The weekly roundup of security news this week includes vulnerabilities in Android, malware, and once again data breaches including the Huazhu hotel chain, Air Canada, and babysitter app Sitter.
Flaw allows millions of Android devices to be tracked
A new vulnerability, CVE-2018-9489, has been identified in all Android devices. The flaw allows hackers to track users through the interception of Wi-Fi network names, BSSID, local IP addresses, DNS server data, MAC addresses, and more. The cybersecurity firm that discovered the flaw reported it to Google back in March. The company developed a fix for it in July, and developed a patch which it is rolling out to all users throughout the fall. The flaw has already been fixed in all devices using Pie, the newest Android operating system.
Exploit Kit allows browser sessions to be attacked
The RIG Exploit Kit is distributing malware called CEIDPageLock which can not only monitor browsing sessions but also redirect pages. The malware was discovered as it was tampering with a user’s browser, attempting to change the home page. The malicious program also sends user info back to the C&C, stealing login credentials and account info as the victim browses online. CEIDPageLock is currently only targeting Windows systems and seems to be focused in China, where there have been thousands of infections reported. So far, only 40 cases have been seen in the US.
Hotel data breach numbers reach new height
Shanghai police are investigating the matter of 500 million pieces of data for sale on the darknet. The data is purported to come from as many as 130 million guests who have stayed at the Huazhu chain hotels, and the information is said to include ID card details and guest registration data. Authorities suspect it was an inside job, perpetrated by a company employee posting the database on GitHub. When final numbers are confirmed, this could become the largest data breach yet involving a hotel chain.
Air Canada data breach takes flight
A data breach on its mobile app may have affected up to 20,000 Air Canada users, the airline has reported. Alerted to unusual login behavior between August 22 and August 24, the company learned their users’ basic profile data — names, contact info, and any extra data users may have added themselves, such as passport numbers — may have been accessed by a third party. The airline has sent emails to users who may have been infected, and has posted an official statement on their website.
Part of the email Air Canada has sent potential victims of the data breach.
More data breaches, more companies hacked
Two other breaches have been reported recently, both involving the MongoDB platform. The same researcher discovered both. One of the data breaches was a 142GB database filled with over 200,000 files, including user details and company documents for the “content intelligence solutions provider” ABBYY. The researcher found the database online without any protections on it.
The other breach also concerned an unprotected database online using MongoDB. The researcher found 93,000 customer records for the babysitting app Sitter. The records contained explicitly personal information as well as transaction details, including partial credit card numbers. Sitter has since said it has patched the vulnerability.
Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.