Wawa Breach: Hackers Steal and Place for Sale Details of 30M Payment Cards
Last month, Wawa announced that millions of customers might have had their credit or debit card information stolen in a data breach impacting almost all of their store locations. According to the report, malware, which originated on March 4, was discovered on Wawa’s payment processing servers on December 10.
This week, malicious actors posted the card details of more than 30 million Wawa breach victims for sale at Joker’s Stash, a sizable dark web marketplace for stolen payment card data.
This breach is one of the largest credit card breaches in the history of the United States. The post on Joker’s Stash marketplace is titled as BIGBADABOOM-III and includes credit card numbers, expiration dates, and cardholder names.
Last week, Wawa released a statement confirming reports of criminal attempts to sell its customers’ data and informing customers that it has alerted relevant payment card companies and issuers to increase fraud monitoring activities. Customers who have purchased any item with a credit card from Wawa convenience stores between March and December of 2019 are advised to pay close attention to their credit card activity.
Read more here
WhatsApp Bug Allows Attackers to Access Local File System
Facebook has patched a critical vulnerability that allows a malicious actor to read files from a user’s local file system on both Windows and macOS systems. The vulnerability, tracked as CVE-2019-18426, was discovered by Gal Weizman, a PerimeterX researcher.
Weizman found the flaw, which produces a cross-site scripting (XSS) vulnerability on the desktop app, in WhatsApp’s Content Security Policy (CSP).
Facebook’s security advisory states that the “vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading,” and that “[e]xploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”
The attacks themselves could have gone unnoticed to those who aren’t security-conscious. We recommend updating the application to the current version to protect yourself.
Read more here
Twitter Claims Attacker Used Its API to Match Usernames to Phone Numbers
Twitter has disclosed a security incident highlighting multiple exploitation attempts against the company’s official API to match phone numbers with Twitter usernames. According to the disclosure, Twitter became aware of the exploitation attempts on December 24, 2019, and has not clarified who the third-party attackers were. However, Twitter has stated that some of the IP addresses used in the API exploitation attempts had ties to state-sponsored attackers.
According to Twitter, the attackers exploited a legitimate API by creating a large number of fake accounts to query the service. Only users with the allow “phone number-based matching” option enabled in their settings could be affected by the attacks, other users remain safe.
Get more information here
Sudo CVE-2019-18634 Flaw Allows Non-Privileged Linux and macOS Users Run Commands as Root
Apple security expert Joe Vennix has discovered a vulnerability within the “sudo” utility that allows non-privileged Linux and macOS users to run commands as root. The vulnerability is tracked as CVE-2019-18634 and can only be exploited when the “pwfeedback” option is enabled in the sudoers configuration file. Pwfeedback is an option that allows visual feedback when a user is inputting their password.
According to a statement by NIST, “In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process.” An attacker would need to “deliver a long string to the stdin of getln() in tgetpass.c..”
To mitigate the vulnerability, disable the “Defaults pwfeedback” to “Defaults !pwfeedback” in the sudoers configuration file and also update their Sudo version to 1.8.31.
Read more here
Microsoft Azure Flaws Could Have Let Hackers Take Over Cloud Servers
Check Point Security researchers have disclosed two recently patched vulnerabilities in Microsoft Azure services. The two potentially critical bugs enabled attackers to access businesses that run their web and mobile apps on Azure.
The first flaw, CVE-2019-1234, is a request spoofing issue that affects Azure Stack. If an attacker exploits the vulnerability, they could access sensitive information and screenshots of any virtual machine on the Azure infrastructure. The attacker does so by leveraging an insecure API to discover the virtual machine name, ID, hardware information, and other information combined with an unauthenticated HTTP request to grab screenshots.
The second vulnerability, CVE-2019-1372, is a remote code execution flaw that affects the Azure App Service on Azure Stack. The vulnerability allows a malicious actor to control the Azure server. A detailed post can be found here. Check Point researcher Ronen Shustin reported the vulnerabilities to Microsoft last year, providing more time for organizations to patch their systems.
Read more here