Hackers expose data of 2.6 million Duolingo users

Duolingo is one of the largest language learning sites in the world, with over 75 million monthly users worldwide. The scraped data of 2.6 million people, which was on sale in January 2023 with a starting price of $1,500, is now available on the cybercrime marketplace BreachForums for just 8 credits, worth $2.13.

The shared data contains email addresses, usernames, names, phone numbers, information about social networks, and other generic info such as language studies, experience, progress and achievements.

This data was scraped using an exposed application programming interface (API). The API allows anyone to submit a username and retrieve the user’s public profile information. However, it is also possible to feed an email address into the API and confirm whether it is associated with a valid Duolingo account. Scrapers can feed millions of email addresses, likely exposed in previous data breaches, into the API and confirm which of them belong to Duolingo accounts. These email addresses can then be used to build the dataset containing both public and non-public information.

Read more about it here.

The world’s most popular websites lack basic cybersecurity hygiene

The world’s most popular websites lack basic cybersecurity hygiene, an investigation by Cybernews shows.

The Cybernews research team has deep-dived into an issue that’s quite often overlooked by developers – HTTP security headers. They have analyzed the top 100 most visited websites, including Facebook, Pinterest, IMDB, PayPal, Wikipedia, and AliExpress.

The conclusion? Many developers of the most popular websites could enhance their cybersecurity practices. So as not to give threat actors any ideas, the actual websites that need some work have been omitted.

HTTP security headers are instructions on how the web browser should interact with the webpage. HTTP security headers are mostly useful against client-side attacks, which aim to exploit security flaws in code running on the user’s device to gain unauthorized access, steal information, and perform other malicious activities. These include:

  • X-Frame-Options
  • Content-Security-Policy (CSP)
  • Referrer-Policy
  • Permissions-Policy
  • X-Content-Type-Options
  • Strict-Transport-Security (HSTS)
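As an added illustration (not part of the Cybernews investigation or this article), the following script checks a response's headers for the six controls listed above and flags weak values; the thresholds it applies and the sample headers it runs against are constructed for the example.

```python
"""Audit one HTTP response's security headers for the six controls named above."""
import re

# The six headers the Cybernews study looked at (checks below are this example's own rubric).
REQUIRED = [
    "X-Frame-Options",
    "Content-Security-Policy",
    "Referrer-Policy",
    "Permissions-Policy",
    "X-Content-Type-Options",
    "Strict-Transport-Security",
]

def _weakness(name, value):
    """Return a reason string if the header's value is weak, else None."""
    v = value.strip().lower()
    if name == "X-Frame-Options" and v not in ("deny", "sameorigin"):
        return "value must be DENY or SAMEORIGIN"
    if name == "Content-Security-Policy":
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            return "policy allows unsafe-inline or unsafe-eval"
        if "default-src" not in v and "script-src" not in v:
            return "policy sets neither default-src nor script-src"
    if name == "Referrer-Policy" and v in ("unsafe-url", "no-referrer-when-downgrade"):
        return "policy leaks full URLs cross-origin"
    if name == "X-Content-Type-Options" and v != "nosniff":
        return "value must be nosniff"
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:  # one year, a common baseline
            return "max-age missing or shorter than one year"
    return None

def audit_security_headers(headers):
    """Return {'missing': [...], 'weak': {name: reason}} for a header mapping.
    Header names are matched case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing, weak = [], {}
    for name in REQUIRED:
        value = lower.get(name.lower())
        if value is None:
            missing.append(name)
        elif (reason := _weakness(name, value)):
            weak[name] = reason
    return {"missing": missing, "weak": weak}

# Constructed sample response headers (not taken from any real site):
SAMPLE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=86400",
    "x-content-type-options": "nosniff",
}

if __name__ == "__main__":
    print(audit_security_headers(SAMPLE))
```

Feeding the function the headers of a real response (for instance `dict(requests.head(url).headers)`) turns it into a quick self-check for your own sites.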

Read more about it here.

OWASP Top 10 for LLM (Large Language Model) applications is published

The Open Worldwide Application Security Project (OWASP) has recently released version 1.0 of its Top 10 for LLM (Large Language Model) Applications.

OWASP’s Top 10s are community-driven lists of the most common security issues, designed to help developers write their code securely.

“The OWASP Top 10 for LLM Applications Working Group is dedicated to developing a Top 10 list of vulnerabilities specifically applicable to applications leveraging Large Language Models (LLMs). This initiative aligns with the broader goals of the OWASP Foundation to foster a more secure cyberspace and is in line with the overarching intention behind all OWASP Top 10 lists,” says their announcement.

The Top Ten is the result of the work of nearly 500 security specialists, AI researchers, developers, industry leaders and academics. Over 130 of these experts actively contributed to this guide.

Following is the OWASP Top 10 for LLM version 1.0, listed in order of criticality.

  1. Prompt Injection
  2. Insecure Output Handling
  3. Training Data Poisoning
  4. Model Denial of Service
  5. Supply Chain Vulnerabilities
  6. Sensitive Information Disclosure
  7. Insecure Plugin Design
  8. Excessive Agency
  9. Overreliance
  10. Model Theft

Read more about it here.