Episode 89: Shopify Rogue Employees, Medium and Twitter Vulnerabilities, and Hackers Hiding Out in Corporate Networks

Shopify reports that two rogue employees stole data from 200 merchants on their platform. A security researcher found a vulnerability in the Medium Partner Program could have allowed an attacker to steal writers’ earnings. Symantec reports that a state-sponsored hacking group has been hiding out in company networks as a part of an information-stealing campaign. And Twitter reports that an API bug exposed app keys and tokens via a caching issue.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Shopify Says ‘Rogue’ Employees Stole Data From Merchants
1:15 Flaw in Medium Partner Program allowed attackers to steal writers’ earnings
2:18 Hackers have spent months hiding out in company networks undetected
4:17 Twitter Warns Developers of API Bug That Exposed App Keys, Tokens

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 89 Transcript

Scott Miller:
Welcome back, everybody. It’s Scott from Wordfence. You’re listening to Think Like a Hacker, the weekly podcast about WordPress, security, and innovation. Let’s take a look into this week’s stories.

In our first story this week, rogue employees at Shopify have reportedly accessed and exposed personal details of Shopify customers. A recent report shows that the incident occurred on September 15th when the personal details of Shopify customers were stolen and exposed. The exposed data included order details, addresses, names, and email addresses and was stolen by two employees from over 100 merchants.

The employees who were part of Shopify’s support team were said to be involved in a scheme to obtain this information, which Shopify noted affected fewer than 200 sellers. So, now Shopify is working with the FBI and other agencies after terminating the two employees’ access to their systems. Shopify also mentioned that while customer data was exposed, including order details, addresses, names, email addresses, no sensitive, personal or financial information was exposed in the incident.

In our next story this week, a flaw in the Medium Partner Program left writers earnings exposed. Hackers were able to potentially steal Medium writer’s engagement earnings due to a vulnerability in session cookies. This is a program for select writers to earn money monthly while writing and publishing on Medium. And it’s based on the number of readers and subscribers who access their work.

Mohammad-Ali Bandzar found that Medium would embed any user ID cookie value that you transmitted. The fact that Medium did not validate the user’s logged-in session meant that the submitted user ID was blindly accepted and thought to be correct. Bandzar mentioned that this flaw was very easy to exploit and the amount of money that attackers could have stolen while potentially being undetected had no ceiling at the time. Bandzar also received his first bug bounty for finding this issue and was rewarded $250.

Our next story takes a look at the espionage group Palmerworm and how they’ve remained undetected in information stealing campaigns. New malware is being used to infiltrate organizations in the US, Japan, Taiwan and China, where the group known as Palmerworm have infiltrated multiple organizations related to media, finance, and engineering. This group is focused on stealing company information and have recently begun targeting US-based companies as well. Palmerworm, or BlackTech, as they’re sometimes called were able to go unrecognized on some networks for a year or more while covering their tracks and making it more difficult for companies to trace their steps. It was mentioned that the attackers have previously gained entry via spear phishing email attacks. However, it has not been confirmed how access has been gained in the latest round of attacks. So, the group has been around since 2013 and used network reconnaissance tools to gain access and steal information.

The group then utilizes stolen code signing certificates within their malware to further go undetected. They then use backdoors to maintain access to the networks. The cyber security company Symantec have identified victims of the Palmerworm attacks, however, are not sure who the group is working for. It was mentioned that it is likely that the group is still undetected on some networks and that they still remain a threat. It is best that organizations know their usual server activity and what it looks like in order to identify changes, which may be related to a breach in their security. These sorts of attacks typically involve multiple events and tools and may show activity over a long period of time, rather than a single event. Be sure that you’re regularly monitoring your server and network activity to better be able to identify anomalies, which may relate to unauthorized activity.

And our last story for this week, Twitter warns of a caching issue that could have led to developers exposing API keys and tokens. So, the bug was a caching issue affecting the site, developer.twitter.com. And it could have led to exposure of credentials and other sensitive information. The developer site is a hub for users who create applications for Twitter.

Upon visiting the site, information was temporarily stored in browser cache relating to the developer’s application. The attack is said to be difficult to carry out for a few reasons. First, an attacker would need to use a device just after the developer used the device. And second, they would have needed to have access to developer.twitter.com site and used the sensitive information which would have then been stored in the browser cache as mentioned. Depending on the submitted information by the developer, an attacker could have access to the developer’s API keys, the user access token, and the secret for the developer account. Twitter has since fixed the issue with the cache by changing what is able to be stored regarding sensitive information.

Though, the information that could have been accessed is critical and sensitive to developers, Twitter has mentioned that there is no evidence that the developer app keys were compromised and that it is highly unlikely anyone’s credentials were compromised without their knowledge. Twitter mentioned as a part of their statement, “If you used a shared computer to visit developer.twitter.com with a logged in Twitter account, we recommend that you regenerate your app keys and tokens.” That’s all for this week on Think Like a Hacker. I hope the news found your well, check out wordfence.com for our blog and mailing list to stay up to date with all the latest security news. Until next time, I hope you have a great weekend and thanks for listening. We’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.