Category Archives: digital id

Snapchat staff used internal tools to spy on users

Snapchat staff have allegedly abused their roles in the company, using internal tools to spy on Snapchat users and steal their data.

Snapchat is a multimedia messaging app that makes pictures, videos, and messages (snaps) available for a short time before they become inaccessible to their recipients. Initially it only allowed person-to-person photo sharing, but it now also offers users’ “Stories”, 24 hours of chronological content. As of February 2018, Snapchat has 187 million daily active users.

Snapchat has internal tools that allow employees to access consumer data, and unfortunately these tools have been abused by internal staff.

The news was first reported by Motherboard, which learned that “multiple” employees had abused the tools to spy on users.

“Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users, Motherboard has learned.” reports Motherboard.

Accounts from current and former employees, along with a cache of internal company emails obtained by Motherboard, demonstrate the abuse of internal tools to access user data. Employees were able to access location information and personal information, including phone numbers, email addresses, and snaps.

Multiple sources and emails referred to an internal tool called SnapLion that was originally used to gather information on users in response to valid law enforcement requests (i.e. a court order or subpoena).

A former employee told Motherboard that SnapLion provides “the keys to the kingdom.”

Over time, use of the SnapLion tool was extended to other departments, including the security staff and a team called “Customer Ops.”

The information obtained by Motherboard shows that Snapchat failed to implement the principle of least privilege, which limits each employee’s access to what their job actually requires.

The good news is that Snapchat today implements stricter controls on data access, but this was not the case in the past. Moreover, SnapLion and other internal tools did not implement enough logging to track which data employees accessed.

“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.” reads a spokesperson’s statement sent to Motherboard via email.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Snapchat, privacy)

The post Snapchat staff used internal tools to spy on users appeared first on Security Affairs.

Facebook says it took down 2.19 billion accounts in Q1 2019

Social network giant Facebook revealed it recently disabled billions of accounts operated by “bad actors” and that five percent of active accounts are fake.

The news is disconcerting, but honestly not so surprising: Facebook announced it recently disabled billions of accounts operated by “bad actors” and that five percent of its active accounts are fake.

Facebook released its third Community Standards Enforcement Report, covering Q4 2018 and Q1 2019, which summarizes its efforts to fight abuse of the social network platform and its actions to identify and take down accounts managed by threat actors.

The figures are impressive: the company disabled 2.19 billion accounts in the first quarter of 2019, roughly double the number of accounts blocked in the prior quarter.

“The amount of accounts we took action on increased due to automated attacks by bad actors who attempt to create large volumes of accounts at one time,” Facebook said,

“We disabled 1.2 billion accounts in the fourth quarter of 2018 and 2.19 billion in the first quarter of 2019. We’ll continue to find more ways to counter attempts to violate our policies.”

Facebook apparently disabled the accounts because they had been created by impostors through automated processes.

Facebook also highlighted the progress it made in battling hate speech: its systems automatically detected 65 percent of the removed content before anyone reported it. This is a significant improvement over the previous year, a 24% increase in automatic detection.

In Q1 2019, Facebook took down four million posts whose content was classified as hate speech.

“In the first quarter of 2019, we took down 4 million hate speech posts and we continue to invest in technology to expand our abilities to detect this content across different languages and regions.” continues Facebook.

Additional data is included in the report; enjoy it!



G Suite users’ passwords stored in plain-text for more than 14 years

Google accidentally stored the passwords of its G Suite users in plain text for 14 years, allowing its employees to access them.

The news is disconcerting: Google accidentally stored the passwords of G Suite users in plain text for 14 years, which means that every employee in the company was able to access them.

According to the tech giant, the incident was caused by a bug in the password recovery mechanism and only business users were affected.

“However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.” reads a blog post published by the company. “This is a G Suite issue that affects business users only–no free consumer Google accounts were affected–and we are working with enterprise administrators to ensure that their users reset their passwords.”

G Suite (formerly Google Apps) is a suite of cloud computing, productivity and collaboration tools widely adopted by business users. Google has already addressed the bug by removing the capability from G Suite administrators.

The bug resided in the password recovery mechanism for G Suite customers, which allowed enterprise administrators to upload or manually set passwords for any user of their domain without knowing their previous passwords. The procedure could be used to set passwords for new employees and for account recovery.

Google admitted that when an admin set a password this way, the admin console stored a copy of it in plain text on Google servers.
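To make the defect concrete, here is an added Python example (not Google’s code, which is not public) that contrasts an admin “set password” handler keeping a plaintext copy with one that persists only a salted PBKDF2 hash, plus an audit that scans a credential store for anything that is not a well-formed hash. The store layout, field names and work factor are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value, not Google's)


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing salted hash: pbkdf2_sha256$<iters>$<salt>$<digest>."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_b64, digest_b64 = stored.split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def is_hashed_credential(value) -> bool:
    """True only for a well-formed pbkdf2_sha256 record (16-byte salt, 32-byte digest)."""
    if not isinstance(value, str):
        return False
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        digest = base64.b64decode(parts[3], validate=True)
    except ValueError:
        return False
    return len(salt) == 16 and len(digest) == 32


def admin_set_password_buggy(store: dict, user: str, password: str) -> None:
    # The defect the article describes: the admin console keeps a plaintext copy
    # next to the hashed credential. Kept here only so the audit has something to find.
    store[user] = {"credential": hash_password(password), "console_copy": password}


def admin_set_password_fixed(store: dict, user: str, password: str) -> None:
    # Only the salted hash is persisted; the plaintext is discarded after hashing.
    store[user] = {"credential": hash_password(password)}


def audit_credential_store(store: dict) -> list:
    """Flag every (user, field) whose value is not a well-formed hashed credential."""
    return [(user, field) for user, record in store.items()
            for field, value in record.items() if not is_hashed_credential(value)]
```

Running the audit over any persisted admin-console records is the check that would have surfaced the unhashed copies long before 14 years had passed.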

Google investigated the problem and confirmed that it has no evidence of improper access to or misuse of the affected G Suite credentials.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure.” continues Google. “This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google attempted to reassure users by explaining that even though the passwords were stored in plain text, they sat on internal, encrypted servers that were not reachable from the open Internet.

At the time, Google did not reveal how many users might have been impacted, but consider that G Suite currently has 5 million enterprise customers that were potentially at risk.

The company notified the impacted business users of the incident and asked them to reset their passwords; it also announced that it will automatically reset the passwords of users who do not change them.

Google isn’t the only tech giant that has accidentally stored plain-text passwords on its internal servers. Recently, Facebook revealed a similar incident affecting Facebook and Instagram users.

In 2018, Twitter asked more than 330 million users to change their passwords after a bug exposed them in plain text on internal systems.



Unpatched Ethereum Clients expose the ecosystem to 51% Attack risk

Security researchers from SRLabs have published a report that analyzed the risks for the Ethereum network caused by unpatched Ethereum clients.

Researchers at SRLabs published a report, based on ethernodes.org data, revealing that a large number of nodes running the popular clients Parity and Geth are still unpatched. The experts found that Ethereum clients and their users remained exposed for “extended periods of time” after security patches were released.

“SRLabs research suggests that security vulnerabilities remain unpatched for many Ethereum blockchain participants for extended periods of time, putting the blockchain ecosystem at risk.” reads the report.

Experts pointed out that an attacker who controls more than 51% of the computational power in the Ethereum network can double-spend coins and undermine trust in the ecosystem. An attacker who can crash a large number of nodes would find it easier to reach 51% of the network.

For that reason, denial-of-service issues are classified as high severity in cryptocurrency networks: attackers can leverage them to reduce the amount of computational power needed to perform a 51% attack.

In February, SRLabs reported a vulnerability in the Parity client that could be exploited to remotely crash Parity Ethereum nodes running versions prior to 2.2.10.

“According to our collected data, only two thirds of nodes have been patched so far. Shortly after we reported this vulnerability, Parity released a security alert, urging participants to update their nodes.” continues the report.

A month after the flaw was patched, the experts found that around 40% of all scanned Parity Ethereum nodes remained unpatched. Another patch, released on Mar 2, 2019, had been installed by around 70% of Parity Ethereum nodes, leaving the remaining 30% exposed.

The situation is worse if we consider that 7 percent of Parity nodes still ran a version affected by a critical consensus vulnerability patched in July 2018.

A graph in the SRLabs report shows that the percentage of unpatched Ethereum nodes in 2019 decreased only slowly over time.

The researchers explained that Parity Ethereum has an automated update process, but it is highly complex and some updates are left out.

The report confirms that patch management for the Geth client, which has no auto-update feature, is even worse: Geth clients remained unpatched for longer periods of time.

“According to their announced headers, around 44% of the Geth nodes visible at ethernodes.org were below version v.1.8.20, a security-critical update, released two-month before our measurement,” continues the SRLabs team.
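As an added example (not SRLabs’ tooling) of the measurement the report describes, the following Python classifies nodes as patched or unpatched from their announced client headers, using the version thresholds named in the article (Parity 2.2.10 for the crash bug, Geth v1.8.20 for the security-critical update). The header strings are constructed samples with placeholder build hashes, and the header layout is assumed to follow the Client/vX.Y.Z-… convention that Geth and Parity announce.

```python
import re
from collections import defaultdict

# Minimum versions carrying the fixes discussed in the article.
MIN_PATCHED = {"parity": (2, 2, 10), "geth": (1, 8, 20)}

# Assumed header layout: "<Client>/v<major>.<minor>.<patch>-<extra>/<platform>/<toolchain>"
HEADER_RE = re.compile(r"^(Parity-Ethereum|Parity|Geth)/v?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_header(header: str):
    """Return (client, (major, minor, patch)) or None for clients we do not track."""
    m = HEADER_RE.match(header)
    if not m:
        return None
    client = "parity" if m.group(1).lower().startswith("parity") else "geth"
    return client, (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_unpatched(header: str):
    """True if the node announces a version below the fixed one; None if unrecognised.
    Versions are compared as integer tuples: a string compare would rank 2.2.10 below 2.2.9."""
    parsed = parse_header(header)
    if parsed is None:
        return None
    client, version = parsed
    return version < MIN_PATCHED[client]


def unpatched_share(headers) -> dict:
    """Fraction of recognised nodes per client that are still below the patched version."""
    counts = defaultdict(lambda: [0, 0])  # client -> [unpatched, total]
    for header in headers:
        parsed = parse_header(header)
        if parsed is None:
            continue  # unknown client: not part of this measurement
        client, version = parsed
        counts[client][1] += 1
        if version < MIN_PATCHED[client]:
            counts[client][0] += 1
    return {client: round(unp / total, 3) for client, (unp, total) in counts.items()}


# Constructed sample of announced headers; build hashes replaced by placeholders.
SAMPLE_HEADERS = [
    "Parity-Ethereum/v2.2.9-stable-xxxxxxx/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum/v2.2.10-stable-xxxxxxx/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum/v2.3.2-beta-xxxxxxx/x86_64-linux-gnu/rustc1.32.0",
    "Parity/v1.11.11-stable-xxxxxxx/x86_64-linux-gnu/rustc1.28.0",
    "Geth/v1.8.19-stable-xxxxxxxx/linux-amd64/go1.11.2",
    "Geth/v1.8.20-stable-xxxxxxxx/linux-amd64/go1.11.2",
    "Geth/v1.8.21-stable-xxxxxxxx/linux-amd64/go1.11.4",
    "Geth/v1.8.23-stable-xxxxxxxx/linux-amd64/go1.11.5",
    "Geth/v1.7.3-stable-xxxxxxxx/linux-amd64/go1.9",
    "OtherClient/v1.0.0",  # skipped: not a Parity or Geth node
]
```

Feeding the real header list from a crawler into unpatched_share gives the per-client unpatched ratio the report tracks over time; the thresholds are the only input that needs updating when a new security release ships.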

Experts conclude that the lack of basic patch hygiene undermines the security of the entire Ethereum ecosystem.



Twitter inadvertently collected and shared iOS location data

Twitter revealed that a bug in its iOS app was the root cause of an inadvertent collection of location data that was then shared with a third party.

A new story of a violation of users’ privacy made the headlines: Twitter revealed that, due to a bug, it collected and shared iOS location data with a third-party advertising company.

Fortunately, only one partner of the micro-blogging firm was involved, and the data collection and sharing occurred only in certain circumstances.

“We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances.” reads the security advisory published by Twitter.

“Specifically, if you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature.”

Twitter admitted that it failed to remove the location data from the information shared with the trusted advertising partner, which accessed it during the real-time bidding process.

The company pointed out that the location data it shared could not be used to track individuals because it had implemented technical measures to “fuzz” the information. Twitter explained that the shared data was no more precise than a zip code or city (5 km squared).

Twitter did not share users’ handles or other unique account IDs, which means it was not possible to link a specific user’s identity to a geographic location.

“The partner did not receive data such as your Twitter handle or other unique account IDs that could have compromised your identity on Twitter.” continues the announcement.

“This means that for people using Twitter for iOS who we inadvertently collected location information from, we may also have shared that information with a trusted advertising partner.”

Another piece of good news is that the partner did not retain the data, which was deleted “as part of their normal process.”

Twitter has already fixed the issue and notified all the impacted users, but it did not reveal the extent of the incident or for how long it shared the data with its partner.

“We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us. We’re very sorry this happened. We recognize and appreciate the trust you place in us and are committed to earning that trust every day,” concludes Twitter.
