ICT Security-Sécurité PC et Internet
ICT Security + Privacy + Piracy + Data Protection - Censorship - Free courses and information on "Sécurité PC et Internet" for non-commercial use... (FR, EN+DE)...
Curated by Gust MEES
Scooped by Gust MEES

Critical TootRoot bug lets attackers hijack Mastodon servers

Mastodon, the free and open-source decentralized social networking platform, has patched four vulnerabilities, one of them a critical flaw that allows hackers to create arbitrary files on the server using specially crafted media files.

Mastodon has about 8.8 million users spread across 13,000 separate servers (instances) hosted by volunteers to support distinct yet inter-connected (federated) communities.

All four of the fixed issues were discovered by independent auditors at Cure53, a company that provides penetration testing for online services. The auditors inspected Mastodon's code at Mozilla's request.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/social-media-and-its-influence/?&tag=Mastodon

 

 


Twitter alternative: data leak at Mastodon.social

Several Mastodon users were recently informed of a "Security Incident on Mastodon.social", the original server, which is operated by Mastodon gGmbH. According to the notice, a misconfiguration allowed third parties to retrieve all data from files.mastodon.social.

Most of the files stored there are publicly viewable anyway, including profile pictures, custom emojis, images and videos, but not all of them: the data exports requested by users were also stored here, and these contain posts that were not shared publicly.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/social-media-and-its-influence/?&tag=Mastodon

 

 


New Facebook scandal: data of half of all users worldwide surfaces on the darknet #CyberSecurity #Scraping #SocialMedia

Data from more than half of all Facebook users was apparently offered for sale on the darknet. 1.5 billion accounts are said to be affected. The data reportedly consists of information such as email addresses, places of residence and the personal user ID. Passwords are said not to have been included.

This was probably not a hack or any other kind of theft. According to "Privacy Affairs", the data was collected via scraping, a technique that gathers public information and classifies or combines it.

 

 Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Facebook

 


Clubhouse data for 1.3 million users leaks online | #CyberSecurity #SocialMedia #NobodyIsPerfect


Large-scale data leaks have become almost a rite of passage for new social networks. If Clubhouse wasn't part of the, erm, club before, it is now.

Cyber News reported over the weekend that personal data for around 1.3 million users was scraped from the trendy voice chatroom app and posted on a hacker forum. The compromised data included names, handles for other linked social media accounts, and the username of whoever invited said user, as Clubhouse is still in an invite-only stage.

Clubhouse didn't immediately respond to Mashable's request for comment, but the official Clubhouse Twitter account pushed back against the idea that there was a hack, saying the leaked information is already public via the app's API.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Clubhouse

 

https://www.scoop.it/topic/social-media-and-its-influence

 

https://www.scoop.it/topic/securite-pc-et-internet

 

 


LinkedIn: 500 million profile records stolen | #CyberSecurity #DataBreaches

First Facebook, then LinkedIn: security experts report that attackers are offering 500 million profile records for sale.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Two-factor+authentication

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=2FA

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=DATA-BREACHES

 


Data of 533 million Facebook users published | #CyberSecurity #2FA #DataBreaches #NobodyIsPerfect #SocialMedia

Phone numbers and personal data of hundreds of millions of Facebook users were published on Saturday in a forum for hackers, several media outlets report. Although the data is said to be several years old, it poses a risk to those whose details were made public.

The publications are said to include personal information on more than 533 million Facebook users from 106 countries, including more than 32 million records on users in the USA, 11 million on users in the United Kingdom and 6 million on users in India. The records contain phone numbers, Facebook IDs, full names, locations, dates of birth and, in some cases, email addresses.

The data that has now surfaced is said to have been discovered by the cybercrime company Hudson Rock. It could provide criminals with valuable information. It is conceivable, for example, that unauthorized persons use people's personal data to impersonate them.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Two-factor+authentication

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=2FA

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=DATA-BREACHES

 


Check Point Research reveals several vulnerabilities in TikTok | #SocialMedia #CyberSecurity

Check Point® Software Technologies Ltd. has revealed that it discovered several vulnerabilities in TikTok that could have allowed attackers to manipulate content in user accounts and extract confidential personal information stored in those accounts.

The TikTok app is used mainly by teenagers and children to share, record and keep private (and sometimes highly confidential) videos of themselves and their loved ones. The research found that an attacker could send a spoofed SMS containing a malicious link to a user, and that if the user clicked the link, the attacker could take control of the TikTok account and manipulate its content by deleting videos, uploading unauthorized videos and making private or "hidden" videos public.

The research also found that TikTok's subdomain https://ads.tiktok.com was vulnerable to XSS attacks, a type of attack in which malicious scripts are injected into trusted or otherwise benign websites. Check Point researchers exploited this vulnerability to retrieve personal information stored in user accounts, including private email addresses and dates of birth.

Check Point Research informed TikTok's developers of the vulnerabilities exposed in this research, and a fix was responsibly deployed to ensure that users can continue to use the TikTok app safely.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/topic/securite-pc-et-internet

 


How easily Android smartphones can be hijacked via WhatsApp | #CyberSecurity

Thanks to a vulnerability in WhatsApp, attackers can gain remote access to Android smartphones using manipulated GIF image files.

A flaw in the popular messenger WhatsApp is once again causing a stir. The vulnerability affects the processing of GIF files. As the blog Hackernews reports, the problem lies specifically in the Android GIF Drawable library, which is used to display GIF previews.

With a suitably manipulated GIF file, access to the smartphone can be gained unnoticed. The exploit only takes effect once the GIF in question has been opened and the user then wants to send a GIF of their own; the manipulated GIF is then played in the preview.
As a result, the attacker remotely obtains the permissions that the user has granted WhatsApp, which may mean full access to data, chat logs and the camera.

The vulnerability affects WhatsApp version 2.19.230 on Android 8.1 and 9. The hole was closed with the update to version 2.19.244.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://gustmees.wordpress.com/2014/03/05/often-asked-questions-are-there-cyber-security-dangers-with-apps-and-whats-about-privacy/

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Android

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Apps

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=WhatsApp...

 


WordPress sites under attack as hacker group tries to create rogue admin accounts | #CyberSecurity #SocialMedia #Blogs

A hacker group is exploiting vulnerabilities in more than ten WordPress plugins to create rogue admin accounts on WordPress sites across the internet.

The attacks are an escalation of a hacking campaign that started last month. During previous attacks, the hackers exploited vulnerabilities in the same plugins to plant malicious code on the hacked sites. This code was meant to show popup ads or to redirect incoming visitors to other websites.

However, two weeks ago, the group behind these attacks changed its tactics. Mikey Veenstra, a threat analyst with cybersecurity firm Defiant, told ZDNet today that starting with August 20, the hacker group modified the malicious code planted on hacked sites.

Instead of just inserting pop-ups and redirects, the malicious code also ran a function in order to test if the site visitor had the ability to create user accounts on the site, a feature only available for WordPress admin accounts.

 

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=WordPress

 


WhatsApp encryption has security flaws | #CyberSecurity #Encryption

Security experts from Check Point Software Technologies presented three vulnerabilities they discovered in WhatsApp's encryption at the Black Hat security conference in Las Vegas. In researching the vulnerabilities, they developed a tool for which the encryption used by WhatsApp was reconstructed.

The research showed that WhatsApp uses the "protobuf2" protocol for decrypting communication in the messaging module. When the protobuf2 data is converted to JSON, attackers could manipulate it in three ways, as follows:

Using the quote feature in a group conversation to change the identity of the quoted sender, even if that person is not a member of the group.

Altering another participant's reply to put different words in their mouth without it being noticed.

Sending a private message to another group participant that is disguised as a public message. If the target replies, the message is visible to all participants in the conversation.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://gustmees.wordpress.com/2014/03/05/often-asked-questions-are-there-cyber-security-dangers-with-apps-and-whats-about-privacy/

 

http://www.scoop.it/t/securite-pc-et-internet/?&tag=WhatsApp...

 

 


Facebook bug may have made 14m users’ posts public | #SocialMedia #Privacy #BigData


The latest Facebook privacy SNAFU (Situation Normal, All Facebooked Up) is a bug that changed settings on some accounts, automatically suggesting that their updates be posted publicly, even though users had previously set their updates as “private”.

On Thursday, Facebook asked 14 million users to review posts made between 18 May and 22 May: that’s when the bug was changing account settings. Not all of the 14 million users affected by the bug necessarily had their information publicly, mistakenly shared, but best to check.

Facebook Chief Privacy Officer Erin Egan said in a post that as of Thursday, the company had started letting those 14 million people know about the situation. She stressed that the bug didn’t affect anything people had posted before that time, and even then, they could still have chosen their audience like they always have.

Normally, the audience selector is supposed to be sticky: every time you share something, you get to choose who sees it, and the suggestion is supposed to be based on who you shared stuff with the last time you posted. Friends only? Fine, that’s what should be automatically suggested for the next post, and the one after that, until you change it… or a weird little glitch like this pops up.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Facebook

 


User tracking: Facebook Login passes user data to third parties | #Privacy #BigData

Since the Cambridge Analytica scandal at the latest, many people have been skeptical of Facebook. As researchers have now found, third-party scripts can track a visitor's Facebook identity when "Login with Facebook" is used.

When an internet user uses the "Login with Facebook" feature on a website, they may give the website they are on access to their public Facebook account. Researchers at Princeton University in the USA now warn that third-party scripts embedded on that website also have access to this data. According to the researchers, trackers collect website visitors' information this way, in most cases probably without the affected website being aware of it. They found such scripts on 434 of the one million most-visited sites on the web.

Most of the third-party scripts query the Facebook name and email address of the visitor who logs in to the site via Facebook. Although the ID that the scripts capture is initially limited to the login routine of the visited website, the researchers show that it can be used to extract the visitor's public Facebook information. This includes their Facebook name and profile picture.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Facebook

 

https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/

 


Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others | #CyberSecurity #SocialMedia #Privacy #BigData


A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent.

Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.

But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents.

The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/

 

 

Tootroot: Mastodon instances could be hijacked through specially crafted toots - Golem.de

The developers of the open-source software behind the social network Mastodon recently released a security update for the up-and-coming Twitter alternative. With it they fixed a total of five vulnerabilities, one of which allowed hackers to hijack entire Mastodon instances. On GitHub, the description of the vulnerability registered as CVE-2023-36460 says that it allows "attackers to create and overwrite any file that Mastodon has access to". This could enable, for example, denial-of-service attacks or arbitrary remote code execution (RCE).

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/social-media-and-its-influence/?&tag=Mastodon

 

 


Twitter confirms zero-day used to expose data of 5.4 million accounts | #CyberSecurity #Socialmedia

Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users' accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.

Last month, BleepingComputer spoke to a threat actor who said that they were able to create a list of 5.4 million Twitter account profiles using a vulnerability on the social media site.

This vulnerability allowed anyone to submit an email address or phone number, verify if it was associated with a Twitter account, and retrieve the associated account ID. The threat actor then used this ID to scrape the public information for the account.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Two-factor+authentication

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Twitter

 


Clubhouse: 3.8 billion phone numbers are being sold on the darknet - Golem.de

The phone numbers and contacts of all Clubhouse accounts are apparently being offered on the darknet. Numbers are ranked by their importance.

Clubhouse does not appear to be all that well secured.
(Image: Pixabay.com/Montage: Golem.de/Pixabay License)

Apparently an attacker was able to gain access to all phone numbers that registered with the Clubhouse app. In addition, he or she claims to have obtained the stored contacts of all 10 million users. The data set comprises a total of 3.8 billion phone numbers, including landline, private, business and mobile numbers. This was reported by security researcher Marc Ruef on Twitter.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Clubhouse

 

https://www.scoop.it/topic/social-media-and-its-influence

 

https://www.scoop.it/topic/securite-pc-et-internet

 


Data of 1.3 Million Clubhouse Users Leaked Online: Report | #CyberSecurity #NobodyIsPerfect


The personal data of 1.3 million Clubhouse users has leaked online on a popular hacker forum, according to a Saturday report from Cyber News.

The leaked data of Clubhouse users includes names, social media profile names, and other details.

Clubhouse did not immediately respond to Insider's request for comment that was made on Saturday. As Cyber News reported, the exposed data could enable bad actors to target users through phishing schemes or identity theft.

The invite-only social media app launched in March 2020 and has grown into a popular platform and attracted millions of users. Its audio community allows users to tune into conversations, or "rooms," about various topics. The company is reportedly in talks for a funding round that values the company at $4 billion.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Clubhouse

 

https://www.scoop.it/topic/social-media-and-its-influence

 

https://www.scoop.it/topic/securite-pc-et-internet

 

 


Facebook data on 533 million users posted online | #CyberSecurity #DataBreaches #2FA #SocialMedia

Data of 553 million Facebook users including phone numbers, Facebook IDs, full names, birth dates and other information have been posted online.

The data dump was Tweeted by Alon Gal, CTO of security firm Hudson Rock. Gal posted a list of affected users by country. According to his list, the US had 32.3 million affected users and UK had 11.5 million. The data was accessed via a Telegram bot.

Other data points in the posting included gender, location and job status. Catalin Cimpanu, at The Record, also reported that he reviewed samples of the leaked data.

The data is reportedly broken up into download packages by country.

With the Facebook data out in the public it's safe to expect it to be used for cybercrime.  

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Two-factor+authentication

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=2FA

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=DATA-BREACHES

 


Twitter says an attacker used its API to match usernames to phone numbers | #CyberSecurity #SocialMedia #2FA

In a statement published today, Twitter disclosed a security incident during which third parties exploited the company's official API (Application Programming Interface) to match phone numbers with Twitter usernames.

In an email seeking clarifications about the incident, Twitter told ZDNet that they became aware of exploitation attempts against this API feature on December 24, 2019, following a report from tech news site TechCrunch. The report detailed the efforts of a security researcher who abused a Twitter API feature to match 17 million phone numbers to public usernames.

Twitter says that following this report it intervened and immediately suspended a large network of fake accounts that had been used to query its API and match phone numbers to Twitter usernames.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Two-factor+authentication

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Twitter

 

 


267M Facebook Users’ Phone Numbers Exposed Online | Threatpost | #CyberSecurity #DataBreaches

Researchers believe that criminals were able to obtain personal information for millions of Facebook users.

A database exposing the names, phone numbers and Facebook user IDs of millions of platform users was left unsecured on the web for nearly two weeks before it was removed.

Security researcher Bob Diachenko, who along with Comparitech discovered the unsecured Elasticsearch database, believes it belongs to a cybercriminal organization, as opposed to Facebook. Diachenko went to the internet service provider (ISP) managing the IP address of the server so that the access could be removed.

“A database this big is likely to be used for phishing and spam, particularly via SMS,” according to the Thursday report. “Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages.”

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Facebook

 

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=DATA-BREACHES

 


Phone numbers of 419 million Facebook users found online in exposed database | #CyberSecurity #DataBreaches #SocialMedia


Millions of phone numbers associated with Facebook users have been found online in an unsecured database.

The database contained the phone numbers of more than 419 million Facebook users from across the world and included the real name, country and gender for many users.

The records leaked included 133 million records on Facebook users from the US, 18 million records associated with UK users - which will invite an investigation by the Information Commissioner's Office (ICO) under GDPR - and another 50 million records on users in Vietnam.

No password was used to protect the exposed server. TechCrunch said it verified some of the phone numbers existing in the database by matching known Facebook users' phone number against their listed Facebook ID.

The database was spotted by Sanyam Jain, a security researcher and a member of the GDI foundation, according to TechCrunch. 

 

 Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Facebook

 

 

Instagram Security Warning: Millions At Risk From ‘Believable’ New Phishing Attack | #CyberSecurity


Security researchers at Sophos have warned of a new phishing campaign targeting Instagram users. And this is a phishing campaign with a devious twist. The attackers mock up what's intended to look like two-factor authentication (2FA) in an attempt to appear legitimate. But it's obviously not 2FA. It's a standard attempt to steal login credentials, to amass usernames and passwords.

The initial phishing attack emails include what looks like a 2FA code. The user is instructed to enter the code when they log in to prove their identity. The premise of the attack is that there has been an unauthorized login. The login warning, the email and of course the 2FA code are completely fake—the code just a clever twist to suggest some form of security. The whole thing is spurious, but people will be tricked.

The email link takes users to a fake Instagram login page, described by Sophos as "much more believable" than many of the standard email phishing campaigns uncovered. "We don't like to admit it," the research team reports, "but the crooks thought this one through."

 

Learn more / En savoir plus / Mehr erfahren:

 

http://www.scoop.it/t/securite-pc-et-internet/?&tag=Instagram

 


Instagram website leaked phone numbers and emails for months, researcher says | #CyberSecurity #DataBreaches


Instagram's website leaked user contact information, including phone numbers and email addresses, over a period of at least four months, a researcher says.

The source code for some Instagram user profiles included the account holder's contact information whenever it loaded in a web browser, says David Stier, a data scientist and business consultant, who notified Instagram shortly after he discovered the problem earlier this year. The contact information wasn't displayed on the account holder's profiles on the desktop version of the Instagram website, although it was used by the photo sharing site's app for communication. It isn't clear why the information was included in the website's source code.

 

Learn more / En savoir plus / Mehr erfahren:

 

http://www.scoop.it/t/securite-pc-et-internet/?&tag=Instagram

 

Eric Bouttier's curator insight, May 30, 2019 5:58 AM
The Instagram website leaked phone numbers and emails for months, according to an internet security researcher.

Twitter says bug exposed user plaintext passwords | #CyberSecurity #CyberHygiene #PasswordDay


Twitter has admitted that user passwords were briefly stored in plaintext and may have been exposed to the company's internal tools.

In a blog post, the microblogging site urged users to change their passwords.

"When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log," said Twitter in a statement.

Twitter didn't say how many accounts were affected, but Reuters reports -- citing a source -- that the number of affected users was "substantial" and that passwords were exposed for "several months."

It's unclear exactly why user passwords were stored in plaintext before they were hashed. Twitter said that it stores user passwords with bcrypt, a stronger password hashing algorithm, but a bug meant that passwords were "written to an internal log before completing the hashing process."

The company said it fixed the bug and that an investigation "shows no indication of breach or misuse" by anyone.

A spokesperson for Twitter reiterated that the bug "is related to our internal systems only," but it did not comment further.

"Since this is not a breach and our investigation has shown no signs of misuse, we are not forcing a password reset but are presenting the information for people to make an informed decision about their account," said the spokesperson. "We believe this is the right thing to do."

The company had 330 million users at its fourth-quarter earnings in February.


Twitter is the second company to admit a password-related bug this week.

GitHub on Tuesday said it also exposed some users' plaintext passwords after they were written to an internal logging system.

It's not known if the two incidents are related, and a Twitter spokesperson would not comment in a follow-up email.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet?page=2&tag=Passwords

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Password+Managers

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Twitter

 


LinkedIn bug allowed data to be stolen from user profiles | #CyberSecurity #SocialMedia

Private profile data — like phone numbers and email addresses — could have been easily collected.

A bug in how LinkedIn autofills data on other websites could have allowed an attacker to silently steal user profile data.

The flaw was found in LinkedIn's widely used AutoFill plugin, which allows approved third-party websites to let LinkedIn members automatically fill in basic information from their profile -- such as their name, email address, location, and where they work -- as a quick way to sign up to the site or to receive email newsletters.

LinkedIn only allows whitelisted domains to have this functionality, and LinkedIn has to approve each new domain. Right now, there are dozens of sites in the top 10,000 websites ranked by Alexa that have been whitelisted by LinkedIn, including Twitter, Microsoft, LinkedIn, and more.

That means any of those websites can retrieve this profile data from users without their approval.

But if any of the sites contains a cross-site scripting (XSS) flaw -- which lets an attacker run malicious code on a website -- an attacker can piggy-back off that whitelisted domain to obtain data from LinkedIn.

And it turns out that at least one of them did.

 

Learn more / En savoir plus / Mehr erfahren:

 

https://www.scoop.it/t/securite-pc-et-internet/?&tag=LinkedIn

 
