Subaru, Mastercard, TikTok and Roundup

Introduction

Kyle Fox back again with three stories and a roundup from the past week. First we see a repeat of the Kia telematics story, this time with Subaru, then an underreported DNS issue at Mastercard, and finally the bookend to Arvin's writeup on the TikTok ban: the TikTok unban. This week also includes a roundup with some major stories in it, so be sure to check that out.


Subaru Starlink Discoveries

This week, Sam Curry and team discovered much the same vulnerabilities in Subaru Starlink as they had found in Kia's backend this previous September. As legacy automotive companies push to support connected services in their vehicles, they are increasingly turning to contractors or standing up new software teams internally. Without the institutional knowledge of a traditional software company, and without management that prioritizes security in these new initiatives, they are building software and systems that are vulnerable not just in the literal sense of bugs in a website but in an architectural sense. Dealers probably should not be able to administer any vehicle in the Subaru global fleet without any restrictions.


Mastercard DNS Problem Hints at Past Exploitation

Security researcher Philippe Caturegli discovered a typo in the DNS name server list for az.mastercard.com: instead of the Akamai DNS server address a22-65.akam.net, it pointed at a22-65.akam.ne, a host under the then-non-existent domain akam.ne, which would need to be registered in the West African country of Niger. Philippe proceeded to register this domain, which took a while and $300. Through the DNS traffic sent to it he observed queries not only for Mastercard but for other domains that presumably had similar typos in their DNS configuration.

Where this gets interesting is that after being notified, Mastercard said the misconfiguration did not pose any security risk, so Philippe posted a summary on his LinkedIn blog. After posting this, he was notified by Bugcrowd that Mastercard had made a complaint about his post through the platform, claiming it violated the responsible disclosure guidelines. Philippe acknowledges having a Bugcrowd account, but he had never participated in Mastercard's bug bounty program, nor was any communication about this issue done through the platform.

Finally, Philippe noted that the domain akam.ne had previously been registered by a user with a Russian email address, much like the DNS typo-squatting observed in a 2017 report (PDF warning) that one of its authors linked to in a comment on Philippe's post.
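The defender's takeaway from the Mastercard story is that a single-character typo in an NS delegation is easy to miss by eye and easy to catch by script. The following is an added example (not code from the post or from the researcher) of an audit that takes a zone's NS host names and flags any whose registrable domain is not an expected DNS provider, distinguishing near-miss typos from genuinely unexpected providers. The sample NS list and the expected provider set are constructed for illustration; a real audit would feed in NS records pulled with a resolver such as dnspython, and the two-label "registrable domain" rule is a simplification that ignores public-suffix cases like co.uk.

```python
"""Audit NS delegations for provider-domain typos.

Added example. SAMPLE_NS and EXPECTED_PROVIDERS are constructed sample data,
not the real Mastercard/Akamai records; a22-65.akam.ne mirrors the kind of
single-character slip (.ne instead of .net) the post describes.
"""
from difflib import SequenceMatcher

# Constructed sample: the NS set an auditor pulled for one zone.
SAMPLE_NS = [
    "a1-67.akam.net.",
    "a7-64.akam.net.",
    "a22-65.akam.ne.",        # typo: .ne (Niger ccTLD) instead of .net
    "ns1.example-dns.org.",   # a provider nobody authorised
]

# Provider domains this organisation actually uses (assumption for the example).
EXPECTED_PROVIDERS = {"akam.net"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a host name.

    Simplified on purpose: it ignores public-suffix rules (co.uk etc.), which is
    fine for provider names such as akam.net but should be replaced with a
    public-suffix-list lookup in production.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def audit_ns(ns_records, expected_providers, threshold: float = 0.8):
    """Classify each NS host as 'ok', 'likely_typo' or 'unexpected'.

    A host whose registrable domain is not in expected_providers but is very
    close to one of them (similarity >= threshold) is reported as a likely
    typo, because that is exactly the dangling-delegation case an attacker can
    register. Returns a list of (hostname, verdict, closest_expected) tuples.
    """
    findings = []
    for host in ns_records:
        dom = registrable_domain(host)
        if dom in expected_providers:
            findings.append((host, "ok", dom))
            continue
        closest = max(expected_providers, key=lambda e: similarity(dom, e))
        verdict = "likely_typo" if similarity(dom, closest) >= threshold else "unexpected"
        findings.append((host, verdict, closest))
    return findings


def problems(findings):
    """Return only the entries that need a human to look at them."""
    return [f for f in findings if f[1] != "ok"]


if __name__ == "__main__":
    for host, verdict, closest in audit_ns(SAMPLE_NS, EXPECTED_PROVIDERS):
        print(f"{host:28} {verdict:12} (closest expected: {closest})")
```

Run against a real zone, the "likely_typo" verdict is the one to treat as urgent: if the mistyped domain is unregistered, anyone can register it and start receiving a share of the zone's resolution traffic, which is what the registration of akam.ne demonstrated.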


TikTok Unbanned?

After shutting down in the US, TikTok has secured a promise from the incoming administration that it will not enforce the ban. The service returned to the United States late on Sunday, but there are still issues with availability in app stores. It is not clear what will happen with the platform. A large number of potential suitors have been named in the media, including but not limited to Microsoft, Oracle, Perplexity, Elon Musk, Frank McCourt, and even MrBeast.


Roundup

Published Jan 28, 2025
Version 1.0