The Hacker News — Cyber Security, Hacking, Technology News

Not just Facebook, a new vulnerability discovered in Linkedin's popular AutoFill functionality found leaking its users' sensitive information to third party websites without the user even knowing about it.

LinkedIn provides an AutoFill plugin for a long time that other websites can use to let LinkedIn users quickly fill in profile data, including their full name, phone number, email address, ZIP code, company and job title, with a single click.

In general, the AutoFill button only works on specifically "whitelisted websites," but 18-year-old security researcher Jack Cable of Lightning Security said it is not just the case.

Cable discovered that the feature was plagued with a simple yet important security vulnerability that potentially enabled any website (scrapers) secretly harvest user profile data and the user would not even realize of the event.

A legitimate website would likely place a AutoFill button near the fields the button can fill, but according to Cable, an attacker could secretly use the AutoFill feature on his website by changing its properties to spread the button across the entire web page and then make it invisible.

Since the AutoFill button is invisible, users clicking anywhere on the website would trigger AutoFill, eventually sending all of their public as well as private data requested to the malicious website, Cable explains.

Here's How attackers can exploit the LinkedIn Flaw:

• User visits the malicious website, which loads the LinkedIn AutoFill button iframe.
• The iframe is styled in a way that it takes up the entire page and is invisible to the user.
• The user then clicks anywhere on that page, and LinkedIn interprets this as the AutoFill button being pressed and sends the users' data via postMessage to the malicious site.

Cable discovered the vulnerability on April 9th and immediately disclosed it to LinkedIn. The company issued a temporary fix the next day without informing the public of the issue.

The fix only restricted the use of LinkedIn's AutoFill feature to whitelisted websites only who pay LinkedIn to host their advertisements, but Cable argued that the patch was incomplete and still left the feature open to abuse as whitelisted sites still could have collected user data.

Besides this, if any of the sites whitelisted by LinkedIn gets compromised, the AutoFill feature could be abused to send the collected data to malicious third-parties.

To demonstrate the issue, Cable also built a proof-of-concept test page, which shows how a website can grab your first and last name, email address, employer, and location.

Since a complete fix for the vulnerability was rolled out by LinkedIn on April 19, the above demo page might not work for you now.

"We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases, and it will be in place shortly," the company said in a statement. 

"While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsible reporting this, and our security team will continue to stay in touch with them."

Although the vulnerability is not at all a sophisticated or critical one, given the recent Cambridge Analytica scandal wherein data of over 87 million Facebook users was exposed, such security loopholes can pose a serious threat not only to the customers but also the company itself.

The British teenager who managed to hack into the online accounts of several high-profile US government employees sentenced to two years in prison on Friday.

Kane Gamble, now 18, hacked into email accounts of former CIA director John Brennan, former Director of National Intelligence James Clapper, former FBI Deputy Director Mark Giuliano, and other senior FBI officials—all from his parent's home in Leicestershire.

Gamble, who went by the online alias Cracka, was just 15 at the time of carrying out those attacks and was the alleged founder of a hacking group calling themselves Crackas With Attitude (CWA).

The notorious pro-Palestinian hacking group carried out a series of embarrassing attacks against U.S. intelligence officials and leaked personal details of 20,000 FBI agents, 9,000 officers from Department of Homeland Security, and some number of DoJ staffers in 2015.

The teenager was arrested in February 2016 at his home in Coalville and pleaded guilty to 8 charges last October of "performing a function with intent to secure unauthorised access" and 2 charges of "unauthorised modification of computer material."

On Friday afternoon in the Old Bailey central criminal court in London, Gamble was finally sentenced after his first sentencing hearing in January was postponed, and the judge ruled that he'll have to serve 2 years at a youth detention center, BBC reported.

While Gamble's defence said he was "naive" and never meant to "harm" any individuals during the court hearing, the judge said he carried out "an extremely nasty campaign of politically-motivated cyber terrorism."

Between June 2015 and February 2016, Gamble posed as Brennan and tricked call center and helpline staff into giving away broadband and cable passwords, using which his team also gained access to extremely sensitive documents for intelligence operations in Afghanistan and Iran.

Besides hacking into their networks, Gamble also taunted his victims and their families, bombarded them with calls and messages, released their personal details, downloaded and installed porn onto their computers and took control of their iPads and TV screens.

Gamble even made hoax calls to Brennan's home and took control of his wife's iPad. At one point, he also sent DHS secretary Johnson a photograph of his daughter and said he would f*** her.

Gamble also phoned Mr. Johnson's wife, leaving a disturbing voicemail message which said: "Hi Spooky, am I scaring you?," and even managed to display the message "I own you" on the couple's home television.

Gamble said he targeted the US government because he was "getting more and more annoyed about how corrupt and cold-blooded the US Government" was and "decided to do something about it."

According to previous reports, Gamble is suffering from an autistic spectrum disorder, and at the time of his offending, he had the mental development of a 12 or 13-year-old.

Gamble's defence had argued court on Friday for a suspended sentence, so he can sit his GCSEs in June and read computer science studies at university to pursue a "useful" career.

Two other members of Crackas With Attitude—Andrew Otto Boggs and Justin Gray Liverman—were arrested by FBI in September 2016 and had already been sentenced to two and five years in federal prison respectively.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

If you have installed any of the below-mentioned Ad blocker extension in your Chrome browser, you could have been hacked.

A security researcher has spotted five malicious ad blockers extension in the Google Chrome Store that had already been installed by at least 20 million users.

Unfortunately, malicious browser extensions are nothing new. They often have access to everything you do online and could allow its creators to steal any information victims enter into any website they visit, including passwords, web browsing history and credit card details.

Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers.

Creators of these extensions also used popular keywords in their names and descriptions to rank top in the search results, increasing the possibility of getting more users to download them.

"All the extensions I've highlighted are simple rip-offs with a few lines of code and some analytics code added by the authors," Meshkov says.

After Meshkov reported his findings to Google on Tuesday, the tech giant immediately removed all of the following mentioned malicious ad blockers extension from its Chrome Store:

• AdRemover for Google Chrome™ (10 million+ users)
• uBlock Plus (8 million+ users)
• [Fake] Adblock Pro (2 million+ users)
• HD for YouTube™ (400,000+ users)
• Webutation (30,000+ users)

Also Read: Someone Hijacks A Popular Chrome Extension to Push Malware

The malicious extension then receives commands from the remote server, which are executed in the extension 'background page' and can change your browser's behavior in any way.

To avoid detection, these commands send by the remote server are hidden inside a harmless-looking image.

"These commands are scripts which are then executed in the privileged context (extension's background page) and can change your browser behavior in any way," Meshkov says.

"Basically, this is a botnet composed of browsers infected with the fake Adblock extensions," Meshkov says. "The browser will do whatever the command center server owner orders it to do."

The researcher also analyzed other extensions on the Chrome Store and found four more extensions using similar tactics.

Also Read: Malicious Chrome Extension Hijacks CryptoCurrencies and Wallets

Since browser extension takes permission to access to all the web pages you visit, it can do practically anything.

So, you are advised to install as few extensions as possible and only from companies you trust.

How to become a Professional Hacker? This is one of the most frequently asked queries we came across on a daily basis.

Do you also want to learn real-world hacking techniques but don’t know where to start? This week's THN deal is for you.

Today THN Deal Store has announced a new Super-Sized Ethical Hacking Bundle that let you get started your career in hacking and penetration testing regardless of your experience level.

The goal of this online training course is to help you master an ethical hacking and penetration testing methodology.

This 76 hours of the Super-Sized Ethical Hacking Bundle usually cost $1,080, but you can exclusively get this 9-in-1 online training course for just $43 (after 96% discount) at the THN Deals Store.

9-in-1 Online Hacking Courses: What's Included in this Package?

The Super-Sized Ethical Hacking Bundle will provide you access to the following nine online courses that would help you secure your network and become a certified pentester:

1. Bug Bounty: Web Hacking

Hackers breaching a system or network of a company could end up in jail, but legally hacking and responsibly reporting it to the respective company could help you earn a good amount.

Even Google and Facebook paid out $6 Million and $5 Million respectively last year to hackers and bug hunters for discovering and reporting vulnerabilities in their web services as part of their bug bounty programs.

This course will help you explore types of vulnerabilities such as SQL, XSS, and CSRF injection and how you can use them to legally hack major brands like Facebook, Google, and PayPal and get paid.

2. CompTIA Security + Exam Preparation

If you are a beginner and you want to try your hands and make a career in the cyber world, then you need a good certification.

Beginning with basic security fundamentals, threats and vulnerabilities, this course will help you walk through more advanced topics, providing you with the knowledge you need to pass the globally-recognized CompTIA Security+ certification exam in one go.

3. Ethical Hacking Using Kali Linux From A to Z

Kali Linux is always one of the most modern ethical hacking tools and a favourite tool of hackers and cyber security professionals.

This course offers you with the knowledge about Kali Linux – one of the popular operating systems that come with over 300 tools for penetration testing, forensics, hacking and reverse engineering – and practising different types of attacks using its hacking capabilities.

4. Ethical Hacking From Scratch to Advanced Techniques

Since every single day a company is getting hacked and having its website shut down or customers' data compromised, ethical hackers are in demand. If you want to take steps closer to a new career in ethical hacking, this course is for you.

This course will help you learn how to bypass different security layers, break into networks, compromise computers, crack passwords, crash systems, and compromise apps, emails, social media accounts, and then evaluate their security, and propose solutions.

5. Learn Social Engineering From Scratch

Social engineering has been the primary cause of most high profile cyber-attacks in recent years. The impact of it on an organisation could result in economic loss, loss of Privacy, temporary or permanent Closure, loss of goodwill and Lawsuits and Arbitrations.

This course will help you learn how to hack into all major operating systems, including Windows, macOS, and Linux, use social engineering to deliver Trojans to a target, and interact with the compromised systems, as well as protect your company from such attacks.

6. Learn Website Hacking and Penetration Testing From Scratch

To protect your websites and infrastructure from getting hacked by hackers, you first need to think like a hacker.

This course will help you learn how to hack websites and applications by carrying out different cyber attacks against it as a black hat hacker but fix those holes that allowed you to hack them like a white hat.

7. Hands on, Interactive Penetration Testing & Ethical Hacking

This course will teach you, in real time, each stage of a penetration testing environment so that you can tweak and test your skills.

You will also learn how to use Rapid 7's Metasploit to exploit targets and run post exploitation techniques, utilise PowerShell with Empire, and evade anti-virus software from major vendors.

8. Complete WiFi and Network Ethical Hacking Course 2017

WiFi hacking is an all time hot topic among hackers as well as penetration testers.

This online Wi-Fi and Network Ethical Hacking course are structured in a way to provide you with an in-depth, hands-on, comprehensive information on Wi-Fi hacking and its security to protect it from any cyber attack.

By the end of this course, regardless of experience, you will be able to break all types of WiFi encryption methods and ready to start pursuing your career in network security.

9. Cyber Security Volume I: Hackers Exposed

Internet security has never been as important as it is today with more information than ever being handled digitally around the globe, government conducting mass surveillance, and hackers stealing sensitive data from the ill-equipped networks, websites, and PCs.

This course will walk you through basics of hacking to an understanding of the threat and vulnerability landscape, build a foundation to expand your security knowledge, and protect yourself and others.

Join All Online Training Courses For Just $43

All these impressive courses come in a single bundle — The Super-Sized Ethical Hacking Bundle — that costs you just $43 (after 96% discount on $1,080) at the THN Deals Store.


So, what you are waiting for? Sign up and grab the exclusive discounted deal NOW!

A new job opening post on Facebook suggests that the social network is forming a team to build its own hardware chips, joining other tech titans like Google, Apple, and Amazon in becoming more self-reliant.

According to the post, Facebook is looking for an expert in ASIC and FPGA—two custom silicon designs to help it evaluate, develop and drive next-generation technologies within Facebook—particularly in artificial intelligence and machine learning.

The social media company is seeking to hire an expert who can "an end-to-end SoC/ASIC, firmware and driver development organization, including all aspects of front-end and back-end standard cell ASIC development," reads the job listing on Facebook's corporate website.

SoC (system-on-a-chip) is a processor typically used in mobile devices with all the components required to power a device, while ASIC (application-specific integrated circuit) is a customized piece of silicon designed for a narrow purpose that companies can gear toward something specific, like mining cryptocurrency.

FPGA (field programmable gate array) is an adaptable chip designed to be a more flexible and modular design that can be tuned to speed up specific jobs by running a particular piece of software.

First reported by Bloomberg, building its own processors would help the social media giant reduce dependency on companies such as Qualcomm and Intel, who hold the lion's share of the processor market.

Reportedly Apple, who already makes its own A-series custom chips for iPhones, iPads and other iThings, has planned to use its custom-designed ARM chips in Mac computers starting as early as 2020, replacing the Intel processors running on its desktop and laptop hardware.

Google has also developed its own artificial intelligence chip, and Amazon is reportedly designing its custom hardware to improve Alexa-equipped devices.

The plan to invest in building its own processors could help Facebook to power its artificial intelligence software, servers in its data centers, as well as its future hardware devices, like Oculus virtual reality headsets and smart speakers (similar to Amazon Echo and Google Home).

Using its custom chips would also allow the social media company to gain more control over its own hardware roadmap better and eventual feature set to offer better performance to its users.

Facebook has not commented on the news yet, so at this time, it is hard to say where the company will deploy its in-house chips.