Twitter bug may have been exploited by state-sponsored hackers

A flaw in Twitter support forum API may have been exploited by state-sponsored hackers. Meanwhile, other hackers embedded code in memes posted on Twitter to give infected PCs instructions.

Twitter admitted to a bug in one of its support forum APIs that allowed cyber thugs to discover the country code of the phone number tied to a Twitter user’s account, and whether the account had been locked. It’s possible, Twitter said, that this activity might be tied to state-sponsored attacks.

During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors.

Twitter detected the attack on Nov. 15 and resolved the issue a day later on Nov. 16.

Other cybersecurity news:

Hackers hid code in memes posted on Twitter to communicate with malware

Speaking of Twitter, Trend Micro researchers discovered that cyber thugs hid code in memes posted to Twitter to communicate with malware. Malware-infected PCs took instructions from an embedded command in the meme. For example, the “print” command was hidden inside the memes, which enabled “the malware to take screenshots of the infected machines. The screenshots are sent to a C&C server whose address is obtained through a hard-coded URL on pastebin.com.” The malware had support for retrieving a list of running processes, capturing clipboard content, and retrieving usernames and filenames from infected machines.

While the malware was not downloaded from Twitter, Trend Micro said the threat is notable due to the malware’s commands coming from benign-looking, yet malicious, memes posted on a legitimate service — which also happens to be a popular social networking platform. It couldn’t be taken down until the malicious Twitter account was disabled. Twitter disabled the account on Dec. 13.  

Pay $4,000 in Bitcoin, or a hitman is coming for you

As if the fake bomb threat extortion emails, which morphed into a “pay up or acid will be thrown on you” extortion scheme, weren’t bad enough, now there’s a hitman extortion email going around that demands victims pay $4,000 in Bitcoin to call off a hitman coming for them.

PewDiePie printer hackers strike again

PewDiePie printer hackers are at it again, causing printers to spew out a plea to subscribe to PewDiePie’s YouTube channel, as well as warning victims to up their printer security before it leads to physical damage or attackers capture sensitive documents as they are printed. The latest printer hack message, according to the hackers behind it, has been printed on more than 100,000 printers.

While some people think the hack is “cool,” security researcher Ankit Anubhav pointed out:

WordPress flaw could allow attackers to access admin features

Another day, another WordPress flaw. RIPS Tech revealed a logic flaw in the way WordPress created blog posts that could allow attackers to access features only administrators were supposed to have. The summary states:

Attackers with a user role as low as a contributor, the second lowest role in WordPress, can create posts of post types they usually should not have access to. This gives attackers access to features that were intended for administrators only. We have identified 2 vulnerabilities in WordPress’s Top 5 Popular plugins so far. We estimate that thousands of plugins are potentially vulnerable. Furthermore, a Stored XSS and Object Injection was identified in one of WordPress’s internal post types. The Stored XSS can be triggered via a click-jacking attack. Once the JavaScript is executed, a full site takeover is possible.

Logitech Options update after Google Project Zero’s public disclosure

After Google Project Zero’s Tavis Ormandy publicly disclosed a flaw in Logitech’s Options app for Windows that could potentially allow hackers to send arbitrary keystrokes to take control of a Windows box, Logitech released an update for the Windows and Mac versions. You might want to grab that fix if you use the app.

MAC-address-gobbling security robot in LA mall

While bragging about the cutting-edge tech of a security robot to patrol The Bloc, a mall in Los Angeles, the mall’s general manager said, “It’s picking up video footage. It’s picking up MAC addresses. So, it’s able to pick up a lot of information that humans just aren’t capable of. You want to ask when they’re here? I forgot to turn it off!”

A personality trait that puts you at risk for cyber crime

Impulse shopping, downloading music, and compulsive email use are signs of a low self-control personality trait. And that trait, Michigan State University researchers say, puts you at risk of falling victim to cyber crime involving Trojans, viruses, and malware.

“People who show signs of low self-control are the ones we found more susceptible to malware attacks,” said Tomas Holt, professor of criminal justice and lead author of the research. “An individual’s characteristics are critical in studying how cybercrime perseveres, particularly the person's impulsiveness and the activities that they engage in while online that have the greatest impact on their risk.”

Copyright © 2018 IDG Communications, Inc.
