Kashif Ali

“Weaponized” exploit can steal sensitive user data on eBay, Tumblr, et al.

July 8, 2014 arstechnica.com

Update: Almost four hours after this article went live, a Tumblr spokeswoman e-mailed Ars to say the site has been patched against the Rosetta Flash attack. Later, a cofounder of Olark said that service had been patched, too.

A serious attack involving a widely used Web communication format is exposing millions of end users' authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday.

The exploit—which stems from the ease of embedding malicious commands into Adobe Flash files before they're executed—has been largely mitigated by a Flash security update Adobe released Tuesday morning to coincide with a technical analysis of the threat, including proof-of-concept exploit code. It will take days or weeks for a meaningful percentage of end users to install the fix, so the researcher who wrote the advisory is warning engineers at large websites to make server-side changes that will minimize the damage attackers can inflict on visitors. eBay, Tumblr, Instagram, and Olark are known to be vulnerable to attacks that can intercept authentication cookies or other data they send end users. Until recently, both Twitter and a wide range of Google services were also susceptible to the exploit. The common identifier assigned to the exploit is CVE-2014-4671.
