TechnicalNews

SN 1071: Bucketsquatting - Meta and TikTok's Tracking Pixels

Security Now (Audio)2h 47m

Steve Gibson and guest host Micah Sargent discuss a critical security flaw in H&R Block's tax software that installs an untrustworthy root certificate with accessible private keys. They also cover 'bucket squatting' - a major vulnerability where attackers hijack abandoned Amazon S3 buckets to compromise software supply chains.

Summary

This episode of Security Now covers several major security issues. The primary concern is H&R Block's Business 2025 tax software, which installs a root certificate authority called 'WK ATX Server Host 2024' with a 23-year expiration date into users' trusted root stores. Critically, the software also includes the private key for this certificate in a DLL file, allowing anyone to create trusted certificates for any domain and potentially conduct man-in-the-middle attacks on affected systems. Security researcher Yifan Lu discovered this vulnerability and demonstrated how it could be exploited. Gibson explains that while the software might need local web server capabilities for its interface, there are secure ways to implement this without exposing users to such risks. The episode also covers 'bucket squatting,' where researchers at Watchtower Labs discovered they could register abandoned Amazon S3 buckets and received over 8 million requests from various organizations including government agencies, militaries, and Fortune 500 companies still trying to access deleted resources. This represents a massive supply chain vulnerability where attackers could serve malicious updates to critical systems. Other topics include Intoxalock's ransomware attack affecting breathalyzer calibration systems, Firefox's new built-in VPN feature, extensive data collection by TikTok and Meta tracking pixels beyond traditional analytics, Russia's messaging app restrictions affecting businesses, Cisco's multiple CVSS 10.0 vulnerabilities being exploited by ransomware groups, and various listener feedback on coding practices and security observations.

About this episode

<p>When convenience trumps caution, disaster waits in the wings. Join Steve Gibson and Mikah Sargent as they break down the jaw-dropping oversights lurking in mission-critical tax and cloud tools, and examine how a single unchecked decision can upend internet security for years.</p><ul> <li>H&amp;R Block's tax software does something SO WRONG.</li> <li>The Intoxalock breathalyzer calibration cyber attack.</li> <li>Firefox now offers a 100% free built-in VPN.</li> <li>TikTok and Meta's tracking pixels are so much more.</li> <li>Russians beg for the return of Telegram, WhatsApps and others.</li> <li>Never connect your crypto-wallet to an unknown service.</li> <li>What would a week be without a Cisco CVSS of 10.0.</li> <li>Ubiquiti patches a 10.0 critical flaw.</li> <li>Listener feedback and...</li> <li>What's "Bucketsquatting" and what can be done to prevent it</li></ul> <p>Show Notes - <a href="https://www.grc.com/sn/SN-1071-Notes.pdf">https://www.grc.com/sn/SN-1071-Notes.pdf</a></p> <p><strong>Hosts:</strong> <a href="https://twit.tv/people/steve-gibson">Steve Gibson</a> and <a href="https://twit.tv/people/mikah-sargent">Mikah Sargent</a></p> <p>Download or subscribe to <em>Security Now</em> at <a href="https://twit.tv/shows/security-now">https://twit.tv/shows/security-now</a>.</p> <p>You can submit a question to <em>Security Now</em> at the <a href="https://www.grc.com/feedback.htm" target="_blank">GRC Feedback Page</a>.</p> <p>For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: <a href="https://www.grc.com/securitynow.htm" target="_blank">grc.com</a>, also the home of the best disk maintenance and recovery utility ever written <a href="https://www.grc.com/sr/spinrite.htm" target="_blank">Spinrite 6</a>.</p> <p><strong>Join Club TWiT for Ad-Free Podcasts!</strong><br /> Support what you love and get ad-free audio <em>and</em> video feeds, a members-only Discord, and exclusive content. Join today: <a href="https://twit.tv/clubtwit" rel="payment">https://twit.tv/clubtwit</a></p> <p><strong>Sponsors:</strong><ul> <li><a href="http://hoxhunt.com/securitynow" rel="sponsored" target="_blank">hoxhunt.com/securitynow</a></li> <li><a href="http://guardsquare.com" rel="sponsored" target="_blank">guardsquare.com</a></li> <li><a href="http://outsystems.com/twit" rel="sponsored" target="_blank">outsystems.com/twit</a></li> <li><a href="http://zscaler.com/security" rel="sponsored" target="_blank">zscaler.com/security</a></li> </ul></p>

Key Insights

  • H&R Block's tax software installs a 23-year root certificate with an accessible private key, creating a massive security vulnerability for millions of users
  • The certificate's private key being stored in a DLL file allows anyone to create trusted certificates for any domain, enabling man-in-the-middle attacks
  • H&R Block was aware of this security issue through internal assessments but chose not to fix it despite being contacted by security researchers
  • Watchtower Labs demonstrated that abandoned Amazon S3 buckets can be hijacked to serve malicious content to automated systems still requesting files
  • Over 8 million requests were made to hijacked S3 buckets from government agencies, militaries, and major corporations over just two months
  • TikTok and Meta's tracking pixels collect far more data than traditional analytics, including personal information, checkout details, and site architecture
  • These tracking pixels can transmit data before consent management systems have time to block them, potentially violating privacy regulations
  • Cisco suffered another CVSS 10.0 vulnerability that was exploited as a zero-day for 36 days before patches were available
  • The Interlock ransomware group exploited the Cisco vulnerability to compromise enterprise networks through their supposedly secure firewalls
  • Amazon has finally introduced account-regional namespaces for S3 buckets to prevent future bucket squatting attacks
  • The bucket squatting vulnerability affects any cloud storage provider with global namespaces, not just Amazon S3
  • Firefox introduced a built-in VPN service offering 50GB monthly in select countries as browser market share continues to decline
  • Intoxalock's ransomware attack left court-mandated breathalyzer users unable to drive when calibration systems went offline
  • Gibson argues that security vulnerabilities increasingly stem from poor design decisions rather than just coding bugs
  • The proliferation of CVSS 10.0 vulnerabilities in enterprise security products highlights the critical need for defense-in-depth strategies

Topics

H&R Block Certificate VulnerabilityBucket SquattingSupply Chain SecurityAmazon S3 SecurityTracking PixelsCisco VulnerabilitiesRansomware Attacks

Transcript

Coming up on Security Now, Steve Gibson is here and I am filling in for Leo Laporte. Kick off the show with H&R Block's tax software. Well, it's doing something pretty wild and Steve has a suggested fix for it. We also talk about what happens when breathalyzer firmware needs to be calibrated. Plus, Russians want Telegram and WhatsApp to return to Russia. And very important, we finally learn what bucket squatting means and what can be done to fix it. All of that plus so much more coming up on Security Now. Podcasts you love. From people you trust. This is Twit. This is Security Now, episode 1071 with Steve Gibson and me, Micah Sargent. Recorded Tuesday, March 24th,…

Full transcript available for MurmurCast members

Sign Up to Access

More from Security Now (Audio)

Get AI summaries like this delivered to your inbox daily

Get AI summaries delivered to your inbox

MurmurCast summarizes your YouTube channels, podcasts, and newsletters into one daily email digest.