Twin Google flaws allowed researcher to get from YouTube ID to Gmail address in a few easy steps
Infosec In Brief
A security researcher has found that Google could leak the email addresses of YouTube channels, which wasn’t good because the search and ads giant promised not to do that.
A security researcher who goes by Brutecat last week explained he found two vulnerabilities that, when chained, make it possible to sniff out the email addresses, despite Google’s promises of privacy.
It all started when Brutecat was digging through Google’s People API and found out that a function that allows blocking a YouTube user relied on an obfuscated “Gaia” ID. Gaia is the ID management system for all Google products. Brutecat pointed out that, per a Google support page, blocking someone on YouTube extends to other Google services, meaning it’s their Gaia ID that’s blocked, not their YouTube account.
“In the past, there’s been several bugs to resolve [Gaia IDs] to an email address, so I was confident there was still a Gaia ID to Email in some old obscure Google product,” Brutecat wrote.
The researcher was right: he found just such a link in the web version of Pixel Recorder, an audio recording app for Google Pixel devices.
By sharing a recording from the web version of Pixel Recorder to a Gaia ID and examining the web request, the target’s email was exposed. Normally, this action would trigger a share notification to the target, but Brutecat bypassed it by running a Python script that assigned an extremely long filename (about 2.5 million characters), causing the notification to fail.
Brutecat submitted the matter for a Google bug bounty, and at first was told it was worth $3,133. After some additional thinking on the matter, Google decided it had a high likelihood of exploitation, and awarded an additional $7,500.
Google fixed the flaws that made this possible.
Critical vuln of the week: FortiOS follies
Last week’s Patch Tuesday means most nasty bugs have already been revealed, so the worst of the rest is a CVSS 8.0 vulnerability in Fortinet’s FortiOS (CVE-2024-40591) spotted by one of the firm’s own employees. This flaw allows an authenticated administrator with Security Fabric permissions to escalate their privileges to super-admin.
According to Fortinet, exploitation requires connecting the targeted FortiGate system to another FortiGate controlled by the attacker.
While successful exploitation requires specific conditions, this one looks like a strong candidate for attention in your next change window.
Release the data, Kraken, says Cisco; See if we care
The Kraken ransomware gang last week claimed to have hit Cisco, reportedly leaking a bundle of sensitive data, including privileged administrator account credentials, Switchzilla’s Kerberos ticket system, and more.
The networking giant said the leak is nothing to panic about.
“Cisco is aware of certain reports regarding a security incident,” a company spokesperson told The Register. “The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time.”
DOGE geniuses build wonky website
Elon Musk’s code crusaders in the Department of Government Efficiency (DOGE) hastily spun up a website last week after Musk claimed his team was being transparent.
It’s not a great site.
Questionable design choices aside, doge.gov appears to have been built using the Cloudflare Pages website-building platform connected to a database that, according to a pair of web developers who talked to 404 Media, anyone can write to and then see their changes appear on the website.
By examining the API endpoints of the database, one of the developers was able to post changes to the site mocking the expertise of its builders and disparaging its design. Both said that it appeared the site wasn’t even running on government servers and was instead hosted by Cloudflare.
Zacks attack: Data on 12M users posted online
Customers of Zacks Investment Research, take note: If you were a customer prior to June, 2024, there’s a good possibility your data is now available online.
Have I Been Pwned added Zacks to its listing – for the second time in recent years – this week after an attacker published information covering 12 million unique email addresses on a hacking forum. Along with the email accounts, the leak included IP and physical addresses, names, usernames, phone numbers, and unsalted SHA-256 password hashes. The breach in which the data was stolen reportedly took place in June, 2024.
The threat actor reportedly gained access to Zacks’ files via an Active Directory administrator account and used it to steal source code from a number of sites owned by the company.
Zacks hasn’t confirmed the incident to anyone who has asked, but suffice it to say, it’s probably not a bad idea to change your password if you’re a Zacks customer.
FBI pats itself on back for stopping cryptocurrency scams
The FBI last week claimed a year-long operation has seen it prevent over 4,300 folk across the US from falling prey to cryptocurrency investment scams, saving them more than $285 million.
Seventy-six percent of the crypto scam victims that “Operation Level Up” intervened to rescue were unaware they were being ripped off, the FBI said last week. The scams it’s working to stop frequently involve “unsolicited online contact, a long period of trust building, fake investment opportunities, and a false sense of urgency,” the bureau explained.
That’s the way pig butchering schemes operate.
The FBI won’t say how it identified potential victims, only mentioning the use of “sophisticated techniques” that are able to identify people “actively being defrauded.” Once the investigators contact a fraud target, they reportedly educate them about how such scams work in the hope they won’t be fooled again.
“Unfortunately, we continue to see these scams grow and evolve every day,” said FBI CID assistant director Chad Yarbrough. “It doesn’t matter where the subjects are—we will use every tool at our disposal to stop them from targeting U.S. citizens.” ®