AppSec News Roundup for February 2019: Credential stuffing, Facebook CSRF, public APIs, and more

Themen:

13. März. 2019

Here are a handful of the most significant #AppSec news items from February 2019.

More raw material for Credential stuffing attacks are turning up

Some of the major hacks in the last few years that haven’t leaked out are now turning up for sale. An unidentified hacker has released at least 3 rounds of these credentials for sale, with the last round costing about $9350. They have claimed that the databases include credentials for Pizap, who’ve stated that they are not aware of a hack and will investigate immediately.

Credential Stuffing attacks have also continued unabated, impacting Intuit among others. A related incident revealed that the Indian Railways’s IRCTC website was susceptible to brute force attacks.

Meanwhile, IBM’s 2018 data breach study reveals that 74% of Data Breaches start with Privileged Credential Abuse.

Facebook CSRF protection bypass

CSRF, or Cross-Site Request Forgery, may no longer be part of the OWASP Top 10 list, but that does not mean that hackers are not looking to exploit these vulnerabilities. Samm0uda has posted a bug bounty writeup of their bypass of Facebook’s CSRF protection to perform an Account Takeover.

Public Facing APIs reveal a lot of information…including Identity numbers

JonLuca writes about their experiments with exploring the ways various companies perform A/B testing. There a lot of interesting information available, and this is an absolutely fascinating read.

A lot of people are exploring APIs to identify various things, and an ethical hacker discovered what could be a huge data breach of identity numbers from an Indian LPG company.

As we’ve noted earlier, API protection is absolutely a requirement today.

Another month….

And another critical vulnerability in Drupal.

Magecart isn’t going away either, and it’s rapidly evolving. This time it’s the turn of Topps.com. Meanwhile, the group behind the malware is improving it, in a sign that it is extremely effective.

Get protection for websites and applications from cyber-threats with the Barracuda Web Application Firewall. Visit our corporate site here to learn more and get a free 30-day trial.

Tushar Richabadas

Tushar Richabadas ist Senior Product Marketing Manager für Anwendungen und Cloud-Security bei Barracuda. Zuvor war Tushar Product Manager für die Barracuda Web Application Firewall und Barracuda Load Balancer ADC mit den Schwerpunkten Cloud und Automatisierung. Tushar hat als Leiter von Testteams für Netzwerkprodukte und im technischen Marketing für HCL-Cisco bereits viel Arbeitserfahrung gesammelt. Richabadas verfolgt die rasant zunehmenden Auswirkungen der digitalen Sicherheit sehr aufmerksam und setzt sich mit großer Begeisterung für die Vereinfachung der digitalen Sicherheit für alle ein.

Hier können Sie ihn auf LinkedIn kontaktieren.

Den Blog durchsuchen

Der Ransomware Insights Bericht 2025

Wichtige Erkenntnisse über die Erfahrungen und Auswirkungen von Ransomware auf Unternehmen weltweit

Zum Report

Managed Vulnerability Security: Schnellere Behebung von Schwachstellen, weniger Risiken, einfachere Compliance

Erfahren Sie, wie einfach es sein kann, die von Cyberkriminellen bevorzugte Schwachstellen zu finden.

WEBINAR ANSEHEN