Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On March 30, 2016

March 28, Softpedia – (International) Flaw in Truecaller Android app leaves data of millions of users exposed. Security researchers from Cheetah Mobile Security Research Lab discovered a remotely exploitable flaw in the Truecaller app that exposed the personal information of millions of users and could allow attackers to modify users’ account settings through the device’s International Mobile Equipment Identity (IMEI) code. Attackers could write scripts that query random IMEI codes to collect users’ data and subsequently use the collected data in spam or phishing campaigns. Source

March 28, SecurityWeek – (International) Zen Cart patches multiple XSS vulnerabilities. Zen Cart released an updated version of its online open source shopping cart application, Zen Cart 1.5.4, that patched several cross-site scripting (XSS) vulnerabilities after researchers from Trustwave found flaws in the administrative section of Zen Cart that could result in access to cookies, sensitive information, or site defacement. Researchers advised users to upgrade their software to the latest version to avoid the flaws. Source

March 28, Softpedia – (International) Facebook fixes Instagram issue that allowed account takeover. A Belgian security researcher discovered critical flaws in Instagram that could have allowed an attacker to reset emails attached to an account and reset the account’s password after Facebook was discovered printing sensitive Instagram user information on the Web page. In addition, an Insecure Direct Object Reference vulnerability allowed unauthenticated users to access other users’ information and could potentially allow an attacker to do the same. Source

March 29, Softpedia – (National) TreasureHunt PoS malware linked to illegal credit card sharing forum. Researchers from FireEye reported that a new strain of point of sale (PoS) malware, dubbed TreasureHunt, was being used by BearsInc, a cyber-crime group, to power its malicious campaign targeting small businesses and banks in the U.S. that have not yet transitioned to the new Europay, MasterCard, and Visa (EMV) chip and Personal Identification Number (PIN) card system. The new strain adds a registry key for boot persistence to a device, scans the device’s memory for credit card information, and encodes and sends the data to a command and control (C&C) server. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.