Hackers Infiltrate Firefox, Prowl Non-AshMad Dating Websites and Share Porn at U. of New South Wales
Just another week in ThreatWatch, our regularly updated index of noteworthy data breaches.
In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:
Hacker Stole Cyberweapon from Mozilla’s Bug-fixing Website
Details of more than 50 critical security vulnerabilities were copied out of Mozilla's Bugzilla database, and at least one of those flaws was used to break into Firefox users' computers.
Bugzilla allows Mozilla developers to record vulnerabilities they discover and discuss potential fixes.
“Entries on critical bugs are blocked to all but privileged accounts long after a fix has been released to ensure that the bulk of Firefox users have installed the patch,” according to Computerworld.
An attacker was able to break into one of these privileged accounts and download security-sensitive information about flaws in Firefox and other Mozilla products, the company disclosed Sept. 4.
The legitimate account holder apparently used the same password on Bugzilla and on an unrelated website. The attacker breached that other site, recovered the password there, and logged into Bugzilla with it. A reused password turns any third-party breach into a breach of every account that shares it, which is why a privileged account on a bug tracker needs a unique password and, ideally, a second factor.
WHSmith Website Glitch Spams Private Customer Details
Because of an apparently flawed "contact us" form, whatever users entered on the retailer's help site was mistakenly sent on to hundreds of other WHSmith customers.
A WHSmith statement blamed the incident on a "bug" in a system belonging to I-subscribe, a company that manages its magazine subscriptions. "It is a bug, not a data breach,” WHSmith said.
The details leaked this way include the names, phone numbers, postal addresses and email addresses of people trying to contact WHSmith. Whatever the label, that personal data reached recipients who had no business seeing it.
It is unclear how many customers were affected.
Russian-speaking Crooks Hacked 97 Mostly Dating-related Websites
Batches of stolen login credentials from the sites were discovered on a server by Hold Security, a U.S. company that specializes in analyzing data breaches.
The information on that server also included a list of software vulnerabilities in the hacked sites, along with some notes written in Russian. The server itself was not password protected.
Many of the attacked sites were ones similar to the Ashley Madison infidelity site, while a few were job-related sites.
The hackers are not tied to the “Impact Team,” a group claiming credit for the intrusion into Ashley Madison.
The breached sites appear to have had SQL injection flaws: their web applications pasted user-supplied input straight into database queries, so an attacker could craft input that altered the query and read the underlying database, including the stored login credentials. The fix is to pass user input to the database as a bound parameter rather than splicing it into the query text.
The hackers essentially “are doing what security auditors would,” by externally probing websites for weaknesses, said Alex Holden, Hold Security’s founder and CTO.
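To make that flaw concrete, here is an added example (not code from Hold Security or from any of the breached sites) that builds a small constructed user table in SQLite and shows a login query written the vulnerable way beside the parameterized fix. The usernames, passwords and email addresses are made up, and the hash function is a stand-in for a real password hash. It also includes a probe of the kind the article attributes to the attackers: send a stray quote and see whether the application surfaces a database error.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Stand-in for a real password hash; production code would use a slow,
    # salted algorithm such as bcrypt or argon2, but the injection is the same.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build a constructed sample user table in memory (not data from any real site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", _hash("correct horse"), "alice@example.com"),
            ("bob", _hash("hunter2"), "bob@example.com"),
            ("admin", _hash("s3cr3t!"), "admin@example.com"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The flawed pattern: the username is spliced into the SQL text, so quotes,
    comment markers and keywords typed by the user become part of the query."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{_hash(password)}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The fix: the query text is constant and the driver binds the values,
    so a quote in the username is just a character inside a string."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, _hash(password)))]


def probe_for_injection(conn: sqlite3.Connection, login_fn) -> bool:
    """Auditor-style probe: a stray quote breaks a string-built query and the
    database throws an error. Returns True when login_fn is injectable."""
    try:
        login_fn(conn, "x'", "anything")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Authentication bypass: the comment marker removes the password check.
    print(login_vulnerable(db, "admin' --", "wrong"))
    # Credential dump: UNION pulls the hash column out through the username column.
    print(login_vulnerable(db, "' UNION SELECT password_hash FROM users --", "wrong"))
    # The same payloads are inert against the parameterized version.
    print(login_parameterized(db, "admin' --", "wrong"))
    print(probe_for_injection(db, login_vulnerable), probe_for_injection(db, login_parameterized))
```

The second vulnerable call is the one that matters for this story: a UNION payload turns a login form into a query that returns every stored password hash, which is exactly the kind of batch that ended up on the attackers' server.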
Hacked U. of New South Wales Facebook Page Shares Images of Porn with Prospective Students
On the day of the renowned Australian university's annual open day, its hijacked Facebook page began posting graphic photos of porn star Mia Khalifa, along with pictures of Mexican guns and instructions on how to French kiss.
After being locked out of the school’s Facebook page, UNSW system administrators made several attempts to contact the social network. Administrators eventually “regained access to the site through other means” and removed the racy content, university officials said.
One bogus post showed a woman’s bare cleavage exposed in an American customs officer uniform.
Hundreds of bewildered students voiced their confusion on Facebook, with some posts amassing more than 800 Facebook likes.
Adam Hongru Liu wrote: "If you can't even secure a freaking Facebook account, how can you be called the leading engineering institute in au?! Even a 10 year-old boy knows that."