Facebook tackles developer databases leaking at least one million user records

February 16, 2019
in Internet Security
Facebook has tackled two serious security issues disclosed through the social networking giant’s bug bounty programs including an external data leak potentially impacting over one million users.

In light of the Cambridge Analytica scandal, in April 2018, the company expanded its bug bounty scope to include the misuse of user data by developers.

The program, known as the Data Abuse Bounty scheme, received a report from Nightwatch Security researcher Yakov Shafranovich which detailed how a third-party Android application with Facebook API access was copying and storing data outside of the social network in an insecure manner.

Disclosed this week, the security failure was first discovered in September 2018. 

The Android application, available in the Google Play store, described itself as a way to provide “additional functionality to Facebook users that are not available through the platform,” and has been downloaded over one million times. 

While it is not known how many users have been impacted, it is known that the application accessed user data through the Facebook API and copied this information to a Firebase database and API server without any authentication or HTTPS protections in place.

“This would allow an attacker to mass-download the user data accumulated by the application from its users,” Nightwatch Security says. “We do not know for sure how many users have been impacted or exposed, but one of the databases accessed contained over 1,000,000 records.”

The Facebook app associated with the insecure software has been removed, but the Android app is still available.

The data leak was reported through the Facebook Data Abuse Bounty program in September, leading to the insecure storage systems becoming protected in November. Under the rules of the program a bug bounty payout was issued, and while the figure has not been disclosed, Facebook offers payouts of up to $40,000 for valid reports. 

This is not the only security issue Facebook has tackled in recent months. Earlier this week, a bug hunter who goes under the name Samm0uda disclosed a CSRF protection bypass vulnerability uncovered in the main Facebook website domain.

“This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook which could lead to a takeover of victims accounts,” the researcher said. “In order for this attack to be effective, an attacker would have to trick the target into clicking on a link.”

The vulnerable endpoint was facebook.com/comet/dialog_DONOTUSE/?url=XXXX, where XXXX is the endpoint to which the POST request would be made. The CSRF token, fb_dtsg, is automatically added to the request body, so if a user is made to visit a crafted URL, for example through a malicious app, an attacker can use that token to hijack account actions.

“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter,” Samm0uda added. “Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL.”
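To show the defensive point behind the researcher's description, here is an added example (not code from the article or from Facebook) that models a token-adding relay endpoint beside a hardened version; the handler names, target paths and token value are hypothetical.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed model of a "dialog" relay endpoint like the one described above:
# a request with ?url=<target> makes the server issue a POST to <target> with
# the session's anti-CSRF token (fb_dtsg in the article) added to the body.
# Endpoint names, paths and the token value are hypothetical.
CSRF_PARAM = "fb_dtsg"


def relay_vulnerable(query: str, csrf_token: str) -> dict:
    """Vulnerable pattern: any caller-chosen path, parameters included,
    becomes a token-bearing POST, so one crafted link performs the action."""
    target = parse_qs(query).get("url", [""])[0]
    return {"method": "POST", "target": target, "body": {CSRF_PARAM: csrf_token}}


# Hardened: only a fixed set of dialog handlers may be reached, the path must
# match exactly (no caller-supplied query string, no absolute URL), and the
# relay happens only when the user submits the dialog (a POST), never on the
# initial GET that a link click produces.
ALLOWED_TARGETS = frozenset({"/dialog/share", "/dialog/feed"})


def relay_hardened(method: str, query: str, csrf_token: str) -> Optional[dict]:
    """Return the relayed request, or None when nothing is relayed
    (the dialog is merely rendered, or the request is refused)."""
    if method != "POST":
        return None  # a GET only renders the dialog; it changes no state
    target = parse_qs(query).get("url", [""])[0]
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return None  # absolute or protocol-relative URL could leave the site
    if parts.query or parts.fragment or parts.path not in ALLOWED_TARGETS:
        return None  # unknown handler or caller-controlled parameters
    return {"method": "POST", "target": parts.path, "body": {CSRF_PARAM: csrf_token}}
```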

While testing the security flaw, the researcher found that he was able to publish posts on timelines, delete profile pictures, and trick users into deleting their accounts — on the proviso that the user entered their password at the deletion prompt.

In order to fully hijack an account, it would be necessary for a new email address or phone number to be added to the target account. However, this would require a victim to visit two separate URLs.

To get around this, the bug bounty hunter looked for endpoints that honour a “next” parameter, so that an account takeover could be completed with a single click.

Samm0uda created several scripts hosted externally which, once the malicious app is authorized as the user, were able to pull user access tokens and bypass Facebook redirection protections to forcefully add a new email to the target account — potentially allowing an attacker to reset a password and take over a Facebook profile.   

Account hijacking is deemed a serious issue for Facebook and users alike. The tech giant received a report of the security flaw on 26 January, and the bug was fixed by 31 January. Samm0uda received a bug bounty reward of $25,000 for his efforts.
