Imagine running a dating app and being told accounts could be easily hijacked. How did that feel, Grindr?
Plus: A little reminder to not pay off ransomware crooks
In brief LGBTQ dating site Grindr has squashed a security bug in its website that could have been trivially exploited to hijack anyone's profile using just the victim's email address.
French bug-finder Wassime Bouimadaghene spotted that when you go to the app's website and attempt to reset an account's password using its email address, the site responds with a page that tells you to check your inbox for a link to reset your login details – and, crucially, that response contained a hidden token.
It turned out that token was the same one in the link emailed to the account owner to reset the password. Thus you could enter someone's account email address into the password reset page, inspect the response, get the leaked token, construct the reset URL from the token, click on it, and you'd get to the page to enter a new password for the account. And then you control that user's account, can go through its pics and messages, and so on.
After reporting the blunder to Grindr and getting no joy, Bouimadaghene went to Aussie internet hero Troy Hunt, who eventually got hold of people at the software maker, the bug got fixed, and the tokens were no longer leaking out.
"This is one of the most basic account takeover techniques I've seen. I cannot fathom why the reset token – which should be a secret key – is returned in the response body of an anonymously issued request," said Hunt. "The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously."
"We believe we addressed the issue before it was exploited by any malicious parties," Grindr told TechCrunch.
SEC Consult has warned that SevOne's Network Management System can be compromised via command injection, SQL injection, and CSV formula injection bugs. No patch is available as the infosec biz was ignored when it tried to privately report the holes.
Meanwhile, someone is deliberately disrupting the Trickbot botnet, said to be made up of more than two million infected Windows PCs that harvest people's financial details for fraudsters and sling ransomware at others.
Treasury warns: Don't cave to ransomware demands, it could cost you
The US Treasury this week sent out a warning to cyber-security companies, er, well, at least those in the States: paying cyber-extortionists' demands on behalf of a client is definitely not OK, depending on the circumstances.
Officials reminded Americans [PDF] that agreeing to pay off ransomware crooks in sanctioned countries is a crime, and could run afoul of the rules set by the Office of Foreign Assets Control (OFAC), even if it's in the service of a client. Bear in mind this is an advisory, not a legal ruling.
"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the Treasury said.
Ballers rolled for social account details
As if the distancing bubbles in sports and constant COVID-19 virus tests aren't enough for professional athletes, they have to look out for miscreants on the web, too.
The Feds this week accused Trevontae Washington, 21, of Thibodaux, Louisiana, and Ronnie Magrehbi, 20, of Orlando, Florida, of hijacking internet profiles of football and basketball players. According to prosecutors:
Washington is alleged to have compromised accounts belonging to multiple NFL and NBA athletes. Washington phished for the athletes credentials, messaging them on platforms like Instagram with embedded links to what appeared to be legitimate social media log-in sites, but which, in fact, were used to steal the athletes’ user names and passwords. Once the athletes entered their credentials, Washington and others locked the athletes out of their accounts and used them to gain access to other accounts. Washington then sold access to the compromised accounts to others for amounts ranging from $500 to $1,000.
Magrehbi is alleged to have obtained access to accounts belonging to a professional football player, including an Instagram account and personal email account. Magrehbi extorted the player, demanding payment in return for restoring access to the accounts. The player sent funds on at least one occasion, portions of which were transferred to a personal bank account controlled by Magrehbi, but never regained access to his online accounts.
The pair were charged with conspiracy to commit wire fraud, and conspiracy to commit computer fraud and abuse. ®