Blog / News, 21 March 2024
Author: Samir Yawar
9 min read

Unsaflok flaw, Grand Prix Phishing Scam, Firebase Password leak make headlines

Here's the list of major cybersecurity incidents that made the news during March 2024.

This week we cover the Unsaflok flaw, a phishing email that targeted fans of the Belgian Grand Prix, and a Firebase password leak that underscores how cybersecurity remains as essential as ever.

News Roundup Mar 22, 2024

Here’s what went down this week:

Hackers unlock millions of hotel room doors with Unsaflok exploit

Researchers have unveiled critical vulnerabilities affecting 3 million Saflok electronic RFID locks utilized across 13,000 hotels and residences worldwide. These flaws, collectively dubbed "Unsaflok," were unearthed by a team comprising Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell, and Will Caruana back in September 2022.

Initially reported by Wired, the researchers participated in an exclusive hacking event held in Las Vegas, where they vied with other teams to identify vulnerabilities within a hotel room and its associated devices. Their focus homed in on dissecting the security of Saflok electronic locks, resulting in the discovery of exploitable flaws capable of granting unauthorized access to any door within the confines of a hotel.

The affected models are used in three million doors on 13,000 properties in 131 countries, and while the manufacturer is actively working to mitigate the flaw, the process is complicated and time-consuming.

[Image: some of the door models affected by the Unsaflok exploit; Unsaflok targets RFID vulnerabilities present in these doors]

The flaw affects multiple Saflok models, including the:

  • Saflok MT

  • Quantum Series

  • RT Series

  • Saffire Series

  • Confidant Series

All these locks are managed by the System 6000 or Ambiance software.

Promptly following their discovery, the researchers communicated their findings to the lock's manufacturer, Dormakaba, in November 2022. This proactive measure allowed Dormakaba to initiate remedial actions and notify affected establishments of the security risk, all while keeping the matter discreetly contained.

However, despite the preemptive efforts, the researchers caution that these vulnerabilities have been latent for over 36 years. While there's no documented evidence of exploitation in the wild, the prolonged exposure duration heightens the risk of potential breaches.

"Although there haven't been any documented instances of real-world exploits leveraging these vulnerabilities, we cannot rule out the possibility that malicious actors may have knowledge of and utilized them," elucidates the Unsaflok team.

Today marks the public disclosure of the Unsaflok vulnerabilities by the researchers, underscoring their widespread impact on nearly 3 million doors fortified with the Saflok system.

Guests who want to check whether the locks on their rooms are vulnerable are encouraged to use the NFC TagInfo app (Android, iOS) to identify their keycard type from their phone.

Belgian Grand Prix email account phished, used to steal banking information from fans

In an alarming development, hackers have seized control of the official contact email for the Belgian Grand Prix event, exploiting it to entice fans with a deceptive offer of a €50 gift voucher.

The Spa Grand Prix, a revered fixture in the Formula 1 World Championship, unfolds annually at the esteemed Circuit de Spa-Francorchamps in Stavelot, Belgium. Scheduled this year between July 26 and 28, the event draws legions of enthusiasts from across the globe, captivated by its storied legacy, formidable circuit layout, and unpredictable weather conditions.

According to the press release by the race organizer, on Sunday, March 17, 2024, malevolent actors commandeered the email account, subsequently dispatching phishing emails to an undisclosed number of recipients.

The fraudulent correspondence purported to offer recipients a €50 voucher redeemable for purchasing tickets to the F1 Grand Prix, enticing them to click on an embedded hyperlink.

Regrettably, the link redirected unsuspecting recipients to a counterfeit website mirroring the appearance of the authentic Spa Grand Prix portal, where they were duplicitously prompted to divulge personal information, including sensitive banking details.

Promptly upon detecting the breach, SPA GP sprang into action, swiftly issuing a series of cautionary emails to its clientele, unequivocally denouncing the prior communication as a phishing scheme and advising against interaction with any embedded links.

Not content with merely reactive measures, SPA GP has also taken proactive steps to address the breach, lodging a formal complaint with the Belgian cyber police on March 18, 2024, signaling its steadfast commitment to safeguarding the integrity of its operations and the security of its patrons.

The organizers also released this statement regarding the phishing attack:

“The criminal investigation currently underway should make it possible to determine the causes and circumstances that led to this situation. For the time being, therefore, we must let the courts do their work while respecting the confidentiality of the investigation.”

Ticket holders who are worried that their data may have been exposed to cybercriminals have been advised to contact SPA GP's secretariat.

Firebase instances leak 19 million plaintext passwords

Three cybersecurity researchers have unveiled a concerning revelation: nearly 19 million plaintext passwords have been laid bare on the public internet due to misconfigurations in instances of Firebase, a prominent Google platform utilized for database hosting, cloud computing, and application development.

Researchers Logykk, xyzeva/Eva, and MrBruh embarked on an extensive exploration, scanning over five million domains. Their investigation unearthed 916 websites belonging to various organizations, either lacking security rules altogether or configured incorrectly.

Within this trove of compromised data, over 125 million sensitive user records were exposed, encompassing a plethora of personal information such as emails, names, passwords, phone numbers, and even billing details, including bank information.

[Image: database with samples of exposed user records | Source: xyzeva]

The researchers' inquiry led them to Firebase instances lacking any security rules, or with improperly configured ones, granting unwarranted read access to databases. Eva, in conversation with BleepingComputer, underscored the prevalence of these security oversights, noting that a significant number of the identified websites also allowed write access, compounding the severity of the situation. Remarkably, among the exposed entities was a banking institution.

To provide a comprehensive assessment of the scope of the breach, Eva's script, Catalyst, systematically inspected each exposed database, extracting a sample of 100 records. These findings were then meticulously cataloged within a private database, painting a stark picture of the extent of sensitive user data left vulnerable due to inadequate security configurations:

  • Names: 84,221,169

  • Emails: 106,266,766

  • Phone Numbers: 33,559,863

  • Passwords: 20,185,831

  • Billing Info (including bank details, invoices, etc.): 27,487,924

The gravity of the situation is compounded by the alarming revelation that a staggering 98% of the exposed passwords, totaling 19,867,627, are stored in plaintext—an egregious lapse in security protocols.

Eva emphasized the perplexing nature of this oversight, noting that Firebase offers a robust end-to-end identity solution, Firebase Authentication, explicitly designed to ensure secure sign-in processes without exposing user passwords in plaintext within records. This underscores the need for organizations to prioritize robust security practices and adhere to industry-standard protocols to mitigate the risk of such breaches in the future.
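As an added example (not from the article, and not the researchers' Catalyst script), the following Python audits two constructed Realtime Database rules documents for the wide-open `.read`/`.write` settings described above, and measures how many records in a constructed export keep passwords in plaintext rather than as a recognised hash. The rules JSON shape, the sample records and the hash-prefix heuristic are assumptions.

```python
import json
import re

# Constructed sample rules (assumed to follow the JSON shape the Firebase
# console exports). OPEN_RULES is the wide-open configuration behind the
# exposed instances; SCOPED_RULES limits each record to its signed-in owner.
OPEN_RULES = json.loads('{"rules": {".read": true, ".write": true}}')
SCOPED_RULES = json.loads("""{"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}""")

# Constructed sample of exported user records (values are made up); only the
# second and third store a password hash rather than the password itself.
SAMPLE_RECORDS = [
    {"email": "a@example.com", "password": "Summer2024!"},
    {"email": "b@example.com", "password": "$2b$12$" + "x" * 53},
    {"email": "c@example.com", "password": "$argon2id$v=19$m=65536,t=3,p=4$abc$def"},
]

# Prefixes of common password-hash encodings (bcrypt, argon2, pbkdf2, sha-crypt)
# or a bare 64-hex digest; anything else is treated as plaintext.
HASH_RE = re.compile(r"^(\$2[aby]\$|\$argon2|\$pbkdf2|\$6\$|\$5\$|[0-9a-f]{64}$)")


def audit_rules(rules, path=""):
    """Walk a rules tree and return (path, message) findings for any
    .read/.write that is granted unconditionally or never checks auth."""
    findings = []
    for key, value in rules.items():
        here = f"{path}/{key}"
        if key in (".read", ".write"):
            text = str(value).strip().lower()
            if text == "false":
                continue  # explicit deny is safe
            if text == "true":
                findings.append((here, "granted to everyone, including unauthenticated clients"))
            elif "auth" not in text:
                findings.append((here, "expression never checks auth"))
        elif isinstance(value, dict):
            findings.extend(audit_rules(value, here))
    return findings


def plaintext_password_ratio(records, field="password"):
    """Fraction of records whose password field is not a recognised hash."""
    values = [r[field] for r in records if field in r]
    if not values:
        return 0.0
    plain = sum(1 for v in values if not HASH_RE.match(str(v)))
    return plain / len(values)
```

The ratio is the same measure the article reports as 98% for the exposed instances; a non-zero value on your own export means the app is storing credentials it should have delegated to Firebase Authentication.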
