Forwarded from BlackBox (Security) Archiv
Kasper-Spy: Kaspersky Anti-Virus puts users at risk
Kaspersky promises security and data protection. However, a data leak allowed third parties to spy on users while they were surfing the web. For years.
A strange discovery on my office computer led me to unearth an astonishing data leak caused by Kaspersky's antivirus software. Originally, I had installed the software in order to experience the promised added value during everyday use. We, journalists at c't magazine, regularly test antivirus software, and this was part of a test for our c't issue 3/2019.
The following weeks and months seemed to offer little excitement β the Kaspersky software worked essentially as well or as badly as Windows Defender. One day, however, I made a strange discovery. I looked at the HTML source code of an arbitrary website and came across the following line of code:
To investigate, I experimented with webbrowsers Firefox, Edge, and Opera. Again, the same line of code popped up everywhere. Since I had no suspicious browser extensions installed which could be responsible, the simple conclusion was that Kaspersky's virus protection was manipulating my traffic. Without my permission, it was injecting that code. Before that day, I had observed such behaviour only from online banking Trojans. That is malware built to manipulate bank websites, for example to secretly change the recipient of a money transfer. But what the heck was Kaspersky doing there?
My first examination of Kaspersky's script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website. This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:
I expanded my experiment and installed the Kaspersky software on other computers. Kaspersky also injected JavaScript on those other systems. However, I discovered a crucial difference: The UUID in the source address was different on each system. The IDs were persistent and did not change, even several days later. So it was clear that each computer had it's own permanently assigned ID.
ππΌ Read more:
https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html
#Kaspersky #AntiVirus #software #Spy #DataLeak
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@cRyPtHoN_INFOSEC_ES
Kaspersky promises security and data protection. However, a data leak allowed third parties to spy on users while they were surfing the web. For years.
A strange discovery on my office computer led me to unearth an astonishing data leak caused by Kaspersky's antivirus software. Originally, I had installed the software in order to experience the promised added value during everyday use. We, journalists at c't magazine, regularly test antivirus software, and this was part of a test for our c't issue 3/2019.
The following weeks and months seemed to offer little excitement β the Kaspersky software worked essentially as well or as badly as Windows Defender. One day, however, I made a strange discovery. I looked at the HTML source code of an arbitrary website and came across the following line of code:
<script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js" charset="UTF-8"></script>Obviously, an external JavaScript script named main.js was being loaded from a Kaspersky domain. This is not uncommon, since a website nowadays hardly works without external JavaScript resources. However, when I checked the HTML source of other websites displayed in my browser, I found the strange code on each and every page. Without exception, even on the website of my bank, a script from Kaspersky was introduced. So I had an inkling that the Kaspersky software might have something to do with it.
To investigate, I experimented with webbrowsers Firefox, Edge, and Opera. Again, the same line of code popped up everywhere. Since I had no suspicious browser extensions installed which could be responsible, the simple conclusion was that Kaspersky's virus protection was manipulating my traffic. Without my permission, it was injecting that code. Before that day, I had observed such behaviour only from online banking Trojans. That is malware built to manipulate bank websites, for example to secretly change the recipient of a money transfer. But what the heck was Kaspersky doing there?
My first examination of Kaspersky's script main.js showed me that, among other things, it displays green icons with Google search results if Kaspersky believes the relevant link to lead to a clean website. This could have been the end of my analysis, but there was this one small detail: The address from which the Kaspersky script was loaded contained a suspicious string:
https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.jsThe part marked bold has a characteristic pattern. The structure matches a so-called Universally Unique Identifier (UUID). These IDs are used to make things, well, uniquely identifiable. But who or what can be identified using the Kaspersky ID?
I expanded my experiment and installed the Kaspersky software on other computers. Kaspersky also injected JavaScript on those other systems. However, I discovered a crucial difference: The UUID in the source address was different on each system. The IDs were persistent and did not change, even several days later. So it was clear that each computer had it's own permanently assigned ID.
ππΌ Read more:
https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html
#Kaspersky #AntiVirus #software #Spy #DataLeak
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@cRyPtHoN_INFOSEC_ES
https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/
#deletefacebook #security #phonenumbers #dataleak #facebook
#deletefacebook #security #phonenumbers #dataleak #facebook
TechCrunch
A huge database of Facebook usersβ phone numbers found online
Hundreds of millions of phone numbers linked to Facebook accounts have been found online. The exposed server contained more than 419 million records over
Forwarded from BlackBox (Security) Archiv
Spyware company leaves private customer data on the internet
A manufacturer of consumer spyware marketed to parents and partners has published incredibly intimate user data on a server freely accessible over the Internet. Freely available for all to see and hear: photos of children, school report cards, call recordings. The companies responsible for the stalkerware are largely indifferent to what happens with the data.
A child, maybe six or seven, picks his nose with both fingers and makes silly faces for the camera. In the next picture he is eating a banana. Then we see a photo of a school report card, picture taken from a computer screen. It shows the childβs full name and the current grades in English and biology.
What looks like the digital photo album of a normal family has been freely available on the internet for more than a year β without the knowledge of the people concerned. A company that sells stalkerware β software for the secret surveillance of children and partners β has published these pictures and hundreds of intimate call recordings on the internet.
The photos not only show the child and his parents, their apartment, their bedroom, but also connect these to personal data such as names, e-mail addresses or medication prescriptions. The data has been on a server since April 2018 β without a password or other protection, freely available ot anyone with an internet connection.
For people βwho are tired of being lied toβ
Responsible for this privacy disaster is a company called Spyapp247. It sells an app that allows you to spy on what another person is doing on their phone. The Android app records phone calls, chat messages, browser history, photos, allows access to the address book and tracks location data β without the affected person noticing. According to the manufacturer, even the microphone can be switched on remotely: The telephone becomes a bug.
Spyapp247 markets the app on its website to people βwho are tired of being lied to and cheated on,β meaning: who want to spy on a partner. Civil rights organizations therefore call such apps stalkerware. But the company also advertises its apps as a tool for cautious parents to recognize βdangers to your children before they ever happen.β
Spyware manufacturer not reacting
It is hard to tell who installed the app in this case, and for what purpose, but it is likely that the data was obtained without the consent of the person targeted. In order to install the app, a person must have physical access to the device for at least a few minutes. Once the app is on the phone, it can collect all kinds of information in the background. The data is uploaded to a server and presented to the operator in a browser window.
ππΌ Read more:
https://netzpolitik.org/2019/spyware-company-leaves-private-customer-data-on-the-internet/
#spyware #Spyapp247 #stalkerware #dataprotection #dataleak #userdata #surveillance #why
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@cRyPtHoN_INFOSEC_ES
A manufacturer of consumer spyware marketed to parents and partners has published incredibly intimate user data on a server freely accessible over the Internet. Freely available for all to see and hear: photos of children, school report cards, call recordings. The companies responsible for the stalkerware are largely indifferent to what happens with the data.
A child, maybe six or seven, picks his nose with both fingers and makes silly faces for the camera. In the next picture he is eating a banana. Then we see a photo of a school report card, picture taken from a computer screen. It shows the childβs full name and the current grades in English and biology.
What looks like the digital photo album of a normal family has been freely available on the internet for more than a year β without the knowledge of the people concerned. A company that sells stalkerware β software for the secret surveillance of children and partners β has published these pictures and hundreds of intimate call recordings on the internet.
The photos not only show the child and his parents, their apartment, their bedroom, but also connect these to personal data such as names, e-mail addresses or medication prescriptions. The data has been on a server since April 2018 β without a password or other protection, freely available ot anyone with an internet connection.
For people βwho are tired of being lied toβ
Responsible for this privacy disaster is a company called Spyapp247. It sells an app that allows you to spy on what another person is doing on their phone. The Android app records phone calls, chat messages, browser history, photos, allows access to the address book and tracks location data β without the affected person noticing. According to the manufacturer, even the microphone can be switched on remotely: The telephone becomes a bug.
Spyapp247 markets the app on its website to people βwho are tired of being lied to and cheated on,β meaning: who want to spy on a partner. Civil rights organizations therefore call such apps stalkerware. But the company also advertises its apps as a tool for cautious parents to recognize βdangers to your children before they ever happen.β
Spyware manufacturer not reacting
It is hard to tell who installed the app in this case, and for what purpose, but it is likely that the data was obtained without the consent of the person targeted. In order to install the app, a person must have physical access to the device for at least a few minutes. Once the app is on the phone, it can collect all kinds of information in the background. The data is uploaded to a server and presented to the operator in a browser window.
ππΌ Read more:
https://netzpolitik.org/2019/spyware-company-leaves-private-customer-data-on-the-internet/
#spyware #Spyapp247 #stalkerware #dataprotection #dataleak #userdata #surveillance #why
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@cRyPtHoN_INFOSEC_ES
Forwarded from BlackBox (Security) Archiv
Major German shopping site leaks customer data
A publicly-listed multinational retailer with millions of dollars in annual revenues was discovered to be operating a completely unsecured server, thereby publicly exposing private data belonging to around 700,000 of its customers.
Our Security team, led by Anurag Sen, discovered a vulnerable and unsecured server containing more than 6 terabytes of data operated by German company windeln.de.
Our team detected the breach on 13 June 2020 and estimates that the server vulnerability was exposed on the Internet on 11 June 2020.
The ElasticSearch server and its vulnerability were discovered during a routine check of IP addresses on particular ports. Our team found that the server was completely unsecured and publicly exposed without a password β meaning that anyone in possession of the serverβs IP address could access the entire database.
We tried to reach out to Windeln.de, but nobody ever got back to us. We then contacted the German CERT, so they could inform the company about the data leak. A few days later, the server got secured.
π ππΌ https://www.safetydetectives.com/blog/windeln-leak-report/
#windeln #germany #vulnerability #leak #data #dataleak #customers
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@BlackBox_Archiv
π‘@NoGoolag
A publicly-listed multinational retailer with millions of dollars in annual revenues was discovered to be operating a completely unsecured server, thereby publicly exposing private data belonging to around 700,000 of its customers.
Our Security team, led by Anurag Sen, discovered a vulnerable and unsecured server containing more than 6 terabytes of data operated by German company windeln.de.
Our team detected the breach on 13 June 2020 and estimates that the server vulnerability was exposed on the Internet on 11 June 2020.
The ElasticSearch server and its vulnerability were discovered during a routine check of IP addresses on particular ports. Our team found that the server was completely unsecured and publicly exposed without a password β meaning that anyone in possession of the serverβs IP address could access the entire database.
We tried to reach out to Windeln.de, but nobody ever got back to us. We then contacted the German CERT, so they could inform the company about the data leak. A few days later, the server got secured.
π ππΌ https://www.safetydetectives.com/blog/windeln-leak-report/
#windeln #germany #vulnerability #leak #data #dataleak #customers
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@BlackBox_Archiv
π‘@NoGoolag
SafetyDetectives
Major German shopping site leaks customer data
A publicly-listed multinational retailer with millions of dollars in annual revenues was discovered to be operating a completely unsecured server, thereby publi