Imagine running a dating app and being told accounts could be easily hijacked. How did that feel, Grindr?

Plus: A little reminder to not pay off ransomware crooks


In brief LGBTQ dating site Grindr has squashed a security bug in its website that could have been trivially exploited to hijack anyone's profile using just the victim's email address.

French bug-finder Wassime Bouimadaghene spotted that when you go to the app's website and attempt to reset an account's password using its email address, the site responds with a page that tells you to check your inbox for a link to reset your login details – and, crucially, that response contained a hidden token.

It turned out that token was the same one in the link emailed to the account owner to reset the password. Thus you could enter someone's account email address into the password reset page, inspect the response, get the leaked token, construct the reset URL from the token, click on it, and you'd get to the page to enter a new password for the account. And then you control that user's account, can go through its pics and messages, and so on.
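The pattern described above, as an added example that is not Grindr's code: a minimal Python sketch of a reset handler that echoes the token in its reply next to a fixed one that only ever puts the token in the email, plus a regression check that flags any anonymous reply containing a live token. The user table, token store and mail queue are in-memory stand-ins assumed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stand-ins for the user table, token store and mail queue
# (assumptions for this example, not any real backend).
USERS = {"alice@example.com": {"id": 1}}
RESET_TOKENS: dict[str, str] = {}       # sha256(token) -> email
OUTBOX: list[tuple[str, str]] = []      # (recipient, reset link) awaiting the mailer
RESET_URL = "https://app.example/reset?token={}"

def _issue_token(email: str) -> str:
    """Mint a random token, store only its hash, and hand the plaintext to the mailer."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
    OUTBOX.append((email, RESET_URL.format(token)))
    return token

def vulnerable_reset_request(email: str) -> dict:
    """The flaw described above: the token is echoed to whoever submitted the form."""
    if email not in USERS:
        return {"message": "Check your inbox for a reset link."}
    token = _issue_token(email)
    return {"message": "Check your inbox for a reset link.", "token": token}  # the leak

def fixed_reset_request(email: str) -> dict:
    """Only the mailbox sees the token; the reply is the same whether or not the address exists."""
    if email in USERS:
        _issue_token(email)
    return {"message": "If that address is registered, a reset link has been sent."}

def consume_token(token: str) -> Optional[str]:
    """Called when the emailed link is opened: constant-time match on the hash, single use."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, email in list(RESET_TOKENS.items()):
        if hmac.compare_digest(stored, digest):
            del RESET_TOKENS[stored]
            return email
    return None

def response_leaks_token(response: dict) -> bool:
    """Regression check: does any value in an anonymous reset reply validate as a live token?"""
    return any(isinstance(v, str) and hashlib.sha256(v.encode()).hexdigest() in RESET_TOKENS
               for v in response.values())
```

A check like `response_leaks_token` belongs in the test suite for every unauthenticated endpoint that mints a secret, so a future refactor cannot quietly reintroduce the leak.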

After reporting the blunder to Grindr and getting no joy, Bouimadaghene went to Aussie internet hero Troy Hunt, who eventually got hold of people at the software maker, the bug got fixed, and the tokens were no longer leaking out.

"This is one of the most basic account takeover techniques I've seen. I cannot fathom why the reset token – which should be a secret key – is returned in the response body of an anonymously issued request," said Hunt. "The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously."

"We believe we addressed the issue before it was exploited by any malicious parties," Grindr told TechCrunch.

SEC Consult has warned that SevOne's Network Management System can be compromised via command injection, SQL injection, and CSV formula injection bugs. No patch is available as the infosec biz was ignored when it tried to privately report the holes.

Meanwhile, someone is deliberately disrupting the Trickbot botnet, said to be made up of more than two million infected Windows PCs that harvest people's financial details for fraudsters and sling ransomware at others.

Treasury warns: Don't cave to ransomware demands, it could cost you

The US Treasury this week sent out a warning to cyber-security companies, er, well, at least those in the States: paying cyber-extortionists' demands on behalf of a client is definitely not OK, depending on the circumstances.

Officials reminded Americans [PDF] that agreeing to pay off ransomware crooks in sanctioned countries is a crime, and could run afoul of the rules set by the Office of Foreign Assets Control (OFAC), even if it's in the service of a client. Bear in mind this is an advisory, not a legal ruling.

"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the Treasury said.

Ballers rolled for social account details

As if the distancing bubbles in sports and constant COVID-19 virus tests aren't enough for professional athletes, they have to look out for miscreants on the web, too.

The Feds this week accused Trevontae Washington, 21, of Thibodaux, Louisiana, and Ronnie Magrehbi, 20, of Orlando, Florida, of hijacking internet profiles of football and basketball players. According to prosecutors:

Washington is alleged to have compromised accounts belonging to multiple NFL and NBA athletes. Washington phished for the athletes' credentials, messaging them on platforms like Instagram with embedded links to what appeared to be legitimate social media log-in sites, but which, in fact, were used to steal the athletes' user names and passwords. Once the athletes entered their credentials, Washington and others locked the athletes out of their accounts and used them to gain access to other accounts. Washington then sold access to the compromised accounts to others for amounts ranging from $500 to $1,000.

And...

Magrehbi is alleged to have obtained access to accounts belonging to a professional football player, including an Instagram account and personal email account. Magrehbi extorted the player, demanding payment in return for restoring access to the accounts. The player sent funds on at least one occasion, portions of which were transferred to a personal bank account controlled by Magrehbi, but never regained access to his online accounts.

The pair were charged with conspiracy to commit wire fraud, and conspiracy to commit computer fraud and abuse. ®

Biting the hand that feeds IT © 1998–2022