Security Newsletter
24 June 2019
Mozilla patches Firefox zero-day abused in the wild
The Mozilla team has released earlier today version 67.0.3 of the Firefox browser to address a critical vulnerability that is currently being abused in the wild. Samuel Groß, a security researcher with Google Project Zero security team, and the Coinbase Security team were credited with discovering the Firefox zero-day -- tracked as CVE-2019-11707.
Based on who reported the security flaw, we can safely assume the security flaw was being exploited in attacks aimed at cryptocurrency owners. Groß also said he did not have details about how the zero-day was used, and indicated that Coinbase Security may know more about the in-the-wild attacks.
Firefox zero-days are quite rare. The last time the Mozilla team patched a Firefox zero-day was in December 2016, when they fixed a security flaw that was being abused at the time to expose and de-anonymize users of the privacy-first Tor Browser.
Read More on ZDNet
 
Android Malware Bypasses 2FA by Stealing One-Time Passwords
Researchers monitoring malware that affects Android devices discovered malicious apps that can steal one-time passwords (OTP) from the notification system. This development bypasses Google's ban on apps that access SMS and call logs without justification. Google enforced the restriction earlier this year specifically to lower the risk of sensitive permissions where they are not necessary. Cybercriminals found a way around this limitation and instead tap into the notifications to obtain the sensitive information. This method also opens up the door to getting short-lived access codes that are delivered via email.
Multiple malicious apps impersonating the Turkish cryptocurrency exchange BtcTurk were uploaded to Google Play between June 7 and June 13.Their purpose was to steal the login credentials to the service, and most likely try them with other services where 2FA protection against unauthorized access may be available.
One drawback to this technique, Stefanko points out, is that it can steal only the text that fits in the notification. Anything outside it remains hidden to the attacker. While this may not always include the one-time access code, a hacker would be successful in most cases. It appears that this technique is actively tried on Turkish cryptocurrency users, as another app was discovered last week operating in the same way.
Even More on BleepingComputer
Read More on ZDNet
 
More #News
 
#Patch Time!
 
#Tech and #Tools
Kingred Group is growing, so does the Group Security team! We're looking for new talented professionals to come join us: Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. You can find all our open vacancies on our career page.
This content was created by Kindred Group Security. Please share if you enjoyed!
Kindred Group in brief
Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and as an innovation driven company that builds on trust.
You can access the previous newsletters at https://news.infosecgur.us
If you no longer wish to receive this newsletter, you can unsubscribe from this list.