If you have any of these, follow these steps. Especially check Yahoo, since the new disclosure impacts 1 billion people
This week, several reported vulnerabilities across popular social media and email services again illustrated both the value of having experts test for such flaws and the limits of such testing when bigger problems are at hand.
First, Trustwave’s SpiderLabs discovered a vulnerability in Skype for OS X whereby, “A local program could by-pass authentication if they identified themselves as a Skype Dashboard widget program.” Skype insists it doesn’t program backdoors into its platform, but unfortunately this bug effectively acts as one, and the issue has apparently been around for five years without being caught.
Attackers could read notifications and messages, modify content, record calls, access chat, and also pull personal information out through this vulnerability. The Register advises that Mac users “update to version 7.37 or later to steer clear of the security blunder,” as any version before that one presents a risk.
Also this week, Israel-based cyber security consultants BugSec Group and Cynet discovered a vulnerability in Facebook Messenger that “allows attackers to read messages and view photos and other attachments sent by Messenger both from the web and from the mobile application.”
Facebook has now addressed the problem, but the researchers note that the null workaround “also potentially affects millions of websites using origin null restriction checks.”
Users of Facebook’s secret conversation option, which has end-to-end encryption, were not vulnerable, however.
The “Originull” attack, which can be delivered by code “planted anywhere on an external website controlled by the attacker,” executes a cross-origin bypass. The user does not actually have to click on a fake ad to fall victim: Just being on a website is enough. (Other means could have also been used, such as phishing emails.)
This allows a hacker to redirect the user’s inbox to a website of their choosing, by exploiting the fact that Facebook allows some of its sub-sites access to Messenger. The system normally rejects data requests that don’t have an authorized header that serves as a signature to verify it’s within Facebook, but because it also recognizes a common stand-in value (null), it’s possible to trick Messenger into thinking it’s communicating with an authorized party.
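The origin check described above, as an added example that is not from the article or from Facebook’s own code: a server-side origin allowlist written the weak way (treating the stand-in value “null” or a missing header as first-party) next to a strict version that only accepts an exact allowlisted origin. The hostnames are constructed for illustration.

```javascript
// Constructed allowlist of first-party origins (placeholder hostnames).
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://chat.example.com',
]);

// Weak check: a missing Origin header or the literal string "null" is
// accepted as first-party. Browsers legitimately send "Origin: null" for
// sandboxed iframes, data: and file: pages and some redirects, so any page
// can produce it; that is the mistake the "Originull" bypass relies on.
function isTrustedOriginWeak(origin) {
  if (origin === undefined || origin === 'null') return true;
  return TRUSTED_ORIGINS.has(origin);
}

// Strict check: absent, "null", malformed and lookalike origins are all
// rejected; only an exact scheme://host[:port] match against the allowlist
// passes. "null" is not parseable as a URL, so it fails here.
function isTrustedOriginStrict(origin) {
  if (typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  const normalised = `${parsed.protocol}//${parsed.host}`;
  // Reject trailing paths, userinfo tricks (https://app.example.com@evil)
  // and anything else that changes the string after normalisation.
  if (normalised !== origin) return false;
  return TRUSTED_ORIGINS.has(normalised);
}

// CORS response headers for a credentialed request, or null to refuse.
// Echoing the Origin back is only safe once the check has passed.
function corsHeadersFor(origin, check) {
  if (!check(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```

With the weak check, a request carrying `Origin: null` gets credentialed CORS headers back; with the strict check it is refused, which is the behaviour a mitigation should produce.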
For now, stick to Messenger’s secret conversation option, which is encrypted, to avoid this problem.
No bug bounty setup can help the email service here, and the delayed disclosure further inflames an already heated debate over how seriously Yahoo takes its users’ data privacy.
This would be the largest attack of its kind to date, surpassing not just the latter 2014 incident but any other breaches known to have happened at any other company.
Verizon, which bought Yahoo for $4.83 billion in July, is expected to ask for a discount in the sale price, at a minimum, in light of the move. According to Bloomberg, Verizon may be thinking about walking away from the deal altogether, though Verizon declined to offer any specifics.
If you have ever had a Yahoo account, Yahoo should have emailed you early this morning, advising you to change your password and check any associated accounts for suspicious activity.