Application Security Weekly Review, Week 4 2019
A mysterious attack on the PHP PEAR website, the hack of a popular WordPress plugin maker, and privacy risks in top free VPN Android apps.
Friday has rolled around again and it's time to take a quick look at some of the most significant cybersecurity headlines of this week. In our Weekly Roundup we have compiled a list of the most important events, including the mysterious hack of the PHP PEAR website, the hack of a popular WordPress plugin maker, and privacy risks in top free VPN Android apps.
Backdoor in PHP PEAR package manager
The official website of PEAR (pear.php.net) was taken down after the PEAR team found that someone had replaced the original PHP PEAR package manager (go-pear.phar) with a backdoored version. According to the developers, the installation file contaminated with the malicious code had been available for download for at least half a year.
At the moment the exact purpose of the backdoor is unknown, as the maintainers at PEAR are still analyzing the malicious package and trying to pinpoint the vulnerability that was exploited to plant the tainted version of the original package.
Meanwhile the PHP PEAR team has released a "clean" version, PEAR v1.10.10, that webmasters can install without fear of downloading a potentially backdoored release. Since the PEAR developers have not disclosed any details about the security incident, it is still unclear who is responsible for the hack.
Former employee blamed for the hack of popular WordPress plugin
The developers of WPML, a popular WordPress language and translation plugin, had to rebuild their web server from scratch after someone defaced the WPML website and sent out a mass warning email to customers, claiming that the plugin's code contained a number of unpatched flaws that could lead to the compromise of websites. The WPML team disputed these claims, saying that the hacker is a former employee who left a backdoor on its official website and later used it to gain access to its server and its customer database.
Officials at WPML stressed that the hacker did not get access to customers' financial information or to the source code of the plugin, but said that the intruder might have had access to user accounts at WPML.org as a result of compromising the site's database.
Nearly 200 Chrome, Firefox, and Opera extensions are vulnerable to attacks from malicious sites
Web applications can exploit browser extension APIs to execute code inside the browser and steal sensitive information such as bookmarks, browsing history or user cookies. According to the French researcher Dolière Francis Somé, the same extension APIs can also be used to trigger the download of arbitrary files and store them on the user's device, to store and retrieve data in an extension's permanent storage, and to execute arbitrary code in the context of extensions (with the same privileges).
Using a tool he created, Somé tested more than 78,000 Chrome, Firefox, and Opera extensions and found that 197 of them (171 for Chrome, 16 for Firefox, and 10 for Opera) exposed API communication interfaces to web applications, allowing malicious websites to gain access to the data stored inside a user's browser.
The researcher reported his findings to Google, Mozilla, and Opera, and all three vendors acknowledged the issues. Mozilla removed all vulnerable extensions, Opera has also removed 8 out of the 10 reported extensions, and Google is still considering the course of action: whether to remove all the extensions or to fix them.
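The exposure described above usually comes from a content script that relays window messages from the page to the extension's privileged background page without checking who sent them. The snippet below is an added illustration, not code from the article or from Somé's research: it puts the unsafe relay beside a hardened one that checks the message source, an origin allowlist and an action allowlist before forwarding. The names (safeBridge, unsafeBridge, ALLOWED_ORIGINS, ALLOWED_ACTIONS), the sample origins and the sample events are all constructed for the example, and the browser APIs (window.addEventListener, chrome.runtime.sendMessage) are replaced by plain function parameters so it runs under Node.

```javascript
// Added example (not from the article): simulated content-script message bridge.
// Browser APIs are replaced by plain function parameters so the logic runs under Node.

// Constructed allowlists: the one site this hypothetical extension is meant to serve,
// and the only message types its background page is willing to act on.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_ACTIONS = new Set(['getSettings', 'saveNote']);

// Unsafe pattern: every window message is relayed to the privileged background
// page untouched, so any page (or any script running on it) can drive the extension.
function unsafeBridge(event, forward) {
  forward(event.data);
  return { forwarded: true, reason: null };
}

// Hardened pattern: relay only well-formed, allowlisted actions that come from the
// expected top-level window and origin, and pass on only the fields we expect.
function safeBridge(event, forward, pageWindow) {
  if (event.source !== pageWindow) {
    return { forwarded: false, reason: 'source' }; // e.g. posted from an iframe
  }
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { forwarded: false, reason: 'origin' };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== 'object' || typeof msg.action !== 'string') {
    return { forwarded: false, reason: 'shape' };
  }
  if (!ALLOWED_ACTIONS.has(msg.action)) {
    return { forwarded: false, reason: 'action' };
  }
  // Rebuild the message so unexpected extra fields never reach the background page.
  forward({ action: msg.action, payload: msg.payload === undefined ? null : msg.payload });
  return { forwarded: true, reason: null };
}

// Constructed sample events standing in for MessageEvent objects:
// one legitimate request, then four that the hardened bridge must refuse.
function sampleEvents(pageWindow) {
  return [
    { source: pageWindow, origin: 'https://app.example.com', data: { action: 'getSettings' } },
    { source: pageWindow, origin: 'https://attacker.example', data: { action: 'getSettings' } },
    { source: {}, origin: 'https://app.example.com', data: { action: 'getSettings' } },
    { source: pageWindow, origin: 'https://app.example.com', data: { action: 'downloadFile' } },
    { source: pageWindow, origin: 'https://app.example.com', data: 'getSettings' },
  ];
}

// Run both bridges over the sample events and report what reached the background page.
function simulate() {
  const pageWindow = {};
  const events = sampleEvents(pageWindow);
  const unsafeLog = [];
  const safeLog = [];
  events.forEach((e) => unsafeBridge(e, (m) => unsafeLog.push(m)));
  const results = events.map((e) => safeBridge(e, (m) => safeLog.push(m), pageWindow));
  return { results, unsafeLog, safeLog };
}

const outcome = simulate();
console.log(`unsafe bridge relayed ${outcome.unsafeLog.length} of ${outcome.results.length} messages`);
console.log(`safe bridge relayed ${outcome.safeLog.length}:`, outcome.results.map((r) => r.reason || 'ok'));
```

Two caveats worth keeping in mind when applying this pattern. The origin check only tells the extension which site the message came from; any third-party script loaded by that site posts with the same origin, so the action allowlist and a least-privilege background handler do most of the real work. For Chrome extensions that accept messages directly through chrome.runtime.sendMessage rather than through a content script, the manifest's externally_connectable key is the place to restrict which sites may connect at all.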
User privacy failures found in top free VPN Android apps
A majority of web and smartphone users rely on free VPN services to ensure privacy while surfing the web, but that might be a dangerous step, as a recent analysis has shown. Researchers from Top10VPN examined 150 popular free VPN Android apps available in the Google Play Store and found that nearly 90% of them were capable of compromising the security and privacy of web users in various ways.
For example, one in five free VPN apps tested contained malware, 25% of apps were affected by a DNS leak security issue, and many apps requested intrusive permissions, such as location tracking (25% of apps), access to device status information (38%) or use of the camera and microphone. More than 50% of apps contained code to get a user's last known location. Although the researchers did not test the premium versions of the apps, they believe that the majority of the key privacy issues (leaks, intrusive permissions and risky code functions) will be present there too.
Bomb threat, sextortion spammers abused weakness at GoDaddy.com
At the end of last year the United States, Canada and some other countries were hit by a massive spam email campaign that threatened to blow up buildings and schools unless recipients paid a $20,000 ransom. It provoked mass evacuations and disrupted operations in hundreds of organizations. According to an analysis conducted by independent researcher Ronald Guilmette, the campaign was made possible by a weakness at GoDaddy.com that allowed the scammers to hijack at least 78 domains belonging to Expedia, Mozilla, Yelp, and other legitimate people or organizations.
The expert warns that this same weakness also affects many other major Internet service providers and is actively being exploited to launch phishing and malware attacks that leverage dormant website names currently owned and controlled by some of the world's most trusted companies and brands.
Research shows that in recent years a person or group had hijacked almost 4,000 domains belonging to hundreds of people, companies or organizations, including Facebook, MasterCard International, Hilton International, ING Bank, Dignity Health, the Church of Scientology, Warner Bros. Entertainment, the Massachusetts Institute of Technology, McDonald's Corporation, and the certificate authority DigiCert.