Razer – perfectly happy to sell you a laptop, but when it comes to fixing security holes...

guest · Apr 3, 2019

Razer – perfectly happy to sell you a laptop for over $2,000, but when it comes to fixing security holes...
Slack motherboard firmware controls leave machines open to deep-rooted malware
April 3, 2019
https://www.theregister.co.uk/2019/04/03/razer_laptop_flaw/

Gaming PC specialist Razer has been singled out for leaving its motherboards vulnerable to a well-known and critical firmware vulnerability.

Infosec bod Bailey Fox said Razer's Intel notebook models are still vulnerable to CVE-2018-4251, a security screw-up that potentially allows malware with administrative rights to alter the system's firmware, thus allowing it to burrow deep into the PC and survive reboots and hard drive wipes. The issue has been known about since last year, and has been patched by manufacturers, but not by Razer, it seems.

"Razer has a vulnerability affecting all current laptops, where the SPI flash is set to full read/write and the Intel CPU is left in ME Manufacturing Mode," Fox explained late last month.
"This allows for attackers to safeguard rootkits with Intel Boot Guard, downgrade the BIOS to exploit older vulnerabilities such as Meltdown, and many other things."

[...] Fox claims to have been in contact with Razer, only to have the company decline to acknowledge and put out a fix for the issue.
Click to expand...

guest · Apr 8, 2019

Razer issues fix for well-known Intel ME firmware vulnerability
Problem was discovered in Blade models in February but has existed in Intel motherboards for at least a year
April 8, 2019
https://www.techspot.com/news/79557-razer-issues-fix-well-known-intel-firmware-vulnerability.html

Why it matters: Razer’s has finally addressed a security vulnerability in its Blade gaming laptops. The flaw was discovered in some Intel-based computers last year. The security risk can allow malware to burrow deep into the system.

After struggling for over a month privately through HackerOne to get the company to acknowledge the problem, Fox took to Twitter to get the company’s attention.
The move worked as Razer’s support team quickly responded asking Fox to describe the problem in a private direct message.

Last week, Razer acknowledged the problem and has issued a fix.
Click to expand...

guest · Apr 8, 2019

mood said: ↑

Razer – perfectly happy to sell you a laptop for over $2,000, but when it comes to fixing security holes...
Slack motherboard firmware controls leave machines open to deep-rooted malware
April 3, 2019
https://www.theregister.co.uk/2019/04/03/razer_laptop_flaw/
Click to expand...

Updated article:

"Razer has been alerted to certain Intel Management Engine vulnerabilities in the Intel chipsets of several Razer laptop models," the laptop maker told The Regiser.

"To address this issue, Razer laptops will ship from the factory with an update to remove these vulnerabilities. For currently shipped products, Razer has provided a software tool to apply this update."
It confirmed the affected Razer laptop models are the Blade 15 (Advanced model - 2018, 2019, Base model - 2018), and Blade Stealth 13 (2019).
Click to expand...

guest · Sep 11, 2020

Razer Gaming Fans Caught Up in Data Leak
September 10, 2020
https://threatpost.com/razer-gaming-fans-data-leak/159147/

An estimated 100,000 customers of Razer, a purveyor of high-end gaming gear ranging from laptops to apparel, have had their private info exposed, according to a researcher.

Security consultant Bob Diachenko ran across a misconfigured Elasticsearch cloud cluster that exposed a segment of Razer’s infrastructure to the public internet, for anyone to see. It contained a raft of information of use to cybercriminals, including full name, email, phone number, customer internal ID, order number, order details, billing and shipping address.
Click to expand...

[...] he said, in a LinkedIn posting on Thursday. “Based on the number of the emails exposed, I would estimate the total number of affected customers to be around 100K.”

I must say I really enjoyed my conversations with different reps of @Razer support team via email for the last couple of week, but it did not bring us closer to securing the data breach in their systems. pic.twitter.com/Z6YZ5wvejl
— Bob Diachenko (@MayhemDayOne) September 1, 2020
Click to expand...

Thousands of Razer customers order and shipping details exposed on the web without password

The exact number of affected customers is yet to be assessed as originally it was part of a large log chunk stored on a company's Elasticsearch cluster misconfigured for public access since August 18th, 2020 and indexed by public search engines
[...] processed by non-technical support managers for more than 3 weeks until the instance was secured from public access.
Click to expand...

UPDATE from the company:

We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed.
The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public.
Click to expand...

Log in or Sign up

Razer – perfectly happy to sell you a laptop, but when it comes to fixing security holes...

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Razer – perfectly happy to sell you a laptop, but when it comes to fixing security holes...

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches