Hey all,
Here are this week’s cyber updates.
(1) I’m pretty sure most of you are aware of Google Chrome’s (as well as other browsers’) autofill feature. This feature allows Chrome to automatically fill your personal information into websites in order to speed up registration processes.
What most of you don’t know is that fields hidden from view are auto-filled as well, and thus submitted to the website’s owner. This allows the website to collect personal information without the user’s consent.
Here is a link to a PoC website: https://anttiviljami.github.io/browser-autofill-phishing/
If you didn’t understand this one, please let me know and I’ll send you a link to another website, with an example of stealing your credit card info :)
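As an added illustration (not from the newsletter or the linked PoC), here is a small Node.js script that audits a page’s HTML for the pattern described above: inputs that carry personal-data hints in their autocomplete or name attributes but are hidden by inline CSS, so the user never sees what the browser fills in. The sample HTML, the hint list and the style heuristics are my own constructed assumptions; a real browser extension would use getComputedStyle() and offsetParent instead of parsing inline styles.

```javascript
// Added example (not the newsletter's or the PoC's code): offline auditor that
// flags form inputs which look like autofill targets but are invisible to the user.

// Substrings in autocomplete/name/id that suggest personal data (assumed list).
const PERSONAL_DATA_HINTS = [
  'name', 'email', 'tel', 'phone', 'address', 'street', 'postal', 'zip',
  'city', 'country', 'organization', 'cc-', 'card', 'cvc', 'birthday',
];

// Parses the attributes of a single <input ...> tag into a plain object.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:-][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Inline-style heuristics for "in the DOM but not visible": display:none,
// visibility:hidden, fully transparent, pushed far off-screen, or zero-sized.
function isHiddenByStyle(style) {
  const s = (style || '').toLowerCase().replace(/\s+/g, '');
  return /display:none/.test(s)
    || /visibility:hidden/.test(s)
    || /opacity:0(?![.\d])/.test(s)
    || /(left|top):-\d{3,}px/.test(s)
    || /(width|height):0(px)?(;|$)/.test(s);
}

// True when the field's autocomplete, name or id hints at personal data.
function looksLikeAutofillTarget(attrs) {
  const hint = `${attrs.autocomplete || ''} ${attrs.name || ''} ${attrs.id || ''}`.toLowerCase();
  return PERSONAL_DATA_HINTS.some((h) => hint.includes(h));
}

// Returns one finding per <input> that is both an autofill target and hidden.
// type="hidden" inputs are skipped: browsers do not autofill those; the risky
// ones are ordinary text inputs concealed with CSS.
function findHiddenAutofillFields(html) {
  const findings = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    if ((attrs.type || 'text').toLowerCase() === 'hidden') continue;
    if (looksLikeAutofillTarget(attrs) && isHiddenByStyle(attrs.style)) {
      findings.push({
        name: attrs.name || attrs.id || '(unnamed)',
        autocomplete: attrs.autocomplete || '',
        style: attrs.style,
      });
    }
  }
  return findings;
}

// Constructed sample page: two visible fields, three concealed ones, one
// genuine type="hidden" CSRF token that should not be reported.
const SAMPLE_PAGE = `
<form action="/subscribe" method="post">
  <input type="text" name="nickname" autocomplete="nickname" placeholder="Nickname">
  <input type="email" name="email" autocomplete="email" placeholder="Email">
  <input type="text" name="phone" autocomplete="tel" style="display: none">
  <input type="text" name="address" autocomplete="street-address" style="position:absolute; left:-9999px">
  <input type="text" name="cc-number" autocomplete="cc-number" style="opacity: 0; height: 0">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="submit" value="Subscribe">
</form>`;

for (const f of findHiddenAutofillFields(SAMPLE_PAGE)) {
  console.log(`hidden autofill target: ${f.name} (autocomplete=${f.autocomplete}) style="${f.style}"`);
}
```

Run it with `node` and it reports the phone, address and card-number fields while leaving the visible fields and the CSRF token alone; the same logic, run over the live DOM with computed styles, makes a reasonable pre-submit check for a privacy-minded extension.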
(2) Cellebrite, the Israel-based company that allegedly helped the FBI to hack the iPhone, was hacked. The my.Cellebrite database has been hacked, allowing the hackers to extract over 900GB of customers’ data.
Here are all the details: http://www.cellebrite.com/Mobile-Forensics/News-Events/Press-Releases/cellebrite-statement-on-information-security-breach
(3) The Brazilian government has accidentally tweeted a link to a Google Drive Excel spreadsheet, which contained a list of plain-text passwords for social media accounts (Facebook, Gmail, Twitter, Instagram and more). It appears that the tweet accidentally contained a copy-pasted link to the spreadsheet instead of the intended URL.
They really should be more careful with their tweets, but more than that, I couldn’t help but wonder why they didn’t enforce any permissions on Google Drive…
Here are all the details: https://www.hackread.com/brazilian-govt-twitter-posts-social-media-passwords/
Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit