Glassdoor corrects CSRF bug. Spotify addresses privacy issues. Outlook update phishbait. Faculty discussions leaked.

Summary

By the CyberWire staff

At a glance.

CSRF vulnerability found and corrected in Glassdoor.
Spotify addresses security issues.
Outlook updates as phishbait.
Recorded discussions in a faculty lounge (sorry, students).

A bug bounty hunter finds a security bug and Glassdoor fixes it.

A bug bounty hunter has discovered a critical vulnerability on employer review platform Glassdoor’s web domain, reports ZDNet. The flaw, which earned a severity score of 9-10, involves a cross-site request forgery (CSRF) that, if exploited, could allow attackers to hijack user accounts. The bounty hunter, who earned a $3,000 reward, actually found the bug by mistake when he mistyped a request attempt and received an unexpected result. The issue was reported to Glassdoor’s security team last February, after which they promptly patched the bug, but it was not disclosed to the public until this month.

CSRF is a risk any number of web applications are susceptible to. Jayant Shukla, Co-Founder and CTO of K2 Cyber Security, wrote us:

"The discovery of a CSRF vulnerability in the Glassdoor site is a good reminder that CSRF remains a critical web application risk, and has appeared often on the OWASP Top 10 web application risks list. The fact that CSRF vulnerabilities continue to exist in web sites and applications like Glassdoor shows that not enough organizations test and protect their websites and applications against common web application vulnerabilities. NIST recently updated their SP800-53 Security and Privacy Framework to add focus on these issues by including RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). These types of security solutions more effectively target the risks outlined by the current and past OWASP Top 10 lists."

Spotify addresses security issues.

As the CyberWire noted last week, Spotify experienced its third data breach in the past month, and now Threatpost reports that the music streaming platform has followed up with details. According to Spotify’s statement, user emails, display names, passwords, genders, and dates of birth were inadvertently exposed to a third-party business associate due to a software vulnerability that surfaced last April and was resolved in November. Spotify stated that the individuals who might have viewed the private information have been contacted and asked to delete it, the Daily Swig reports. Spotify is advising users to change their passwords not just for Spotify, but also for any accounts tied to the same email account. Just a few days before the breach several musician profiles were hijacked by a threat actor (and Taylor Swift fan, based on his enthusiastic posts) named “Daniel.” And last month Spotify accounts were compromised in a credential-stuffing operation in which cybercriminals tested stolen login info on a variety of services.

Phishers use Microsoft Outlook update as bait.

Researchers at Abnormal Security have discovered a phishing campaign that is attempting to steal users’ Office 365 credentials, BankInfoSecurity reports. The threat actors are sending emails appearing to originate from the user’s company IT department requesting that the user update Microsoft Outlook to the most recent version. The email mentions a twenty-four-hour deadline and even throws in the additional lure of a COVID-19 employee symptom tracker for good measure. A link directs the user to a webpage mimicking an Outlook login page where the credentials will be harvested. About 80,000 victims have received the email so far.

Ever wish you could eavesdrop on the faculty lounge? (Us neither, honest.)

Galway-Mayo Institute of Technology (GMIT) in Galway, Ireland accidentally leaked a video of lecturers discussing student grades, reports TheJournal.ie. The video, which has been circulating on social media, appears to have been recorded without the faculty’s knowledge as they discussed the performance of individual students—mentioned by name—on a recent assignment. GMIT’s president released a statement on the school’s website apologizing for the incident: “GMIT is known as a student-centred institute and some of the comments made by our staff do not reflect the values to which we aspire.”

Selected Reading

Twitter Fined for Breaking EU Privacy Law in First for U.S. Tech Firm (Wall Street Journal) Two and a half years after going into effect, the European Union’s new privacy law has its first fine for an American tech company in a cross-border case—an overdue development, critics say.

FTC Demands Social-Media, Operations Data From Big Tech Companies (Wall Street Journal) The orders demand the companies turn over detailed, private business information about how they track Americans’ online activities and how they use that data.

FTC orders Amazon, Facebook and others to explain how they collect and use personal data (CNBC) Amazon, TikTok owner ByteDance, Discord, Facebook and its subsidiary WhatsApp, Reddit, Snap, Twitter and Google-owned YouTube were each sent the orders.

FTC launches sweeping privacy study of top tech platforms (Axios) The move appears to be a wide-reaching inquiry into everything major tech companies know about their users and what they do with that data

FTC launching broad probe into big tech privacy/data practices - Axios (NASDAQ:AMZN) (SeekingAlpha) The Federal Trade Commission is launching a broad inquiry into privacy and data collection practices at big tech firms, Axios reports.

Australian travel agency criticized over coding event that exposed sensitive user data to external software developers (The Daily Swig) When a ‘design jam’ ends up costing thousands of dollars in new passports

Desjardins had 'series of gaps' in system, leading to massive data breach (Yahoo) The Privacy Commissioner said the financial services cooperative breached several aspects of the privacy act.

Data leak exposes identities of 2m Chinese Communist Party members (teiss) A database stolen from a government server in Shanghai has exposed the identities of two million members of the Chinese Communist Party.

Spotify Changes Passwords After Another Data Breach (Threatpost) This is the third breach in the past few weeks for the world’s most popular streaming service.

Spotify security vulnerability exposed personal data to business partners (The Daily Swig) Music streaming giant believes flaw was present for about seven months

Kaspersky: Gamers face high and ongoing risk of identity theft and bullying (TechRepublic) A survey of gamers worldwide found that gamers deal with bullying and theft of in-game valuables in addition to identity theft.

Phishing Campaign Uses Outlook Migration Message (BankInfo Security) An ongoing phishing campaign designed to harvest Office 365 credentials is using a Microsoft Outlook migration message, according to researchers at Abnormal

GMIT apologises for 'data breach' after lecturers recorded discussing student grades (TheJournal.ie) The video has circulated on social media in recent days.

'A toxic cesspit': Head of Perthshire 'data breach' holiday resort resigns with broadside at members (The Courier) The head of a troubled holiday complex has resigned with a stinging attack on a group of fellow committee members and timeshare owners who he blames for turning the resort into a "toxic cesspit".

CSU San Marcos was hacked in October (EdScoop) Students, staff and faculty were notified earlier this year that a malicious actor had accessed sensitive data, prompting an upgrade to multi-factor authentication.

Students targeted with university-themed phishing emails (TechRadar) Scam looks to steal Office 365 credentials

Cruise Company Hurtigruten Hit By 'Serious' Cyber Attack (gCaptain) Norwegian cruise company Hurtigruten said it had suffered a serious ransomware cyber attack on Monday and several of its systems are paralysed....

More Than 45 Million Medical Images Openly Accessible Online (BusinessWire) The analyst team at CybelAngel has discovered that more than 45 million medical imaging files are freely accessible on unprotected servers.

Medical Imaging Files Exposed on Unprotected Servers (CybelAngel) A report uncovered more than 45 million medical imaging files – including X-rays and CT scans – are freely accessible on unprotected servers.