Attackers with "admin access to a Plex Media Server could abuse the
Camera Upload feature to make the server execute malicious code,"
according to an advisory published by the Plex Security Team in May 2020
when it patched the bug with the release of Plex Media Server
"This could be done by setting the server data directory to overlap
with the content location for a library on which Camera Upload was
enabled. This issue could not be exploited without first gaining access
to the server's Plex account."
We have recently been made aware of a security vulnerability related
to Plex Media Server. This issue allowed an attacker with access to the
server administrator’s Plex account to upload a malicious file via the
Camera Upload feature and have the media server execute it.
"We have not been contacted by LastPass so we cannot speak to the
specifics of their incident. We take security issues very seriously, and
frequently work with external parties who report issues big or small
using our guidelines
and bug bounty program. When vulnerabilities are reported following
responsible disclosure we address them swiftly and thoroughly, and we’ve
never had a critical vulnerability published for which there wasn’t
already a patched version released. And when we’ve had incidents of our
own, we’ve always chosen to communicate them quickly. We are not aware
of any unpatched vulnerabilities, and as always, we invite people to
disclose issues to us following the guidelines linked above. Given
recent articles about the LastPass incident, although we are not aware
of any unpatched vulnerabilities, we have reached out to LastPass to be
According to a person briefed on a private report from LastPass who
spoke on the condition of anonymity, the media software package that was
exploited on the employee’s home computer was Plex. Interestingly, Plex
reported its own network intrusion on August 24, just 12 days after the
second incident commenced.
“Yesterday, we discovered suspicious activity on one of our
databases,” company officials wrote in an email sent to customers. “We
immediately began an investigation and it does appear that a third-party
was able to access a limited subset of data that includes emails,
usernames, and encrypted passwords.”
The email said that the passwords were “hashed and secured in
accordance with best practices,” meaning the passwords were
cryptographically scrambled in a way that requires attackers to devote
additional resources to crack the hashes and revert them back to their
plaintext state. A Plex spokesperson said that the passwords were hashed
using bcrypt, among the strongest algorithms for protecting passwords.
bcrypt automatically applies what's known as cryptographic salting and
peppering to make cracking harder.
** DISPUTED ** KeePass through 2.53 (in a default installation)
allows an attacker, who has write access to the XML configuration file,
to obtain the cleartext passwords by adding an export trigger. NOTE: the
vendor's position is that the password database is not intended to be
secure against an attacker who has that level of access to the local
Because the information is stored in cleartext (i.e., unencrypted),
attackers could potentially read it. Even if the information is encoded
in a way that is not human-readable, certain techniques could determine
which encoding is being used, then decode the information.
Whether you are privacy minded or not, it’s very difficult to be
completely anonymous online. Over the years you might have posted on
social media, downloaded apps, entered competitions or opened accounts
which required details such as your email address, phone number, age,
gender and more.
AES is one of the most widely used symmetric cryptography algorithms
and can be used in several modes such as ECB, CBC, CCM and GCM. Out of
these four modes, YubiHSM 2 now supports three most commonly used modes
What is a Data Breach? A data breach is a security violation, in which
sensitive, protected or confidential data is copied, transmitted,
viewed, stolen, altered or used by an individual unauthorized to do
What is Malware? Malware (a portmanteau for
malicious software) is any software intentionally designed to cause
disruption to a computer, server, client, or computer network, leak
private information, gain unauthorized access to information or systems,
deprive access to information, or which unknowingly interferes with the
user's computer security and privacy.
What is a Payload? In the context of a computer virus or worm, the payload
is the portion of the malware which performs malicious action: deleting
data, sending spam or encrypting data. In addition to the payload, such
malware also typically has overhead code aimed at simply spreading
itself, or avoiding detection.
What is Phishing? Phishing is a form of social
engineering where attackers deceive people into revealing sensitive
information or installing malware such as ransomware. Phishing
attacks have become increasingly sophisticated and often transparently
mirror the site being targeted, allowing the attacker to observe
everything while the victim is navigating the site, and traverse any
additional security boundaries with the victim.
What is a Vulnerability (computing)? Vulnerabilities are flaws in a computer
system that weaken the overall security of the device/system.
Vulnerabilities can be weaknesses in either the hardware itself, or the
software that runs on the hardware.
What is an "Attack Surface"? The attack surface of a software environment is
the sum of the different points (for "attack vectors") where an
unauthorized user (the "attacker") can try to enter data to or extract
data from an environment. Keeping the attack surface as small as
possible is a basic security measure.
What is an "Attack Vector"? In computer security, an attack vector is a
specific path, method, or scenario that can be exploited to break into
an IT system, thus compromising its security. The term was derived from
the corresponding notion of vector in biology. An attack vector may be
exploited manually, automatically, or through a combination of manual
and automatic activity.
Comment #1 posted on 2023-04-14 18:12:39 by brian-in-ohio
Now that's entertaining, I like it!