At a glance.
- CSRF vulnerability found and corrected in Glassdoor.
- Spotify addresses security issues.
- Outlook updates as phishbait.
- Recorded discussions in a faculty lounge (sorry, students).
A bug bounty hunter finds a security bug and Glassdoor fixes it.
A bug bounty hunter has discovered a critical vulnerability on employer review platform Glassdoor’s web domain, reports ZDNet. The flaw, which earned a severity score of 9-10, involves a cross-site request forgery (CSRF) that, if exploited, could allow attackers to hijack user accounts. The bounty hunter, who earned a $3,000 reward, actually found the bug by mistake when he mistyped a request attempt and received an unexpected result. The issue was reported to Glassdoor’s security team last February, after which they promptly patched the bug, but it was not disclosed to the public until this month.
CSRF is a risk to which a great many web applications are susceptible. Jayant Shukla, Co-Founder and CTO of K2 Cyber Security, wrote us:
"The discovery of a CSRF vulnerability in the Glassdoor site is a good reminder that CSRF remains a critical web application risk, and has appeared often on the OWASP Top 10 web application risks list. The fact that CSRF vulnerabilities continue to exist in web sites and applications like Glassdoor shows that not enough organizations test and protect their websites and applications against common web application vulnerabilities. NIST recently updated their SP800-53 Security and Privacy Framework to add focus on these issues by including RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). These types of security solutions more effectively target the risks outlined by the current and past OWASP Top 10 lists."
Spotify addresses security issues.
As the CyberWire noted last week, Spotify experienced its third data breach in the past month, and now Threatpost reports that the music streaming platform has followed up with details. According to Spotify’s statement, user emails, display names, passwords, genders, and dates of birth were inadvertently exposed to a third-party business associate due to a software vulnerability that surfaced last April and was resolved in November. Spotify stated that the individuals who might have viewed the private information have been contacted and asked to delete it, the Daily Swig reports. Spotify is advising users to change their passwords not just for Spotify, but also for any accounts tied to the same email address. Just a few days before the breach, several musician profiles were hijacked by a threat actor (and Taylor Swift fan, based on his enthusiastic posts) named “Daniel.” And last month Spotify accounts were compromised in a credential-stuffing operation in which cybercriminals tested stolen login info on a variety of services.
Phishers use Microsoft Outlook update as bait.
Researchers at Abnormal Security have discovered a phishing campaign that is attempting to steal users’ Office 365 credentials, BankInfoSecurity reports. The threat actors are sending emails appearing to originate from the user’s company IT department requesting that the user update Microsoft Outlook to the most recent version. The email mentions a twenty-four-hour deadline and even throws in the additional lure of a COVID-19 employee symptom tracker for good measure. A link directs the user to a webpage mimicking an Outlook login page where the credentials will be harvested. About 80,000 victims have received the email so far.
Ever wish you could eavesdrop on the faculty lounge? (Us neither, honest.)
Galway-Mayo Institute of Technology (GMIT) in Galway, Ireland accidentally leaked a video of lecturers discussing student grades, reports TheJournal.ie. The video, which has been circulating on social media, appears to have been recorded without the faculty’s knowledge as they discussed the performance of individual students—mentioned by name—on a recent assignment. GMIT’s president released a statement on the school’s website apologizing for the incident: “GMIT is known as a student-centred institute and some of the comments made by our staff do not reflect the values to which we aspire.”