To help us understand what can be obtained via a web application that has vulnerabilities, or weaknesses, that an untrusted outsider can take advantage of, KrebsOnSecurity describes a breach of a web application that a bank had purchased from Fiserv, which resulted in customers being able to view account data for other customers, including account numbers, balances, phone numbers and email addresses. (https://krebsonsecurity.com/tag/fiserv/)
For this week, research a recent breach announcement that was attributed to a web application failure. How did attackers misuse the website, and what were they able to obtain? How could the breach have been averted?
Nicholas Fabrizio says
Title: Free photos, graphics site Freepik discloses data breach impacting 8.3M users
URL: https://www.zdnet.com/article/free-photos-graphics-site-freepik-discloses-data-breach-impacting-8-3m-users/
In August 2020, the Freepik company, which provides quality design graphics and icons that can be downloaded online, was the victim of a data breach. This breach impacted both of the company’s brands, Freepik and Flaticon, which are popular sites on the internet. The breach resulted in 8.3 million of their users’ email addresses and passwords being stolen. After an investigation it was determined the attacker(s) used SQL injection as their attack vector to gain access to the database from which the information was stolen.
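The injection Nicholas describes, as an added example that is not Freepik’s code and is not from the article: a login lookup that splices the request value into the SQL text, beside the parameterized form and a server-side whitelist check of the kind the thread recommends. The table, rows, column names and payload are constructed for the demo, and the query runs against an in-memory SQLite database.

```python
import re
import sqlite3

# Whitelist pattern for the one field this endpoint accepts (assumption: an e-mail address).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db():
    # Constructed in-memory table standing in for the site's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-of-alice-password"),
         ("bob@example.com", "hash-of-bob-password")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # VULNERABLE: the request value is spliced into the SQL text, so a quote
    # character in it closes the literal and the rest is parsed as SQL.
    sql = f"SELECT email, pw_hash FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Parameterized: the value travels separately from the statement and can
    # only ever be compared against the column, never parsed as SQL.
    return conn.execute(
        "SELECT email, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


def is_valid_email(value):
    # Server-side whitelist validation. Defense in depth, not a substitute for
    # parameterization: it rejects anything that does not look like an address.
    return bool(EMAIL_RE.match(value))


# Classic tautology payload: closes the quoted literal and appends an OR that is
# always true, so the "lookup of one user" returns every row in the table.
PAYLOAD = "x' OR '1'='1"
```

With the vulnerable lookup the payload returns both rows (the whole credential table, which is what a breach like this dumps); the parameterized lookup returns nothing for it, and the whitelist check rejects it before the query is even built.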
Anthony Wong says
Hi Nicholas,
Some preventive measures Freepik could have put in place are to validate data on the server before processing it and to whitelist input. It is at least good to see that they had their database encrypted. If not, this could have been even more severe.
Nicholas Fabrizio says
Hi Anthony,
I agree they should have implemented better validation to help mitigate these vulnerabilities. I also believe they should invest in using a vulnerability scanner on their website to help catch these vulnerabilities.
Zhuofu Wang says
Hi Nicholas,
Fixing a discovered vulnerability is very important, but I sometimes wonder, what should they do with the leaked information? In this case, 8.3 million of their users’ email addresses and passwords were stolen. How many of these email accounts will be used as a springboard for phishing? Compared with the subsequent impact, fixing the vulnerability has become simple work.
Nicholas Fabrizio says
I definitely think the stolen email addresses will be sold and used for the purposes of phishing attempts. They could also be compared with other stolen data posted online to see if the email addresses appear in other data breaches. The attacker could build a profile of which companies the email addresses are associated with in order to create phishing emails that would appear more relevant.
Candace T Nelson says
It’s interesting that you say that, Nicholas – I envision huge databases being maintained by the cybercriminal masterminds wherein they collect and store pieces of information about all users they steal information about. Little by little these profiles (as you called them) become more robust, as more data is stolen or obtained through some other means. The “resale” value of this information depends on how many pieces are available. It is kind of like a puzzle that can drastically impact unsuspecting victims before they even know they are at risk.
Based on our readings and discussions over the past few weeks, I plan to change ALL of my passwords by increasing their complexity and making sure I am not using recycled passwords. It is unfortunate, but tough times call for tougher measures… Thank you for posting this thoughtful article.
Anthony Wong says
In October 2019, Macy’s experienced a security breach due to an unauthorized code injection affecting two web pages on Macy’s website. The attack was performed by a hacker group called Magecart, who installed “card-skimming malware”. JavaScript code was injected into webpages that involve submission of payment information, and then the threat actors waited for customers to submit their payment information. In addition to payment information, other data harvested was first and last names, addresses, zip codes, and email addresses. The injection occurred in a ClientSideErrorLog.js script. I believe a mitigation strategy Macy’s could have implemented is to whitelist the input. This could stop keywords in the malicious code from running.
https://www.zdnet.com/article/macys-suffers-online-magecart-card-skimming-attack/
Nicholas Fabrizio says
Hi Anthony,
Thank you for sharing this article. It seems Magecart attacks are becoming more frequent today. I wonder how many people were actually impacted by this attack, since the malicious code was on their site for 8 days and Macy’s is such a large organization. I think one way to defend against these types of attacks is to use a zero-trust approach to third-party scripts.
Anthony Wong says
I’ve definitely seen a spike in the amount of attacks by Magecart as well. It’ll be interesting to see after the holiday season, since most shopping (if not all) will be online this year.
Zhuofu Wang says
Yeah, big festivals are not only for customers, they are also for hackers. With Black Friday approaching, hackers are definitely preparing for new attacks. However, due to the increasing cyberattacks that occurred under the influence of COVID-19, companies should have realized this and started to strengthen their network security.
Anthony Wong says
In theory, companies should be prepared. However, this might not be the case as some organizations may be focused on driving sales and revenue instead of protecting its systems.
Kelly Sharadin says
You had me at “card-skimming malware” – that is really interesting. Good call about possible remediation as well with whitelisting input. This article also points to JavaScript’s reputation for evil. I try learning it off and on, but it’s so convoluted and that’s partly what makes it so easy for attackers to exploit. JavaScript is rarely implemented properly.
https://medium.com/javascript-non-grata/the-top-10-things-wrong-with-javascript-58f440d6b3d8
This is also a sensitive data exposure issue; Macy’s should also routinely audit their code and e-commerce pages that accept customer payment.
Anthony Wong says
Thanks for sharing the Javascript article. I never knew JavaScript had that reputation. Is there another language that can be used to replace JavaScript or are we not at that point yet? Perhaps, more code reviews could help implement JavaScript better?
Kelly Sharadin says
There are a ton of JavaScript frameworks, so I don’t see it going away any time soon. JavaScript in and of itself is not bad per se; attackers take advantage of JavaScript. You’re probably familiar with Cobalt Strike: “by hiding shellcode within an innocuous JavaScript and loading it without touching the disk, this APT group can further thwart detection from security products.”
https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/
Candace T Nelson says
This is an interesting article, Kelly. I especially liked the depiction of the AngularJS learning curve. It’s no wonder hackers are drawn to sites that use JS, what with its vulnerability to cross-site scripting (XSS) injection.
I found the article below to be similarly interesting. The author stresses the need for testing against JS injection – whether manually, or with testing tools or browser plug ins. In fact, a method to determine whether JS injection is possible or not within a website is described – merely type a command (when navigated to the website) in the browser address bar. Incidentally, I was not able to paste this simple command into my response – it was blocked via HTTP response code 403. However, I intend to test this command out at the website I am examining using Burp Suite!
https://www.softwaretestinghelp.com/javascript-injection-tutorial/
Candace T Nelson says
I am not at all surprised that Macy’s was prone to a Magecart attack. I have been a loyal Macy’s shopper for many years. A few years ago I went on a business trip to CA, and while there I received an email from Macy’s. For some reason I chose not to ignore it (since Macy’s is ALWAYS having email marketing campaigns, I often disregard their notifications). Turns out my account had been hacked, and someone had already purchased an item for around $70. I had paid my bill online just prior to leaving for CA, so I looked to see if I could see my own banking information, which I could. So, I immediately called my bank and closed my account before the cybercriminals had a chance to launch an attack against that as well.
I have since had serious concerns about paying my bill any way other than via snail mail, but that method comes with risks also, e.g. now my checking account information is in the hands of someone – potentially a junior AR clerk – who may not know the risks associated with failure to maintain that information securely…
Anthony Wong says
Wow, thank you for sharing your experience, Candace. It appears that Macy’s has a history of poor cyber security practices that have made them a “regular” target for attackers. After a few incidents, Macy’s should really consider hiring cyber security consultants to look at their systems annually.
Zhuofu Wang says
LibreHealth medical records app exposes sensitive patient data
URL: https://portswigger.net/daily-swig/librehealth-medical-records-app-exposes-sensitive-patient-data
Security researchers from Bishop Fox found 5 high-risk security vulnerabilities in LibreHealth EHR, which is a free and open-source electronic health records application. These vulnerabilities may allow attackers to compromise the application’s underlying server and gain access to medical records. They are:
1. CVE-2020-11436 – cross-site scripting (XSS) issue that would allow attackers to force actions on other users’ behalf
2. CVE-2020-11437 – SQL injection issue that resulted in sensitive data disclosure
3. CVE-2020-11438 – cross-site request forgery (CSRF) issue
4. CVE-2020-11439 – local file inclusion (LFI) that could be leveraged to compromise the underlying application server
5. Multiple – previously disclosed, un-remediated vulnerabilities inherited from a vulnerable software base (OpenEMR)
The researchers mentioned there is no evidence that these are being exploited in the wild, but there is also no news to confirm that the vendor has released a patch. These may still be “in the wild”.
Nicholas Fabrizio says
It sounds like the vendor is taking the vulnerabilities seriously, which is good because this application is dealing with people’s medical information. Unfortunately, COVID-related issues are making the patching process take longer.
Zhuofu Wang says
That’s true. The COVID situation made many people work remotely, which also gives hackers more opportunities. Companies that have no experience in large-scale telecommuting are faced with great security challenges.
Humbert Amiani says
Tiki Wiki authentication bypass flaw gives attackers full control of websites, intranets
A security researcher has detailed how Tiki Wiki, an open source wiki-based content management system, allowed an unauthenticated attacker to bypass login and gain remote access as admin. The vulnerability in the platform could allow full control of the target account in Tiki Wiki versions prior to 21.2. After 50 invalid login attempts, the account locks, and it is then that an attacker can use an empty password to authenticate as admin, gaining full control of the whole content management system.
The vulnerability (CVE-2020-15906) was assigned a score of 9.3/10 and has since been patched and users asked to upgrade to the latest version.
https://portswigger.net/daily-swig/tiki-wiki-authentication-bypass-flaw-gives-attackers-full-control-of-websites-intranets
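A toy model of the fail-open lockout behaviour the article describes, added here as an example. It is not Tiki Wiki’s code, and the mechanism chosen to reproduce the symptom (the lock “disables” the account by erasing its stored credential, and a password-less convention then honours an empty password) is an assumption. Beside it is a version of the same check that fails closed and raises an alert on lockout, the kind of notification Zhuofu suggests. The store, threshold constant and demo hash are constructed.

```python
import hashlib
import hmac

LOCKOUT_THRESHOLD = 50  # assumption: mirrors the 50-attempt figure in the article


def _hash(password):
    # Demo-only hashing so the example is self-contained; use argon2 or bcrypt in real code.
    return hashlib.sha256(password.encode()).hexdigest()


def new_store():
    # Constructed in-memory user store; "admin" has a real credential set.
    return {
        "users": {"admin": {"pw_hash": _hash("correct horse battery staple"), "failures": 0}},
        "alerts": [],
    }


def _password_ok_vulnerable(rec, password):
    if not rec["pw_hash"]:
        # Assumed convention: a record with no stored credential is treated as
        # password-less, so only the empty password "matches" it.
        return password == ""
    return hmac.compare_digest(_hash(password), rec["pw_hash"])


def login_vulnerable(store, user, password):
    rec = store["users"].get(user)
    if rec is None:
        return False
    if not _password_ok_vulnerable(rec, password):
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            # BUG: "locking" the account by erasing its credential turns it into a
            # password-less account, so the very next empty-password login succeeds.
            rec["pw_hash"] = ""
        return False
    rec["failures"] = 0
    return True


def login_safe(store, user, password):
    rec = store["users"].get(user)
    if rec is None:
        return False
    if rec["failures"] >= LOCKOUT_THRESHOLD:
        return False  # fail closed: a locked account rejects every credential, including the right one
    if not rec["pw_hash"] or not hmac.compare_digest(_hash(password), rec["pw_hash"]):
        rec["failures"] += 1
        if rec["failures"] == LOCKOUT_THRESHOLD:
            # Tell the owner / SOC that someone is hammering this account.
            store["alerts"].append(f"lockout: {user}")
        return False
    rec["failures"] = 0
    return True


def bypass_attempt(login):
    """Drive the attack the article describes against a given login function:
    exhaust the lockout counter with bad guesses, then present an empty password."""
    store = new_store()
    for _ in range(LOCKOUT_THRESHOLD):
        login(store, "admin", "not-the-password")
    return login(store, "admin", "")
```

The attack costs the attacker nothing but 51 requests: `bypass_attempt(login_vulnerable)` is True and `bypass_attempt(login_safe)` is False. The general lesson is that a lockout must be its own explicit state that the authentication path checks first, never a side effect on the credential record.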
Kelly Sharadin says
Nice article, appreciated the proof of concept video as well. Persistence is key with cyber-attacks; 50 invalid attempts was the threshold. I would be curious to know how the backend constructed authentication and how that was calculated internally. It’s no wonder that broken authentication remains number 2 in the OWASP top ten. It’s like having a heavily guarded house with a simple latchkey door.
Humbert Amiani says
Hi Kelly,
Yes, that’s a very good analogy with the latchkey door. I thought this fascinating as well, in how persistent they were in breaking the authentication in this scenario.
Zhuofu Wang says
Thanks for sharing. Maybe they also need to add an alerting system to send a notification email or message to users who have high permissions, for example when the usual login IP address changes, or on multiple login failures. These actions should be marked as high-risk actions, and then the account owner informed.
Amelia Safirstein says
Thanks for the article, Humbert. I love that the researcher just stumbled upon the vulnerability in a CTF game. It’s interesting and smart that companies are pushing programs like CTF and bounty hunting. It’s like crowdsourcing to extend your cybersecurity efforts.
Candace T Nelson says
Wikipedia defines credential stuffing as “a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.”
https://en.wikipedia.org/wiki/Credential_stuffing
In the October 26, 2020 Infosecurity Magazine article titled Nando’s Customers Hit by Credential Stuffing Attacks, Phil Muncaster reported that cyber-attackers hijacked online accounts of multiple customers of this popular UK restaurant. Presumably, a group of “young people” placed two large orders at one of Nando’s locations after several failed attempts to use their hijacked accounts online.
A security specialist at Comparitech was quoted as saying that “this kind of fraud has become more common during the pandemic as hospitality venues implement online ordering platforms to help protect staff and customers.” In this instance, the restaurant offered to reimburse customers who were defrauded in this manner since they did not have adequate mechanisms in place to detect suspicious account activity. However, since the security measures of such platforms are notoriously weak, it is incumbent upon users to employ stronger security measures.
According to data released last week, “between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks, and more than 63 billion of them targeted retail, travel, and hospitality.” By maintaining different passwords for all online accounts and not reusing passwords in general – and especially across sites – users can prevent their credentials from being reused in this fraudulent manner.
https://www.infosecurity-magazine.com/news/nandos-customers-hit-credential/
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-loyalty-for-sale-retail-and-hospitality-fraud-report-2020.pdf
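An added example, not from the Infosecurity article or Akamai’s report: a detector that runs over login log lines and flags source addresses whose traffic has the shape of credential stuffing (many distinct usernames from one IP with a high failure rate, which is what a leaked credential list replayed against a site looks like), and lists the accounts that address did get into so they can be locked and their owners contacted. The log format and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log: one address sprays six different usernames and lands one
# hit; a legitimate user on another address mistypes twice and then succeeds.
SAMPLE_LOG = """\
2020-10-26T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2020-10-26T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2020-10-26T10:00:02Z ip=203.0.113.7 user=carol@example.com result=OK
2020-10-26T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2020-10-26T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2020-10-26T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2020-10-26T10:00:05Z ip=198.51.100.5 user=grace@example.com result=FAIL
2020-10-26T10:00:09Z ip=198.51.100.5 user=grace@example.com result=FAIL
2020-10-26T10:00:15Z ip=198.51.100.5 user=grace@example.com result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse lines of the assumed format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_stuffing(events, min_distinct_users=5, min_fail_ratio=0.7):
    """Flag IPs that try many different accounts and mostly fail.

    A real user failing on one account looks nothing like this; a list replay does."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].append(e["user"])  # accounts this address actually got into
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised": s["hits"],
            }
    return flagged
```

On the sample, only 203.0.113.7 is flagged, and its one success (carol’s account) is the hijacked account a fraud team would need to freeze. Thresholds are per site; a patient attacker spreading the list across many addresses needs the complementary check of many distinct usernames per address range or per user agent, which the same per-key aggregation supports.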
Amelia Safirstein says
Candace, I think most of us are guilty of using the same username and password for multiple accounts at some point. It’s difficult to remember a handful of lengthy passwords that avoid dictionary words and include multiple types of characters. Many people either don’t know of options like LastPass or they just don’t want to put the extra effort in to use them. When breaches occur where bad actors are able to steal login credentials, many of these same folks think that they’re safe as long as they change the password for that one account. I believe this is what caused huge problems for Disney Plus when they first started their streaming service. Bad actors had old stolen credentials for other sites, tested each one on Disney Plus, then changed the passwords for the accounts they were able to log into, and distributed them on the dark web.
Candace T Nelson says
Hi Amy – Denial being what it is, e.g. this will never happen to me, it is unfortunate that some can’t learn from the unfortunate experience of others. There are so very many ways an individual can be defrauded – especially right now – in the midst of a deadly pandemic and with a contentious US presidential election underway.
If a person doesn’t read the papers or listen to the news, they have little knowledge about the types of attacks that are prevalent and the vulnerabilities that are waiting to be exploited. And if they do, thinking that one is immune to being targeted by cybercriminals only puts them at higher risk. I intend to suggest to my family members and close friends who are like minded that they consider changing their password management habits, including how passwords are determined, where and how they are stored, how complex they are, how frequently they are changed, and whether the same passwords are reused and/or are used for multiple sites. I personally believe this is a good practice for all of us to adopt in today’s day and age.
Anthony Wong says
Hi Humbert,
Thanks for sharing. It’s interesting to see how one of the mitigation techniques for broken authentication attacks was exploited. I think it would be wise to patch the version, but also perhaps implement multi-factor authentication to further protect against these kinds of web app attacks.
Humbert Amiani says
Hi Anthony,
MFA will definitely help in such a situation. Most people evidently do not realize how persistent a hacker can be, and in most cases it is the persistence that pays off for them.
Kelly Sharadin says
While this vulnerability in the Loginizer plugin was disclosed to WordPress by a security researcher before an attacker could exploit it, it illustrates WordPress’ notorious SQL injection vulnerabilities. The Loginizer vulnerability would have allowed an attacker to enter a fake username and have it stored in the database for later execution, granting full site access. Due to WordPress’s open-source environment, it can be challenging to know where plugins are coming from or what their patch cycle is – if any. This lack of standardized patching makes many WordPress instances extremely vulnerable to attack. To that end, WordPress took a bold move and forced an update to the Loginizer plugin – much to many web developers’ and admins’ disapproval.
https://www.darkreading.com/application-security/wordpress-plug-in-updated-in-rare-forced-action/d/d-id/1339255
**Also the latest version of BurpSuite is having some issues specific to Kali Linux. If you cannot resolve them in Kali Linux I suggest installing BurpSuite in an Ubuntu VM
Anthony Wong says
Hi Kelly,
While I understand the concerns about part of the site breaking due to a patch update, this is not an excuse to leave a high-severity vulnerability available for threat actors. If exploited, it would cause an organization a bigger headache compared to part of the site not functioning properly. One solution can be to have a development site that mirrors production. The patch can be applied to the dev site, then the site admin performs a quick regression test. If no issues are identified, then apply the patch to production.
Also, I will have to try installing BurpSuite in an Ubuntu VM… When I start up Burpsuite in Kali, I get this message, “burpsuite has not been tested for that java platform and may not work properly”. Was this the same error you saw?
Kelly Sharadin says
Hi Anthony,
Yes, but it’s more about overall functionality within Burp Suite, forwarding traffic and using Burp Suite’s own Chromium browser.
Anthony Wong says
Thank you for the tip!
Amelia Safirstein says
Anthony,
I definitely agree. There will always be pushback on updating systems when those updates may disrupt function. It sounds like WordPress was stuck between a rock and a hard place and they chose the safety of the end user’s PII, which I think is the responsible thing to do.
Anthony Wong says
Currently, I work on software development projects and can attest that development and security don’t always see eye to eye. Most of the time the development team I work with just sees security as another roadblock. However, security is just looking out for the organization. I would agree that WordPress is being responsible, but also protecting themselves.
Kelly Sharadin says
Also a follow-up on how I would mitigate this risk, as this falls under number 9 of the OWASP top ten: using components with known vulnerabilities. As I mentioned, WordPress comes with inherent weaknesses due to virtually anyone being able to submit plugins, which many people use without a second thought. Therefore, as a WordPress admin myself, you have to accept responsibility for the plugins you implement and stay on top of updates by regularly checking the WordPress dashboard, researching security news related to the plugins you use and, lastly, disabling plugins you do not use to reduce your attack surface.
Candace T Nelson says
Hi Kelly – I find it interesting that only 89% of the 38.6% of websites with a WordPress (WP) foundation have been upgraded as a result of the forced update. I am curious about whether the remaining 11% (which represents more than 4% of total WP websites) intentionally blocked this specific update, or if they block all updates and select those that they wish to implement on their own timetable. Either way, this seems like a risky approach, and it is not recommended by WP (per the article below).
https://www.wpbeginner.com/wp-tutorials/how-to-disable-automatic-updates-in-wordpress/#:~:text=If%20you're%20not%20sure,don't%20recommend%20this%20option.
Amelia Safirstein says
This article doesn’t point to one specific incident but it does bring light to how most application providers handle vulnerabilities. Most applications have at least one known vulnerability and many providers take months to remediate the vulnerability. Many of these vulnerabilities come from open-source libraries used by the applications. The writers of this article found that automated, regular vulnerability scanning helps these organizations to address half of these vulnerabilities 17.5 days faster than those organizations that don’t have recurring automated testing.
https://securityboulevard.com/2020/10/veracode-state-of-software-security-half-of-application-security-flaws-remain-open-six-months-after-discovery-apps-with-technical-debt-take-two-times-as-long-to-fix/
Kelly Sharadin says
This is awesome news for a wanna-be bug bounty hunter like myself! Terrible news for many web developers. I talked a little about this in my post as well – open source is truly one of the greatest technological innovations we’ve ever had, but it does come with some issues. To implement successful vulnerability management, organizations need dedicated teams to focus solely on this area and even coordinate with CTI teams to remain aware of appsec vulnerabilities as they arise. As your statistic shows, an ounce of prevention is worth a pound of cure!
Bryan Garrahan says
https://zonewp.com/2020/05/over-900k-wordpress-sites-targeted-via-xss-vulnerabilities/
In this article, 900,000 WordPress sites were exploited by attackers in order to take advantage of cross-site scripting (XSS) vulnerabilities in April 2020. It was noted that the attackers exploited the vulnerabilities to redirect incoming traffic to malicious sites by planting malicious JavaScript code on websites. Additionally, the article notes that malicious code was used to search for logged-in admin accounts in order to automate backdoor account creation. The article notes the following techniques were used:
– An XSS flaw in the Easy2Map plugin that was withdrawn from the WordPress plug-in repository in August 2019. Wordfence says attempts to exploit this vulnerability accounted for more than half of the attacks, despite the plug-in being active on fewer than 3,000 WordPress sites.
– An XSS vulnerability that was patched in Blog Designer in 2019. Wordfence estimates that approximately 1,000 sites use this plugin and that this vulnerability was also the target of other campaigns.
– An options update vulnerability, patched in late 2018, in WP GDPR Compliance that would allow attackers to alter the home URL of the site, in addition to other options. Despite this plugin having more than 100,000 installs, Wordfence reports that no more than 5,000 vulnerable installs remain.
– An options update vulnerability in Total Donations that would allow attackers to alter the home URL of the site. This plugin was permanently removed from the Envato Marketplace in early 2019. However, Wordfence claims that there are still fewer than 1,000 installations in total.
– An XSS vulnerability in the Newspaper theme that was fixed in 2016. This flaw has been a target in the past as well.
Ensuring that all software and plugins are up to date could mitigate the risk from attacks such as this. Additionally, removing any unnecessary plugins could add an additional layer of security.
Bryan Garrahan says
https://threatpost.com/bug-in-google-maps-opened-door-to-cross-site-scripting-attacks/159006/
In August 2020, a researcher initially identified a cross-site scripting (XSS) bug in Google Maps and reported it to Google, which patched it in September 2020. After learning a patch had been pushed, the same researcher found a way to bypass the fix, simply out of boredom. The researcher indicated that the vulnerability stemmed from functionality where users can generate their own map in Keyhole Markup Language (KML) format. The article reads, “To exploit this flaw, an attacker could create a new empty map, rename it using these special characters and add an XSS payload for SVG. SVG (or Scalable Vector Graphics) is an XML-based vector image format. Then, they need to set permissions for the map to “public,” allowing everyone to access it, export it as KML and copy the download link. They can then send the download link to their victim. Once the target is persuaded to click on the link (via social engineering) the XSS attack is launched.”
The article also touches on Google’s bug bounty program – which is willing to reward users handsomely when identifying flaws in their systems.
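An added example, not Google’s code and not the researcher’s proof of concept: a blocklist “fix” that strips script tags, an SVG event-handler payload that walks past it (the kind of bypass the article describes, since SVG elements carry event handlers just as HTML ones do), the output-encoding alternative, and a small regression check that re-tests a fix by parsing what the browser would actually see. The payloads and the SVG label template are constructed.

```python
import html
import re
from html.parser import HTMLParser

# Assumed first "fix": delete <script ...> and </script> tags from the name.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def naive_filter(name):
    return SCRIPT_TAG.sub("", name)


def render_label_unsafe(name):
    # The user-chosen name lands inside an SVG fragment after the blocklist pass.
    return (
        '<svg width="200" height="40"><text x="4" y="20">'
        f"{naive_filter(name)}</text></svg>"
    )


def render_label_safe(name):
    # Contextual output encoding: every character that could open a tag or an
    # attribute becomes an entity, so the name is always rendered as text.
    return (
        '<svg width="200" height="40"><text x="4" y="20">'
        f"{html.escape(name, quote=True)}</text></svg>"
    )


class _HandlerFinder(HTMLParser):
    # Records every on* attribute the markup would hand to the browser.
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for key, _ in attrs:
            if key.lower().startswith("on"):
                self.handlers.append((tag, key.lower()))


def injected_handlers(fragment):
    """Regression check for a fix: return the event handlers present in the output."""
    finder = _HandlerFinder()
    finder.feed(fragment)
    return finder.handlers


# Constructed payloads: the one a blocklist fix gets tested against, and the one
# that bypasses it.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
SVG_PAYLOAD = "<svg onload=alert(1)>"
```

The blocklist passes its own test (no handler survives for the script payload) and fails the retest (the svg/onload handler is still there), while the escaped rendering passes both. A retest that only replays the originally reported payload would have declared this fixed.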
Amelia Safirstein says
Bryan,
I was just reading about the importance of re-testing vulnerabilities after a fix has been put in place. This is the perfect example of where that would have come in handy.
Mahroo Sanati says
Equifax was the victim of an astounding data breach
https://www.infosecurity-magazine.com/news/judge-signs-off-775m-equifax/
In 2017, Equifax, one of the 3 largest credit reporting agencies in the United States, was the victim of an astounding data breach.
The breach lasted about 78 days and was caused by a vulnerability in the Apache Struts web application framework, for which a patch had been issued but which Equifax had failed to apply in time. The breach leaked the personal data of nearly 148 million Americans, 15.2 million Brits, and almost 19,000 Canadians. The data trove included a wide range of personally identifiable information, including social security numbers, birth dates, and addresses.
Equifax estimates the damage from this security breach at about US$1.7 billion.