
Weekly Security Review: Exposing Secrets, Artificial Intelligence Manipulation, and Allegations of Hidden Access Points

Unprotected Firebase databases of The Tea app were accidentally left accessible online, leading to a tumultuous week for the company. While this predicament isn't entirely unheard of, the specifics of this case have caught attention.


Unsecured Databases and Data Breaches: A Growing Concern for Closed-Source Apps

Several recent incidents involved unsecured databases that exposed sensitive user data, but the week's notable items also range from a sandbox escape to an alleged hardware backdoor. Here are the notable examples:

  1. Copilot Enterprise, which gained a Python sandbox backed by a Jupyter Notebook this year, could be made to run commands as root inside its Jupyter container. Separately, a new technique for hiding malicious processes with Linux bind mounts was reported.
  2. The Pi-hole project reported a leak of donors' names and email addresses. In another incident, a bug injected the entire donor list into the page source of a site using a plugin.
  3. A large set of users' photo IDs and other photos were leaked due to unsecured Firebase databases in the Tea app, a dating safety application for women. The Tea app's security failure may be difficult for the company to recover from.
  4. Another unsecured database discovered in the Tea app contained private messages between users, many of which contain sensitive details.
  5. Leaks were due to a bug in version 4.6.0 of GiveWP, a popular WordPress plugin.
  6. Chinese officials have accused Nvidia of putting a backdoor in its new H20 device, but it's unlikely that Nvidia actually put backdoors in their hardware.
  7. A zero-trust platform for secure VPN-like access was defeated by a Cross-Site Request Forgery (CSRF) and an improper Cross-Origin Resource Sharing (CORS) configuration.
  8. CrushFTP has an RCE due to a missed authentication check on an endpoint, allowing unauthenticated XML-RPC calls that can manage the server.
  9. A simple hack discovered by Mahmoud El Manzalawy involved changing an HTTP POST call to a GET and resending it, causing the application to respond with a full dump of the user database.
  10. A Raspberry Pi with a 4G cellular modem was discovered on a bank's network, believed to be part of a scheme by cyber crime group UNC2891 to infiltrate the bank's ATM network and ultimately steal money.
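Items 7, 8 and 9 above share one root cause: an endpoint that does not check who is calling, how, or from where. The following is an added illustration, not code from any of the products mentioned, contrasting a weak handler (any method accepted, no session check, caller's Origin reflected with credentials) with a hardened one that enforces allowed methods per route, requires a session, uses an Origin allowlist for CORS, and rejects cookie-authenticated state-changing requests from non-allowlisted origins as a CSRF guard. The user store, session table and origins are constructed sample values.

```python
"""Endpoint hardening: method enforcement, per-route authentication, a CORS
allowlist and an Origin check against CSRF. All data below is constructed."""
from dataclasses import dataclass, field

# Constructed sample user store standing in for the real database.
USER_DB = [
    {"id": 1, "email": "alice@example.test", "role": "admin"},
    {"id": 2, "email": "bob@example.test", "role": "user"},
]
VALID_SESSIONS = {"sess-alice": 1}              # session cookie -> user id (constructed)
ALLOWED_ORIGINS = {"https://app.example.test"}  # assumed first-party front-end origin
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: object = None
    headers: dict = field(default_factory=dict)

def handle_weak(req: Request) -> Response:
    """Weak pattern: one handler answers every method on the path, never looks at
    the session, and reflects whatever Origin the caller sends, with credentials."""
    resp = Response(200, {"users": USER_DB})  # full table dump to anyone
    origin = req.headers.get("Origin")
    if origin:  # reflecting the origin makes credentialed CORS wide open
        resp.headers["Access-Control-Allow-Origin"] = origin
        resp.headers["Access-Control-Allow-Credentials"] = "true"
    return resp

def cors_headers(origin):
    """Emit CORS headers only for an allowlisted origin; otherwise none at all."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}

# route -> allowed methods; every route here requires a valid session
ROUTES = {
    "/api/users/me": {"GET"},
    "/api/users/me/email": {"POST"},
}

def handle_hardened(req: Request) -> Response:
    methods = ROUTES.get(req.path)
    if methods is None:
        return Response(404, {"error": "not found"})
    origin = req.headers.get("Origin")
    headers = cors_headers(origin)
    if req.method not in methods:  # the POST-to-GET trick stops here
        return Response(405, {"error": "method not allowed"},
                        {**headers, "Allow": ",".join(sorted(methods))})
    user_id = VALID_SESSIONS.get(req.cookies.get("session"))
    if user_id is None:  # the missed-authentication bug stops here
        return Response(401, {"error": "authentication required"}, headers)
    # CSRF guard: a cookie-authenticated state change must come from our own origin
    if req.method in UNSAFE_METHODS and origin not in ALLOWED_ORIGINS:
        return Response(403, {"error": "cross-site request rejected"}, headers)
    me = next(u for u in USER_DB if u["id"] == user_id)
    if req.path == "/api/users/me":
        return Response(200, {"user": me}, headers)  # only the caller's own record
    return Response(200, {"ok": True, "user": me["id"]}, headers)
```

The Origin check is only meaningful for browser-originated, cookie-authenticated requests; API clients presenting a bearer token are not exposed to CSRF and would normally take a different path. Note also that the hardened handler never has a "return everything" branch, so even a logic slip elsewhere cannot turn into a full database dump.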

These incidents highlight the importance of securing databases and protecting sensitive user data. Adopting security measures such as strong authentication and network access controls, encryption of sensitive data, multi-factor authentication, securing CI/CD pipelines, enabling comprehensive and secure logging and monitoring, and regularly scanning for vulnerabilities can help prevent such incidents.
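The process-hiding technique in item 1 works by bind-mounting some other directory over a process's own /proc/<pid> entry, so tools that read /proc see the decoy. Nothing legitimate mounts over an individual /proc/<pid> directory, which makes this easy to surface from the mount table as part of the monitoring the paragraph above recommends. The following is an added detection example, not code from the original report; it parses the documented /proc/<pid>/mountinfo format and the sample table is constructed, with a mount over /proc/1337 whose root points at a different pid.

```python
"""Flag bind mounts placed over /proc/<pid> directories by parsing the
/proc/<pid>/mountinfo format. SAMPLE_MOUNTINFO is constructed, not a capture."""
import re

# Constructed sample: line 3 is a proc mount whose root (/4242) has been
# mounted over /proc/1337, the signature of the bind-mount hiding technique.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
24 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
45 22 0:21 /4242 /proc/1337 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
46 28 0:30 / /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
47 22 0:21 /sys/kernel /proc/sys/kernel ro,nosuid,nodev,noexec,relatime shared:13 - proc proc ro
"""

# Only an exact /proc/<digits> mount point is suspicious; /proc/sys/... is not.
PROC_PID_MOUNTPOINT = re.compile(r"^/proc/(\d+)$")

def parse_mountinfo(text):
    """Parse mountinfo lines into dicts. Fields before ' - ' are fixed
    (mount id, parent id, major:minor, root, mount point, options) followed by
    optional tags; after ' - ' come fstype, source and super options."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        entries.append({
            "mount_id": int(lf[0]),
            "parent_id": int(lf[1]),
            "root": lf[3],
            # mountinfo octal-escapes spaces and similar characters in paths
            "mount_point": lf[4].replace("\\040", " "),
            "fstype": rf[0] if rf else "",
            "source": rf[1] if len(rf) > 1 else "",
        })
    return entries

def find_masked_pids(entries):
    """Return (hidden_pid, mounted_root, fstype) for every mount whose mount
    point is an individual /proc/<pid> directory."""
    findings = []
    for e in entries:
        m = PROC_PID_MOUNTPOINT.match(e["mount_point"])
        if m:
            findings.append((int(m.group(1)), e["root"], e["fstype"]))
    return findings

def scan_live(path="/proc/self/mountinfo"):
    """Run the check against the host's own mount table (Linux only)."""
    with open(path) as fh:
        return find_masked_pids(parse_mountinfo(fh.read()))

if __name__ == "__main__":
    for pid, root, fstype in find_masked_pids(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print(f"/proc/{pid} is masked by a {fstype} mount of {root}")
```

Because each mount namespace has its own table, a production check should read mountinfo for several processes (for example via /proc/<pid>/mountinfo of init and of each container's first process) rather than only the scanner's own; a mount that hides a pid in one namespace is invisible from another.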


  1. In light of the data breaches with closed-source apps, consider switching to open-source alternatives like Linux-powered devices such as Raspberry Pi, offering increased transparency and potentially stronger security measures.
  2. The finance and banking-and-insurance industries should take note, as unsecured databases pose a significant risk to personal-finance data, leading to potential data breaches.
  3. In the aftermath of the Pi-hole project's data leak and the Tea app's security failures, it's essential for businesses to invest in technology and resources for data-and-cloud-computing solutions that prioritize security.
  4. Cybersecurity professionals should be vigilant in securing open-source apps such as GiveWP and CrushFTP, since vulnerabilities, and even alleged backdoors as in the Nvidia H20 device case, can still be present.
  5. To mitigate the risks of Cross-Site Request Forgery (CSRF) and improper Cross-Origin Resource Sharing (CORS) configurations, implementing best practices for secure VPN-like access can help ensure a safe and reliable connection.
  6. Just as personal data needs to be protected on personal-finance platforms, so does sensitive corporate information residing on devices, such as the Raspberry Pi used by the cyber crime group to infiltrate banks' networks. Following data protection best practices is crucial for all industries and businesses, as data breaches can have severe financial and reputational consequences.
