April 4, Softpedia – (International) Authentication flaw in Microsoft accounts gets researcher $13,000 reward. Microsoft patched a cross-site request forgery (CSRF) flaw in its main authentication system after a security researcher found that attackers could gain access to its Azure, Outlook, and Office servers by altering the “wreply” parameter so that authentication tokens were sent to an attacker-controlled Web site, a result of improper input filtering on the “wreply” Uniform Resource Locator (URL).
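The flaw above comes down to a return-URL parameter that was not checked strictly enough before tokens were redirected to it. The following Python validator is an added example of the defensive check a login service should apply to such a parameter; it is not Microsoft's code, and the allowed host names and the `wreply` values it is fed are constructed for illustration. It accepts only exact-match HTTPS hosts from an allowlist and rejects the common bypass shapes (scheme-relative URLs, userinfo tricks, look-alike subdomains, wrong scheme).

```python
from urllib.parse import urlparse

# Constructed allowlist: the only hosts a login flow may redirect tokens to.
ALLOWED_RETURN_HOSTS = {"login.example.com", "mail.example.com"}
DEFAULT_RETURN_URL = "https://login.example.com/"


def is_safe_return_url(wreply: str) -> bool:
    """Return True only if wreply is an https URL whose host is exactly allowlisted."""
    if not wreply or any(ch.isspace() or ord(ch) < 0x20 for ch in wreply):
        return False  # reject whitespace / control characters outright
    if "\\" in wreply:
        return False  # backslashes are parsed inconsistently across clients
    parsed = urlparse(wreply)
    if parsed.scheme != "https":
        return False  # covers "//evil.net/..." (empty scheme) and plain http
    if parsed.username is not None or parsed.password is not None:
        return False  # "https://login.example.com@evil.net/" style URLs
    host = parsed.hostname
    if host is None:
        return False
    # Exact match only: "login.example.com.evil.net" must not pass.
    return host.lower() in ALLOWED_RETURN_HOSTS


def resolve_return_url(wreply: str) -> str:
    """Pick the redirect target: the supplied URL if safe, otherwise a fixed default."""
    return wreply if is_safe_return_url(wreply) else DEFAULT_RETURN_URL


if __name__ == "__main__":
    for candidate in (
        "https://login.example.com/callback?state=abc",   # constructed, legitimate
        "https://login.example.com.evil.net/callback",    # constructed, look-alike host
        "https://login.example.com@evil.net/",            # constructed, userinfo trick
        "//evil.net/steal",                               # constructed, scheme-relative
        "http://login.example.com/",                      # constructed, wrong scheme
    ):
        print(f"{candidate!r:50} -> {resolve_return_url(candidate)}")
```

Matching on the exact host rather than a suffix or prefix is the point: a substring check such as `"example.com" in url` would have passed every one of the rejected inputs above.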
April 4, SecurityWeek – (International) Romanian hacker “Guccifer” appears in U.S. court. A Romanian national was extradited to the U.S. for a period of 18 months after U.S. authorities stated that the man allegedly hacked into the email and social media accounts of two former presidents, a former cabinet member, a former presidential advisor, and a former member of the U.S. Joint Chiefs of Staff, among others, and released victims’ personal information, including private emails, personal photographs, and medical and financial data, between December 2012 and January 2014.
April 1, Softpedia – (International) Hackers can unlock any HID door controller with one UDP packet. A security researcher from Trend Micro discovered a design vulnerability in HID Global’s door controllers, specifically the VertX and Edge products, that can allow an attacker to send a single malicious User Datagram Protocol (UDP) request to a door controller and automatically unlock the door and/or deactivate the alarm. An attacker could execute remote commands on the device with root privileges because both product lines run a daemon named discoveryd, which answers UDP packets on port 4070 with information about the device.
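A discovery service that answers any UDP packet on a fixed port is a good candidate for network-level monitoring while devices await a fix. The Python script below is an added example, not a Trend Micro or HID tool: it scans constructed firewall log lines in an iptables-style `SRC=... DST=... PROTO=... DPT=...` format and flags UDP traffic to port 4070 (the discoveryd port named in the report) that does not originate from a management subnet. The subnet, addresses, and log lines are all constructed for illustration.

```python
import ipaddress
import re

# Constructed: the only network from which discovery traffic to door
# controllers is expected. Anything else reaching UDP/4070 is flagged.
MANAGEMENT_NETS = [ipaddress.ip_network("10.1.9.0/24")]
CONTROLLER_DISCOVERY_PORT = 4070  # UDP port used by discoveryd, per the report

# Constructed log lines in an iptables-style key=value format.
SAMPLE_LOG = [
    "2016-04-01T10:00:01Z fw: SRC=10.1.9.5 DST=10.1.20.3 PROTO=UDP SPT=41000 DPT=4070 LEN=60",
    "2016-04-01T10:00:07Z fw: SRC=10.1.5.7 DST=10.1.20.3 PROTO=UDP SPT=51234 DPT=4070 LEN=60",
    "2016-04-01T10:00:09Z fw: SRC=10.1.5.7 DST=10.1.20.3 PROTO=TCP SPT=51235 DPT=4070 LEN=52",
    "2016-04-01T10:00:12Z fw: SRC=192.168.1.10 DST=10.1.20.4 PROTO=UDP SPT=40001 DPT=4070 LEN=64",
    "2016-04-01T10:00:15Z fw: this line is malformed and should be skipped",
]

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


def parse_line(line: str):
    """Extract the 5-tuple fields from one log line; return None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None  # garbage address: skip rather than crash the scan
    return {
        "src": src,
        "dst": dst,
        "proto": m.group("proto").upper(),
        "spt": int(m.group("spt")),
        "dpt": int(m.group("dpt")),
    }


def is_suspicious(rec: dict) -> bool:
    """UDP to the discovery port from outside the management subnet(s)."""
    if rec["proto"] != "UDP" or rec["dpt"] != CONTROLLER_DISCOVERY_PORT:
        return False
    return not any(rec["src"] in net for net in MANAGEMENT_NETS)


def scan(lines):
    """Return (src, dst) string pairs for every flagged line."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_suspicious(rec):
            alerts.append((str(rec["src"]), str(rec["dst"])))
    return alerts


if __name__ == "__main__":
    for src, dst in scan(SAMPLE_LOG):
        print(f"ALERT: unexpected UDP/{CONTROLLER_DISCOVERY_PORT} discovery probe {src} -> {dst}")
```

The allowlist-by-source approach is deliberately simple: it does not need to know the daemon's message format, only that the port should never be reachable from general-purpose networks, which is also the basis for the firewall rule that would block such traffic outright.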