E-Scooter Security Vulnerability
A security researcher recently found an API vulnerability
within the software of Voi
e-scooters that allowed him to add over $100,000 in ride credits to his
account. The vulnerability stems from a lack of authentication after creating
an account which allows users to enter an unlimited number of promo codes offering
ride discounts through several of the service’s partners. The researcher’s writeup of
the steps to replicate the flaw was temporarily taken down until the
company resolves the issue.
MageCart Strikes Volusion Sites
Thousands of sites using Volusion
software have been affected by malicious MageCart scripts going back to
mid-September. The scripts have been running from a nondescript API bucket and
are using filenames that would appear benign to most security software and site
admins. While victims will likely begin monitoring for stolen payment card
data, it is still unclear how many sites have been compromised in total.
Brazilian Database for Sale
A database containing extremely sensitive information belonging
to more than 92 million Brazilian
citizens was found up for auction on several marketplaces on the dark web. Included
in a sample of the data were driver’s license numbers and taxation info for the
93 million Brazilians currently employed within the country. Unfortunately for
those involved, Brazil’s recently introduced data protection law won’t be in
effect until halfway through next year.
Twitter 2FA Leak
Twitter announced earlier this week that many email addresses and phone numbers customers
were using for two-factor authentication had been provided to third-parties for
use in targeted advertisements. The company is still working to determine how
many users are involved in this apparently unintentional misuse of their
sensitive information. Twitter has fixed the main issue, though they still
require a phone number for 2FA regardless of the method used to verify the
New Zealand Health Organization Hacked
Following a cyber
attack in August of this year, officials discovered evidence of multiple
intrusions into their systems going back nearly three years. The health organization
has been working with law enforcement to determine the extent of the
unauthorized access, as well as attempting to contact all affected individuals.