hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates
Credit card stealer hides inside social media buttons
Sanguine Security analysts discovered that attackers are hiding MageCart skimmers in buttons used to post on social networks. Fake buttons look like the regular social media buttons found on countless websites and do not arouse any suspicion among visitors. The malware consists of two parts: the payload code itself and a decoder that reads and executes the payload. In new attacks, hackers use SVG files to hide malicious code. According to Sanguine Security: "The malicious payload assumes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element". This technique was discovered in September on e-commerce sites, with malicious payloads hidden inside buttons designed to post content to social networks (Google, Facebook, Twitter, Instagram, YouTube, and Pinterest). In infected stores, the decoder reads the hidden malicious code and downloads a keylogger that captures and steals bank card information from the payment form. To date, 37 online stores have been identified as infected with malware.
PlayStation Now bug allowed malicious code execution on Windows
Many apps in Google Play Store still vulnerable to critical code execution vulnerability
About 8% of Android applications available in the Google Play Store are still affected by the CVE-2020-8913 vulnerability in Play Core, a popular Android library. By exploiting the vulnerability, an attacker can inject malicious code into vulnerable applications, providing access to the host application's resources. As a result, a hacker can gain access to sensitive data from other applications on the device. The vulnerability was discovered this year and patched by Google in Play Core 1.7.2 back in March; however, not all developers have updated the library.
Among the most popular apps running the unpatched version of the library are Microsoft Edge, Grindr, OkCupid, Cisco Teams, Yango Pro, Moovit, and Xrecorder.
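A dependency check for the Play Core fix described above, added here as an example (it is not code from Google or from the researchers). It flags Gradle declarations of Play Core older than 1.7.2; the Maven coordinate `com.google.android.play:core` is not named in the article, and the function names and sample build file are constructed for illustration.

```python
import re

# First fixed release, as stated in the article.
PATCHED = (1, 7, 2)

# Assumption: the app declares Play Core under this Maven coordinate.
# Matches Groovy ('...' or "...") and Kotlin DSL ("...") declarations.
DEP_RE = re.compile(r"""["']com\.google\.android\.play:core:([^"']+)["']""")

def parse_version(text):
    """Return (major, minor, patch), or None for dynamic or variable
    versions such as '1.+' or '$playCoreVersion'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def audit_gradle(build_file_text):
    """Return (line_number, declared_version, status) for each Play Core
    dependency; status is 'vulnerable', 'patched' or 'unresolved'."""
    findings = []
    for lineno, line in enumerate(build_file_text.splitlines(), 1):
        code = line.split("//", 1)[0]  # skip commented-out declarations
        for m in DEP_RE.finditer(code):
            declared = m.group(1)
            version = parse_version(declared)
            if version is None:
                status = "unresolved"  # needs manual review
            elif version < PATCHED:
                status = "vulnerable"  # predates the CVE-2020-8913 fix
            else:
                status = "patched"
            findings.append((lineno, declared, status))
    return findings

# Constructed sample build file, not taken from any real app.
SAMPLE_BUILD_GRADLE = '''\
dependencies {
    implementation "androidx.appcompat:appcompat:1.2.0"
    implementation "com.google.android.play:core:1.6.4"
    // implementation "com.google.android.play:core:1.5.0"
    releaseImplementation 'com.google.android.play:core:1.7.2'
    debugImplementation "com.google.android.play:core:$playCoreVersion"
}
'''

if __name__ == "__main__":
    for lineno, declared, status in audit_gradle(SAMPLE_BUILD_GRADLE):
        print(f"line {lineno}: play:core {declared} -> {status}")
```

Declarations reported as `unresolved` take their version from a variable or a dynamic range, so the resolved version has to be confirmed from the build's dependency report.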
Chrome fixed serious bugs that allowed hijacking PCs
Google has rolled out an update fixing eight vulnerabilities at once, half of which are considered highly critical. Some of them could lead to memory violations, allowing hackers to compromise computers running Chrome. Windows, macOS, and Linux versions of the browser are vulnerable.
Three dangerous use-after-free vulnerabilities (CVE-2020-16037, CVE-2020-16038, CVE-2020-16039) could trigger memory errors. Under certain conditions, these could be used to run malicious code on the host system.
Google also fixed two medium-threat bugs: CVE-2020-16041 and CVE-2020-16042. The latter affects V8; the former allows accessing objects outside the allocated memory.
Google will not release any details about any of these vulnerabilities until most users have updated their browsers.