News in Russian, problem report in English
An illiterate letter to a partner or customer can seriously damage a reputation. But checking its spelling and punctuation, as it turned out, could make it public. A serious vulnerability was discovered in Grammarly, a service for finding errors in English text: it allowed outsiders to obtain users' authentication tokens with a simple script and, with them, access to their documents.
Grammarly provides extensions for popular browsers, including Chrome, and it was in the Chrome extension that the bug was found: it allowed any website to generate tokens corresponding to Grammarly's cookies. With these tokens, manually or with a script, an attacker could log in to the service's main site on behalf of registered users and view their records, documents, history and other personal data.
To the developers' credit, they reacted almost instantly. Grammarly and Google together fixed the problem and released an updated extension within a few hours, not only for Chrome but also for Firefox.
Government mining
The popular Coinhive mining script turned up on 4275 sites, including manchester.gov.uk, nhsinform.scot, uscourts.gov and other government portals around the world. For four hours the malicious code mined Monero using 40% of visitors' CPU power. The cause turned out to be a compromised BrowseAloud plugin from Texthelp, which converts text to speech and is usually used to make sites easier to use for people with poor eyesight.
After researchers reported the problem, Texthelp took the plugin offline and promptly investigated. Fortunately, the damage really was limited to cryptomining. Given that the extension passes all the text on a page through itself in order to read it aloud, and that some of the affected sites have personal accounts with access to financial and other private information, a large-scale leak of confidential data could also have been expected, but it did not happen.
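The incident is a textbook third-party script compromise: the sites trusted whatever Texthelp's servers served. The following Python script is an added example, not code from the news item, from Texthelp or from any of the affected sites. It audits a page's own HTML for third-party script includes that carry no Subresource Integrity (SRI) attribute, and shows how an SRI hash is computed and checked. Had a site pinned the BrowseAloud script this way, the browser would have refused to execute the modified copy. The hostnames and the page markup below are constructed for the demonstration.

```python
"""Audit third-party <script> includes for missing Subresource Integrity (SRI).

Added example. All hostnames and the sample page are constructed; the
"sha384-placeholder" value stands in for a real pinned hash.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag that has a src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attrs = dict(attrs)  # bare attributes (e.g. `integrity`) map to None
            if attrs.get("src"):
                self.scripts.append(attrs)


def find_unpinned_scripts(html, first_party_host):
    """Return the src of every script loaded from another host without an integrity attribute.

    Same-origin and relative includes are skipped: SRI matters for code
    served by someone else, which is exactly what a compromised vendor
    script is.
    """
    parser = ScriptCollector()
    parser.feed(html)
    unpinned = []
    for attrs in parser.scripts:
        src = attrs["src"]
        host = urlparse(src).hostname  # None for "/js/app.js"; works for "//cdn/x.js"
        if host is None or host == first_party_host:
            continue
        if not attrs.get("integrity"):
            unpinned.append(src)
    return unpinned


def sri_hash(body, algo="sha384"):
    """Compute the integrity value browsers expect: "<algo>-<base64 digest>"."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body, integrity):
    """Re-hash the fetched body and compare it with the pinned value, as the browser does."""
    algo, _, _ = integrity.partition("-")
    return sri_hash(body, algo) == integrity


# Constructed sample page: one first-party script, one unpinned third-party
# script (the BrowseAloud-style include), one third-party script with SRI.
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://thirdparty.example/speech-widget.js"></script>
<script src="https://cdn.example/lib.js"
        integrity="sha384-placeholder" crossorigin="anonymous"></script>
</head><body><p>Council services</p></body></html>
"""

if __name__ == "__main__":
    for src in find_unpinned_scripts(SAMPLE_PAGE, "www.example.gov"):
        print("third-party script without SRI:", src)

    # Pinning a known-good copy, then detecting a modified one.
    known_good = b"window.speechWidget = {};"
    pinned = sri_hash(known_good)
    print(pinned)
    print("unchanged body accepted:", verify_sri(known_good, pinned))
    print("altered body accepted:  ", verify_sri(known_good + b"/* injected */", pinned))
```

Run it against the saved HTML of your own pages; every URL it prints is a vendor whose silent change your visitors would execute. The trade-off is operational: a pinned hash must be updated whenever the vendor legitimately changes the script, so SRI suits stable widgets and has to be combined with a process for reviewing and re-pinning updates.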
CAPTCHA in reverse
We are used to taking information security seriously, yet someone uses security tools as... material for art! Online performance artist Damjan Pita, known by his nickname Damjanski, staged a virtual performance that turns the CAPTCHA inside out: he decided to build a website exclusively for bots.
The reverse CAPTCHA consists of nine pictures blurred so heavily that only a specially trained program, or a very short-sighted person who has never worn glasses, can make out the objects in them. The visitor is asked to select those that contain a specific item, such as a computer or a lamppost. A visitor who fails to solve a puzzle designed for the capabilities of artificial intelligence is told: "You're a human. You're not invited."
According to Damjanski, he keeps refining the test and complicating the blur mechanism, while visitors actively invent ways to decipher the pictures. Besides devising algorithms to solve the puzzle, however, there is a simpler, if unreliable, way to pick the right pictures: trial and error. Some succeed.
Want to prove that you are a robot? Welcome!
Antiquities
Amstrad Family
A family of non-resident, dangerous viruses.
Common features:
- All .COM files in the current directory are infected.
- The virus writes itself to the beginning of the file.
- Reinfection is possible.
- Long files can be destroyed.
Some versions of the virus reveal themselves quickly: starting with the fifth "generation" of the virus, when an infected program is run there is a probability of 1/2 that the following message appears on the screen: "Program sick error: Call doctor or buy PIXEL for cure description".
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It is a matter of luck.