Apple Security Advisory 2022-08-31-1 - iOS 12.5.6 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-08-31-1 iOS 12.5.6iOS 12.5.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213428.iOS 12 is not impacted by CVE-2022-32894.WebKitAvailable for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPadmini 2, iPad mini 3, and iPod touch (6th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: An out-of-bounds write issue was addressed with improvedbounds checking.WebKit Bugzilla: 243557CVE-2022-32893: an anonymous researcherThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 12.5.6".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmMPsMkACgkQ4RjMIDkeNxmXTQ//TeGVIwqrnMbCv1iIzp5NfxAMYv0pnALmXOkXFFEWLmowM3zGknGHYk5SHyMTDhpbMVEoNtyY/CKH71gZC08mt7p13Y08lbAphMZzbsSvsEjnxiKHE1cqaIp+Txv9kZXHo4C1xT2LSJtfxy9EgF6aqjD8nYgNUueE8vZUg7KIOYdnCPACcGuWOonGNkg4bsgGhMHuWay7Om6kjoyYv2AVDisfaF4lkFKD+c+5E1A2BYbz+OQt68XLqFT9LZJY8LvUTWuYC6dmaZ3VJKDmlu3fybWyn1EAL5tpYzgEwmR/ooRkRuDWI4muj+Mm+WfuQdF53RlKSB91Mw1djMJu2puhcNkVNjLKiz22XFqt3MXaYkAcx/Ih7Bvt9AjgGkH+asd7HvgODgiQNXq/PTz6+7JUx8XHlef+efBjIITNuAbTBO1bvdaojUQ8rd3QpWXIUoMht6YlzYETf/ZeyZOvltIIdHxFnplh7YBI4Alw11NFFXeUyynjSQc14/Q0ne1LT/JBNxaT0s8tudyRiqOZGn+xdgsDA63lWnOcuoqSCDEXlNhkJECFr492xzsApe93jpskXfMeAw8FNXhl8UrRav5TbxOhMz60lac6hO7KPodbKh2fiIYZairZrEJhWrAmWos4/sYLMQyafQSCkTs7sy2jNQxjMWPhoZhsXZTy/w/ty1g=/yG9-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-31-1

Summary: Microsoft takes a proactive approach to continually probe our defenses, hunt for vulnerabilities, and seek new, innovative ways to protect our customers. Security researchers are an important part of this effort, and our collaborative partnership is critical in a world where cybersecurity attacks continue to grow in number and sophistication.  We value the role …
  Vulnerability Fixed in Azure Synapse Spark Read More »

**Summary:**

Microsoft takes a proactive approach to continually probe our defenses, hunt for vulnerabilities, and seek new, innovative ways to protect our customers. Security researchers are an important part of this effort, and our collaborative partnership is critical in a world where cybersecurity attacks continue to grow in number and sophistication.  We value the role the security research community plays in helping secure Microsoft products and services and the broader ecosystem. 

Orca Security is one of those researchers. Under Coordinated Vulnerability Disclosure (CVD), they informed Microsoft on June 1, 2022, of an Elevation of Privilege (EoP) vulnerability affecting Azure Synapse Spark. **Microsoft fixed this EoP vulnerability on June 18, 2022. No customer action is required.** 

**Vulnerability Details:**

Azure Synapse provided users the capability to mount Azure File Shares to their Apache Spark Pools via a script called _filesharemount.sh_ that would execute with elevated privileges. This script would mount the File Share to the _/synfs_ directory. There was a race condition in the script where, if successfully exploited, a user could execute the _chown_ command to change the ownership of any directory—including the one containing the _filesharemount.sh_ itself. This enabled a user to execute additional code with root privileges.   

While the EoP behavior was not intended, the impact was limited only to the user’s Spark pool. It did not permit unauthorized access to other customers’ workloads or sensitive secrets. 

We mitigated this EoP in Synapse Spark through the following: 

1.  We removed the capability to mount Azure File Shares to Spark pools indefinitely to redesign a more secure alternative. 
2.  We updated the documentation for How to use file mount/unmount API in Synapse to provide an alternative approach for safely mounting storage to Spark pools. 

As with all our products and services, we continue to prioritize security enhancements from the inside out. For Synapse Spark, we: 

*   Implemented additional layers of defense-in-depth  
*   Improved detection capabilities to alert our security teams of anomalous activity, to include: 
    *   Interactive shell escalation 
    *   Data exfiltration 
    *   Anomalous API calls 
    *   Usage of specific command line tools 
*   Conducted variant analysis of key components used by Synapse Spark to enumerate possible attack paths 
*   Conducted proactive hunting for additional exploits and tested security boundaries  

Further hardening Synapse Spark is one example of our continual work to enhance the security of our products and protect our customers. To learn more about Azure Security offerings, please visit the Azure Security catalog.  

**Customer Guidance:**

**To reiterate, no action is required by customers.** 

Our internal investigations determined this is a local privilege escalation within the user’s Spark pool and does not result in any cross-tenant scenarios or exposure of sensitive secrets or customer data. 

We would like to thank Orca for reporting this vulnerability and working with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure to help keep Microsoft customers safe. For more information on our bug bounty program, visit our Microsoft Bug Bounty Program page, review the program’s Terms and Conditions, and read our recent “Microsoft Bug Bounty Program Year in Review” blog post. 

**Additional References:**

Questions? Open a support case through the Azure Portal at aka.ms/azsupt.

**Timeline:**

Date

Action Taken

2022-06-01 

Orca submits initial report to Microsoft

2022-06-15 

Synapse Spark provides initial assessment of findings

2022-06-16 

Internal audit of Synapse Spark service begins

2022-06-18 

Elevation of Privilege bug mitigated 

2022-06-18 

Variant analysis of Synapse Spark service begins 

2022-06-18 

Internal audit of Synapse Spark service complete 

2022-06-21 

Investigations complete. _No impact to customer data, secrets, or tenant boundaries discovered._  

2022-06-21 

Full threat surface analysis of Spark service begins 

2022-08-10 

Orca provides MSRC with a draft of their blog

Vulnerability Fixed in Azure Synapse Spark

By Waqas
There are many different parental control apps available, so it is important to research which one will best fit the needs of your family.
This is a post from HackRead.com Read the original post: What is a parental control app and what are your options

A parental control app is a software application that parents can use to monitor their children’s activities on their smartphones. SMS, or short message service, is a way for parents to track their children’s text messages and see who they are communicating with. Smartphone parental control apps can also track the child’s location, restrict access to certain websites, and set time limits for app usage.

While some parents may feel comfortable trusting their children with a smartphone, others may want to have more control over what their children can do on their devices. For parents who want to monitor their child’s smartphone usage, a parental control app can be a helpful tool.

There are many different parental control apps available, so it is important to research which one will best fit the needs of your family. Here is a list of some of the parental control apps popular among users worldwide.

When it comes to keeping tabs on their children, parents have a lot of options these days. One such option is the mSpy parental control app. This app allows parents to track their child’s SMS messages, phone calls, and location. It can also be used to block certain apps and websites.

mSpy is a reliable and affordable option for parents who want to keep a close eye on their children’s activities. The app is easy to use and can be installed on most smartphones. Parents can also set up alerts so they’re notified if their child attempts to access something they’re not supposed to.

If you’re concerned about your child’s safety or want to make sure they’re not spending too much time on their phone, the mSpy parental control app is definitely worth considering.

**Google Family Link**

Did you know there is a parental control app offered by Google? Yes, Google Family Link is an app that helps parents manage their children’s online activity. It lets parents set up restrictions on what apps and websites their children can use, and also allows them to see how much time their children are spending on their devices.

Google Family Link can be a helpful tool for parents who want to make sure their children are staying safe online. The app is available for Android and iOS devices. Parents can also control the app on their web browser.

**Kidslox**

Kidslox is a parental control app that helps parents manage their children’s screen time. It allows parents to set limits on how much time their children can spend on devices, as well as what apps and websites they can access. Kidslox also has features that allow parents to monitor their children’s activity and whereabouts.

Kidslox is available for Android and iOS devices.

**Boomerang**

Boomerang is a parental control app that helps parents manage their children’s screen time. Boomerang lets parents set limits on how much time their children can spend on their devices, as well as track their child’s activity and internet usage.

Boomerang also provides parents with insights into their child’s online activity, helping them to better understand what their child is doing online. The app is available on App Store for iOS devices, on Google Play Store for Android devices, and on Galaxy Store as well.

**eyeZy**

The eyeZy parental app is a great way for parents to keep track of their children’s whereabouts and activities. The app is simple to use and easy to navigate, making it a great choice for anyone who wants to stay organized while they are away from home. The app includes features like an activity log, location history, and a message board where parents can communicate with each other.

**XNSPY**

The focus of the XNSPY application is mainly on parental control or monitoring a group of employees. It has a control panel designed to monitor various devices easily. Available in a version without root and with root; as well as without jailbreak and with jailbreak.

Seeing the functionality of this application, the general impression is that its developers designed it so that the user can monitor their company’s devices at the same time. Moreover, its control panel allows you to easily switch between all the devices added to the account.

**Choosing The Best Parental Control App**

When it comes to choosing parental control app, there are a few things you need to take into consideration. Here are some factors that you should look for:

*   **Ease of use**: The app should be easy to use and understand. Even if you’re not tech-savvy, you should be able to use it with ease.
*   **Reliability**: The app should be reliable and provide accurate information. You don’t want a parental control app that provides inaccurate information.
*   **Customer support**: If you run into any problems while using the app, you’ll want to ensure that customer support is available to help you.
*   **Value for money**: Make sure you’re getting an app worth the price. Some apps are expensive but don’t offer desired features. Choose an app that has an excellent price-to-feature ratio.
*   **Sharing Data:** Make sure that the app you are about to use does not store your data or sell it to the advertisement of malicious third parties. You must ensure your child’s data does not end up with an outsider.

1.  5 Ways to Ensure Your Child’s Online Safety
2.  Parents lose custody of kids after YouTube pranks
3.  Teen “Hackers” on Discord Selling Malware for Quick Cash
4.  Germany bans kids smartwatches, asks parents to destroy them
5.  Parental control spyware app Family Orbit hacked; 281 GB of data exposed

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

What is a parental control app and what are your options

Apple continues a staged update process to address a WebKit vulnerability that allows attackers to craft malicious Web content to load malware on affected devices.

Apple has quietly rolled out more updates to iOS to fix an actively exploited zero-day security vulnerability that it patched earlier this month in newer devices. The vulnerability, found in WebKit, can allow attackers to create malicious Web content that allows remote code execution (RCE) on a user's device.

An update released Wednesday, iOS 12.5.6, applies to the following models: iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation.

The flaw in question (CVE-2022-32893) is described by Apple as an out-of-bounds write issue in WebKit. It was addressed in the patch with improved bounds checking. Apple acknowledged that the bug is under active exploit, and is urging users of affected devices to update immediately.

Apple had already patched the vulnerability for some devices — alongside a kernel flaw tracked as CVE-2022-32894 — earlier in August in iOS 15.6.1. That's an update that covered iPhone 6S and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

The latest round of patches appears to be Apple covering all its bases by adding protection for iPhones running older versions of iOS, noted security evangelist Paul Ducklin.

"We're guessing that Apple must have come across at least some high-profile (or high-risk, or both) users of older phones who were compromised in this way, and decided to push out protection for everyone as a special precaution," he wrote in a post on the Sophos Naked Security blog.

The dual coverage by Apple to fix the bug in both versions of iOS is due to the change in which versions of the platform run on which iPhones, Ducklin explained.

Before Apple released iOS 13.1 and iPadOS 13.1, iPhones and iPads used the same operating system, referred to as iOS for both devices, he said. Now, iOS 12.x covers iPhone 6 and earlier devices, while iOS 13.1 and later versions run on iPhone 6s and devices released after.

The other zero-day flaw that Apple patched earlier this month, CVE-2022-32894, was a kernel vulnerability that can allow for entire device takeover. But while iOS 13 was affected by that flaw — and thus got a patch for it in the earlier update — it does not affect iOS 12, Ducklin observed, "which almost certainly avoids the risk of total compromise of the operating system itself" on older devices, he said.

**WebKit: A Wide Cyberattack Surface**

WebKit is the browser engine that powers Safari and all other third-party browsers that work on iOS. By exploiting CVE-2022-32893, a threat actor can build malicious content into a website. Then, if someone visits the site from an affected iPhone, the actor can remotely execute malware on his or her device.

WebKit in general has been a persistent thorn in Apple's side when it comes to exposing users to vulnerabilities because it spreads beyond iPhones and other Apple devices to other browsers that use it — including Firefox, Edge, and Chrome — putting potentially millions of users at risk from a given bug.

"Remember that WebKit bugs exist, loosely speaking, at the software layer below Safari, so that Apple's own Safari browser isn't the only app at risk from this vulnerability," Ducklin observed.

Moreover, any app that displays Web content on iOS for purposes other than general browsing — such as in its help pages, its _"About"_ screen, or even in a built-in "minibrowser" — uses WebKit under the hood, he added.

"In other words, just 'avoiding Safari' and sticking to a third-party browser is not a suitable workaround \[for WebKit bugs\]," Ducklin wrote.

**Apple Under Attack**

While users and professionals alike have traditionally considered Apple's Mac and iOS platforms as more secure than Microsoft Windows — and this has generally been true for a number of reasons — the tide is beginning to turn, experts say.

Indeed, an emerging threat landscape showing more interest in targeting more ubiquitous Web technologies and not the OS itself has widened the target on Apple's back, according to a threat report released in January, and the company's defensive patching strategy reflects this.

Apple has patched at least four zero-day flaws this year, with two patches for previous iOS and macOS vulnerabilities coming in January and one in February — the latter of which fixed another actively exploited issue in WebKit.

Moreover, last year 12 of 57 zero-day threats that researchers from Google's Project Zero tracked were Apple-related (i.e., more than 20%), with issues affecting macOS, iOS, iPadOS, and WebKit.

Apple Quietly Releases Another Patch for Zero-Day RCE Bug

Cloud breaches are inevitable — and so is cloud ransomware. (Second of two parts.)

In Part 1 of our tales of real-world cloud attacks, we examined real-world examples of two common cloud attacks. The first starting from a software-as-a-service (SaaS) marketplace, demonstrating the breadth of potential access vectors for cloud attacks and how it can enable lateral movement into other cloud resources, including a company's AWS environment. The second cloud attack demonstrated how attackers take over cloud infrastructure to inject cryptominers for their profit.

As we have witnessed, more attacks have moved onto the cloud, so it was only a matter of time before ransomware attacks did, too. Let's look at two scenarios where attackers leveraged ransomware to gain profits, and how unique cloud capabilities helped victims avoid paying the ransom.

**MongoDB Ransomware Demand Mitigated**

The first case (or rather cases, as this attack has appeared numerous times) is the notorious MongoDB ransomware, which has been ongoing for years. The attack itself is simple— attackers use a script to scan the internet (and now, common cloud vendor address spaces) for hosts running MongoDB exposed to the internet. The attackers then try to connect to the MongoDB with the empty admin password. If successful, the attack erases the database and replaces it with a double ransomware note: _pay, and your data will be returned; don't pay, and your data will be leaked._

Intervention was necessary to address the second part of the extortion scheme: data leakage. Luckily, the company had data backups, so recovery was easy, but the database contained considerable amounts of personally identifiable information (PII), which, if leaked, would be a major crisis for the company. This forced them into the position of either paying a hefty ransom or dealing with the press. MongoDB default logging, unfortunately, cannot provide a definitive answer regarding the data accessed, as not all potential types of data collection commands are logged by default.

This is where the cloud infrastructure became an advantage. While MongoDB may not log every command, AWS logs the traffic going in and out of servers, because it charges for network costs. Correlating the network traffic going out of the attacked server with the times when the attackers were connected to the compromised MongoDB server provided proof that the data could not have been downloaded by the attackers.

    

AWS traffic log over 10 day period. The marker represents the incident time. Source: Mitiga

This allowed the company to avoid paying the ransom _and_ ignore the threat. As expected, nothing further was heard from the attackers.

**Mitigating Ransomware in a Cloud Environment**

Another company experienced an attack on its main servers running on AWS EC2, where it was hit by a ransomware Trojan, not unlike those seen on on-premises servers. As often occurs these days, this was another double-extortion ransomware attack and the company needed help dealing with both issues.

Luckily, due to the company's cloud architecture and preparedness, there were AWS snapshots of the environment going back 14 days. The attackers were unaware of the snapshots and had not disabled them in their attack. This allowed the company to immediately revert to the day before the data encryption, resolving the first part of the attack with minimal effort. That still left two challenges to deal with: the potential data leak and the eradication of the attackers from the environment.

To address these challenges, there was a full investigation of the breach, which turned out to be quite complex due to the hybrid nature of their environment. The attackers compromised a single account with limited access, used by an IT person. They then identified a legacy on-premises server where that individual was an admin and used it to take over the Okta service account, allowing privilege escalation. Finally, using a decommissioned VPN service, they were able to hop to the cloud environment. Using the elevated privileges, they took over the EC2 servers and installed the malware.

The investigation yielded two significant findings. The first was the attack timeline. It showed that the compromise of all hosts occurred before the earliest snapshots were taken, indicating that the recovered servers were compromised and could not be used. New servers were installed, the data was transferred to them, and the original affected servers were purged.

The second finding was even more surprising. Malware analysis identified that the attackers used _rclone.exe_ to copy the files to a remote location. The connection credentials were hardcoded in the malware, so the company was able to connect to the same location, identify, and remove their files, eliminating the attackers' access to the files, eradicating the extortion aspect of the attack.

**Cloud Breaches Are Here to Stay**

As these real-life scenarios reveal, attackers are infiltrating the cloud and cloud breaches are on the rise. It's time for organizations to prepare for cloud incidents. Cybercriminals are leveraging cloud capabilities in attacks, and you should use them, too, to protect your organization and prevent a crisis from hitting the headlines.

Real-World Cloud Attacks: The True Tasks of Cloud Ransomware Mitigation

Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) credentials, posing a major security risk.
"Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services," Symantec's Threat Hunter team, a part of Broadcom Software, said in a report shared with The Hacker News.
Interestingly, a

Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) credentials, posing a major security risk.

"Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services," Symantec's Threat Hunter team, a part of Broadcom Software, said in a report shared with The Hacker News.

Interestingly, a little more than 50% of the apps were found using the same AWS tokens found in other apps maintained by other developers and companies, indicating a supply chain vulnerability.

"The AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps," the researchers said.

These credentials are typically used for downloading appropriate resources necessary for the app's functions as well as accessing configuration files and authenticating to other cloud services.

To make matters worse, 47% of the identified apps contained valid AWS tokens that granted complete access to all private files and Amazon Simple Storage Service (S3) buckets in the cloud. This included infrastructure files, and data backups, among others.

In one instance uncovered by Symantec, an unnamed B2B company offering an intranet and communication platform that also provided a mobile software development kit (SDK) to its customers had its cloud infrastructure keys embedded in the SDK for accessing the translation service.

This resulted in the exposure of all of its customers' private data, which encompassed corporate data and financial records belonging to over 15,000 medium-to-large-sized firms.

"Instead of limiting the hard-coded access token for use with the translation cloud service, anyone with the token had full unfettered access to all the B2B company's AWS cloud services," the researchers noted.

Also uncovered were five iOS banking apps relying on the same AI Digital Identity SDK that contained the cloud credentials, effectively leaking more than 300,000 users' fingerprint information.

The cybersecurity firm said it alerted the organizations of the issues uncovered in their apps.

The development comes as researchers from CloudSEK revealed that 3,207 mobile apps are exposing Twitter API keys in the clear, some of which could be utilized to gain unauthorized access to Twitter accounts associated with them.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Over 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials

Researchers found that mobile applications contain keys that could provide access to both user information and private files from unconnected apps.

As with any piece of software, mobile apps can create an array of security issues and exposures, from rogue programs that are intentionally malicious to apps that contain an obscure but significant flaw. Now, new research is shedding light on systemic oversights in mobile app cloud infrastructure that are all too common and create the risk that users' data could leak where it shouldn't or be compromised.

Researchers from Broadcom's Symantec Threat Hunter team published findings on Thursday about the prevalence of hard-coded authentication credentials lurking in the cloud services that underlie hundreds of mainstream apps. These login credentials are often meant to give the app access to a single file or service, like a mechanism for an app to display public images from a company's website or run text through a translation service at a user's request. But in practice, the researchers found, these same credentials often grant access to all files stored in a cloud service, like company data, database backups, and system control components. And when multiple apps have been created by the same third-party development firm or incorporate the same publicly available software development kits (SDKs), these static authentication tokens may even grant access to the infrastructure and user data of multiple, unconnected apps.

All of this means that if an attacker discovered these access tokens, they could potentially unlock massive and disparate troves of sensitive data all by finding one key under one doormat.

“The cloud is still kind of a new frontier. And sometimes when you hear about the practices being used, you realize that a lot of organizations may not be where they are with security on other fronts,” says Symantec's Dick O’Brien. “It’s hard to say whether it’s people cutting corners or whether it’s just an ignorance of what you’re exposing by putting those credentials out there, but it’s certainly obvious that data isn’t being ring-fenced anywhere near the way it should be."

The researchers found 1,859 publicly available apps on both Android and iOS that contained hard-coded Amazon Web Services credentials. The vast majority were iOS apps, a discrepancy Symantec says it has tracked for years but hasn't fully explained. The credentials present in more than three-quarters of the apps granted access to private cloud services, and nearly half of those additionally gave access to private files. Fifty-three percent of the apps contained access tokens that were also found in other, often totally unrelated, apps.

“Initially it was very surprising, but this is a systemic thing,” O’Brien says. “People need to do a complete audit of what they’re using and realize that there are multiple layers there. The practice of implementing hard coded access keys is not great. Temporary credentials that expire after a short period of time are probably the way to go, and also there needs to be greater awareness that you need to silo information.” 

Symantec says it has notified the developers of the apps where it sees the most pressing issues and hopes to raise awareness about how insecure development practices and shared resources can create exposures without careful consideration and segmentation. 

In one case, the researchers realized that several mainstream iOS banking apps were all using the same third-party AI digital identity software development kit that exposed cloud credentials of the shared service. While none of the banking apps themselves created the SDK, the credentials exposed its server structure and infrastructure blueprints, source code, and the AI models underlying the identity service. And more than 300,000 biometric fingerprint files from users of five of the mobile banking apps were leaking and potentially exposed.

In another case, the researchers noticed what it calls a large hospitality and entertainment company working with a technology company on sports betting apps. In total, hard-coded credentials gave infrastructure access to 16 online gambling apps, exposing their cloud services and even granting root access to take control of this backend platform. 

Symantec's O’Brien emphasizes that while the company isn't naming the impacted apps, it hopes the findings will raise awareness about these common pitfalls and their potentially outsize impact on users. “The things we found—it illustrates the significance of what we’re dealing with here,” he says.

Careless Errors in Hundreds of Apps Could Expose Troves of Data

Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 8.9.3.

**Description**

I found XSS in the file upload function of the message function.

**Proof of Concept****Step**

1.First, access the latest version of the demo environment. "Https://www.rosariosis.org/demonstration/index.php"

2.Then log in with your student account. Student: username and password “student“

3.After logging in, access "MESSAGING > Write" from the menu on the left. (/demonstration/Modules.php?modname=Messaging/Write.php)

4.Then enter the title and message as appropriate.

5.Now upload the SVG file containing XSS to "File Attached".

6.Finally, select "Teach Teacher" as the destination and send.

7.Log in from here with your teacher's account. Teacher: username and password “teacher“

8.After logging in, access "MESSAGING > Messages" from the menu and select the message you just sent.

9.Then click on the last attached file and a pop-up screen will appear.

**Summary**

\-Endpoint: POST /demonstration/Modules.php?modname=Messaging/Write.php&search_modfunc=list&recipients_key=staff_id&subject=<title>&message=<message>&recipients_ids[0]=2&send=Send

\-Attachment: SVG file

\-Test Payload: <script type="text/javascript">alert(document.cookie)</script>

**Impact**

This vulnerability can steal a user's cookie.

**References**

*   https://owasp.org/www-community/vulnerabilities/Unrestricted\_File\_Upload
*   https://owasp.org/www-project-top-ten/2017/A7\_2017-Cross-Site\_Scripting\_(XSS)

CVE-2022-3072: Cross-site Scripting (XSS) - Stored in rosariosis

Microsoft on Wednesday disclosed details of a now-patched "high severity vulnerability" in the TikTok app for Android that could let attackers take over accounts when victims clicked on a malicious link.
"Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft

Microsoft on Wednesday disclosed details of a now-patched "high severity vulnerability" in the TikTok app for Android that could let attackers take over accounts when victims clicked on a malicious link.

"Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft 365 Defender Research Team said in a write-up.

Successful exploitation of the flaw could have permitted malicious actors to access and modify users' TikTok profiles and sensitive information, leading to the unauthorized exposure of private videos. Attackers could also have abused the bug to send messages and upload videos on behalf of users.

The issue, addressed in version 23.7.3, impacts two flavors of its Android app com.ss.android.ugc.trill (for East and Southeast Asian users) and com.zhiliaoapp.musically (for users in other countries except for India, where it's banned). Combined, the apps have more than 1.5 billion installations between them.

Tracked as CVE-2022-28799 (CVSS score: 8.8), the vulnerability has to do with the app's handling of what's called a deeplink, a special hyperlink that allows apps to open a specific resource within another app installed on the device rather than directing users to a website.

"A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website," according to an advisory for the flaw. "This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click."

Put simply, the flaw makes it possible to circumvent the apps's restrictions to reject untrusted hosts and load any website of the attacker's choice through the Android System WebView, a mechanism to display web content on other apps.

"The filtering takes place on the server-side and the decision to load or reject a URL is based on the reply received from a particular HTTP GET request," Valsamaras explained, adding the static analysis "indicated that it is possible to bypass the server-side check by adding two additional parameters to the deeplink."

A consequence of this exploit designed to hijack WebView to load rogue websites is that it could permit the adversary to invoke over 70 exposed TikTok endpoints, effectively compromising a user's profile integrity. There's no evidence that the bug has been weaponized in the wild.

"From a programming perspective, using JavaScript interfaces poses significant risks," Microsoft noted. "A compromised JavaScript interface can potentially allow attackers to execute code using the application's ID and privileges."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Discover Severe ‘One-Click’ Exploit for TikTok Android App

Summary Summary Microsoft takes a proactive approach to continually probe our defenses, hunt for vulnerabilities, and seek new, innovative ways to protect our customers. Security researchers are an important part of this effort, and our collaborative partnership is critical in a world where cybersecurity attacks continue to grow in number and sophistication.

**Summary Summary**

Microsoft takes a proactive approach to continually probe our defenses, hunt for vulnerabilities, and seek new, innovative ways to protect our customers. Security researchers are an important part of this effort, and our collaborative partnership is critical in a world where cybersecurity attacks continue to grow in number and sophistication. We value the role the security research community plays in helping secure Microsoft products and services and the broader ecosystem.

Orca Security is one of those researchers. Under Coordinated Vulnerability Disclosure (CVD), they informed Microsoft on June 1, 2022, of an Elevation of Privilege (EoP) vulnerability affecting Azure Synapse Spark. **Microsoft fixed this EoP vulnerability on June 18, 2022. No customer action is required.**

**Vulnerability Details Vulnerability Details**

Azure Synapse provided users the capability to mount Azure File Shares to their Apache Spark Pools via a script called _filesharemount.sh_ that would execute with elevated privileges. This script would mount the File Share to the \_/synfs \_directory. There was a race condition in the script where, if successfully exploited, a user could execute the _chown_ command to change the ownership of any directory—including the one containing the \_filesharemount.sh \_itself. This enabled a user to execute additional code with root privileges.

While the EoP behavior was not intended, the impact was limited only to the user’s Spark pool. It did not permit unauthorized access to other customers’ workloads or sensitive secrets.

**Microsoft’s Response Microsoft’s Response**

We mitigated this EoP in Synapse Spark through the following:

1.  We removed the capability to mount Azure File Shares to Spark pools indefinitely to redesign a more secure alternative.
2.  We updated the documentation for How to use file mount/unmount API in Synapse to provide an alternative approach for safely mounting storage to Spark pools.

As with all our products and services, we continue to prioritize security enhancements from the inside out. For Synapse Spark, we:

*   Implemented additional layers of defense-in-depth
    
*   Improved detection capabilities to alert our security teams of anomalous activity, to include:
    
    *   Interactive shell escalation
    *   Data exfiltration
    *   Anomalous API calls
    *   Usage of specific command line tools
*   Conducted variant analysis of key components used by Synapse Spark to enumerate possible attack paths
    
*   Conducted proactive hunting for additional exploits and tested security boundaries
    

Further hardening Synapse Spark is one example of our continual work to enhance the security of our products and protect our customers. To learn more about Azure Security offerings, please visit the Azure Security catalog.

**Customer Guidance Customer Guidance**

**To reiterate, no action is required by customers.**

Our internal investigations determined this is a local privilege escalation within the user’s Spark pool and does not result in any cross-tenant scenarios or exposure of sensitive secrets or customer data.

We would like to thank Orca for reporting this vulnerability and working with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure to help keep Microsoft customers safe. For more information on our bug bounty program, visit our Microsoft Bug Bounty Program page, review the program’s Terms and Conditions, and read our recent “Microsoft Bug Bounty Program Year in Review” blog post.

**Additional References Additional References**

Questions? Open a support case through the Azure Portal at aka.ms/azsupt.

**Timeline:**

Date

Action Taken

2022-06-01

Orca submits initial report to Microsoft

2022-06-15

Synapse Spark provides initial assessment of findings

2022-06-16

Internal audit of Synapse Spark service begins

2022-06-18

Elevation of Privilege bug mitigated

2022-06-18

Variant analysis of Synapse Spark service begins

2022-06-18

Internal audit of Synapse Spark service complete

2022-06-21

Investigations complete. _No impact to customer data, secrets, or tenant boundaries discovered._

2022-06-21

Full threat surface analysis of Spark service begins

2022-08-10

Orca provides MSRC with a draft of their blog

Tag

#ios