Take a look
- Twitter issues mea culpa for the misuse of user security data.
- The Smart Jacuzzi bug could allow attackers to dive into user data.
- Halfords tires lose more than air.
Twitter issues mea culpa for the misuse of user security data.
Social media giant Twitter issued an apology on Wednesday for using the account’s security data for targeted advertising. According to a complaint filed by the US Department of Justice and the Federal Trade Commission (FTC), between May 2013 and September 2019, Twitter asked users to provide a phone number or email address to authenticate their accounts, but Twitter was also using the contact information. to serve users targeted ads “that made Twitter rich by the millions.” The Recorded Future Record ExplainThe complaint alleged that the company violated a previous order “by collecting personal information from customers for the stated purpose of security and then exploiting it commercially.”
Twitter also violated the EU-US Privacy Shield agreements. and the Swiss-US Privacy Shield. UU., Which require that companies “follow certain privacy principles to legally transfer data from the EU countries and Switzerland”. FTC Chair Lina Khan explains: “This practice affected more than 140 million Twitter users, while fueling Twitter’s main source of revenue.” To settle the complaint, Twitter agreed in May to pay a $150 million fine and notify users that it had misused security data. The company’s apology was pinned to the top of users’ timelines, saying, “We’re so sorry this happened.” The FTC has also prohibited Twitter from profiting from “deceptively collected data” and requires the company to provide alternative methods of two-factor authentication, as well as implement a comprehensive privacy and information security program.
The Smart Jacuzzi bug could allow attackers to dive into user data.
Proving that perhaps not every device in the home needs to be a smart device, a security researcher has discovered that Jacuzzi’s SmartTub line of hot tubs has several security vulnerabilities. Researcher EatonWorks first spotted the issue while trying to log in to the SmartTub site, which allows users to control tub settings from a phone or SmartHome hub. Eaton noticed that, for a split second, an administration panel with user data appeared on his user login screen. Deciding to dig deeper, Eaton was able to use a program called Fiddler to modify the site’s code and convince the site that he was an administrator, giving him access to data on Jacuzzi users from around the world. The investigator saying Vice, “Once in the admin panel, the amount of data I was allowed was staggering. I could see the details of each spa, see its owner, and even delete its ownership.” Eaton contacted Jacuzzi about the bug in December, and eventually Auth0, the third party that handled the SmartTub software login front, fixed the vulnerabilities in the login page.
Chris Hauk, consumer privacy champion at Pixel Privacy, sees this as an instance of the IoT threat to privacy. “This appears to be a common affliction for users of Internet of Things devices such as smart hot tubs, lighting, smart home appliances, security cameras, and more. Typically, such vulnerabilities are related to the use of weak or non-existent passwords. However, in this case, the developers are at fault for leaving a security hole that could have allowed hackers to access user data and, in some cases, control a user’s bathtub remotely. This underscores how users should be careful about how much personal information they should disclose to any IoT company or any other organization, for that matter.”
Erfan Shadabi, cybersecurity expert at data security specialists at Comforte AG, while aware of the ridiculous aspects of the problem, points out that the risk cannot be laughed at. “As absurd as this breach may seem, it shows that every organization that collects data (and who doesn’t these days) is a potential target for threat actors. Data is the lifeblood of any organization and the approach of threat actors is to get their hands on any sensitive information that they can profit from. What is the solution? Protect the data itself. Data-centric security methods like tokenization and format-preserving encryption replace sensitive data with benign proxy information, so even if it falls into the wrong hands, threat actors can’t exploit it for financial gain or malicious purposes.
Roger Grimes, data-driven defense evangelist at KnowBe4, suggests that the big problem is the difficulty the bug hunter had in getting the vendor to address the issue:
“This was something of a standard IoT hack and we can expect hundreds of thousands of them in the next decade. The latest issue was a poorly secured admin console website where admin credentials could be bypassed. This is a very, very common type of vulnerability and if the website had been subject to any kind of security code review or penetration test, it would have been detected and could have been remediated before people’s data was compromised. .
“The saddest and most worrying thing was the time it took for this well-intentioned bug-finder to resolve the bug by the vendor involved. He contacts them over and over again, lags behind, ignores it and tries again. It shouldn’t be so Difficult for a bug tracker to report a bug and have the vendor acknowledge the bug, thank and reward the bug tracker, and have the bug fixed.The vendor here compounds the original vulnerability with a poor response to the bug report. The latter bothers me more than the former. There are always going to be bugs. What matters most in the long run is how the provider responds when they are reported.
“At this point, I have no faith that the vendor has learned a necessary lesson on how to better respond to bugs. Will the next bug found take that long to resolve?”
Grimes’ colleague at KnowBe4, security awareness advocate James McQuiggan, commented that IoT issues still tend to get overlooked:
“IoT (Internet of Things) and security don’t always seem to be at the forefront of most organizations’ priorities until a data breach is due to the product being compromised. After this, the effort to secure it becomes a high-level focus and the necessary security features are either ignored or added to the product. Budgets are approved, resources are delivered and the company works to provide a safe product. The race to get a product to market always seems more critical than properly securing the IoT device from the start.
“IoT developers want to develop products to ensure they are not shipped with default passwords and require users to change default settings on first use. Using a secure development life cycle (SDLC) where the security department of information is instilled early on and making it a development gate can ensure a more secure product Proper security features have been shown to reduce IoT device risk and compromise.”
Halfords tires lose more than air.
Register reports that Halfords, the UK’s leading provider of vehicle products and services, was found to be exposing customer data through its appointment confirmation process. Cybersecurity consultant Chris Hatton noted that while scheduling a tire replacement appointment, he received a confirmation email that contained a link that gave him access to private details about his reservation, including his phone number, car and address. Hatton also found that the same private data could be retrieved using only a Halfords-issued client ID. Hatton explains: “Through order identification, it seems likely that hundreds of thousands (if not millions) of different orders can be found, each containing [personally identifiable information].” Hatton attempted to disclose the issue to Halfords, but received no response. When contacted by the Registry, Halfords replied, “In this case, we were made aware of a possible vulnerability in one of our customer support systems. No bank or payment details have been at risk. We have removed the vulnerability and will implement an immediate review of our detection protocols to help ensure this does not happen again.”