Another Facebook flaw puts user data at risk

The media is abuzz this week with news about Facebook falling victim to yet another vulnerability that could have exposed very sensitive, private user data.   

According to Ron Masas, the security researcher who discovered the flaw, it could have let any website gather information from a Facebook user’s profile while they were logged in to the site, including data on their personal “likes” and interests.

Masas found the vulnerability was related to Facebook’s search system, saying “I browsed Facebook's online search results, and in their HTML noticed that each result contained an iframe element — probably used for Facebook's own internal tracking.”

The flaw allowed information to cross over domains. If an attacker tricked an active Facebook user into opening a malicious site, once the user clicked anywhere within that site, the security flaw would launch a tab giving the hacker access to Facebook search queries. Searches could return simple “yes” or “no” responses, or could deliver more complex results, like lists of a user’s friends with a certain name, or more personal data like the names of all friends residing in a particular city.

“Software bugs happen,” says Luis Corrons, Avast Security Evangelist. “In this case, the good news is, the flaw was discovered and Facebook quickly fixed it, avoiding user data being compromised. But, this situation is another reminder for all of us that data housed outside of our control — such as on social networks or clouds — is susceptible to compromise.”

Imperva contacted Facebook to make them aware of the findings in May of this year. The social media giant reportedly fixed the flaw soon thereafter. Imperva only reported on the flaw publicly on Tuesday morning this week.

WordPress GDPR plugin flaw leaves websites open to hackers  

WordPress, the most popular, open-source website creation tool in the world, has reportedly been violated by cybercriminals that have been actively working to compromise user sites.

The vulnerability was found in the WP GDPR Compliance plugin that helps websites maintain compliance with Europe’s General Data Protection Regulation (aka GDPR). The plugin displays a checkbox on a WordPress site allowing visitors to opt-in on the use of their personal data, or request copies of the data the site collects about them.

The plugin vulnerability enables hackers to employ bots that are able to register administrative accounts, once a site is compromised. As an administrative-level user, the hacker then owns the controls to the WordPress site and can take any action they want, such as setting up separate rogue webpages.

Wordfence, the WordPress security firm that discovered the flaw, said they couldn’t determine the intention for this attack, but speculated the attackers may be collecting websites for future nefarious activities.

“It’s possible that these attackers are stockpiling infected hosts to be packaged and sold wholesale to another actor who has their own intentions,” Wordfence researchers said. “There’s also the chance that these attackers do have their own goals in mind, but haven’t launched that phase of the attack yet.”  

To avoid further issues, it is recommended that WordPress users immediately install the newest version of the WP GDPR Compliance plugin.

“The irony in this case is obvious,” added Corrons. “Yet, it makes sense from the attackers’ point of view. WordPress is used worldwide, and GDPR is a concern for all website owners who manage customer data. The ability for hackers to compromise this plugin could provide them access to thousands of websites effortlessly.”

Nordstrom data breach seeks a different type of information

In another cyber attack targeted at the retail industry, a report was released this week saying the data of more than 75 thousand Nordstrom employees has been exposed to cybercriminals. Unlike the most common breaches that are focused on obtaining customer data, this one was different, leaving employees vulnerable.

The story, which was first reported by The Seattle Times, said that employee information including names, dates of birth, bank accounts, social security numbers, salaries, and other important personal data was exploited.

A statement from Nordstrom said the breach resulted from a contract worker who “improperly handled some Nordstrom employee data,” but that “customer data was not impacted.”

Soon after the breach took place on October 9th, Nordstrom employees received an email notification that informed them of the security incident. The company is being commended for its quick response time and public acknowledgment.  

Report says Magecart is expanding to steal even more credit card data

The term Magecart has evolved, since it was first used to describe malware deployed by a single group of hackers, into something more significant.  An in-depth new report from RiskIQ and Flashpoint outlines why.  

Over the last few years, cyberattacks focused on obtaining consumer credit card information and selling it for profit on the dark web have become more and more common, with some of the most recent targets being established companies like Newegg and British Airways.

The report describes the updated term “Magecart” as a larger group of at least seven hacking groups that are inspired by the first Magecart malware campaign. These groups are now working to deploy attacks in a similar fashion, hoping to replicate its success.

RiskIQ threat researcher, Yonathan Klijnsma, believes the groups are operating with differing operations and targets, describing Magecart as a “thriving criminal underworld that has operated in the shadows for years.”

It is estimated that at least 6,400 sites have been negatively impacted by Magecart activities thus far, with more to come.

Klijnsma acknowledged the new research is an important step in the right direction, helping to uncover the ways Magecart groups work, but admitted it “doesn’t mean we will be able to spot every instance and every attack.”

He believes joining forces across the industry by sharing information on potential Magecart attacks will be critical in the effort to stop them.  

Protecting proprietary customer or company information, through a layered security approach, can be a good way to catch these types of attacks, regardless of where or how they are initiated.  

Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.

Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.