Source Code of Tools used by Cambridge Analytica to hijack Facebook accounts leaked

<div dir="ltr" style="text-align: left;" trbidi="on"> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEduR2TtnILaL7oVBznbPnhekcKb7ZUMzGSSXO-DjClOz4H8ZOa0bA67PKwukye5wjLX20yb_-8wnVZUWw54q9q-qodV4ADTCvDelRzYheXpz1mmbGYVSh5jKd3sff7a1eoufQYu76eayC/s1600/facebook-data-leak.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="430" data-original-width="800" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEduR2TtnILaL7oVBznbPnhekcKb7ZUMzGSSXO-DjClOz4H8ZOa0bA67PKwukye5wjLX20yb_-8wnVZUWw54q9q-qodV4ADTCvDelRzYheXpz1mmbGYVSh5jKd3sff7a1eoufQYu76eayC/s640/facebook-data-leak.jpg" width="640" /></a></div> AggregateIQ – a Canadian political advertising firm that played a role in the 2016 <a href="http://www.hackerschronicle.com/search/label/US%20Elections">US election</a> and the UK's "Vote Leave" Brexit campaign – left its applications and database credentials publicly accessible, security firm Upguard <a href="https://www.upguard.com/breaches/aggregate-iq-part-one">said </a>on Monday.<br /> <br /> There's no evidence that the <a href="http://www.hackerschronicle.com/search/label/Data%20Leak">exposed code</a> or data was taken. Nor is there evidence it wasn't. It was simply left accessible to the public for an unspecified period of time.<br /> <br /> In a phone interview,  Chris Vickery, Upguard's director of cyber risk research, said AggregateIQ had installed a custom version of the open source <a href="http://www.hackerschronicle.com/search/label/GitLab">GitLab </a>software version control and collaboration system.<br /> <br /> "For whatever reason, they configured it to allow registration of new accounts by the public," he said.<br /> <br /> About a week ago, on March 20, Vickery found the code repo, hosted on a GitLab subdomain of AggregateIQ.com, <a href="http://gitlab.aggregateiq.com/">gitlab.aggregateiq.com</a>.<br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhpN-mtxQ4JVaPMUSb0JYefIHe4kQbv488xyyirSu5b7ACyuNmM2V_ghqK8u1yoXGKtqPsD0njft9ZvxiSTL0GAMlWStlfg5PpnNQb19J4dbD3d_O0xjYIQ7x8CXnmissJvoTluI_07LKO/s1600/aggregatoriq-gitlab.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="968" data-original-width="1537" height="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhpN-mtxQ4JVaPMUSb0JYefIHe4kQbv488xyyirSu5b7ACyuNmM2V_ghqK8u1yoXGKtqPsD0njft9ZvxiSTL0GAMlWStlfg5PpnNQb19J4dbD3d_O0xjYIQ7x8CXnmissJvoTluI_07LKO/s640/aggregatoriq-gitlab.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">AggregateIQ GitLab Repository</td></tr> </tbody></table> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGOtwotX9_tYp5sm4XP0msxaecuw8sy07HyEmDixBoitOm26hCogCjtEwp9FCmwnY5DP6VmS7MTZQgSsLiK0Rq0E_dQpP7yruyFu-pagphtD4hFsI283U9Bkrl2TSvAJwj13bvZFxMDlBq/s1600/aggregatoriq-mamba-jamba.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="765" data-original-width="989" height="494" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGOtwotX9_tYp5sm4XP0msxaecuw8sy07HyEmDixBoitOm26hCogCjtEwp9FCmwnY5DP6VmS7MTZQgSsLiK0Rq0E_dQpP7yruyFu-pagphtD4hFsI283U9Bkrl2TSvAJwj13bvZFxMDlBq/s640/aggregatoriq-mamba-jamba.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Explanation of Primary Data Storage</td></tr> </tbody></table> <br /> Accessing the URL allowed him to register simply by providing an email address. After that, he was able to see the firm's tools and data.<br /> <br /> Vickery said he informed federal authorities of his findings but declined to name the specific agency, per the agency's request. He also said he informed AggregateIQ, and the biz shut down access 11 minutes later.<br /> <br /> Upguard suggests the material found – apparently used to support US Senator Ted Cruz's failed 2016 presidential campaign – raises questions about the firm's alleged ties to Cambridge Analytica, which <b>received $5.8 million for services rendered from the Cruz campaign</b>.<br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb3CUX1Yx_mfMsBIVcfaWXoXimw20oSbL7mbopFaBvD1oL2R655bmOanYDHr-UFIeUXgMWKb1JCfv4dh8upTaxvVkDpuY_qaNy_eDv4whWTR_Vjs8rqSGyOpfEKmWRkZGFGK8kWxj9H44y/s1600/ripon_voicemail_script.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="273" data-original-width="766" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb3CUX1Yx_mfMsBIVcfaWXoXimw20oSbL7mbopFaBvD1oL2R655bmOanYDHr-UFIeUXgMWKb1JCfv4dh8upTaxvVkDpuY_qaNy_eDv4whWTR_Vjs8rqSGyOpfEKmWRkZGFGK8kWxj9H44y/s640/ripon_voicemail_script.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">US Senator Ted Cruz's VoiceMail Script: Ripon_canvas</td></tr> </tbody></table> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEkbL_0FhZWFF1BjqlH0tqpr5avCuvpYFn-e6o7gd1U1mSRyde4al4xu8kdQezEI2JHujT5zyDwJtgMVV_Dlz9fnEN9xpNwvNXzU7_GIqcZkCZH4Jx6hOoagX8Yn3mFNFGKc_ujgTrKSjK/s1600/ripon_dialer_commit.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="288" data-original-width="992" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEkbL_0FhZWFF1BjqlH0tqpr5avCuvpYFn-e6o7gd1U1mSRyde4al4xu8kdQezEI2JHujT5zyDwJtgMVV_Dlz9fnEN9xpNwvNXzU7_GIqcZkCZH4Jx6hOoagX8Yn3mFNFGKc_ujgTrKSjK/s640/ripon_dialer_commit.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Ripon_dialer utilizing phonebanking utility.</td></tr> </tbody></table> <br /> <a href="http://www.hackerschronicle.com/search/label/cambridge%20analytica">Cambridge Analytica</a>, a UK-based data analytics firm, stands at the center of the current Facebook privacy scandal, a consequence of the biz obtaining about 50 million Facebook profiles from a researcher who took advantage of the social media site's former policy of letting app devs gather info on app users and all of their friends.<br /> <br /> <a href="http://www.hackerschronicle.com/search/label/aggregateiq">AggregateIQ </a>has been linked to Cambridge Analytica in press reports; Cambridge Analytica CEO Alexander Nix (currently suspended after undercover video of him discussing his company's tactics) has acknowledged using AggregateIQ in the past to develop software applications.<br /> <br /> A Guardian/Observer report from May 2017 alleges that Wylie, the whistleblower who helped bring the Facebook data scandal to the fore, brought AggregateIQ and Cambridge Analytica together.<br />   <br /> Read More About: <a href="http://www.hackerschronicle.com/2018/03/facebook-data-breach.html">Facebook Data Leak</a><br /> <br /> The report asserts that at one point, AggregateIQ’s address and phone number were the same as the address and phone listed for SCL Canada on Cambridge Analytica’s website.<br /> <br /> On Saturday, AggregateIQ issued a statement to distance itself from Cambridge Analytica and its parent company SCL and to assert that it has never knowingly been involved in illegal activity.<br /> <br /> "AggregateIQ has never been and is not a part of Cambridge Analytica or SCL," the Canadian company said. "Aggregate IQ has never entered into a contract with Cambridge Analytica. Chris Wylie has never been employed by AggregateIQ."<br /> <br /> Vickery expressed skepticism about AggregateIQ's disavowal of ties to Cambridge Analytica.<br /> <blockquote class="tr_bq"> I find it hard to believe that there would be such a non-relationship as they describe," he said. "I've seen compelling evidence the to contrary.</blockquote> <br /> Upguard says it discovered "a set of sophisticated applications, data management programs, advertising trackers, and information databases that collectively could be used to target and influence individuals through a variety of methods, including automated phone calls, emails, political websites, volunteer canvassing, and Facebook ads."<br /> <br /> The security biz also said it found various credentials, keys, hashes, usernames, and passwords to access AggregateIQ accounts, which would allow hackers who obtained the information to compromise accounts. Vickery clarified that the databases were not directly exposed.<br /> <blockquote class="tr_bq"> These are the tools used to interact with the data," he said. "These aren't the databases themselves.</blockquote> The credentials to access the databases through these tools were available but he said he did not use them – using someone else's credentials to login without authorization carries a potential legal risk.<br /> <br /> But, said Vickery, there's mention of the Republican National Committee and a significant data store. Upguard's post contains a screenshot of an application described at the Database of Truth that combines RNC data with state voter files, consumer data, third party data providers, and other sources of information. In theory, that database could contain information on millions of US voters.<br /> <br /> Vickery said he is considering further posts about his findings but has yet to determine the details.<br /> <br /> Asked whether it is aware of Upguard's findings, a spokesperson for the Office of the Privacy Commissioner of Canada sent in the following statement:<br /> <br /> <blockquote class="tr_bq"> What we can tell you at this point is that we have been in contact with our provincial counterpart in British Columbia, which has been examining matters related to AggregateIQ and our discussions with them are ongoing. We don’t have further information to share at this time.</blockquote> </div>

aggregateiq cambridge analytica Data Leak facebook GitLab Hacking News Source Code US Elections Source Code of Tools used by Cambridge Analytica to hijack Facebook accounts leaked

AggregateIQ – a Canadian political advertising firm that played a role in the 2016 US election and the UK's "Vote Leave" Brexit campaign – left its applications and database credentials publicly accessible, security fir…

Read more »

Multiple Zero-Day Vulnerabilities found in GitLab

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtGtTc2n2dMoS1A8Ytl8OAzmN-_VfghE3I8KAcA2WI7I4kHBGfjS-21GBkR2a4xxZ_92HdxKzQpaOLp83aSpwsnVYx9Z47I7XTh8Sxp379v_F-XXmtaeLcl-BAwLJ2OsSLCaYnFN4511BC/s1600/Zero-Day-in-GitLab.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Domain Hijacking Vulnerability found in GitLab" border="0" data-original-height="545" data-original-width="770" height="449" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtGtTc2n2dMoS1A8Ytl8OAzmN-_VfghE3I8KAcA2WI7I4kHBGfjS-21GBkR2a4xxZ_92HdxKzQpaOLp83aSpwsnVYx9Z47I7XTh8Sxp379v_F-XXmtaeLcl-BAwLJ2OsSLCaYnFN4511BC/s640/Zero-Day-in-GitLab.jpg" title="Domain Hijacking Vulnerability found in GitLab" width="640" /></a></div> <br /> A security researcher hijacked hundreds of GitLab domains in just a few seconds by exploiting a weakness in how the company handles domain verification -- a security issue that the company has now fixed.<br /> <br /> <a href="http://www.hackerschronicle.com/search/label/GitLab" target="_blank">GitLab</a>, a web-based git repository manager that lets developers track and collaborate on source code and project development, also allows users to host their own content and projects with a custom domain name.<br /> <br /> But the company said in a security notification on February 5 that no validation was being performed when a user added a custom domain to their GitLab accounts. In the little time that a custom domain points to a recently deleted or unclaimed GitLab repo that will be added later, the domain can be hijacked.<br /> <br /> Edwin Foudil, known as EdOverflow, and founder of security consulting firm Penultimate, drew inspiration from a bug report submitted on February 1, which contained proof-of-concept code that listed vulnerable custom domains that were pointing to GitLab. GitLab marked the initial report as informative, which according to documentation means it contains "useful information but did not warrant an immediate action or a fix".<br /> <br /> Because GitLab allows pointing an unlimited number of domains for a single repository, Foudil was able to write a short script weaponizing that initial code, allowing him to mass hijack a limitless number of domains. "This resulted in <b>700 hijacked domains and subdomains in under one minute</b>," he told ina interview. Not only that, any hijacked domain is prevented from creating a GitLab repository with that domain.<br /> <br /> That was enough to catch GitLab's attention, with the company confirming that Foudil's "valuable report" was what "triggered our response" in releasing the security notification less than a day later. "I managed to escalate the issue to the point where the issue was in fact caused by GitLab," said Foudil. "GitLab allowed mass monitoring of domains prior to them even pointing to GitLab's IP address."<br /> <br /> <span class="highlight">Foudil's report was publicly released late Wednesday after the company fixed the bug. </span><br /> <br /> Foudil also said the attack isn't just limited to domains that his script could detect. Hijacking domains was as easy as scraping the domain names of thousands of high-ranking sites. Once a domain is taken over, the attacker can serve any content they want on that domain.<br /> <br /> "The <a href="http://www.hackerschronicle.com/search/label/Exploit" target="_blank">exploits </a>are endless," Foudil said. He gave several examples where an attacker can hijack a subdomain to read and set cookies on other basenames. "I can even mine <a href="http://www.hackerschronicle.com/search/label/Cryptocurrency" target="_blank">cryptocurrency</a>," he said.<br /> <br /> Kathy Wang, director of security at GitLab, said in a phone call this week that the company took responsibility for the security issue. She added that the lack of domain verification is "a widespread problem across the industry". "Implementing domain verification is an exception not a rule -- so a lot of vendors have not yet done it," she said.<br /> <br /> GitLab switched off the feature to add custom domains until a fix was made available. The company said it estimates the fix rollout will complete by the end of the month.</div>

DevOps GitLab Hacking News News Vulnerability Zero-Day Multiple Zero-Day Vulnerabilities found in GitLab

A security researcher hijacked hundreds of GitLab domains in just a few seconds by exploiting a weakness in how the company handles domain verification -- a security issue that the company has now fixed. GitLab, a web-b…

Read more »