Episode 90: WPBakery Plugin Vulnerability Exposes Over 4 Million Sites

A vulnerability discovered by the Wordfence Threat Intelligence team in the WPBakery plugin exposes over 4 million sites. High severity vulnerabilities were discovered in the Post Grid and Team Showcase plugins.

The online avatar service Gravatar has been exposed to a user enumeration technique, which could be abused to collect data on its users’ profiles, and a card skimmer was found on Boom! Mobile’s web site, putting customer card data at risk.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Vulnerability Exposes Over 4 Million Sites Using WPBakery Plugin
1:50 High Severity Vulnerabilities in Post Grid and Team Showcase Plugins
3:52 Online avatar service Gravatar allows mass collection of user info
5:37 Boom! Hacked page on mobile phone website is stealing customers’ card data

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 90 Transcript

Scott Miller:
Hello everyone. It’s Scott from Wordfence. This is Think Like A Hacker, the weekly podcast about WordPress, security, and innovation. Let’s take a look at the news.

In our first story this week, a vulnerability in WPBakery exposes over 4 million sites. The Wordfence Threat Intelligence team here found a vulnerability in the WPBakery plugin on July 27th. This plugin is installed on over 4.3 million sites and the vulnerability allowed authenticated attackers with contributor level or greater permissions to inject malicious JavaScript in posts. We initially contacted the plugin team on July 28th and disclosed full details on the 29th. After extensive correspondence between Wordfence and the WPBakery development team, a sufficient patch was released on September 24th.

Now the WPBakery plugin had a flaw that would allow users with contributor level or author level roles the ability to inject malicious JavaScript into pages and posts. The flaw would also give the users the ability to edit other users’ posts. The plugin disabled any default post HTML filtering checks, which allowed any user with access to the WPBakery Builder to inject HTML and JavaScript anywhere in a post using the page builder. It is recommended to update to the latest version 6.4.1 as soon as possible. You’ll also want to take a look for any untrusted contributor or author user accounts on your WordPress site.

Wordfence Premium users were protected from the vulnerability when they received a new firewall rule for protection on July 28th, and Wordfence free users received the same protection on August 28th.

In our next story this week, we take a look at high severity vulnerabilities in the Post Grid and Team Showcase plugins. On September 14th, our threat intel team here at Wordfence discovered two high severity vulnerabilities in the Post Grid plugin, which has over 60,000 installations. While looking further into one of these issues we found in Post Grid, we discovered similar vulnerabilities were also present in the Team Showcase plugin, which is a separate plugin by the same author, and it has over 6,000 installations.

After triggering vulnerable functions in the plugins, a logged in attacker with subscriber level access or above could then send a source parameter referencing a malicious payload, and the vulnerable function would open the file containing that payload and eventually create a new page layout based on its contents. That page would then include a custom script section, which would allow an attacker to add malicious JavaScript to the custom CSS portion of that area. This would then be executed whenever an administrative user edited that layout or a visitor accessed any page based on that layout.

So this vulnerability could have been used to add a back door to the plugin or the theme files, or potentially to steal administrator session information. We reached out to PickPlugins, the developer of these plugins, on September 16th, and patches for both plugins were made available not long after on the 17th. Wordfence Premium users received a firewall rule protecting them from these vulnerabilities in both plugins on September 16th. Sites that are still using the free Wordfence plugin will receive this rule after 30 days on October 16th.

If you’re using either the Post Grid or Team Showcase plugin, you should update to the latest version as soon as possible. At the current time, the latest version of the Post Grid plugin is 2.0.73, and the latest version of the Team Showcase plugin is 1.22.16.

In our next story, Gravatar, the online profile avatar service, allows easy collection of user information. So the online avatar service Gravatar has been exposed to a user enumeration technique, which could be abused to collect data on its users’ profiles. Security researcher Carlo Di Dato demonstrated that after simply appending .JSON to the Gravatar user’s profile page, an ID field was then accessible. Using that ID number specific to each Gravatar profile, user enumeration was possible with a simple script, which Di Dato demonstrated by visiting URLs from IDs 1 to 5,000, giving them access to the JSON data of the first 5,000 Gravatar users.

Some profiles contained more information than others, including location information, as well as phone numbers and Bitcoin wallet addresses. This information could of course also further be used in social engineering attacks. The simple enumeration technique would allow a crawler or bot to grab information at will from Gravatar profiles with no strict rate limiting seemingly in place. As we know, Gravatar is a popular service used with WordPress. And though users with public profiles do consent to making some data publicly available, users are likely unaware that their data could be retrieved as easily as it could be with this user enumeration method. You might consider checking what information is available on your Gravatar profile and also consider what needs to be there. You can also hide your public profile via the service’s settings.

In our last story for this week, customers’ card data is at risk due to a card skimmer on Boom! Mobile’s website. So if you’ve recently been searching for a new mobile device and visited Boom! Mobile’s website, you may have been at risk of having your card data stolen. Malwarebytes, the popular security firm, has said that Boom!’s website contains a malicious script, which steals payment card data. The script was active and pulled data from the payment fields anytime that it detected changes in those fields.

One thing to note is the site, which is boom.us, is running PHP version 5.6.40, which has not been supported by the PHP developers since 2019, and also has known security issues. The information pulled by the skimmer on the site can include all information added to the forms, such as the name, address, card number, expiration date, and security code, as well as anything else in the form on the site. Boom! released a statement encouraging customers who may have made purchases on boom.us between the 30th of September and 5th of October to take necessary precautions with their card company. Unfortunately, these things can happen on websites and it’s always best to limit where you put your data online and try to stick with reputable websites.

That’s all for us this week. Thanks for joining me on Think Like A Hacker. Stop by on Tuesdays at 12:00 PM Eastern Time for Wordfence live on YouTube, where we talk all things security. Until next time, have a great weekend and we’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 90: WPBakery Plugin Vulnerability Exposes Over 4 Million Sites appeared first on Wordfence.

Vulnerability Exposes Over 4 Million Sites Using WPBakery

On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts.

We initially reached out to the plugin’s team on July 28, 2020 through their support forum. After receiving confirmation of the appropriate support channel, we disclosed the full details on July 29, 2020. They confirmed the vulnerability and reported that their development team had begun working on a fix on July 31, 2020. After a long period of correspondence with the plugin development team, and a number of insufficient patches, a final sufficient patch was released on September 24, 2020.

We highly recommend updating to the latest version, 6.4.1 as of today, immediately. While doing so, we also recommend verifying that you do not have any untrusted contributor or author user accounts on your WordPress site.

Wordfence Premium users have been protected against exploits targeting these vulnerabilities since July 28, 2020. Wordfence free users received the same protection on August 28, 2020.

Description: Authenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: WPBakery
Plugin Slug: js_composer
Affected Versions: <= 6.4
CVE ID: Pending.
CVSS Score: 6.4 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.4.1

WPBakery page builder is the most popular page builder for WordPress. It is a very easy to use tool that allows site owners to create custom pages using drag and drop capabilities.

Unfortunately, the plugin was designed with a flaw that could give users with contributor and author level roles the ability to inject malicious JavaScript into pages and posts. This flaw also gave these users the ability to edit other users’ posts. The plugin explicitly disabled any default post HTML filtering checks in the saveAjaxFe function by calling kses_remove_filters(). This meant that any user with access to the WPBakery builder could inject HTML and JavaScript anywhere in a post using the page builder.

	public function saveAjaxFe() {
		vc_user_access()->checkAdminNonce()->validateDie()->wpAny( 'edit_posts', 'edit_pages' )->validateDie();

		$post_id = intval( vc_post_param( 'post_id' ) );
		if ( $post_id > 0 ) {
			ob_start();

			// Update post_content, title and etc.
			// post_title
			// content
			// post_status
			if ( vc_post_param( 'content' ) ) {
				$post = get_post( $post_id );
				$post->post_content = stripslashes( vc_post_param( 'content' ) );
				$post_status = vc_post_param( 'post_status' );
				$post_title = vc_post_param( 'post_title' );
				if ( null !== $post_title ) {
					$post->post_title = $post_title;
				}
				kses_remove_filters();
				remove_filter( 'content_save_pre', 'balanceTags', 50 );

Furthermore, while WPBakery only intended pages that were built with the WPBakery page builder to be editable via the builder, users could access the editor by supplying the correct parameters and values for any post. This could be classified as a general bug as well as a security issue, and is what made it possible for contributors and editors to use the wp_ajax_vc_save AJAX action and corresponding saveAjaxFe function to inject malicious JavaScript on their own posts as well as other users’ posts.

The plugin also had custom onclick functionality for buttons. This made it possible for an attacker to inject malicious JavaScript in a button that would execute on a click of the button. Furthermore, contributor and author level users were able to use the vc_raw_js, vc_raw_html, and button using custom_onclick shortcodes to add malicious JavaScript to posts.

All of these meant that a user with contributor-level access could inject scripts in posts that would later execute once someone accessed the page or clicked a button, using various different methods. As contributor-level users require approval before publishing, it is highly likely that an administrator would view a page containing malicious JavaScript created by an attacker with contributor-level access. By executing malicious JavaScript in the administrator’s browser, it would be possible for an attacker to create a new malicious administrative user or inject a backdoor, among many other things.

In the latest version of WPBakery, lower level users no longer have unfiltered_html capabilities by default, however, administrators can grant that permission if they wish to. In addition, users without the appropriate privileges can no longer edit other users’ posts, access the page builder unless permitted, or use shortcodes that could allow the injection of malicious JavaScript.

Dual Account Control

One strategy to keep your site protected from Cross-Site Scripting attacks against higher-privileged accounts is to use dual accounts. Dual account control uses two accounts for any user that may require administrative capability. This can be done by using one user account with administrative capabilities for admin-related tasks like adding new users and plugins and another user account with editor capabilities used to review and approve author and contributor posts.

Doing so will limit the impact that a Cross-Site Scripting vulnerability may have. When you access a page as a site administrator, any malicious JavaScript that an attacker injects can use administrative only functions like adding a new user or editing a theme file to further infect the site. By using a user account with only editor capabilities while editing, creating, and checking on posts created by lower-level users, an XSS exploitation attempt could be limited, as an attacker can’t successfully add new admin accounts or edit themes through an Editor account.

Especially in cases where many users can access authenticated actions, we recommend using an administrative user account only when you need to perform administrative functions on your site.

Disclosure Timeline

July 27, 2020 – Initial discovery of the vulnerability. We develop a firewall rule and move it into the testing phase.
July 28, 2020 – The firewall rule is sufficiently tested and released to premium users. We make our initial outreach to the WPBakery plugin team.
July 29, 2020 – The WPBakery team responds confirming the appropriate inbox and we send over full disclosure details.
August 21, 2020 – After some follow-up an initial patch is released.
August 26, 2020 – We let the WPBakery team know that there are some additional minor problems missed that require resolution.
August 28, 2020 – Wordfence free users receive the firewall rule.
September 2, 2020 – We follow up to see if the WPBakery team received our last email.
September 9, 2020 – The WPBakery team confirms they received our email and are working on getting an additional patch released.
September 11, 2020 – The WPBakery team releases an additional patch that is not fully sufficient.
September 11 to 23, 2020 – We work together more closely to get an adequate patch out.
September 24, 2020 – Final sufficient patch released in version 6.4.1.

Conclusion

In today’s post, we detailed a flaw in the WPBakery Plugin that provided authenticated users with the ability to inject malicious JavaScript into posts using the WPBakery Page builder. Along with that, we provided some insight on how you can protect yourself against Contributor and Author level vulnerabilities. This flaw has been fully patched in version 6.4.1. We recommend that users immediately update to the latest version available, which is version 6.4.1 at the time of this publication.

As WPBakery is a premium plugin often included as a page builder with numerous premium themes, you may need to double check that any updates are available to you with your theme purchase. Verifying the plugin version number in your plugins dashboard should alert you to the version installed on your site.

Sites using Wordfence Premium have been protected against attacks attempting to exploit this vulnerability since July 28, 2020. Sites still using the free version of Wordfence received the same protection on August 28, 2020.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a significant security update.


High Severity Vulnerabilities in Post Grid and Team Showcase Plugins

On September 14, 2020, our Threat Intelligence team discovered two high severity vulnerabilities in Post Grid, a WordPress plugin with over 60,000 installations. While investigating one of these vulnerabilities, we discovered that almost identical vulnerabilities were also present in Team Showcase, a separate plugin by the same author with over 6,000 installations.

We initially reached out to the plugin’s developer, PickPlugins, on September 16, 2020 and provided full disclosure the next day. Patches for both plugins were made available only a few hours after we provided disclosure on September 17, 2020.

Wordfence Premium users received a firewall rule protecting both plugins from both vulnerabilities on September 16, 2020. Sites still running the free version of Wordfence will receive this rule after 30 days, on October 16, 2020.


Description: Stored Cross-Site Scripting (XSS)
Affected Products: Post Grid, Team Showcase
Plugin slug: post-grid,team
Affected Versions: Post Grid < 2.0.73 and Team Showcase < 1.22.16
CVE ID: Pending
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: Post Grid 2.0.73 and Team Showcase 1.22.16

Post Grid is a popular WordPress plugin that allows users to display their posts in a grid layout, while Team Showcase is designed to showcase an organization’s team members. Both of these plugins allowed the import of custom layouts, and contained nearly identical functions in order to import these layouts. Post Grid no longer actually made use of the vulnerable import function, though the vulnerable code was still present.

In both cases, a logged-in attacker with minimal permissions such as subscriber could trigger the functions by sending an AJAX request, with the action set to post_grid_import_xml_layouts for the Post Grid plugin or team_import_xml_layouts for the Team Showcase plugin, with each action triggering a function with the same name.

Additionally, in the Post Grid plugin, the post_grid_import_xml_layouts function could also be triggered via a shortcode. By default, this meant that only authenticated users would be able to activate it. Any 3rd party plugin allowing unauthenticated shortcode execution, however, would extend the vulnerability to unauthenticated attackers.

add_shortcode('post_grid_import_xml_layouts', 'post_grid_import_xml_layouts');

function post_grid_import_xml_layouts(){
    $post_grid_info = get_option('post_grid_info');

    $response = array();
    $user_id = get_current_user_id();
    $source = isset($_POST['source']) ? sanitize_text_field($_POST['source']) : '';
    $skip = isset($_POST['skip']) ? sanitize_text_field($_POST['skip']) : '';


    if($skip == 'yes'){

        if(strpos($source, 'post-grid-pro')){
            $post_grid_info['import_pro_layouts'] = 'done';
        }else{
            $post_grid_info['import_layouts'] = 'done';
        }

        $response['skip_success'] = __('Import skipped','post-grid');
        update_option('post_grid_info', $post_grid_info);

        echo json_encode($response);
        die();
    }

    if(!empty($source)){
        $json_obj = file_get_contents($source);
    }else{
        $json_obj = '';
    }



    //$xml_json = json_encode($html_obj);
    $xml_arr = json_decode($json_obj, true);


    $items = isset($xml_arr['rss']['channel']['item']) ? $xml_arr['rss']['channel']['item'] : array();

    if(!empty($items))
    foreach ($items as $item){

        $post_title = isset($item['title']) ? $item['title'] : '';
        $postmeta = isset($item['postmeta']) ? $item['postmeta'] : array();

        $post_id = wp_insert_post(
            array(
                'post_title'    => $post_title,
                'post_content'  => '',
                'post_status'   => 'publish',
                'post_type'   	=> 'post_grid_layout',
                'post_author'   => $user_id,
            )
        );

//            echo '<br>';
//            echo $post_title. ' Created';
//            echo '<br>';


        foreach ($postmeta as $meta){

            $meta_key = isset($meta['meta_key']['__cdata']) ? $meta['meta_key']['__cdata'] : '';
            $meta_value = isset($meta['meta_value']['__cdata']) ? $meta['meta_value']['__cdata'] : '';

//            echo '<br>';
//            //var_dump(unserialize($meta_value));
//            echo '<br>';



            if($meta_key == 'layout_options' || $meta_key == 'layout_elements_data' || $meta_key == 'custom_scripts' ){
                print_r($meta_value);

                update_post_meta($post_id, $meta_key, unserialize($meta_value));
            }


        }




    }


    $response['success'] = __('Import done','post-grid');


    if(strpos($source, 'post-grid-pro')){
        $post_grid_info['import_pro_layouts'] = 'done';
    }else{
        $post_grid_info['import_layouts'] = 'done';
    }


    update_option('post_grid_info', $post_grid_info);



    echo json_encode($response);
    die();


}

add_action('wp_ajax_post_grid_import_xml_layouts', 'post_grid_import_xml_layouts');

Regardless of how the vulnerable function was triggered, an attacker could supply a source parameter pointing to a crafted malicious payload hosted elsewhere. The function would then open the file containing the payload, decode it, and create a new page layout based on its contents. The created layout included a custom_scripts section, and an attacker could add malicious JavaScript to the custom_css portion of this section. This would then be executed whenever an administrative user edited the layout or a visitor visited a page based on the layout.

Any malicious JavaScript added in this manner could be used to take over a site by adding a malicious administrator, adding a backdoor to plugin or theme files, or stealing the administrator’s session information.


Description: PHP Object Injection
Affected Products: Post Grid, Team Showcase
Plugin slug: post-grid,team
Affected Versions: Post Grid < 2.0.73 and Team Showcase < 1.22.16
CVE ID: Pending
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: Post Grid 2.0.73 and Team Showcase 1.22.16

The post_grid_import_xml_layouts and team_import_xml_layouts functions could also be used for PHP Object Injection using the same mechanism as the XSS attack. This was possible because the vulnerable functions unserialized the payload supplied in the source parameter.

As such an attacker could craft a string that would be unserialized into an active PHP Object. Although neither plugin utilized any vulnerable magic methods, if another plugin using a vulnerable magic method was installed, Object Injection could be used by an attacker. Doing so would allow a malicious actor to execute arbitrary code, delete or write files, or perform any number of other actions which could lead to site takeover.

As with the XSS vulnerability, the PHP Object injection vulnerability would typically require the attacker to have an account with at least subscriber level privileges. However, sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers.

Timeline

September 14, 2020 – Our Threat Intelligence team finds two vulnerabilities in the Post Grid plugin.
September 16, 2020 – We discover identical vulnerabilities in the Team Showcase plugin. We release a firewall rule for Wordfence Premium customers and reach out to PickPlugins, the developer for both plugins.
September 17, 2020 – PickPlugins responds, and we provide full disclosure. PickPlugins releases fixes for both plugins.
October 16, 2020 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we detailed two high-severity vulnerabilities present in both the Post Grid plugin and the Team Showcase plugin, including a stored Cross-Site Scripting (XSS) vulnerability and a PHP Object Injection vulnerability.

Wordfence Premium users have been protected from attacks against both plugins since September 16, 2020. Sites still running the free version of Wordfence will receive the firewall rule on October 16, 2020.

If your site is running either of these plugins it is critical that you update to the latest version as soon as possible. At the time of this writing, the latest version of Post Grid is 2.0.73 and the latest version of Team Showcase is 1.22.16. If you know anyone who is using either of these plugins, please share this report with them as well.

Special thanks to the plugin’s developer, PickPlugins, for their rapid response in patching these vulnerabilities.


Episode 89: Shopify Rogue Employees, Medium and Twitter Vulnerabilities, and Hackers Hiding Out in Corporate Networks

Shopify reports that two rogue employees stole data from 200 merchants on their platform. A security researcher found a vulnerability in the Medium Partner Program could have allowed an attacker to steal writers’ earnings. Symantec reports that a state-sponsored hacking group has been hiding out in company networks as a part of an information-stealing campaign. And Twitter reports that an API bug exposed app keys and tokens via a caching issue.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Shopify Says ‘Rogue’ Employees Stole Data From Merchants
1:15 Flaw in Medium Partner Program allowed attackers to steal writers’ earnings
2:18 Hackers have spent months hiding out in company networks undetected
4:17 Twitter Warns Developers of API Bug That Exposed App Keys, Tokens


Episode 89 Transcript

Scott Miller:
Welcome back, everybody. It’s Scott from Wordfence. You’re listening to Think Like a Hacker, the weekly podcast about WordPress, security, and innovation. Let’s take a look into this week’s stories.

In our first story this week, rogue employees at Shopify have reportedly accessed and exposed personal details of Shopify customers. A recent report shows that the incident occurred on September 15th when the personal details of Shopify customers were stolen and exposed. The exposed data included order details, addresses, names, and email addresses and was stolen by two employees from over 100 merchants.

The employees who were part of Shopify’s support team were said to be involved in a scheme to obtain this information, which Shopify noted affected fewer than 200 sellers. So, now Shopify is working with the FBI and other agencies after terminating the two employees’ access to their systems. Shopify also mentioned that while customer data was exposed, including order details, addresses, names, email addresses, no sensitive, personal or financial information was exposed in the incident.

In our next story this week, a flaw in the Medium Partner Program left writers’ earnings exposed. Hackers were able to potentially steal Medium writers’ engagement earnings due to a vulnerability in session cookies. This is a program for select writers to earn money monthly while writing and publishing on Medium. And it’s based on the number of readers and subscribers who access their work.

Mohammad-Ali Bandzar found that Medium would embed any user ID cookie value that you transmitted. The fact that Medium did not validate the user’s logged-in session meant that the submitted user ID was blindly accepted and thought to be correct. Bandzar mentioned that this flaw was very easy to exploit and the amount of money that attackers could have stolen while potentially being undetected had no ceiling at the time. Bandzar also received his first bug bounty for finding this issue and was rewarded $250.

Our next story takes a look at the espionage group Palmerworm and how they’ve remained undetected in information stealing campaigns. New malware is being used to infiltrate organizations in the US, Japan, Taiwan and China, where the group known as Palmerworm has infiltrated multiple organizations related to media, finance, and engineering. This group is focused on stealing company information and has recently begun targeting US-based companies as well. Palmerworm, or BlackTech, as they’re sometimes called, were able to go unrecognized on some networks for a year or more while covering their tracks and making it more difficult for companies to trace their steps. It was mentioned that the attackers have previously gained entry via spear phishing email attacks. However, it has not been confirmed how access has been gained in the latest round of attacks. So, the group has been around since 2013 and used network reconnaissance tools to gain access and steal information.

The group then utilizes stolen code signing certificates within their malware to further go undetected. They then use backdoors to maintain access to the networks. The cyber security company Symantec has identified victims of the Palmerworm attacks; however, it is not sure who the group is working for. It was mentioned that it is likely that the group is still undetected on some networks and that they still remain a threat. It is best that organizations know their usual server activity and what it looks like in order to identify changes, which may be related to a breach in their security. These sorts of attacks typically involve multiple events and tools and may show activity over a long period of time, rather than a single event. Be sure that you’re regularly monitoring your server and network activity to be better able to identify anomalies, which may relate to unauthorized activity.

And our last story for this week, Twitter warns of a caching issue that could have led to developers exposing API keys and tokens. So, the bug was a caching issue affecting the site, developer.twitter.com. And it could have led to exposure of credentials and other sensitive information. The developer site is a hub for users who create applications for Twitter.

Upon visiting the site, information was temporarily stored in browser cache relating to the developer’s application. The attack is said to be difficult to carry out for a few reasons. First, an attacker would need to use a device just after the developer used the device. And second, they would have needed to have access to developer.twitter.com site and used the sensitive information which would have then been stored in the browser cache as mentioned. Depending on the submitted information by the developer, an attacker could have access to the developer’s API keys, the user access token, and the secret for the developer account. Twitter has since fixed the issue with the cache by changing what is able to be stored regarding sensitive information.

Though the information that could have been accessed is critical and sensitive to developers, Twitter has mentioned that there is no evidence that the developer app keys were compromised and that it is highly unlikely anyone’s credentials were compromised without their knowledge. Twitter mentioned as a part of their statement, “If you used a shared computer to visit developer.twitter.com with a logged in Twitter account, we recommend that you regenerate your app keys and tokens.” That’s all for this week on Think Like a Hacker. I hope the news found you well. Check out wordfence.com for our blog and mailing list to stay up to date with all the latest security news. Until next time, I hope you have a great weekend and thanks for listening. We’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 89: Shopify Rogue Employees, Medium and Twitter Vulnerabilities, and Hackers Hiding Out in Corporate Networks appeared first on Wordfence.

Common Ways Attackers Are Stealing Credentials

A few weeks ago, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. Strong passwords and good password hygiene are often the first line of defense.

On September 29, 2020, the Wordfence Live team covered the 10 Worst Password Mistakes We’ve Ever Seen. This companion blog post reviews the most common ways attackers are stealing credentials, to shed some light on how malicious actors obtain passwords so that you can make better decisions about your own credentials.

We will follow-up with an additional post summarizing the 10 mistakes we covered in Wordfence Live.

You can watch the video of Wordfence Live below.

Timestamps

Here are timestamps in case you’d like to jump around:

  • 0:00 Introduction
  • 7:43 What is a password?
  • 9:48 Common attack methods that compromise passwords
  • 10:10 Credential stuffing
  • 12:07 Brute force and dictionary attacks
  • 13:57 Shoulder surfing
  • 15:07 Social engineering
  • 18:02 Phishing
  • 20:15 Wireless sniffing
  • 22:17 Man in the middle attacks

You can click on these timestamps to jump around in the video.

What exactly is a password?

Passwords are a critical component of our lives online. They act as keys granting access to our favorite shopping sites, our bank accounts, our social media and email accounts, and even our WordPress sites.

A password is used to prove your online identity. A username acts as an identification mechanism to tell a site who you are, while a password acts as an authentication mechanism to verify that the identity you are claiming is truly and authentically your identity.

It is incredibly important to safeguard your passwords and follow password best practices. Passwords protect your online identity. If any of your passwords are compromised, attackers can gain access to online accounts and sensitive information, causing irreparable harm to your business, your livelihood, and even your personal identity.

What are some common password-stealing attack methods?

No matter what kind of password attack is being used, the end goal for the attacker is to “spoof” your identity by using your compromised password and successfully authenticate as you. Here are the most common methods of stealing or compromising passwords to gain unauthorized entry.

Attack Type #1: Credential Stuffing

Credential stuffing occurs when an attacker already has access to username and password combinations which are commonly obtained from data breaches. In this kind of attack, attackers send automated requests containing these username and password combinations to try to successfully authenticate as you. If successful, attackers can steal your sensitive data, make changes on your account, or even impersonate you. A targeted credential stuffing attack might succeed within a single try, while a large-scale campaign might try millions of combinations against a single site.

To combat credential stuffing attacks, make sure you are not reusing passwords across sites. Monitor your credentials to verify that they haven’t been exposed in a data breach with a service such as haveibeenpwned.com. If your passwords are ever compromised, change them immediately.

Attack Type #2: Password Cracking Techniques

There are several password cracking techniques that attackers use to “guess” passwords to systems and accounts. The top three most common password cracking techniques we see are brute force attacks, dictionary attacks, and rainbow table attacks.

In a dictionary attack, an attacker will use a dictionary list of words and combinations of dictionary words to try and guess the password. They may use single dictionary words or a combination of dictionary words, however, the simplicity of having a dictionary list is what makes this an attractive attack method for attackers.

A brute force attack takes things a little further than a dictionary attack. An attacker will try various different combinations of letters, numbers, and special characters to try and “guess” the right password. Establishing resources to automate brute force attacks is easy and inexpensive, and attackers usually end up with large databases of credentials because so many users choose weak passwords.

A rainbow table attack occurs when an attacker uses a table of precomputed hashes of common passwords, dictionary words, and other candidate passwords to recover a password from its hash. This typically occurs when an attacker has gained access to a list of hashed passwords and wants to crack them very quickly. In many cases, credential breaches only contain hashed passwords, so attackers will often use rainbow table attacks to discover the plaintext versions of these passwords for later use in credential stuffing attacks.
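To see why a per-user salt defeats a precomputed table, here is an added Python example (not Wordfence code): a lookup table built from a constructed five-entry wordlist recovers an unsalted SHA-256 digest with one dictionary lookup, while the same password stored with a random salt and an iterated KDF (PBKDF2) is never found in that table. The wordlist, the 16-byte salt and the iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a wordlist of common passwords (tables used in real
# attacks are vastly larger; five entries are enough to show the mechanism).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]


def build_lookup_table(wordlist):
    """Precompute unsalted SHA-256 digests: a leaked digest is then matched
    by one dictionary lookup, which is the idea behind a rainbow table."""
    return {hashlib.sha256(pw.encode()).hexdigest(): pw for pw in wordlist}


def lookup(table, leaked_digest):
    """Return the plaintext for a leaked digest, or None if it is not tabulated."""
    return table.get(leaked_digest)


def salted_hash(password, salt=None, iterations=100_000):
    """Hash with a random 16-byte per-user salt and an iterated KDF (PBKDF2).
    The salt makes every user's digest unique, so a table built in advance
    cannot match it; the iterations make each guess slow on top of that."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_password(password, salt_hex, digest_hex, iterations=100_000):
    """Recompute the salted digest and compare it in constant time."""
    _, candidate = salted_hash(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, digest_hex)


def demo():
    """Same password, two storage schemes: only the unsalted digest is found."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_leak = hashlib.sha256(b"letmein").hexdigest()  # from an unsalted store
    _, salted_leak = salted_hash("letmein")                  # from a salted store
    return lookup(table, unsalted_leak), lookup(table, salted_leak)
```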

Password cracking attacks are quite common and one of the most prevalent types of attacks next to credential stuffing. WordPress sites are often heavily targeted by these attacks.

Weak passwords can take seconds to crack with the right tools, making it incredibly important to use strong, unique passwords across all sites.
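The credential stuffing pattern from Attack Type #1 and the brute force pattern from this section look different in a site's login log, and a site owner can tell them apart. This added Python example (not Wordfence code) assumes a constructed attempt log of `timestamp ip username result` lines, flags any client that makes a burst of attempts inside a time window, and classifies it by how many distinct usernames it tries; the log format and thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one client sprays many usernames,
# another hammers a single account, a third is an ordinary user logging in.
SAMPLE_LOG = """\
2020-10-01T10:00:01 203.0.113.7 alice fail
2020-10-01T10:00:02 203.0.113.7 bob fail
2020-10-01T10:00:03 203.0.113.7 carol fail
2020-10-01T10:00:04 203.0.113.7 dave fail
2020-10-01T10:00:05 203.0.113.7 erin ok
2020-10-01T10:00:06 198.51.100.9 admin fail
2020-10-01T10:00:07 198.51.100.9 admin fail
2020-10-01T10:00:08 198.51.100.9 admin fail
2020-10-01T10:00:09 198.51.100.9 admin fail
2020-10-01T10:00:20 192.0.2.44 frank ok
"""


def parse(log_text):
    """Yield (timestamp, ip, username, result) for each attempt line."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result


def classify(log_text, window=timedelta(minutes=5), threshold=4):
    """Map each IP making >= threshold attempts inside `window` to a verdict:
    mostly different usernames = credential stuffing, same account = brute force."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        by_ip[ip].append((ts, user, result))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        flagged, users, succeeded, start = False, set(), False, 0
        for end in range(len(events)):  # sliding time window over the attempts
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) < threshold:
                continue
            flagged = True
            users.update(u for _, u, _ in burst)
            succeeded |= any(r == "ok" for _, _, r in burst)
        if flagged:
            kind = "credential stuffing" if len(users) * 2 > len(events) else "brute force"
            if succeeded:  # a success inside a burst means an account is likely compromised
                kind += " (a login succeeded: review that account)"
            verdicts[ip] = kind
    return verdicts
```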

Attack Type #3: Shoulder Surfing

Shoulder surfing occurs when a malicious bystander observes the sensitive information you type on your keyboard or on your screen from over the shoulder.

This can occur anywhere, whether in an office space, in a coffee shop, on an airplane, etc. Anywhere you access or enter sensitive information while in a public venue can put your passwords at risk. If you are not aware of your surroundings when logging in to sites in public spaces, or in your office, then you can fall victim to this attack.

Be aware of your surroundings when authenticating into sites or resources and ensure no one is watching you. Privacy screens that block screen visibility can be protective if you frequently work in public spaces.

Attack Type #4: Social Engineering

Social engineering targets the weakest link in security: humans. These attacks are incredibly common and often fairly successful. Social engineering is primarily a psychological attack tricking humans into performing an action they might not otherwise do based on social trust. For example, an attacker might engineer their way into a corporate physical facility. Once inside, they could approach an employee and say they’re troubleshooting a problem with a very specific service, and their credentials aren’t working.

Social engineering can happen in many ways, including in person, over the phone, through social media, through email phishing. To protect yourself, verify the identity of anyone requesting sensitive information or passwords. Never share sensitive information, especially your passwords, with someone you don’t know, don’t trust, or cannot verify. If possible, never share your passwords with anyone, even if you do trust them.

If you have employees, have them participate in security awareness training to learn how to recognize different social engineering attacks and prepare for reporting and alerting others when a suspected social engineering attack targets an organization.

Never provide sensitive information or passwords to strangers, regardless of who they claim to be. If a help desk technician is calling you saying they need your credentials, verify with your boss first or just say no. In most cases, reputable service providers have alternate ways of obtaining information that will not require your credentials.

Attack Type #5: Phishing

While often considered a subcategory of social engineering, phishing is so prevalent that it deserves its own “attack” category. Phishing occurs when an attacker crafts an email to look like it is coming from a legitimate source in order to trick the victim into clicking a link or supplying sensitive information like passwords, social security numbers, bank account information, and more. These emails can range from beautifully crafted and imperceptibly close to the real deal to laughably simple and obviously fake.

Targeted phishing attacks, known as spear phishing, are incredibly effective and often appear to come from a trusted source such as a boss or coworker. If you receive an email from someone you trust asking for something unusual, verify that it was sent by the person who appeared to have sent it by calling them on the phone, talking to them in person, or using some other method of communication.

Verify the source of any email you receive by checking the email headers. We also recommend that you avoid supplying any sensitive information to someone you don’t fully trust. Never click links in emails as they can often lead to phishing kits designed to collect your credentials and hand them over to attackers. To check the validity of the information emailed to you, close your email, and type the name of the institution that purportedly sent the email into your browser location bar to login to their site.

Attack Type #6: Wireless Sniffing

An attacker using tools to examine network traffic can “sniff” the network to capture and read packets of data sent. Wireless sniffing captures data being sent between an unsuspecting user’s computer and the server that the client is making the request to. If a site isn’t using a TLS/SSL certificate, an attacker with these tools can easily obtain your passwords just by capturing the packets that are sent.

Use a VPN when accessing sites on public wifi so that an attacker cannot easily capture and read your data. If your WordPress site is not using a TLS/SSL certificate, your WordPress credentials are being sent in plaintext whenever you login. Ensure that you have a TLS/SSL certificate installed on your WordPress site to help keep your site visitors’ data, including passwords, safe in transit.

Attack Type #7: Man-in-the-Middle Attack

A Man-in-the-Middle attack occurs when an attacker intercepts traffic, acting as the receiving server of requests and subsequently observing all the traffic being sent to the server they are attacking before forwarding the packets to the legitimate server. This can occur in many different situations, from accessing a website from your home to accessing resources in an office.

Your best protection when it comes to man-in-the-middle attacks is to ensure the site you are visiting is trusted, and the SSL/TLS certificate installed on the site is valid. Google will alert you if there is something suspicious about the SSL/TLS certificate on a site, so if you get that warning, make sure to avoid entering any sensitive information or passwords into that site. You can also use a VPN so that your data remains encrypted when traversing any network.

Conclusion

Today, we covered some of the most common password stealing techniques in use today. Understanding these attack types is important to know how hackers can gain access to your passwords. By better understanding what attackers are doing, you can better understand what you need to do to protect yourself against password compromise.

This is the first of two related posts. We will be following up with an additional post diving into the top 10 Worst Password Mistakes We’ve Ever Seen.

We often recommend that you share our posts with colleagues and friends that are affected. Today we are asking that you share this post with everyone from your grandma to your next door neighbor. Password theft affects everyone. By sharing this post with everyone, we can hopefully raise awareness about password security and its importance, and make the internet a better and safer place for everyone.

The post Common Ways Attackers Are Stealing Credentials appeared first on Wordfence.
