Search Go hack yourself with Detectify

An EASM blog from Detectify

The 7 biggest web security news of 2015

December 16, 2015

Below, the Detectify team has listed some of the largest security news and breaches of the past year, that have had a great impact on the security and privacy of both companies and individuals. Let’s make it a new year’s resolution to be more web-secure next year, shall we?

The Ashley Madison hack leaking cheaters’ user data

The online cheating site was hacked in July, leaking out email addresses and account details from 32 million site members. Avid Life Media (ALM), Toronto-based parent company of AshleyMadison, also had sensitive internal data leaked. The hackers, calling themselves “The Impact Team”, performed the hack as a response to the site’s unethical mission of arranging affairs between married people, as well as a comeback to ALM for charging $19 from their users for a “total delete” of account information-function, which in reality didn’t work. Passwords on the live site were hashed using a bcrypt algorithm. ALM have announced a bounty hunt for the hackers, but with no result so far.
(Read more on )

Google Chrome Extensions sharing your private browsing history

Earlier in November, the Detectify team could confirm that popular Google Chrome Extensions were constantly tracking you per default, and making it very difficult or even impossible to opt-out. By downloading certain extensions from the Chrome Web Store, users automatically agreed to the aggressive tracking. These extensions receive your complete browsing history, all your cookies, your secret access-tokens used for authentication (i.e., Facebook Connect) and shared links from sites such as Dropbox and Google Drive. Our findings were picked up by media like BBC and Observer.

– Since the publication, all of the Chrome Extension mentioned turned off the tracking script per default, and some of the extensions were also completely disabled by the Google Chrome Web Store team. The Firefox extension mentioned was disabled until the maintainer removed the tracking script and submitted a new version without tracking, says Frans Rosén, Knowledge Advisor at Detectify.

Let’s encrypt is now trusted by all major browsers

Let’s encrypt – a free, automated, and open certificate authority (CA) – announced in October that they are now trusted and supported by all major browsers. The free SSL/TLS certificate encrypts all the Internet traffic passed between a site and its users, supporting a secure browsing experience. The company wants to see HTTPS become the standard for all websites. Let’s Encrypt entered Public Beta in the beginning of December, and can now be installed through their site.

(Read more on )

CIA Director John Brennan’s private email hacked

CIA Director John Brennan’s personal AOL email account was hacked in October, in what Brennan calls a case study showing the challenges that face national security in the modern age. A high school student claimed to be behind the the hack, saying he obtained access to the account by posing as a Verizon worker, tricking another employee into revealing login information. Sensitive information from Brennan’s email was later published on Wikileaks, like Social Security Numbers of both Brennan and his family as well as of some US intelligence officials. Earlier in the year Hillary Clinton’s private server and email account were also hacked, and she has been criticized since for using her private email to do official work, and in a sense risking national security. (Read more on )

Crowdfunding site Patreon hacked – despite warnings

The crowdfunding site Patreon got hacked in October, leaking 2.3 million unique email addresses, as well as information on who had supported what projects and the conversations users had had between each other. Detectify reported a specific Remote Code Execution to Patreon prior to the breach, due to Werkzeug Debugger. We believe that the public debugger was the attack method due to the simplicity and availability of the vulnerable endpoint. Read our full blogpost on the hack here.

There are still thousands of publicly available instances of Werkzeug Debugger out there, causing a security breach for many more sites. To prevent it from happening to you, it is important to remember that the Werkzeug Debugger should only be used in testing environments and not when putting a site up online.

– Patreon thanked us after the disclosure, in terms of getting the information out, since more companies were affected. They also paid a bug bounty for the finding,
says Frans Rosén, Knowledge Advisor at Detectify.

Experian hack affecting 15 million people

The hack of Experian, one of the largest data brokers in the world, leaked personal information from around 15 million people, many of them T-Mobile customers who had used Experian to apply for credit checks. Names, addresses, and social security, driver’s license and passport numbers are assumed to have been leaked. Experian, being a data broker, is paradoxically often trusted by other companies to anonymize personal information. The hack is the most recent in a series of data breaches affecting organizations from the US government’s Office of Personnel Management to Target. (Read more on )

VTech hack leaking personal information of both parents and children

Chinese digital toy company VTech’s app store database Learning Lodge was hacked in November, exposing personal information of about 4.8 million parents and 200,000 children. The hack has been deemed among the biggest hacks ever documented, and the leaked information makes it possible to link listed kids to their parent. The hacker claimed there was no reason behind the hack, and appears to have shared the breached data only with the staff at tech news site Motherboard who first covered the story. However, it can’t be ruled out that the data may also have been sold to a third party. (Read more on )

“Unfortunately more websites will be hacked in 2016”

Detectify co-founder and security researcher Fredrik Almroth Nordberg summarizes the consequences of the biggest security breaches of 2015, and predicts how web security will develop in 2016.