In the headlines: Malwarebytes, eBay vulnerability, NASA hack, Waitrose website holes and more

Malwarebytes found to have four vulnerabilities

Malwarebytes, a free anti-malware tool with 250 million users, has been exposed as having four vulnerabilities. The main one described involves the software fetching signature updates via unencrypted HTTP, which could allow an attacker to set up a man-in-the-middle attack. The vulnerabilities are the latest found in a number of discoveries by Google’s Project Zero researcher Tavis Ormandy, who has recently been disclosing a range of vulnerabilities in antivirus software. Malwarebytes have said that they expect to have a patch ready with 3-4 weeks.

eBay refuse to patch ‘severe’ vulnerability

Not for the first time, eBay has been found to be vulnerable to a Persistent XSS vulnerability which could allow an attacker to inject malicious code, by bypassing eBay’s code validation process. Researchers easily managed to include non-standard JavaScript code (JSFUCK) to embed malicious JavaScript into a listing. Users could be tricked into giving their details, or a malware download could be triggered. eBay have admitted that they have no plans to patch this vulnerability, despite having 162 million users in 30 countries and claim that no attacks have been reported as a result of the vulnerability.

EU and US strike new data sharing agreement

A new pact has been made and outlined between the EU and US, to allow continued sharing of data. It’s been dubbed ‘Privacy Shield’ and basically consists of an annual assurance from the US that they will not carry out surveillance of European citizens. This comes just months after the similar ‘Safe Harbor’ agreement was declared invalid by the European Court of Justice. Such an agreement is needed to protect European data when it’s shared with companies in the US, as in the US the data protection regulations are far less stringent. The pact does immediately cover US companies but is yet to gain full political approval, which could take months.

Vulnerabilities found in two children’s IoT products

Two new flaws in internet-connected ‘smart’ toys have been revealed. Both involving the web service authentication process, the flaws could give attackers access to children’s personal information. The affected toys were a smart teddy bear from Fisher Price and a smartwatch by toy company HereO. Both manufacturers have since fixed the vulnerabilities.

NASA hacked as attackers attempt to crash drone

Hacktivism group Anonsec have again been targeting NASA, this time managing to gain control of a $222m drone. Fortunately, NASA employees managed to take manual control of the drone before it could be crashed into the sea. Anonsec have been targeting NASA for some time, already releasing 276GB of stolen data including personal employee information. The group have even gone so far as to publish details about how they gained access to NASA. After purchasing some insider knowledge of NASA servers, they pentested the network and then managed to break the Admin SSH password in under 1 second before using a hidden packet sniffing tool. NASA themselves are denying that a successful hack took place or that there was any threat to the drone.

Oracle ditches Java plugin for security reasons

Some good news in Java security: Oracle have announced that the next version of their Java software will be dropping support for Java Applets to the user’s web browser. As described by security reporter Brian Krebs, Java plugins have been widely exploited by attackers for ‘drive-by’ malware downloads, as many users have outdated versions of the plugins. Considering 89% of machines in the US run Java in some form, this is a hugely effective form of attack. In 2013 for example, the Flashback Trojan exploited Java plugins to enroll more than 600k Mac OS machines in a huge botnet. Until the new version is released, it’s important that users ensure their plugin is either updated or remove it altogether.

Troy Hunt picks holes in Waitrose’s website security

Following a query from a reader, Troy Hunt has taken a closer look at the security of UK supermarket Waitrose’s website. Waitrose is one of the biggest UK supermarket chains, netting 5.5 billion pounds a year. Basically, their login form is not secure. Although, when submitted it uses HTTPS so is encrypted, when the form first loads it is not secure and if JavaScript is disabled then the form will be sent over HTTP, therefore not encrypted. An attacker could carry out a man-in-the-middle attack, sending form entries to their own site before going through to Waitrose. Waitrose were quoted as saying that their security consultants had approved the setup, which Hunt points out is only more worrying. In light of the publicity this story has received, we expect Waitrose might very soon make some changes.

Massive JavaScript scam campaign targets WordPress sites

A new advertising scam malware campaign is targeting visitors to WordPress sites. By injecting malicious JavaScript into targeted sites, visitors are given a cookie which allows cyber criminals to generate fraudulent advertising income. By injecting encrypted malicious code at the end of all WordPress site JavaScript files, attackers create numerous backdoors on the web server and constantly update the code, making the infection very hard to get rid of. Site owners either need to isolate each of their sites or clean them all simultaneously to get rid of the malware.