Cyware Daily Threat Intelligence February 06, 2018

Flash zero-day vulnerability
A zero-day bug, dubbed CVE-2018-4878 have been spotted in Adobe Flash player 28.0.0.137 and earlier versions. By exploiting this flaw, hackers can take control of the system. Researchers at FireEye suspect North Korean hacker groups to be behind the attacks.

Flaws in MyCloud Device
Several security vulnerabilities found in MyCloud personal storage devices have been patched by Western Digital (WD). These issues have been resolved with the release of firmware version 2.30.172. These flaws had the capabilities of allowing unauthorized file deletion, unauthorized command execution, and authentication bypass.

Chrome extension bug
A Chrome extension bug has been detected by Grammarly that allows sites to assume the identity of a user and view their account’s documents. This bug had already been patched. Misconfigured AWS S3 bucket results in data leak
Identities of around 12,000 social media influencers has been leaked online after a misconfigured Amazon Web Services (AWS) S3 cloud storage bucket was left ‘Public’. Real identities, street addresses, apartment numbers, phone numbers, email addresses, and many more details have been exposed.

Sensitive documents found!
Documents marked "For Official Use Only" and "important for national security" have been found on a seat-back pocket of a commercial airplane. The documents detailed responses to a hypothetical anthrax attack at the Super Bowl. Investigation found that these documents were accompanied by the travel itinerary and boarding pass of the government scientist in charge of BioWatch.

MixPanel Analytics collecting password data
MixPanel Analytics recently informed users that it has been unintentionally collected password data, due to a bug introduced in its SDK. Fortunately, less than 25% of users have been affected.