraud

TSYS announced a new authentication product that provides unprecedented real-time verification of customer identities. The new offering, the TSYS Authentication Platform, relies on customer experience data collected from direct cardholder touchpoints and integrates into TSYS clients’ existing authentication systems. TSYS Authentication Platform is available in Europe and will be launched in North America in 2020. The new product is designed to verify that a person is who he or she claims to be, reducing application, … More

The post TSYS Authentication Platform helps companies fight synthetic and account takeover fraud appeared first on Help Net Security.

HITRUST issues guidance for relying on work of internal audit departments in CSF assessments

HITRUST, a leading data protection standards development and certification organization, released updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. These policy and methodology updates create opportunities for greater assessment efficiency and customer cost savings. HITRUST has historically afforded two opportunities for External Assessors (formerly referred to as HITRUST CSF Assessors) to rely on the results of previously performed control testing, one being Inheritance of the results of other … More

The post HITRUST issues guidance for relying on work of internal audit departments in CSF assessments appeared first on Help Net Security.

New Razberi features use deep packet inspection to monitor video quality and camera security

Razberi Technologies has extended its Razberi Monitor solution with new video health monitoring features. Razberi leverages its patent-pending deep packet inspection technology to assure security professionals that their cameras are providing secure and reliable audio and video streams. Razberi’s latest software automatically reboots cameras and sends alerts when problems are detected. Razberi Monitor provides complete system health and cyber monitoring solutions for video surveillance systems. Razberi Monitor integrates video health with award-winning Razberi CameraDefense for … More

The post New Razberi features use deep packet inspection to monitor video quality and camera security appeared first on Help Net Security.

Easy NX Connect for Egnyte enables fast and secure file sharing

Fujitsu Computer Products of America, the established leader in document imaging, announced a new integration with the FUJITSU fi-7300NX document scanner and Egnyte. Easy NX Connect for Egnyte is a convenient software license that enables organizations to scan directly to Egnyte via a quick tap and scan into a secure, sharable workflow. Easy NX Connect for Egnyte includes NFC authentication and direct integration into Egnyte’s Enterprise File Sharing and Content Governance platform. In conjunction with … More

The post Easy NX Connect for Egnyte enables fast and secure file sharing appeared first on Help Net Security.

Bank Mayapada chooses NICE Actimize to update its AML compliance programs

NICE Actimize, a NICE business and the leader in autonomous financial crime management, has been chosen by PT Bank Mayapada Internasional, Tbk, Jakarta, Indonesia, to launch full-scale improvements within its financial crime operations with anti-money laundering compliance and investigation management solutions that employ artificial intelligence and machine learning technology. To more effectively meet the needs of its regulators, Bank Mayapada will implement an array of components from NICE Actimize’s Autonomous Anti-Money laundering portfolio, including Suspicious … More

The post Bank Mayapada chooses NICE Actimize to update its AML compliance programs appeared first on Help Net Security.

Oliver Wyman and Next Peak offer a broader and enhanced range of advisory and operational services

Global management consulting firm Oliver Wyman and Next Peak, an operational cyber defense consulting company, announced a new collaboration to offer a broader and enhanced range of advisory and operational services to clients focused on defending and improving resilience against global cyber threats. “At a time when cyber threats are becoming increasingly common, more dangerous, and more sophisticated, leaders across all industries are looking for ways to protect their companies,” said Michael Zeltkevic, Partner and … More

The post Oliver Wyman and Next Peak offer a broader and enhanced range of advisory and operational services appeared first on Help Net Security.

Snowflake and FedResults partnership provides cloud-based solutions for government

Snowflake, the data warehouse built for the cloud, announced that it has a public sector distribution relationship with FedResults, a government-focused IT provider. This partnership will enable Snowflake and FedResults to provide secure, powerful, flexible cloud data warehouse and analytics solutions to federal agencies. Bloomberg Government analysts project that the U.S. Federal Government will invest more than $93B in information technology programs in fiscal year 2020. The 2019 Federal Cloud Computing Strategy, Cloud Smart is … More

The post Snowflake and FedResults partnership provides cloud-based solutions for government appeared first on Help Net Security.

Digital River brings its payments, tax and compliance capabilities to Salesforce AppExchange

Digital River announced it has launched an integration to bring its payments, tax and compliance capabilities to Salesforce AppExchange, empowering customers to connect with their customers and partners in entirely new ways. The integration of Salesforce Commerce Cloud and Digital River lets brands create efficient online buying experiences with a solution designed to grow revenue, expand internationally and help protect brands from risks associated with selling online. The on-demand shopping experience is now ingrained in … More

The post Digital River brings its payments, tax and compliance capabilities to Salesforce AppExchange appeared first on Help Net Security.

HID Global acquires HydrantID to secure enterprise data, IT systems, networks, and the IoT

HID Global, a worldwide leader in trusted identity solutions, announced that it has acquired HydrantID, a provider of management and automation services to secure enterprise organizations’ data, IT systems, networks, and the Internet of Things (IoT). Specializing in public key infrastructure (PKI) as a service, HydrantID has issued over three million PKI credentials and secured over 125,000 domains – a perfect complement to HID’s IdenTrust business, which is the world’s leading digital certification authority. HydrantID … More

The post HID Global acquires HydrantID to secure enterprise data, IT systems, networks, and the IoT appeared first on Help Net Security.

Odaseva records growth and supports over a trillion documents in Salesforce

Odaseva, the unified cloud data protection, compliance and operations platform for enterprises running Salesforce as a business-critical application, announced that it has seen triple year over year growth, and after only seven years of operation, supports a staggering one trillion Salesforce records, with over 10 million enterprise-level internal Salesforce customers. Odaseva’s explosive growth is in part due to the influx of new data privacy and governance laws such as GDPR or CCPA, demanding that businesses … More

The post Odaseva records growth and supports over a trillion documents in Salesforce appeared first on Help Net Security.

Week in review: Simjacker attacks, critical Exim flaw, Sandboxie becomes freeware

Here’s an overview of some of last week’s most interesting news, interviews and articles:

More than a year after GDPR implementation, half of UK businesses are not fully compliant

52% of UK businesses are not fully compliant with the regulation, more than a year after its implementation, according to a survey of UK GDPR decision-makers conducted on behalf of Egress.

Simjacker vulnerability actively exploited to track, spy on mobile phone owners

Following extensive research, AdaptiveMobile … More

The post Week in review: Simjacker attacks, critical Exim flaw, Sandboxie becomes freeware appeared first on Help Net Security.

Drone attacks hit two Saudi Arabia Aramco oil plants

Drone attacks have hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them is the Abqaiq site.

Saudi Arabia’s oil production suffered severe damage after a swarm of explosive drones hit two major oil facilities run by the state-owned company Aramco.

Images of a huge blaze at Abqaiq, the site of Aramco’s largest oil processing plant, are circulating online. A second drone attack hit the Khurais oilfield. Abqaiq is about 60km south-west of Dhahran, while Khurais, 200km further south-west, hosts the second-largest oilfield in the country.

According to local media, fire brigade teams managed to bring the fires at both facilities under control.

The two facilities are located in Abqaiq and Khurais, Saudi Arabia’s interior ministry said. (Photo: Twitter videograb | @Sumol67)

Iran-backed Houthi rebels in Yemen claimed responsibility for the attacks; according to a spokesman for the group, it had deployed 10 drones.

The group is threatening Saudi Arabia with further attacks. The Iran-aligned Houthi movement has been fighting the Yemeni government and a Saudi-led coalition of regional countries since 2015, when President Abdrabbuh Mansour Hadi was driven out of Sanaa by the Houthis.

“The military spokesman, Yahya Sarea, told al-Masirah TV, which is owned by the Houthi movement and is based in Beirut, that further attacks could be expected in the future.” reported the BBC.

“He said Saturday’s attack was one of the biggest operations the Houthi forces had undertaken inside Saudi Arabia and was carried out in “co-operation with the honourable people inside the kingdom”.”

US Secretary of State Mike Pompeo blamed Iran for coordinating the attacks, adding that the world is facing an unprecedented attack on its energy supply.

The Saudi authorities confirmed the attacks in an official statement:

“At 04:00 (01:00 GMT), the industrial security teams of Aramco started dealing with fires at two of its facilities in Abqaiq and Khurais as a result of… drones,” the official Saudi Press Agency reported. “The two fires have been controlled.”

The attacks will have a dramatic impact on Saudi Arabia’s oil output, which could be cut by 50 percent following the incidents.

These latest attacks demonstrate the potential impact of drone attacks against critical infrastructure. At the time of writing it is not clear whether the Houthis used weaponized commercial civilian drones or obtained military support from Iran.

“The Saudi Air Force has been pummelling targets in Yemen for years. Now the Houthis have a capable, if much more limited, ability to strike back. It shows that the era of armed drone operations being restricted to a handful of major nations is now over.” continues the BBC.

Groups like the Houthis and Hezbollah have access to drone technology and could use it in sophisticated operations. Intelligence analysts fear that escalating tensions in the region could trigger a global oil crisis.

Pierluigi Paganini

(SecurityAffairs – drone attacks, Saudi Arabia)

The post Drone attacks hit two Saudi Arabia Aramco oil plants appeared first on Security Affairs.

Security Affairs newsletter Round 231

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

Experts found Joker Spyware in 24 apps in the Google Play store
Toyota Boshoku Corporation lost over $37 Million following BEC attack
University, Professional Certification or Direct Experience?
WordPress 5.2.3 fixes multiple issues, including some severe XSS flaws
Belarusian authorities seized XakFor, one of the largest Russian-speaking hacker sites
China-linked APT3 was able to modify stolen NSA cyberweapons
Stealth Falcon New Malware Uses Windows BITS Service to Stealthily Exfiltrate Data
Stealth Falcon’s undocumented backdoor uses Windows BITS to exfiltrate data
Symantec uncovered the link between China-Linked Thrip and Billbug groups
Telegram Privacy Fails Again
Wikipedia suffered intermittent outages as a result of a malicious attack
DoS attack that caused disruption at US power utility exploited a known flaw
Millions of Telestar Digital GmbH IoT radio devices can be remotely hacked
Police dismantled Europe’s second-largest counterfeit currency network on the dark web
Robert Downey Jr’s Instagram account has been hacked
Adobe September 2019 Patch Tuesday updates fix 2 code execution flaws in Flash Player
Dissecting the 10k Lines of the new TrickBot Dropper
Microsoft Patch Tuesday updates for September 2019 fix 2 privilege escalation flaws exploited in attacks
NetCAT attack allows hackers to steal sensitive data from Intel CPUs
Some models of Comba and D-Link WiFi routers leak admin credentials
The Wolcott school district suffered a second ransomware attack in 4 months
Iran-linked group Cobalt Dickens hit over 60 universities worldwide
LokiBot info stealer involved in a targeted attack on a US Company
SAP September 2019 Security Patch Day addresses four Security Notes rated as Hot News
SimJacker attack allows hacking any phone with just an SMS
Poland to establish Cyberspace Defence Force by 2024
The US Treasury placed sanctions on North Korea-linked APT Groups
WatchBog cryptomining botnet now uses Pastebin for C2
Expert disclosed passcode bypass bug in iOS 13 a week before its release
Hackers stole payment data from Garmin South Africa shopping portal
InnfiRAT Trojan steals funds from Bitcoin and Litecoin wallets

Pierluigi Paganini

(SecurityAffairs – Newsletter, hacking)

The post Security Affairs newsletter Round 231 appeared first on Security Affairs.

Dealer Leads, a car dealer marketing firm exposed 198 Million records online

A researcher discovered an unsecured database exposed online, belonging to car dealership marketing firm Dealer Leads, containing 198 million records.

The researcher Jeremiah Fowler discovered an unsecured database exposed online belonging to car dealership marketing firm Dealer Leads.

The archive contained 198 million records, 413GB of data in total, with information on potential car buyers, vehicles, loan and finance inquiries, log data including visitors’ IP addresses, and more.

“On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several times in the previous weeks, but was unable to identify the owner.” reports Security Discovery. “I spent several days trying to identify the owner of the database and there was no clear indication in the millions of records.”

Dealer Leads provides auto-industry content for franchise and independent car dealerships; the company’s website describes it as follows:

“dominates the automotive digital marketing industry with highly used automobile search strings turned into online inventory advertising classified sites, service sites, finance sites etc. Car shoppers have needs, and DealerLeads matches those needs in live searches.”

The Elasticsearch database was accessible to anyone with a web browser; its records included names, emails, phone numbers, addresses, IP addresses and other sensitive or identifiable information, all in plain text.

The archive also included IP addresses, ports, paths, and storage info.

The good news is that after the expert reported his discovery, the company secured the database by restricting public access to it.

At the time of writing it is not clear how long the data remained exposed online and if someone had access to its records.

“Dealer Leads acted fast to restrict public access immediately after the notification. Unfortunately, the data was exposed for an undetermined length of time and it is unclear who else may have had access to the millions of records that were publicly exposed.” Security Discovery concludes.

“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network applicants and potential customers may not know if their data was exposed.”

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Dealer Leads, a car dealer marketing firm exposed 198 Million records online appeared first on Security Affairs.

A bug in Instagram exposed user accounts and phone numbers

Facebook addressed a vulnerability in Instagram that could have allowed attackers to access private user information.

The security researcher @ZHacker13 discovered a flaw in Instagram that allowed an attacker to access account information, including a user’s phone number and real name.

ZHacker13 discovered the vulnerability in August and reported it to Facebook, which asked for additional time to address it. The social network giant has now fixed the flaw.

“In putting this article together, I had the security researcher run tests on the platform and he successfully retrieved “secure” user data I know to be real. This data included users’ real names, Instagram account numbers and handles, and full phone numbers.” reads a post published by Forbes. “The linking of this data is all an attacker would need to target those users. It would also enable automated scripts and bots to build user databases that could be searched, linking high-profile or highly-vulnerable users with their contact details.”

The expert also warns that attackers could use automated scripts and bots to collect user data from the platform, linking users with their contact details.

Just a week before ZHacker13 disclosed the bug, phone numbers associated with 419 million accounts of the social network giant were exposed online.

It is not clear if the two incidents could have the same root cause.

“I found a high vulnerability on Instagram that can cause a serious data leak,” @ZHacker13 told Forbes. “The vulnerability is still active—and it looks like Facebook are not very serious about patching it.” “Exploiting this vulnerability would enable an attacker using an army of bots and processors to build a searchable/attackable database of users, bypassing protections protecting that data.”

The expert explained that he discovered the flaw by combining the platform’s contact importer with a brute-force attack on its login form.

The attack scenario consists of two steps:

  • The attacker carries out a brute force attack on Instagram’s login form, checking one phone number at a time for those linked to a live Instagram account.
  • The attacker finds the account name and number linked to the phone number by exploiting Instagram’s Sync Contacts feature.
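The two steps above, and what removing the oracle looks like, as an added example that is not Instagram’s or Facebook’s code. It models a toy account store with a vulnerable service, whose login form answers differently for an unknown phone number than for a wrong password and whose contact importer resolves any list of numbers, next to a hardened service that returns one failure string for both cases, compares against a dummy hash for unknown numbers, and puts a per-client budget on failed logins and on contact syncs. The account data, limits and client identifiers are assumptions for the example.

```python
"""Login-form phone enumeration plus contact-importer resolution, and a hardened variant
(added example, not Instagram's or Facebook's code; account data and limits are made up)."""
import hashlib
import hmac
import secrets
from collections import defaultdict


def _pw_hash(password: str) -> str:
    # Toy hash so the example runs anywhere; a real service would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account store: phone -> (handle, real name, password hash).
ACCOUNTS = {
    "+15550000001": ("alice_ig", "Alice Example", _pw_hash("hunter2")),
    "+15550000002": ("bob_ig", "Bob Example", _pw_hash("correct horse")),
}


class VulnerableService:
    """Distinct failure messages turn the login form into a phone-number oracle,
    and the contact importer resolves any number of phones with no budget."""

    def login(self, client, phone, password):
        acct = ACCOUNTS.get(phone)
        if acct is None:
            return "error: no account with this phone number"
        if not hmac.compare_digest(acct[2], _pw_hash(password)):
            return "error: incorrect password"
        return "ok"

    def sync_contacts(self, client, phones):
        return {p: ACCOUNTS[p][:2] for p in phones if p in ACCOUNTS}


class HardenedService:
    """Same failure string whether or not the phone exists, a dummy-hash comparison for
    unknown numbers, and per-client budgets on failed logins and on contact syncs."""
    MAX_LOGIN_FAILURES = 10
    MAX_CONTACTS_PER_SYNC = 100
    MAX_SYNCS_PER_WINDOW = 3

    def __init__(self):
        self.login_failures = defaultdict(int)
        self.syncs = defaultdict(int)
        self._dummy_hash = _pw_hash(secrets.token_hex(16))  # compared for unknown phones

    def login(self, client, phone, password):
        if self.login_failures[client] >= self.MAX_LOGIN_FAILURES:
            return "error: too many attempts, try again later"
        acct = ACCOUNTS.get(phone)
        stored = acct[2] if acct else self._dummy_hash
        ok = hmac.compare_digest(stored, _pw_hash(password)) and acct is not None
        if not ok:
            self.login_failures[client] += 1
            return "error: invalid credentials"  # identical for unknown phone and wrong password
        return "ok"

    def sync_contacts(self, client, phones):
        self.syncs[client] += 1
        if self.syncs[client] > self.MAX_SYNCS_PER_WINDOW or len(phones) > self.MAX_CONTACTS_PER_SYNC:
            return None  # rejected: oversized or too frequent
        return {p: ACCOUNTS[p][:2] for p in phones if p in ACCOUNTS}


def enumerate_phones(service, candidates, client="bot-1"):
    """Step 1: try each candidate number with a junk password and keep the ones the
    login form admits belong to a real account."""
    return [p for p in candidates
            if service.login(client, p, "x") == "error: incorrect password"]


def run_attack(service, candidates, client="bot-1"):
    """Step 2: resolve the confirmed numbers to handle and real name via the contact importer."""
    resolved = service.sync_contacts(client, enumerate_phones(service, candidates, client))
    return resolved if resolved is not None else {}


if __name__ == "__main__":
    candidates = [f"+1555000{i:04d}" for i in range(50)]
    print("vulnerable:", run_attack(VulnerableService(), candidates))
    print("hardened:  ", run_attack(HardenedService(), candidates))
```

The per-client budgets are the weaker half of the fix: an attacker with “an army of bots” simply spreads the attempts over many clients, so the control that actually kills step 1 is the uniform failure response (and the dummy-hash comparison, so the unknown-number path does not return measurably faster). Step 2 cannot be removed the same way, because a contact importer has to return matches to be useful; there the realistic controls are the size and frequency caps shown, plus monitoring for accounts whose sync usage looks like harvesting.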

A Facebook spokesman explained that his company modified the contact importer in Instagram to address the flaw.

“We have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue, and to the entire research community for their efforts.” said the spokesman.

Facebook, after initial resistance, confirmed it is considering rewarding @ZHacker13 for reporting the bug through its bug bounty program.

“Facebook had also told @ZHacker13 that although the vulnerability was serious, there was internal awareness of the issue and so it was not eligible for a reward under the bounty scheme.” continues the post. “This would have set a terrible precedent and disincentivized researchers from coming forwards with similar vulnerabilities. I questioned Facebook on its decision, and the company reconsidered and told me it has “reassessed” the discovery of the bug and would reward the researcher after all.”

Facebook pointed out that there is no evidence that any user data has been abused by threat actors.  

Pierluigi Paganini

(SecurityAffairs – Instagram, hacking)

The post A bug in Instagram exposed user accounts and phone numbers appeared first on Security Affairs.