Emails from Uber may not have been from Uber

Plus, U.S. State Department iPhones hacked and Apple HomeKit bug goes unfixed

Uber has finally fixed a vulnerability that allowed bad actors to send emails from Uber’s official email account, but the fix comes seven years after the bug was first reported. Over the years, several researchers have reported the easy-to-exploit vulnerability to Uber – one as early as 2015 – but the rideshare company did not patch the problem until this week. “Uber has a bug bounty program with 1,790 reports resolved,” commented Luis Corrons, Avast Security Evangelist, “so this is not a case of the company not taking care of security, but a human mistake handling the reports of this specific bug. In any case, please remember never to insert any kind of personal data in any link that comes from an email.” It’s not known if the bug was ever exploited, but anyone who has shared personal information in response to an email from Uber over the past seven years is well-advised to change their passwords. For more on this story, see Threatpost.

NSO tool used to hack U.S. State Department iPhones

An unknown assailant attacked at least nine U.S. State Department employees’ iPhones using spyware created by Israeli-based NSO Group, according to Reuters. Each of the attacked officials had something to do with Uganda – they were either based there or otherwise focused on the East African country. NSO reported, however, that there had been no indication any of its tools were used. The company said that it would nevertheless cancel access for the relevant customers and begin an investigation. Senator Ron Wyden commented, “Companies that enable their customers to hack U.S. government employees are a threat to America’s national security and should be treated as such.”

Secure your QNAP NAS now

QNAP Systems, Inc. issued a product security statement warning users that ransomware and brute-force attacks have been widely targeting all QNAP NAS smart storage devices exposed to the internet without any protection. Users can see if their NAS (network attached storage) is exposed to the internet by checking the NAS Security Counselor dashboard. If the NAS is exposed to the internet, users can strengthen the security by disabling first the Port Forwarding function of the router, and then the UPnP function. For more specific instructions, see QNAP Product Security News.

WordPress 5.8.3 fixes 4 flaws

The WordPress team released version 5.8.3 this week, which fixes three flaws rated high severity and one rated medium severity. While all of the flaws have prerequisites for exploitation, any site using WordPress 5.8.2 or older is vulnerable. The three high severity flaws include SQL injection via WP_Query, an XSS vulnerability that adds a backdoor, and an SQL injection via WP_Meta_Query core class. The medium severity flaw fixed by the update is an object injection issue. There have been no reports that any of the vulnerabilities have yet been exploited. For more on this story, see Bleeping Computer

Apple HomeKit bug sends devices into crash spiral

In August 2021, a researcher reported a bug to Apple that could send iPhones and iPads into crash spirals, but the company still has not created an effective fix. The bug is exploited through HomeKit, an Apple feature that allows users to control home features with their phone. First the attacker must give its network an extraordinarily long name, about 500,000 characters. Then they share that network with another device. If the other device accepts, it will be sent into a malfunctioning spiral that ends in complete unresponsiveness. The user’s only option at that point is a factory reset of the device. For more on this story, see Ars Technica

This week’s ‘must-read’ on The Avast Blog

It’s always wise to use a critical eye whenever someone reaches out to you online. By taking your time and carrying out due diligence, you should be able to safely help out your loved ones and avoid being scammed.

--> -->