Jun 13 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that HATES phishing but LOVES fishing. Only catch and release, mind. Like the Scottish police with Nicola Sturgeon 😂
Today’s hottest cyber security stories:
Honda: Password reset hack discovered on ecommerce site. Dw, it’s friendly fire
Porn-lovers rejoice! Updates mean Safari Private Browsing is stealthier than ever
Manchester Uni suffers cyberattack. Data copied in suspected ransomware
A recent report reveals that security vulnerabilities were found in Honda's e-commerce platform, posing a risk of unauthorised access to sensitive dealer information.
According to security researcher Eaton Zveare, broken or missing access controls allowed unrestricted data access on the platform, even when logged in as a test account.
It's important to note that this issue specifically affects Honda's e-commerce platform for power equipment, marine, and lawn and garden businesses, and does not impact their automobile division.
The attack exploits a flaw in the password reset mechanism of Honda's Power Equipment Tech Express (PETE) site.
By submitting a password reset request with only a username or email address, and without the password associated with that account, any user can gain full admin-level access.
This vulnerability arises from the platform's API, which permits password reset requests without proper authentication.
With this exploit, a malicious actor could hijack another user's account and then take advantage of the sequential dealer IDs used in the dealer site URLs.
By incrementing the identification number in the URL (e.g., "admin.pedealer.honda[.]com/dealersite//dashboard"), they could gain unauthorised access to other dealers' admin dashboards.
Eaton Zveare explains that this flaw allowed access to the data of all dealers simply by incrementing the ID, bypassing the need for further password resets.
Moreover, the design flaw not only provided access to a dealer's customers but also enabled the modification of their website and product information.
The most concerning consequence was the potential to escalate privileges and gain administrator-level control over the entire platform, a feature typically limited to Honda employees.
This privilege elevation could be achieved by sending a carefully crafted request to view details of the dealer network.
It is crucial for Honda to address these security vulnerabilities promptly to safeguard sensitive dealer information and prevent unauthorised access to the platform.
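The two access-control failures described above, missing object-level authorisation on the dealer dashboard and a platform-wide view that is not gated on role, are easiest to see side by side in code. This is an added illustration in a minimal in-memory model, not Honda's code or the researcher's; the roles, dealer IDs and data are constructed.

```python
# Added illustration (not Honda's code, not from the article): a toy dealer portal
# showing the mistake described above (any authenticated session can open any
# dealer's dashboard by changing the ID) next to the check that closes it.
# All names, roles, IDs and data are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    dealer_id: int   # the single dealer this user belongs to (0 = none)
    role: str        # "dealer" or "platform_admin" (constructed roles)


# Constructed sample data: sequential dealer IDs, like the URLs the article mentions.
DEALERS = {1001: "Dealer A (private data)", 1002: "Dealer B (private data)"}


def dashboard_vulnerable(session, dealer_id):
    """Broken access control: being authenticated is treated as being authorised."""
    if session is None:
        raise PermissionError("login required")
    return DEALERS[dealer_id]   # never checks that dealer_id belongs to the caller


def dashboard_hardened(session, dealer_id):
    """Object-level authorisation: caller must own the dealer or hold a platform role."""
    if session is None:
        raise PermissionError("login required")
    owns_it = session.dealer_id == dealer_id
    if dealer_id not in DEALERS or (session.role != "platform_admin" and not owns_it):
        # One indistinguishable error for "not yours" and "does not exist".
        raise PermissionError("forbidden")
    return DEALERS[dealer_id]


def dealer_network_hardened(session):
    """The platform-wide view is gated on the caller's role, not on request shape."""
    if session is None or session.role != "platform_admin":
        raise PermissionError("forbidden")
    return sorted(DEALERS)


def readable_dashboards(session, handler):
    """Count how many dealer dashboards one session can open (used to verify the fix)."""
    count = 0
    for dealer_id in DEALERS:
        try:
            handler(session, dealer_id)
            count += 1
        except PermissionError:
            pass
    return count
```

A regression test that asserts a dealer session can read exactly one dashboard, and a non-admin cannot list the dealer network, is the cheapest way to keep this class of bug from returning.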
Apple is set to introduce significant enhancements to Safari Private Browsing, aiming to provide users with improved protection against third-party trackers during their web browsing sessions.
According to the iPhone manufacturer, the updates include advanced measures to combat tracking and fingerprinting techniques employed by websites to identify or monitor a user's device. These measures go the extra mile in safeguarding user privacy.
In addition, Private Browsing will now automatically lock when inactive, allowing users to keep their tabs open even when they step away from their device.
Apple showcased these privacy improvements during its annual Worldwide Developers Conference (WWDC) and plans to incorporate them into iOS 17, iPadOS 17, and macOS Sonoma later this year, benefiting a wide range of users.
One notable change involves Link Tracking Protection, which will be implemented in Mail, Messages, and Safari's private mode. This feature will remove tracking parameters present in URLs, as such parameters are often employed to gather information about users' clicks and online activities.
Apple's Craig Federighi expressed his enthusiasm about Safari's privacy advancements, stating that the browser has been a pioneer in private browsing and has consistently delivered numerous privacy and security features.
He described this year's improvements as a remarkable achievement, acknowledging the internet as a major threat to privacy.
Furthermore, iOS will introduce a new embedded Photos picker, allowing users to share specific photos with other apps while keeping the rest of their photo library private, reinforcing the focus on user privacy.
Apple's ongoing commitment to privacy and security is evident in these updates, empowering users with greater control over their online activities and personal data.
The University of Manchester, one of the largest universities in the UK by enrolment, announced on Friday that it had experienced a cyber incident, leading to unauthorised access to its systems and the potential copying of data.
In an official notice to students, the university expressed its understanding of the concern this incident may cause within the community and extended its apologies for the situation.
The university's internal team, in collaboration with an external support company whose identity remains undisclosed, is currently working to determine the extent of the data accessed.
As they gather more information, the university has assured students that they will be promptly informed.
In an FAQ section addressing the incident, the university disclosed that the unauthorised access was discovered earlier in the week.
The university has verified that certain systems were compromised, emphasising that data is likely to have been copied by the unauthorised party.
So long and thanks for reading all the phish!