Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 17, 2014. Covers enterprise, controversies, reports and more.
This week, Drupal had a SQL faceplant, Dropbox wasn't hacked, controversy erupted over a Kickstarter privacy gadget, nobody wanted a POODLE, and Ebola is infecting inboxes.
Snapchat sorta-promised to cook up a public API to fix the 3rd party app free-for-all that exploits its flawed business model to hack Snapchat's users... sooner or later. In a Facebook post this weekend, Snapsaved.com said its servers were breached due to a "misconfiguration." The site allows Snapchat users to save images without the sender knowing. Despite its obviously careless business model, Snapchat still blamed the violated users for their own victimization, citing their use of 3rd party apps.
The Drupal security team is reporting that versions of Drupal 7 prior to 7.32 are vulnerable to a "Highly Critical" SQL injection bug. Larry Seltzer reported, "Version 7.32 is now available to address the bug and the Drupal team strongly recommends that Drupal 7 admins update their sites immediately." SC Magazine reports that in a Wednesday post, Daniel Cid, CTO of Sucuri, wrote that proofs of concept were being shared on underground forums; in a Thursday post, Steven Adair, founder of Volexity, wrote that the company has observed the vulnerability being actively exploited.
Google's Security Team revealed on Tuesday that the long obsolete, but still all too widely used, Secure Sockets Layer (SSL) 3.0 cryptographic protocol has a major security flaw. In an example attack called Padding Oracle On Downgraded Legacy Encryption (POODLE), an attacker can steal "secure" HTTP cookies or other bearer tokens such as HTTP Authorization header contents. According to the team's Bodo Möller: "This vulnerability allows the plaintext of secure connections to be calculated by a network attacker." The OpenSSL Initiative issued a patch on Thursday.
Web founder Tim Berners-Lee is one of the privacy advocates behind a newly launched service that combines social media, cloud storage, person-to-person, and group communications for privacy-conscious users. The MeWe private communications network spun out of online privacy company Sgrouples — founded by online privacy advocate Mark Weinstein — doesn't own, track or share information its members provide or share among one another.
Ebola is the flavor of the week for phishing. The United States Computer Emergency Readiness Team (US-CERT) has issued an advisory alerting users to email scams and cyber campaigns using the highly publicized Ebola virus disease as phishing bait. "Phishing emails may contain links that direct users to websites which collect personal information, such as login credentials, or contain malicious attachments that can infect a system," read the advisory.