Hey all,
Here are this week’s cyber updates.
(1) I’m pretty sure most of you are aware of Google Chrome’s (as well as other browsers’) autofill feature. This feature allows Chrome to automatically fill in your personal information on websites in order to speed up registration processes.
What most of you don’t know is that hidden fields are auto-filled, and thus submitted to the website’s owner. This allows the website to collect personal information without the user’s consent.
Here is a link to a PoC website: https://anttiviljami.github.io/browser-autofill-phishing/
If you didn’t understand this one, please let me know and I’ll send you a link to another website with an example of stealing your credit card info.
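As an added example, not the mail’s own code or the PoC page’s, here is a small Python audit that parses a form and flags autofill-eligible fields a visitor would never see, the kind of field item (1) describes. The sample form and the inline-CSS visibility heuristics are constructed for illustration and do not reproduce any browser’s actual autofill rules.

```python
import re
from html.parser import HTMLParser

# autocomplete tokens / field names a browser typically fills from a saved profile
AUTOFILL_TOKENS = {"name", "email", "tel", "phone", "address", "postal-code",
                   "cc-number", "cc-exp", "cc-csc", "organization"}
# inline-CSS tricks commonly used to keep a field out of sight (constructed heuristic)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                        r"|opacity\s*:\s*0(?![.\d])|(?:left|top)\s*:\s*-\d+")
VOID = {"input", "br", "img", "meta", "link", "hr"}  # elements that have no end tag

class AutofillAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []        # one bool per open element: hidden by inline CSS?
        self.hidden_depth = 0  # how many open ancestors of the current tag are hidden
        self.findings = []     # autofill tokens of fields that are filled but never seen

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDDEN_CSS.search((a.get("style") or "").lower()))
        if tag in ("input", "select", "textarea"):
            token = (a.get("autocomplete") or a.get("name") or "").lower()
            invisible = hidden_here or self.hidden_depth > 0 or a.get("type") == "hidden"
            # flag only fields that are both autofill-eligible and not visible;
            # an ordinary hidden CSRF token has no autofill token and is left alone
            if invisible and any(t in token for t in AUTOFILL_TOKENS):
                self.findings.append(token)
        if tag not in VOID:
            self.stack.append(hidden_here)
            self.hidden_depth += hidden_here

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.hidden_depth -= self.stack.pop()

def audit_form(html):
    p = AutofillAuditor()
    p.feed(html)
    p.close()
    return p.findings

# constructed sample: two visible fields, three hidden autofill fields, one legitimate hidden token
SAMPLE_FORM = """<form action="/subscribe" method="post">
  <label>Name <input name="name" autocomplete="name"></label>
  <label>Email <input name="email" autocomplete="email"></label>
  <div style="display:none"><input autocomplete="tel"><input autocomplete="street-address"></div>
  <input autocomplete="cc-number" style="position:absolute; left:-9999px">
  <input type="hidden" name="csrf_token" value="constructed-token">
</form>"""

if __name__ == "__main__":
    print(audit_form(SAMPLE_FORM))  # ['tel', 'street-address', 'cc-number']
```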
(2) Cellebrite, the Israel-based company that allegedly helped the FBI to hack the iPhone, was hacked.
The my.Cellebrite database has been hacked, allowing the hackers to extract over 900GB of customers’ data.
(3) The Brazilian government has accidentally tweeted a link to a Google Drive Excel spreadsheet, which contained a list of plain text passwords for social media accounts (Facebook, Gmail, Twitter, Instagram and more).
It appears as if the tweet accidentally contained a copy-pasted link to the spreadsheet instead of the intended URL.
They really should be more careful with their tweets, but more than that, I couldn’t help but wonder why they didn’t enforce any permissions on Google Drive…
Here are all the details: https://www.hackread.com/brazilian-govt-twitter-posts-social-media-passwords/
Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit