#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Data Leak | Breaking Cybersecurity News | The Hacker News

4-Year-Old Bug in Azure App Service Exposed Hundreds of Source Code Repositories

4-Year-Old Bug in Azure App Service Exposed Hundreds of Source Code Repositories

Dec 23, 2021
A security flaw has been unearthed in Microsoft's Azure App Service that resulted in the exposure of source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years since September 2017. The vulnerability, codenamed " NotLegit ," was reported to the tech giant by Wiz researchers on October 7, 2021, following which mitigations have been undertaken to fix the information disclosure bug in November. Microsoft  said  a "limited subset of customers" are at risk, adding "Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers." The  Azure App Service  (aka Azure Web Apps) is a cloud computing-based platform for building and hosting web applications. It allows users to deploy source code and artifacts to the service using a local  Git  repository, or via repositories hosted on GitHub and Bitbucket. The insecure default be
Twitch Suffers Massive 125GB Data and Source Code Leak Due to Server Misconfiguration

Twitch Suffers Massive 125GB Data and Source Code Leak Due to Server Misconfiguration

Oct 07, 2021
Interactive livestreaming platform Twitch  acknowledged  a "breach" after an anonymous poster on the 4chan messaging board leaked its source code, an unreleased Steam competitor from Amazon Game Studios, details of creator payouts , proprietary software development kits, and other internal tools. The Amazon-owned service said it's "working with urgency to understand the extent of this," adding the data was exposed "due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party." "At this time, we have no indication that login credentials have been exposed," Twitch  noted  in a post published late Wednesday. "Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed." The forum user claimed the hack is designed to "foster more disruption and competition in the online video streaming space" because "their communi
SaaS Compliance through the NIST Cybersecurity Framework

SaaS Compliance through the NIST Cybersecurity Framework

Feb 20, 2024Cybersecurity Framework / SaaS Security
The US National Institute of Standards and Technology (NIST) cybersecurity framework is one of the world's most important guidelines for securing networks. It can be applied to any number of applications, including SaaS.  One of the challenges facing those tasked with securing SaaS applications is the different settings found in each application. It makes it difficult to develop a configuration policy that will apply to an HR app that manages employees, a marketing app that manages content, and an R&D app that manages software versions, all while aligning with NIST compliance standards.  However, there are several settings that can be applied to nearly every app in the SaaS stack. In this article, we'll explore some universal configurations, explain why they are important, and guide you in setting them in a way that improves your SaaS apps' security posture.  Start with Admins Role-based access control (RBAC) is a key to NIST adherence and should be applied to every SaaS a
Microsoft Exchange Bug Exposes ~100,000 Windows Domain Credentials

Microsoft Exchange Bug Exposes ~100,000 Windows Domain Credentials

Sep 23, 2021
An unpatched design flaw in the implementation of Microsoft Exchange's Autodiscover protocol has resulted in the leak of approximately 100,000 login names and passwords for Windows domains worldwide. "This is a severe security issue, since if an attacker can control such domains or has the ability to 'sniff' traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire," Guardicore's Amit Serper  said  in a technical report. "Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs [top-level domains]." The Exchange  Autodiscover  service enables users to configure applications such as Microsoft Outlook with minimal user input, allowing just a combination of email addresses and pas
cyber security

Are You Vulnerable to Third-Party Breaches Through Interconnected SaaS Apps?

websiteWing SecuritySaaS Security / Risk Management
Protect against cascading risks by identifying and mitigating app2app and third-party SaaS vulnerabilities.
Colombian Real Estate Agency Leak Exposes Records of Over 100,000 Buyers

Colombian Real Estate Agency Leak Exposes Records of Over 100,000 Buyers

Sep 23, 2021
More than one terabyte of data containing 5.5 million files has been left exposed, leaking personal information of over 100,000 customers of a Colombian real estate firm, according to cybersecurity company WizCase. The breach was discovered by Ata Hakçıl and his team in a database owned by Coninsa Ramon H, a company that specializes in architecture, engineering, construction, and real estate services. "There was no need for a password or login credentials to see this information, and the data was not encrypted," the researchers  said  in an exclusive report shared with The Hacker News. The data exposure is the result of a misconfigured Amazon Web Services (AWS) Simple Storage Service (S3) bucket, causing sensitive information such as clients' names, photos, and addresses to be disclosed. The details stored in the bucket range from invoices and income documents to quotes and account statements dating between 2014 and 2021. The complete list of information contained in
Critical Cosmos Database Flaw Affected Thousands of Microsoft Azure Customers

Critical Cosmos Database Flaw Affected Thousands of Microsoft Azure Customers

Aug 27, 2021
Cloud infrastructure security company Wiz on Thursday revealed details of a now-fixed Azure Cosmos database vulnerability that could have been potentially exploited to grant any Azure user full admin access to other customers' database instances without any authorization. The flaw, which grants read, write, and delete privileges, has been dubbed " ChaosDB ," with Wiz researchers noting that "the vulnerability has a trivial exploit that doesn't require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies." Cosmos DB is Microsoft's proprietary  NoSQL database  that's advertised as "a fully managed service" that "takes database administration off your hands with automatic management, updates and patching." The Wiz Research Team reported the issue to Microsoft on August 12, after which the Windows maker took steps to mitigate the issue within 48 hours of r
Can Data Protection Systems Prevent Data At Rest Leakage?

Can Data Protection Systems Prevent Data At Rest Leakage?

May 13, 2021
Protection against insider risks works when the process involves controlling the data transfer channels or examining data sources. One approach involves preventing USB flash drives from being copied or sending them over email. The second one concerns preventing leakage or fraud in which an insider accesses files or databases with harmful intentions. What's the best way to protect your data? It seems obvious that prevention is the best way to solve any problem. In most cases, DCAP (data-centric audit and protection) and DAM (database activity monitoring) is sufficient. Both serve the purpose of protecting data at rest. The following example illustrates the approach we found in the Russian legal system. An employee of the Federal Migration Service in one of the Russian regions was approached by his friend, who asked him to hide information about two offenses in his file in the migrant database. The employee knew that this could be done remotely, accessed the database from home,
533 Million Facebook Users' Phone Numbers and Personal Data Leaked Online

533 Million Facebook Users' Phone Numbers and Personal Data Leaked Online

Apr 04, 2021
In what's likely to be a goldmine for bad actors, personal information associated with approximately 533 million Facebook users worldwide has been leaked on a popular cybercrime forum for free—which was harvested by hackers in 2019 using a Facebook vulnerability. The  leaked data  includes full names, Facebook IDs, mobile numbers, locations, email addresses, gender, occupation, city, country, marital status broken, account creation date, and other profile details broken down by country, with over 32 million records belonging to users in the U.S., 11 million users the U.K., and six million users in India, among others. Also included in the leak are  phone numbers  from Facebook CEO Mark Zuckerberg, and co-founders Chris Hughes, and Dustin Moskovitz, who are the fourth, fifth, and sixth members to have registered on Facebook. Interestingly, it appears that the same phone number is also registered to his name on the privacy-focussed messaging app Signal. "Mark Zuckerberg als
Incomplete 'Go SMS Pro' Patch Left Millions of Users' Data Still Exposed Online

Incomplete 'Go SMS Pro' Patch Left Millions of Users' Data Still Exposed Online

Dec 01, 2020
A week after cybersecurity researchers disclosed a flaw in the popular GO SMS Pro messaging app, it appears the developers of the app are silently taking steps to fix the issue from behind the scenes. The  security misstep  made it possible for an attacker to come up with a trivial script to access media files transferred between users, including private voice messages, photos, and videos, stored on an unauthenticated, publicly accessible server. Although the behavior was observed on version 7.91 of GO SMS Pro for Android, the app makers have since released three subsequent updates, two of which (v7.93 and v7.94) were pushed to the Google Play Store after public disclosure of the flaw and Google's removal of the app from the marketplace. Google reinstated the app back to the Play Store on November 23. Now following an analysis of the updated versions, Trustwave researchers said , "GOMO is attempting to fix the issue, but a complete fix is still not available in the app.&
Cybersecurity Resources