flaw

  • Google Photos flaw let attackers grab users' location data

    by Rachel England
    03.20.2019

    Researchers have revealed a now-patched flaw that would allow hackers to track your location history using Google Photos. Ron Masas, from security company Imperva, explains in a blog post that Google Photos -- which was recently subject to an Android TV bug -- was vulnerable to browser-based timing attacks, which could leverage a photo's image data to approximate the time of a visit to a specific place or country.

  • App flaw let anyone access UK Conservative politicians' data

    by Jon Fingas
    09.30.2018

    The UK Conservative party is learning a hard lesson about the importance of basic security measures in mobile apps. Users have discovered that you could log into the party's conference app using only an attendee's email address, providing access to all kinds of sensitive data. And when many of the conference participants are politicians who registered with their email addresses at Parliament... you can guess what happened next.

  • Intel discloses another set of processor vulnerabilities

    by Mallory Locklear
    08.14.2018

    Intel disclosed another set of processor flaws today that could let attackers steal information stored on computers or third-party clouds. Discovered by a number of researchers and reported to Intel in January, the vulnerability includes three varieties. The company said in a blog post that when combined with updates released earlier this year, new updates being released today should protect most users from the vulnerability. "We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices," said Intel.

  • Android exploit targeted apps' shoddy use of external storage

    by Jon Fingas
    08.12.2018

    Many mobile security flaws revolve around obvious avenues like websites or deep, operating system-level exploits. The security team at Check Point, however, has discovered another path: apps that make poor use of external storage like SD cards. While apps would ideally stick to internal storage (which Google sandboxes against outside influence) as much as possible, some apps have relied unnecessarily on unprotected external storage and didn't bother to validate the data coming from that space. An intruder could take advantage of that poor security policy to manipulate the data and cause havoc -- Check Point called it a "man-in-the-disk" attack.

  • Phones sold by the four major US carriers could have a major security flaw

    by Rachel England
    08.08.2018

    Customers using devices from four major cell phone carriers could unknowingly be exposing sensitive data to hackers, according to the Department of Homeland Security (DHS). Fifth Domain reports that DHS-funded researchers from mobile security firm Kryptowire have found vulnerabilities in phones used by Verizon, AT&T, T-Mobile and Sprint. The flaws are built into phones by manufacturers, and include a loophole that could exploit data, emails and text messages.

  • Apple ignored a major HomeKit security flaw for six weeks

    by Rachel England
    12.21.2017

    Apple's HomeKit home automation platform is sold on the basis of security, privacy and trust -- users had to buy brand-new accessories with Apple-approved security components just to get it up and running. But back in October a developer uncovered a huge vulnerability which essentially meant a stranger, with some basic tech know-how and an Apple Watch, could waltz right on in to your home. And Apple has only just fixed it.

  • Amazon Key flaw could let a courier disable your Cloud Cam

    by Steve Dent
    11.16.2017

    Amazon recently weirded out much of the internet when it unveiled its Key delivery service that lets its couriers open your home and deliver packages while you're away. A key part of that is the Cloud Cam security camera that confirms deliveries and shows that your house remains un-ransacked. Now, researchers from Rhino Security Labs have shown that it's possible, under rare circumstances, to hack the camera so that everything looks fine while someone takes all your stuff.

  • Severe WiFi security flaw puts millions of devices at risk

    by Steve Dent
    10.16.2017

    Researchers have discovered a key flaw in the WPA2 WiFi encryption protocol that could allow hackers to intercept your credit card numbers, passwords, photos and other sensitive information. The flaws, dubbed "Key Reinstallation Attacks," or "Krack Attacks," are in the WiFi standard and not specific products. That means that just about every router, smartphone and PC out there could be impacted, though attacks against Linux and Android 6.0 or greater devices may be "particularly devastating," according to KU Leuven University's Mathy Vanhoef and Frank Piessens, who found the flaw.

  • Intel fixed a business security bug after almost a decade

    by Mariella Moon
    05.02.2017

    Intel has released a firmware upgrade that can patch up a security hole that has reportedly been lurking in various enterprise PCs for almost a decade. In a note that came with the update, the chipmaker said the vulnerability can be found in Active Management Technology, Standard Manageability and Small Business Technology, all of which are parts of Intel's suite of processor features for enterprise systems. Your company's IT division uses those to manage its computer fleet, but since they have a security flaw, an unauthorized network attacker can also use them to hijack PCs in your network.

  • Luxury AGA ovens aren't safe from hackers

    by Matt Brian
    04.13.2017

    In the kitchen, nothing screams "I have money" like an AGA. The expensive British-made cast-iron stoves (or cookers, depending on where you're from) have barely changed in looks over the last century, but they have got smarter. Thanks to the company's iTotal Control technology, owners of certain models -- costing $10,000 and upwards -- have been able to switch their oven on and off via an app or by sending it a simple text message. It's no doubt helped them remotely prepare dinner, but a security flaw in the system has also left them open to mischievous third parties.

  • Owners of bricked G4 and V10 phones sue LG

    by Chris Velazco
    03.17.2017

    It's been years since LG's G4 and V10 smartphones launched, but the people burned by a flaw that made those devices non-functional haven't forgotten. Four G4 and V10 owners filed a class-action lawsuit against LG earlier this week, alleging that the company "was aware, or reasonably should have been aware" of a hardware flaw that would force those two smartphones into a "boot loop" -- a state of endless rebooting that basically made the devices bricks. The filing (obtained by Ars Technica) goes on to say LG failed to make customers whole again by refusing to perform repairs or offering those customers refurbished units that were as prone to boot loop syndrome as the devices sent in for repair in the first place.

  • Google reveals unpatched Windows bug that hackers are exploiting (update)

    by Mariella Moon
    11.01.2016

    Google has revealed that it came across previously undiscovered Flash and Windows vulnerabilities in October, and one of them remains unpatched. The tech titan gave both Adobe and Microsoft a heads-up on October 21st -- Adobe issued a fix on October 26th through a Flash update, but Microsoft hasn't released one for its platform yet. The real problem is, according to Google, that unpatched Windows flaw is "being actively exploited."

  • Ancient Windows printer flaw exposes you to malware

    by Jon Fingas
    07.13.2016

    Security holes don't always originate in relatively recent bugs... sometimes, they can stem from code written in an entirely different era. Researchers at Vectra Networks have discovered a roughly 20-year-old flaw in Windows Print Spooler (which oversees the printing process) that lets attackers slip malware on to a PC. As the spooler doesn't verify that a printer's drivers are legitimate when you plug the hardware in, it's possible for attackers to install maliciously-coded drivers through either the internet or the printer itself. The exploit can not only infect numerous computers if it's shared on a network, but keep infecting as computers discover the peripheral.

  • Critical security flaw found in Lenovo PCs... again

    by Daniel Cooper
    07.04.2016

    If you are sick of hearing about how Lenovo machines are riddled with security flaws, then this ain't the story for you. Security researcher Dmytro "Cr4sh" Oleksiuk claims to have uncovered a flaw in Lenovo machines that could let attackers circumvent Windows' basic security protocols. According to his post on GitHub, the vulnerable firmware driver was copy-and-pasted from data supplied by Intel. His concern was that other manufacturers might have adopted the same code -- with at least one HP Pavilion laptop from 2010 already identified as packing the flaw.

  • Millions of Android devices have flawed full disk encryption

    by Jessica Conditt
    07.01.2016

    Hackers can use brute force to break into tens of millions of Android devices using full disk encryption, thanks to a series of security issues linked specifically to Android kernel flaws and Qualcomm processors, Neowin reports. The vulnerabilities were uncovered by security researcher Gal Beniamini, who is working with Google and Qualcomm to patch the problems -- and some of the flaws have already been addressed. However, a few of the issues may not be patchable, instead requiring new hardware, the report says.

  • Apple fixing iMessage flaw that lets hackers steal photos

    by Steve Dent
    03.21.2016

    Apple has put a lot of work into making its phones hard to crack, much to the consternation of US law enforcement officials. It's still not perfect, however, as researchers from Johns Hopkins University have discovered a flaw that lets attackers intercept and decrypt video and images sent on iMessage. The exploit only works on versions prior to iOS 9, because Apple partially fixed the problem in that version. However, Johns Hopkins professor Matthew D. Green told the Washington Post that a modified exploit could possibly be developed for iOS 9 versions, provided hackers have skills of a "nation state."

  • Google denies Linux flaw is a serious Android security issue

    by Steve Dent
    01.21.2016

    Red Hat and security company Perception Point recently revealed a Linux flaw they say could affect servers, PCs and up to 66 percent of Android phones on the market. The vulnerability directly affects the OS's kernel, and could give attackers a way to gain code execution and take over a device, according to Perception Point. Google, however, fired back strongly at the claim, particularly because it wasn't given the usual window to address the flaw before it was publicly released. "Since this issue was released without prior notice to the Android Security Team, we are now investigating the claims ... [however,] we believe that the number of Android devices affected is significantly smaller than initially reported."

  • Software error overinflates thousands of UK divorce settlements

    by Matt Brian
    12.18.2015

    An error in an electronic form used to help calculate the financial aspects of a divorce could potentially open old wounds for thousands of UK couples, the Ministry of Justice has confirmed. The Guardian reports that the software, known as a "Form E" on the HM Courts and Tribunals website, would wrongly state that a wife or husband was worth more than they really were. If a minus figure was entered against the financial liabilities of each partner, the form failed to recognise them, boosting the overall value of their assets significantly.

  • Kardashian website security flaw exposes data for over 600,000 users

    by Billy Steele
    09.17.2015

    The Kardashians' new mobile apps may be extremely popular, but the websites recently launched alongside those offerings had a major flaw. An open, unsecured API provided developer Alaxic Smith access to the names and email addresses of hundreds of thousands of subscribers when he poked around Kylie Jenner's site -- over 600,000 on that site alone. What's more, Smith discovered that the same API was used across the other sisters' sites, too. However, no payment info was accessible due to the fact that the sites themselves don't handle any funds, leaving that up to app stores and third-party services.

  • 'Stagefright' vulnerability files released to the wild

    by Timothy J. Seppala
    09.11.2015

    On the heels of its Stagefright detection app, Zimperium (the outfit that discovered the Android security flaw) has released its exploit to the public. But before you get your hands dirty tinkering with it to find a fix there are a few things you need to consider. Zimperium says that it was tested on a Nexus device that was running Ice Cream Sandwich 4.0.4 and that "due to variances in heap layout" this exploit isn't entirely reliable. The Python script does work to take advantage of "one of the most critical" vulnerabilities the outfit discovered in the security flaw's library, however. Perhaps the biggest caveat, though, is that since the file was tested with Ice Cream Sandwich, Zimperium says that elements of Android 5.0 Lollipop, the fast-growing OS of choice for Android users, basically nullify its attempts to address the problem.