[German]Today again an overview of security issues in IT. It's about a data leak at a startup that does payment processing, about weaknesses in smart home and compromised apps up to a hacked ad server.
Advertising
Data leak at Startup Paay
Paay is a start-up company in the field of payment transactions. Now a huge database has appeared, in which credit card transactions from eight months are openly stored. The data also includes the complete credit card numbers in plain text. The security researcher Anurag Sen has found the open database on the Internet. It was probably created on April 3, 2020 for a new service, but forgot to protect the database. Techchrunch has written up the story in this article. In the following tweet, Zack Whittaker points out the statement of the company founder.
Paay's co-founder disputed the findings. "We don't store card numbers, as we have no use for them," he said. So we sent him a portion of the exposed data showing card numbers in plaintext. We didn't hear back. (We blanked out the full numbers below.) https://t.co/rKPx3G1BCP pic.twitter.com/txqctqI1M5
— Zack Whittaker (@zackwhittaker) April 22, 2020
He denies that there are credit card numbers in the database because you don't need them. Techchrunch sent him a record with that exact same information and he didn't hear anything.
Vulnerabilities in several smart home hubs
Security provider ESET has developed so-called smart home hubs, which can be used to control household devices. The following tweet links to the article with details.
Serious flaws found in multiple smart home hubs: Is your device among them?
https://t.co/0kqdGyPVmE via @welivesecurity— Aryeh Goretsky (@goretsky) April 22, 2020
Advertising
Result of the investigation: There are serious weaknesses in various smart home hubs. Eset has disclosed the details in this blog post.
Revive AD Server hacked
Most online publishers use hosted ad server platforms like Google Ad Manager to serve their ads (this is the case in my blogs). Some publishers use self-hosted ad serving platforms to give them more control and flexibility in delivering their ads. One self-hosted open source platform that has been around for the past ten years is the Revive Ad Server.
Revive ad servers being hacked to distribute malicious ads – by @LawrenceAbramshttps://t.co/MUFaj3xA2K
— BleepingComputer (@BleepinComputer) April 22, 2020
It has now been revealed that the malvertising group Tag Barnakle is hacking into Revive's ad servers to deliver malicious advertising. The security company Confiant claims that about 60 servers are affected. Bleeping Computer has made a contribution to this, which is linked to in the above tweet.
OnePlus 7 Pro: Pull a fingerprint bitmap from sensor
The fingerprint sensor of the OnePlus 7 Pro Android smartphone have had a vulnerability. Attackers could pull the bitmap of a fingerprint.
Vulnerability lets attacker retrieve fingerprint bitmap data from OnePlus 7 Pro Android phoneshttps://t.co/fYsMfZNoaj pic.twitter.com/mKbtStTXlo
— Catalin Cimpanu (@campuscodi) April 23, 2020
In the meantime, the manufacturer has released a firmware update to close the vulnerability.
