Application Security News


Activists release nearly 100 years of time magazine issues for free

Activists have downloaded nearly 100 years' worth of TIME magazine issues from the publication's paywalled digital archive and dumped them all online for anyone to grab for free…

When browsing The Vault, Best noticed that the URL for each page is simply based on the issue's date and page number. Best took that information and figured out the URLs for each issue and page, and then used a tool called DownThemAll to quickly scrape each page.
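The scrape described above worked because every page had a predictable address, so the whole archive could be enumerated without ever breaking an access control. From the defender's side, that kind of bulk retrieval is visible in ordinary access logs as one client walking through consecutive identifiers far faster than a reader could. The following script is an added example (not part of the original article or of TIME's site) that flags such clients from sample log lines; the `/vault/<date>/<page>` path layout and the log lines themselves are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined log format). The /vault/<date>/<page>
# path scheme is assumed for illustration, not taken from any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2015:10:00:01 +0000] "GET /vault/1923-03-03/1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jul/2015:10:00:01 +0000] "GET /vault/1923-03-03/2 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jul/2015:10:00:02 +0000] "GET /vault/1923-03-03/3 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jul/2015:10:00:02 +0000] "GET /vault/1923-03-03/4 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jul/2015:10:00:03 +0000] "GET /vault/1923-03-03/5 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jul/2015:10:00:03 +0000] "GET /vault/1923-03-03/6 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jul/2015:10:00:05 +0000] "GET /vault/1923-03-03/1 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jul/2015:10:03:40 +0000] "GET /vault/1923-03-03/2 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jul/2015:10:07:12 +0000] "GET /vault/1923-03-03/3 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PAGE_RE = re.compile(r'^/vault/(?P<issue>\d{4}-\d{2}-\d{2})/(?P<page>\d+)$')


def parse_line(line):
    """Return (ip, timestamp, issue, page) for an archive page request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PAGE_RE.match(m["path"])
    if not p:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, p["issue"], int(p["page"])


def find_enumerators(log_text, window=timedelta(seconds=60), min_pages=5, min_seq=0.8):
    """Flag clients that fetched at least `min_pages` distinct pages of one issue
    inside `window`, with at least `min_seq` of those pages numbered consecutively.

    Returns {ip: (distinct_pages_in_window, sequential_fraction)}.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, issue, page = rec
            by_client[ip].append((ts, issue, page))

    flagged = {}
    for ip, reqs in by_client.items():
        reqs.sort()
        best = (0, 0.0)
        # Slide a window starting at each request and look at what followed it.
        for i, (t0, issue0, _) in enumerate(reqs):
            pages = sorted({p for (t, issue, p) in reqs[i:]
                            if t - t0 <= window and issue == issue0})
            if len(pages) < min_pages:
                continue
            steps = sum(1 for a, b in zip(pages, pages[1:]) if b == a + 1)
            frac = steps / (len(pages) - 1)
            best = max(best, (len(pages), frac))
        if best[0] >= min_pages and best[1] >= min_seq:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, (pages, frac) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {pages} consecutive-looking pages in 60s (sequential fraction {frac:.2f})")
```

In the constructed sample, the first client pulls six consecutive pages in three seconds and is flagged, while the second client reads three pages over several minutes and is not. The thresholds are deliberately conservative starting points; tune them against a site's real reading patterns, and remember that a detection like this is a backstop, not a substitute for making archive pages unguessable or properly authorised.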

Polish telco operator Netia suffers massive data breach, exposing 300,000 customer credentials

Netia, the second-largest telecoms operator in Poland, has suffered a serious data breach that has exposed private information, potentially impacting at least 300,000 customers.

The telco has confirmed that on 7 July, its official website was hacked by attackers, who accessed and compromised two different online forms that customers can use to contact the firm or to start an online contract for new services …

It is believed that the hackers might have exploited a vulnerability in the web forms and used it to access a large log file containing session identifiers associated with various customer accounts. With the session identifiers, the hackers might have been able to connect to Netia's SQL databases without having to prove authentication with user credentials.
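The damaging detail in the Netia account is not the forms themselves but the log file: a session identifier written verbatim into a log is as good as the cookie it came from, so whoever reads the log can act as the user. The usual fix is to never let a live token reach a log file. The snippet below is an added example, not Netia's code or anything from the original report: it pseudonymises session tokens with a keyed HMAC before they are logged, so support staff can still correlate events from one session while a leaked log contains nothing replayable. The cookie names, the `LOG_PSEUDONYM_KEY` value and the sample messages are constructed for illustration.

```python
import hashlib
import hmac
import io
import logging
import re

# Constructed key for the example only; a real deployment loads it from a secret
# store and rotates it. It must never be the same key used to sign sessions.
LOG_PSEUDONYM_KEY = b"example-only-log-key-rotate-me"

# Patterns for tokens that commonly leak into request logs: (name)(separator)(value).
SESSION_PATTERNS = [
    re.compile(r'(?i)\b(PHPSESSID|JSESSIONID|sessionid|session_id)(=)([^;\s&"]+)'),
    re.compile(r'(?i)\b(Authorization: Bearer)( )([A-Za-z0-9._\-]+)'),
]


def pseudonymize(token: str) -> str:
    """Stable, one-way stand-in for a token: same token -> same label, but the
    label cannot be turned back into the token or used as one."""
    digest = hmac.new(LOG_PSEUDONYM_KEY, token.encode(), hashlib.sha256).hexdigest()
    return "sid:" + digest[:12]


def scrub(line: str) -> str:
    """Replace every session token in a log line with its pseudonym."""
    for pat in SESSION_PATTERNS:
        line = pat.sub(lambda m: m.group(1) + m.group(2) + pseudonymize(m.group(3)), line)
    return line


class SessionScrubFilter(logging.Filter):
    """Logging filter that scrubs the rendered message before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


def scrubbed_log_output(message: str) -> str:
    """Log one message through a scrubbing handler and return what was written."""
    buf = io.StringIO()
    logger = logging.Logger("form-handler-example")  # standalone, not the global registry
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(SessionScrubFilter())
    logger.addHandler(handler)
    logger.info(message)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed request line of the kind a contact-form handler might log.
    print(scrubbed_log_output("POST /contact-form sessionid=abc123def456 ip=203.0.113.5"))
    print(scrubbed_log_output("Authorization: Bearer eyJhbGciOi.example.token"))
```

Attaching the filter to the handler rather than the logger means it also catches messages from third-party libraries that log through the same handler. Pseudonymising with a keyed hash, rather than plain SHA-256, matters: session identifiers are short enough that an unkeyed hash of a leaked log could be reversed by guessing.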

Zero-Days in BMW Web Portal Let Hackers Tamper with Customer Cars

ConnectedDrive is the name of BMW's in-car infotainment system. The system can be used as it is, in the car, or via a series of connected mobile apps that allow the driver to manage vehicle settings through their mobile devices. Besides the mobile apps, this service also has a counterpart for the Web.

The first issue is a session vulnerability that allows a user to get access to another person's VIN (Vehicle Identification Number).

The second issue is an XSS (cross-site scripting) bug on the portal's password reset page.

This XSS bug can lead to any of the regular complications that come from such Web attacks, such as browser cookie harvesting, subsequent CSRF attacks, phishing attacks, and more.

Web application attacks are on the rise. This month's news stories show attacks across three different industries, with three different motivations. The TIME attack was by someone who was against paywalls. The Netia hack was by people who wanted to sell the data. And the BMW vulnerabilities were discovered by a researcher. Two out of three were malicious. All of them were preventable by continual testing and patching, given enough time and resources – both of which are luxuries in most cases.


The Barracuda WAF is available in the Microsoft Azure Security Center. Read more here.

It is not easy to continually keep up with the vulnerabilities on your web, mobile and API applications. As seen in the case of Netia, the site was secure – except for some vulnerabilities in web forms that let the bad guys steal sensitive data. The Barracuda Web Application Firewall makes it easy to secure your web, mobile and API applications. It sits in front of your servers, inspects all traffic and intercepts all application attacks. It provides URL encryption to ensure that your sensitive URLs are not exposed to site visitors – avoiding the possibility of a hack like that of TIME Magazine's. It secures your web forms, encrypts session identifiers and blocks cross-site scripting (XSS) and other OWASP Top 10 attacks.
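The idea behind hiding sensitive URLs from visitors, as in the paragraph above and as the mitigation for the predictable archive paths in the TIME story, is that the browser only ever sees an opaque reference that it cannot turn into the next page's address. The code below is an added example of that general technique (an indirect reference map, as OWASP describes it), written for this post; it is not Barracuda's URL encryption implementation and makes no claim about how the product does it. Outbound links under an assumed `/vault/...` prefix are rewritten to random per-session tokens, and inbound `/r/<token>` requests are resolved only for the session the token was issued to.

```python
import re
import secrets


class OpaqueUrlMap:
    """Per-session indirect reference map: real paths never reach the browser.

    Tokens are random, so a visitor holding the token for page 1 learns nothing
    about page 2, and a token copied from another session does not resolve.
    Kept in memory here for illustration; a deployment would persist it with
    the session store and expire entries with the session.
    """

    def __init__(self):
        self._by_session = {}  # session_id -> {token: real_path}

    def reference(self, session_id: str, real_path: str) -> str:
        table = self._by_session.setdefault(session_id, {})
        for token, path in table.items():  # reuse an existing token for this path
            if path == real_path:
                return token
        token = secrets.token_urlsafe(16)
        table[token] = real_path
        return token

    def resolve(self, session_id: str, token: str):
        return self._by_session.get(session_id, {}).get(token)


# Assumed layout of the protected links; adjust the prefix for a real application.
HREF_RE = re.compile(r'href="(/vault/[^"]+)"')


def rewrite_outbound(html: str, session_id: str, urlmap: OpaqueUrlMap) -> str:
    """Replace every protected href in an outgoing page with an opaque /r/<token> link."""
    return HREF_RE.sub(
        lambda m: f'href="/r/{urlmap.reference(session_id, m.group(1))}"', html
    )


def handle_inbound(path: str, session_id: str, urlmap: OpaqueUrlMap):
    """Map /r/<token> back to the real path, or None if the token was not issued
    to this session. Direct requests for real paths are refused as well, so the
    only way in is through a link the server handed out."""
    if not path.startswith("/r/"):
        return None
    return urlmap.resolve(session_id, path[len("/r/"):])


def extract_tokens(html: str):
    """Helper for inspection: the tokens present in a rewritten page."""
    return re.findall(r'href="/r/([^"]+)"', html)


if __name__ == "__main__":
    urlmap = OpaqueUrlMap()
    # Constructed page with two consecutive archive links.
    page = '<a href="/vault/1923-03-03/1">p1</a> <a href="/vault/1923-03-03/2">p2</a>'
    sent = rewrite_outbound(page, "session-A", urlmap)
    print(sent)
    first = extract_tokens(sent)[0]
    print(handle_inbound(f"/r/{first}", "session-A", urlmap))  # real path
    print(handle_inbound(f"/r/{first}", "session-B", urlmap))  # None
```

Opaque references stop guessing, but they are not authorisation: the server must still check that the session is entitled to the resolved resource, otherwise a user who is legitimately shown one link is simply limited to what that page links to.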

Securing your web application need not be difficult. The Barracuda Web Application Firewall exists to secure your web applications easily and provide you with peace of mind. Once you deploy the Barracuda Web Application Firewall in front of your web application, it is trivially easy to set up an HTTPS front end and enable complete application security. The Barracuda Web Application Firewall provides complete security against all web attacks, including DDoS and web scraping. We offer several deployment options, including physical and virtual appliances, and Azure, AWS, and vCloud Air. Try it in your environment for 30 days, risk-free.

Earlier this year we announced the release of the Barracuda Vulnerability Manager. This is a tool that is used to assess vulnerabilities in websites and applications, and is easily integrated with the Barracuda Web Application Firewall. It is available to Barracuda customers and authorized resellers at no cost for a limited time. Try it today via Barracuda Cloud Control.

Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.
