Application Security Weekly Review, Week 7 2019

As always at the end of the week, we prepared a brief summary of the most significant news related to web application security, including OkCupid account hijackings, availability of 617 million stolen accounts on the dark web, vulnerabilities in WordPress plugins, and more.

OkCupid account hijackings highlight website account management issues

Recently, some users of the popular dating site OkCupid found that hackers had taken over their accounts and locked them out by changing the associated email address and password. In some cases, cybercriminals used the information from the accounts to harass their owners. The interesting part is that OkCupid didn’t even send emails confirming the password change; it simply accepted the change.

According to a company spokesperson, there has been no increase in account takeovers and no security breach at OkCupid. If OkCupid’s claims are valid, then one of the most likely explanations for the account hijackings is that attackers are using login credentials stolen from other sites to compromise OkCupid accounts. But some users claim that their passwords were unique to OkCupid and weren't used on any other sites or services. In that case, it’s unclear how hackers managed to compromise the accounts.

Flaw in popular WordPress plugin allows complete website takeover

Simple Social Buttons, a popular WordPress plugin that lets users add social media sharing support to their sites, contains a flaw that cybercriminals could exploit to elevate their privileges and take complete control of a website.

This flaw poses a significant risk to tens of thousands of WordPress sites that use Simple Social Buttons to distribute their content on various social media platforms. As the WordPress Plugins repository data shows, the plugin has been installed on more than 40,000 sites.

The root of the problem lies in two weaknesses in Simple Social Buttons: an improper application design flow and a lack of permission checks. Chained together, these flaws permit privilege escalation and unauthorized actions in a WordPress installation. For successful exploitation, an attacker only needs a registered user account, even a low-privileged one, the researcher explained.

Šikić informed WPBrigade, the developer of the plugin, about the bug at the beginning of February 2019, and the team fixed the issue with the release of the patched version, Simple Social Buttons 2.0.22.

Hackers are actively exploiting a bug in another WordPress plugin

Security researchers at Defiant detected ongoing attacks that leverage an old security hole in the commercial WordPress plugin WP Cost Estimation & Payment Forms Builder to compromise websites and insert backdoors. WP Cost Estimation & Payment Forms Builder, or WP Cost Estimation for short, allows owners of e-commerce websites to create flat visual forms for cost estimation and payment.

According to the researchers, hackers are exploiting an AJAX-related vulnerability in the plugin's upload functionality, along with other AJAX-related functions, to hijack incoming website traffic and redirect it to other sites. The vulnerabilities affect all WP Cost Estimation versions prior to v9.644 – a patched version released in October 2018.

Nearly 617 million accounts stolen from 16 hacked websites available for sale on the underground marketplace Dream Market

This week, a huge trove of stolen online account details from 16 hacked websites went on sale on the popular Dream Market underground marketplace. The database, compiled from data collected in breaches of more than a dozen popular websites (Dubsmash, MyFitnessPal, MyHeritage, 500px, Animoto, and DataCamp, to name a few), is available for purchase for less than $20,000 in Bitcoin.

The databases mainly include account holder names, email addresses, hashed passwords and, in some cases, location, personal details, and social media authentication tokens (depending on the specifics of the site). It appears that the collection doesn’t include financial information.

While some of these breaches were already known about (MyFitnessPal, MyHeritage or 500px), others came as a surprise not only for the cybersecurity community, but for the affected companies as well.

Researchers from cybersecurity firm ESET came across so-called “clipper” malware in the Google Play Store masquerading as MetaMask, a popular legitimate plugin that allows users to run Ethereum decentralized apps (or dApps) in a browser. This new malware, named Android/Clipper, is capable of stealing users’ credentials and private keys in order to gain access to victims’ coins. Moreover, it can replace cryptowallet addresses in the clipboard with ones under the attacker's control.

Google has already removed the offending app from the Play Store. According to the researchers, this is the first clipper malware found in Google’s app store. In the past there have been several apps disguised as MetaMask, but they merely gathered sensitive information to gain access to the victim’s cryptocurrency funds.