SecurityVulnerabilities

Latest

  • Android apps used by troops in combat contained vulnerabilities

    by AJ Dellinger
    12.20.2018

    Two Android apps used by the US military in live combat situations contained severe vulnerabilities that could have allowed attackers to gain access to troops' information, a Navy Inspector General report revealed. The mobile apps offered real-time messaging to coordinate with other military branches, displayed mission objectives and goals, showed satellite images of surroundings and highlighted locations of nearby enemy and friendly forces.

  • New York settles with Equifax and others over lax mobile app security

    by Mallory Locklear
    12.14.2018

    New York Attorney General Barbara Underwood announced that the state has reached settlements with five companies regarding a security vulnerability present on each of their mobile apps. Going forward, the companies -- Equifax, Western Union, Priceline, Spark Networks and Credit Sesame -- will be required to implement security programs aimed at protecting their customers' information.

  • Tinder security flaw exposed users' exact locations for several months

    by Mariella Moon
    02.20.2014

    Have you been using Tinder (an iOS/Android dating app that shows pictures of users in your area) these past months to try and find the one? Well, if you're deathly scared of stalkers, you might want to sit down. Apparently, there was a flaw on the dating app's API, which made it possible to pinpoint user distances down to a hundred feet. According to a report published by whitehat hacker Max Veytsman from Inside Security, he discovered the vulnerability in October 2013. It could've been around since July, though, as it was a byproduct of the fix issued for a previous flaw that revealed users' latitude and longitude coordinates. To demonstrate how damaging the security loophole could be, Veytsman created an app that automatically shows a user's location on Google Maps by using triangulation, as you can see in the video after the jump. Thankfully, Tinder's management was more receptive to feedback than Snapchat's, and though Veytsman didn't receive a reply to half his emails, tests he conducted on January 1st revealed the issue no longer exists. Now, we can only hope no ne'er-do-well had any success matching up Tinder addresses with Snapchat phone numbers.

  • Microsoft issues security patches for Flash vulnerabilities in Windows 8 and Internet Explorer

    by Sarah Silbert
    09.21.2012

    As promised, Microsoft is issuing a security patch for a Flash vulnerability on Windows 8 in Internet Explorer 10. Though the operating system has yet to see its official public release, researchers testing the RTM version found a bug that could cause Flash to crash and allow for attackers to take control of a user's machine. Additionally, the company is rolling out an update to address a security hole in Internet Explorer versions 7 and 8 on Windows XP -- and IE 9 on Windows 7 and Windows Vista -- which left the door open for hackers to spread malware via a specially designed Flash animation. Both security patches are available via Microsoft's Windows Update service.

  • Sprint issues OTA fix for HTC Android handset vulnerability

    by Michael Gorman
    10.25.2011

    Earlier this month, we found out that after a software update HTC's Android handsets had a serious security flaw -- any app could gain access to user data, including recent GPS locations, SMS data, phone numbers, and system logs. To its credit, HTC responded quickly to the security issue, and now an OTA update with the fix is going out to those on the Now Network. Sprint users with an EVO 4G, 3D, Shift 4G, Design 4G or View 4G can get the download, as can Wildfire S owners. The patch is available now for a manual download, and more info on the fix can be found at the source below. [Thanks, Korey]

  • HTC confirms security hole, says patch is incoming

    by Sean Buckley
    10.04.2011

    HTC held true to its promise to look into the security vulnerability that surfaced over the weekend, an apparent glitch that allows any app requesting internet access to take a peek at user account information, GPS location, system logs, and other potentially private data. While HTC assured us that user data isn't at risk of being harmed by its own software, a third-party malware app could exploit the security flaw and cause some trouble. The outfit is already building a patch, and will ship it out in an over-the-air update after a short testing period with its carrier partners. Until then? HTC recommends steering clear of apps from publishers you don't trust. Hit the break to see the official statement.

  • HTC security vulnerability said to leak phone numbers, GPS data, and more, HTC responds (video)

    by Sean Buckley
    10.02.2011

    The folks at Android Police seem to have stumbled across a rather jarring security vulnerability in HTC handsets running Android, giving common apps with internet access a peek at the device's vital statistics, user information and more. Demonstrated in the above video, developer Trevor Eckhart found that a recent HTC update packed in a suite of logging tools that collects data on user accounts (including email addresses), recent GPS locations, SMS data and encoded text, phone numbers, system logs, running processes and more -- all of which can be accessed by common apps requesting access to android.permission.INTERNET. HTC is already looking into the issue, stating, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." If you're too antsy to wait for HTC's update, head on over to the source link below -- Eckhart says the issue can be resolved by removing HTCloggers from a rooted device.

  • Google search opens SCADA systems to doomsday scenarios

    by Joseph Volpe
    08.04.2011

    Google, the service so great it became a verb, can now add security risk to its roster of unintended results. The search site played inadvertent host to remotely accessed Supervisory Control and Data Acquisition (SCADA) systems in a Black Hat conference demo led by FusionX's Tom Parker. The security company CTO walked attendees through the steps required to gain control of worldwide utility infrastructure -- power plants, for one -- but stopped short of actually engaging the vulnerable networks. Using a string of code unique to a Programmable Logic Controller (the computers behind amusement park rides and assembly lines), Parker was able to pull up a water treatment facility's RTU pump, and even found its disaster-welcoming "1234" password -- all through a Google search. Shaking your head in disbelief? We agree, but Parker reassured the crowd these types of outside attacks require a substantial amount of effort and coordination, and "would be extremely challenging to pull off." Panic attack worn off yet? Good, now redirect those fears to the imminent day of robot-helmed reckoning.