hpr-knowledge-base/hpr_transcripts/hpr3821.txt
Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00


Episode: 3821
Title: HPR3821: The Oh No! News.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3821/hpr3821.mp3
Transcribed: 2025-10-25 05:57:57
---
This is Hacker Public Radio Episode 3821 from Monday the 27th of March 2023.
Today's show is entitled The Oh No News.
It is hosted by some guy on the internet and is about 13 minutes long.
It carries a clean flag.
The summary is, Oh No News is Good News.
Hello and welcome to another episode of Hacker Public Radio.
I'm your host, some guy on the internet, also known as Scotty.
And this is The Oh No News.
Oh no!
GoDaddy, the web hosting provider, suffers multiple attacks from an advanced persistent threat. In March of 2020, a phishing attack on an employee resulted in the compromise of login credentials of other employees and approximately 28,000 GoDaddy customers. In November of 2021, attackers stole GoDaddy source code and data related to approximately 1.2 million GoDaddy customers by using compromised credentials, including website admin credentials, SFTP credentials, and private SSL keys. In December of 2022, attackers accessed GoDaddy cPanel hosting servers and installed malware that redirected some customer websites to malicious sites. In short, if you're a GoDaddy customer, you need to start finding some new web hosting services.
For our next story, Chick-fil-A data breach. Chick-fil-A suffered a data breach. It involved the membership numbers, mobile pay numbers, QR codes, last four digits of credit and debit card numbers, credits on Chick-fil-A accounts, birthdays, phone numbers, and any addresses you may have had on file. So if you're a Chick-fil-A customer and you use their apps or anything like that to order your food, you want to go ahead and edit your account, change your password, and possibly simply remove as much of that data from there as you can. Do the same thing for any other restaurant apps and accounts you may use.
For our next article, a new ChatGPT phishing scam for eager investors. This is just an email-based scam, and it's targeting people who are looking to invest in, well, crypto or ChatGPT. This type of phishing scam is targeting basically your name, your date of birth, address, any kind of payment information you're willing to hand over, phone number, contact information like email addresses and things like that. Any financial information you're going to provide, and I believe specifically WhatsApp credentials; I believe that's how they keep in communication with you once the scam begins. So yeah, if you're interested in playing with ChatGPT, just be careful; they're launching new scams surrounding it. For our next article,
Bitwarden flaw can let hackers steal passwords using iframe. A group known as Flashpoint has discovered a weakness in the password manager Bitwarden. But to be fair, it sounds like any password manager can fall for this type of flaw. Quote: "While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction." Close quote.
So the iframe is an HTML object, and here's a little bit of information I dug up from Wikipedia. An iframe, also known as an inline frame, places another HTML document in a frame. Unlike an object element, an iframe can be the target frame for links defined by other elements, and it can be selected by the user agent as the focus for printing, viewing its source, and so on.
Flashpoint points out that if you're using Bitwarden with the autofill feature turned on, Bitwarden will simply fill the fields on the page. Now, if the page was compromised by attackers, the attackers would embed these hidden iframes, and Bitwarden will fill the attackers' fields as well as the legitimate ones. So when the user submits their credentials to the legitimate site, it would also submit the credentials to the attacker, and that's what it boils down to. That's why I'm including any password manager in this, because anyone that uses the autofill feature would allow attackers to also gain access to your credentials by these hidden iframes.
So, long story short, don't use autofill. I know it's a very convenient thing to have where, as soon as you load a page, your password manager, if you're logged in, would automatically fill the fields on the page. If you avoid using that feature, which Bitwarden has disabled by default, you have nothing to worry about; just manually fill the fields that you can see by copying your password and your username and pasting them into the correct field, and you're fine.
I'd also like to include this quick little note I just thought about: this may be more of an accessibility feature, so I understand those who may use this for a benefit, such as being visually impaired; having an automatic feature like this would be helpful. But for now, if you can navigate the page using tabs to get to your credential fields and enter your credentials manually using keyboard shortcuts and tabs, that would be a lot safer for you, even though it might be slightly more inconvenient.
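The autofill exposure described above, as an added example that is not from the episode, Bitwarden or Flashpoint: a toy autofill decision in JavaScript over a constructed page model (the vault entry, URLs and form ids are made up), contrasting a loose base-domain match that fills every form on the page, hidden iframes included, with a policy that only fills forms in the top-level document whose origin exactly matches the stored login.

```javascript
// Added example, not code from the episode, Bitwarden or Flashpoint: a toy
// autofill decision for a password manager, showing why filling every login
// form on a page (iframes included) leaks credentials. Sample data constructed.
// Constructed vault entry: one stored login for login.example.com.
const VAULT = [{ site: "https://login.example.com", user: "alice" }];
// The legitimate site after attackers injected a hidden iframe. Each form
// records the origin of the frame it lives in.
const COMPROMISED_PAGE = {
  url: "https://login.example.com/signin",
  forms: [
    { id: "real-login", frameOrigin: "https://login.example.com" },
    { id: "hidden-iframe-login", frameOrigin: "https://attacker.example.net" },
  ],
};

// A phishing page on another subdomain of the same base domain.
const SUBDOMAIN_PHISH_PAGE = {
  url: "https://evil.example.com/login",
  forms: [{ id: "phish-login", frameOrigin: "https://evil.example.com" }],
};
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Last two labels as the "base domain". A real implementation would consult
// the Public Suffix List; this is enough to show the matching difference.
function baseDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Returns the ids of the forms the manager would fill under the given policy.
function formsToFill(vault, page, policy) {
  const topOrigin = originOf(page.url);
  return page.forms
    .filter((form) =>
      vault.some((cred) => {
        if (policy === "base-domain") {
          // Loose: any form on a page sharing the stored base domain is filled,
          // including forms inside third-party iframes.
          return baseDomain(page.url) === baseDomain(cred.site);
        }
        // Strict: the form must sit in the top-level document and that
        // origin must exactly match the stored login.
        return form.frameOrigin === topOrigin && topOrigin === originOf(cred.site);
      })
    )
    .map((form) => form.id);
}
```

Under the loose policy both the compromised page's hidden iframe form and the subdomain phishing page get filled; under the strict policy only the real login form does.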
A final quote from Flashpoint: "This means an attacker hosting a phishing page under a subdomain that matches the stored login for the given base domain will capture the credentials upon the victim visiting the page with autofill enabled." Close quote.
For our next story, LastPass Security Incident update and recommended actions.
Attackers targeted one of four DevOps engineers with access to the decryption keys needed to access LastPass production cloud storage services. Quote: "This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with multi-factor authentication, and gain access to the DevOps engineer's LastPass corporate vault." Close quote.
The attackers then exported corporate vault entries and shared folders, which contained encrypted secure notes with access to decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups. Yikes!
All right, this summary here, folks: I wouldn't tell you to just switch away from something that you're comfortable with, but if you're using LastPass, it's starting to seem as though it's very difficult for them to get out from underneath this attack, so I believe it's best for you, the user, to move on to a different password manager while LastPass figures out what's happening with their systems. It's not just because of the attack that I'm offering this information to you, this suggestion, because eventually all of these companies, LastPass and any other password managers, they'll all eventually face an advanced persistent threat, and when you have such a threat on you, it's only a matter of time. My advice to move comes because of the policies that LastPass seems to either have a lack of or a lack of enforcement of. It sounds as though the DevOps engineer was using a personal computer instead of a corporate computer to manage all of these secrets, and with a personal computer, I mean, there's no telling where he was getting his software, or he or she, where this engineer was getting their software from, not pointing any fingers at any particular package management system or distribution. However, when you're working with the keys to everyone's kingdom, there should definitely be a division in the hardware as well as the software, and that was not the case here. So until LastPass can prove that they've gotten their act together, policy-wise and procedurally, I believe it is safer for you, the user, to simply move away from this password manager. Here are some options for you; you don't have to select these, but just options that you can look at in the meantime. You can try KeePassXC, Bitwarden, or any of the other open source options that are available to you. Also, you're going to definitely want to go through each of your accounts that you store in LastPass and begin changing all of your passwords for those accounts, as well as updating your multi-factor authentication; any accounts without multi-factor authentication, you definitely want to enable it. Let's switch over to UserSpace.
Flathub has got big plans for 2023. I've been keeping an eye on Flathub, checking out the new beta, and man, I've got some wonderful features coming up. I want you to keep in mind that all of this is just projections of what they're hoping to add. They're planning to add direct uploads, verified apps, and a payment support system for the Flathub website. Right now, the GNOME Foundation is managing the whole thing, and that's a problem for them because of the way the GNOME Foundation is structured. So part of the plan is to establish an independent legal entity to own and operate Flathub. "So far, the GNOME Foundation has acted as an incubator and legal host for Flathub, even though it is not purely a GNOME product or initiative. Distributing software to end users along with processing and forwarding payments and donations also has a different legal profile in terms of risk exposure and nonprofit compliance than the current activities of the GNOME Foundation. Consequently, we plan to establish an independent legal entity in order to operate Flathub, which reduces risk to the GNOME Foundation. This better reflects the independent and cross-desktop interest of Flathub and provides flexibility in the future should we need to change the structure. We're currently in a process of reviewing legal advice to ensure we have the right structure in place before moving forward." Close quote.
The plan is also to raise $250,000 in funding and sponsorships. The Endless Network provided a $100,000 grant toward the infrastructure, legal, and operation costs of running Flathub. In the next round of funding and development: hiring a second full-time staff member in addition to, and I don't want to butcher the name here, there's a name in there, I think I could say the last name, Piotrowski, sorry if I got that wrong, to handle inquiries, reviews, documentation, and partner outreach. The plan will also include establishing governance to oversee the project and starting a Flathub focus group for feedback from devs. Now I also want to talk security just for a moment here; I got a quote for you. "For Flathub to succeed, we need to make sure that as we grow, we continue to be the platform that can give users confidence in the quality and security of the apps we offer. To that end, we are planning to set up infrastructure to help ensure developers are shipping the best products they possibly can to users. For example, we'd like to set up automated linting and security scanning on the Flathub backend to help developers avoid bad practices, unnecessary sandboxing permissions, outdated dependencies, etc., and to keep users informed and as secure as possible." Close quote.
All right, ladies and gentlemen, this concludes another episode of the Oh No News. Let me know what you think about the show notes and everything; I'm playing around with different formats, trying to provide you the most information and not draw out certain articles too long, so the format's constantly being massaged. I'd like to see your comments, maybe do a show as a response, or hit me up over in Matrix. I'm also enlisted on. Thank you guys for coming by HPR. Good day.
You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive, and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International