Also, State Department iPhones Hacked, Apple HomeKit Vulnerability Unfixed
Uber has finally fixed a bug that allowed bad actors to send emails from Uber’s official email account, but the fix comes seven years after the bug was first reported. Over the years, several researchers have reported easy-to-exploit flaws in Uber (one as far back as 2015), but the ride-sharing company didn’t fix this one until this week. “Uber has a bug bounty program that addresses 1,790 reports,” commented Avast security evangelist Luis Corrons, “so it’s not a case of the company not paying attention to security, but human error in handling this particular bug report. In any case, please remember to never insert any kind of personal data in any link from an email.” It’s unclear whether the vulnerability was ever exploited, but anyone who has shared personal information in response to Uber’s emails over the past seven years is advised to change their passwords. For more on this story, see Threatpost.
NSO tool used to hack US State Department iPhones
An unidentified attacker used spyware created by Israel’s NSO Group to attack the iPhones of at least nine U.S. State Department employees, according to Israel’s National Bureau of Statistics, as reported by Reuters. Every employee attacked was associated with Uganda: they were either stationed there or focused on the East African country. NSO said there was no indication that any of its tools were used. The company said it would revoke access for the customers in question and start an investigation. Senator Ron Wyden commented, “Companies that allow their clients to hack into U.S. government employees are a threat to U.S. national security and should be treated the same.”
Protect your QNAP NAS now
QNAP Systems, Inc. has issued a product security statement warning users that ransomware and brute-force attacks are widely targeting QNAP NAS storage devices exposed to the Internet without any protection. Users can see whether their NAS (Network Attached Storage) is exposed to the Internet by checking the NAS Security Counselor dashboard. If the NAS is exposed, users can improve its security by first disabling the router’s port forwarding function and then disabling the UPnP function. For more specific instructions, see QNAP Product Security News.
WordPress 5.8.3 fixes 4 bugs
The WordPress team released version 5.8.3 this week, fixing three high-severity and one medium-severity bugs. While all of the vulnerabilities have prerequisites for exploitation, any website running WordPress 5.8.2 or earlier is vulnerable. The three high-severity vulnerabilities are a SQL injection via WP_Query, a stored XSS vulnerability that could be used to add a backdoor, and a SQL injection via the WP_Meta_Query core class. The medium-severity defect fixed by the update is an object injection issue. There are no reports that any of the vulnerabilities have been exploited. For more on this story, see BleepingComputer.
Apple HomeKit bug sends device into crash spiral
In August 2021, a researcher reported a bug to Apple that could send iPhones and iPads into a crash spiral, but the company has yet to ship an effective fix. The vulnerability is triggered through HomeKit, the Apple feature that allows users to control home functions from their phone. First, an attacker gives their network a very long name, around 500,000 characters. Then they share that network with another device. If the other device accepts it, it is sent into a crash spiral and eventually becomes completely unresponsive. The user’s only option at this point is a factory reset of the device. For more on this story, see Ars Technica.
This Week’s “Must Reads” on the Avast Blog
It’s always wise to use a critical eye whenever someone contacts you online. By taking the time to do your due diligence, you should be able to help your loved ones safely and avoid being scammed.