SN 1071: Bucketsquatting - Meta and TikTok's Tracking Pixels
Steve Gibson and guest host Micah Sargent discuss a critical security flaw in H&R Block's tax software that installs an untrustworthy root certificate with accessible private keys. They also cover 'bucket squatting' - a major vulnerability where attackers hijack abandoned Amazon S3 buckets to compromise software supply chains.
Summary
This episode of Security Now covers several major security issues. The primary concern is H&R Block's Business 2025 tax software, which installs a root certificate authority called 'WK ATX Server Host 2024' with a 23-year expiration date into users' trusted root stores. Critically, the software also includes the private key for this certificate in a DLL file, allowing anyone to create trusted certificates for any domain and potentially conduct man-in-the-middle attacks on affected systems. Security researcher Yifan Lu discovered this vulnerability and demonstrated how it could be exploited. Gibson explains that while the software might need local web server capabilities for its interface, there are secure ways to implement this without exposing users to such risks. The episode also covers 'bucket squatting,' where researchers at Watchtower Labs discovered they could register abandoned Amazon S3 buckets and received over 8 million requests from various organizations including government agencies, militaries, and Fortune 500 companies still trying to access deleted resources. This represents a massive supply chain vulnerability where attackers could serve malicious updates to critical systems. Other topics include Intoxalock's ransomware attack affecting breathalyzer calibration systems, Firefox's new built-in VPN feature, extensive data collection by TikTok and Meta tracking pixels beyond traditional analytics, Russia's messaging app restrictions affecting businesses, Cisco's multiple CVSS 10.0 vulnerabilities being exploited by ransomware groups, and various listener feedback on coding practices and security observations.
About this episode
<p>When convenience trumps caution, disaster waits in the wings. Join Steve Gibson and Mikah Sargent as they break down the jaw-dropping oversights lurking in mission-critical tax and cloud tools, and examine how a single unchecked decision can upend internet security for years.</p><ul> <li>H&R Block's tax software does something SO WRONG.</li> <li>The Intoxalock breathalyzer calibration cyber attack.</li> <li>Firefox now offers a 100% free built-in VPN.</li> <li>TikTok and Meta's tracking pixels are so much more.</li> <li>Russians beg for the return of Telegram, WhatsApps and others.</li> <li>Never connect your crypto-wallet to an unknown service.</li> <li>What would a week be without a Cisco CVSS of 10.0.</li> <li>Ubiquiti patches a 10.0 critical flaw.</li> <li>Listener feedback and...</li> <li>What's "Bucketsquatting" and what can be done to prevent it</li></ul> <p>Show Notes - <a href="https://www.grc.com/sn/SN-1071-Notes.pdf">https://www.grc.com/sn/SN-1071-Notes.pdf</a></p> <p><strong>Hosts:</strong> <a href="https://twit.tv/people/steve-gibson">Steve Gibson</a> and <a href="https://twit.tv/people/mikah-sargent">Mikah Sargent</a></p> <p>Download or subscribe to <em>Security Now</em> at <a href="https://twit.tv/shows/security-now">https://twit.tv/shows/security-now</a>.</p> <p>You can submit a question to <em>Security Now</em> at the <a href="https://www.grc.com/feedback.htm" target="_blank">GRC Feedback Page</a>.</p> <p>For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: <a href="https://www.grc.com/securitynow.htm" target="_blank">grc.com</a>, also the home of the best disk maintenance and recovery utility ever written <a href="https://www.grc.com/sr/spinrite.htm" target="_blank">Spinrite 6</a>.</p> <p><strong>Join Club TWiT for Ad-Free Podcasts!</strong><br /> Support what you love and get ad-free audio <em>and</em> video feeds, a members-only Discord, and exclusive content. Join today: <a href="https://twit.tv/clubtwit" rel="payment">https://twit.tv/clubtwit</a></p> <p><strong>Sponsors:</strong><ul> <li><a href="http://hoxhunt.com/securitynow" rel="sponsored" target="_blank">hoxhunt.com/securitynow</a></li> <li><a href="http://guardsquare.com" rel="sponsored" target="_blank">guardsquare.com</a></li> <li><a href="http://outsystems.com/twit" rel="sponsored" target="_blank">outsystems.com/twit</a></li> <li><a href="http://zscaler.com/security" rel="sponsored" target="_blank">zscaler.com/security</a></li> </ul></p>
Key Insights
- H&R Block's tax software installs a 23-year root certificate with an accessible private key, creating a massive security vulnerability for millions of users
- The certificate's private key being stored in a DLL file allows anyone to create trusted certificates for any domain, enabling man-in-the-middle attacks
- H&R Block was aware of this security issue through internal assessments but chose not to fix it despite being contacted by security researchers
- Watchtower Labs demonstrated that abandoned Amazon S3 buckets can be hijacked to serve malicious content to automated systems still requesting files
- Over 8 million requests were made to hijacked S3 buckets from government agencies, militaries, and major corporations over just two months
- TikTok and Meta's tracking pixels collect far more data than traditional analytics, including personal information, checkout details, and site architecture
- These tracking pixels can transmit data before consent management systems have time to block them, potentially violating privacy regulations
- Cisco suffered another CVSS 10.0 vulnerability that was exploited as a zero-day for 36 days before patches were available
- The Interlock ransomware group exploited the Cisco vulnerability to compromise enterprise networks through their supposedly secure firewalls
- Amazon has finally introduced account-regional namespaces for S3 buckets to prevent future bucket squatting attacks
- The bucket squatting vulnerability affects any cloud storage provider with global namespaces, not just Amazon S3
- Firefox introduced a built-in VPN service offering 50GB monthly in select countries as browser market share continues to decline
- Intoxalock's ransomware attack left court-mandated breathalyzer users unable to drive when calibration systems went offline
- Gibson argues that security vulnerabilities increasingly stem from poor design decisions rather than just coding bugs
- The proliferation of CVSS 10.0 vulnerabilities in enterprise security products highlights the critical need for defense-in-depth strategies
Topics
Transcript
Coming up on Security Now, Steve Gibson is here and I am filling in for Leo Laporte. Kick off the show with H&R Block's tax software. Well, it's doing something pretty wild and Steve has a suggested fix for it. We also talk about what happens when breathalyzer firmware needs to be calibrated. Plus, Russians want Telegram and WhatsApp to return to Russia. And very important, we finally learn what bucket squatting means and what can be done to fix it. All of that plus so much more coming up on Security Now. Podcasts you love. From people you trust. This is Twit. This is Security Now, episode 1071 with Steve Gibson and me, Micah Sargent. Recorded Tuesday, March 24th,…
Full transcript available for MurmurCast members
Sign Up to AccessMore from Security Now (Audio)
SN 1086: The Apex Agentic Adversary - Visual Prompt Injection Strikes
Security Now episode 1086 covers Fable 5's degraded performance due to strict safety guardrails, Chrome 150's massive 433 security fixes, visual prompt injection attacks (Inkjet), and severe FATFS library vulnerabilities affecting millions of embedded devices. The episode explores how AI is transforming both offensive and defensive cybersecurity capabilities.
SN 1085: A SOTA State-Sponsored Campaign - AI's New Superpower: Loop Engineering
Security Now Episode 1085 covers Windows 10 receiving another year of extended support, Meta's employee surveillance program backfiring with exposed data, state-sponsored credential attacks on Fortinet devices affecting 86,000+ organizations globally, and AI's emerging capability to discover vulnerabilities at scale through iteration and looping techniques.
SN 1081: AI Captured the Flag - Personal AI: Productivity Superpower or Privacy Threat?
The podcast discusses the significant impact of AI on cybersecurity practices and Capture the Flag (CTF) competitions, noting a shift in the ability to solve challenges using AI tools. This transition raises concerns about the future of skill measurement in the cybersecurity field, as traditional CTF competitions are being undermined by AI's capabilities.
SN 1076: FAST16.SYS - Unmasking the NSA's Most Diabolical Digital Sabotage
Security Now episode 1076 covers the discovery of FAST16.SYS, a sophisticated NSA-linked kernel rootkit from 2005 that subtly corrupted physics and engineering calculation software — predating Stuxnet by five years. The episode also covers a Bitwarden CLI supply chain attack, Iranian router malfunctions before the US/Israeli strikes, Meta's employee activity logging for AI training, and Steve Gibson's GRC e-commerce system rewrite.
SN 1075: Yes. Exactly. - The Zero-Day Ticking Clock
Security Now episode 1075 discusses the growing threat of AI-powered vulnerability discovery, particularly Anthropic's Project Mythos, which Mozilla confirmed found 271 bugs in Firefox. The episode also covers a disgruntled researcher publishing Windows zero-days, Microsoft's record bug bounty payouts, and a formal industry-wide warning signed by top cybersecurity leaders urging immediate action.