This Week in Security: HaveIBeenPwned And Facebook Attack Their Customers

We’re fans of haveibeenpwned.com around here, but a weird story came across my proverbial desk this week — [Troy Hunt] wrote a malicious SQL injection into one of their emails! That attack string was a simple ';--

Wait, doesn’t that look familiar? You remember the header on the haveibeenpwned web page? Yeah, it’s ';--have i been pwned?. It’s a clever in-joke about SQL injection that’s part of the company’s brand. An automated announcement was sent out to a company that happened to use the GLPI service desk software. That company, which shall not be named for reasons that are about to become obvious, was running a slightly out-of-date install of GLPI. That email generated an automated support ticket, which started out with the magic collection of symbols. When a tech self-assigned the ticket, the SQL injection bug was triggered, and their entire ticket database was wiped out. The story ends happily, thanks to a good backup, and the company learned a valuable lesson.

So apparently a @haveibeenpwned email wiped an entire ticketing system due to the SQL injection pattern I put in the contents of it https://t.co/orhcCA05RO

— Troy Hunt (@troyhunt) June 3, 2020

When the Ransomware Decryptor is More Malware

We’ve seen a few instances of decryptor programs being released for ransomware malware. In some cases, the ransomware author made a blunder in their crypto, and in others, the decryption keys get released. Once the keys (or flaw) are known, security researchers often put together an automated decryption program.

The bad guys want to keep you from running them. In extreme contrast to a true decryptor, some men just want to watch the world burn. Using the name Zorab, this piece of malware claims to be a decryptor, but actually just adds a second layer of encryption. Touche, for now.

Docker Images

I’ve always been a bit skittish about Docker images, particularly those published by an untrusted third party. It seems that caution was warranted, at least according to a new report on the security of Docker images (pdf). Most of the results are as one would expect: Official images are more secure, Javascript and Python are the languages where most vulnerabilities pop up, and Python2 packages are the most problematic.

In related news, there is a new vulnerability scanner specifically for Docker images.

Facebook, a Hack, and a Predator

Modern security and privacy tools like Tor and the Tails distribution are amazing and potentially extremely useful. Journalists, protesters, and even whistleblowers find legitimate use for the tool set. However, Every once in a while a story forces us to look straight into the ugly face of the dark side of the net. In this case, it’s a predator that used Tor to stalk and harass teenage girls on Facebook, and extort compromising photographs out of them.

The reason we’re talking about this case is that Facebook went to the extreme of hiring a security firm to develop an exploit specifically for their anonymous stalker. They found a zero-day in the Tails video player, and developed a full de-anonymyzing attack. Facebook then handed the attack over to the FBI, who used it to finally catch Buster Hernandez.

It’s still unknown what the zero-day exploit was precisely, as disclosure never happened. Apparently the flaw was eventually removed from Tails through the process of normal updates, and never publicly identified as a vulnerability. It’s not entirely clear how long the FBI was in possession of the tool before the flaw was patched. It’s reasonable to suspect that it was used in other cases, though it’s not likely we’ll find out any time soon.

Was Facebook right to go to such extreme lengths to help capture a criminal who was abusing their platform? As a business decision, it was critical that they not allow that sort of activity to continue unchecked. Cooperating in hacking one of their users, though, is quite a blow to the trust their users have in the platform. I’m curious what our readers think about Facebook’s decision here.

Netgear

Have a need to compromise a Netgear device? The guys at GRIMM have your back. They just published a writeup on a buffer overflow in the Netgear HTTP service that runs on many of their SOHO devices. 28 devices, in fact.

This specific flaw was also independently discovered by [d4rkn3ss] and reported by the Zero Day Initiative.

The overflow is exploitable before user authentication, so this is a potentially nasty, wormable problem. It should go without saying, but don’t expose your router’s HTTP service to the internet.

Errata

Last week we covered an oddball hack using cmd.exe and relative paths to run commands. I forgot to credit [Julian Horoszkiewicz] for finding the hack in the first place.