Ah, Facebook. Only you could mess up email verification this badly, and still get a million people to hand over their email address passwords. Yes, you read that right, Facebook’s email verification scheme was to ask users for their email address and email account password. During the verification, Facebook automatically downloaded the account’s contact list, with no warning and no way to opt out.
The amount of terrible here is mind-boggling, but perhaps we need a new security rule-of-thumb for these kind of situations. Don’t ever give an online service the password to a different service. In order to make use of a password in this case, it’s necessary to handle it in plain-text. It’s not certain how long Facebook stored these passwords, but they also recently disclosed that they have been storing millions of Facebook and Instagram passwords in plain-text internally.
This isn’t the first time Facebook has been called out for serious privacy shenanigans, either: In early 2018 it was revealed that the Facebook Android app had been uploading phone call records without informing users. Mark Zuckerberg has recently outlined his plan to give Facebook a new focus on privacy. Time will tell whether any real change will occur.
Cyber Can Mean Anything
Have you noticed that “cyber” has become a meaningless buzz-word, particularly when used by the usual suspects? The Department of Energy released a report that contained a vague but interesting sounding description of an event: “Cyber event that causes interruptions of electrical system operations.” This was noticed by news outlets, and people have been speculating ever since. What is frustrating about this is the wide range of meaning covered by the term “cyber event”. Was it an actual attack? Was Trinity shutting down the power stations, or did an intern trip over a power cord?
The Car that Runs Windows
Do you drive a 2015 Hyundai Tucson? The good news is that you probably have a very hackable infotainment center. The bad news is that you have a very hackable infotainment center that is running Windows CE. [James] has shared some of his ongoing research on Twitter, and it’s as entertaining as it is worrying. The jawdropping revelation is that when a flash drive is plugged in, the infotainment system automatically executes “HyundaiUpdate.exe” without any verification. Keep in mind that the first high profile vehicle exploit was pulled off through the infotainment center, as well.
Java Deserialization Zero-Day
What happens when a cloud provider gets hit by a ransomware attack? That’s what some users of Oracle’s WebLogic Server get to decide after a severe 0-day vulnerability surfaced in the wild, CVE-2019-2725. It all boils down to how Java does deserialization, unpacking flat data back into objects. While outside data must always be viewed with suspicion, Java has a long-standing problem with deserialization, in that the serialized data can overwrite other variables in scope during deserialization. There is an obvious security weakness here, but a fix in the Java language would break untold deployed applications.
The short story is that a server that exposes WebLogic is vulnerable, and likely already compromised with a ransomware attack. Oracle has already released an emergency patch fixing this particular issue.
Check out the presentation below for a detailed introduction to Java deserialization attacks:
Errata
Last time we discussed the ShadowHammer attack, and since then Kaspersky Lab has released their technical report of their findings. There are some more juicy details contained there, so go check it out.
Remember, send us your tips for the next installment of This Week in Security.
Gloss