SN 1071: Bucketsquatting - Meta and TikTok's Tracking Pixels
Steve Gibson and guest host Micah Sargent discuss a critical security flaw in H&R Block's tax software that installs an untrustworthy root certificate with accessible private keys. They also cover 'bucket squatting' - a major vulnerability where attackers hijack abandoned Amazon S3 buckets to compromise software supply chains.
Summary
This episode of Security Now covers several major security issues. The primary concern is H&R Block's Business 2025 tax software, which installs a root certificate authority named 'WK ATX Server Host 2024', valid for 23 years, into users' trusted root stores. Critically, the software also ships the private key for this certificate inside a DLL, so anyone who extracts it can issue certificates for any domain that affected systems will trust, enabling man-in-the-middle attacks. Security researcher Yifan Lu discovered the vulnerability and demonstrated how it could be exploited. Gibson explains that while the software may need a local web server for its interface, there are secure ways to implement this without exposing users to such risks.

The episode also covers 'bucket squatting': researchers at Watchtower Labs found that they could register abandoned Amazon S3 bucket names and then received over 8 million requests from organizations, including government agencies, militaries, and Fortune 500 companies, whose systems were still trying to fetch deleted resources. This is a massive supply chain exposure, since an attacker holding such a bucket could serve malicious updates to critical systems.

Other topics include Intoxalock's ransomware attack affecting breathalyzer calibration systems, Firefox's new built-in VPN feature, extensive data collection by TikTok and Meta tracking pixels beyond traditional analytics, Russia's messaging app restrictions affecting businesses, Cisco's multiple CVSS 10.0 vulnerabilities being exploited by ransomware groups, and listener feedback on coding practices and security observations.
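From the defender's side, the bucket squatting problem described above is a dangling-reference problem: scripts, installers and configs that still point at S3 bucket names the organization no longer holds. The following Python script is an added example, not code from the episode or from Watchtower Labs. It extracts bucket names from text in the three common reference shapes (s3:// URIs, virtual-hosted and path-style URLs), checks them against the set of buckets the organization owns, and uses an injectable existence probe to separate names that are free for anyone to register from names that already belong to someone else. The sample lines, bucket names and the `fake_bucket_exists` probe are constructed for the demo; `head_bucket_via_http` is a hypothetical helper for real use and is not called offline.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Set, Tuple

# An S3 bucket name: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"

# The three ways S3 references usually appear in scripts and configuration files.
BUCKET_PATTERNS = [
    re.compile(r"s3://" + _NAME, re.I),                                                  # s3://bucket/key
    re.compile(r"https?://" + _NAME + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", re.I),  # virtual-hosted URL
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _NAME, re.I),        # path-style URL
]


def extract_bucket_refs(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, bucket_name) for every S3 reference found in text."""
    refs: List[Tuple[int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in BUCKET_PATTERNS:
            for match in pattern.finditer(line):
                refs.append((line_no, match.group(1).lower()))
    return refs


def head_bucket_via_http(bucket: str, timeout: float = 5.0) -> bool:
    """Hypothetical network probe for real use (not called in the offline demo).

    S3 answers a HEAD request with 404 when no bucket of that name exists in any
    account, and with 403 (private) or 200 (public) when one does. Names containing
    dots do not match the wildcard TLS certificate, so those use the path-style URL.
    """
    url = (f"https://s3.amazonaws.com/{bucket}/" if "." in bucket
           else f"https://{bucket}.s3.amazonaws.com/")
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout):
            return True
    except urllib.error.HTTPError as err:
        return err.code != 404


def classify(bucket: str, owned: Set[str], bucket_exists: Callable[[str], bool]) -> str:
    """'owned' is fine. 'exists-not-ours' already belongs to another account (possibly
    a squatter). 'unclaimed' is the dangerous case: anyone can register the name and
    start answering the requests your systems still send to it."""
    if bucket in owned:
        return "owned"
    return "exists-not-ours" if bucket_exists(bucket) else "unclaimed"


def audit_references(text: str, owned: Set[str],
                     bucket_exists: Callable[[str], bool]) -> Dict[str, dict]:
    """Map each referenced bucket to its status and the lines that reference it."""
    report: Dict[str, dict] = {}
    for line_no, bucket in extract_bucket_refs(text):
        if bucket not in report:
            report[bucket] = {"status": classify(bucket, owned, bucket_exists), "lines": []}
        report[bucket]["lines"].append(line_no)
    return report


# Constructed sample: lines from an imaginary deployment script.
SAMPLE_CONFIG = """\
UPDATE_URL=https://acme-installer-files.s3.amazonaws.com/latest/setup.msi
aws s3 cp s3://acme-legacy-artifacts/build.zip ./build.zip
curl -O https://s3.us-east-1.amazonaws.com/acme-config-2019/agent.yaml
BACKUP=s3://acme-prod-backups/
"""

# Constructed: buckets this organization actually holds in its own accounts.
OWNED_BUCKETS = {"acme-installer-files", "acme-prod-backups"}


def fake_bucket_exists(bucket: str) -> bool:
    """Constructed stand-in for head_bucket_via_http so the demo runs offline."""
    return bucket in {"acme-installer-files", "acme-prod-backups", "acme-config-2019"}


if __name__ == "__main__":
    for name, entry in audit_references(SAMPLE_CONFIG, OWNED_BUCKETS, fake_bucket_exists).items():
        print(f"{entry['status']:16} {name}  (lines {entry['lines']})")
```

Anything reported as `unclaimed` is the gap the episode describes: either remove the reference or re-create the bucket in an account you control so the name is held. An `exists-not-ours` result deserves a closer look, because the systems still fetching from it are already trusting whoever holds that name.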
Key Insights
- H&R Block's tax software installs a 23-year root certificate with an accessible private key, creating a massive security vulnerability for millions of users
- The certificate's private key being stored in a DLL file allows anyone to create trusted certificates for any domain, enabling man-in-the-middle attacks
- H&R Block was aware of this security issue through internal assessments but chose not to fix it despite being contacted by security researchers
- Watchtower Labs demonstrated that abandoned Amazon S3 buckets can be hijacked to serve malicious content to automated systems still requesting files
- Over 8 million requests were made to hijacked S3 buckets from government agencies, militaries, and major corporations over just two months
- TikTok and Meta's tracking pixels collect far more data than traditional analytics, including personal information, checkout details, and site architecture
- These tracking pixels can transmit data before consent management systems have time to block them, potentially violating privacy regulations
- Cisco suffered another CVSS 10.0 vulnerability that was exploited as a zero-day for 36 days before patches were available
- The Interlock ransomware group exploited the Cisco vulnerability to compromise enterprise networks through their supposedly secure firewalls
- Amazon has finally introduced account-regional namespaces for S3 buckets to prevent future bucket squatting attacks
- The bucket squatting vulnerability affects any cloud storage provider with global namespaces, not just Amazon S3
- Firefox introduced a built-in VPN service offering 50GB monthly in select countries as browser market share continues to decline
- Intoxalock's ransomware attack left court-mandated breathalyzer users unable to drive when calibration systems went offline
- Gibson argues that security vulnerabilities increasingly stem from poor design decisions rather than just coding bugs
- The proliferation of CVSS 10.0 vulnerabilities in enterprise security products highlights the critical need for defense-in-depth strategies