Security news weekly round-up - 3rd September 2021

Habdul Hazeez - Sep 3 '21 - - Dev Community

This is a record-breaking publication because it's our 15th consecutive publication. The last record was 14 in a row.

How about you buy me a coffee to celebrate the achievement? Check the link at the end of this post.

Introduction

The vast majority of the stories that we'll review this week are about vulnerabilities and malware with a single exception — a story about online security.

Let's begin.


Skimming the CREAM – recursive withdrawals loot $13M in cryptocash

This story is an account of how a Taiwan-based cryptofinance company lost about $13M when an attacker abused recursive withdrawals against its lending system.

I have stated it many times in this series, and I'll state it again: No System Is Safe.

Excerpt from the article:

C.R.E.A.M. (which really is an abbreviation, as the dots imply, that stands for Crypto Rules Everything Around Me), has said simply that it has “stopped the exploit by pausing supply and borrow on AMP”, where AMP is the cryptocurrency system where the company’s bug was abused.

15-Year-Old Malware Proxy Network VIP72 Goes Dark

The title says it all. As always, Krebs's article is detailed.

Excerpt from the article:

But roughly two weeks ago, VIP72’s online storefront — which ironically enough has remained at the same U.S.-based Internet address for more than a decade — simply vanished.

WhatsApp Photo Filter Bug Could Have Exposed Your Data to Remote Attackers

The title says it all.

Excerpt from the article:

Tracked as CVE-2020-1910 (CVSS score: 7.8), the flaw concerns an out-of-bounds read/write and stems from applying specific image filters to a rogue image and sending the altered image to an unwitting recipient, thereby enabling an attacker to access valuable data stored in the app's memory.

Twitter introduces new feature to automatically block abusive behavior


Excerpt from the article:

Users will have the option to review the details of flagged tweets and autoblocked accounts from the Safety Mode menu at any time. Additionally, they’ll also receive a notification summarizing this information before each Safety Mode period ends.

Pwned! The home security system that can be hacked with your email address

Just an email address? 😱

Excerpt from the article:

The affected product comes from the company Fortress Security Store, which sells two branded home security setups, the entry-level S03 Wifi Security System, which starts at $130, and the more expensive S6 Titan 3G/4G WiFi Security System, starting at $250.

NPM package with 3 million weekly downloads had a severe vulnerability

Hey JS devs (myself included 😁), this is for you!

Excerpt from the article:

This week, developer Tim Perry disclosed a high-severity flaw in pac-resolver that can enable threat actors on the local network to run arbitrary code within your Node.js process whenever it attempts to make an HTTP request.

New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable

Two words: Not Good.

Excerpt from the article:

Collectively dubbed "BrakTooth" (referring to the Norwegian word "Brak" which translates to "crash"), the 16 security weaknesses span across 13 Bluetooth chipsets from 11 vendors such as Intel, Qualcomm, Zhuhai Jieli Technology, and Texas Instruments.

Support me

Now, you can support what I do by buying me a coffee. It'll mean a lot to me.

Buy Me A Coffee

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, I'll see you next Friday.
