In this particular case, the toothbrush botnet was thought to have been vulnerable due to its Java-based OS. No particular toothbrush brand was mentioned in the source report. Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits, but after a malware infection, these toothbrushes were press-ganged into a botnet.
https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages
New defense tools from Abnormal Security defend against seemingly harmless QR codes
The innocuous black-and-white Quick Response (QR) codes pervasive across retailers, airports, bars, hotels (and more) are the threat surfaces no one talks about. But attackers see them as the perfect Trojan Horse for hijacking phones and stealing digital identities.
https://venturebeat.com/security/how-a-simple-qr-code-can-take-control-of-your-phone-and-digital-life/
Forever 21 data breach affects half a million people | TechCrunch
A data breach notice filed with Maine’s attorney general said the fashion giant was hacked over a three-month period beginning early January 2023, during which intruders obtained files from its systems. This data included the personal information of current and former employees, said Lorena Terroba Urruchua, a spokesperson for Forever 21 via public relations firm FTI Consulting, in an email to TechCrunch.
https://techcrunch.com/2023/08/31/forever-21-data-breach-half-million/
A popular Android app began secretly spying on its users months after it was listed on Google Play
Research by ESET found that the Android app, “iRecorder — Screen Recorder,” introduced the malicious code as an app update almost a year after it was first listed on Google Play. The code, according to ESET, allowed the app to stealthily upload a minute of ambient audio from the device’s microphone every 15 minutes, as well as exfiltrate documents, web pages and media files from the user’s phone.
https://techcrunch.com/2023/05/29/popular-android-app-microphone-spying-google-play/
TikTok’s Answer to Security Concerns? Grant Oracle Full Source Code Access
According to TikTok, "many of the major components of Project Texas are already operational, and we will continue bringing more parts of the initiative online in the coming weeks and months." This comes amid continued scrutiny of the service by the US government, and an impending ban of the service in Montana (TikTok has sued to stop the latter).
https://www.pcmag.com/news/tiktoks-answer-to-security-concerns-grant-oracle-full-source-code-access
WordPress plugin flaw puts ‘millions of websites’ at risk
WordPress users with the Advanced Custom Fields plugin on their website should upgrade after the discovery of a vulnerability in the code that could open up sites and their visitors to cross-site scripting (XSS) attacks. Essentially, it allows someone to run JavaScript within another person's view of a page, allowing the attacker to do things like steal information from the page, perform actions as the user, and so on. That's a big problem if the visitor is a logged-in administrative user, as their account could be hijacked to take over the website.
https://www.theregister.com/2023/05/08/wordpress_plugin_vulnerability/?td=rt-3a
Twitter alternative Hive shuts down its app to fix critical security issues
The team at the newly popular Twitter alternative Hive is in over its head. The company has now taken the fairly radical step of fully shutting down its servers for a couple of days in response to concerns raised by security researchers who discovered a number of critical vulnerabilities on Hive, several of which they say remain unfixed. The issues they found would allow attackers access to all data, including private posts and messages, shared media and even deleted direct messages, as well as the ability to edit other people’s Hive posts.
https://techcrunch.com/2022/12/01/twitter-alternative-hive-shuts-down-its-app-to-fix-critical-security-issues/