Application Security Weekly Review, Week 2, March 2019
New WordPress bug, enterprise data exposure via misconfigured Box Enterprise accounts, massive mobile adware and data stealing campaigns aimed at Android users, and more.
Here’s our latest review of the most interesting and troubling events in cybersecurity. This week’s roundup includes a new WordPress bug, enterprise data exposure via misconfigured Box Enterprise accounts, massive mobile adware and data stealing campaigns aimed at Android users, and more.
New WordPress flaw could lead to remote execution attacks
The WordPress team patched a serious flaw in the CMS's core that could let unauthenticated remote attackers compromise websites. The bug stems from a cross-site scripting (XSS) issue in the WordPress comment section (one of the CMS's main components, enabled by default) and affects all supported WordPress versions prior to 5.1.1.
An attacker could take advantage of this flaw to permanently store an XSS payload on the website and have it execute in the administrator's browser. This could lead to a complete website takeover.
WordPress websites are a common target for malicious actors, who use any available means to compromise them. For example, researchers recently spotted a wave of attacks on e-commerce WordPress sites using the shopping cart plugin Abandoned Cart Lite for WooCommerce. Hackers abused a vulnerability in the plugin to plant backdoors and take over the vulnerable web applications. According to the official WordPress Plugins repository, the plugin is installed on 20,000+ WordPress websites.
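Stored XSS in comments is dangerous precisely because comment bodies are written by anonymous visitors but later rendered in the administrator's browser. The Python below is an added example, not WordPress code: it places the vulnerable pattern (inserting the stored body verbatim) beside an allowlist sanitizer applied at output time, the same general approach WordPress takes with its wp_kses filter. The tag allowlist, the sample comment and the function names are chosen for this example.

```python
import html
from html.parser import HTMLParser

# Allowlist for comment markup (a policy chosen for this example, not WordPress's).
ALLOWED_TAGS = {"b", "i", "em", "strong", "code"}
ALLOWED_LINK_SCHEMES = ("http://", "https://")


def render_comment_unsafe(body: str) -> str:
    """Vulnerable pattern: the stored comment body is inserted into the page verbatim,
    so any markup a commenter stored runs in the browser of whoever views it."""
    return f'<div class="comment">{body}</div>'


class _CommentSanitizer(HTMLParser):
    """Rebuilds the comment from scratch, keeping only allowlisted tags and http(s)
    links; everything else is either escaped as text or dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            # attributes on allowlisted tags are discarded (no onclick=, style=, ...)
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)
        elif tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            if href.lower().startswith(ALLOWED_LINK_SCHEMES):
                # re-escape the attribute value so a quote cannot break out of it
                self.out.append(f'<a href="{html.escape(href, quote=True)}" rel="nofollow">')
                self.open_tags.append("a")
            # links with any other scheme (javascript:, data:, ...) are dropped
        # every other tag (script, img, iframe, svg, ...) is dropped

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # close back to the matching tag so the output nesting stays well formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # text (including the body of a dropped <script> tag) becomes inert escaped text
        self.out.append(html.escape(data))


def sanitize_comment(body: str) -> str:
    parser = _CommentSanitizer()
    parser.feed(body)
    parser.close()
    # close whatever the commenter left open so markup cannot leak past the comment
    while parser.open_tags:
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


def render_comment_safe(body: str) -> str:
    """Hardened pattern: sanitize at output time, every time, whoever stored the body."""
    return f'<div class="comment">{sanitize_comment(body)}</div>'


if __name__ == "__main__":
    # constructed sample comment for the demo, not a payload from the WordPress bug
    sample = ('<b>Nice post</b> <a href="javascript:alert(1)">click</a>'
              '<script>alert(document.cookie)</script>')
    print(render_comment_unsafe(sample))
    print(render_comment_safe(sample))
```

The sanitizer rebuilds markup rather than trying to strip dangerous pieces out of the original string, which is what makes it robust: anything not explicitly allowed cannot reach the output, attribute values are re-escaped, and tags left open by the commenter are closed so they cannot swallow the rest of the admin page.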
Misconfigured Enterprise Box accounts leak sensitive internal data
Some of the world's biggest companies that use the popular cloud storage service Box to share files and folders inadvertently exposed large amounts of their internal data via misconfigured Box Enterprise accounts. The issue was brought to attention by the cybersecurity firm Adversis, which discovered that links to sensitive corporate and customer data could easily be guessed by brute-forcing them.
The researchers found a trove of sensitive data, including hundreds of passport photos, social security and bank account numbers, high-profile technology prototype and design files, employee lists, financial data, invoices, internal issue trackers, VPN configurations, etc.
Among dozens of companies that exposed internal documents are Apple, Amadeus, the Discovery Channel, Herbalife, and even Box itself.
Only one in three Android antivirus apps provides sufficient protection
Two thirds of the Android antivirus apps available through the Google Play Store are ineffective or unreliable, according to the results of extensive research carried out by the independent testing lab AV-Comparatives.
AV-Comparatives tested 250 security solutions found on the Play Store against the 2,000 most common Android malware threats of 2018 and 100 clean, popular apps.
The research showed that only 80 of the 250 tested security apps detected more than 30% of the malicious samples with no false positives, and only 50 achieved a detection rate between 90% and 100%. More than two thirds of the apps did not even reach a 30% block rate, and it appears that the main purpose of most of the tested antivirus solutions is to bring easy revenue to their developers rather than to protect their users.
Two massive mobile adware and data stealing campaigns uncovered
Researchers from the cybersecurity outfit Check Point uncovered two malicious campaigns, dubbed SimBad and Operation Sheep, targeting Android users. In the first case, malicious actors infected more than 200 apps available in the Google Play Store with malicious advertising code named SimBad, which could cause a mobile device to show ads outside the app, direct users to websites and app store links, and download new apps.
The adware, masquerading as an advertising kit named RXDrioder, was found in 210 Android apps with nearly 150 million downloads combined. Most of the offending apps were simulator games.
In the second case, the researchers discovered 12 Android applications that were stealing contact information from mobile devices. The malicious code was hidden inside a data analytics Software Development Kit (SDK). According to Check Point, the malicious apps have been downloaded more than 111 million times. The researchers note that this is the first campaign seen leveraging the Man-in-the-Disk attack, which exploits a weakness in Android's handling of external storage to inject malicious code.
GoDaddy, Apple and Google misissue more than 1 million certificates
An operational error by major certificate authorities including Apple, Google, and GoDaddy led to the issuance of at least one million digital certificates that do not comply with industry standards. The issue stems from the companies' misconfiguration of the open source EJBCA software package that many certificate authorities use to generate certificates. As a result, the CAs misissued a large number of TLS certificates with 63-bit serial numbers instead of the 64 bits required by industry standards.
This problem does not pose a direct security threat to internet users, but it could bring a lot of pain to site owners and organizations, because the impact of replacing large numbers of certificates could be substantial.
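The 63-bit problem is an interaction between the CA/Browser Forum Baseline Requirements (a positive serial number carrying at least 64 bits of CSPRNG output, encoded in at most 20 octets) and DER's two's-complement INTEGER encoding: if a generator takes exactly 64 random bits and clears the top one to keep the value positive, only 63 random bits remain. The Python below is an added example, not EJBCA's code or any CA's tooling. It contrasts an assumed reconstruction of that pattern with a compliant generator, and shows the population check a defender can run over a CA's issued serials, since the lost bit cannot be seen in any single certificate. The function names and the fixed 0x01 prefix are this example's own choices.

```python
import secrets
from collections.abc import Callable

# Baseline Requirements: positive integer, at least 64 bits of CSPRNG output,
# at most 20 octets on the wire.
REQUIRED_RANDOM_BITS = 64
MAX_SERIAL_OCTETS = 20


def flawed_serial(randbits: Callable[[int], int] = secrets.randbits) -> int:
    """Assumed reconstruction (not EJBCA's code) of how 64 requested bits become 63:
    draw 64 random bits, then clear the top bit so the value stays positive."""
    return randbits(64) & ((1 << 63) - 1)


def compliant_serial(randbits: Callable[[int], int] = secrets.randbits) -> int:
    """Keep all 64 random bits and guarantee positivity with a fixed leading 0x01
    octet (9 octets on the wire, well within the 20-octet limit)."""
    return (1 << 64) | randbits(64)


def der_integer_content(value: int) -> bytes:
    """Minimal DER INTEGER content octets for a positive integer. DER integers are
    two's complement, so a value whose top bit would be set needs an extra leading
    0x00 octet; this is the constraint that tempts a generator into dropping a bit."""
    if value <= 0:
        raise ValueError("certificate serial numbers must be positive")
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def lint_serial(value: int) -> list[str]:
    """Checks that can be made on a single certificate: sign and encoded length.
    Entropy cannot be judged from one serial, so it is deliberately not checked here."""
    if value <= 0:
        return ["serial is not a positive integer"]
    problems = []
    if len(der_integer_content(value)) > MAX_SERIAL_OCTETS:
        problems.append("serial is longer than 20 octets")
    return problems


def suspect_lost_bit(serials, random_bits: int = REQUIRED_RANDOM_BITS) -> bool:
    """Population heuristic: a field that really carries `random_bits` bits of CSPRNG
    output has its top bit set in about half of all serials. If that bit is never set
    across a sizeable sample from one CA, the generator is shedding a bit. Assumes the
    random field occupies the low `random_bits` bits, as in the two generators above."""
    if len(serials) < 64:
        raise ValueError("sample too small to draw a conclusion")
    top_bit = 1 << (random_bits - 1)
    return not any(s & top_bit for s in serials)


if __name__ == "__main__":
    # constructed samples: 1000 serials from each generator, not real CA output
    bad = [flawed_serial() for _ in range(1000)]
    good = [compliant_serial() for _ in range(1000)]
    print("flawed generator suspected of losing a bit:", suspect_lost_bit(bad))
    print("compliant generator suspected of losing a bit:", suspect_lost_bit(good))
    print("example compliant serial (DER content octets):", der_integer_content(good[0]).hex())
```

The per-certificate lint catches only sign and length problems; the entropy defect shows up only statistically, which is why it took so long to notice across so many CAs. Running the population check over the serials in a CA's CT-logged certificates is the practical way to detect it.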