Search This Blog

Showing posts with label API. Show all posts

Cyber Security Researcher Exposes the Biggest Threat Regarding YouTube Users Privacy

 

David Schutz, a security researcher uncovered the potential unauthorized access to a user’s viewing history, favorites, and playlists by the threat actors. Threat actors manipulated the website and embedded a YouTube video to secure access to a user’s viewing history and playlists.

Threat actors managed to earn $1,337 via the security bug, Schutz explained that he discovered the vulnerabilities by linking two things – in a somewhat “unexpected” manner. Website developers utilize YouTube embedded player to embed videos into their own site and this player also has a feature known as API (Application Programming Interface). 

API lets users embed functions commonly executed on YouTube into their personal website or application. API also allows the users to retrieve, insert, delete or update many of these resources. A resource constitutes a kind of item that comprises part of the YouTube experience which includes loading a new video or playlist, subscription, play/pause the player.

Every user on YouTube has a few personal playlists, for example, the playlist with the ID ‘HL’ comprises the user’s viewing history and the ID with ‘WL’ contains the user’s view later and so on.

David Schutz explained the vulnerabilities via blog post: “Since the YT embedded player is also logged in to YT, a malicious website could have embedded a player, instructed it to play e.g., the ‘HL’ playlist (which would start playing the currently visiting user’s watch history), and get the contents of the playlists using the API the embedded player has, thereby stealing the watch history of the user who opened the website”.

“The attacker could also have prepared a page for a specific victim, which when opened by that victim, would steal the victim’s unlisted videos (which otherwise would require knowing the ID to watch). The main issue was that you were able to load private playlists into the player in the name of the victim, and later steal the contents of those private playlists,” the post further read. 

Gamaredon grows by targeting Microsoft Outlook and Office


ESET, an antivirus company has discovered that Gameradon has been growing fast by developing new tools that target Microsoft Office and Outlook.

Gameradon is an advanced persistent threat (APT) group, active since 2013 that mostly targets Ukrainian institutions. New tools have been attributed to the API, developing a module for Microsoft Outlook that creates mails and sends it to the victims or sends the mails from the victims' accounts to their contacts.

These emails contain malicious documents with macros and malware links. The hacker group runs macro scripts in Outlook by disabling protections and plants source files for spearfishing and rapidly spreading the malware to other systems.

 Gameradon uses a new method to target Outlook

Gameradon has been using an unusual way of attacking Outlook by a new package that contains Visual Basic for Applications (VBA) project (.OTM file) to target emails with macro scripts.

 “While abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it,” says researchers at ESET.

The process of attack starts from disabling the Outlook process with a VBScript. Then this script removes further security that would restrict executing VBA macros in Outlook. The macro script stores the OTM file on the disk that spreads the malicious emails to the contact list.

 "These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings. Thus, affected users have no idea that they are again compromising their workstations whenever they open the documents. We have seen this module implemented in two different languages: C# and VBScript" - ESET

Since the Outlook runs one VBA project at a time, the threat actors use the OTM file containing the VBA script in the email attachment. This VBA code can create emails fully efficient with a body, text, and the document containing malware.

Gamaredon's scripts, the researchers found relies and focus more on the speed of infection and development than quality as evident by mistakes found in source code and language.

COVID-19: Google and Apple Team up on Contact Trace Technology


Around the world, the governments and health departments are fighting together against the Coronavirus pandemic, coming up with solutions to reduce its effect, so the society and the people can recover from it at the earliest. Keeping this in mind, various software companies and enthusiasts, too, are continually working to build technologies to aware the people to stay safe. Apple and Google together have come forward to contact trace Coronavirus patients. They are working together in developing a technology that will let people know whether they have come in contact with any Coronavirus infected person.


"To further this cause, Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing," says Apple and Google. The initial aim is to help third party contact tracing applications work accurately. But the primary objective is to get rid of downloading dedicated apps while supporting the work. The approach by Apple and Google will keep in mind that- the users participating are voluntary and would stay anonymous. At the same time, their privacy will remain the utmost concern for both companies.

The contact tracing method will somewhat work like this- with the help device's Bluetooth connection signals; the user will know whether he/she has been in contact with an infected person long enough to catch the virus. If either of the people is tested positive for COVID-19 in the future, an immediate warning will be issued to the original handset owner, informing him about the situation. The companies, while addressing the privacy concern, say that neither GPS nor personal information of the user will be collected.

"All of us at Apple and Google believe there has never been a more important moment to work together to solve one of the world's most pressing problems. Through close cooperation and collaboration with developers, governments, and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID-19 and accelerate the return of everyday life," said the two companies in a joint statement.

Facebook Data Breach: API Security Risks


In the year 2018 Facebook disclosed a massive data breach due to which the company had to face a lawsuit along with allegations of not properly securing its user data. The breach directly affected the authentication tokens of nearly 30 million of its users which led to the filing of several class-action complaints in a San Francisco appeals court. In the wake of the incident, Facebook pledged to strengthen its security.

A feature, known as "View As" which was employed by developers to render user pages was exploited by hackers to get access to user tokens. The theft of these tokens is associated with the advancement of a major API security risk, it also indicates how API risks can go unnoticed for such a long time frame. The trends in digital up-gradation have further pushed the process of continuous integration and continuous delivery – CI/CD, which are closely related concepts but are sometimes used interchangeably. The main purpose of continuous delivery is to ensure that the deployment of a new code takes the least possible effort. It enables DevOps to maintain a constant flow of software updates to fasten release patterns and reduce the risks related to development.

Conventionally, developers used to work on the parts of an application– one at a time and then manually merge the codes. The process was isolated and time-consuming, it led to the duplication of code creation efforts. However, as the IT ecosystem went on embracing the new CI/CD model and effectively sped up the development process while ensuring early detection of bugs, almost all the security has been commercialized by ace infrastructure providers namely Microsoft and Amazon. The commodities offered include authorization, container protection and encryption of data. Similarly, security components of first-generation firewalls and gateways like the protection of denial-of-service (DDoS) attacks also constitute the infrastructure.

When it comes to navigating and communicating – especially through an unfamiliar space, APIs are a powerful tool with great flexibility in their framework. However, similar reasons also make APIs equally vulnerable also.

While giving insights into the major IT risk posed by APIs, Terry Ray, chief security officer for Imperva told, "APIs represent a mushrooming security risk because they expose multiple avenues for hackers to try to access a company's data."

"To close the door on security risks and protect their customers, companies need to treat APIs with the same level of protection that they provide for their business-critical web applications."

The API threat is basically rooted in its lack of visibility, Subra Kumaraswamy, the former head of product security at Apigee, an API security vendor owned by Google, while putting the risk into the perspective, told: "When you have visibility into your APIs throughout your organization, you can then put controls in place."

"You might decide that a certain API should only be exposed to in-house developers, not external, third-party ones. If you don't have visibility, you can't see who is accessing what."

While labeling the authorization and improper asset management as areas of key concern, Yalon told, “Authorization mechanisms are complex because they are not implemented in one place, but in many different components like configuration files, code, and API gateways."

“Even though this sometimes may look like simple housekeeping, having a very clear understanding of the APIs, with well-maintained inventory, and documentation (we whole-heartedly recommend Open API Specification) is very critical in the world of APIs,” he further said.

Imperva Firewall Breached: Users API keys, SSL Certificates Exposed



Imperva, a leading security vendor, disclosed a security breach which exposed API keys, SSL certificates, scrambled passwords and email addresses for a subset of its customers using the Cloud Web Application Firewall (WAF) product.

Previously known as, Incapsula, the Cloud WAF examines the incoming requests into applications and obstructs any kind of malicious activity.

The breach was made known to the California based firm by a third party on August 20 and the details of the disclosure are yet to be made public.

In conversation with the Threatpost, Chris Morales, Head of Security Analytics at Vectra, said, “Losing SSL certificates and API access to an enterprise network is concerning. Secure web gateways, firewalls, intrusion detection, and prevention systems, and data loss prevention (DLP) products all perform some form of SSL intercept and decryption to perform DPI,”

“While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks,” He further told.

Referencing from the writings of CEO, Chris Hylen, “We want to be very clear that this data exposure is limited to our Cloud WAF product… Elements of our Incapsula customer database through September 15, 2017, were exposed. These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates.”

Assuring the users, he told, “We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

As a remedial measure, Imperva brought into force password resets and 90-day password expiration for the product which notably is a key component of the company's leading application security solution.