Cybersecurity News: November 19, 2020

Are they looking to be bored to death?: Cisco has fixed three Webex Meetings security vulnerabilities that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants (Fun….Wow!). Threat actors abusing the now-patched flaws could become ‘ghost’ users capable of joining a meeting without being detected, as IBM researchers discovered while analyzing Cisco’s collaboration tool for vulnerabilities. ‘Ghost’ users are meeting participants who can’t be seen in the user list and were not invited to the meeting, but who can hear, speak, and share media within the meeting. The three bugs also enabled attackers to remain in the Webex meeting and maintain a bidirectional audio connection even after admins removed them, and to access Webex users’ information, such as email addresses and IP addresses, from the meeting room lobby. Read more here.

Money! Money! Money!: According to HackerOne, which organised the events that Paxton-Fear attended and organises bug bounties for big businesses and government agencies, nine hackers have now earned more than $1m each in rewards for spotting vulnerabilities. Thirteen more have hit $500,000 in lifetime earnings, and 146 hackers have now earned $100,000 each. Researchers hacking on HackerOne’s platform earned nearly $40m in bounties in 2019. That’s nearly equal to the $82m in bounties the company has paid out on behalf of its customers to date – and that doesn’t take into account corporate bug bounty programs that are also paying out millions a year. Read more here.

AWS has widespread vulnerabilities? You don’t say: Nearly two dozen application programming interfaces (APIs) across 16 different Amazon Web Services offerings can be abused to allow attackers to obtain the roster and internal structure of an organization’s cloud account in order to launch targeted attacks against individuals. All that a threat actor would require in order to carry out the attack is the target organization’s 12-digit AWS ID — something that is used and shared publicly — Palo Alto Networks said this week. Read more here.
