Category: IT Security

Facebook dropped another bombshell on its users by admitting that all of its 2.2 billion users should assume malicious third-party scrapers have compromised their public profile information.

On Wednesday, Facebook CEO Mark Zuckerberg revealed that "malicious actors" took advantage of "Search" tools on its platform to discover the identities and collect information on most of its 2 billion users worldwide.

The revelation once again underlines the

failure of the social-media

giant to protect users’ privacy while generating billions of dollars in revenue from the same information.

The revelation came weeks after the disclosure of the

Cambridge Analytica scandal

, wherein personal data of 77 million users was improperly gathered and misused by the political consultancy firm, who reportedly also helped Donald Trump win the US presidency in 2016.

However, the latest scam revealed by the social media giant about the abuse of Facebook’s search tools over the course of several years impacts almost all of its 2.2 billion users, making it the worst year for the world’s largest social network.

"It is clear now that we didn’t do enough, we didn’t focus enough on preventing abuse," Zuckerberg told press reporters. "We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake."

The company said it had disabled the feature—which allows anyone to look up users by entering phone numbers or email addresses into Facebook’s search tool—in its site’s search function that enabled malicious actors to scrape public profile information.

Here’s How Scrapped Data Could Have Helped Cybercriminals

As mentioned above, the source of this scam was Facebook’s search function, which was turned on by default. Hackers took help of "Dark Web," where criminals post personal information of users stolen from data breaches over the years, to collect.

Once they had their hands on email addresses and phone numbers, the hackers then used automated computer programs to feed the email addresses and phone numbers into Facebook’s "search" box.

This scan allowed them to find out the full names of people associated with the email addresses or phone numbers, along with the Facebook profile information they chose to make public, which often includes names, profile photos, and hometown.

This collected information was then more likely to be used by cybercriminals to target particular individual using social engineering or other cyber attacks.

"Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name," Facebook Chief Technology Officer Mike Schroepfer said in a blog post describing changes the company has made to its service to protect its users’ data better.

"However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way."

While apologizing "second time" to its users, Zuckerberg said this feature has immediately been turned off, noting that the scraped profile information was only limited to what was publically viewable.

However, Zuckerberg defended gathering users’ data for a business model, arguing "People tell us that if they’re going to see ads, they want the ads to be good."

"On the one hand, people want relevant experiences, and on the other hand there is some discomfort about how data is used," Zuck added. "I think the overwhelming feedback is for wanting a good experience."

Also, it was initially reported that Cambridge Analytica quiz app gathered data on some 50 million Facebook users, but Facebook revised that number upward by 74 percent, i.e., over 77 million.

In an effort to protect its users private data, Facebook is now restricting third-party apps from accessing users’ information about their relationship status, religious or political views, work history, education, habits, interest, video watching, and games—basically almost every information data brokers and businesses collect to build profiles of their customers’ tastes.

The company is all set to roll out a new feature on Monday that will inform users who were affected by the Cambridge Analytica data leak.

Facebook dropped another bombshell on its users by admitting that all of its 2.2 billion users should assume malicious third-party scrapers have compromised their public profile information.

On Wednesday, Facebook CEO Mark Zuckerberg revealed that "malicious actors" took advantage of "Search" tools on its platform to discover the identities and collect information on most of its 2 billion users worldwide.

The revelation once again underlines the

failure of the social-media

giant to protect users’ privacy while generating billions of dollars in revenue from the same information.

The revelation came weeks after the disclosure of the

Cambridge Analytica scandal

, wherein personal data of 77 million users was improperly gathered and misused by the political consultancy firm, who reportedly also helped Donald Trump win the US presidency in 2016.

However, the latest scam revealed by the social media giant about the abuse of Facebook’s search tools over the course of several years impacts almost all of its 2.2 billion users, making it the worst year for the world’s largest social network.

"It is clear now that we didn’t do enough, we didn’t focus enough on preventing abuse," Zuckerberg told press reporters. "We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake."

The company said it had disabled the feature—which allows anyone to look up users by entering phone numbers or email addresses into Facebook’s search tool—in its site’s search function that enabled malicious actors to scrape public profile information.

Here’s How Scrapped Data Could Have Helped Cybercriminals

As mentioned above, the source of this scam was Facebook’s search function, which was turned on by default. Hackers took help of "Dark Web," where criminals post personal information of users stolen from data breaches over the years, to collect.

Once they had their hands on email addresses and phone numbers, the hackers then used automated computer programs to feed the email addresses and phone numbers into Facebook’s "search" box.

This scan allowed them to find out the full names of people associated with the email addresses or phone numbers, along with the Facebook profile information they chose to make public, which often includes names, profile photos, and hometown.

This collected information was then more likely to be used by cybercriminals to target particular individual using social engineering or other cyber attacks.

"Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name," Facebook Chief Technology Officer Mike Schroepfer said in a blog post describing changes the company has made to its service to protect its users’ data better.

"However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way."

While apologizing "second time" to its users, Zuckerberg said this feature has immediately been turned off, noting that the scraped profile information was only limited to what was publically viewable.

However, Zuckerberg defended gathering users’ data for a business model, arguing "People tell us that if they’re going to see ads, they want the ads to be good."

"On the one hand, people want relevant experiences, and on the other hand there is some discomfort about how data is used," Zuck added. "I think the overwhelming feedback is for wanting a good experience."

Also, it was initially reported that Cambridge Analytica quiz app gathered data on some 50 million Facebook users, but Facebook revised that number upward by 74 percent, i.e., over 77 million.

In an effort to protect its users private data, Facebook is now restricting third-party apps from accessing users’ information about their relationship status, religious or political views, work history, education, habits, interest, video watching, and games—basically almost every information data brokers and businesses collect to build profiles of their customers’ tastes.

The company is all set to roll out a new feature on Monday that will inform users who were affected by the Cambridge Analytica data leak.

A serious vulnerability has been discovered in Microsoft-owned most popular free web messaging and voice calling service Skype that could potentially allow attackers to gain full control of the host machine by granting system-level privileges to a local, unprivileged user.

The worst part is that this vulnerability will not be patched by Microsoft anytime soon.

It’s not because the flaw is unpatchable, but because fixing the vulnerability requires a significant software rewrite, which indicates that the company will need to issue an all-new version of Skype rather than just a patch.

The vulnerability has been

discovered

and reported to Microsoft by security researcher Stefan Kanthak and resides in Skype’s update installer, which is susceptible to Dynamic Link Libraries (DLL) hijacking.

According to the researcher, a potential attacker could exploit the “functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories.”

The exploitation of this preferential search order would allow the attacker to hijack the update process by downloading and placing a malicious version of a DLL file into a temporary folder of a Windows PC and renaming it to match a legitimate DLL that can be modified by an unprivileged user without having any special account privileges.

When Skype’s update installer tries to find the relevant DLL file, it will find the malicious DLL first, and thereby will install the malicious code.

Although Kanthak demonstrated the attack using the Windows version of Skype, he believes the same DLL hijacking method could also work against other operating systems, including Skype versions for macOS and Linux.

Kanthak informed Microsoft of the Skype vulnerability back in September, but the company told him that the patch would require the Skype update installer go through “a large code revision,” Kanthak

told

ZDNet.

So rather than releasing a security update, Microsoft decided to build an altogether new version of the Skype client that would address the vulnerability.

It should be noted that this vulnerability only affects the Skype for the desktop app, which uses its update installer which is vulnerable to the DLL hijacking technique. The Universal Windows Platform (UWP) app version available from the Microsoft Store for Windows 10 PCs is not affected.

The vulnerability has been rated as “medium” in severity, but Kanthak said, “the attack could be easily weaponized.” He gave two examples, which have not been released yet.

Until the company issues an all-new version of Skype client, users are advised to exercise caution and avoid clicking on attachments provided in an email. Also, make sure you run appropriate and updated anti-virus software that offers some defence against such attacks.

This is not the first time Skype has been dealing with a severe security flaw. In June 2017, a

critical flaw in Skype

was revealed before Microsoft released a fix for the issue that allowed hackers to crash systems and execute malicious code in them.

Last month, among several messaging applications, Skype was also dealing with a critical remote code execution

vulnerability in Electron

—a popular web application framework widely-used in desktop applications.

A zero-day vulnerability has been discovered in the desktop version for end-to-end encrypted Telegram messaging app that was being exploited in the wild in order to spread malware that mines cryptocurrencies such as Monero and ZCash.

The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram messaging software.

The flaw has actively been exploited in the wild since at least March 2017 by attackers who tricked victims into downloading malicious software onto their PCs that used their CPU power to mine cryptocurrencies or serve as a backdoor for attackers to remotely control the affected machine, according to a

blogpost

on Securelist.

Here’s How Telegram Vulnerability Works

The vulnerability resides in the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for coding languages that are written from right to left, like Arabic or Hebrew.

According to Kaspersky Lab, the malware creators used a hidden RLO Unicode character in the file name that reversed the order of the characters, thus renaming the file itself, and send it to Telegram users.

For example, when an attacker sends a file named "photo_high_re*U+202E*gnp.js" in a message to a Telegram user, the file’s name rendered on the users’ screen flipping the last part.

Therefore, the Telegram user will see an incoming PNG image file (as shown in the below image) instead of a JavaScript file, misleading into downloading malicious files disguised as the image.

"As a result, users downloaded hidden malware which was then installed on their computers," Kaspersky says in its press release published today.

Kaspersky Lab reported the vulnerability to Telegram and the company has since patched the vulnerability in its products, as the Russian security firm said: "at the time of publication, the zero-day flaw has not since been observed in messenger’s products."

Hackers Used Telegram to Infect PCs with Cryptocurrency Miners

During the analysis, Kaspersky researchers found several scenarios of zero-day exploitation in the wild by threat actors. Primarily, the flaw was actively exploited to deliver cryptocurrency mining malware, which uses the victim’s PC computing power to mine different types of cryptocurrency including Monero, Zcash, Fantomcoin, and others.

While analyzing the servers of malicious actors, the researchers also found archives containing a Telegram’s local cache that had been stolen from victims.

In another case, cybercriminals successfully exploited the vulnerability to install a backdoor trojan that used the Telegram API as a command and control protocol, allowing hackers to gain remote access to the victim’s computer.

"After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools," the firm added.

Firsh believes the zero-day vulnerability was exploited only by Russian cybercriminals, as "all the exploitation cases that [the researchers] detected occurring in Russia," and a lot of artifacts pointed towards Russian cybercriminals.

The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.

A zero-day vulnerability has been discovered in the desktop version for end-to-end encrypted Telegram messaging app that was being exploited in the wild in order to spread malware that mines cryptocurrencies such as Monero and ZCash.

The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram messaging software.

The flaw has actively been exploited in the wild since at least March 2017 by attackers who tricked victims into downloading malicious software onto their PCs that used their CPU power to mine cryptocurrencies or serve as a backdoor for attackers to remotely control the affected machine, according to a

blogpost

on Securelist.

Here’s How Telegram Vulnerability Works

The vulnerability resides in the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for coding languages that are written from right to left, like Arabic or Hebrew.

According to Kaspersky Lab, the malware creators used a hidden RLO Unicode character in the file name that reversed the order of the characters, thus renaming the file itself, and send it to Telegram users.

For example, when an attacker sends a file named "photo_high_re*U+202E*gnp.js" in a message to a Telegram user, the file’s name rendered on the users’ screen flipping the last part.

Therefore, the Telegram user will see an incoming PNG image file (as shown in the below image) instead of a JavaScript file, misleading into downloading malicious files disguised as the image.

"As a result, users downloaded hidden malware which was then installed on their computers," Kaspersky says in its press release published today.

Kaspersky Lab reported the vulnerability to Telegram and the company has since patched the vulnerability in its products, as the Russian security firm said: "at the time of publication, the zero-day flaw has not since been observed in messenger’s products."

Hackers Used Telegram to Infect PCs with Cryptocurrency Miners

During the analysis, Kaspersky researchers found several scenarios of zero-day exploitation in the wild by threat actors. Primarily, the flaw was actively exploited to deliver cryptocurrency mining malware, which uses the victim’s PC computing power to mine different types of cryptocurrency including Monero, Zcash, Fantomcoin, and others.

While analyzing the servers of malicious actors, the researchers also found archives containing a Telegram’s local cache that had been stolen from victims.

In another case, cybercriminals successfully exploited the vulnerability to install a backdoor trojan that used the Telegram API as a command and control protocol, allowing hackers to gain remote access to the victim’s computer.

"After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools," the firm added.

Firsh believes the zero-day vulnerability was exploited only by Russian cybercriminals, as "all the exploitation cases that [the researchers] detected occurring in Russia," and a lot of artifacts pointed towards Russian cybercriminals.

The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.