Daily Digest (8/25)

Hackers Can Exploit Unpatched Flaw in Google Drive; WeChat Users Sue WH Over Messaging App Ban; Big Chinese Ad Network Collects Private Data, Reroutes Clicks; Hackers Posing as HR Staff Sending Fake Layoff Notices.

Hackers Can Exploit Unpatched Flaw in Google Drive

An unpatched security flaw in the “manage versions” functionality of Google Drive could allow hackers to distribute malicious files disguised as legitimate ones.

The flaw was discovered by A. Nikoci, a system administrator who reported the flaw to Google and later to The Hacker News, according to Edex Live.

“The affected functionality allows users to upload a new version with any file extension for any existing file on the cloud storage, even with a malicious executable,” Nikoci told Hacker News.

“A legitimate version of the file that’s already been shared among a group of users can be replaced by a malicious file.”

Last week, Google patched a bug that affected their Gmail and G-Suite emails. The company recently also experienced outages in both its Gmail and Drive services.

WeChat Users Sue WH Over Messaging App Ban

In a bid to block the executive order barring access to WeChat, some U.S.-based users have sued President Donald Trump.

The nonprofit group U.S. WeChat Users Alliance and several individuals sued Friday in San Francisco, citing the app's use for work, religion and staying in touch with relatives in China, The Associated Press reports.

The lawsuit alleged that the Aug. 6 executive order violated users’ freedom of speech, free exercise of religion and other constitutional rights.

“We think there’s a First Amendment interest in providing continued access to that app and its functionality to the Chinese-American community,” Michael Bien, one of the plaintiffs’ attorneys, told AP.

Trump ordered bans on transactions with the Chinese owners of WeChat and TikTok, saying they were a threat to U.S. national security, foreign policy and the economy, AP reports.

Big Chinese Ad Network Collects Private Data, Reroutes Clicks

A Chinese mobile advertising firm has modified code in a software development kit that’s part of more than 1,200 apps, collecting user activity and performing fraud, a software security firm disclosed Monday.

The apps, exceeding 300 million collective monthly downloads, have incorporated a software development kit (SDK) from a Chinese advertising service, Mintegral, the Snyk firm reports.

The kits have malicious code that spies on user activity and steals potential revenue from competitors, the company said.

The malicious capabilities were integrated into the SDKs in July 2019, Snyk told DarkReading.com.

Normally a way for developers to monetize their applications, SDKs can include functionality that developers might not know about.

The Mintegral software has reassigned advertising clicks so that it profits from advertising fees intended for other ad networks, and has passed along full URLs of pages associated with various applications, potentially exposing security tokens and other sensitive information.

“This is not visible to developers, because they are not stealing every click,” said Danny Grander, Snyk’s co-founder and chief security officer.

“It is probabilistic — and developers do not spend their time analyzing every line of code and any binaries that are incorporated into their apps.”

The company briefed Apple on the results of the investigation last Friday, DarkReading reports. Mintegral did not respond to a request for comment.

Hackers Posing as HR Staff Sending Fake Layoff Notices

Cybercriminals disguised as HR personnel are sending layoff emails to employees to push malware onto users’ devices and access company networks.

Experts at the Kaspersky cybersecurity firm encountered phishing emails alerting employees to various HR topics, including changes in medical-leave plans and worker dismissals, TimesNowNews.com reports.

Once an employee opened the email, hackers could access personal data, enter the network of an organization or push malware onto company devices.

Phishing attacks continue to become increasingly targeted and even use delivery notifications, Kaspersky said in a quarterly report on spam and phishing.

— By DPN Staff