Skip navigation
About Duo
Blog
Careers   Now Hiring!
Admin Login

Categories & Archive

duo labs
Vikas Kumar

The Weekly Ink #3

Duo Labs

THE WEEKLY INK

Hi, everyone! We're excited to announce a new series on our blog called *The Weekly Ink*.

The Weekly Ink is a summary of the top security content of the week injected with our own pointed opinions, and will be posted to our blog...well, weekly.

The Weekly Ink started as an internal newsletter at Duo, but we figured it would be worthwhile to share our pseudo-intelligence, attempted humor, and snark with everyone. We hope you agree.

The Weekly Ink is brought to you by Duo Labs, the advanced research team at Duo Security. Keep an eye out for more from Duo Labs in the coming weeks!

-Jon Oberheide, CTO, and the Duo Labs team

This week's installment includes stories submitted by Vikas Kumar, Duo Labs Intern.

Tweetdeck Suffers From a Huge XSS Vulnerability

Tweetdeck was found to have a serious XSS vulnerability which allows users to inject javascript into their tweets. For example, the tweet below caused anyone who saw it within Tweetdeck to see a popup window and automatically retweet that tweet.

Script Tweet

This is not the first time tweetdeck has had an xss vulnerability either... A very similar bug was found in 2011.

Hackers Demand €30,000 From Domino's to Not Leak 600,000 Customer Details

A few days ago, Domino's Pizza of France and Belgium was breached. Soon after, the hacker group RexMundi claimed responsibility and posted details of the breach. They claimed to have taken over 592,000 customer records including customers' full names, addresses, phone numbers, email addresses, passwords, delivery options and their favorite pizza topping. They originally demanded a payment of €30,000 by 8pm Monday (June 16th) or they would publish the information. Dominos refused to comply.

On Tuesday, at around 5am, they extended the deadline: "If @dominos_pizzafr doesn't pay us tomorrow and we publish your data, u have the right to sue them. Speak to yr lawyer!". Dominos' French CEO stated that they would not pay the ransom demanded. RexMundi has not yet leaked any customer data... This is not the first time RexMundi has demanded a fee to prevent a customer database leak. In 2012, they demanded between 15k and 20k from AmericCash. That company did not pay, and RexMundi did leak the customer data. We have yet to see if RexMundi will do the same now.

LinkedIn Susceptible to Easy MITM Attack

When you log into LinkedIn.com, it sends your username and password over https (basically stuff is encrypted), which is well and good. However, after you are authenticated, it redirects you to http (unencrypted communication) where anyone on your local network can access your account by stealing your cookies. Here's how it works:
  1. User logs in to https://www.linkedin.com
  2. LinkedIn sends back authentication results
  3. Evil person listens in on packets being sent and steals authenticated session cookies
  4. Evil person logs in and changes every picture of User to a picture of Nicholas Cage
  5. ?????
  6. Profit

If you missed our other Weekly Inks, check out:
The Weekly Ink #1
The Weekly Ink #2