Security Weekly 35: Literacy To The Detriment Of Security, Mining At The Highest Level, Site That Is Not For People

A letter to a partner or customer full of spelling mistakes can badly damage a reputation. But checking its spelling and punctuation, as it turned out, could make the letter public. A serious vulnerability was discovered in Grammarly, a service that checks English text for errors, which allowed outsiders to obtain users' authorization tokens with a simple script and, with them, access to their documents.


The Grammarly service has extensions for popular browsers, including Chrome. It was in the Chrome extension that the bug was found: it allowed any website to generate tokens tied to Grammarly's cookies. Using them manually or by script, attackers could log in to the service's main site as registered users and view their records, documents, journals and other personal data.

To the developers' credit, they reacted to the report almost instantly. Working together, Grammarly and Google specialists eliminated the problem in just a few hours and released an updated extension, not only for Chrome but also for Firefox.

Mining At The Highest Level


The popular Coinhive mining script turned up on 4275 sites, including manchester.gov.uk, nhsinform.scot, uscourts.gov and other government portals around the world. For four hours the malware mined Monero through them, using 40% of the CPU power of their visitors. As it later turned out, the cause was a compromised BrowseAloud plug-in from Texthelp: it converts text to speech and is usually used to make a site easier to use for people with poor eyesight.

Having received information about the problem from the researchers, Texthelp disabled the plug-in and promptly investigated. Fortunately, the problem really was limited to crypto mining. Given the nature of the extension, which reads all the text on a page in order to voice it, and the nature of the affected sites, some of which have personal accounts with access to financial and other private information, one might also have expected a large-scale leak of confidential data, but that did not happen.
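Subresource Integrity (SRI) is the standard browser mechanism that stops a tampered third-party script, such as the compromised BrowseAloud plug-in, from running at all: the page pins a hash of the script, and the browser refuses any file that no longer matches it. The following audit is an added example, not code from the article or from Texthelp; it flags cross-origin script tags that carry no integrity attribute and checks a script body against its pinned hash. The hosts, URLs and page content are constructed placeholders.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_hash(script_body: bytes, algo: str = "sha384") -> str:
    """Return the integrity value browsers expect: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(script_body: bytes, integrity: str) -> bool:
    """True if the body matches any hash listed in the integrity attribute."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and hmac.compare_digest(sri_hash(script_body, algo), token):
            return True
    return False

class _ScriptTags(HTMLParser):
    """Collect the attributes of every <script> start tag on the page."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.tags.append(dict(attrs))

def find_unpinned_third_party_scripts(html: str, site_host: str) -> list:
    """Return src URLs of cross-origin scripts loaded without an integrity hash."""
    parser = _ScriptTags()
    parser.feed(html)
    unpinned = []
    for attrs in parser.tags:
        src = attrs.get("src")
        if not src:
            continue  # inline script, not a remote dependency
        host = urlparse(src).netloc
        if host and host != site_host and not attrs.get("integrity"):
            unpinned.append(src)
    return unpinned

# Constructed sample page (hypothetical hosts): one vendor script pinned with
# SRI and one accessibility plug-in loaded with no integrity check at all.
PINNED_BODY = b"window.vendor = {ready: true};"
PINNED_INTEGRITY = sri_hash(PINNED_BODY)
SAMPLE_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/lib.js" integrity="{PINNED_INTEGRITY}" crossorigin="anonymous"></script>
<script src="https://plugin.vendor.example/ba.js"></script>
</head></html>"""
```

Running `find_unpinned_third_party_scripts(SAMPLE_HTML, "www.council.example")` reports only the unpinned plug-in, and `verify_sri` rejects the pinned body once anything is appended to it.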

reCAPTCHA In Reverse


We are used to treating information security seriously, but meanwhile someone uses protection tools as ... material for creativity! For example, the online artist Damjan Pita, known by the nickname Damjanski, staged a virtual performance by turning the captcha inside out. The artist decided to create a site exclusively for bots.

His reverse reCAPTCHA consists of nine pictures, blurred so heavily that only a specially trained program, or a very short-sighted person who has never worn glasses, can make out the objects in them. The visitor is asked to pick the ones showing a specific object, such as a computer or a lamppost. To anyone who fails the test, which is designed for the capabilities of artificial intelligence, the page reports: "You're a human. You're not invited."

According to Damjanski himself, he constantly improves the test, complicating the blurring, and visitors actively come up with ways to decode the pictures. However, besides devising algorithms to solve the problem, there is a simpler, if unreliable, way to pick the right pictures: trial and error. Some people manage it.