Friday Five: 12/22 Edition (2018)
Facebook dinged - again - over data sharing, bypassing Gmail's two-factor authentication, and more - catch up on the week's news with this roundup!
1. How Hackers Bypass Gmail 2FA at Scale by Joseph Cox
One of the week's biggest news stories, save perhaps the New York Times exposé into Facebook's continued data privacy issues, landed Wednesday after an Amnesty International report described how hackers are side-stepping two-factor authentication to break into Gmail and Yahoo accounts at scale. "Virtually in that way they can bypass any token-based 2FA if no additional mitigations are implemented," Claudio Guarnieri, a technologist for the organization, told Motherboard, one outlet that reported the news. The report is worth reading in full, but essentially the hijack revolves around phishing pages hosted on hacked servers: the server collects the victim's phished credentials, then prompts the victim for the legitimate one-time code, with the victim none the wiser. It's the second story in the last week to detail hackers beating 2FA. Last week a story made the rounds about Iranian phishers breaking the 2FA offered by Yahoo and Gmail as well.
2. Twitter Discloses Suspected State-Sponsored Attack After Minor Data Breach by Swati Khandelwal
Twitter this week downplayed a vulnerability in its customer support forms, an API bug that apparently could have been used to determine the country code of a user's phone number and whether or not their account had been locked by the company. Twitter was fairly vague in its description of the bug: at one point it said it had informed the users it believes are affected, then said it's possible other account holders it can't identify may have been impacted as well. Part of the reason the company is being so mum may be that it believes the hack was carried out by state-sponsored actors; Twitter says it observed inquiries from IP addresses in China and Saudi Arabia. Twitter's transparency should be applauded here, especially given how simultaneously confounding and near impossible attribution can be.
3. Facebook photo API bug exposes photos of 6.8M, underscores API development issues by Teri Robinson
Twitter wasn't the only social media service to warn of an API issue this week. Facebook, technically last week, notified users that a bug affecting its photo API may have affected users who granted permission to third-party apps to access their photos. Because of the issue, those apps may have had access to photos for 12 days, between Sept. 13 and Sept. 25, Tomer Bar, an engineering director at Facebook, said last Friday. SC Media's Teri Robinson notes it's not the first big API story to make waves this year. Google said in October it'd be closing Google+ after an API bug exposed profile data, including names, email addresses, birth dates, and gender, of 500,000 users.
4. Memes posted to Twitter have been coded to talk to malware by Zaid Shoorbajee
Among the more fascinating infosec stories this week was this write-up on malware leveraging memes on Twitter to get its marching orders. According to the research, published late last week by Trend Micro, some malware the firm encountered used commands embedded in images posted to Twitter to communicate. "We found that once the malware has been executed on an infected machine, it will be able to download the malicious memes from the Twitter account to the victim's machine. It will then extract the given command," Aliakbar Zahravi, a researcher with the firm, said.
5. ICO issues final warning to care homes failing to pay data protection fee by Lee Peart
If you're a data protection officer, or an administrator who is responsible for data protection, at a nursing home - or care home, as they're known in the U.K. - your days are numbered. The Information Commissioner's Office (ICO) has reportedly begun warning care homes that haven't paid the data protection fee to pay up or be subject to a fine. Organizations that process personal data need to pay a fee, usually between £35 and £2,900. The ICO warned it would begin fining organizations back in November, when it said it would be issuing 100 notices to violators. Some of those 100 violators appear to be care homes.