Brief #43: ChatGPT Flaws, Roku Hacked, Tor's WebTunnel

Happy week 11!

Before we jump in you might have missed my post:

This week in cybersecurity, critical vulnerabilities in ChatGPT's plugin ecosystem were discovered, Roku disclosed a data breach impacting over 15,000 customers, and the Tor Project introduced WebTunnel to bypass censorship.

Let's dive in!

🌐 This Week in Cybersecurity

Roku Discloses Data Breach Impacting Over 15,000 Customers

Credential Stuffing Attack: Roku disclosed that 15,363 customer accounts were compromised in a credential stuffing attack, where threat actors used credentials exposed in previous data breaches to gain unauthorized access to Roku accounts.
Account Takeover and Fraudulent Purchases: Once an account was breached, the attackers changed account information like passwords, email addresses, and shipping addresses, effectively locking out legitimate users. They then used stored credit card details to make fraudulent purchases of hardware and streaming subscriptions without the account holders receiving order confirmations.
Stolen Accounts Sold on Dark Web: Threat actors have been conducting these credential stuffing attacks for months using tools like Open Bullet 2 and SilverBullet. Successfully hacked Roku accounts are being sold on stolen account marketplaces for as little as $0.50 each. Buyers then hijack the accounts and make illegal purchases using the stored payment methods.
Roku's Response and Lack of 2FA: Upon detecting the breach, Roku secured the impacted accounts, forced password resets, and refunded unauthorized charges. However, the platform does not currently support two-factor authentication (2FA), which could prevent account takeovers even if credentials are compromised. Roku also recently updated its Dispute Resolution Terms, possibly in part due to the ongoing credential stuffing attacks and fraud.

ChatGPT Plugin Vulnerabilities Allow Access to User Accounts and Sensitive Data

Overview: Salt Labs researchers discovered critical vulnerabilities in ChatGPT's plugin ecosystem that could allow attackers to access user accounts and sensitive data on third-party websites like GitHub without user interaction. The flaws were found in ChatGPT itself and in multiple plugins developed using the PluginLab.AI framework.
ChatGPT Vulnerability: A flaw in ChatGPT's plugin installation process allowed attackers to install malicious plugins on victim accounts without their approval. By exploiting this, attackers could forward almost any chat data, including credentials and sensitive information, to their own plugin. ChatGPT implemented a state parameter but it was not sufficiently random.
PluginLab.AI Framework Flaws: Dozens of plugins developed with PluginLab.AI, such as AskTheCode, were vulnerable to a zero-click account takeover. Unauthenticated requests could be made to retrieve a victim's member ID and generate a code to access their GitHub repositories via the plugin. PluginLab.AI quickly mitigated the issue after disclosure.
OAuth Redirection Manipulation: Several plugins, like Charts by Kesem AI, had a classic OAuth vulnerability allowing attackers to provide a malicious redirect URI and steal user credentials. Proper validation of the redirect URI was lacking. Documentation improvements emphasizing redirect URI security were recommended to OpenAI.

Russian-Canadian "Cyber Terrorist" Sentenced to 4 Years for Ransomware Attacks

Mikhail Vasiliev Pleads Guilty: Vasiliev, a 34-year-old Russian-Canadian, pled guilty to 8 counts of cyber extortion, mischief and weapons charges. He admitted to being part of the LockBit ransomware group.
Targeted Ransomware Attacks: Between 2021-2022, Vasiliev extorted hundreds of thousands of dollars from businesses in Saskatchewan, Montreal and Newfoundland by encrypting their systems and data. LockBit made at least $100M in ransom demands globally.
Sentencing and Restitution: The judge called Vasiliev a "cyber-terrorist" motivated by greed. He was sentenced to nearly 4 years in jail and ordered to pay over $860,000 in restitution to Canadian victims. Vasiliev awaits extradition to the U.S. on additional charges.

Tor Project Introduces WebTunnel to Bypass Censorship

New Bridge Type: The Tor Project has officially introduced WebTunnel, a new bridge type designed to help bypass censorship targeting the Tor network by hiding connections in plain sight.
Blending with HTTPS Traffic: WebTunnel makes it harder to block Tor connections by ensuring that the traffic blends in with HTTPS-encrypted web traffic, effectively circumventing censorship in network environments with protocol allow lists and deny-by-default policies.
Usage and Availability: To use a WebTunnel bridge, users need to obtain bridge addresses and manually add them to Tor Browser for desktop or Android. WebTunnel has been available for deployment by bridge operators since June 2023, with 60 bridges hosted worldwide and over 700 daily active users.
Geopolitical Importance: The Tor Project aims to ensure that Tor works for everyone, especially amid geopolitical conflicts where the internet has become crucial for communication, witnessing events, organizing, defending human rights, and building solidarity.

Google Enhances Safe Browsing in Chrome with Real-Time URL Checks

Real-Time Protection: Chrome's Standard protection mode on desktop and iOS will now check URLs against Google's server-side list of known malicious sites in real-time, expected to block 25% more phishing attempts compared to the previous locally-stored list approach.
Privacy-Preserving Architecture: To protect user privacy, visited URLs are obfuscated into encrypted 4-byte hash prefixes and sent to a privacy server (an Oblivious HTTP relay), which removes user identifiers before forwarding to the Safe Browsing server. This ensures no single party has access to both user identity and URL hash prefixes.
Efficient Threat Detection: The real-time checks address the challenge of rapidly growing phishing domains, 60% of which exist for less than 10 minutes. The new approach enables faster blocking without relying on resource-constrained devices to maintain and update the full list of unsafe sites.
Enhanced Security: The enhanced Safe Browsing feature strengthens Chrome's defenses against malicious websites while preserving user privacy through a thoughtfully designed client-server architecture leveraging hashing, encryption, and an OHTTP relay.

🚀 Startup Watch

Zscaler has acquired Avalor, a startup that provides a Data Fabric for Security, with the goal of transforming AI capabilities in the cybersecurity industry. I believe this acquisition is a smart move by Zscaler, as it will enable them to leverage their vast security data to train more effective AI models and enhance their Zero Trust Exchange platform.
Eye Security, a Dutch cybersecurity start-up, has secured €36 million in a Series B funding round led by JP Morgan Growth Equity Partners. I find it impressive that Eye Security has raised a total of €57.5 million since its founding in 2020, demonstrating strong investor confidence in their cyber insurance, incident response, and managed extended detection and response solutions. As the EU's NIS2 directive approaches its October implementation deadline, I believe Eye Security is well-positioned to help mid-market European businesses strengthen their cybersecurity posture and comply with the new regulations.
Gem Security, an Israeli cybersecurity startup founded by veterans of the IDF's elite 8200 unit, has been acquired by fellow Israeli unicorn Wiz for $350 million. As someone who closely follows the Israeli tech scene, I'm always excited to see homegrown startups achieve successful exits like this. It's a testament to the incredible talent and innovation coming out of Israel's cybersecurity ecosystem, and I can't wait to see what Wiz and Gem accomplish together with their combined expertise and resources.

🛠️ Security Tools

Wireguard - Simple and modern VPN with state-of-the-art cryptography.
Bitwarden - Open-source password manager that can be also self-hosted.
BeEF - A penetration testing tool that specializes in exploiting web browsers for security assessments.

📚 Recommended Reads

The article by vin01 reveals that popular malware and URL analysis tools like urlscan.io, Hybrid Analysis, and Cloudflare Radar URL Scanner store a large number of private and sensitive links, which can be publicly accessed and searched. In my opinion, this is a significant security concern as it exposes sensitive data such as private files, shared secrets, smart home device recordings, and meeting recordings, and the responsibility for protecting this data seems to fall into a gray area between the users submitting the links and the service providers storing them.
Bug bounty hunter received a $5000 bounty from TikTok for "javascript:alert(1)". Looks like this still works in 2024.
Wiz Research has launched "The K8s LAN Party," a Capture the Flag event that challenges participants to exploit misconfigurations and vulnerabilities in a Kubernetes cluster across five scenarios. As someone passionate about hands-on learning I highly recommend enhancing your cloud security skills and putting your knowledge to the test.

⭐️ 3 Ways I Can Help You

Work with me. I love helping people! Let's discuss your challenges, career, or ask me anything about cybersecurity in 25 minutes.
Get access to Cyber Strategy OS. My curated collection of valuable resources for every cybersecurity professional..
Looking for something different? Reach out.

If this sparked your interest, I'd love to hear from you in the comments. Stay tuned for more and consider following me on LinkedIn and X.

Nikoloz