The cyberattackers allegedly stole information from US campaign officials only to turn around and weaponize it against unfavored candidates.

Source: Hakan Gider via Alamy Stock Photo

The US Justice Department has announced charges against three members of Iran's Islamic Revolutionary Guard Corps (IRGC).

The individuals — known as Masoud Jalili, 36; Seyyed Ali Aghamiri, 34; and Yaser Balaghi, 37 — are accused of running a cyber campaign targeting the upcoming US presidential election, and conducting hacks against political campaigns, current and former US officials, nongovernmental organizations, and members of the media. They have been charged with conspiracy to commit identity theft, aggravated identity theft, unauthorized access to computers, access device fraud, and wire fraud.

The activity, according to a DoJ press release, "was part of Iran's continuing efforts to stoke discord, erode confidence in the US electoral process, and unlawfully acquire information relating to current and former US officials that could be used to advance the malign activities of the IRGC," including retribution on behalf of the death of former commander of the IRGC-Qods Force, Qasem Soleimani.

The DoJ alleges the attackers focused on compromising accounts of former US government officials for several years for shifting their focus and targeting campaign officials in May, using their access to campaign accounts to steal information, non-public campaign documents, and emails.

The attackers then broadened their operation, engaging in a "hack-and-leak" operation to weaponize stolen materials from a US presidential campaign in order to undermine certain candidates, according to the announcement.

"The conduct laid out in the indictment is just the latest example of Iran's brazen behavior," said FBI Director Christopher Wray. "So today the FBI would like to send a message to the government of Iran — you and your hackers can't hide behind your keyboards."

In tandem, the DoJ and the Department of State issued a reward of up to $10 million through the Rewards for Justice Program for information leading to the identification or location of any foreign person or entity engaging in interference in US elections.

**Spear-Phishing for Malicious Opportunities**

The indictments come on the heels of a joint warning with the UK's National Cyber Security Centre of continued malicious cyberactivity by threat actors working on behalf of the Iranian government, especially in the realm of spear-phishing.

Potential targets include current and former senior government or political officials, journalists, activists, and lobbyists, among others, which have been hit with social engineering messages tailored to the individual. The threat actors may impersonate family members or professional contacts to trick their victims; and heir lures could be a request for an interview, a public speaking event, or generally offering an opportunity to discuss policy.

"The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials," the advisory stated. "Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors."

It's recommended that individuals who think they may be targeted be suspicious of unsolicited contact from any individual they do not know personally, unsolicited requests to share files, or attempts to share links.

DoJ Charges 3 Iranian Hackers in Political 'Hack &amp; Leak' Campaign

NOYB, a European privacy group has filed a complaint with Austrian authorities, alleging that Mozilla breached GDPR by…

NOYB, a European privacy group has filed a complaint with Austrian authorities, alleging that Mozilla breached GDPR by enabling “Privacy Preserving Attribution” (PPA), a tracking feature in Firefox, by default without user consent.

The European Center for Digital Rights (NOYB) based in Vienna, Austria has lodged a formal complaint against Mozilla, accusing the company of turning its Firefox browser into a “tracking tool” through the introduction of a privacy feature known as Privacy Preserving Attribution (PPA).

In **July 2024**, Mozilla included the PPA feature in its Firefox update version 128.0. According to Mozilla, PPA is intended to help advertisers understand ad effectiveness without allowing individual websites to collect personal user data. Instead, Firefox itself aggregates ad interaction data on behalf of users before passing this information to advertisers. Mozilla presents this as a balanced solution that maintains user privacy while meeting advertising needs.

However, NOYB sees it differently. The advocacy group claims that PPA effectively turns Firefox into a tool that enables tracking, simply moving the data collection from websites to the browser itself.

According to NOYB’s **report**, the PPA feature violates users’ rights under the European Union’s General Data Protection Regulation (**GDPR**), as it involves data processing without obtaining explicit user consent.

****Concerns Over Default Activation and Lack of Transparency****

NOYB’s main criticism is directed at Mozilla’s implementation of PPA. The feature was enabled by default without notifying users or seeking their consent, making it an opt-out rather than an opt-in system.

NOYB compares this approach to Google’s controversial **Privacy Sandbox**, which also faced criticism for centralizing user tracking within the browser. Felix Mikolasch, a data protection lawyer at NOYB, remarked, “Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool.”

According to the organization, the alleged lack of transparency has further alarmed privacy advocates, as users were neither informed about the feature nor given the opportunity to decide whether they wanted to participate. Mikolasch added, “It’s a shame that an organization like Mozilla believes that users are too dumb to say yes or no. Users should be able to make a choice, and the feature should have been turned off by default.”

Mozilla has long been **recognized as a privacy-focused company,** particularly as other popular browsers have been criticized for invasive data collection practices. This recent move, however, has called that reputation into question. PPA, while potentially less invasive compared to third-party cookies, nonetheless involves tracking that most users are unaware of, which has led NOYB to demand regulatory scrutiny.

****How to Disable Privacy Preserving Attribution in Firefox Browser?****

For users wanting to disable Privacy Preserving Attribution, Mozilla has **provided** an opt-out process that requires navigating Firefox settings:

*   Click the **menu button** and select **Settings**.
*   Navigate to the **Privacy & Security** section.
*   Under **Website Advertising Preferences**, uncheck the box labeled **“Allow websites to perform privacy-preserving ad measurement”**.

Nevertheless, NOYB has filed a complaint with the Austrian Data Protection Authority (Available **here** (PDF) in English), asking them to investigate Mozilla’s behaviour. The advocacy group demands that Mozilla switch the feature to an opt-in system and properly inform users about the data collection. Moreover, NOYB insists that Mozilla should delete any data processed without proper user consent.

1.  **Avast Fined Millions for Selling User Browsing Data**
2.  **Why Browser Security Matters More Than You Think**
3.  **Apple Safari Safest, Google Chrome Riskiest Browser**
4.  **Mullvad VPN and Tor Project Release Mullvad Browser**
5.  **How much does a data breach cost? + How to prevent it**

Mozilla Faces GDPR Complaint Over New Firefox Tracking Feature

Debian Linux Security Advisory 5779-1 - Simone Margaritelli reported that cups, the Common UNIX Printing System, does not properly sanitize IPP attributes when creating PPD files, which may result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5779-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 29, 2024                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cupsCVE ID         : CVE-2024-47175Simone Margaritelli reported that cups, the Common UNIX Printing System,does not properly sanitize IPP attributes when creating PPD files, whichmay result in the execution of arbitrary code.For the stable distribution (bookworm), this problem has been fixed inversion 2.4.2-3+deb12u8.We recommend that you upgrade your cups packages.For the detailed security status of cups please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/cupsFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmb5cQJfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0QspA//fRq1YZHhn9UlhgfupxmpK3MHf7XjBl3cttiSkw7mZA+y1CGgUEr4Jxvd8PjkIpsN2xUuKt1Y1iLw79jOU7Vn2VOfJlUSp8ub2aT/wPHt5WnKv4/77xqS/aa+mTa2wHQWWeDssfeF67Z1rYnPk9s6cYvXhKLyAuLTLLOWq+6NWQ6ZmuXqBzmxD7rrOxBBU9rNZsp07AE6jvYmrpvDMYT0Lsy3GvBP/M6BAUF8iMJA38K3J6sR73Zh80TMDOAa8Yp/Svk12kxbjuzWxgPr2sQ/Mb/lpTH+xxxPRVIm9WWUFumPn7j+FqAfIDOieX6/nSMd1kWbSuZyKzLXz2gpVMpU8ge3ypsT9Fa3CdZbXqW6DtrOuCRyQxBKVj0qOhv/qZDIv2eYtGj2wVEphtMWGe8TfW0pFaJPK/WTNdH3xcqyo/OScv0OucW02RjEEGEjD/ErUkRorPkDmTlRIQ4W2e6lcyBYrOkFu2JGHPtnugvohQ3Xc/eEDvdABQp5xZI20F0jl+qljMFFK36qI75eIPQnPEqVfvAG9xmoBgHS4hqIYLi4p14ZaYOci8yW2FHlof2t3TgjH6TJFdH8sp3dGOHCTnKfB+3mq97oipjm6Xoqb8mW2Z0RygvUIS94NFGaFzFKzAlkIssL3Y2VoC9kfrrCe2zhMJ6zRrO5JuXdWapA51E==6Gtg-----END PGP SIGNATURE-----

Debian Security Advisory 5779-1

Student Management System version 1.0 suffers from an insecure cookie handling vulnerability.

**Student Management System 1.0 Insecure Cookie Handling**

Posted Sep 30, 2024

Authored by indoushka

Student Management System version 1.0 suffers from an insecure cookie handling vulnerability.

tags | exploit, insecure cookie handling

SHA-256 | d658fbfc8c6a719141fdd1f2794283b78eab23b21c7970420e8965f026849eba

Download | Favorite | View

**Student Management System 1.0 Insecure Cookie Handling**

    ====================================================================================================================================| # Title     : Student Management System 1.0 Insecure Cookie Handling Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/student-management-system-using-php-and-mysql/                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";[+] The default username is admin & The chosen password is user123[+] http://127.0.0.1/studentms/admin/dashboard.php Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,997)
*   Arbitrary (17,113)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,047)
*   Code Execution (7,925)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,434)
*   DoS (25,304)
*   Encryption (2,395)
*   Exploit (54,342)
*   File Inclusion (4,278)
*   File Upload (1,022)
*   Firewall (822)
*   Info Disclosure (2,924)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,310)
*   Local (14,864)
*   Magazine (587)
*   Overflow (13,228)
*   Perl (1,435)
*   PHP (5,284)
*   Proof of Concept (2,413)
*   Protocol (3,751)
*   Python (1,662)
*   Remote (31,922)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,052)
*   Shell (3,308)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,738)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,133)
*   Web (10,144)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,306)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,130)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,374)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,912)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,882)
*   UNIX (9,461)
*   UnixWare (188)
*   Windows (6,780)
*   Other

Student Management System 1.0 Insecure Cookie Handling

Productivity has a downside: A shocking number of employees share sensitive or proprietary data with the generational AI platforms they use, without letting their bosses know.

Source: Marcos Alvarado via Alamy Stock Photo

Generational AI chatbots are popping up in everything from email clients to HR tools these days, offering a friendly and smooth path toward better enterprise productivity. But there's a problem: All too often, workers aren't thinking about the data security of the prompts they're using to elicit chatbot responses.

In fact, more than a third (38%) of employees share sensitive work information with AI tools without their employer's permission, according to a survey this week by the US National Cybersecurity Alliance (NCA). And that's a problem.

The NCA survey (which polled 7,000 people globally) found that Gen Z and millennial workers are more likely to share sensitive work information without getting permission: A full 46% and 43%, respectively, admitted to the practice, as opposed to 26% and 14% of Gen X and baby boomers, respectively.

**Real-World Consequences From Sharing Data With Chatbots**

The issue is that most of the most prevalent chatbots capture whatever information users put into prompts, which could be things like proprietary earnings data, top-secret design plans, sensitive emails, customer data, and more — and send it back to the large language models (LLMs), where it's used to train the next generation of GenAI.

And that means that someone could later access that data using the right prompts, because it's part of the retrievable data lake now. Or, perhaps the data is kept for internal LLM use, but its storage isn't set up properly. The dangers of this — as Samsung found out in one high-profile incident — are relatively well understood by security pros — but by everyday workers, not so much.

ChatGPT’s creator, OpenAI, warns in its user guide, "We are not able to delete specific prompts from your history. Please don't share any sensitive information in your conversations." But it's hard for the average worker to constantly be thinking about data exposure. Lisa Plaggemier, executive director of NCA, notes one case that illustrates how the risk can easily translate into real-world attacks.

"A financial services firm integrated a GenAI chatbot to assist with customer inquiries," Plaggemier tells Dark Reading. "Employees inadvertently input client financial information for context, which the chatbot then stored in an unsecured manner. This not only led to a significant data breach, but also enabled attackers to access sensitive client information, demonstrating how easily confidential data can be compromised through the improper use of these tools."

Galit Lubetzky Sharon, CEO at Wing, offers another real-life example (without naming names).

"An employee, for whom English was a second language, at a multinational company, took an assignment working in the US," she says. "In order to improve his written communications with his US based colleagues, he innocently started using Grammarly to improve his written communications. Not knowing that the application was allowed to train on the employee's data, the employee sometimes used Grammarly to improve communications around confidential and proprietary data. There was no malicious intent, but this scenario highlights the hidden risks of AI."

**A Lack of Training & the Rise of "Shadow AI"**

One reason for the high percentages of people willing to roll the dice is almost certainly a lack of training. While the Samsungs of the world might swoop into action on locking down AI use, the NCA survey found that 52% of employed participants have not yet received any training on safe AI use, while just 45% of the respondents who actively use AI have.

"This statistic suggests that many organizations may underestimate the importance of training, perhaps due to budget constraints, or a lack of understanding about the potential risks," Plaggemier says. And meanwhile, she adds, "This data underscores the gap between recognizing potential dangers and having the knowledge to mitigate them. Employees may understand that risks exist, but the lack of proper education leaves them vulnerable to the severity of these threats, especially in environments where productivity often takes precedence over security."

Worse, this knowledge gap contributes to the rise of "shadow AI," where unapproved tools are used outside the organization's security framework.

"As employees prioritize efficiency, they may adopt these tools without fully grasping the long-term consequences for data security and compliance, leaving organizations vulnerable to significant risks," Plaggemier warns.

**It's Time for Enterprises to Implement GenAI Best Practices**

It's clear that prioritizing immediate business needs over long-term security strategies can leave companies vulnerable. But when it comes to rolling out AI before security is ready, the golden allure of all those productivity enhancements — sanctioned or not — may often prove too strong to resist.

"As AI systems become more common, it's essential for organizations to view training not just as a compliance requirement but as a vital investment in protecting their data and brand integrity," Plaggemier says. "To effectively reduce risk exposure, companies should implement clear guidelines around the use of GenAI tools, including what types of information can and cannot be shared."

Morgan Wright, chief security adviser at SentinelOne, advocates starting the guidelines-development process with first principles: "The biggest risk is not defining what problem you're solving through chatbots," he notes. "Understanding what is to be solved helps create the right policies and operational guardrails to protect privacy and intellectual property. It's emblematic of the old saying, 'When all you have is a hammer, all the world is a nail.'"

There are also technology steps that organizations should take to shore up AI risks.

"Establishing strict access controls and monitoring the use of these tools can also help mitigate risks," Plaggemier adds. "Implementing data masking techniques can protect sensitive information from being input into GenAI platforms. Regular audits and the use of AI monitoring tools can also ensure compliance and detect any unauthorized attempts to access sensitive data."

There are other ideas out there, too. "Some companies have restricted the amount of data input into a query (like 1,024 characters)," Wright says. "It could also involve segmenting off parts of the organization dealing with sensitive data. But for now, there is no clear solution or approach that can solve this thorny issue to everyone's satisfaction."

The danger to companies can also be exacerbated thanks to GenAI capabilities being added to third-party software-as-a-solution (SaaS) applications, Wing's Sharon warns — this is an area that is too often overlooked.

"As new capabilities are added, even to very reputable SaaS applications, the terms and conditions of those applications is often updated, and 99% of users don't pay attention to those terms," she explains. "It is not unusual for applications to set as the default that they can use data to train their AI models."

She notes that an emerging category of SaaS security tools called SaaS Security Posture Management (SSPM) is developing ways to monitor which applications use AI and even monitor changes to things like terms and conditions.

"Tools like this are helpful for IT teams to assess risks and make changes in policy or even access on a continuous basis," she says.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Shadow AI, Data Exposure Plague Workplace Chatbot Use

In Eclipse Glassfish versions before 7.0.17, the Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is `/management/domain`. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-jq3f-mfmg-747x: Eclipse Glassfish improperly handles http parameters

The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly stored users' passwords in plaintext in its systems.
The investigation, launched by the DPC the next month, found that the social media giant violated four different articles under the European Union's

The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly stored users' passwords in plaintext in its systems.

The investigation, launched by the DPC the next month, found that the social media giant violated four different articles under the European Union's General Data Protection Regulation (GDPR).

To that end, the DPC faulted Meta for failing to promptly notify the DPC of the data breach, document personal data breaches concerning the storage of user passwords in plaintext, and utilize proper technical measures to ensure the confidentiality of users' passwords.

Meta originally revealed that the privacy transgression led to the exposure of a subset of users' Facebook passwords in plaintext, although it noted that there was no evidence it was improperly accessed or abused internally.

According to Krebs on Security, some of these passwords date back to 2012, with a senior employee stating "some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plaintext user passwords."

A month later, the company acknowledged that millions of Instagram passwords were also stored in a similar manner, and that it's notifying affected users.

"It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," Graham Doyle, deputy commissioner at the DPC, said in a press statement.

"It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

In a statement shared with Associated Press, Meta said it took "immediate action" to fix the error, and that it "proactively flagged this issue" to the DPC.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Fined €91 Million for Storing Millions of Facebook and Instagram Passwords in Plaintext

The vulnerability is the latest discovered in connected vehicles in recent years, and it points out the cyber dangers lurking in automotive APIs.

Source: Jonathan WeissI via Shutterstock

Car buyers typically have many questions when purchasing a new automobile, but few are likely to consider whether an attacker could remotely control their vehicle using just license plate information.

Yet that's exactly what millions of Kia vehicles allowed until mid-August, when the automaker fixed a flaw that enabled such access, after independent security researchers alerted them to the issue.

**Remote Control of Kia Cars & SUVs**

The glitch is similar to those that the same group of researchers and others have discovered in recent years, and is sure to stoke already high concerns over the vulnerability of modern connected vehicles to cyberattacks.

In a Sept. 26 report, independent researcher Sam Curry said he discovered the Kia vulnerability when doing some follow-up research on multiple flaws he and colleagues discovered a couple of years ago in vehicles from Kia, Honda, Infiniti, Nissan, Acura, BMW, Mercedes, and others.  

At the time, the researchers showed how anyone could take advantage of the vulnerabilities to issue commands for remotely locking and unlocking vehicles, starting and shutting down the engine, and activating a vehicle's headlight and horn. Some of the flaws allowed an adversary to remotely take over an owner's account and lock them out of managing their own vehicle, while others enabled remote access to a vehicle's camera, with the ability to view live images from inside the vehicle. Some of the hacks required an adversary to have little more than a vehicle identification number, and sometimes even just an owner's email address.

**An Issue With Automotive API Protocols**

As with many of the previous flaws, the new issue that Curry and his fellow researchers discovered had to do with the application programming interface (API) protocols that enable Internet-to-vehicle commands on Kia automobiles.

The researchers found that it was relatively easy to register a Kia dealer account and authenticate it to the account. They could then use the generated access token to call APIs reserved for use by dealers, for things like vehicle and account lookup, owner enrollment, and several other functions.

After some poking around, the researchers found that they could use their access to the dealer APIs to enter a vehicle's license-plate information and retrieve data that essentially allowed them to control key vehicle functions. These included functions like turning the ignition on and off, remotely locking and unlocking vehicles, activating its headlights and horn, and determining its exact geolocation.

In addition, they were able to retrieve the owner's personally identifying information (PII) and quietly register themselves as the primary account holder. That meant they had control of functions normally available only the owner. The issues affected a range of Kia model years, from 2024 and 2025 all the way back to 2013. With the older vehicles, the researchers developed a proof-of-concept tool that showed how anyone could enter a Kia's vehicle license plate info and in a matter of 30 seconds execute remote commands on the vehicle.

"The recent discovery underscores the intricate challenges posed by the complex API protocols — such as gRPC, MQTT, and REST — used in connected cars," says Ivan Novikov, CEO of API security firm Wallarm. "Automakers must prioritize enhancing their cybersecurity measures by implementing stronger authentication methods and securing communication channels to protect against unauthorized access."

Akhil Mittal, senior manager of cybersecurity strategy and solutions at Synopsys Software Integrity Group, says the new discovery highlights how the biggest vulnerabilities in connected vehicles often have to do with systems that communicate with the outside world. He points to always-connected vehicle telematics systems as one example of such a component.

"Infotainment systems are another concern, as they connect to smartphones, apps, and other services, creating more entry points for hackers into the car's internal network," Mittal says. "The recent Kia hack really highlights how APIs and cloud services can be weak spots; if the APIs that control critical functions aren't secured properly, they become easy targets for attackers."

**A Troubling Pattern of Cars' Cyber Insecurity**

News of the Kia hack adds to growing concerns over connected vehicles — and not just about their security either. Earlier this year, two senior US lawmakers slammed General Motors, Honda, and Hyundai for collecting extensive data from connected vehicle about owners and their movement. The two lawmakers, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) called the data collection by the three automakers of a symptomatic industry-wide problem that highlighted the need for greater oversight and scrutiny of automaker practices.

"Automotive vendors have proven irresponsible at security again and again, and I wonder how much more we are going to see before action is taken," says David Brumley, CEO of software security firm ForAllSecure. "Yesterday the average driver worried about \[the theft of their\] key fob. Today, they have to worry about whether their dealer or manufacturer has an unprotected API. Where is the \[National Transportation Safety Board\] on this?"

Kia Motors did not respond immediately to a Dark Reading request for comment.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Millions of Kia Vehicles Open to Remote Hacks via License Plate

Red Hat Security Advisory 2024-7260-03 - An update for net-snmp is now available for Red Hat Enterprise Linux 9. Issues addressed include buffer overflow and null pointer vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7260.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: net-snmp security update  
Advisory ID:        RHSA-2024:7260-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7260  
Issue date:         2024-09-26  
Revision:           03  
CVE Names:          CVE-2022-24805  
====================================================================

Summary: 

An update for net-snmp is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.

Security Fix(es):

* net-snmp: A buffer overflow in the handling of the INDEX of             NET-SNMP-VACM-MIB can cause an out-of-bounds memory access. (CVE-2022-24805)

* : net-snmp: Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously (CVE-2022-24806)

* net-snmp: A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access (CVE-2022-24807)

* net-snmp: A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference. (CVE-2022-24809)

* net-snmp: A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference (CVE-2022-24808)

* net-snmp: A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference. (CVE-2022-24810)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-24805

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2103225  
https://bugzilla.redhat.com/show_bug.cgi?id=2104759  
https://bugzilla.redhat.com/show_bug.cgi?id=2104763  
https://bugzilla.redhat.com/show_bug.cgi?id=2104766  
https://bugzilla.redhat.com/show_bug.cgi?id=2104768  
https://bugzilla.redhat.com/show_bug.cgi?id=2104769

Red Hat Security Advisory 2024-7260-03

As security technology and threat awareness among organizations improves so do the adversaries who are adopting and relying on new techniques to maximize speed and impact while evading detection.
Ransomware and malware continue to be the method of choice by big game hunting (BGH) cyber criminals, and the increased use of hands-on or “interactive intrusion” techniques is especially alarming.

Tag

#perl