Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On February 11, 2015

February 10, Softpedia – (International) About 40,000 MongoDB databases found open online. Three Saarland University cyber-security students reported security vulnerabilities in MongoDB’s database configuration, including servers running with no access controls and reachable from outside the application backend, which could expose the information of millions of customers to unauthorized parties. An initial scan found nearly 40,000 such open databases, prompting the researchers to submit their findings to the MongoDB maintainers for integration into revised security instructions for users.
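The two configuration settings behind an "open" MongoDB server are authorization left off and the listener bound to every network interface. The following audit is an added example written for this digest, not code from the researchers or from MongoDB; the config parser handles only the two-level YAML subset that mongod.conf uses, and the two sample configurations are constructed. The `security.authorization`, `net.bindIp` and `net.bindIpAll` keys are real mongod.conf options.

```python
"""Audit a mongod.conf for the two settings that leave a database open:
authorization disabled and the listener bound to every interface.
Added example; the parser below covers only the 'section:\\n  key: value'
subset that mongod.conf uses and is not a general YAML parser."""


def parse_mongod_conf(text):
    """Parse two-level YAML ('section:' then indented 'key: value') into a dict of dicts."""
    tree = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            tree[section] = {} if value == "" else value
        elif section is not None and isinstance(tree[section], dict):
            tree[section][key] = value
    return tree


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both controls are in place."""
    conf = parse_mongod_conf(text)
    findings = []

    security = conf.get("security", {})
    if not isinstance(security, dict) or security.get("authorization") != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can reach "
            "the port can read and write every database"
        )

    net = conf.get("net", {})
    if not isinstance(net, dict):
        net = {}
    bind_ip = net.get("bindIp", "")
    bind_all = net.get("bindIpAll", "").lower() == "true"
    listeners = {addr.strip() for addr in bind_ip.split(",") if addr.strip()}
    # Unset bindIp is flagged too: the default has changed across versions,
    # so the listener address should always be stated explicitly.
    if bind_all or not listeners or listeners & {"0.0.0.0", "::"}:
        findings.append(
            "net.bindIp does not restrict the listener (unset, bindIpAll, 0.0.0.0 "
            "or ::): bind explicitly to loopback or the backend network address"
        )
    return findings


# Constructed sample configurations for the two cases.
OPEN_CONF = """
# constructed example: no security section, listening on every interface
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """
# constructed example: authorization on, reachable only from the host itself
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Binding to a private address still needs authorization enabled: network position alone is not an access control, and the audit reports the two settings independently for that reason.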

February 10, Securityweek – (International) Researcher publishes 10 million usernames and passwords. A researcher released 10 million username/password combinations that he collected over the years in an attempt to advance research and make authentication more secure. The researcher asserted that most combinations were dated and had been scrubbed of all identifying and compromising information.

February 9, Securityweek – (International) Box Sync for Mac exposed sensitive information: Researcher. Version 4.0.6035 of Box Sync for Mac was released to fix a security issue discovered in January that exposed Python files containing sensitive data, such as application programming interface (API) keys, internal user IDs, passwords, and URLs. Box Sync representatives asserted that customer data was never at risk.

February 9, Securityweek – (International) LG fixes authentication bypass vulnerability in on-screen phone app. LG released version 4.3.010 of its On-Screen Phone application to fix a vulnerability, discovered by Search-Lab researchers in September 2014, that could have allowed attackers to bypass authentication and take control of users’ smartphones without their knowledge over the USB, Wi-Fi, or Bluetooth connection between the phone and the computer.

February 9, Securityweek – (National) API vulnerability exposed accounts of Delmarva Power customers. Delmarva Power, a subsidiary of Pepco Holdings, issued a patch in January addressing a vulnerability in its Android app after a researcher discovered that the application programming interface (API) was affected by an Insecure Direct Object Reference (IDOR) flaw, which could have allowed an attacker to hijack customers’ online accounts by resetting their passwords.
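An IDOR in a password-reset API means the server acts on whatever account identifier the client sends, instead of the identity it authenticated. The code below is an added example for this item and is not Delmarva Power's code: the account store, the `Session` class, the request shape and the handler names are all constructed to show the vulnerable pattern beside the fixed one.

```python
"""Insecure Direct Object Reference in a password-reset handler, vulnerable
and fixed versions side by side. Added example with a constructed account
store; none of these names come from the application in the news item."""

import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed account store keyed by a sequential id: the kind of guessable
# reference that makes IDOR exploitable once the check on ownership is missing.
ACCOUNTS = {
    1001: {"email": "alice@example.invalid", "credential": hash_password("alice-pw")},
    1002: {"email": "bob@example.invalid", "credential": hash_password("bob-pw")},
}


class Session:
    """Server-side session; account_id is set when the user authenticates."""

    def __init__(self, account_id):
        self.account_id = account_id


def reset_password_vulnerable(request, session):
    """Flawed pattern: the target account is taken from the request body and
    never compared with the caller's identity. Any authenticated user can
    reset any account simply by changing the number."""
    account = ACCOUNTS[request["account_id"]]
    account["credential"] = hash_password(request["new_password"])
    return account["email"]


def reset_password_fixed(request, session):
    """Fixed pattern: the target account comes from the authenticated session.
    If the client still supplies an id and it disagrees, the request is refused
    rather than silently redirected, so the attempt is visible in logs."""
    target = request.get("account_id", session.account_id)
    if target != session.account_id:
        raise PermissionError("account %s does not belong to the caller" % target)
    account = ACCOUNTS[session.account_id]
    account["credential"] = hash_password(request["new_password"])
    return account["email"]


def verify_password(account_id, password):
    """Constant-time comparison of a candidate password against the stored hash."""
    salt, digest = ACCOUNTS[account_id]["credential"]
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    bob = Session(1002)
    # Bob's session carrying Alice's account id: the vulnerable handler complies.
    print("vulnerable reset hit:", reset_password_vulnerable(
        {"account_id": 1001, "new_password": "x"}, bob))
    try:
        reset_password_fixed({"account_id": 1001, "new_password": "x"}, bob)
    except PermissionError as exc:
        print("fixed handler refused:", exc)
```

The same rule applies to every object an API touches, not just passwords: resolve the owner from the server-side principal, and treat a client-supplied identifier as at most a cross-check. Logging the refused mismatches also gives detection a clear signal, since legitimate clients never send someone else's id.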

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.