(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Enlarge (credit: https://www.youtube.com/watch?v=EcxNHgYUz6s)

A maker of Internet-connected stuffed animal toys has leaked a database of sensitive customer data. The leak includes more than 2 million voice recordings of children and parents, as well as e-mail addresses and password data for more than 800,000 accounts.

The data was left in a publicly available database that wasn't protected by a password, according to a blog post published Monday by Troy Hunt. Hunt maintains Have I Been Pwned?, a website devoted to breach disclosure. He said searches using the Shodan computer search engine and other evidence indicated that, since December 25 and January 8, the customer data was accessed multiple times by multiple parties, including criminals who ultimately held the data for ransom.

The data was exposed by Spiral Toys, maker of the CloudPets line of stuffed animals. The toys record and play voice messages that can be sent over the Internet by parents and children. The MongoDB database of almost 2.2 million voice records was stored by a Romanian company called mReady, which Spiral Toys appears to have contracted with. Hunt said that, on at least four occasions, people attempted to notify the toy maker of the breach. In any event, evidence left behind by the ransom demanders made it almost certain company officials knew of the intrusions.

Read 6 remaining paragraphs | Comments


Enlarge (credit: Ccetsnakebite)

A member of Google's Project Zero security research team has disclosed a high-severity vulnerability in Microsoft's Edge and Internet Explorer browsers that reportedly allows attackers to execute malicious code in some instances.

The vulnerability stems from what's known as a type-confusion bug in Internet Explorer 11 and Microsoft Edge, Project Zero researcher Ivan Fratric said in a report that he sent to Microsoft on November 25 and publicly disclosed on Monday. The disclosure is in line with Google's policy of publishing vulnerability details 90 days after being privately reported. A proof-of-concept exploit Fratric developed points to data stored in memory that he said "can be controlled by an attacker (with some limitations)." Asked by a commenter how easy it would be to bypass security measures designed to prevent code execution, Fratric wrote: "I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn't expect this one to miss the deadline)."

Meanwhile, the National Vulnerability Database entry for the bug, which is indexed as CVE-2017-0037, warned that it "allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a [table-header] element."

Read 8 remaining paragraphs | Comments

Internet Storm Center Infocon Status