Online Buzz

Security Breach of Tumblr’s 65 Million users, WordPress website at risk and OpenSSL flaws


Security experts are busy for the last couple of days patching these new security breach at WordPress, OpenSSL, Reddit, Tumbler and other social media websites.

The data breach disclosed earlier this month by the Yahoo-owned microblogging platform Tumblr affects 65 million users.

On May 12, Tumblr warned that a third party gained access to the email addresses and hashed passwords of Tumblr users who had registered accounts up until early 2013, before the company was acquired by Yahoo. Tumblr said it had not found any evidence that the leaked information was used to access accounts, but it reset the passwords of affected customers as a precaution.

Tumblr refused to say how many users had been affected by the breach, but it turns out that it’s a significant number. An individual using the online moniker “peace_of_mind” has been offering information associated with 50 million Tumblr accounts on a darknet website called “The Real Deal” for the price of 0.4255 Bitcoin (roughly $225).

Australian security researcher Troy Hunt has analyzed the data and found a total of 65,469,298 records. The information has been added to Hunt’s “Have I Been Pwned” service to allow users to check if they are affected. Hunt reported that 20 percent of the accounts were already present in Have I Been Pwned.

continue reading: http://www.securityweek.com/65-million-users-affected-tumblr-breach

Owners of WordPress-based websites should update the Jetpack plug-in as soon as possible because of a serious flaw that could expose their users to attacks.

Jetpack is a popular plug-in that offers free website optimization, management and security features. It was developed by Automattic, the company behind WordPress.com and the WordPress open-source project, and has over 1 million active installations.

Researchers from Web security firm Sucuri have found a stored cross-site scripting (XSS) vulnerability that affects all Jetpack releases since 2012, starting with version 2.0.

The issue is located in the Shortcode Embeds Jetpack module which allows users to embed external videos, images, documents, tweets and other resources into their content. It can be easily exploited to inject malicious JavaScript code into comments.

continue reading: Computer World

An OpenSSL vulnerability patched in early May with the release of versions 1.0.2h and 1.0.1t still hasn’t been patched on many of the world’s most visited websites, exposing potentially sensitive traffic to man-in-the-middle (MitM) attacks.

Last week, security firm High-Tech Bridge used its free SSL/TLS testing service to determine how many of the Alexa Top 10,000 websites are still plagued by the OpenSSL vulnerability tracked as CVE-2016-2107.

The flaw was introduced in 2013 as part of the fix for the TLS attack dubbed “Lucky 13.” In April, Juraj Somorovsky discovered that an MitM attacker can launch a padding oracle attack to decrypt traffic in cases where the connection uses an AES CBC cipher and the server supports AES-NI instructions.

“The bad news is that support of the AES CBC cipher is widely recommended for compatibility reasons, required by TLS 1.2 RFC and recommended by NIST guidelines. AES CBC cipher is also considered the strongest cipher for TLS 1.0 and TLS 1.1,” the security firm said in a blog post.

continue reading: http://www.securityweek.com/recently-patched-openssl-flaw-still-plagues-top-sites

Reddit co-founder Christopher Slowe announced yesterday that his company had to take precautionary measures and ask 100,000 users to reset their passwords after its security team detected a growing number of account hijackings.

Slowe blames this on the recent wave of data breaches, such as the massive LinkedIn 2012 incident, only recently discovered in full, which, at the time of writing his post, was the biggest data breach ever, with 167 million leaked records. The MySpace data breach announced only a few hours ago has now taken the crown, with 427 million leaked user details.
Read more: http://news.softpedia.com/news/reddit-resets-passwords-for-100-000-users-after-recent-surge-in-hacked-accounts-504584.shtml#ixzz4AL0M3GHa

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s