More stories

    Google sets up Android group for future car keys, national ID, e-wallets

    Google has set up the Android Ready SE Alliance to support the adoption of Android smartphones and wearables as digital keys, identity documents, and wallets for digital cash.

    As part of the alliance’s inauguration, Google has launched the general availability (GA) version of the StrongBox for SE applet. SE stands for Secure Element, a discrete tamper-resistant piece of hardware, such as Google’s Titan M chip.

    While most modern phones have an SE, the alliance is about standardising multiple Android OEMs around the way Pixel devices use the Titan M chip as a tamper-resistant hardware enclave. Android’s StrongBox, which runs on this hardware enclave on Pixel phones, is used for storing cryptographic keys in an environment that’s isolated from the CPU.

    Google notes that StrongBox and Titan M-like hardware will be important for emerging user features, including digital keys for your car, home and office; identification documents such as mobile driver’s licence (mDL), National ID, and ePassports; and Wallet for digital money.

    The SE alliance is working with Google to create open-source and validated SE applets, such as StrongBox for SE. This applet is available from alliance members, including chip makers Giesecke+Devrient, Kigen, NXP, STMicroelectronics, and Thales.

    Google is confident in the security of its Titan M chip and sees it as important enough to warrant a $1 million reward for anyone who finds a way to achieve a full-chain remote code execution exploit with persistence that compromises data protected by the chip.

    Additionally, StrongBox is applicable to WearOS, Android Auto Embedded, and Android TV devices.

    Android phone brands or OEMs will need to pick validated hardware from an SE alliance vendor and to work with Google to provision attestation keys and certificates in the SE factory. Android OEMs will also need to use the GA version of the StrongBox for SE applet, adapted to the specific SE in use.

    Google notes that it is prioritising the development of applets for mobile driver’s licence and identity credentials, as well as digital car keys, for future Android releases.

    “A major goal of this alliance is to enable a consistent, interoperable, and demonstrably secure applets across the Android ecosystem,” Google says on its page for the Android Ready SE Alliance.

    “Validated implementations of Android Ready SE applets build even stronger trust in the Android Platform. OEMs that adopt Android Ready SE can produce devices that are more secure and allow for remote updates to enable compelling new use cases as they are introduced into the Android platform.”

    Hades ransomware operators are hunting big game in the US

    An unknown threat group is deploying a variant of Hades in targeted attacks against US big game. 

    On Friday, Accenture’s Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams published an analysis of the latest Hades campaign, which has been operating from at least December 2020 through this month. According to the researchers, at least three major companies have been successfully attacked with the ransomware strain, including a transport and logistics company, a consumer products retailer, and a global manufacturer. Forward Air was reportedly a past victim. Accenture says the threat actors focus on hunting organizations that generate at least $1 billion in annual revenue.

    In the latest recorded attacks, the threat actors take a hands-on approach and use a mix of custom tools and fileless techniques.

    Initial access appears to come through internet-facing systems, Remote Desktop Protocol (RDP), or Virtual Private Network (VPN) setups using legitimate credentials, which may be obtained through brute-force attacks or stolen data dumps.

    Once Hades lands on a victim’s machine, it creates a copy of itself and relaunches via the command line. The ‘spare’ copy is then deleted and an executable is unpacked in memory. A scan of local directories and network shares then finds content to encrypt; each Hades sample obtained uses a different file extension for the encrypted files.

    A ransom note, “HOW-TO-DECRYPT-[extension].txt,” is then dropped on the machine. The ransom notes obtained from Hades samples direct victims to install Tor, and a unique address appears to be generated for each target. In total, six addresses have been traced, which may indicate further infections.

    (Image: Similarities between ransom notes used by the Hades group and REvil ransomware operators.)

    CrowdStrike considers Hades to be the successor to WastedLocker ransomware, a variant that has been deployed by REvil against US targets in past campaigns.

    Cobalt Strike and Empire are used to manage command-and-control (C2) servers and to maintain persistence. Batch scripts, log clearance, disabling endpoint antivirus products, and modifying Group Policy Objects (GPO) to disable audit logging are all used to circumvent existing defenses. Hades also includes code obfuscation to avoid signature-based detection. A variety of reconnaissance tools are also used to gather network, host, and domain information and to achieve lateral movement through networks.

    “In addition, the threat actors operated out of the root of C:\ProgramData where several executables tied to the intrusion set were found,” Accenture noted.

    Prior to encryption, Hades operators steal and archive data before exfiltrating it to a C2 in what is known as a double-extortion tactic: pay up, or risk the leak of corporate data online.

    “We assess with moderate confidence that the group’s operations have just begun, and that Hades activity will likely continue to proliferate into the foreseeable future, impacting additional victims,” Accenture says.

    CIFR and ACTI have published Indicators of Compromise (IoC) for the threat group and Hades variant.
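    The behaviours Accenture describes (executables run from the root of C:\ProgramData, the Security log being cleared, a HOW-TO-DECRYPT-[extension].txt note whose name reveals the per-sample extension) translate directly into host-telemetry checks. The following is an added example, not part of Accenture’s report: it runs three such rules over constructed Sysmon-style log lines, learning the encrypted-file extension from the note name. The log format and all paths are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    timestamp: str
    detail: str


# Constructed sample telemetry: "timestamp|source|event|detail" (not real data).
SAMPLE_LOG = r"""
2021-03-26T01:12:03Z|sysmon|ProcessCreate|C:\Windows\System32\svchost.exe -k netsvcs
2021-03-26T01:13:41Z|sysmon|ProcessCreate|C:\ProgramData\win32.exe
2021-03-26T01:13:42Z|sysmon|FileCreate|C:\ProgramData\win32copy.exe
2021-03-26T01:14:07Z|security|EventID=1102|The audit log was cleared
2021-03-26T01:15:22Z|sysmon|FileCreate|C:\Users\jsmith\Documents\HOW-TO-DECRYPT-a1b2c3.txt
2021-03-26T01:15:22Z|sysmon|FileCreate|C:\Users\jsmith\Documents\report.docx.a1b2c3
2021-03-26T01:15:30Z|sysmon|FileCreate|C:\ProgramData\Microsoft\Windows\cache.dat
"""

# Executable written to or launched from the *root* of C:\ProgramData.
# Subfolders (C:\ProgramData\Vendor\...) are normal and are deliberately not matched.
PROGRAMDATA_ROOT_EXE = re.compile(r"^c:\\programdata\\[^\\]+\.(?:exe|dll|bat|ps1)$", re.I)

# Hades drops HOW-TO-DECRYPT-[extension].txt; group 1 is the extension this sample uses.
RANSOM_NOTE = re.compile(r"\\HOW-TO-DECRYPT-([A-Za-z0-9]+)\.txt$", re.I)

# Windows Security log cleared (Event ID 1102), matching the log clearance in the report.
AUDIT_LOG_CLEARED = "EventID=1102"


def parse_line(line):
    timestamp, source, event, detail = line.split("|", 3)
    return timestamp, source, event, detail


def image_path(detail):
    # Constructed sample paths contain no spaces, so the first token is the image path.
    return detail.split(" ", 1)[0]


def analyze(log_text):
    """Return (findings sorted by time, set of ransom-note extensions seen)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    extensions = set()

    # Pass 1: note drops tell us which extension this sample appends to encrypted files.
    for timestamp, source, event, detail in records:
        match = RANSOM_NOTE.search(detail)
        if event == "FileCreate" and match:
            extensions.add(match.group(1).lower())
            findings.append(Finding("ransom_note_dropped", timestamp, detail))

    # Pass 2: staging location, defence evasion, and files carrying the learned extension.
    for timestamp, source, event, detail in records:
        if event in ("ProcessCreate", "FileCreate") and PROGRAMDATA_ROOT_EXE.match(image_path(detail)):
            findings.append(Finding("programdata_root_executable", timestamp, detail))
        if source == "security" and event == AUDIT_LOG_CLEARED:
            findings.append(Finding("audit_log_cleared", timestamp, detail))
        if event == "FileCreate" and not RANSOM_NOTE.search(detail):
            if detail.rsplit(".", 1)[-1].lower() in extensions:
                findings.append(Finding("encrypted_file_extension", timestamp, detail))

    findings.sort(key=lambda f: f.timestamp)
    return findings, extensions


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)[0]:
        print(f"{finding.timestamp} {finding.rule:28} {finding.detail}")
```

    Any one hit is weak on its own; the value is in the ordering (staging, then log clearing, then note and renamed files on the same host within minutes), which is what an analyst would correlate.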

    Google says ACCC's work on ad tech regulation could be at odds with Privacy Act

    Google has offered the Australian Competition and Consumer Commission (ACCC) a number of suggestions on how best to move forward with regulation in the digital advertising space, saying a “collaborative” approach would provide the most benefit to consumers and Australian businesses.

    “Google succeeds when our partners do — so we have a strong incentive to ensure a healthy digital advertising ecosystem,” a blog post penned by Google Australia’s marketing director Barney Pierce said.

    The competition watchdog is currently probing the advertising technology (ad tech) sector, focusing its efforts, again, on the search giant, with the ACCC concerned with “Google’s industry-leading position”.

    In response to the ACCC kicking off the inquiry, Google argued ad tech is a competitive market with low barriers to entry, and that it’s merely one of the many companies offering such a service. The search engine giant said it creates AU$32 billion in benefits annually for businesses and content creators in Australia through its advertising platforms.

    In its 68-page submission [PDF] to the inquiry, Google said the ACCC’s Interim Report presented an incomplete view of the digital advertising industry. “Focussing only on web-based open display advertising results in a misleading view of industry dynamics,” it said.

    “Any regulatory intervention must not reduce the innovation and competition that has driven so many benefits”.

    Google said ad tech has been marked by constant innovation, driven by the evolving needs of advertisers, publishers, and consumers. This constant innovation, Google claimed, substantially changes the ad tech landscape every two to three years.

    “The dynamism of the ad tech ecosystem combined with these differing interests means that it will be extremely difficult to predict all of the consequences of any intervention,” it said. “In the face of these issues, regulation is likely to create unanticipated disadvantages and disruptions.”

    Google has asked the ACCC to also consider the implications for consumer privacy when designing proposals. “Several of the ACCC’s proposals will impact consumer privacy,” it said. “This extends beyond data portability and interoperability measures (which the ACCC has recognised will depend on the underlying privacy regulatory framework currently under review).”

    It also said the ACCC’s proposals around data separation measures, such as through data silos or purpose limitation requirements, may overlap with the issues being considered in the Privacy Act Review. Similarly, Google said the watchdog’s proposals to increase transparency and address issues of supply chain opacity may conflict with the privacy issues being considered in the review.

    “We therefore think it is critical that the ACCC consult with the Attorney-General’s Department, the OAIC, and other relevant stakeholders (including privacy advocacy groups such as the Australian Privacy Foundation) for the remainder of the Inquiry to consider the privacy implications of the ACCC’s proposals,” it said.

    Google in its submission also provided comment on how the ACCC should consider measures for improving data portability and interoperability.

    “We believe the ACCC’s objectives are best achieved by data portability measures that are industry-led and industry-wide and where the user is in control,” Google said. “To safeguard consumer privacy and promote participation and competition, such measures should only apply to data controlled by the user.”

    Data portability measures should not apply to data that the user does not control, Google said, providing examples such as data about a consumer’s activity on a website where their ads are displayed. Google added that data portability should not extend to data that a service provider creates by using a consumer’s data — inferred data — such as a user profile created by analysis of the data collected.

    On the issue of conflict of interest and self-preferencing, Google said it believes the current Competition and Consumer Act 2010 provisions are sufficient for addressing potential competition concerns that may arise from vertical integration in the ad tech chain.

    In addition, Google labelled the interim report as having a narrow focus, stating it omits key competition dynamics that constrain Google’s ad tech business.

    Services Australia reported 20 security incidents to the ACSC in 2019-20

    Services Australia has told Senate Estimates that it reported a total of 20 cybersecurity incidents to the Australian Cyber Security Centre (ACSC) in 2019-20, covering its responsibility across the Department of Social Services, the National Disability Insurance Agency, and the Department of Veterans’ Affairs, in addition to its own IT shop. The ACSC reported receiving a total of 436 notifications from government entities.

    Services Australia CEO Rebecca Skinner said that while it wouldn’t be appropriate to discuss the nature of the incidents, her agency did not have breaches of Australian citizen data.

    As one of the largest government entities, Services Australia has its own security operations centre (SOC) that, since 2017, has been responsible for protecting all of its systems, including the ones that hold Centrelink, Medicare, and child support information.

    “We are always undertaking security reviews, upgrades, patches — those sorts of things to maintain our responsibilities against [the] ASD essential eight security arrangements,” she added.

    Skinner said the agency’s cybersecurity division blocks about 14 million suspicious emails a month. “If something looks strange, people do something,” she said, noting the division also detects multiple campaigns attempting to attack its systems. “We’re monitoring all of those.”

    Services Australia chief information officer Michael McNamara said the SOC also “runs its own testing, in terms of the dark web”.

    “We have our own internal capability … that routinely works through that and identifies issues in that domain,” he told Senators. “We can’t discuss any individual cases, but we do work very, very closely with the AFP and the ACSC and ASD.”

    McNamara said that while a lot of its data is not classified with a national security classification, it is all treated the same as the agency’s most sensitive and important datasets.

    “They reside, if you like, in physical security centres that are equivalent to the sorts that you would protect national security information in, it’s just technically, they don’t have a national security classification,” he explained.

    “We have a very robust data security framework inside the agency … [including] a data integrity framework, which looks at training our staff on the use of data on the inappropriate and appropriate use of data, distribution of data. We do that on a regular basis.”

    He said there are also a number of access controls in place, such as monitoring tools, in addition to multifactor authentication across the agency and the systems it controls.

    “Our systems, as you can imagine, are secure by their very nature and design, and the data is encrypted at rest,” he added. “As that data is moved, we will use our monitoring tools to control the movement, the distribution of that data, particularly if it leaves the agency.”

    He said the same requirements are placed on its biggest contractors — Telstra, Microsoft, and IBM.

    Australia's COVIDSafe app costs AU$100,000 per month to keep running

    Australia’s coronavirus contact tracing app, COVIDSafe, was sold as “digital sunscreen”, with people encouraged by the Prime Minister to download the app in order to have life return to some form of normal.

    There have been over 7 million downloads of the app, but that doesn’t necessarily mean it’s logged into, or being used by, the individuals who have the app taking up real estate on their phone. The app has received scrutiny from the country’s security community from day one, and it has only accounted for a total of 17 cases found, with 81 close contacts of those 17 identified through the app, too.

    The Senate Select Committee on COVID-19 also previously said the app significantly under-delivered on Scott Morrison’s promise that the app would enable an opening up of the economy in a COVID-safe manner.

    As previously disclosed by the Digital Transformation Agency (DTA), the app cost in excess of AU$5 million. DTA CEO Randall Brugeaud told senators on Thursday night that the cost to keep the app’s lights on, so far, has been around AU$900,000.

    “The spend to date on the app is AU$6,745,322.31, that’s to 31 January,” he said. “That includes a combination of development, which is the actual build of the app, and the hosting of the app. So the breakdown is, for the development of the app, AU$5,844,182.51 and the hosting is AU$901,139.80.”

    Brugeaud said COVIDSafe has moved into the “business as usual state”, which means the DTA simply applies “very small amounts of maintenance”.

    “It costs about AU$100,000 per month to run the infrastructure and we’ve made a provision for about AU$200,000 per month to allow us to make future changes,” he said. “Now, that isn’t money that must be spent, but we’ve estimated about AU$200,000 a month for future feature changes that may be required by the Department of Health who is the business owner of the app.”

    Labor Senator Nita Green asked why there was a need to continue sinking funds into an app that has barely been used.

    “COVIDSafe was developed based on the health need and it will continue to be supported until we’re advised that capability is no longer required,” Brugeaud said.

    “I know it seems like a small number, 17 … I think it was 774 detections that have occurred, but just think through 17 people going undetected, and what that might look like in terms of shutdowns,” Minister for Families and Social Services Anne Ruston added. “Even though it may seem like a small number, that could have had a very significant impact on the health outcomes or the economic outcomes for our country.”

    Ruston said the app was designed at a time when it was thought Australia would have a lot more cases than it did.

    “Not withstanding that, it was something that was put in place at the time, an unknown time, it has served a purpose, whether it has served as much of a purpose as perhaps it might otherwise — but, clearly the health officers, the CMOs in both Victoria and New South Wales have both indicated that they believe that the app has had provided a very positive opportunity and benefit to their states,” she said. “It was a decision that was taken that has provided some value.”

    Brugeaud said there could be more contacts located via the app, but legislation is preventing the government from having access to the data. He also said, however, that the app has received “very good feedback” from the tech community to help the DTA improve the app.

    Digital vaccination record limbo

    Last month, Minister for Government Services Stuart Robert touted a vaccination passport, a digital record confirming people have received the jab through the Australian Immunisation Register (AIR).

    “They will have a record, they will have a digital and paper certificate. For some 89% of Australians that have a smartphone, they will be able to access that digital certificate in their smartphone, download it onto their phone as a permanent record,” Robert said at the time. The certificate would be available, he said, through linking myGov and Medicare online services.

    Brugeaud said the DTA has been working with Services Australia on a “range of enhancements” to myGov, including a release which is about to occur and will provide access through myGov to the AIR.

    “That will provide access to the current immunisation record,” he said. “There are discussions currently underway in relation to the creation of a potential vaccination certificate, but that would be a question for Services Australia … we’re not leading the work on the vaccination certificate.”

    Time ran out during Senate Estimates on Thursday night to hear testimony from Services Australia on the progress of the AIR.

    The good and the bad with Chrome web browser's new security defaults

    First, the good news. Starting with the mid-April release of Google’s Chrome 90 web browser, Chrome will default to trying to load the version of a website that’s been secured with Transport Layer Security (TLS). These are the sites that show a closed lock in the Chrome Omnibox, what most of us know as the Chrome address (URL) bar. The bad news is that just because a site is secured by HTTPS doesn’t mean it’s trustworthy.

    A few years ago, Wordfence, a well-regarded WordPress security company, found that SSL certificates are being issued by certificate authorities (CAs) to phishing sites pretending to be other sites. Because the certificates are valid, even though the sites are operating under false pretences, Chrome reports these sites as being secure. True, the data sent along that connection is secure, but safe? I think not!

    Of course, CAs shouldn’t issue bogus security certificates. Unfortunately, it happens. In a perfect example of “why we can’t have nice things,” it’s been revealed that Let’s Encrypt, the free, open, and automated CA, had been used to create thousands of SSL certificates for phishing sites illegally using “PayPal” as part of their name. It’s not just PayPal. Google, Microsoft, and Apple have also had their names taken in vain by phishers.

    It’s also not just that the CA process can be abused. Paul Walsh, founder and CEO of the zero-trust security company MetaCert and co-founder of the World Wide Web Consortium (W3C) URL Classification Standard, sees many other problems with our naïve belief that HTTPS alone is enough to secure our internet connections.

    True, Walsh tweeted, “When DNS-based security services were first introduced, most of the web wasn’t encrypted, and threat actors didn’t use trusted domains like Google, Microsoft, GitHub, et al. So they were effective in the past, but less effective today.” When the leading free CA, Let’s Encrypt, began in 2015, less than a fifth of websites were secured by HTTPS. Today, 82.2% of sites are covered. That was then. This is now. And there are other problems.

    First, Walsh believes that what Google is doing is “great in theory, but their execution sucks. I think it’s unethical for a single company that represents a single stakeholder to railroad what they think is the right thing for every website creator and every person that uses the web.” Walsh isn’t the only one who feels that way. While many people think of this as a small, but real, step forward in web security, others think, “Forcing https on people’s throats is a stupid idea.”

    Besides, as Walsh observed in his analysis of website security, “the basic [URL] padlock is designed to tell users when their connection to a website is encrypted. A padlock doesn’t represent anything related to trust or identity. Browser designers didn’t do a good job with the design of their UI. They should have made website identity more obvious — such as a separate icon on the toolbar — making it completely separate to the padlock.”

    In other words, you can be “safely” secured to a site that’s pretending to be the real Amazon, eBay, or PayPal. That’s a fail.

    This happens not just because of the fake sites with real HTTPS certificates. Walsh points out that Modlishka attacks create a reverse proxy between you and the website you want to visit. It looks like you’re connected to the real thing because you get authentic content from the legitimate website, but the reverse proxy is silently relaying all your traffic to and from the Modlishka server. Thus, your “credentials and sensitive information such as a password or crypto wallet address entered by the user are automatically passed on to the threat actor. The reverse proxy also asks users for 2FA tokens when prompted by the website. Attackers can then collect these 2FA tokens in real-time, to access the victims’ accounts.” Ouch.

    Besides that, Walsh is not at all convinced that free and easy HTTPS certificates are a good thing at all. Walsh wrote, “The volume of cyberattacks that use automatically issued free DV certificates has weakened the Trusted Computing Base (TCB) of the internet in my opinion. And free DV certificates are an existential threat to the safety and wellbeing of society.”

    The answer? According to Walsh, CAs should:

    • Tighten up their identity verification processes.
    • Reduce the cost, time, and effort of acquiring identity verification.

    And browser vendors should:

    • Design a meaningful icon for identity verification for the browser toolbar — away from the padlock.
    • Improve the user experience so websites’ real identity is intuitive.

    Then, and only then, will the web be well on its way to being truly secure.
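    The padlock answers one question (is the channel encrypted to whatever host the URL names?) and the identity question is a separate check against who you meant to reach. As an added example, not from the article or from MetaCert, the function below keeps the two verdicts apart: it derives the registrable domain from the hostname and compares it with the brand’s known domains whenever a brand name appears anywhere in the host. The suffix list and brand allowlist are constructed and deliberately tiny. A Modlishka-style reverse proxy fails the same check, because however genuine the relayed content looks, the hostname in the URL is still the proxy’s.

```python
from urllib.parse import urlsplit

# Constructed, simplified public-suffix list (the real list has thousands of entries).
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "com.au"}

# Constructed allowlist of registrable domains per brand; not an authoritative list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "google": {"google.com", "google.co.uk"},
}


def registrable_domain(host):
    """Return the eTLD+1 of host, or None if host is only a public suffix or unknown."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest matching suffix wins: "co.uk" before "uk"
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):]) if len(labels) > n else None
    return None


def brands_mentioned(host):
    """Brand names that occur anywhere in the hostname, e.g. paypal.com.login-check.net."""
    lowered = host.lower()
    return {brand for brand in BRAND_DOMAINS if brand in lowered}


def assess(url, tls_valid):
    """Separate 'encrypted' from 'identity' for a page load.

    tls_valid is what the browser's padlock reports: the certificate chain validated
    for this hostname. It says nothing about who registered the hostname, so the
    identity verdict is computed independently from the registrable domain.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    encrypted = parts.scheme == "https" and bool(tls_valid)
    reg = registrable_domain(host)
    mentioned = brands_mentioned(host)
    # A brand keyword on a domain that brand does not own is the DV-phishing pattern.
    impersonated = {brand for brand in mentioned if reg not in BRAND_DOMAINS[brand]}
    return {
        "host": host,
        "registrable_domain": reg,
        "encrypted": encrypted,
        "brand_keywords": mentioned,
        "identity_verified": bool(mentioned) and not impersonated,
        "likely_impersonation": impersonated,
    }


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin",
                   "https://paypal.com.secure-login.net/signin",
                   "https://accounts.google.co.uk/"):
        print(sample, assess(sample, tls_valid=True))
```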

    Best Windows and Mac backup software in 2021

    Now that you’re finally serious about backing up your Windows PC or Mac, you’ve probably figured out that the backup software included with your preferred operating system just isn’t going to cut it.

    Sure, you can use the built-in tools (Time Machine on a Mac or File History on Windows 10), if you’re willing to settle for a limited feature set with few options outside the standard settings. But replacing those default utilities with one of these third-party alternatives unlocks a wide range of useful features and capabilities that can save you time and disk space, not to mention helping you sleep better.

    Backup software features to look for

    On the backup side, these are the features that matter most:

    • The ability to create a disk image that can restore the entire contents of a PC or Mac, so you can recover quickly after a disk crash or other data disaster
    • Ongoing backups that can save your work daily, hourly, or in real time, so you never risk losing important work
    • Protection from ransomware attacks
    • The option to save backup files on a local drive, on a network server, or in the cloud

    And when the day arrives that you have to call on those backups to recover your files, a good backup program will allow you to quickly mount that backup image as a virtual drive to retrieve individual files or folders. Or you can boot from recovery media to restore an entire image.

    Those backup files come in handy even if you didn’t have a data catastrophe. Good backup software offers an effortless way to migrate your PC or Mac when you upgrade to a new device, allowing you to be productive immediately without having to reinstall apps or re-create settings.

    How we chose

    You might be startled by just how many third-party backup products there are to choose from. We were even more surprised by the sheer number and complexity of purchase and subscription options for those products.

    Those that offer a free version try (sometimes very aggressively) to upsell you to one of their paid plans, which typically come in multiple tiers, in home and commercial versions, and with varying discounts for longer subscription terms and multiple licenses. Getting all the bells and whistles you think you need, especially if you have multiple devices to protect, can run up a pretty hefty bill.

    All the products we’ve included here have a good reputation, as evidenced by comments on public forums and reviews from trusted sources. It’s worth noting that backups can fail for a variety of reasons, usually at the worst possible time, so we’ve given extra marks to companies that offer easily accessible support options.

    The most important feature we looked for is the ability to create a backup image that can be stored on a local drive (typically USB or network storage). Some programs also offer the ability to back up to the cloud. We’ve highlighted those programs for the benefit of those who have that combination of manageable data sets and high bandwidth that make an all-cloud option feasible. We didn’t include products like Carbonite, which are exclusively focused on cloud-based backup.

    Other important features we looked for include easy options for restoring a single file or folder from a backup set, as well as robust scheduling and reporting options.

    As always, this listing doesn’t represent a full hands-on review. We didn’t stress-test these apps, and we encourage you to do your own testing to ensure that the backup and restore features (especially the latter) meet your standards for ease of use and robustness.

    A solid free version, with a vast array of upgrade options

    The free version of Macrium Reflect 7 is surprisingly robust, offering solid imaging and cloning capabilities that are licensed for use in home and business environments. The resulting images can be browsed in Windows Explorer or mounted instantly in a Hyper-V VM.

    You’ll need to upgrade, though, if you want to add file/folder backups to the mix, or encrypt your backups, or create space-saving incremental backups. The Home and Workstation versions ($70 and $75 per PC, respectively, with discounts for multiple licenses) also add protection against ransomware attacks.

    The company also offers Server and Server Plus editions as well as a specialized Technicians edition ($799) that allows IT pros to create snapshots of an unlimited number of PCs or servers using a USB flash drive instead of installing the software on each PC.

    Would you like security software with your backups?

    Acronis is one of the best-known names in backup, with its flagship True Image product recently celebrating its 18th birthday. The latest version, True Image 2021, is available on Windows PCs and MacOS and offers a wide range of antimalware features in addition to the familiar backup tools.

    True Image 2021 is offered in three subscription editions. The entry-level Essential package ($50 per year) does disk imaging and file backups to local and network destinations. For cloud backup, you’ll need to upgrade to the pricier Advanced or Premium editions ($90 and $125 per year, respectively), which offer 500 GB or more of cloud storage in Acronis’s protected data centers. All three editions include incremental and differential backups as well as non-stop backups.

    Acronis doesn’t offer a free version of True Image, although you can try it out for free for 30 days without having to supply a credit card.

    The free edition comes with incessant upsell offers

    EaseUS Todo Backup comes in three editions, including a free offering that covers most of the backup bases. You can back up an entire system, a specific disk, or data locations of your choosing. And you can send that backup file to a local drive, a network location, or one of three popular cloud locations: Dropbox, OneDrive, and Google Drive.

    If you choose the free option, however, be ready for constant reminders that the company really wants you to upgrade to one of its paid products. Those reminders include pop-up notifications and orange reminders in the user interface that specific features aren’t available to you.

    Those paid upgrades are primarily available as subscriptions, at a yearly cost of $30 per PC for the Home edition and $39 for Pro. With the Home upgrade, you lose the upsells and get the ability to transfer a system to a new PC. The Pro edition includes a Smart Backup feature that runs every half-hour to capture recent changes.

    Surprisingly sophisticated and free for home use

    Paragon’s Backup & Recovery Community Editions are free for home use, but you’ll need a license if you want to use them for commercial purposes or as part of a business network joined to a domain. The free edition includes versions for Mac and Windows as well as Backup for Hyper-V Host, which does full backups and one-click restores of virtual machines in non-production environments.

    The Backup & Recovery version 17 interface is easy to use, with options to schedule full system backups with incremental or differential updates as well as data backups focusing on key locations. Those backup features are part of a larger paid product, Paragon Hard Disk Manager 17, which costs $80 for a home version covering three PCs or $99 for a single business license. The full product also includes advanced partitioning tools, drive migration features, and disk wiping methods.

    Pro and EZ options available

    NTI’s website has the old-school look you’d expect from a company that has been around since Windows 95 was still new and fresh. For Windows, you can take your choice of NTI Backup Now Pro and NTI Backup Now EZ, with list prices of $70 and $50, respectively. For Mac users, the complete backup solution is NTI Shadow 5 for Mac, which lists for $40 for a single license. There’s no free edition, but you can get a 30-day trial, and the company is aggressive with discounts.

    NTI Backup Now Pro offers a full range of backup options, with file backups, drive imaging, and cloud backups using Microsoft Azure. A Continuous Backup option (not available on Backup Now EZ) ensures that work you do between scheduled backups is protected.

    It’s worth noting that NTI has a warning on its product page that its complete system restore operation isn’t compatible with “some tablet PCs (e.g. Microsoft’s Surface Pro tablets).” This warning appears to be outdated, but it should be a red flag for anyone whose primary PC fits that description.

    Severe vulnerabilities patched in Facebook for WordPress Plugin

    Two severe vulnerabilities have been patched in the Facebook for WordPress Plugin.

    Disclosed by the Wordfence Threat Intelligence team this week, the bugs impact Facebook for WordPress, formerly known as Official Facebook Pixel. The plugin, used to capture user actions when they visit a page and to monitor site traffic, has been installed on over 500,000 websites.

    On December 22, the cybersecurity researchers privately disclosed a critical vulnerability to the vendor which has been issued a CVSS severity score of 9. The vulnerability, described as a PHP Object injection, was found in the run_action() function of the software. If a valid nonce was generated — such as through the use of a custom script — an attacker could supply the plugin with PHP objects for malicious purposes and go so far as to upload files to a vulnerable website and achieve Remote Code Execution (RCE).

    “This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness,” the team says.

    The second vulnerability, deemed of high importance, was discovered on January 27. The cross-site request forgery security flaw, which leads to a cross-site scripting issue, was introduced accidentally when the plugin was rebranded.

    When the software was updated, an AJAX function was introduced to make plugin integration easier. However, a permissions check problem in the function opened up an avenue for attackers to craft requests that could be executed “if they could trick an administrator into performing an action while authenticated to the target site,” according to Wordfence.

    “The action could be used by an attacker to update the plugin’s settings to point to their own Facebook Pixel console and steal metric data for a site,” the team says. “Worse yet, since there was no sanitization on the settings that were stored, an attacker could inject malicious JavaScript into the setting values.”

    Malicious JavaScript could, for example, be used to create backdoors in themes or create new admin accounts for hijacking entire websites.

    The reports were accepted by Facebook’s security team and a patch for the first vulnerability was released on January 6, followed by a second fix on February 12. However, the patch for the second bug required tweaking and a full fix was not published until February 17. Both vulnerabilities have been fixed in version 3.0.4, and so it is recommended that webmasters update to the latest version available of the plugin, which is currently 3.0.5.

    ZDNet has reached out to Facebook for comment and we will update when we hear back.
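    The two bugs share a shape: a settings-changing action reachable without a proper per-action nonce and capability check, values stored without sanitization, and request data handed to an object deserializer. The handler below is an added example modelled in Python, not the plugin’s PHP, showing the four controls together on a constructed “update pixel settings” action: an HMAC nonce bound to user and action (modelled on how WordPress nonces work), a capability check that is separate from the nonce, JSON rather than object deserialization for the request body, and strict validation of the stored pixel ID. The action name, role table and SITE_SECRET are constructed.

```python
import hashlib
import hmac
import json
import re
import time

# Constructed server secret; in WordPress this role is played by the site's salts and keys.
SITE_SECRET = b"constructed-secret-not-a-real-key"
NONCE_LIFETIME = 12 * 3600  # WordPress nonces are valid for one or two 12-hour ticks

# Constructed role-to-capability table; only administrators may change plugin settings.
ROLE_CAPS = {"administrator": {"manage_options"}, "subscriber": set()}

# A Facebook Pixel ID is numeric; anything else (including "<script>") is rejected.
PIXEL_ID = re.compile(r"[0-9]{1,20}")


def create_nonce(user_id, action, now=None):
    """Token tied to user AND action, so a nonce for one action cannot be reused for another."""
    tick = int((now if now is not None else time.time()) // NONCE_LIFETIME)
    message = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SITE_SECRET, message, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, user_id, action, now=None):
    now = now if now is not None else time.time()
    # Accept the current tick and the previous one, as WordPress does.
    for candidate in (now, now - NONCE_LIFETIME):
        if hmac.compare_digest(create_nonce(user_id, action, candidate), nonce or ""):
            return True
    return False


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def update_pixel_settings(request, session, settings_store):
    """request: {'nonce': str, 'body': raw JSON text}; session: {'user_id', 'role'}."""
    # 1. CSRF: the request must carry a nonce issued to this user for this action.
    if not verify_nonce(request.get("nonce"), session["user_id"], "fb_update_pixel"):
        raise Forbidden("invalid or missing nonce")
    # 2. Authorization: a nonce proves intent, not permission; check capability separately.
    if "manage_options" not in ROLE_CAPS.get(session["role"], set()):
        raise Forbidden("insufficient capability")
    # 3. Parse with a data-only format; never reconstruct objects from request bytes.
    try:
        data = json.loads(request["body"])
    except (KeyError, ValueError):
        raise BadRequest("body must be a JSON object")
    if not isinstance(data, dict):
        raise BadRequest("body must be a JSON object")
    # 4. Validate before storing, so the stored value can never carry script.
    pixel_id = str(data.get("pixel_id", ""))
    if not PIXEL_ID.fullmatch(pixel_id):
        raise BadRequest("pixel_id must be numeric")
    settings_store["pixel_id"] = pixel_id
    return settings_store


def try_update(request, session, settings_store):
    """Run the handler and report the outcome as a string (convenient for tests)."""
    try:
        update_pixel_settings(request, session, settings_store)
        return "ok"
    except Forbidden:
        return "forbidden"
    except BadRequest:
        return "bad_request"


if __name__ == "__main__":
    admin = {"user_id": 1, "role": "administrator"}
    req = {"nonce": create_nonce(1, "fb_update_pixel"), "body": '{"pixel_id": "123456789"}'}
    print(try_update(req, admin, {}))
```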