At a glance.
- Vulnerability in India’s Aadhaar system could allow for identity fraud.
- Snap snafu allows political advertisers access to opposition’s data.
- North Face customer data accessed.
Vulnerability in India’s Aadhaar system could allow for identity fraud.
An academic paper recently published by researchers at Johns Hopkins University highlights privacy issues in Aadhaar, India’s nationwide identification system. Cybernews explains that, after probing the Aadhaar system for vulnerabilities, the paper’s authors found a cryptographic issue that could allow a hacker to commit identity fraud by reverse engineering the string of numbers that Aadhaar uses to initialize its encryption. The researchers found that the bug has been present since the app’s early development stages, which suggests that Aadhaar’s designers did not attempt to resolve the issue despite being aware of the dangers. The researchers acknowledge that the bug is not currently exploitable on its own, because the payload is encrypted, but if a hacker were to penetrate the system by some other means the weakness could allow for identity theft. The paper suggests a simple, if imperfect, workaround: derive that value from the entire timestamp rather than from just a few of its bits.
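The report gives only the outline of the weakness, so the following is an added illustration, not code from the paper or from Aadhaar, of the general class of problem it describes: an initialization value built from only a few bits of a timestamp can take only a few distinct values, so it repeats, and in any nonce-based mode a repeated key/IV pair lets an attacker cancel the keystream between two messages without knowing the key. The derivation `iv_from_timestamp`, the SHA-256-based toy keystream standing in for the real cipher, and all sample inputs are assumptions made for this demonstration; the real scheme may differ.

```python
"""Why an IV derived from a few timestamp bits is weak (added illustration)."""
import hashlib
import itertools


def iv_from_timestamp(ts_micro: int, bits: int, iv_len: int = 16) -> bytes:
    """Build a 16-byte IV from the low `bits` bits of a microsecond timestamp.

    bits=4 models "just a few bits"; bits=64 models "the entire timestamp".
    This derivation is a hypothetical stand-in, not Aadhaar's actual code.
    """
    mask = (1 << bits) - 1
    return (ts_micro & mask).to_bytes(iv_len, "big")


def distinct_ivs(timestamps, bits: int) -> int:
    """How many different IVs a set of timestamps actually produces."""
    return len({iv_from_timestamp(t, bits) for t in timestamps})


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: SHA-256(key || iv || counter), block by block.

    A stand-in for a real cipher in a nonce-based mode; the only property
    that matters here is that key and IV fully determine the keystream.
    """
    out = b""
    for ctr in itertools.count():
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return out[:length]


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream (stream-mode encryption)."""
    ks = keystream(key, iv, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_second_plaintext(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """If ct1 and ct2 share key and IV, ct1 XOR ct2 == pt1 XOR pt2, so a known
    pt1 yields pt2 directly. No key material is needed."""
    n = min(len(ct1), len(ct2), len(known_pt1))
    return bytes(a ^ b ^ c for a, b, c in zip(ct1[:n], ct2[:n], known_pt1[:n]))


# Constructed demo inputs (not real keys, timestamps or records).
KEY = hashlib.sha256(b"constructed demo key, not a real one").digest()
BASE_TS = 1_700_000_000_000_000            # microseconds, constructed
TIMESTAMPS = [BASE_TS + i for i in range(1000)]
PT1 = b"record one, constructed sample text"
PT2 = b"record two, attacker wants this one"


def attack(bits: int) -> bytes:
    """Encrypt two records 16 microseconds apart, then attempt IV-reuse recovery."""
    iv1 = iv_from_timestamp(BASE_TS + 5, bits)
    iv2 = iv_from_timestamp(BASE_TS + 5 + 16, bits)   # same low 4 bits as iv1
    ct1 = encrypt(KEY, iv1, PT1)
    ct2 = encrypt(KEY, iv2, PT2)
    return recover_second_plaintext(ct1, ct2, PT1)


if __name__ == "__main__":
    print("distinct IVs from 1000 timestamps, 4 bits: ", distinct_ivs(TIMESTAMPS, 4))
    print("distinct IVs from 1000 timestamps, 64 bits:", distinct_ivs(TIMESTAMPS, 64))
    print("recovered with 4-bit IV: ", attack(4))
    print("recovered with 64-bit IV matches PT2?", attack(64) == PT2)
```

With four timestamp bits a thousand messages share only sixteen IVs, so two records encrypted sixteen microseconds apart collide and the second plaintext falls out of the XOR of the two ciphertexts; with the full timestamp the IVs differ and the same recovery produces noise. Using the whole timestamp shrinks the collision rate but does not remove it (two messages in the same microsecond still collide), which is why the paper calls the workaround imperfect; a random IV or a strictly increasing counter is the usual fix.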
Snap snafu allows political advertisers access to opposition’s data.
Social media giant Snap inadvertently allowed leading Democratic campaigns and party committees to access Republican voter data, and records show that the data was used to help several organizations target their ad campaigns on messaging platform Snapchat. Organizations including the Democratic National Committee, the Democratic Senatorial Campaign Committee, the Planned Parenthood Action Fund, and Georgia Democrat Stacey Abrams' gubernatorial campaign gained access to data maintained by the Republican-aligned firm i360. i360 makes data available to other advertisers on the platform, but normally limits availability to a pre-approved list of allied organizations. An oversight in Snap’s system allowed non-approved entities access to the data.
Axios notes that data from TargetSmart, i360’s progressive counterpart, was also inadvertently accessed and used to target ads from conservative media outlet the Daily Wire, but to a lesser extent. The issue was accidental on Snap’s part, and there’s no evidence that any of the advertisers were aware they were using i360 data. A Snap spokesperson stated, “We take full responsibility for this mistake, and as soon as we became aware of it, we notified the two Democratic and Republican vendors who were equally impacted, and took action to correct the issue. We are also taking steps to ensure this doesn’t happen again.” Nonetheless, veteran Republican digital strategist Eric Wilson said the incident should make i360 clients wary of how their data is being used. "i360’s Republican clients and their donors will be surprised to learn that their data is being used to help Democrats, Planned Parenthood and other opponents. They should ask if and how their campaign activities were used to enhance the data provided via Snapchat,” Wilson stated.
That fleece jacket could come with a hidden cost.
Bleeping Computer reports that outdoor apparel brand North Face suffered a large-scale credential stuffing attack that compromised over 190,000 accounts on the thenorthface.com website. The attack, which began in July, was detected by the website’s administrators on August 11 and stopped on August 19. Before it was stopped, however, the attackers had broken into nearly 200,000 accounts and accessed user data including full names, purchase histories, street addresses, and phone numbers. The company’s breach notification states, “We do not keep a copy of payment card details on thenorthface.com. We only retain a ‘token’ linked to your payment card, and only our third-party payment card processor keeps payment card details.” VF Corporation, parent company of North Face as well as other household names like Vans, Timberland, and Eastpak, is notifying all customers impacted by the breach, and all thenorthface.com account passwords have been reset.
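Credential stuffing leaves a recognizable shape in authentication logs: one source address cycling through many different usernames with mostly failed logins, or one account probed from many addresses. The detector below is an added example written for this digest, not North Face's or VF's tooling, and it runs over constructed log lines in an assumed `timestamp ip=… user=… result=…` format (the addresses are reserved documentation ranges). Thresholds are illustrative; a production rule would also bucket events into time windows.

```python
"""Flag credential-stuffing patterns in web login logs (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines in an assumed format; not real North Face logs.
# 198.51.100.7 sprays eight accounts; 203.0.113.x are ordinary users;
# victim@example.com is probed from three different addresses.
SAMPLE_LOG = """\
2020-07-15T02:00:01Z ip=198.51.100.7 user=u1@example.com result=fail
2020-07-15T02:00:01Z ip=198.51.100.7 user=u2@example.com result=fail
2020-07-15T02:00:02Z ip=198.51.100.7 user=u3@example.com result=ok
2020-07-15T02:00:02Z ip=198.51.100.7 user=u4@example.com result=fail
2020-07-15T02:00:03Z ip=198.51.100.7 user=u5@example.com result=fail
2020-07-15T02:00:03Z ip=198.51.100.7 user=u6@example.com result=fail
2020-07-15T02:00:04Z ip=198.51.100.7 user=u7@example.com result=fail
2020-07-15T02:00:04Z ip=198.51.100.7 user=u8@example.com result=ok
2020-07-15T02:05:10Z ip=203.0.113.5 user=alice@example.com result=fail
2020-07-15T02:05:25Z ip=203.0.113.5 user=alice@example.com result=ok
2020-07-15T02:07:00Z ip=203.0.113.9 user=bob@example.com result=ok
2020-07-15T02:09:00Z ip=198.51.100.20 user=victim@example.com result=fail
2020-07-15T02:09:30Z ip=198.51.100.21 user=victim@example.com result=fail
2020-07-15T02:10:00Z ip=198.51.100.22 user=victim@example.com result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "ok"})
    return events


def flag_stuffing_sources(events, min_users: int = 5, min_fail_ratio: float = 0.5) -> list:
    """Source addresses that tried many distinct accounts and mostly failed.

    A real user mistyping a password hits one account; a stuffing tool hits
    many, and most leaked credentials are no longer valid, so failures dominate.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for e in events:
        users[e["ip"]].add(e["user"])
        attempts[e["ip"]] += 1
        failures[e["ip"]] += 0 if e["ok"] else 1
    flagged = [
        ip for ip in attempts
        if len(users[ip]) >= min_users and failures[ip] / attempts[ip] >= min_fail_ratio
    ]
    return sorted(flagged)


def flag_sprayed_accounts(events, min_ips: int = 3) -> list:
    """Accounts attempted from many distinct addresses (distributed stuffing
    through proxies, which defeats the per-IP rule above)."""
    ips = defaultdict(set)
    for e in events:
        ips[e["user"]].add(e["ip"])
    return sorted(u for u, s in ips.items() if len(s) >= min_ips)


def successes_from(events, ips) -> list:
    """Accounts that a flagged source actually logged into; these need a reset."""
    ips = set(ips)
    return sorted({e["user"] for e in events if e["ip"] in ips and e["ok"]})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    bad_ips = flag_stuffing_sources(ev)
    print("stuffing sources:", bad_ips)
    print("accounts compromised by them:", successes_from(ev, bad_ips))
    print("accounts sprayed from many IPs:", flag_sprayed_accounts(ev))
```

The two successful logins from the flagged address are the accounts whose credentials were valid on the site, which is the set that needs a forced reset; that is the per-account view behind a headline figure such as the 190,000 here.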
Chris Hauk, consumer privacy champion at Pixel Privacy, sees another lesson in password hygiene: “Credential stuffing attacks like this one underscore the need for users to create unique and secure passwords. Never reuse passwords. If your password load is overwhelming and you can't remember them, use a password manager. Most password managers can also create strong and unique passwords on the fly, saving them for you for later logins. The standard warnings to North Face customers apply here. Customers need to stay aware of phishing attacks, avoiding clicking on links or attachments in emails and messages, and being alert for emails or messages that appear to come from North Face or other 'official' sources. Affected users should also check for password reuse on the North Face site, immediately changing the password on any account that shares The North Face password.”
Paul Bischoff, privacy advocate at Comparitech, also thinks we should reach some clarity about just who's vulnerable to this kind of credential stuffing: “Credential stuffing only works against people who reuse the same password across multiple accounts. If all your passwords are unique, you should have nothing to worry about. If you have a North Face account and it has a password that's the same as other account passwords, you should change all of them immediately. The attackers might not stop at The North Face, and you could soon find your other accounts hacked as well. Internet users should minimize how often they create new accounts in the first place. Every account you create increases your attack surface, and in turn the likelihood that you'll be attacked. If you need to create an account for a one-off transaction, use an email alias or burner email. Create strong, unique passwords using a password manager.”