Security news weekly round-up - 18th November 2022

Habdul Hazeez - Nov 18 '22 - - Dev Community

Hello 👋 everyone, I hope you're all good.

Introduction

This week's review is about vulnerabilities, malware, and your privacy on the web. The stories involve big names like Google (no surprise), Amazon, WordPress, Adobe, and Magento.


Google Pays $70k for Android Lock Screen Bypass

A researcher discovered this bug by accident, and it affects devices running Android 10, 11, 12, and 13 that have not applied the November 5, 2022 patch. So, if you have any device running these operating systems, update now after reading the following excerpt from the article:

The vulnerability, a lock screen bypass due to an error in the “dismiss and related functions of KeyguardHostViewController.java and related files”, impacts devices running Android 10, 11, 12, and 13. Google describes the issue as an elevation of privilege bug.

LiteSpeed Vulnerabilities Can Lead to Complete Web Server Takeover

The vulnerabilities affect the open-source and closed-source LiteSpeed web servers. It's a dangerous bug because it can lead to arbitrary code execution on the web server. If you have a LiteSpeed server, update now.

The vulnerabilities discovered by the security firm’s researchers can be exploited to compromise the targeted web server and execute arbitrary code with elevated privileges. The attacker must first use a brute-force attack or social engineering to obtain valid credentials to the web server’s dashboard.

Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

Threat actors are redirecting visitors of compromised WordPress sites to sites of their own, in what's described as a Black Hat SEO trick. The fix is to update your WordPress installation and enable 2FA.

This extensive compromise allows the malware to execute the redirects to websites of the attacker's choice. It's worth pointing out that the redirects don't occur if the wordpress_logged_in cookie is present or if the current page is wp-login.php (i.e., the login page) so as to avoid raising suspicion.
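The cloaking behaviour quoted above (no redirect when a wordpress_logged_in cookie is present, or on wp-login.php) is also what gives the infection away: fetch the same page once anonymously and once with the cookie set, then compare where each response sends the visitor. The check below is an added example, not code from the article or from the campaign's malware; the HTTP responses and hostnames in it are constructed placeholders.

```python
"""Flag a page that redirects anonymous visitors off-site but not logged-in ones."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    url: str                       # URL that was requested
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Client-side redirects the malware can use instead of an HTTP 30x.
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'> ]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def redirect_target(resp):
    """Return the destination a browser would be sent to, or None if the page stays put."""
    if 300 <= resp.status < 400:
        loc = next((v for k, v in resp.headers.items() if k.lower() == "location"), None)
        if loc:
            return loc
    for pattern in (META_REFRESH, JS_LOCATION):
        match = pattern.search(resp.body)
        if match:
            return match.group(1)
    return None


def is_external(site_url, target):
    """Relative targets and same-host targets are not the pattern we are looking for."""
    return urlparse(target).netloc not in ("", urlparse(site_url).netloc)


def cloaked_redirect(anon, logged_in):
    """Return the off-site target shown only to anonymous visitors, else None."""
    anon_target = redirect_target(anon)
    if anon_target is None or not is_external(anon.url, anon_target):
        return None
    if redirect_target(logged_in) == anon_target:
        return None  # everyone is redirected: a misconfiguration, not cloaking
    return anon_target


# Constructed sample data: the same URL fetched without and with the cookie.
SITE = "https://blog.example"  # placeholder site
ANON = Response(SITE + "/post/", 200, {"Content-Type": "text/html"},
                '<html><head><script>window.location.href="https://seo-spam.example/q/1";</script>')
LOGGED_IN = Response(SITE + "/post/", 200, {"Content-Type": "text/html"},
                     "<html><body>The real post</body></html>")
```

Run `cloaked_redirect(ANON, LOGGED_IN)` against live captures by sending the second request with a `wordpress_logged_in` cookie and redirects disabled in the HTTP client.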

Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location

The summary of this article is: not everything is what it appears to be. Users turned off the location service on their phones, but somehow, Google could still track their location. As a programmer myself, this story does not surprise me at all. Still, read the following excerpt:

Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information. For years Google has prioritized profit over their users' privacy. They have been crafty and deceptive.

Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data

If you store people's personal data, keep it safe. I know it's easier said than done, but ensure that you make an effort. The following is why you should:

Leaking PII in this manner provides a potential treasure trove for threat actors – either during the reconnaissance phase of the cyber kill chain or extortionware/ransomware campaigns. This includes names, email addresses, phone numbers, dates of birth, marital status, car rental information, and even company logins.

Open banking: Tell me what you buy, and I’ll tell you who you are

Can you guess? It has to do with FinTech applications, and it's scary.

The trend is set, and open banking is being discussed all over the world. But the pace of its adoption will not be the same everywhere, due to the availability of mobile internet access.

Magento Vulnerability Increasingly Exploited to Hack Online Stores

An attacker can exploit the bug for arbitrary code execution. Take your time and read the story after reading the following excerpt from the article:

As part of the observed attacks, threat actors first probe Magento and Adobe Commerce stores, attempting to trigger the system to send an email, with exploit code in one field. Observed triggers include placing an order, registering as a customer, or sharing a wishlist. Should the probe be successful, the attackers then attempt to take over the vulnerable website.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, until next time.
