Tag Archive for: exposes

Unjected Data Breach: Security Lapse Exposes Thousands of User Accounts


Unjected, the controversial anti-vaccine dating platform, faces another bout of scrutiny as a recent security breach exposes the private data of over 35,000 users. 

The latest problem, discovered by security researcher GeopJr, stems from serious vulnerabilities in the platform’s infrastructure that could compromise user privacy and safety.

Unjected Hit by a Glitch


Unjected, a website that promotes anti-vaccine campaigns, is now dealing with a glitch that exposes the confidential information of some of its users.


GeopJr’s investigation reveals critical flaws in Unjected’s security measures, allowing unauthorized access to sensitive user information. The breach exposes personal details, including full names, birthdates, email addresses, and location data of thousands of users. Moreover, authentication issues enable malicious actors to manipulate user profiles and access private messages exchanged on the platform.


History of Security Concerns

This isn’t the first time Unjected has faced security-related controversies. In July 2022, GeopJr uncovered an open administrator dashboard, granting unauthorized access to crucial site functionalities. Despite attempts to rectify the issue, subsequent glitches and outages persisted, raising concerns among users regarding data protection.

Persistent Security Lapses

Despite being alerted to the security vulnerabilities by GeopJr and the Daily Dot, Unjected has failed to address the issues adequately. Efforts to patch the leak inadvertently exacerbated the situation, introducing additional vulnerabilities, including unauthorized account deactivation.

User Concerns and Insecurity

The breach has left users apprehensive about their privacy and safety on the platform. Direct messages reveal widespread distrust and unease among users regarding Unjected’s security practices. Concerns range from potential government surveillance to fears of hacking and data exploitation.

Response and Lack of Transparency


Source…

United Hack Exposes The Problem With Health Care Monopolies


In a bid to win reelection, the Biden administration keeps trying to sell the country on all the supposed benefits of Obamacare. Before continuing their sales campaign, they might want to check in with the doctors’ offices struggling to make payroll.

For over a month, the multitrillion-dollar health care sector has had to respond to a hack on a payment processor owned by UnitedHealth Group, the nation’s largest insurer. Axios reported that hospitals, doctors, medical equipment suppliers, and pharmacies are collectively losing as much as $1 billion a day. The chaos was caused in no small part by the industry consolidation that Obamacare sparked, and it may make that problem even worse.

Too Big to Fail Redux?

Ignore for a moment the fact that Change Healthcare, the UnitedHealth affiliate whose payment processing operations were attacked, reportedly paid $22 million to the ransomware group behind the hack — which will of course only encourage future efforts to target health care entities in cyberspace. The real issue is the size and breadth of the network that was hacked.

Consider that Change processes 15 billion medical claims per year — the most by any organization in the country. In raw terms, that amounts to more than 41 million medical claims per day. When a company is processing what amounts to a medical claim for more than 1 in 10 Americans each and every day, that is bound to extend its reach far and wide in the health care system.

And so it has proved. Doctors and hospitals are struggling to manage cash flow without regular payments from insurers, as the system for processing payments remains clogged. Patients and pharmacists alike are struggling; pharmacists cannot process a patient’s insurance to determine the proper co-payment or co-insurance, and some patients are having to pay large sums out of pocket (that is, if they can afford to do so) and hope their insurance reimburses them eventually.

Encouraging More Consolidation

How did we get to this point? Why was the nation’s largest health insurer able to buy such a critically important payment processor? Good question.

For years, Obamacare has encouraged hospitals,…

Source…

Group permission misconfiguration exposes Google Kubernetes Engine clusters


GKE also supports anonymous access: requests made to the Kubernetes API without a client certificate or an authorized bearer token are executed as the “system:anonymous” user and as a member of the “system:unauthenticated” group. If a valid token or certificate is presented, the request is identified as the corresponding identity with its own roles, plus whatever roles are bound to the system:authenticated group, which every authenticated principal belongs to. By default, that group only gets access to some basic discovery URLs that don’t expose sensitive information, but admins can expand the group’s permissions without realizing the implications. “Administrators might think that binding system:authenticated to a new role, to ease their managerial burden of tens or hundreds of users, is completely safe,” the researchers said. “Although this definitely makes sense at first glance, this could actually turn out to be a nightmare scenario.”

To execute authenticated requests to a GKE cluster, all a user needs to do is open Google’s OAuth 2.0 Playground and authorize their account for the Kubernetes Engine API v1. By completing the playground authorization process, any user with a Google account can obtain an authorization code that can be exchanged for an access token on the same page. That access token can then be used to send requests to any GKE cluster whose control-plane endpoint is reachable from the user’s network, and the request will be identified as a member of system:authenticated, which carries the system:basic-user ClusterRole.

system:basic-user allows users to list the permissions they currently hold, including those inherited from the system:authenticated group, by creating a SelfSubjectRulesReview. This gives an attacker a simple way to check whether a cluster’s admin has over-permissioned system:authenticated.
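As an added example (not code from the article or from Orca’s research), the self-review step in Python: one function builds the same SelfSubjectRulesReview request a curious authenticated user would send, and a second separates the rules every authenticated principal gets from the default system:basic-user binding from anything the admin added. The API server URL and token are placeholders, and the two review responses are constructed to show a default cluster beside an over-permissioned one.

```python
import json
import urllib.request

# API path for the namespaced self-review every authenticated principal may create.
SSRR_PATH = "/apis/authorization.k8s.io/v1/selfsubjectrulesreviews"


def build_selfsubjectrulesreview(api_server, token, namespace="default"):
    """Build the POST a caller sends to learn what it may do in `namespace`.

    `api_server` is the cluster's control-plane endpoint (placeholder here) and
    `token` the OAuth access token obtained from the playground step above.
    """
    body = {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectRulesReview",
        "spec": {"namespace": namespace},
    }
    return urllib.request.Request(
        api_server.rstrip("/") + SSRR_PATH,
        data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def flag_extra_rules(review):
    """Return resource rules not explained by the default system:basic-user binding.

    system:basic-user only grants `create` on selfsubjectaccessreviews and
    selfsubjectrulesreviews; any other resource rule in the review came from a
    binding the cluster admin added for system:authenticated (or for the caller).
    """
    baseline = {"selfsubjectaccessreviews", "selfsubjectrulesreviews"}
    extra = []
    for rule in review.get("status", {}).get("resourceRules", []):
        groups = rule.get("apiGroups", [""])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if (groups == ["authorization.k8s.io"] and set(resources) <= baseline
                and set(verbs) <= {"create"}):
            continue
        extra.append({"apiGroups": groups, "resources": resources, "verbs": verbs})
    return extra


# Constructed responses (not captured from a real cluster).
DEFAULT_REVIEW = {
    "kind": "SelfSubjectRulesReview",
    "status": {
        "incomplete": False,
        "resourceRules": [
            {"verbs": ["create"], "apiGroups": ["authorization.k8s.io"],
             "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]},
        ],
        "nonResourceRules": [
            {"verbs": ["get"], "nonResourceURLs": ["/api", "/api/*", "/healthz", "/version"]},
        ],
    },
}

OVERPERMISSIONED_REVIEW = {
    "kind": "SelfSubjectRulesReview",
    "status": {
        "incomplete": False,
        "resourceRules": DEFAULT_REVIEW["status"]["resourceRules"] + [
            # What the Orca example binding produces: read everything, everywhere.
            {"verbs": ["get", "list", "watch"], "apiGroups": ["*"], "resources": ["*"]},
        ],
        "nonResourceRules": DEFAULT_REVIEW["status"]["nonResourceRules"],
    },
}


if __name__ == "__main__":
    req = build_selfsubjectrulesreview("https://203.0.113.10", "ya29.placeholder")
    print(req.get_method(), req.full_url)
    print("default cluster:", flag_extra_rules(DEFAULT_REVIEW))
    print("over-permissioned:", flag_extra_rules(OVERPERMISSIONED_REVIEW))
```

Against a real endpoint you would pass the request to `urllib.request.urlopen` and `json.load` the response. Two caveats: the review only covers one namespace per call, and `status.incomplete` is set to true when an authorizer could not enumerate rules, so an empty result is not proof that the group is safe. Non-resource rules (discovery URLs) are ignored here because the defaults already grant them.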

The Orca researchers demonstrated the impact with an example where the admin decided to associate any authenticated user with the ability to read all resources across all apiGroups in the cluster. This is “something that can be somewhat useful when there is a real governance around the users which can authenticate to the cluster, but not on GKE,” they said. “Our attacker can now, in the current…
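The admin-side counterpart, added here as an example rather than taken from the article or Orca’s research: a Python audit over the output of `kubectl get clusterrolebindings -o json` that reports every binding granting system:authenticated or system:unauthenticated anything beyond the ClusterRoles Kubernetes binds to those groups itself (system:basic-user, system:discovery, system:public-info-viewer). The sample bindings are constructed; `read-all` and `alice@example.com` are placeholders.

```python
import json
import sys

# ClusterRoles that Kubernetes binds to the broad groups out of the box. They
# cover API discovery and self-review only, the "basic discovery URLs" the
# article mentions.
DEFAULT_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def audit_bindings(binding_list):
    """Report (binding, group, role) for broad-group bindings beyond the defaults.

    `binding_list` is the parsed output of `kubectl get clusterrolebindings -o json`;
    `kubectl get rolebindings -A -o json` has the same shape, so the function
    also works for namespaced bindings.
    """
    findings = []
    for binding in binding_list.get("items", []):
        role = binding["roleRef"]["name"]
        if role in DEFAULT_ROLES:
            continue
        for subject in binding.get("subjects") or []:
            if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
                findings.append((binding["metadata"]["name"], subject["name"], role))
    return findings


# Constructed bindings (not from a real cluster).
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {   # shipped by Kubernetes: fine
            "metadata": {"name": "system:basic-user"},
            "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
        {   # the Orca scenario: every Google account can read every resource
            "metadata": {"name": "all-authenticated-read"},
            "roleRef": {"kind": "ClusterRole", "name": "read-all"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
        {   # the corrected form: same role, named principals only
            "metadata": {"name": "team-read"},
            "roleRef": {"kind": "ClusterRole", "name": "read-all"},
            "subjects": [{"kind": "User", "name": "alice@example.com"}],
        },
    ],
}


if __name__ == "__main__":
    # Pipe `kubectl get clusterrolebindings -o json` in, or run with no stdin
    # to audit the constructed sample.
    data = SAMPLE_BINDINGS if sys.stdin.isatty() else json.load(sys.stdin)
    for name, group, role in audit_bindings(data):
        print(f"{name}: grants {role} to {group}")
```

The fix for any finding is the third sample binding: keep the role, replace the broad group with the users or a dedicated group that should actually hold it. On GKE the broad group is effectively every Google account, so there is no governance over who can authenticate that would make binding it safe.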

Source…

Hack of Kyivstar exposes gap in IT understanding of cybersecurity, expert says


It will take time to fully restore Kyivstar’s infrastructure after the Dec. 12 hacker attack, and the restoration will be carried out in stages, cybersecurity expert Kostiantyn Korsun wrote in his column for NV Business on Dec. 14.

“I think voice (calls) will be restored relatively quickly, data transmission – after that, and everything else – later,” the expert said, recalling that Russia has already made attempts to leave Ukraine without communication.

“Almost the entire infrastructure can be restored, even if a missile hits a data center, as long as people are not injured.”

“The Russians tried hard to shut down all Ukrainian operators and providers in February-March 2022, but failed,” Korsun noted.

The operators managed to pull through because the Internet access industry in Ukraine is private, he added.


“The Ukrainian Internet access industry is almost entirely private and is still not regulated by the state, which is why it retains amazing resilience,” the expert said.

“And yes, nationalizing Kyivstar is a bad idea.”

Even IT professionals may not fully comprehend cyber risks, so conclusions must be drawn from the attack on Kyivstar, Korsun wrote.

“I would advise CEOs and CISOs of large companies to change the passwords to the domain controller and corporate VPN right now, patch everything that needs to be patched, and then order an infrastructure security audit,” he said.

“This is the first step. And then conduct training with staff and separate specialized training on cybersecurity for IT specialists. Because, oddly enough, quite often an IT specialist does not understand cybersecurity.”

Russian hackers from the Solntsepek group earlier claimed full responsibility for the cyberattack on mobile operator Kyivstar. Ukraine’s SBU security service responded to this information.

Kyivstar, Ukraine’s largest mobile operator, suffered a large-scale outage on the morning of Dec. 12. Service problems were reported throughout Ukraine.

The company announced a technical failure that may result in the unavailability of communication and Internet access services for part of its subscriber base.

The…

Source…