Cyber Security News — Past 24 hours | 09.05.2021

SLIIT CS2
6 min readMay 9, 2021

Twitter’s Tip Jar Privacy Fiasco Was Entirely Avoidable

Not long after, former Federal Trade Commission chief technologist Ashkan Soltani discovered that using PayPal for the Tip Jar could reveal a user’s email address, even if no transaction took place.

You’ve likely picked up on PayPal as the common thread here. To be clear, there are ways to send and receive money through that service, including through the Twitter Tip Jar, that do not give away your home or email address. But that makes it all the more disappointing that no one at Twitter thought to head those obvious issues off at the pass.

“Twitter users have come to learn that they can be anonymous on Twitter — it’s a platform that doesn’t require your real name and encourages more potentially anonymous interactions than other social media sites,” says Tobac, cofounder of SocialProof Security. “For that reason, there are many more vulnerable populations that use Twitter to anonymously communicate with others, rather than other platforms.”

But because the Tip Jar simply bounces you to a third-party payment platform — in addition to PayPal, it supports Venmo, Cash App, Patreon, and Bandcamp — you’re suddenly playing by different rules. Twitter notifies users that the transactions happen elsewhere, but without conveying the full implications of what that might mean, and what you might reveal about yourself along the way.

In the case of PayPal, payments are made by default through what the company calls the “Goods and Services” workflow, which is designed for items that go in the mail — and therefore have a home address attached to them. Navigating to a more privacy-accommodating choice in PayPal isn’t especially intuitive. You need to tap on a small arrow next to where it says “Paying for an item or service,” and select “Sending to a friend” instead.

Are Twitter micro-celebrities your friends? Are good tweets a service? Fine philosophical queries! But also an easy source of confusion if you’re just trying to send a few bucks to someone you follow online without letting them know where you live. The email issue discovered by Soltani, meanwhile, applies to people who are trying to get paid: If you don’t have a user name on PayPal, the service displays your email address by default. A Twitter spokesperson said that the company would update its in-app notification to clarify that the payment platforms it looped in for the Tip Jar “may share information about people sending tips to one another.” Twitter product lead Kayvan Beykpour tweeted “this is a good catch, thank you” in a reply to Tobac calling out the home address concern. “We can’t control the revealing of the address on Paypal’s side but we will add a warning for people giving tips via Paypal so that they are aware of this.”

Source — https://www.wired.com/story/twitter-tip-jar-privacy-fiasco-entirely-avoidable/

New Financially Motivated UNC2529 Hacking Group Targets U.S. Organizations with 3 Malware

Security analysts have claimed that this global phishing campaign involves over 50 domains. And in a successful second wave attack which took place on December 2nd and between December 11th and 18th, 2020, the hacking group, UNC2529 hacked a domain owned by a US heating and cooling company.

During this execution, they managed to change the DNS records of the domain owned by a US heating and cooling company and used this structure to launch phishing attacks against at least 22 other organizations.

The emails used by the attackers contained URL links leading to .PDF files along with a JavaScript file in a Zip archive.

Here, the documents themselves, taken from public sources, were deliberately tampered with to entice victims to double-click the .js file containing the masked “Doubledrag” loader in an attempt to open them.

Not only that, but even some emails also included an Excel file with a macro carrying the same malicious payload. The launch of Doubledrag attempt to load the so-called dropper, “Doubledrop.” Since we are talking about a hacking group that is well experienced, UNC2529 have refined their attack vectors. They refined their attack forms and vectors simply to make their emails genuine or legitimate to their targeted victims.

Now many of you might be thinking that ‘Why?’ The threat actors refined their attack forms and vectors to enhance their chances to tarp their victims and infect their systems.Moreover, the hackers at UNC2529 group during their two waves of attacks have targeted multiple industries from multiple regions.

Source — https://gbhackers.com/unc2529-hacking-group-targets-u-s-organizations-with-3-malware/

4 Major Privacy and Security Updates From Google You Should Know About

Google has announced a number of user-facing and under-the-hood changes in an attempt to boost privacy and security, including rolling out two-factor authentication automatically to all eligible users and bringing iOS-styled privacy labels to Android app listings. The transparency measures into how apps use data echo a similar push by Apple, which rolled out privacy labels in the App Store in December 2020 with an aim to condense an app’s data collection practices in an easy-to-understand and user-friendly format. Interestingly, the enforcement goes beyond the privacy-oriented nutrition information attached to each app entry, for the changes will also require app developers, including Google, to provide information about whether their apps adhere to security practices, like data encryption, comply with Google’s policies around apps and games aimed at children, and explain why a specific piece of data is being collected, or if users have a choice in opting out of data sharing. Another key difference is that the section will also highlight whether an independent third-party has verified the app’s privacy labels and whether users can request that their data be deleted should they decide to uninstall the app.

Source — https://thehackernews.com/2021/05/4-major-privacy-and-security-updates.html

6 Unpatched Flaws Disclosed in Remote Mouse App for Android and iOS

As many as six zero-days have been uncovered in an application called Remote Mouse, allowing a remote attacker to achieve full code execution without any user interaction.

The unpatched flaws, collectively named ‘Mouse Trap,’ were disclosed on Wednesday by security researcher Axel Persinger, who said, “It’s clear that this application is very vulnerable and puts users at risk with bad authentication mechanisms, lack of encryption, and poor default configuration.”

Remote Mouse is a remote control application for Android and iOS that turns mobile phones and tablets into a wireless mouse, keyboard, and trackpad for computers, with support for voice typing, adjusting computer volume, and switching between applications with the help of a Remote Mouse server installed on the machine. The Android app alone has been installed over 10 million times.

In a nutshell, the issues, which were identified by analysing the packets sent from the Android app to its Windows service, could allow an adversary to intercept a user’s hashed password, rendering them susceptible to rainbow table attacks and even replay the commands sent to the computer.

Persinger said he reported the flaws to Remote Mouse on Feb. 6, 2021, but noted he “never received a response from the vendor,” forcing him to publicly reveal the bugs following the 90-day disclosure deadline. We have reached out to the developers of Remote Mouse, and we will update the story if we hear back.

Source — https://thehackernews.com/2021/05/6-unpatched-flaws-disclosed-in-remote.html

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT

--

--