Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30.

Prior to this Werk it was possible to inject HTML or Javascript (Reflected XSS). A legitimate user tricked to click on a prepared link would then run arbitrary Javascript code in a valid session.

This vulnerability is only triggerable if another _Business Intelligence_ _BI pack_ (next to the default) was created.

We found this vulnerability internally.

**Affected Versions**:

*   2.2.0
*   2.1.0
*   2.0.0
*   1.6.0 (probably older versions as well)

**Indicators of Compromise**: To check for exploitation one can check the site apache access log var/log/apache/access\_log for entries like /$SITENAME/check\_mk/wato.py?mode=bi\_aggregations&bulk\_moveto=. The order of the URL paramters can be changed by an attacker. Potential injected code would be in the parameter bulk\_moveto.

**Vulnerability Management**: We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. We assigned CVE-2023-23548 to this vulnerability.

**Changes**: This Werk introduces escaping for the vulnerable parameter.

To the list of all Werks

CVE-2023-23548: Fix XSS in business intelligence

Categories: News
Categories: Personal
In every scam no matter how sophisticated or how amateur, there are two red flags.



(Read more...)




The post How to spot a scam appeared first on Malwarebytes Labs.

Unfortunately, scams are a fact of life online. The virtual ties that bind us are international now: Our public telephone numbers, social media accounts, email addresses, messaging apps, dating profiles, and even our physical mailboxes, can all be reached by any criminal and con artist from anywhere in the world.

And test us they do, with everything from the preposterous offers of “Nigerian princes” to the slow boiling intimacy of long-term, long-distance romances.

There is a lot of good advice around (and plenty of it on this website) to help you understand which scams are popular right, how they work, and how to spot them.

Though undoubtedly useful, the advice is often specific to a single campaign or type of scam: Watch out for fake DHL emails; Beware of SMS messages from the Royal Mail; Don’t open invoices from unknown senders; Check the spelling and links in emails; Reverse image search too-good-to-be-true dating profile pics, and so on.

Being specific, the advice is narrow. SMS scams are not the same as email scams, and neither has much in common with a romance scam. There is a lot to remember.

So today I’m going to offer you something different. I want to give you the most general advice I can—a template that can be applied to almost any scam, over any media, on any time scale, whether it’s a new scam or something tried and tested.

It doesn’t make the other advice redundant, it’s just another way to look at things.

The advice comes from perhaps the most famous conman in the world, Frank Abagnale, whose alleged exploits were made famous by Leonardo DeCaprio in the movie “Catch me if you can”. Abagnale’s account of his own backstory is either true, partially true, or a total fabrication, depending on who you ask. What isn’t in doubt is that he knows a thing or two about lying to get what he wants.

In 2019 he gave an interview to CNBC in which he gives perhaps the best generalised advice about scams I’ve ever heard, and which I will repeat here.

> In every scam no matter how sophisticated or how amateur, there are two red flags.

These are Abagnale’s red flags:

**An urgent need for money**

The end goal of all scams is to enrich the scammer. And that often involves a direct transfer of money, whether it’s entering credit card details into a fake website or wiring tens of thousands of dollars to a stranded lover.

The demand for money is almost always urgent. Scammers know that their requests don’t stack up, so they want you to rush, and they don’t want you to involve other people.

In a romance scam where the criminal hopes to make the victim fall in love with them, the scammer may take their time to begin. However, when the demand for money comes, it is likely to be urgent.

On a recent Lock and Code podcast, Cindy Liebes, Chief Cybersecurity Evangelist for the Cybercrime Support Network, spelled out just how patient these scammers can be:

> "It can take months, it can take years, but invariably they will seek to get money."

In other situations, such as business email compromise (BEC) scams, the urgency is immediate.

In a BEC scam an attacker spoofs the email account of a senior employee, such as a CEO, and tries to get a more junior employee to send them some of the company’s money.

Requests often come with a deadline and a demand for secrecy. The “CEO” concocts a story with one or more emails, messages or phone calls about needing help with an urgent, confidential deal. The scammer wants to isolate the employee from the company’s checks and balances, and their own common sense.

Underpinning it all is Abagnale’s first red flag: An urgent need for money.

Sometimes victims aren’t told to act urgently, they just want to. A few months ago we covered an Instagram scam in which victims thought they’d stumbled upon a website where they could see naked pictures of an attractive friend.

The urgency here came from the viewer’s desire to act on a sexual impulse, and is reinforced by language like “LIMITED SLOTS ONLY, DON’T MISS OUT” and “What are you waiting for?”

The small print even explained the scam in plain terms—victims were being signed up for a premium rate subscription service—but the scammers were betting that victims would be in too much of a hurry to read it.

**Asking for personal information**

Abagnale’s second red flag is being asked for personal information. Personal information helps the scammer pretend to be you.

Sometimes it’s as simple as stealing your username and password with a fake website, so they can log in as you on the real website.

But it can also be very subtle. In his book The Art of Deception, infamous social engineer Kevin Mitnick describes how he would sometimes make several phone calls to build up the information he needed for a scam.

Each call would capture small details that improved his credibility for the next one. For example, one of Mitnick’s most famous crimes is stealing the source code for a popular Motorola phone in the early 1990s, an attack he described to Vice in 2019.

The attack began with a call to the main Motorola reception, which sent him back-and-forth on several more calls in which he learned the phone number of the VP of Motorola mobility, and that the company had a research centre in Arlington Heights.

This information allowed him to call the VP and credibly introduce himself as “Rick, over in Arlington Heights”, which was enough to convince them to give him the name and phone number of the phone’s project manager.

Mitnick then called the project manager and learned from her voicemail that she was on holiday, and who to contact while she was away. He called the project manager’s stand-in and convinced her that the project manager had not fulfilled a promise to send him the source code before she left on holiday.

Most of the conversations did not ask for enough sensitive information to alert the people he was talking to, but every one of them contained a request for something personal or privileged. Of course, when he finally asked for the source code, he was making a request for hugely privileged information, but he was able to create a plausible enough persona to pull it off.

In fact, the last victim was so convinced of “Rick”’s authenticity that she persuaded a security manager to hand over a username and password for the company’s proxy server, on his behalf.

Thankfully, most of us aren’t faced with a hacker as skilled as Mitnick, and few of us would be able to stop him if we were. Most cons are simpler, more direct versions of the same basic idea.

And that brings me to my final point.

Many scammers are professional criminals and scams are common because they work. It makes sense to prepare yourself as thoroughly as you can to spot them, but we all fall short sometimes. There is no shame in falling for a scam, and it isn’t your fault if you do.

How to spot a scam

An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read.

CVE-2023-38428

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.1.3 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Hello! This is the most practical way to integrate RD Station Marketing with your WordPress site.

It automatically activates the RD Station Marketing tracking code in your WordPress pages, enabling features such as Lead Tracking and Pop ups. It also integrates the contact forms that capture Leads that convert in your website forms directly to RD Station Marketing.

More info about the version 5.0.0: https://ajuda.rdstation.com.br/hc/pt-br/articles/360054981272

Compatible with the following forms:

*   Contact Form 7
*   Gravity Forms
*   WooCommerce (only available for the checkout form)
*   Custom Scripts: you can also add custom integrations scripts in every single page or post you want.

Features:

*   Forms Integrations
*   Tracking code
*   As many integrations as you want
*   RD Station Marketing popups

A configuração do plugin é muito simples, ele já detectou automaticamente um formulário customizado que foi criado sem o uso de outros plugins e já integrou ele ao sistema do RD Station. Usando o Woocommerce ele captura todo processo que o usuário percorre para efetuar uma compra.

Achei muito restrito a dois tipos de formulários. Estou usando OptinMonster que foi pago a U$300 e simplesmente não terei o que fazer com ele. Isto me chocou. Espero que avancem neste quesito.

Olá Felipe, você tem alguma previsão para integração do plugin com o Form Craft 3?

Adicionei este plugin ao meu site para poder fazer a conexão diretamente a partir dos meus formulários em Contact Form 7. O plugin faz com que o formulário entre em looping infinito (a seta embaixo depois que você aperta botão de submit). Pelo que percebi isso aconteceu depois o último update para a versão 2.1. Uma lástima. Plugin mal testado me fez perder um tempo enorme.

Read all 5 reviews

“RD Station” is open source software. The following people have contributed to this plugin.

Contributors

*    filipenasc

**5.1.3**

*   Fixing a bug in sending legal bases using Gravity Forms

**5.1.2**

*   Update constant names

**5.1.1**

*   Removing refresh token error from Log Screen and adding clear log button
*   Fix error in the integration with advanced fields Gravity Forms
*   More info about the version 5.1.1: https://ajuda.rdstation.com.br/hc/pt-br/articles/360054981272

**5.1.0**

*   Log Screen

**5.0.5**

*   Adding products to WooCommerce mapping fields list

**5.0.4**

*   Sending drop-down menu from Contact Forms 7 as single text when Allow multiple selections aren’t checked
*   Fixing invalid data type errors

**5.0.3**

*   Sending drop-down menu from Contact Forms 7 as single text when Allow multiple selections aren’t checked
*   Fixing refresh token error

**5.0.2**

*   Adding company fields to the field mapping list

**5.0.1**

*   Fixing problem with corrupted files in version 5.0.0

**5.0**

*   Mapping fields RD Station
*   API v2 RD Station

**4.0**

*   One-click RD Station integration
*   Add tracking code, popups and new forms integrations

**3.2**

*   Add new translation keys

**3.0**

*   WooCommerce integration

**2.4**

*   Add custom scripts support

**2.3.1**

*   Ignore captcha fields

**2.3**

*   Update RD Station endpoint
*   Improve field mapping of Contact Form 7

**2.2**

*   Check post meta before saving the post

**2.0**

*   Gravity Forms field mapping

**1.1**

*   Add form\_origem field

**1.0**

*   Gravity Forms and Contact Form 7 support.

CVE-2022-38139: RD Station

Lawmakers are increasingly hellbent on punishing the popular social network while efforts to pass a broader privacy law have dwindled.

“We hope that Congress will explore solutions to their concerns about TikTok that won’t have the effect of censoring the voices of millions of Americans,” says TikTok spokesperson Brooke Oberwetter. “The swiftest and most thorough way to address national security concerns is for CFIUS to adopt the proposed agreement that we worked with them on for nearly two years. That plan includes layers of government and independent oversight to ensure that there are no backdoors into TikTok that could be used to access data or manipulate the platform. These measures go beyond what any peer company is doing today on security.”  

Over in the House, Rubio’s tough-on-tech allies just got new job titles and powers. Representatives Mike Gallagher of Wisconsin, a Republican, and Raja Krishnamoorthi of Illinois, a Democrat, are now the chair and ranking member, respectively, of the new House Select Committee on China established by Speaker Kevin McCarthy. While their new roles go beyond tech and TikTok, the two are eager to use their new perch to punish TikTok, in part, for stonewalling Congress.

“Part of the reason there’s not good data is \[that\] TikTok hasn’t responded to basic questions,” says Gallagher, who’s advocating for TikTok to be fully divested from ByteDance. “We’ve asked for transparency around their algorithms in general. There’s this question about how they intended to use their location tracking service that they would never really answer.”

Bipartisanship has been key to anti-TikTok efforts, but conservatives—and the GOP’s powerful messaging machine—have rallied around what, to them, is a glaring new national security threat. While US tech firms are now the punching bag for America’s right who accuse them of “censoring” them, most Republicans say this TikTok debate supersedes domestic political and corporate squabbles. They say there’s no comparing Silicon Valley to ByteDance.

“Can we just admit that the Chinese Communist Party is an adversary and Silicon Valley is not an actual adversary?” says senator Kevin Cramer of North Dakota, a Republican. “There are similar issues, but they’re not the exact same issues. The Chinese Communist Party is an adversary. Silicon Valley is an unruly child.”

Whether the fears are warranted or ungrounded, Congress isn’t even having the right debate, according to Senate Finance Committee chair Ron Wyden, a Democrat from Oregon. “Banning TikTok would be a godsend for sleazy rip-off data brokers,” the Oregon Democrat says. “TikTok is one piece of the puzzle, but don’t miss the overall challenge—because until you reign in these data brokers … you’re going to have all kinds of people’s personal data in America still on its way to China and hostile powers.”

Nevertheless, bipartisan anti-TikTok energy remains palpable in DC, especially because the app is so popular, with around 113 million users in the US, according to web analytics firm Statista. And with Beijing’s proven willingness to use technology to control its own citizens, US policymakers fear the CCP will soon distort the world for millions of unsuspecting Americans. 

“If you can dial these algorithms to say what kind of content \[people see\], it’s hugely problematic in terms of a propaganda tool,” Warner, the Senate Intelligence Committee chair, says.  

Warner supports reining TikTok in, but he remains skeptical of these new efforts to outright ban the app. He’s been left holding his tongue while awaiting more detailed information and a potential policy solution from the Justice Department. It’s not an either-or, though, according to privacy advocates in Congress. While they argue TikTok is the immediate concern, they also want to regulate Silicon Valley.

“I think there’s a need for both. We still need to get a big privacy bill,” Democratic senator Maria Cantwell of Washington says.

Cantwell chairs the Senate Commerce Committee, which is where many of these bipartisan efforts have died, in part because she’s demanded a higher federal privacy standard—or at least one that doesn’t supersede stout state laws, like California’s—than Republicans have been willing to accept. She says the reason the TikTok ban sailed through in December is that the government funding bill was “held hostage over it” by the GOP.

“With Big Data, there can be abuses, and we need to rein it in. Period,” Cantwell says. “There’s just a lot more work to be done, and my colleagues have to have the same bipartisan zeal to address those issues.”

Why the US Congress Wants to Ban TikTok

Dell iDRAC9 version 6.00.02.00 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker could exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.

**Vaikutus**

Low

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-34435

Dell iDRAC9 version 6.00.02.00 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker may potentially exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.

2.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CVE-2022-34436

Dell iDRAC8 version 2.83.83.83 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker may potentially exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.  
 

2.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-34435

Dell iDRAC9 version 6.00.02.00 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker may potentially exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.

2.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CVE-2022-34436

Dell iDRAC8 version 2.83.83.83 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker may potentially exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.  
 

2.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-34435

Dell iDRAC9

Versions before 6.00.30.00

6.00.30.00

https://www.dell.com/support/home/en-us/drivers/driversdetails?driverId=D92HF

CVE-2022-34436

Dell iDRAC8

Versions before 2.84.84.84

2.84.84.84

iDRAC8 firmware is planned to be available March 2023.

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-34435

Dell iDRAC9

Versions before 6.00.30.00

6.00.30.00

https://www.dell.com/support/home/en-us/drivers/driversdetails?driverId=D92HF

CVE-2022-34436

Dell iDRAC8

Versions before 2.84.84.84

2.84.84.84

iDRAC8 firmware is planned to be available March 2023.

**Kiitokset**

Dell Technologies would like to thank the Cloud Compute Security Team from Google for reporting this issue.  
 

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2022-11-14

Initial release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

iDRAC8, iDRAC9, iDRAC9 - 3.0x Series, iDRAC9 - 3.1x Series, iDRAC9 - 3.2x Series, iDRAC9 - 3.3x Series, iDRAC9 - 3.4x Series, iDRAC9 - 4.xx Series, iDRAC9 - 5.xx Series, iDRAC9 - 6.xx Series

14 marrask. 2022

CVE-2022-34435: DSA-2022-265: Dell iDRAC8 and Dell iDRAC9 Security Update for a RACADM Vulnerability

Vendors of mercenary spyware tools used by nation-states to track citizens and enemies have gotten savvy about evading efforts to limit their use.

Source: Robert Brown via Alamy Stock Photo

Efforts by the US and other governments to curb the development, use, and proliferation of powerful spyware tools like NSO Group's Pegasus and Intellexa Consortium's Predator have largely been unsuccessful. Rather, they appear to have encouraged these espionage retailers to improve their ability to evade detection and do business in the shadows.

Spyware could arguably have some legitimate law enforcement or intelligence gathering use case, however, human-rights-abuse watchers have soundly established tools like Pegasus and Predator as tools employed by authoritarian governments to spy on journalists, dissidents, and citizens, and to police their activity. Western governments (including the US, the UK, and others across Europe) recognize these spyware tools as a threat to human rights and basic freedoms, and have joined to try and stop their use through sanctions and other enforcement actions.

In 2021, the US Department of Commerce sanctioned NSO Group, Candiru Ltd., and two suppliers. In 2023, it added Intellexa Consortium to the list for "trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide," according to a Sept. 4 report from The Atlantic Council DFRLab.

Further in 2023, the US proposed blocking government agencies from using commercial spyware and joined with several other countries to pledge to work against the misuse and spread of commercial spyware, DFRLab's report noted. In March of 2024, the US Department of the Treasury also levied sanctions against seven spyware entities. And the following month, the US government also issued Visa restrictions to "promote the accountability for the misuse of commercial spyware," the report added.

It worked for a time. But the market for governments who want to use spyware against their citizens proved too big of a prize for these vendors to miss out on: the Atlantic Council report also highlighted the subsequent return of sanctioned spyware sellers.

"Most available evidence suggests that spyware sales are a present reality and likely to continue," the Atlantic Council admitted. "Proliferation heedless of its potential human rights harms and national security risks, however, is not a stable status quo."

**Predator Spyware Claws Back With Location Obfuscation**

Take Predator as an example. In 2024 Predator spyware use dropped sharply after the company was sanctioned, according to researchers at Insikt Group. But recently, new and improved Predator infrastructure has been detected in more countries, including the Democratic Republic of Congo and Angola.

Updates to the new and improved Predator tool anonymizes customer operations, which obscures which countries are using the spyware, Insikt Group reported in a Sept. 5 report on Predator.

"This change makes it more difficult for researchers and cybersecurity defenders to track the spread of Predator," the report added.

But Predator is hardly the only spyware tool gaming its location to evade oversight. The Atlantic Council's report identifies several ways spyware vendors have adapted to take advantage of jurisdictional gaps, including simply by structuring their businesses with subsidiaries, partners, and other relationships scattered across different areas. Spyware vendors also play games with naming and re-naming their companies and legal entities in an effort to get around sanctions and other regulation.

"The most persistently shifting identity is that of the firm originally known as Candiru Ltd., which changed its name four times over the ensuing nine years, and is known at the time of this writing as Saito Tech Ltd," the Atlantic Council's report noted.

The strategy goes beyond business operations; this jurisdictional shell game also allows these vendors to court investors from a wider range of countries.

"These relocations may offer a variety of location-specific benefits, from facilitating sales to the EU market with an EU-domiciled firm to situating branches in states with more forgiving laws," the Atlantic Council report said.

The good news is, these loopholes could be closed, according to the Atlantic Council, with more controls and scrutiny on spyware investment.

"Improving corporate transparency requirements, such as the US’ recent move to compel companies to report their beneficial owners in line with policies in other countries, will support improved investor due diligence and deal review inside the United States," according to the report. "For vendors located outside the US, a recent notice of proposed rulemaking to extend US security review over some forms of outbound investment could provide the basis to catalog and potentially block investment."

**Spyware Vendors Concentrated in Three Countries**

The Atlantic Council report said the current spyware vendor landscape is heavily concentrated in three areas: Israel, India, and Italy. While there has been a lot of focus on Israeli spyware firms like NSO Group, the Atlantic Council report encourages Western governments to expand their sanctions focus to companies working out of India and Italy as well, two countries that were recently left out of the high-profile international sanctions from the UK and France against cyber intrusion tools, called the Pall Mall Process.

India is home to five prolific spyware vendors, including Aglaya Scientific Aerospace Technology Systems Private Limited and Appin Security Group, and Italy has six, including Memento Labs, Movia SPA, the report points out.

More needs to be done to bring transparency to the spyware market, the Atlantic Council report urged.

"Nascent steps by a handful of countries demonstrate that a more vigorous approach to shape the behavior of spyware vendors, their supply chain, and their investors is possible," its report said. "However, much more remains to be done."

Commercial Spyware Use Roars Back Despite Sanctions

An issue found in TCPreplay tcprewrite v.4.4.3 allows a remote attacker to cause a denial of service via the tcpedit_dlt_cleanup function at plugins/dlt_plugins.c.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-27783: dlt_jnpr_ether_cleanup: check subctx before cleanup by Marsman1996 · Pull Request #781 · appneta/tcpreplay

A college student fell victim to a Snapchat sextortion scheme. With a friend's help, she 'hacked back' and sent him to jail.
The post When a sextortion victim fights back appeared first on Malwarebytes Labs.

When Katie Yates suddenly started receiving nude photos of her friend, Natalie Claus, over on Snapchat, she instantly recognized that Claus had just become a victim of a sextortion attack. She also knew how Claus should respond.

This happened in December 2019 when Claus was a sophomore. Both were students at the State University of New York.

Yates has a story of her own, too. Months before receiving those messages from Claus, she was herself a victim of sexual assault. After reporting the abuse, Yates started receiving abusive messages on social media. Seeing the lack of support from anyone on campus, she explored ways to identify her harasser.

This vigilanteism—Yates taking the matter into her own hands because she’s not getting any help—proved beneficial for Claus. So when Yates asked Claus if she wanted to catch her hacker, Claus said, “Yeah.”

**Hacker posed as “Snapchat Security”**

The case of Claus’s hacker, David Mondore (a chef), actually made headlines around 2020 and 2021. Claus is not his sole victim, and a press release revealed that Mondore was involved in a string of Snapchat hijacking activities from July 2018 to August 2020. During this period, the hacker gained unauthorized access to at least 300 Snapchat accounts, including Claus’s.

This Bloomberg article mentioned that Mondore posed as a “security employee” who warned Claus of an alleged breach of her Snapchat account. The Office of the US Attorney of New York provided more detail on the ruse that tricked Claus into handing over her account to Mondore.

According to Claus, whom the press release refers to as Victim 1, she received a Snapchat message from an acquaintance, whom the press release refers to as Acquaintance 1. The person messaging Victim 1 is actually Mondore using Acquaintance 1’s account.

Acquaintance 1 asked Victim 1 for her Snapchat credentials, so they can use the account to check if another user blocked them. In Snapchat, you can’t see anyone who’s blocking you even when you search for their username or full name. It appears the only way to see who’s blocking who is using another account. Several sites use this tactic.

Clearly, Mondore took advantage of this.

After Victim 1 sent her credentials to Acquaintance 1, Mondore sent Victim 1 a text message via an app anonymizing his actual phone number. The message he sent purportedly came from Snapchat Security, requesting Victim 1 to send the passcode for her “My Eyes Only” folder to verify that Victim 1’s account has been legitimately accessed.

“My Eyes Only” is a secure, encrypted, and private folder within Snapchat where users can save potentially sensitive photos and videos. This can only be accessed with a passcode.

After gaining access to Victim 1’s Snapchat account and her “My Eyes Only” folder, Mondore rinses and repeats. He contacted Victim 1’s contacts using her account, asking for their credentials under the pretense of checking who blocked them.

Mondore also used Claus’s private photos, which she had taken for herself as she attempted to recover from a rape, to gather compromising material from her Snapchat contacts. The message sent out with her nude images says, “Flash me back if we’re besties.” It was sent to 116 people, four of whom responded with explicit photos of themselves.

**“Gotcha”**

Claus hatched a plan to trap her hacker with Yates’s help. Using her own Snapchat account, Yates sent a message to Claus’s account, which Mondore had already controlled by then, saying she had nude images to share, with a URL link made to look like a porn site.

The URL, once clicked, collected the IP address of anyone who accessed it using the Grabify IP Logger website. Not only that, Yates and Claus set up the URL to redirect Mondore to the Wikipedia page for the word “gotcha” instead of the porn site he probably expected.

Mondore, upon seeing the Wikipedia redirect, messaged Yates saying, “What the hell is this?” She then blocked Claus’s account after collecting Mondore’s IP: he was in Manhattan and using an iPhone without a VPN.

Claus sent her police report to the campus police, who then forwarded it to the New York state police. One of the officers then knew who to contact within the FBI. The tip eventually led to Mondore’s arrest. He received a sentence of 6 months jail time.

“It was him being an idiot that did it,” Claus said of her hacker. “When I passed all that information to the FBI, they said, ‘There’s a really good chance that we wouldn’t have caught him without this.'”

Despite what happened to her and the “too light” punishment Mondore received, Claus believes he’s not a monster. “He’s a human,” she told Bloomberg. “That’s what makes it scary.”

When a sextortion victim fights back

### Impact

A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

### Patches
Patched versions have been released as Wagtail 4.1.9 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release.

### Workarounds
None.

### Acknowledgements
Many thanks to @quyenheu for reporting this issue.

### For more information
If you have any questions or comments about this advisory:

* Visit Wagtail's [support channels](https://docs.wagtail.io/en/stable/support.html)
* Email us at [security@wagtail.org](mailto:security@wagtail.org) (view our [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).

**Package**

pip wagtail (pip)

**Affected versions**

< 4.1.9

\>= 4.2.0, < 5.0.5

\>= 5.1.0, < 5.1.3

**Patched versions**

4.1.9

5.0.5

5.1.3

**Description**

**Impact**

A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

**Patches**

Patched versions have been released as Wagtail 4.1.9 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release.

**Workarounds**

None.

**Acknowledgements**

Many thanks to @quyenheu for reporting this issue.

**For more information**

If you have any questions or comments about this advisory:

*   Visit Wagtail's support channels
*   Email us at security@wagtail.org (view our security policy for more information).

**References**

*   GHSA-fc75-58r8-rm3h
*   wagtail/wagtail@0bacd29
*   wagtail/wagtail@2231f46
*   wagtail/wagtail@bc96aed
*   https://github.com/wagtail/wagtail/releases/tag/v4.1.9
*   https://github.com/wagtail/wagtail/releases/tag/v5.0.5
*   https://github.com/wagtail/wagtail/releases/tag/v5.1.3

 gasman published to wagtail/wagtail

Oct 19, 2023

Published to the GitHub Advisory Database

Oct 19, 2023

Reviewed

Oct 19, 2023

Last updated

Oct 19, 2023

Search

lenovo warranty check/lookup | check warranty status | lenovo support us