Google Project Zero researcher Tavis Ormandy discovered that a Chrome extension silently installed by Adobe last week was affected by a cross-site scripting (XSS) vulnerability. Adobe patched the flaw quickly after learning of it.
The updates released by Adobe on January 10 for Acrobat and Reader addressed 29 vulnerabilities. However, some users were displeased that the updates also automatically installed an Adobe Acrobat Chrome extension designed for converting web pages into PDF files.
The Windows-only extension requires permission to access data on the websites visited by the user, manage downloads, and communicate with cooperating native apps. The tool also collects some information from the system, but Adobe claims no personal information is involved and the “anonymous data will not be meaningful to anyone outside of Adobe.”
“I think CSP [Content Security Policy] might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc,” the Google researcher explained in an advisory.
The issue was reported to Adobe on January 12 and it was patched a few days later. It is not surprising that the vulnerability was fixed quickly considering that many of the flaws found in Adobe products are reported by Google Project Zero researchers or through the Chromium Vulnerability Rewards Program.
This was not the first time Ormandy identified a vulnerability in a Chrome extension. Roughly one year ago, the expert revealed that an extension automatically installed by AVG AntiVirus exposed users’ browsing history and other personal data.
Several vulnerabilities have been identified in Uber’s recently launched UberCENTRAL service. The ride-sharing company patched the flaws and rewarded the expert who found them.
Announced in late July, UberCENTRAL provides a dashboard that companies can use to pay for Uber rides on behalf of their customers. UberCENTRAL administrators can add operators (i.e. employees who request rides for customers) based on their email address.
Since the rules of Uber’s bug bounty program specifically mention enumeration issues, bounty hunter Kevin Roh decided to see if such flaws are present in UberCENTRAL. Uber is particularly interested in vulnerabilities that can be used to enumerate users’ universally unique identifiers (UUIDs) via phone numbers or email addresses as these can allow insecure direct object reference (IDOR) attacks.
One of the flaws discovered by Roh allowed attackers to enumerate user UUIDs by sending requests with possible email addresses. If the email address is associated with an account, the response from the server will include the user’s UUID. If the email address is not valid, the response will contain an error.
While the second issue identified by the expert is similar, the third security hole he found could have been exploited to obtain not only UUIDs, but also full names, phone numbers and email addresses.
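The email-to-UUID oracle described above, as an added example written for this page (it is not Uber's code). The endpoint shape, the account directory, the invitation flow and the per-business request quota are all constructed; the point is the difference between a response that varies with account existence and one that does not, and what that difference gives an attacker with a wordlist.

```python
"""Email-to-UUID enumeration oracle and a response that does not leak.
Added illustration, not Uber's code; accounts, endpoint and quota are constructed."""
from __future__ import annotations

import secrets
from collections import Counter

# Constructed directory: email -> account UUID (kept server-side by the real service).
ACCOUNTS = {
    "alice@example.com": "2f1c5f2e-9d2e-4d1a-9d5c-1f8e0c3b7a10",
    "bob@example.com": "7a3b9c8d-1e2f-4a5b-8c9d-0e1f2a3b4c5d",
}
REQUESTS_PER_WINDOW = 20  # assumed per-business quota for the hardened handler


def add_operator_vulnerable(business_id: str, email: str) -> dict:
    """Returns the UUID when the address is known and an error otherwise, so the
    response itself answers 'does this email belong to an account?'."""
    uuid = ACCOUNTS.get(email)
    if uuid is None:
        return {"status": 404, "error": "No account for that email"}
    return {"status": 200, "uuid": uuid}


class HardenedOperatorService:
    """Same action without the oracle: identical status and body whether or not the
    address is known, an opaque invitation id instead of the user's UUID, and a
    per-business quota so bulk probing is cut off."""

    def __init__(self) -> None:
        self.calls = Counter()
        self.pending = {}  # invite_id -> matched UUID or None, never returned to the caller

    def add_operator(self, business_id: str, email: str) -> dict:
        self.calls[business_id] += 1
        if self.calls[business_id] > REQUESTS_PER_WINDOW:
            return {"status": 429, "error": "Too many requests"}
        invite_id = secrets.token_urlsafe(16)
        # Record the match (or its absence) server-side only; the invitation email,
        # if any, goes to the address out of band.
        self.pending[invite_id] = ACCOUNTS.get(email)
        return {
            "status": 202,
            "invite_id": invite_id,
            "message": "If this address has an account, an invitation has been sent.",
        }


def enumerate_uuids(endpoint, business_id: str, candidates) -> dict:
    """Attacker loop: feed a candidate list and keep whatever UUIDs leak back."""
    found = {}
    for email in candidates:
        resp = endpoint(business_id, email)
        if resp.get("status") == 200 and "uuid" in resp:
            found[email] = resp["uuid"]
    return found


# Constructed wordlist the attacker would feed the endpoint.
CANDIDATES = [f"{name}@example.com" for name in ("alice", "carol", "bob", "dave")]
```

Against the vulnerable handler `enumerate_uuids` recovers both UUIDs from the four guesses; against the hardened service it recovers nothing, known and unknown addresses produce byte-identical responses, and the quota turns the twenty-first request into a 429. Both branches of the hardened handler do the same amount of work, which also keeps response timing from becoming a substitute oracle.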
These issues were reported to Uber in September and October, and they were patched in October. The company awarded Roh hundreds of dollars for each of the vulnerabilities, but the exact amounts have not been disclosed. Roh is one of the top hackers in Uber’s bug bounty program.
The company says it has paid out more than $700,000 so far, with the average bounty ranging between $750 and $1,000. A researcher earned $10,000 this summer after informing Uber of a critical flaw in a third-party WordPress plugin used on the company’s websites.
Researchers from security consulting and audit firm Integrity informed Uber of 14 flaws, including ones that could have allowed attackers to access the details of Uber drivers and passengers.
Researchers at Norway-based security firm Promon have demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android application.
In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away. There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.
According to Promon, the Tesla mobile app uses HTTP requests and an OAuth token to communicate with the Tesla server. The token is valid for 90 days and it allows users to authenticate without having to enter their username and password every time they launch the app.
The problem is that this token is stored in cleartext in the app's sandbox directory, so an attacker who gains access to the device (for instance through malware running with root privileges) can steal it and use it to send crafted requests to the server. With the token, criminals can locate the car and open its doors. To enable the keyless driving feature and actually steal the vehicle, they also need the victim's username and password.
Experts believe this can be achieved by tricking the user into installing a piece of malware that modifies the Tesla app and steals the username and password when the victim enters them in the app. According to researchers, the legitimate Tesla app can be modified using one of the many vulnerabilities affecting Android, such as the issue known as TowelRoot. The TowelRoot exploit, which allows attackers to elevate privileges to root, has been used by an Android malware dubbed Godless.
In order to get the victim to install the malicious app, the attacker can use various methods, including free Wi-Fi hotspots.
“When the Tesla owner connects to the Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners. In [our] example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed,” experts said.
While there are multiple conditions that need to be met for the attack to work, researchers pointed out that many devices run vulnerable versions of Android and users are often tricked into installing malware onto their devices.
Promon has not disclosed any technical details about the attack method. The company says it has been working with Tesla on addressing the issues. It’s worth noting that Tesla has a bug bounty program with a maximum payout of $10,000 for each flaw found in its websites, mobile apps and vehicle hardware.
This is not the first time researchers have demonstrated that Tesla cars can be hacked remotely. A few weeks ago, experts at China-based tech company Tencent showed that they could remotely control an unmodified Tesla Model S while it was parked or on the move. Tesla quickly patched the vulnerabilities found by Tencent, but downplayed their severity, claiming that the attack was not fully remote, as suggested in a video released by experts.
UPDATE. Tesla told SecurityWeek that none of the vulnerabilities used in this attack are specific to the company's products.
“The report and video do not demonstrate any Tesla-specific vulnerabilities,” said a Tesla spokesperson. “This demonstration shows what most people intuitively know – if a phone is hacked, the applications on that phone may no longer be secure. The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app. Tesla recommends users run the latest version of their mobile operating system.”
“Hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action,” said Denham, who took up her post in July.
“The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable webpages in the inherited infrastructure,” it said.
“TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
“TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.
“The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data.”
Denham said: “In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting.”
“The record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
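SQL injection, the technique the ICO finding names, shown as an added example written for this page against a throwaway SQLite database. It is not TalkTalk's code: the table, columns, rows and payloads are constructed. It contrasts a lookup that interpolates the caller's input into the statement with the same lookup using a bound parameter.

```python
"""SQL injection against a customer lookup, and the parameterized fix.
Added illustration with constructed data; not TalkTalk's code."""
import sqlite3

ROWS = [  # constructed sample rows
    ("alice@example.com", "ACC-0001", "+44 7700 900001", "1980-01-01"),
    ("bob@example.com", "ACC-0002", "+44 7700 900002", "1975-05-05"),
    ("carol@example.com", "ACC-0003", "+44 7700 900003", "1990-09-09"),
]


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT, account_no TEXT, phone TEXT, dob TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", ROWS)
    return db


def lookup_vulnerable(db: sqlite3.Connection, email: str) -> list:
    """Builds the statement by string interpolation: the caller's input is parsed
    as SQL, so quotes, OR and UNION inside it change what the query does."""
    sql = "SELECT email, account_no FROM customers WHERE email = '%s'" % email
    return db.execute(sql).fetchall()


def lookup_parameterized(db: sqlite3.Connection, email: str) -> list:
    """Same query with a bound parameter: the driver hands the value to the engine
    separately from the statement text, so it can never become SQL."""
    return db.execute(
        "SELECT email, account_no FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Two classic payloads. The first widens the WHERE clause to every row; the second
# appends a UNION that returns columns the lookup was never meant to expose.
DUMP_ALL = "x' OR '1'='1"
UNION_PII = "x' UNION SELECT phone, dob FROM customers --"
```

With `DUMP_ALL` the vulnerable lookup returns all three customers and with `UNION_PII` it returns phone numbers and dates of birth; the parameterized version treats both payloads as an email address nobody has and returns nothing. The fix is the bound parameter, not escaping: the statement text never changes, whatever the input contains.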
A patch for a low-severity OpenSSL vulnerability issued last week actually made things worse and created a new, more severe vulnerability in the open source cryptographic library.
In a departure from its normal process for announcing vulnerabilities and patch availability, the OpenSSL Project skipped its usual pre-notification and rushed out a new set of emergency patches to fix the newly introduced critical vulnerability.
“This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016,” the OpenSSL Project wrote. “Given the critical severity of one of these flaws, we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification.”
The original flaw, one of 14 fixed in the OpenSSL patch release on Sept. 22, enabled a transitory denial-of-service attack through memory exhaustion and had a low severity rating; the new vulnerability introduced by the patch could allow an attacker to execute arbitrary code on a victim system.
“Due to the way memory is allocated in OpenSSL, this could mean an attacker could force up to 21 MB to be allocated to service a connection. This could lead to a denial of service through memory exhaustion,” according to the original OpenSSL vulnerability advisory. “However, the excessive message-length check still takes place, and this would cause the connection to immediately fail.” The excess allocation is released as soon as the application frees the connection with SSL_free(), so, as the advisory put it, “the excessive memory allocation will be transitory in nature.”
The new critical OpenSSL vulnerability opened by the patch “resulted in an issue where if a message larger than approximately 16 KB is received, then the underlying buffer to store the incoming message is reallocated and moved,” OpenSSL wrote. “Unfortunately, a dangling pointer to the old location is left, which results in an attempt to write to the previously freed location. This is likely to result in a crash; however, it could potentially lead to execution of arbitrary code.”
Vulnerabilities discovered by a couple of researchers in the Android version of the secure messaging application Signal can be exploited by remote hackers to alter attachments and cause the app to crash.
Developed by Moxie Marlinspike’s Open Whisper Systems, Signal is a privacy-focused application that provides encrypted instant messaging and voice calling features for iOS and Android. The app is recommended by several renowned privacy advocates, including Edward Snowden, and cryptography experts.
Researchers Markus Vervier and Jean-Philippe Aumasson have analyzed the Android version of Signal and discovered several security issues. One of them is related to the message authentication code (MAC) used to verify attachments.
When users send a file, the attachment is first encrypted and then assigned a MAC that is used to verify the sender and the file’s integrity. The attached file is stored on Amazon’s S3 storage servers and downloaded from there via HTTPS to the recipient’s device.
Vervier and Aumasson determined that a man-in-the-middle (MitM) attacker who has access to the Amazon S3 storage, or who can obtain a certificate from any CA trusted by Android, can serve the targeted user an altered attachment. The MAC verification can be bypassed by padding the attachment with 4 GB plus 1 byte of data; a figure of 2^32 bytes plus one points to a file length being truncated to 32 bits before it is used to decide how much of the file the MAC covers, leaving anything beyond that boundary unauthenticated.
Experts noted that in practice the attacker does not need to send 4 GB of data to the victim: the padding is highly compressible, so with HTTP compression the download shrinks to roughly 4 MB.
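A model of the MAC-length truncation bypass described above, as an added example written for this page. It is not Signal's code: the assumption it makes, and labels, is that the verifier casts the file length to a 32-bit integer before deciding how many bytes the HMAC covers, which is the mechanism consistent with the 4 GB plus 1 byte figure; chunk size, the size cap in the hardened check and the sample key and data are constructed. The multi-gigabyte file is modelled sparsely so the example runs offline in memory.

```python
"""MAC bypass via 32-bit truncation of the attachment length, and the fix.
Added illustration; not Signal's code. The truncating cast is an assumption."""
from __future__ import annotations

import hashlib
import hmac

MAC_LEN = 32
CHUNK = 4096
MAX_ATTACHMENT = 100 * 1024 * 1024  # assumed size cap for the hardened verifier


def to_java_int(n: int) -> int:
    """Emulate a Java (int) cast of a long: keep the low 32 bits, signed."""
    return ((n & 0xFFFFFFFF) ^ 0x80000000) - 0x80000000


class SparseAttachment:
    """File-like stand-in: an in-memory prefix, then zero bytes up to total_length,
    so a 4 GiB padded file costs nothing to represent."""

    def __init__(self, prefix: bytes, total_length: int) -> None:
        self.prefix, self.length, self.pos = prefix, total_length, 0

    def seek(self, pos: int) -> None:
        self.pos = pos

    def read(self, n: int) -> bytes:
        end = min(self.pos + n, self.length)
        data = self.prefix[self.pos:end]  # empty once past the prefix
        data += b"\x00" * (end - self.pos - len(data))
        self.pos = end
        return data


def mac_attachment(key: bytes, ciphertext: bytes) -> bytes:
    """Sender side: ciphertext || HMAC-SHA256(key, ciphertext)."""
    return ciphertext + hmac.new(key, ciphertext, hashlib.sha256).digest()


def _hmac_over(f: SparseAttachment, key: bytes, covered: int) -> bytes:
    m = hmac.new(key, digestmod=hashlib.sha256)
    remaining = covered
    while remaining > 0:
        chunk = f.read(min(CHUNK, remaining))
        m.update(chunk)
        remaining -= len(chunk)
    return m.digest()


def verify_vulnerable(f: SparseAttachment, key: bytes) -> bool:
    """Bug class: the length is truncated to 32 bits, so the MAC only covers
    (length mod 2^32) - 32 bytes and everything beyond is never authenticated."""
    f.seek(0)
    ours = _hmac_over(f, key, to_java_int(f.length) - MAC_LEN)
    theirs = f.read(MAC_LEN)
    return hmac.compare_digest(ours, theirs)


def verify_fixed(f: SparseAttachment, key: bytes) -> bool:
    """Hardened: full-width length, a size cap before any hashing, and the MAC
    read from the true end of the file."""
    if f.length > MAX_ATTACHMENT or f.length < MAC_LEN:
        return False
    f.seek(0)
    ours = _hmac_over(f, key, f.length - MAC_LEN)
    theirs = f.read(MAC_LEN)
    return hmac.compare_digest(ours, theirs)


def forge(legit: bytes, injected: bytes) -> SparseAttachment:
    """Attacker: keep ciphertext || MAC, append chosen bytes, then zero-pad so the
    total length wraps back to the original length modulo 2^32."""
    return SparseAttachment(legit + injected, len(legit) + (1 << 32))
```

The forged file passes `verify_vulnerable` because the truncated length makes it hash exactly the original ciphertext and read the original MAC, while the injected bytes sit after the MAC where the decryptor, not the verifier, will process them. `verify_fixed` rejects the same file before hashing a single byte of padding, and still rejects an ordinary one-bit tamper of a small file after hashing it in full.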
Another flaw disclosed by Vervier and Aumasson is related to the application’s CallAudioManager class and how it handles Real-time Transport Protocol (RTP) packets. The security hole allows a remote attacker to crash the messaging app, but experts believe it could also be possible to exploit it for other purposes. The problematic code may be present in other applications as well.
The vulnerabilities were reported to Signal developers on September 13 and fixes were committed to GitHub on the same day, but the latest version of the app available on Google Play was released on September 9, which means that a patched Android version has yet to be released. Other issues discovered by the researchers in Signal will be disclosed at a later time.
Security researchers from China-based tech company Tencent have identified a series of vulnerabilities that can be exploited to remotely hack an unmodified Tesla Model S while it’s parked or on the move.
An 8-minute video published on Monday by Tencent’s Keen Security Lab shows that researchers managed to perform various actions. While the vehicle was parked, the experts demonstrated that they could control the sunroof, the turn signals, the position of the seats, all the displays, and the door locking system.
While the car was on the move, the white hat hackers showed that they could activate the windshield wipers, fold the side view mirrors, and open the trunk. They also demonstrated that a remote hacker can activate the brakes from a long distance (e.g. 12 miles, as shown in the experiment).
According to Keen Lab researchers, the attacks they demonstrated are possible due to a series of vulnerabilities that have been chained together.
“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars,” the researchers said. “We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.”
Based on the video made available by Keen Lab, it appears that a specific Tesla Model S can be identified and hacked while its owner is searching for nearby charging stations.
The vulnerabilities have been disclosed to Tesla Motors through the company’s Bugcrowd-hosted bug bounty program. According to Keen Lab, Tesla has confirmed the flaws and is working on addressing them. Fortunately, Tesla can release over-the-air firmware updates, which means that, unlike other carmakers, the company does not need to recall vehicles to apply security patches.
SecurityWeek has reached out to Tesla for comment and will update this article if the company’s representatives respond.
Tesla launched its bug bounty program in June 2015, more than a year after researchers started demonstrating that its vehicles could be hacked. After initially offering only up to $1,000 per vulnerability, in August 2015, the company decided to increase bug bounty payouts to a maximum of $10,000 for each flaw found in websites, mobile applications and vehicle hardware.
Research conducted over the past years by several experts – the most well-known are Charlie Miller and Chris Valasek, who have managed to hack cars both locally and remotely – has led to the launch of companies and departments that specialize in automotive security. Earlier this month, Volkswagen announced that it has teamed up with Israeli security experts to launch a new firm called CYMOTIVE Technologies.
UPDATE. Tesla told SecurityWeek that it addressed the vulnerabilities found by Keen Lab within 10 days after learning of their existence. The company pointed out that the attacks are not “fully” remote and they are not as easy to conduct as the researchers have suggested. The company has provided the following statement:
“Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.
We engage with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research.”
The attack launched from 12 miles contradicts Tesla’s claims that the targeted vehicle must be connected to a malicious hotspot. This has led experts to believe that Keen Lab may have found a way to gain persistence.
“At first glance, it would appear that the details provided by the researchers conflict somewhat with the information released by Tesla. While the researchers indicated that they could compromise a car from 20km, Tesla has reported that the car must be connected to a malicious Wi-Fi and the standard range for this is at most 300m. This could indicate that the attackers found a way to gain persistence on the car after it has disconnected, but then the 20km range seems oddly short. Instead I suspect that the attack may have actually been possible by another user on the same cell tower or with a cell site simulator,” Tripwire researcher Craig Young told SecurityWeek.
“In this case, I hope that the researchers do release further details to help understand the automotive attack surface better. The disclosure definitely is a cause for alarm as the attack definitely involved exploitation of a web browser leading to physical control over the car. Ideally these systems should be completely isolated from one another,” Young added.
An Indian researcher earned a significant bug bounty from Facebook after discovering a serious vulnerability that could have been exploited to hijack Facebook pages.
The flaw, identified by Arun Sureshkumar, affected Facebook Business Manager, a free tool that allows users to manage ad accounts, pages, apps and the people who work on them.
When users assign a partner to their page via Business Manager, they need to specify the partner’s business ID and their role. The problem, according to the expert, was that the request sent in the process contained several parameters that could have been easily manipulated due to an insecure direct object reference (IDOR) vulnerability.
An attacker could generate a request using test accounts, intercept it, and modify the value of various parameters in order to assign an arbitrary page to their own Facebook Business Manager account. Once the modified request was resubmitted, the hacker would gain control of the targeted page.
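Object-level authorization for the "assign a partner to a page" action, as an added example modelled on the description above. It is not Facebook's code; the page, business, user identifiers and role names are constructed. It contrasts a handler that trusts every identifier in the request with one that resolves the page server-side and checks that the caller administers the business that owns it.

```python
"""IDOR in a partner-assignment request, and the object-level authorization check.
Added illustration with constructed identifiers; not Facebook's code."""
from __future__ import annotations

ROLES = {"ADMIN", "ADVERTISER", "ANALYST"}


class BusinessManager:
    def __init__(self) -> None:
        self.page_owner = {"page-victim": "biz-victim", "page-mine": "biz-attacker"}
        self.business_admins = {"biz-victim": {"victim"}, "biz-attacker": {"attacker"}}
        self.partners = {}  # page_id -> {partner business: role}

    def _logged_in(self, user: str) -> bool:
        return any(user in admins for admins in self.business_admins.values())

    def assign_partner_vulnerable(self, session_user: str, page_id: str,
                                  partner_business: str, role: str) -> None:
        """Only checks that a session exists. page_id, partner_business and role come
        straight from the request, so any logged-in user can hand any page to any
        business, including their own."""
        if not self._logged_in(session_user):
            raise PermissionError("login required")
        self.partners.setdefault(page_id, {})[partner_business] = role

    def assign_partner_hardened(self, session_user: str, page_id: str,
                                partner_business: str, role: str) -> None:
        """Resolves the page server-side and requires the caller to administer the
        business that owns it before the object is touched."""
        owner = self.page_owner.get(page_id)
        if owner is None or partner_business not in self.business_admins:
            raise LookupError("unknown page or business")
        if session_user not in self.business_admins[owner]:
            raise PermissionError(f"{session_user} does not administer {owner}")
        if role not in ROLES:
            raise ValueError("invalid role")
        self.partners.setdefault(page_id, {})[partner_business] = role

    def controls(self, user: str, page_id: str) -> bool:
        """Does user administer the owner or any ADMIN-role partner of page_id?"""
        businesses = [b for b, r in self.partners.get(page_id, {}).items() if r == "ADMIN"]
        if page_id in self.page_owner:
            businesses.append(self.page_owner[page_id])
        return any(user in self.business_admins.get(b, set()) for b in businesses)
```

With the vulnerable handler the attacker, logged in to their own business, submits the victim's page id and ends up controlling it; the hardened handler refuses, and the victim can still assign a partner to their own page. The check is on the relationship between the caller and the referenced object, which is what a bare session check never establishes.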
Sureshkumar claims the technique could have been used to hack any Facebook page, including ones belonging to high-profile individuals. The expert has published a video to demonstrate his findings:
The vulnerability was reported to Facebook on August 29 and it was fully patched by September 6. The social media giant has decided to award the researcher a $16,000 bounty. The company said the bounty was higher because it discovered and fixed another issue while investigating Sureshkumar’s report.
This was not the first time the expert received a significant bounty from Facebook. Earlier this year, he reported getting $10,000 after responsibly disclosing a serious account takeover vulnerability.
By the end of 2015, Facebook had paid out more than $4.3 million to researchers since the launch of its bug bounty program in 2011.
Researchers have discovered critical security flaws in connected smart plugs which can give attackers access to a full home network — as well as your email account.
Bitdefender researchers Dragos Gavrilut, Radu Basaraba, and George Cabau said on Thursday that one particular device uses no encryption and weak default passwords, with no alerts issued to users to change them in the interests of security.
Internet of Things (IoT) devices are products with network capabilities. While these now range from smartphones to fridges, the use of smart plugs is also on the rise.
IoT-based smart outlets can be used to monitor energy usage, schedule devices to turn on and off at the user’s convenience, and can be used to power and control gadgets including security cameras, smart TVs and coffee makers, among others.
According to the security firm, a popular, but undisclosed, electrical outlet currently on the market not only has poor security in place but is also susceptible to malicious firmware updates which permit attackers to control devices remotely and gain an entry point into your home networks and activity.
To set up the device, users must plug it in, download the accompanying Android or iOS app, and then go through the installation process. The device requests the credentials to the user’s home network and then registers to vendor servers through UDP messages containing the device name, model, and MAC address. The server then replies with the firmware version, port, and local IP address.
Bitdefender noted that the device's Wi-Fi hotspot is protected by a weak username and password, and that during configuration the home Wi-Fi network credentials are transferred in cleartext. To make matters worse, the device-to-application communication that passes through the vendor's servers is only encoded, not encrypted.
“Encoding can be easily reversed using a scheme that is publicly available, while encryption keeps data secret, locked with a key available for a selected few,” the researchers note.
In addition, one feature of the smart plug is poorly designed. The outlet can be configured to send email notifications on every state change, such as turning on or off, but this requires the user's email account credentials to be stored on the device, further expanding the attack surface.
If an attacker knows the MAC address of the device and the default credentials, they can gain control of the device, plundering all of the user information stored within — which includes the user’s email credentials if the alert feature is enabled.
Because of these flaws, and a lack of input sanitization on the password field, an attacker can also set a new password that overrides the root password and log in to the embedded Telnet service. With Telnet access, attackers can remotely send commands to stop, start and schedule the device, and execute arbitrary code; the outlet also accepts malicious firmware updates.
The researchers note that attackers could use the device to perform attacks on other devices connected to the same local network. It may even be the case that we could see power outlets become another element of botnets, which have already included home and office routers.
“One of the most destructive actions an attacker can take is to rip off the existing software and plant malicious software in its place,” says Cabau. “For users, the consequences can extend to losing control of all their network-connected devices as they become weapons of attack in a cyber-criminal network, as well as to exposing their email accounts and their contents.”
Bitdefender reported the vulnerabilities to the vendor before public disclosure 30 days later. The vendor is working on a fix due to be released in Q3 2016.
Eight out of 10 Android devices are affected by a critical Linux vulnerability disclosed last week that allows an off-path attacker to determine whether two hosts are communicating over the Transmission Control Protocol (TCP) and then either terminate the connection or, where the traffic is not encrypted, inject data into it.
The flaw has been present in the Linux kernel's TCP implementation since version 3.6, released in 2012, and according to researchers at mobile security company Lookout, 80 percent of Android devices, going back to KitKat, run an affected kernel.
The issue was publicly disclosed last week during the USENIX Security Symposium where researchers from the University of California Riverside and the U.S. Army Research Laboratory presented a paper entitled “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous.”
While an attacker would need to be able to identify both ends of a TCP connection before initiating an attack, successful exploits would not need that attacker to be in a man-in-the-middle position on the network, the researchers said.
Lookout security researcher Andrew Blaich said that other Android vulnerabilities, such as Stagefright, Quadrooter and the kernel and driver flaws that are being patched on a monthly basis, may be more severe, but this attack is practical and within reach of attackers.
“This is about information disclosure and an attacker being able to infer where you’re going, what you’re viewing and having the ability to inject code,” Blaich said, adding that chaining this vulnerability with a WebKit or browser-related bug could allow for remote code execution. “All you need is one of those and this is where this bug gets interesting.”
A patch has been pushed to the Linux kernel, but Lookout said that as of Friday, the latest developer preview of Android Nougat still remains vulnerable, and the Android Open Source Project has yet to receive the patch as well. Android updates are released monthly to carriers and handset makers, and over-the-air security updates for Nexus devices are sent by Google the first of every month.
The Cal-Riverside and Army researchers said last week the problem is linked to the introduction of challenge ACK responses (RFC 5961) and the imposition of a global rate limit on TCP control packets.
“At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets,” the researchers wrote. “Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection.”
Blaich cautioned that in some instances where connections must be long-lived such as video conferencing or large file-sharing, attackers could take advantage of those scenarios to exploit this bug.
Lookout recommends that until a patch is ready, Android users rely on encrypted communications, in particular a VPN. For rooted Android devices, Lookout recommends using sysctl to set net.ipv4.tcp_challenge_ack_limit to a very large value such as 999999999, which makes the counter contention impractical to measure. Blaich said he expects a patch to be ready for the next monthly Android update, which is set for Sept. 1.
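A simulation of the challenge-ACK side channel described above, written as an added example for this page; it is not the researchers' code or Linux source. The server model keeps only the RFC 5961 behaviour that matters: a SYN, or an in-window RST, for a connection the host has triggers a challenge ACK drawn from one global per-second budget (100 by default), while a packet for a connection the host does not have is answered without touching that budget. The attacker spends the budget from its own legitimate connection and counts what comes back. Addresses, ports, the window size and sequence numbers are constructed.

```python
"""Off-path inference through a shared challenge-ACK counter (RFC 5961 rate limit).
Added illustration with constructed hosts and numbers; not Linux or the paper's code."""
from __future__ import annotations

from dataclasses import dataclass

MOD32 = 1 << 32


@dataclass
class Conn:
    rcv_nxt: int           # next sequence number the server expects
    rcv_wnd: int = 65535   # receive window


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int = 0


class ServerStack:
    """Server-side TCP with one global challenge-ACK budget per second."""

    def __init__(self, challenge_ack_limit: int = 100) -> None:
        self.limit = challenge_ack_limit
        self.budget = challenge_ack_limit
        self.conns = {}

    def add_conn(self, four_tuple: tuple, rcv_nxt: int, rcv_wnd: int = 65535) -> None:
        self.conns[four_tuple] = Conn(rcv_nxt % MOD32, rcv_wnd)

    def tick(self) -> None:
        """New one-second interval: the shared budget is refilled."""
        self.budget = self.limit

    def _challenge_ack(self):
        if self.budget == 0:
            return None  # over the global limit: silently dropped
        self.budget -= 1
        return "CHALLENGE_ACK"

    def receive(self, p: Pkt):
        """Reply type sent to the packet's source address (None means nothing)."""
        conn = self.conns.get((p.src, p.sport, p.dst, p.dport))
        if conn is None:
            return "SYN_ACK" if p.flags == "SYN" else "RST"  # no state: budget untouched
        if p.flags == "SYN":
            return self._challenge_ack()  # RFC 5961 s.4: SYN on an established connection
        if p.flags == "RST":
            if p.seq == conn.rcv_nxt:
                return "CONNECTION_RESET"  # exact match: a real teardown
            if (p.seq - conn.rcv_nxt) % MOD32 < conn.rcv_wnd:
                return self._challenge_ack()  # in window: challenge instead of reset
            return None  # out of window: dropped
        return None


def measure(stack: ServerStack, me: tuple, spoofed) -> int:
    """One interval: inject at most one spoofed packet (any reply goes to the spoofed
    source, not to us), then spend the budget from our own connection and count."""
    stack.tick()
    if spoofed is not None:
        stack.receive(spoofed)
    return sum(stack.receive(Pkt(*me, flags="SYN")) == "CHALLENGE_ACK"
               for _ in range(stack.limit))


def connection_exists(stack: ServerStack, me: tuple, guess: tuple) -> bool:
    """limit-1 replies means the spoofed SYN consumed one: the guessed 4-tuple is live."""
    return measure(stack, me, Pkt(*guess, flags="SYN")) == stack.limit - 1


def seq_in_window(stack: ServerStack, me: tuple, guess: tuple, seq: int) -> bool:
    """Same trick with a spoofed RST: in-window guesses cost one challenge ACK."""
    return measure(stack, me, Pkt(*guess, flags="RST", seq=seq)) == stack.limit - 1


def find_in_window_seq(stack: ServerStack, me: tuple, guess: tuple,
                       wnd: int = 65535, max_probes: int = MOD32 // 65535 + 1):
    """Walk the sequence space in window-sized steps until a spoofed RST lands in window."""
    for i in range(max_probes):
        seq = (i * wnd) % MOD32
        if seq_in_window(stack, me, guess, seq):
            return seq
    return None
```

Each probe costs the attacker one spoofed packet plus 100 of its own; the count of 99 versus 100 is the whole signal. Raising `tcp_challenge_ack_limit` to 999999999, as Lookout suggests, means the attacker's own packets can no longer exhaust the budget, so the one challenge ACK consumed by a spoofed packet is never visible in the count.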