Daily Archives: April 22, 2020

Stripe Payment Provider is Silently Recording Your Movements On its Customers’ Websites

Posted on by

Among startups and tech companies, Stripe seems to be the near-universal favorite for payment processing. When I needed paid subscription functionality for my new web app, Stripe felt like the natural choice. After integration, however, I discovered that Stripe’s official JavaScript library records all browsing activity on my site and reports it back to Stripe. This data includes:

  1. Every URL the user visits on my site, including pages that never display Stripe payment forms
  2. Telemetry about how the user moves their mouse cursor while browsing my site
  3. Unique identifiers that allow Stripe to correlate visitors to my site against other sites that accept payment via Stripe

This post shares what I found, who else it affects, and how you can limit Stripe’s data collection in your web applications.

Source: Stripe is Silently Recording Your Movements On its Customers’ Websites · mtlynch.io

IBM No-auth remote root exec exploit in Data Risk Manager (an enterprise security program!) drops after Big Blue snubs bug report

Posted on by

IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure. At least some versions of the Linux-powered suite included four exploitable holes, identified and, at first, privately disclosed by security researcher Pedro Ribeiro at no charge. Three are considered to be critical, and one is high risk.

The software flaws can be chained together to achieve unauthenticated remote code execution as root on a vulnerable installation, as described in an advisory Ribeiro published today on GitHub.

Prior to going public, Ribeiro had tried to get CC/CERT to privately coordinate responsible disclosure with IBM, but Big Blue refused to accept the bug report. He said the mainframe giant replied thus: “We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers.”

“This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” said Ribeiro in his disclosure.

The vulnerabilities consist of authentication bypass, command injection, insecure default password, and arbitrary file download. Using the first three, an unauthenticated remote user can run arbitrary code, and there’s now a Metasploit module to do so. Vulnerabilities one and four allow an unauthenticated attacker to download arbitrary files from the system. There’s also a Metasploit module for that attack chain.

The flaws don’t yet have CVE designations, and as far as we can tell, no patches nor updates to address the holes are available right now. The first three have been confirmed to affect IBM Data Risk Manager 2.0.1 to 2.0.3. Ribeiro believes versions 2.0.4 to 2.0.6, the latest release, are also vulnerable but that has not been confirmed. The fourth affects IDRM 2.0.2 and 2.0.3, and possibly 2.0.4 to 2.0.6. The Register asked IBM whether 2.0.6 is affected but IBM’s spokesperson did not respond.

IBM however did say that it had fumbled the report. “A process error resulted in an improper response to the researcher who reported this situation to IBM,” a company spokesperson told The Register. “We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”

Ribeiro dismissed IBM’s response in an email to The Register. “Well, what can I say,” he said. “It’s a joke right? I think it’s pretty sad that I have to disclose a zero-day and shame them publicly to get them to patch critical vulnerabilities in a security product, while they sell themselves as an elite company providing security services.”

Source: IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report • The Register

Zoom sex party moderation: app uses machine-learning to patrol nudity – will it record them to put up on the web?

Posted on by

As Rolling Stone reported, the app is now playing host to virtual sex parties,  “play parties,” and group check-ins which have become, as one host said, “the mutual appreciation jerk-off society.”

According to Zoom’s “acceptable use” policy, users may not use the technology to “engage in any activity that is harmful, obscene, or indecent, particularly as such would be understood in the context of business usage.” The policy specifies that this includes “displays of nudity, violence, pornography, sexually explicit material, or criminal activity.”

Zoom says that the platform uses ‘machine learning’ to identify accounts in violation of its policies — though it has remained vague about its methods for identifying offending users and content.

“We encourage users to report suspected violations of our policies, and we use a mix of tools, including machine learning, to proactively identify accounts that may be in violation,” a spokesperson for Zoom told Rolling Stone.

While Zoom executives did not respond to the outlet’s questions about the specifics of the machine-learning tools or how the platform might be alerted to nudity and pornographic content, a spokesperson did add that the company will take a “number of actions” against people found to be in violation of the specified acceptable use.

When reached for comment, a spokesperson for Zoom referred Insider to the “acceptable use” policy as well as the platform’s privacy policy which states that Zoom “does not monitor your meetings or its contents.”

The spokesperson also pointed to Yuan’s message in which he addressed how the company has “fallen short” of users’ “privacy and security expectations,” referencing instances of harassment and Zoom-bombing, and laid out the platform’s action plan going forward.

Source: Zoom sex party moderation: app uses machine-learning to patrol nudity – Insider

It’s not unthinkable that they will record the videos and them just leave them on the web for anyone to download. After all, they’ve left thousands of video calls just lying about before.