This Week In Security: HaveIBeenPwned And Facebook Attack Their Customers

We’re fans of haveibeenpwned.com around here, but a weird story came across my proverbial desk this week — [Troy Hunt] wrote a malicious SQL injection into one of their emails! That attack string was a simple ';--

Wait, doesn’t that look familiar? You remember the header on the haveibeenpwned web page? Yeah, it’s ';--have i been pwned?. It’s a clever in-joke about SQL injection that’s part of the company’s brand. An automated announcement was sent out to a company that happened to use the GLPI service desk software. That company, which shall not be named for reasons that are about to become obvious, was running a slightly out-of-date install of GLPI. That email generated an automated support ticket, which started out with the magic collection of symbols. When a tech self-assigned the ticket, the SQL injection bug was triggered, and their entire ticket database was wiped out. The story ends happily, thanks to a good backup, and the company learned a valuable lesson.
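How a stored string like this can fire later, as an added example that is not from the original post and is not GLPI's actual code: a constructed `tickets` table in Python's `sqlite3`, where a hypothetical "assign" step pastes the stored title back into a SQL string, shown beside the parameterized form. The table, column and function names are assumptions for illustration.

```python
import sqlite3

# The string from the header quoted above; all other data is constructed.
TITLE = "';--have i been pwned?"

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, name TEXT, tech TEXT)")
    # Storing the title with bound parameters is safe: here it is only data.
    db.executemany("INSERT INTO tickets (name, tech) VALUES (?, NULL)",
                   [("Printer offline",), ("VPN reset",), (TITLE,)])
    return db

def stored_name(db, ticket_id):
    return db.execute("SELECT name FROM tickets WHERE id = ?",
                      (ticket_id,)).fetchone()[0]

def assign_concatenated(db, ticket_id, tech):
    """Flawed pattern (hypothetical): stored text is pasted into the SQL."""
    name = stored_name(db, ticket_id)
    sql = ("UPDATE tickets SET name = '" + name + "', tech = '" + tech +
           "' WHERE id = " + str(ticket_id))
    # With TITLE this becomes: UPDATE tickets SET name = '';--have i been ...
    # The quote closes the string, ';' ends the statement and '--' comments
    # out the rest, WHERE clause included, so every row is rewritten.
    return db.execute(sql).rowcount

def assign_parameterized(db, ticket_id, tech):
    """Same step with bound parameters: the title never reaches the parser."""
    name = stored_name(db, ticket_id)
    return db.execute("UPDATE tickets SET name = ?, tech = ? WHERE id = ?",
                      (name, tech, ticket_id)).rowcount

def names(db):
    return [row[0] for row in db.execute("SELECT name FROM tickets ORDER BY id")]

if __name__ == "__main__":
    bad, good = new_db(), new_db()
    print("concatenated :", assign_concatenated(bad, 3, "carol"), "rows", names(bad))
    print("parameterized:", assign_parameterized(good, 3, "carol"), "rows", names(good))
```

The injection only happens at the second use of the data, which is why input that was stored safely can still do damage when a later query is built by concatenation.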

When the Ransomware Decryptor is More Malware

We’ve seen a few instances of decryptor programs being released for ransomware. In some cases, the ransomware author made a blunder in their crypto, and in others, the decryption keys get released. Once the keys (or flaw) are known, security researchers often put together an automated decryption program.

The bad guys want to keep you from running them. In extreme contrast to a true decryptor, some men just want to watch the world burn. Using the name Zorab, this piece of malware claims to be a decryptor, but actually just adds a second layer of encryption. Touché, for now.

Docker Images

I’ve always been a bit skittish about Docker images, particularly those published by an untrusted third party. It seems that caution was warranted, at least according to a new report on the security of Docker images (pdf). Most of the results are as one would expect: Official images are more secure, JavaScript and Python are the languages where most vulnerabilities pop up, and Python 2 packages are the most problematic.

In related news, there is a new vulnerability scanner specifically for Docker images.

Facebook, a Hack, and a Predator

Modern security and privacy tools like Tor and the Tails distribution are amazing and potentially extremely useful. Journalists, protesters, and even whistleblowers find legitimate use for the tool set. However, every once in a while a story forces us to look straight into the ugly face of the dark side of the net. In this case, it’s a predator that used Tor to stalk and harass teenage girls on Facebook, and extort compromising photographs out of them.

The reason we’re talking about this case is that Facebook went to the extreme of hiring a security firm to develop an exploit specifically for their anonymous stalker. They found a zero-day in the Tails video player, and developed a full de-anonymizing attack. Facebook then handed the attack over to the FBI, who used it to finally catch Buster Hernandez.

It’s still unknown what the zero-day exploit was precisely, as disclosure never happened. Apparently the flaw was eventually removed from Tails through the process of normal updates, and never publicly identified as a vulnerability. It’s not entirely clear how long the FBI was in possession of the tool before the flaw was patched. It’s reasonable to suspect that it was used in other cases, though it’s not likely we’ll find out any time soon.

Was Facebook right to go to such extreme lengths to help capture a criminal who was abusing their platform? As a business decision, it was critical that they not allow that sort of activity to continue unchecked. Cooperating in hacking one of their users, though, is quite a blow to the trust their users have in the platform. I’m curious what our readers think about Facebook’s decision here.

Netgear

Have a need to compromise a Netgear device? The guys at GRIMM have your back. They just published a writeup on a buffer overflow in the Netgear HTTP service that runs on many of their SOHO devices. 28 devices, in fact.

This specific flaw was also independently discovered by [d4rkn3ss] and reported by the Zero Day Initiative.

The overflow is exploitable before user authentication, so this is a potentially nasty, wormable problem. It should go without saying, but don’t expose your router’s HTTP service to the internet.

Errata

Last week we covered an oddball hack using cmd.exe and relative paths to run commands. I forgot to credit [Julian Horoszkiewicz] for finding the hack in the first place.

27 thoughts on “This Week In Security: HaveIBeenPwned And Facebook Attack Their Customers”

  1. With all the stuff that’s gone on (that we know about) over the last few years, why would anyone with half a brain have any trust in Facebook at all? Why would anyone with half a brain still have a Facebook account?

      1. Wow, I have not seen that one before, but that interviewer must have been totally lost after this and regretting asking such a basic question to one of the most brilliant minds that ever existed. I love Feynman’s way of explaining things and I never truly understood gravity until listening to one of his lectures from a relativity series. I always thought I understood gravity, but after his lecture I knew I didn’t have a clue.

      2. Every time you ask why, the answer is far more complicated than you thought it could be. I’m reminded of this constantly, when writing this column, and when trying to talk to people face to face. Great clip.

    1. Because we compromise our security and anonymity in every interaction we take in life – shopping, walking, pooping (I’m sure there’s data that’d count as “sensitive” under GDPR in what you send to the sewers!). So we have to decide how much we’re willing to give up for what returns. That decision may be uninformed, or it may be informed; but just because you can’t extract significant value from using FB, doesn’t mean others can’t.

    2. > Why would anyone with half a brain still have a Facebook account?
      “Think of how stupid the average person is, and realize half of them are stupider than that.” — George Carlin.

  2. Fakebook has a strange group of “Standards”. When I still had an account, I “Reported” some obvious FAKE posts indicating I had “WON” a prize. The scam was, send my bank info, and the money will be sent directly to me.
    Clearly a scam. So, I report it, and Fakebook replies, “Not against our community standards”. WTF?

  3. You can argue about whether Facebook should have developed that hack.

    However, they did two things that are ABSOLUTELY UNACCEPTABLE.

    First, they turned around and gave the tool (and presumably knowledge of the bug and the exploit) to the FBI, which could have and probably did use it in cases that Facebook didn’t know anything about, and may very well have shared it with other government agencies. You do NOT let a tool like that leave your own hands, and you especially do NOT hand it over to an organization that’s known to have done various shady stuff in the past. The FBI’s own reports show that it’s not capable of disciplining itself to stay legal.

    Second, they did not report the vulnerability. There is absolutely no trace of an excuse for that. They SHOULD have reported it the instant they found it, even if they planned to exploit it. To not report it at all is way, way beyond the pale.

    1. That’s assuming the FBI didn’t supply the hack from their big library…
      And that FB weren’t responsible for it getting fixed through “normal updates”.

      Also they are under business pressure to clamp down on bad actors, so perhaps some helpfulness there buys them some good favour in another area.

      We just don’t know. But I agree, we still don’t like it.

      1. > That’s assuming the FBI didn’t supply the hack from their big library…

        Well, they said they hired a consultant who found it. If that’s a lie, it’s the lie upon which they have chosen to be judged. But I doubt that it is a lie.

        > And that FB weren’t responsible for it getting fixed through “normal updates”.

        It doesn’t matter if Facebook wrote the patch, submitted it, argued for it, and tracked it all the way through release. They’re still culpable if they didn’t specifically call it out as an exploitable security issue.

        People are less likely to *install* “normal updates” than security updates. Downstream forks are less likely to pick them up. People are less likely to learn from them. And if the project doesn’t know that it’s a security update, the “normal update” is likely to be a lot slower to get out.

        > Also they are under business pressure to clamp down on bad actors, so perhaps some helpfulness there buys them some good favour in another area.

        That would not even resemble a valid excuse for any of this.

  4. Was Facebook right?

    Was Facebook right to go to such extreme lengths to help capture a criminal who was abusing their platform?

    I guess the answer is in the question.

    Some apes don’t behave well in the group.

  5. Don’t do bad crap on the internet and you have nothing to worry about. Glad they caught the creep. I have no problem with social media platforms assisting law enforcement to rid us of pedos, terrorists, and bad actors. I wish more companies would be more proactive in helping.
