Polygon Paid Two White Hat Hackers $3.46 Million Bounties For Discovering Critical Flaw
Misconfigured Sega bucket exposed 250K user email list, Missouri governor is still threatening charges against journalist, Huawei faces big revenue drop, Six Netgear routers suffer serious flaws, more
Ethereum scaling project Polygon announced that it successfully fixed a critical network vulnerability that put its MATIC token at risk after a group of whitehat hackers notified bug bounty platform Immunefi of the flaw. However, a hacker was able to steal $2.04 million in MATIC before Polygon implemented the fix.
Polygon executed the fix on December 5 without impacting the liveness and performance of the network in any significant way. Polygon paid a total of about $3.46 million as bounty to the two white hat hackers. (Yogita Khatri / The Block)
Immunefi @immunefi: Polygon bugfix postmortem! Whitehat @leonspacewalker receives a big $2.2m bounty for his critical find. https://t.co/yfNZeN0kZO
VPN Overview discovered a misconfigured Amazon Web Services S3 bucket that exposed sensitive information, including credentials that allowed the researchers to upload arbitrary files to a large swath of Sega-owned domains and a key that could be abused to access a 250,000-user email list.
The domains impacted included the official landing pages for major franchises, including Sonic the Hedgehog, Bayonetta, and Total War, as well as the Sega.com site itself. An improperly stored Mailchimp API key gave VPNO access to the email list. (Bryan Menegus / Engadget)
Missouri Governor Mike Parson said he believed the Cole County prosecuting attorney would bring charges in the case of a Post-Dispatch reporter who alerted the state to a significant data vulnerability.
In October, a Post-Dispatch reporter alerted the state to a data issue contained on a Department of Elementary and Secondary Education website that left Social Security numbers of educators vulnerable to public disclosure. The newspaper didn’t publish its report until after the officials moved to protect the vulnerable information and did not reveal any personal information. The journalist used open-source tools, specifically the ability to view publicly accessible HTML code, to make his discovery. (Jack Suntrup / St. Louis Post-Dispatch)
Related: Boing Boing
Apple’s AirTags that provide location-tracking capabilities are an increasing concern among privacy experts because the evidence is mounting that the devices may be abetting a new form of stalking and theft.
The West Seneca Police Department in New York recently warned of the tracking potential of the devices after an AirTag was found on a car bumper. Apple complied with a subpoena for information about the AirTag in the case, which may lead to charges. A local police department in Canada investigated five incidents of thieves placing AirTags on “high-end vehicles so they can later locate and steal them.” (Ryan Mac and Kashmir Hill / New York Times)
Ryan Mac 🙃 @RMac18: @kashhill We spoke to one high school senior who was notified she was being tracked by an unknown AirTag and frantically searched her car, only for her mom to tell her later that she put it on the vehicle to track her whereabouts. https://t.co/4WLsEfJRgw https://t.co/FkoAzzamvA
The Have I Been Pwned data breach notification service now lets users check whether their email addresses and passwords are among the 441,000 accounts stolen in a campaign using the RedLine information-stealing malware.
The malware will attempt to steal cookies, credentials, credit cards, and autocomplete information stored in browsers. It also steals credentials stored in VPN clients and FTP clients, steals cryptocurrency wallets, and can download additional software or execute commands on the infected system. Security researcher Bob Diachenko found a server exposing over 6 million RedLine logs, including numerous password keeper LastPass credentials, collected in August and September 2021. (Lawrence Abrams / Bleeping Computer)
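The check Have I Been Pwned offers for passwords is built on its public Pwned Passwords range API, which lets a client ask whether a password has appeared in a breach without sending the password or its full hash. The example below is added here and is not code from Have I Been Pwned or from the article: it hashes the password with SHA-1, sends only the first five hex characters of the hash (the "range"), and matches the remaining 35 characters locally against the returned list. The range response used in the test is constructed to illustrate the format; the live endpoint URL and the optional `Add-Padding` header are documented features of the real service.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Real endpoint of the Pwned Passwords k-anonymity API (documented by HIBP).
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for the prefix "5BAA6" (NOT real API
# output). Each line is "<35-hex suffix>:<count>". Lines with count 0 are the
# padding entries the API emits when "Add-Padding: true" is requested; they
# carry no information and must be ignored.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",  # suffix for "password"
    "0A3E84D8D44F2F0F0E9A5E3E6F9B2D1C7A1:0",        # padding entry
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
])


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char range prefix
    (the only part that leaves the client) and the 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: count}, dropping padding (count 0)
    and malformed lines rather than trusting the body blindly."""
    results: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue
        n = int(count)
        if n > 0:
            results[suffix.upper()] = n
    return results


def fetch_range_live(prefix: str) -> str:
    """Fetch a range from the real API (network access required; not used by
    the offline test). Add-Padding hides the true response size from observers."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return how many times the password appears in the breach corpus
    (0 if absent). Only the hash prefix is ever passed to fetch_range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""
    print("password ->", pwned_count("password", offline))
    print("random passphrase ->", pwned_count("constructed-unique-passphrase-9f2", offline))
```

Because the server only ever sees a five-character prefix shared by hundreds of hashes, it cannot tell which password was checked; the client does the final comparison. Passing `fetch_range_live` (the default) performs the same logic against the real service.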
Bob Diachenko @MayhemDayOne: Redline Stealer malware logs with more than 6M records were exposed online, publicly (now taken down). Internationally sourced data, exfiltrated in Sept and Aug 2021. RS is the key source of identity data sold on online criminal forums since its initial release in early 2020. https://t.co/kv9MNL8hAE
Troubled Chinese telecom tech provider Huawei said it expects revenue for this year will come in at 634 billion yuan ($99 billion), a 28.9% drop from a year ago, as the company suffers from U.S. sanctions, the semiconductor shortage, and a global slump in demand for smartphones.
In 2019, the U.S. put Huawei on a denylist that restricted American companies from selling technology to the Chinese company due to fears that Huawei cooperates with Beijing in placing surveillance or other technology into its gear that might jeopardize U.S. national security. (Evelyn Cheng / CNBC)
Researchers at Tenable found half a dozen high-risk vulnerabilities in the latest firmware version for the Netgear Nighthawk R6700v3 router. Tenable disclosed the issues to the vendor on September 30, 2021, but the flaws remained unpatched at the time of publication.
The flaws could allow an attacker on the network to take complete control of the device. Tenable also found several instances of jQuery libraries relying on version 1.4.2, which is known to contain vulnerabilities. (Bill Toulas / Bleeping Computer)