Solutions
For pentesters. Collaborative platform For clients. Pentest management platform Security testing
Research
Blog
Help
Pricing
Contact us
hexway › Blog › CYBERSECURITY NEWS V. 11.12 - Critical bug in PlayStation Now, MageCart skimmers in social media buttons
11 December 2020

CYBERSECURITY NEWS V. 11.12 – Critical bug in PlayStation Now, MageCart skimmers in social media buttons

hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

Credit card stealer hides inside social media buttons

Sanguine Security analysts discovered that attackers are hiding MageCart skimmers in buttons used to post on social networks. Fake buttons look like the regular social media buttons found on countless websites and do not arouse any suspicion among visitors. The malware consists of two parts: the payload code itself and a decoder that reads and executes the payload. In new attacks, hackers use SVG files to hide malicious code. According to Sanguine Security: "The malicious payload assumes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element ". This technique was discovered in September on e-commerce sites, with malicious payloads hidden inside buttons designed to post content to social networks (Google, Facebook, Twitter, Instagram, YouTube, and Pinterest). In infected stores, the decoder reads the hidden malicious code and downloads a keylogger that would capture and steal bank card information from the payment form. To date, 37 online stores have been identified as infected with malware.

PlayStation Now bug allowed malicious code execution on Windows

A critical bug has been fixed in the PlayStation Now app for Windows that could be used by malicious sites to execute arbitrary code. The issue affected PS Now version 11.0.2 and earlier on computers running Windows 7 SP1 or later. Due to vulnerable WebSocket connections, websites could send requests to the application and load malicious URLs, which would then trigger arbitrary code execution in the system. This is possible if the WebSocket server running on the target device does not perform origin header or origin request checks. To successfully exploit the bug, attackers must convince a PS Now user to open a specially crafted malicious site. For example, they can send a link in a phishing email or a Discord channel, and so on. Besides that, the AGL Electron app launched by PlayStation Now allowed loaded JavaScript to run new processes on web pages, leading to code execution.

Many apps in Google Play Store still vulnerable to critical code execution vulnerability

About 8% of Android applications available in the Google Play Store are still affected by the CVE-2020-8913 vulnerability in the popular Android library. By exploiting the vulnerability, an attacker can inject malicious code into vulnerable applications, providing access to the host application's resources. As a result, a hacker can gain access to sensitive data from other applications on the device. The vulnerability was discovered this year and patched by Google in Play Core 1.7.2 back in March; however, not all developers have updated the library.

Among the most popular apps running the unpatched version of the library are Microsoft Edge, Grindr, OkCupid, Cisco Teams, Yango Pro, Movit, Xrecorder.

Chrome fixed serious bugs that allowed hijacking PCs

Google has rolled out an update fixing eight vulnerabilities at once, half of which are considered highly critical. Some of them could lead to memory violations, allowing hackers to compromise computers running Chrome. Windows, macOS, and Linux versions of the browser are vulnerable.

Three dangerous use-after-free vulnerabilities (CVE-2020-16037, CVE-2020-16038, CVE-2020-16039) could trigger memory errors. Under certain conditions, these could be used to run malicious code on the host system.

Another vulnerability (CVE-2020-16040) affects Google's JavaScript and WebAssembly engine, V8: due to insufficient data validation, it makes XSS attacks possible.

Google also fixed two medium-threat bugs: CVE-2020-16041 and CVE-2020-16042. The latter affects V8; the former allows accessing objects outside the allocated memory.

Google will not release any details about any of these vulnerabilities until most users have updated their browsers.

Popular
21 April 2021
Scanning result import feature: integration with Nessus
Read
7 April 2021
CYBERSECURITY NEWS V. March - Microsoft Exchange Server hack, Purple Fox, RCE vulnerability in Facebook
Read
12 March 2021
HIVE ONLINE DEMO VERSION RELEASED
Read
11 February
2020
Cybersecurity News V. 2.11 –...

Severe WhatsApp vulnerability patched Facebook has released a patch for WhatsApp vulnerability (CVE-2019-18426). WhatsApp Desktop prior to version 0.3.9309 allowed […]

30 January
2020
Cybersecurity News V. 1.30 –...

Recent news about Citrix CVE-2019-19781 vulnerability Citrix has finally released patches for CVE-2019-19781. The vulnerability affects Citrix Application Delivery Controller […]

18 January
2021
CYBERSECURITY NEWS V. 18.01 –...

hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates News […]

Subscribe to be notified about our updates and new research

    © Hexway
    Privacy policy
    Contacts
    How to get started with Hive
    Demo request

      I agree to the processing of my personal data
      Your mail is send!
      Thank you for trust!
      Back
      Download whitepaper

        I agree to the processing of my personal data
        Your mail is send!
        Thank you for trust!
        Back
        Price request

          I agree to the processing of my personal data
          Your mail is send!
          Thank you for trust!
          Back
          Contact us

            I agree to the processing of my personal data
            Your mail is send!
            Thank you for trust!
            Back