brownbad.blogg.se

Evernote hacks 2018

“After some trial and error with different commands,” he writes, “I was able to use Node.js to execute system commands and read system files.” Having learned that Evernote for Windows permitted code to be embedded in the filenames of pictures, which would be executed when the note was opened, Zhu searched Evernote’s installation folders and found NodeWebKit – an application runtime program that Evernote uses in its presentation mode. Danny Bradbury of Sophos’s Naked Security blog explains it better than I could. The vulnerability (CVE-2018-18524) was discovered by TongQing Zhu, a security researcher for the Chinese company Knownsec 404.


The note-sharing app Evernote has patched a persistent XSS (cross-site scripting) vulnerability that let attackers compromise victims’ computers by sharing infected notes. Needless to say, it did so out of an abundance of caution. We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service.” We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts. The bank said: “HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously.


Official information is limited so far, but the FT, among others, reports that credential stuffing was to blame: in other words, criminals used personal information that had been compromised in other data breaches to gain access – once again reinforcing the inadvisability of reusing login credentials across different sites and services. If you’ve been paid by the owner of a compromised account, your account details will have been automatically saved – so unless the account holder made the effort to delete them, they will have been compromised too. However, the compromise of payee account information potentially affects far more individuals and organisations. Online access to the affected accounts was suspended and customers were forced to change their login credentials to prevent further unauthorised access. HSBC’s US division has reported that it suffered a data breach last month, in which customer accounts were accessed by “unauthorized users”. Customers’ names, postal addresses, phone numbers, email addresses, dates of birth, account numbers, balances, transaction histories, payee account information and statement histories were all compromised. According to the BBC, less than 1% of HSBC’s 1.4 million American customers were affected by the incident, which occurred between 4 and 14 October. Hello and welcome to the IT Governance podcast for Friday, 9 November. This week, we discuss a data breach affecting HSBC’s US customers, an XSS vulnerability in Evernote and a critical RCE vulnerability in Apache Struts.











