New month, new IT stories, and some (not so) new security problems. And what a month it’s been! From data leaks to the jailbroken Nintendos, April kept us on our toes.
Data Firm Leaks 48 Million Profiles on—Surprise—an Open S3 Bucket
This story combines two of our favorite topics: leaky S3 buckets, and sketchy data collection practices. Here's what went down: A small, Bellevue, WA-base data firm, Localblox, build 48 million personal profiles by scraping social networks such as Facebook, LinkedIn, Twitter, and real estate site Zilllow—all with out the knowledge or consent of scraped users.
According to the firm, LocalBlox "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks," and then, presumably, uses that information as marketing data.
Earlier this year, the company hit a bit of a snag with that business plan when they left a store of profile data on a public but unlisted Amazon S3 storage bucket without a password, which would allow anyone with the address of the database to download the info within.
The bucket in question,"lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. In that file were the afformentioned 48 million individual records scraped from public profiles. Just Great.
Luckily, the leaky bucket, and the data within was discovered by Chris Vickery, director of cyber risk research at security firm UpGuard. Vickery then disclosed the leak to Localblox's chief technology officer and the bucket was secured hours later.
Nvidia Mobile Processor Vuln Puts Nintendos at Risk
According to security researchers, devices built on Nvidia's Tegra X-1 mobile processor are at risk of attack from an exploit chain known as "Fusée Gelée," which allows anyone to run code on the processor by overloading a buffer during boot-up.
The exploit was discovered by Katherine Temkin and a team at ReSwitched, who say that it affects any device running the Nvidia chip, including some Chromebooks and the Nintendo Switch gaming console—bad news for Zelda fans.
"Fusée Gelée isn't a perfect 'Holy Grail' exploit -- though in some cases it can be pretty damned close," Temkin wrote.
According to Temkin, because the vulnerability is the result of a coding mistaing in the bootROM, the vulnerability cannot be patched.
However, the flaw requires physical access to the device, so it's unlikely to be a major target for hackers.
Fake Ad-Blocker Extensions Were Downloaded 20 Million Times
Fake ad-blockers listed at the top of Google Chrome's web extension store were downloaded by 20 million unsuspecting victims before Google pulled the plug on the phony apps, according to a report published by AdGuard.
The fake extensions featured names that played on popular adblockers, like "UBlock Adblock," a Ublock Origin fake, and could harvest info on users, including browsing history and IP adresses. Some of the fake extensions could even execute commands on chrome, effectively turning infected devices into a botnet.