Imagine you’re stranded on a desert island with nothing but a volleyball named Wilson, and a FedEx package washes up on the beach full of leaked user credentials…
GOT(IT) #20, going steady! We continue the weekly recaps with news confirming that the biggest driver of account break-ins isn’t just bad passwords, but leaky databases. Plus, it’s time to give some credit to the security research initiatives that keep saving us trouble by finding vulnerabilities before attackers do.
|Skype’s Major Exploit Requires Rewrite|
A vulnerability that could give attackers full control over a host machine has been found in Microsoft’s popular Skype app. Discovered by security researcher Stefan Kanthak, the flaw resides in the app’s installer, which is susceptible to DLL hijacking.
In a nutshell, the attack abuses the order in which Windows searches for DLLs: the attacker drops a malicious DLL into the temporary folder the installer runs from, giving it the name of a library the installer expects, so the installer loads the attacker’s code instead of the real library. The worst part? Planting that DLL requires no special user privileges, yet the code it carries runs with whatever rights the installer has.
Fixing Kanthak’s discovery would require such extensive changes to Skype’s code that Microsoft won’t release a patch anytime soon. Instead, the company will address the flaw in a new version of the app. Meanwhile, be mindful of what you download and run.
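The practical question behind this story is which directories on your machine a process might load a DLL from that a low-privilege user can write to. The script below is an added example (not from the original post, and not Skype’s or Kanthak’s code): it takes a candidate set of directories (the user’s TEMP, the system-wide Temp folder and every PATH entry, which is an assumption about where installers and launchers tend to run from) and flags any that grant write access to Everyone, Users, Authenticated Users or INTERACTIVE. Those are exactly the places where a planted DLL could be picked up by a more privileged process.

```powershell
# Added example: flag directories in a DLL-search-relevant set that
# low-privilege principals can write to. Assumed candidate set: %TEMP%,
# %SystemRoot%\Temp and each PATH entry.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a principal drop a new file into the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path } catch { return $false }

    foreach ($ace in $acl.Access) {
        # Only Allow entries matter here; Deny entries are not evaluated (see note below).
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# Build the candidate list, dropping empty PATH entries and duplicates.
$candidates = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) +
              ($env:Path -split ';' | Where-Object { $_ -and $_.Trim() })

$candidates | Sort-Object -Unique | ForEach-Object {
    [PSCustomObject]@{
        Directory       = $_
        LowPrivWritable = Test-LowPrivWritable -Path $_
    }
} | Format-Table -AutoSize
```

Two caveats: the check only looks at Allow entries, so a Deny entry that overrides a broad Allow is missed, and it matches principals by name rather than resolving group membership, so a custom group that happens to contain every user won’t be caught. A writable directory is only half the story; the other half is whether a privileged process actually loads a library from there, which is the part that made the Skype installer exploitable.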
|Hack the Air Force 2.0 Discovers Over 100 Vulnerabilities|
Bug bounty programs are great for researchers, and even greater for the organizations that save themselves a lot of headaches by challenging experts to hunt for vulnerabilities. This time, the 20-day ‘Hack the Air Force 2.0’ competition resulted in over 100 reported and fixed vulnerabilities.
The initiative, run by HackerOne (the company behind Hack the Pentagon and Hack the Army), has already accounted for over 3,000 vulnerabilities in total, and delivered $103,883 in payouts to this event’s participants.
Crowd-sourced bug hunting events of this kind have proven their worth by aiding the U.S. Department of Defense numerous times. Air Force CISO Peter Kim said, “this reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come.”
|FedEx’s Unsecured Server Exposes Client Data|
Earlier this month, security firm Kromtech discovered and reported an unsecured FedEx server holding more than 119,000 documents belonging to U.S. and international customers. The files, stored in an Amazon S3 bucket, included passports, driving licenses and ID cards.
FedEx stated that part of this data has been located and secured, and that it has seen no indication of malicious use. What hasn’t been detailed is the scope of that recovery and what remains exposed. Leaks of this kind of information tend to have a long-term impact: unlike passwords, identity documents can’t be rotated, and attackers don’t necessarily use the data right away.
The server belonged to Bongo International, a FedEx-owned company that calculated international shipping costs and delivery rates, a service FedEx discontinued some time ago.
Let’s see how quickly they can build Skype’s new version! It’s never good news to learn that you’ll have to wait a long time for a security fix.