pilliatrijiztecano

Samsung Accidentally Exposes Source Code for Apps, Revealing Security Flaws and Vulnerabilities



On October 7, 2022, Toyota, the Japanese automotive manufacturer, revealed that it had accidentally exposed a credential granting access to customer data in a public GitHub repository for nearly five years. The code was public from December 2017 through September 2022. While Toyota says it has invalidated the key, an exposure this long means multiple malicious actors could already have acquired access, which is why the response to a leaked credential is to revoke it immediately and then audit the data server's access logs across the whole exposure window, not merely to delete the key from the repository.




Samsung Accidentally Exposes Source Code for Apps in Massive Data Breach




In December 2017, a subcontractor (not yet named) working on T-Connect, Toyota's connected-car service, uploaded a portion of its source code to a public GitHub repository. Inside the repository was a hardcoded access key for the data server that manages customer information. Anyone who found that credential could reach the server and the records of 296,019 customers. Removing the file later does not undo this: the key remains in the repository's commit history and in any clones or scraper caches taken while it was public, so only rotating the key closes the exposure.


SevenRooms Data Breach: Threat actors on a hacking forum posted details of over 400 GB of sensitive data stolen from the CRM platform's servers. The information included files from large restaurant clients, promo codes, payment reports, and API keys. However, the breached servers appear not to have stored any customer payment details.


Rockstar Data Breach: Games company Rockstar, the developer responsible for the Grand Theft Auto series, was the victim of a hack in which footage of its unreleased Grand Theft Auto VI game was leaked by the hacker. The hacker also claims to have the game's source code and is purportedly trying to sell it. The breach is thought to have resulted from social engineering, with the hacker gaining access to an employee's Slack account. The same hacker also claims responsibility for the Uber attack earlier that month.


Yahoo claimed the attack was conducted by state-sponsored hackers, and a Vice article reports that the US Department of Justice has pointed to members of the Russian Federal Security Service (FSB) as the initiators of the massive Yahoo data breach.


A massive data breach of 113.5 million records took place at FitMetrix. Each record consisted of a username, email address, gender, phone number, pictures, height, weight, shoe size, and desired gym locations.


Hardcoded passwords are particularly dangerous because they are easy targets for password-guessing attacks, allowing attackers and malware to hijack firmware, devices (such as health monitoring equipment), systems, and software. The same hardcoded password, or a small set of them, is often reused across every application (many of which require elevated privileges to function) or device that a manufacturer or software vendor ships within a particular series, release, or model. So once an attacker learns the default password, they can potentially access every similar device or application instance, and the credential cannot be changed by the owner without a new firmware or software release. Exploits of this kind have driven some massive cyberattacks that caused large security breaches, worldwide outages, and even jeopardized critical infrastructure.
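The Toyota incident above (an access key committed to a public repository) and the hardcoded-password problem come down to the same thing: a credential sitting in source. What follows is an added example, not code from this page or from any company it mentions: a small Python secret scanner run over a constructed, embedded set of sample files. The file contents, variable names, rule names, default-password list and 3.5-bits-per-character entropy threshold are assumptions chosen for the demonstration; the AWS values are AWS's published documentation example keys, not real credentials. The scanner flags a literal assigned to a credential-looking name (by entropy or by a list of known defaults), an AWS access key ID by format, and a PEM private-key header, while leaving an `os.environ` lookup alone, which is the shape the fix takes.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample "repository" for the demo (assumption, not real files).
# The AWS values are the documented AWS example keys; nothing here is a real secret.
SAMPLE_FILES = {
    "config.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "Tr0ub4dor&3xample!"\n'
        'DEBUG = "false"\n'
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "firmware.c": 'static const char *ADMIN_PASSWORD = "admin123";\n',
    "server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAnotarealkey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    # The hardened form: the secret comes from the environment, not the source.
    "settings_ok.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
}

# High-confidence patterns: a match is a finding on its own.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

# A literal assigned to a credential-looking name. The value must be a quoted
# string or run unbroken to the end of the line, so os.environ[...] lookups,
# function calls and other indirections do not match.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)(\w*(?:password|passwd|secret|access_key|api_key|token)\w*)
        \s*[=:]\s*(?:"([^"]{4,})"|'([^']{4,})'|([^"'\s;]{4,})\s*;?\s*$)""",
    re.VERBOSE,
)

# Assumed list of vendor-style defaults; extend per product line.
DEFAULT_PASSWORDS = {"password", "admin", "admin123", "changeme", "letmein",
                     "12345678", "default", "root"}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune per codebase


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    evidence: str  # redacted, so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be located without reprinting the secret."""
    return value[:4] + "..." if len(value) > 4 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if m := AWS_ACCESS_KEY_ID.search(line):
            findings.append(Finding(path, no, "aws-access-key-id", redact(m.group(0))))
            continue
        if PRIVATE_KEY_HEADER.search(line):
            findings.append(Finding(path, no, "private-key", line.strip()))
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if not m:
            continue
        name = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        if value.lower() in DEFAULT_PASSWORDS:
            findings.append(Finding(path, no, "default-password", f"{name} = {redact(value)}"))
        elif len(value) >= 8 and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, no, "high-entropy-literal", f"{name} = {redact(value)}"))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping and return every finding, in file order."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.evidence}")
```

Run as a script it prints one line per finding for the four leaking files and nothing for `settings_ok.py`. In practice the same `scan_text` should be fed every blob in the repository's history (for example the output of `git log -p`), not only the checked-out tree, because a key that was committed and then deleted is still retrievable from history until it is rotated.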


Telegram is open, anyone can check our source code, protocol and API, see how everything works and make an informed decision. Telegram supports verifiable builds, which allow experts to independently verify that our code published on GitHub is the exact same code that is used to build the apps you download from App Store or Google Play.


If you have reasons to worry about your personal security, we strongly recommend using only Secret Chats in official or at least verifiable open-source apps for sensitive information, preferably with a self-destruct timer. We also recommend enabling 2-Step Verification and setting up a strong passcode to lock your app; you will find both options in Settings > Privacy and Security.


On Friday, Microsoft completed its investigation into a little-known tool it provides to Windows 7 customers and determined that it illegally utilizes open-source code. The software giant said that the infraction was "not intentional," and that it will now re-release the tool and provide access to its source code publicly, as is required by the open-source license utilized by the stolen code.

"After looking at the code in question, we are now able to confirm ... that a free tool that was offered by the Microsoft Store contains GPLv2 code, although it was not intentional on our part," a Microsoft representative explained. "While we had contracted with a third party to create the tool, we share responsibility as we did not catch it as part of our code review process. We have furthermore conducted a review of other code provided through the Microsoft Store and this was the only incident of this sort we could find."

The tool in question is the Windows 7 USB/DVD Download Tool (WUDT), and it's designed to help customers who purchase an electronic version of Windows 7 to burn the code to disc or copy its contents on a bootable USB memory device; they could then use either method to install the OS.

A few weeks earlier, my "Windows 7 Secrets" co-author Rafael Rivera began investigating the WUDT after I asked him about discrepancies in its behavior that I was seeing while preparing my own article about the tool. A veteran hacker and Windows internals expert, Rafael became immediately suspicious of the tool's code structure, which he described to me as inefficient and below Microsoft's usual standards. After a short investigation, he discovered that the offending code had been taken from an open-source project. He contacted the author of the code and found that he had never been approached by Microsoft or anyone representing Microsoft.

I was at the Microsoft campus the next week and asked the team responsible for the Windows Setup routine whether they were aware that the WUDT tool used open-source code. They were not, but they noted that the tool was certainly Microsoft's responsibility even though it had been created by a third party, since Microsoft was distributing it to customers from its own online store.

A few days later, Rafael posted about the code theft, although he was more political than I would have been. "The source code was obviously lifted from the CodePlex-hosted GPLv2-licensed ImageMaster project," he wrote. "I see two problems here ... First, Microsoft did not offer or provide source code for their modifications to ImageMaster nor their tool [as is legally required by the GPL.] Second, Microsoft glued in some of [its] own licensing terms, further restricting your rights to the software. [This is also contrary to the GPL.] I understand Microsoft is a big company and that this could have been externally contracted work, but someone dropped the ball during code review/licensing."

Days later, Microsoft pulled the WUDT from its online store and began its own investigation. Predictably, the company found exactly what Rafael had claimed: The code for the tool had been taken from an open-source project, in violation of the GPL. That the company is doing the right thing now is, in many ways, astonishing and admirable. Sadly, Microsoft's official response to this event hasn't been admirable, although it has certainly been astonishing. The blog posting admitting to the GPL breach doesn't credit Rafael at all for his discovery and, as originally published, didn't even link to his blog post, which exposed the issue. (The link now exists, after some complaints, but Rafael's name still isn't mentioned.)

More astonishing, the post actually links to a PC Magazine article describing the problem. No offense to PC Magazine, but it is only one of dozens of publications that picked up this story and was one of the last to do so. The Microsoft post as originally written was a clear snub to Rafael, who has taken a lot of heat for exposing this problem. In its current form, it's still not particularly respectful. You can read it here.

So I'm asking, publicly now, but not for the first time, for Microsoft to please publicly credit Rafael Rivera for his work uncovering this issue. And to remove the PC Magazine link, which unfairly provides a skewed view of how this event was reported. Microsoft appears to want to do the right thing here, so I think it should finish the job.

Rafael's post about the code theft is available on his WithinWindows website.

