Apple's Privacy Software Allowed Users To Be Tracked, Says Google

technology - Posted On:2020-01-22 17:14:59 Source: slashdot

Google researchers have exposed details of multiple security flaws in its rival Apple's Safari web browser that allowed users' browsing behavior to be tracked [Editor's note: the link may be paywalled; alternative source], despite the fact that the affected tool was specifically designed to protect their privacy. From a report: The flaws, which were ironically found in an anti-tracking feature known as Intelligent Tracking Prevention, were first disclosed by Google to Apple in August last year. In a soon-to-be published paper seen by the Financial Times, researchers in Google's cloud team have since identified five different types of potential attack that could have resulted from the vulnerabilities, allowing third parties to obtain "sensitive private information about the user's browsing habits." "You would not expect privacy-enhancing technologies to introduce privacy risks," said Lukasz Olejnik, an independent security researcher who has seen the paper. "If exploited or used, [these vulnerabilities] would allow unsanctioned and uncontrollable user tracking." Apple rolled out Intelligent Tracking Prevention in 2017, with the specific aim of protecting Safari browser users from being tracked around the web by advertisers' and other third parties' cookies. Read more of this story at Slashdot.

Microsoft's CEO Looks To a Future Beyond Windows, iOS, and Android

technology - Posted On:2020-01-22 15:45:00 Source: slashdot

The future of the next 46 billion devices. From a report: "What do you think is the biggest hardware business at Microsoft?" asked Microsoft CEO Satya Nadella last week during a private media event. "Xbox," answered a reporter who had been quizzing Nadella on how the company's hardware products like Surface and Xbox fit into the broader ambitions of Microsoft. "No, it's our cloud," fired back Nadella, explaining how Microsoft is building everything from the data centers to the servers and network stack that fit inside. As the reporter pushed further on the hardware point, a frequent question given Microsoft's focus on the cloud, Nadella provided us with the best vision for the modern Microsoft that moves well beyond the billion-or-so Windows users that previously defined the company. "The way I look at it is Windows is the billion user install base of ours. We continue to add a couple of hundred million PCs every year, and we want to serve that in a super good way," explained Nadella. "The thing that we also want to think about is the broader context. We don't want to be defined by just what we achieved. We look at if there's going to be 50 billion endpoints. Windows with its billion is good, Android with its 2 billion is good, iOS with its billion is good -- but there is 46 billion more. So let's go and look at what that 46 billion plus 4 [billion] looks like, and define a strategy for that, and then have everything have a place under the sun." Read more of this story at Slashdot.

'How I Stopped a Credit Card Thief From Ripping Off 3,537 People -- and Saved Our Nonprofit in the Process'

it - Posted On:2020-01-22 15:45:00 Source: slashdot

Quincy Larson, founder of freeCodeCamp, a non-profit organization that runs an open-source community for learning to code, writes in a blog post: I tucked my son under my arm and jogged to my desk. I'd been up until 2 a.m. finishing the announcement for our new #AWSCertified Challenge. And so far, the launch was going well. Our new Twitter bot was tweeting, and our Discord chatroom was abuzz with ambitious developers eager to earn their AWS certifications. I was getting ready to meet with my team when I noticed two strange emails -- both of which arrived within minutes of one another. "Your a fraud" read one of the emails in typo-riddled English. "That's exactly what I'm thinking since I see a charge on my financial institution from you and since I've never heard of you. Yes you need to resolve this." The other email was... well, let's just say it was also an angry letter and let's leave it at that. freeCodeCamp is a donor-supported nonprofit, and we have thousands of people around the world who donate to us each month. Once in a while, there are misunderstandings -- usually when one family member donates without telling the other. But this felt different. So I tabbed over to Stripe, the credit card processing service our nonprofit uses for donations. On a typical day, we'd have 20 or 30 new donors. But here's what I saw instead: Stripe's dashboard showing 11,000 new customers and $60,000 in revenue for a single 24-hour period. It took me a moment to process what was happening. Our nonprofit -- which operates on an annual budget of less than $400,000 -- had just received more than $60,000 in 24 hours -- and from thousands of donors. And my heart began to sink. There was no way those were real donations. We've had spikes in donations from articles in major newspapers. Heck -- I've even been interviewed on Good Morning America. But none of those spikes caused such a surge in donations. No. There was only one thing that could cause a surge in donations like this. Fraud. Extensive, programmatic credit card fraud. I'd heard about this technique before. It's called "card testing." Here's how it works: 1. A fraudster finds a website with a relatively simple credit card form. 2. Then they run scripts to test thousands of stolen credit card numbers in rapid succession. 3. That way they can see which cards are still valid and which ones have been cancelled. Then they turn around and sell those valid card numbers on the dark web. In this case, I'd detected the fraud much faster than a lot of other websites would have. So I had a window. Read more of this story at Slashdot.

German Government To Pay Over $850,000 in Windows 7 ESU Fees This Year

technology - Posted On:2020-01-22 15:45:00 Source: slashdot

Running an outdated operating system will cost Germany an additional fee. The German federal government stands to pay at least $886,000 this year to Microsoft, according to local media. ZDNet: The sum represents support fees for over 33,000 government workstations that are still running Windows 7, a Microsoft operating system that reached end of support (EoS) on January 14, and for which Microsoft has stopped providing free security updates and bug fixes. Last year, Redmond announced a paid program for governments and enterprise partners. The program, named Windows 7 Extended Security Updates (ESU), provides paid access to Windows 7 security updates until January 10, 2023. ESU updates, for which the German government has recently signed up, cost between $25 and $200 per workstation, depending on the Windows 7 version a company is running (Enterprise or Pro) and how long it needs the updates. Read more of this story at Slashdot.

Microsoft To Force Bing Search in Chrome for Office 365 ProPlus Users

it - Posted On:2020-01-22 13:30:00 Source: slashdot

Microsoft has announced that it will install a new Google Chrome extension for some Office 365 ProPlus customers that will force the browser to use Bing as the default search engine "to access relevant workplace information directly from the browser address bar." From a report: The Microsoft Search in Bing extension will be added to all new Office 365 ProPlus installations and when updating to newer releases. The only customers that won't have this Chrome extension installed automatically are those that already have set Bing as their default Chrome search engine. "Microsoft Search is part of Microsoft 365 and is turned on by default for all Microsoft apps that support it," Microsoft says. "Even after Bing is made the default search engine, your users can still change to a different default search engine in Google Chrome on their own." Read more of this story at Slashdot.

Here Is the Technical Report Suggesting Saudi Arabia's Prince Hacked Jeff Bezos's Phone

it - Posted On:2020-01-22 13:00:00 Source: slashdot

A report investigating the potential hack of Jeff Bezos' iPhone indicates that forensic investigators found a suspicious file but no evidence of any malware on the phone. Motherboard: It also says that investigators had to reset Bezos's iTunes backup password because they didn't have it to access the backup of his phone, which suggests that Bezos may have forgotten his password. The report, obtained by Motherboard, indicates that investigators set up a secure lab to examine the phone and its artifacts and spent two days poring over the device but were unable to find any malware on it. Instead, they only found a suspicious video file sent to Bezos on May 1, 2018 that "appears to be an Arabic language promotional film about telecommunications." That file shows an image of the Saudi Arabian and Swedish flags and arrived with an encrypted downloader. Because the downloader was encrypted, this delayed or further prevented "study of the code delivered along with the video." Investigators determined the video or downloader were suspicious only because Bezos' phone subsequently began transmitting large amounts of data. "[W]ithin hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos' phone began, continuing and escalating for months thereafter," the report states. "The amount of data being transmitted out of Bezos' phone changed dramatically after receiving the WhatsApp video file and never returned to baseline. Following execution of the encrypted downloader sent from MBS' account, egress on the device immediately jumped by approximately 29,000 percent," it notes. "Forensic artifacts show that in the six (6) months prior to receiving the WhatsApp video, Bezos' phone had an average of 430KB of egress per day, fairly typical of an iPhone. Within hours of the WhatsApp video, egress jumped to 126MB. The phone maintained an unusually high average of 101MB of egress data per day for months thereafter, including many massive and highly atypical spikes of egress data." The digital forensic results, combined with a larger investigation, interviews, research, and expert intelligence information, led the investigators "to assess Bezos' phone was compromised via tools procured by Saud al Qahtani," the report states. Read more of this story at Slashdot.

Tesla Surges Past $100 Billion Market Value, Usurping VW

technology - Posted On:2020-01-22 10:29:57 Source: slashdot

Tesla's market value has climbed above Volkswagen AG's for the first time to more than $100 billion. From a report: The electric-car maker's shares jumped as much as 4.6% shortly after the open of regular trading Wednesday. At the early intraday high of $572.11, Tesla's market capitalization was roughly $103.1 billion, exceeding Volkswagen's $99.8 billion and trailing only Toyota Motor. While Musk's skeptics view it as absurd that Tesla is worth more than a carmaker that sold almost 30 times as many vehicles last year, Volkswagen's Herbert Diess isn't one of those cynics. He has been arguably the most vocal CEO running a traditional carmaker to acknowledge that Tesla's expansion heralds a radical shakeup of the more than century-old auto industry. Read more of this story at Slashdot.

Boeing Officially Stops Making 737 Max Airplanes

technology - Posted On:2020-01-21 19:14:59 Source: slashdot

Boeing confirmed that it has stopped building 737 Max airplanes in Renton, Washington, as it waits to get permission for the plane to fly again following two deadly crashes that killed 346 people. CNN reports: Boeing will not furlough or lay off workers because of the shutdown, but pain will ripple through its supply chain and could hurt America's economic growth. Boeing would not release a headcount for people who had been working on the plane. The company said the employees will be reassigned to other duties during the shutdown, and there are a number of reasons for that. The 737 Max has been grounded since March following two fatal crashes that killed all 346 people on board. Although Boeing couldn't deliver the 737 Max planes to customers, the company continued to build the jets, albeit at a slightly reduced pace of 42 a month. It now has about 400 completed jets parked in Washington and Texas, waiting to be delivered to airlines around the world. The company hoped that the plane would fly again before the end of 2019. But in December Stephen Dickson, administrator of the Federal Aviation Administration, announced approval would not come until some time in 2020. Shutdown plans were announced a week later. Read more of this story at Slashdot.

Wine 5.0 Released

technology - Posted On:2020-01-21 17:44:59 Source: slashdot

An anonymous reader quotes a report from BleepingComputer: Wine 5.0 has been released today and contains over 7,400 bug fixes and numerous audio and graphics improvements that will increase performance in gaming on Linux. With the release of Wine 5.0, WineHQ hopes to resolve many of these issues, with the main improvements being:

- Builtin modules in PE format: To make games think Wine is a real Windows environment, most Wine 5.0 modules have been converted into the PE format rather than ELF binaries. It is hoped that this will allow copy-protection and anti-cheat programs to not flag games running under Wine as being modified.
- Multi-monitor support: Multiple display adapters and multi-monitor configurations are now supported under Wine.
- XAudio2 reimplementation: XAudio2 libraries have been added back to Wine and will use the FAudio library for better compatibility.
- Vulkan 1.1 support: "The Vulkan driver supports up to version 1.1.126 of the Vulkan spec."

Here are the release notes, download locations for the binary packages (when available) and source. Read more of this story at Slashdot.

Notorious Crime Gang Targets Internet Routers Using Tomato Firmware

it - Posted On:2020-01-21 15:45:00 Source: slashdot

An anonymous reader quotes a report from Ars Technica: Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that's used in a host of online attacks, researchers said on Tuesday. The Muhstik botnet came to light about two years ago when it started unleashing a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including WebDAV, WebLogic, Webuzo, and WordPress. On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to the firmware that ships by default with routers running Broadcom chips. The ability to work with virtual private networks and provide advanced quality-of-service control makes Tomato popular with end users and, in some cases, router sellers. The exploits use already infected devices to scan the Internet for Tomato routers and, when found, to check whether they use the default username and password of "admin:admin" or "root:admin" for remote administration. The exploit causes Tomato routers that haven't been locked down with a strong password to join an IRC server that's used to control the botnet. The infection also causes the routers to scan the Internet for servers or devices running vulnerable WordPress, Webuzo, or WebLogic packages. Read more of this story at Slashdot.

Feds Seize WeLeakInfo.com For Selling Access To Stolen Data

technology - Posted On:2020-01-20 17:59:59 Source: slashdot

JustAnotherOldGuy shares a report from PC Magazine: The FBI has shut down a website that offered hackers easy access to 12 billion records stolen in thousands of data breaches. On Thursday, the Justice Department announced it had seized the internet domain of WeLeakInfo.com, a site that was cataloging data taken from more than 10,300 data breaches at various companies and websites over the years. Customers could pay as little as $2 to gain access to the massive trove of data, which was carefully indexed and searchable. In return, subscribers could look up a person's email address to find out what previously leaked passwords, names, phone numbers, and IP addresses had been associated with it. It isn't entirely clear how WeLeakInfo.com was obtaining the data breach records. But hackers routinely sell, trade, and collect such information on dark web marketplaces and forums. Read more of this story at Slashdot.

China Reports More Than 200 Infections With New Coronavirus From Wuhan

it - Posted On:2020-01-20 16:44:59 Source: slashdot

The outbreak of a new virus that began in the Chinese city of Wuhan last month appears to be far from over. Today, Chinese health authorities reported that over 130 new pneumonia cases caused by the virus were identified over the weekend, bringing the total in China alone to 201, including three outside Wuhan. From a report: There has also been a third death from the infection, and South Korea now has reported a case as well -- the third country outside China to do so. Meanwhile, the pattern of spread makes it increasingly unlikely that the virus does not transmit between people, some experts say. "Uncertainty and gaps remain, but it's clear that there is some level of person-to-person transmission," Jeremy Farrar, head of the Wellcome Trust in London, said in a statement today. "The sudden spike in cases is disconcerting, but not entirely unexpected," says Adam Kamradt-Scott, an infectious diseases specialist at the University of Sydney. As more people learn about the disease, more will go to doctors, Kamradt-Scott says, even with mild symptoms, whereas previously they might have just stayed home. And doctors are now on the lookout for the new disease. "The result is that you see a sudden surge in cases," he says. But "if we continue to see this trend continue over the next week where there are 50 to 100 new cases every day, then that would be cause for further concern." Read more of this story at Slashdot.

Huawei Signs Maps Deal With TomTom

technology - Posted On:2020-01-20 12:00:00 Source: slashdot

Dutch navigation and digital mapping company TomTom said on Friday it had closed a deal with China's Huawei Technologies for the use of its maps and services in smartphone apps. From a report: The deal with TomTom means that the Chinese telecoms and technology giant can now use the Dutch company's maps, traffic information and navigation software to develop apps for its smartphones, according to a Reuters report. A TomTom spokesman said the deal had been closed some time ago but had not been made public by the company and he declined to provide further details, according to the Reuters report. China's largest smartphone vendor has been forced to develop its own operating systems (OS) for both smartphones and computers after being added to a US blacklist in May on national security grounds, barring it from buying US-origin technology and blocking access to widely used apps such as Google Maps in Huawei's new devices. Read more of this story at Slashdot.

Google's Sundar Pichai Doesn't Want You To Be Clear-Eyed About AI's Dangers

technology - Posted On:2020-01-20 11:15:00 Source: slashdot

Alphabet and Google CEO, Sundar Pichai, is the latest tech giant kingpin to make a public call for AI to be regulated while simultaneously encouraging lawmakers towards a dilute enabling framework that does not put any hard limits on what can be done with AI technologies. From a report: In an op-ed published in today's Financial Times, Pichai makes a headline-grabbing call for artificial intelligence to be regulated. But his pitch injects a suggestive undercurrent that puffs up the risk for humanity of not letting technologists get on with business as usual and apply AI at population-scale -- with the Google chief claiming: "AI has the potential to improve billions of lives, and the biggest risk may be failing to do so" -- thereby seeking to frame 'no hard limits' as actually the safest option for humanity. Simultaneously the pitch downplays any negatives that might cloud the greater good that Pichai implies AI will unlock -- presenting "potential negative consequences" as simply the inevitable and necessary price of technological progress. It's all about managing the level of risk, is the leading suggestion, rather than questioning outright whether the use of a hugely risk-laden technology such as facial recognition should actually be viable in a democratic society. Read more of this story at Slashdot.

Do Engineering Managers Need To Be 'Technical'?

it - Posted On:2020-01-19 20:14:58 Source: slashdot

Will Larson has been an engineering leader at Digg, Uber, and Stripe, and last May published the book An Elegant Puzzle: Systems of Engineering Management. Recently he wrote a thoughtful essay asking, "Do engineering managers need to be technical?" exploring the industry's current thinking and arriving at a surprisingly thoughtful conclusion: Around 2010, with Google ascendant, product managers were finding more and more doors closed to them if they didn't have a computer science degree. If this policy worked for Google, it would work at least as well for your virality-driven, mobile-first social network for cats... [N]ow the vast majority of engineering managers come from software-engineering backgrounds. This is true both at the market-elected collection of technology companies known as FANG (Facebook, Amazon, Netflix, Google) and at the latest crop of technology IPOs, like Fastly, Lyft, and Slack. While engineering management has not prioritized its own measurement, there is evidence that expert leadership works in some fields... If this is the case, modern technology companies are already well along the right path. This is where the story gets a bit odd. If we know that managers with technical skills outperform others, and we're already hiring managers with backgrounds as software engineers, why are we still worrying whether they're technical? If these folks have proven themselves as practitioners within their fields, what is there left to debate? This is an awkward inconsistency. The most likely explanation is that "being technical" has lost whatever definition it once had... It's uncomfortable to recognize that a distinction I relied upon so heavily for so long no longer means anything to me, but comfort has never been a good reason to get into management. With the term "not technical" unusable, I instead focus on the details. Is there a kind of technology that a given person is not familiar with? Were they uncomfortable, or did they lack confidence when describing a solution? Would I care about them knowing this detail if I didn't personally know it? Given their role in and relation to the project, was the project's success dependent on them knowing these details...? Looking forward to the next 30 years of management trends, only a few things seem certain: Managers should be technical, and the definition of technical will continue to change. Read more of this story at Slashdot.

127 Tesla Owners Complain The Cars Accelerate On Their Own

technology - Posted On:2020-01-19 17:44:59 Source: slashdot

An anonymous reader quotes the Associated Press: The U.S. government's auto safety agency is looking into allegations that all three of Tesla's electric vehicle models can suddenly accelerate on their own. Brian Sparks of Berkeley, California, petitioned the National Highway Traffic Safety Administration asking for an investigation. An agency document shows 127 owner complaints to the government that include 110 crashes and 52 injuries. The agency said it will look into allegations that cover about 500,000 Tesla vehicles including Model 3, Model S and Model X vehicles from the 2013 through 2019 model years. The agency's investigations office will evaluate the petition and decide if it should open a formal probe... Frank Borris, a former head of safety defect investigations for NHTSA, said the number of complaints cited in the petition is unusual and warrants further investigation. "The sheer number of complaints would certainly catch my eye," said Borris, who now runs an auto safety consulting business. Tesla owners communicate with other owners on Internet forums and social media, and that could influence the number of complaints, he said. He said the timing of the petition is good, because the agency needs to do a "deeper dive" into Tesla safety. Some of the unintended acceleration complaints, which have yet to be verified by NHTSA, allege that the cars' electronics malfunctioned. CNBC points out that Brian Sparks, the man asking for the investigation, "is currently shorting Tesla stock, but has hedged his bets and been long shares of Tesla in the past." Read more of this story at Slashdot.

Facebook Won't Put Ads in WhatsApp -- For Now

technology - Posted On:2020-01-19 16:44:59 Source: slashdot

Facebook "will no longer push through with its plans to sell ads on WhatsApp," writes Engadget, citing a report in the Wall Street Journal which says WhatsApp still "plans at some point to introduce ads to Status." Newsweek reports: WhatsApp is the only app in Facebook's suite of products free from ads, which make up a vast amount of the parent company's revenue, bringing in the majority of its $17.65 billion during Q3 last year. Like rival apps Snapchat or TikTok, advertising features prominently in Messenger and Instagram. But what does it mean for Facebook? The impact of a delayed WhatsApp ad roll-out will not only mean a financial hit, but may also disrupt how much ad data Facebook can possibly extract from users of the app's desktop and web versions. Currently, Facebook does not charge people for access to its products. Instead, it monetizes personal information by selling details about user preferences to companies for use in targeted ads. And there is clearly money to be made via mobile-based ads, which brought in about 94 percent of Facebook's total ad revenue during the third quarter of last year... "My assessment of this is it will be a delayed introduction of ads," social media consultant and commentator Matt Navarra told Newsweek today... "With the current climate of unrest surrounding data privacy and Facebook's plans to integrate its messaging apps backend, as well as the many legal battles they are facing, I suspect they are being cautious with yet more activity that could ruffle feathers at this time," Navarra told Newsweek. "But it's a case of when they do launch ads in WhatsApp, not if," he predicted. The ad strategy sparked clashes between Facebook executives and WhatsApp founders Jan Koum and Brian Acton, and became a factor in their departures from the firm. Koum and Acton, pro-privacy technologists, reportedly feared the app's encryption could be put at risk. Read more of this story at Slashdot.

Telnet Passwords Leaked For More Than 500,000 Servers, Routers, and IoT Devices

it - Posted On:2020-01-19 13:45:00 Source: slashdot

ZDNet is reporting on a security breach leaking "a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) 'smart' devices." The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet... Some devices were located on the networks of known internet service providers (indicating they were either home routers or IoT devices), but other devices were located on the networks of major cloud service providers... According to experts to whom ZDNet spoke this week, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations... To our knowledge, this marks the biggest leak of Telnet passwords known to date. As ZDNet understands, the list was published online by the maintainer of a DDoS-for-hire (DDoS booter) service... When asked why he published such a massive list of "bots," the leaker said he upgraded his DDoS service from working on top of IoT botnets to a new model that relies on renting high-output servers from cloud service providers. Read more of this story at Slashdot.

Exploit Fully Breaks SHA-1, Lowers the Attack Bar

it - Posted On:2020-01-18 17:45:04 Source: slashdot

ThreatPost reported on some big research last week: A proof-of-concept attack has been pioneered that "fully and practically" breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption, used by legacy computers to sign the certificates that authenticate software downloads and prevent man-in-the-middle tampering. The exploit was developed by Gaëtan Leurent and Thomas Peyrin, academic researchers at Inria France and Nanyang Technological University/Temasek Laboratories in Singapore. They noted that because the attack is much less complex and cheaper than previous PoCs, it places such attacks within the reach of ordinary attackers with ordinary resources. "This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function," the researchers wrote. "Continued usage of SHA-1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA-1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA-1 support to avoid downgrade attacks." Given the footprint of SHA-1, Leurent and Peyrin said that users of GnuPG, OpenSSL and Git could be in immediate danger. Long-time Slashdot reader shanen writes, "I guess the main lesson is that you can never be too sure how long any form of security will remain secure." Read more of this story at Slashdot.

Researchers Find Serious Flaws In WordPress Plugins Used On 400K Sites

it - Posted On:2020-01-17 19:59:59 Source: slashdot

An anonymous reader quotes a report from Ars Technica: Serious vulnerabilities have recently come to light in three WordPress plugins that have been installed on a combined 400,000 websites, researchers said. InfiniteWP, WP Time Capsule, and WP Database Reset are all affected. The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. It allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete contents, add new accounts, and carry out a wide range of other malicious tasks. The critical flaw in WP Time Capsule also leads to an authentication bypass that allows unauthenticated attackers to log in as an administrator. WP Time Capsule, which runs on about 20,000 sites, is designed to make backing up website data easier. By including a string in a POST request, attackers can obtain a list of all administrative accounts and automatically log in to the first one. The bug has been fixed in version 1.21.16. Sites running earlier versions should update right away. Web security firm WebARX has more details. The last vulnerable plugin is WP Database Reset, which is installed on about 80,000 sites. One flaw allows any unauthenticated person to reset any table in the database to its original WordPress state. The bug is caused by reset functions that aren't secured by the standard capability checks or security nonces. Exploits can result in the complete loss of data or a site reset to the default WordPress settings. A second security flaw in WP Database Reset causes a privilege-escalation vulnerability that allows any authenticated user -- even those with minimal system rights -- to gain administrative rights and lock out all other users. All site administrators using this plugin should update to version 3.15, which patches both vulnerabilities. Wordfence has more details about both flaws here. Read more of this story at Slashdot.
