Last Week In Blockchain and CyberSecurity News - October 1, 2019

Hacker Steals Over 218 Million Zynga 'Words With Friends' Gamers Data

A hacker who previously made headlines for exposing nearly one billion user records is now claiming to have breached the user base of the mobile game company Zynga Inc. Zynga owns several popular mobile games, such as Farmville, Words With Friends, Zynga Poker, Mafia Wars, and more. They currently have more than a billion users worldwide.  

The unknown criminal claims to have access to a massive database of more than 218 million Words With Friends users. According to the hacker, the data breach affects all Android and iOS users who have installed and used Words With Friends before September 2.  

Zynga admits the company has suffered a data breach, stating they “have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed.” However, the total number of affected users has not been disclosed. According to The Hacker News, the stolen user information includes:

  • Names 

  • Email addresses 

  • Login IDs 

  • Hashed passwords, SHA1 with salt 

  • Password reset token (if ever requested) 

  • Phone numbers (if provided) 

  • Facebook ID (if connected) 

  • Zynga account ID 

Experts have not considered SHA1 secure for many years, so we recommend changing your password if you’ve reused it.  
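For services that still store salted SHA1 hashes like the ones described above, the sketch below is an added example (not from the original article, and not Zynga's code). It wraps the legacy digests in scrypt offline and upgrades each account to plain scrypt at its next successful login. The record layout, the `sha1(salt + password)` construction, and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; tune for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_sha1(password: str, salt: bytes) -> str:
    # Assumed legacy scheme: hex(sha1(salt || password)).
    return hashlib.sha1(salt + password.encode()).hexdigest()

def scrypt_hash(secret: bytes, salt: bytes) -> str:
    return hashlib.scrypt(secret, salt=salt, **SCRYPT).hex()

def wrap_legacy(record: dict) -> dict:
    """Offline step: scrypt over the stored SHA1 digest (no password needed)."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(sha1)", "sha1_salt": record["salt"],
            "salt": salt, "hash": scrypt_hash(record["hash"].encode(), salt)}

def verify_and_upgrade(password: str, record: dict):
    """Return (ok, record); a wrapped record becomes plain scrypt on success."""
    if record["scheme"] == "scrypt(sha1)":
        inner = legacy_sha1(password, record["sha1_salt"]).encode()
        candidate = scrypt_hash(inner, record["salt"])
    elif record["scheme"] == "scrypt":
        candidate = scrypt_hash(password.encode(), record["salt"])
    else:
        return False, record  # bare SHA1 rows must be wrapped first
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if record["scheme"] == "scrypt(sha1)":
        salt = os.urandom(16)
        record = {"scheme": "scrypt", "salt": salt,
                  "hash": scrypt_hash(password.encode(), salt)}
    return True, record

def demo():
    # Constructed sample row, not real breach data.
    salt = b"constructed-salt"
    legacy = {"scheme": "sha1", "salt": salt,
              "hash": legacy_sha1("correct horse", salt)}
    wrapped = wrap_legacy(legacy)
    bad, _ = verify_and_upgrade("wrong guess", wrapped)
    ok, upgraded = verify_and_upgrade("correct horse", wrapped)
    ok_again, _ = verify_and_upgrade("correct horse", upgraded)
    return wrapped["scheme"], bad, ok, upgraded["scheme"], ok_again

if __name__ == "__main__":
    print(demo())
```

Once every row is wrapped, the bare SHA1 digests can be deleted, so a later database leak no longer exposes hashes that are cheap to test guesses against.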

Read more here

New Sim Card Attack, Similar to Simjacker, Surfaces

Security researchers have disclosed a new SMS-based attack that allows a malicious actor to track users’ devices.  

The new attack, WIBattack, works in the same way and grants access to similar commands as Simjacker. While Simjacker runs commands against the S@T Browser app, WIBattack sends commands to the Wireless Internet Browser (WIB) app. Both the S@T Browser app and the WIB app are Java applets that mobile telecommunication companies embed into their SIM cards to provide remote management for their customers.  
 

Security researchers from Ginno Security report that both S@T and WIB contain vulnerabilities in which attackers can send a “specially formatted binary SMS (called an OTA SMS) that will execute STK (SIM Toolkit) instructions on SIM cards on which Telco's did not enable special security features.”  

The WIB app supports numerous commands, including: 

  • Get location data 

  • Start call 

  • Send SMS 

  • Send SS requests 

  • Send USSD requests 

  • Launch an internet browser with a specific URL 

  • Display text on the device 

  • Play a tone 

A PoC of the exploit

The researchers also state that criminals could use this attack vector to track users.  

Ginno Security researchers discovered this attack in 2015 but never went public with their findings. It’s estimated that hundreds of millions of users could be affected by this vulnerability.

Read more here

Fusion Network Hacked, $6.4 Million Worth of FSN Tokens Stolen

Blockchain-based swap wallet platform Fusion Network has been hacked, resulting in the theft of $6.4 million worth of FSN tokens. The wallet address 0x8e6bDa71f3f0F49dDD29969De79aFCFac4457379 was compromised, allowing hackers to siphon 10 million native FSN and 3.5 million ERC20 FSN tokens.  

DJ Qian, the platform’s chief executive, announced in the official FSN Telegram group on Saturday that “abnormal wash trading behaviors” followed the theft and part of the stolen funds were transferred and then sold on exchanges such as Bitmex.  

The stolen funds amount to an astonishing 38 percent of the total supply of the token, and as a precaution, Fusion Network has moved the rest of its supply into cold storage. According to the company’s investigation, the compromise of the swap wallet was due to the private key being stolen as opposed to a vulnerability within their network. Many exchanges have suspended the deposit and withdrawal of FSN tokens as the investigation of the breach continues.

Get more information here

DoorDash Data Breach Exposes Info of Roughly 5 Million Users

DoorDash has become a victim of a data breach affecting 4.9 million customers. An unauthorized user was able to gain access to the personal information of both users and merchants. As an investigation is still underway, it’s unclear how the data was accessed; however, a third-party service may be to blame.  

The unauthorized user was able to access several pieces of data, including:  

  • Profile information with names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties. 

  • For some consumers, the last four digits of consumer payment cards. However, full credit card information such as full payment card numbers or a CVV remained secure.  

  • For some Dashers and merchants, the last four digits of their bank account number. However, full bank account information was not accessed.  

  • For approximately 100,000 Dashers, their driver’s license numbers were also accessed. 

According to DoorDash, the breach affects users who joined DoorDash on or before April 5, 2018. In an announcement, DoorDash also stated it will cut off access to the breached information and improve security systems by "adding additional protective security layers around the data, improving security protocols that govern access to [their] systems, and bringing in outside expertise to increase [their] ability to identify and repel threats."  

Read more here

A New Critical Flaw in Exim Exposes Email Servers to Remote Attacks

Exim maintainers have released a security update to fix a critical security flaw which allows a remote attacker to execute code on targeted servers. The flaw, tracked as CVE-2019-16928, is a heap-based buffer overflow that resides in the string_vformat function (string.c).

If an attacker sends a long EHLO string, they could crash the Exim process that receives a message. The flaw affects all versions of Exim from 4.92 up to 4.92.2. A PoC exploit for this vulnerability has been released by an Exim Development Team developer, Jeremy Harris.

Read more here