SecurityFlaw

Latest

  • Elijah Nouvelage / Reuters

    Apple says Group FaceTime bug will be fixed next week

    by AJ Dellinger
    02.01.2019

    Apple announced Friday that it has come up with a fix for a bug in the Group FaceTime feature that allows users to listen in on the activity of others before they pick up the call. The company said a software update will be released next week that will fix the issue, according to BuzzFeed News. Group FaceTime has been disabled since the bug was discovered earlier this week.

  • Chesnot via Getty Images

    A 14-year-old tried to warn Apple about the group FaceTime bug

    by AJ Dellinger
    01.29.2019

    Before the FaceTime bug that lets people listen in to others before the call starts blew up yesterday, a 14-year-old Arizona high schooler tried to warn Apple of the issue. According to the Wall Street Journal, Grant Thompson and his mother Michele spent more than a week trying to contact Apple but didn't make much progress with the company while trying to report the bug.

  • SOPA Images via Getty Images

    Twitter bug exposed private tweets of some Android users for five years

    by AJ Dellinger
    01.17.2019

    A bug that has plagued Twitter since 2014 exposed the tweets of some Android users that were intended to be private. Twitter first disclosed the issue on its Help Center today, after apparently fixing it on January 14th. The bug didn't affect people using Twitter on iOS or desktop.

  • SIPA USA/PA Images

    Twitter security flaw uses text spoofing to hijack UK accounts

    by Mariella Moon
    12.29.2018

    A Twitter security flaw gives hackers a way to post unauthorized tweets via text messaging, and British cybersecurity firm Insinia has proven its existence by hijacking some celebrities' accounts. The company was able to post tweets as other people without having to enter their passwords by spoofing their mobile numbers. It's easy to forget the feature if you have data and a smartphone, but Twitter still allows you to tweet via SMS. You simply have to link your digits to your account and then text what you want to post to a number Twitter designated for your country and carrier.

  • Pinkypills via Getty Images

    Anonymous social network Blind left user data exposed

    by Mallory Locklear
    12.21.2018

    Blind is a workplace social network that lets employees at various companies discuss sensitive topics anonymously. The company describes it as a safe place where workers can talk about salaries, workplace concerns and employee misconduct without being identified. But Blind recently left a database server unsecured, exposing some of its users' account information, including their corporate email addresses.

  • Bloomberg via Getty Images

    Google refutes reported Home Hub security flaw

    by AJ Dellinger
    10.31.2018

    A security researcher discovered a series of commands that could be used to brick the Google Home Hub. According to Jeremy Gamblin, it's possible to exploit an "undocumented (and amazingly unsecured)" API. It can be used to force the device to reboot or to reveal data about a victim's network.

  • NurPhoto via Getty Images

    Security flaw left Safari and Edge users vulnerable to fake websites

    by Mallory Locklear
    09.12.2018

    A security researcher uncovered a flaw in both Safari and Microsoft's Edge browser that allowed the URL of a safe website to be displayed in the address bar while users were actually being taken to a different, and possibly malicious, website. Rafay Baloch spotted the security issue and notified Apple and Microsoft in early June. But while Microsoft issued a fix in August, Apple has yet to respond to Baloch's report.

  • Alamy

    LifeLock ID theft protection leak could have aided identity thieves

    by Mariella Moon
    07.26.2018

    LifeLock's identity theft protection service suffered from a security flaw that put users' identities in jeopardy. The event forced its parent company, Symantec, to pull part of its website down to fix the issue after it was notified by KrebsOnSecurity. According to Krebs, Atlanta-based security researcher Nathan Reese discovered the vulnerability through a newsletter email he received from the service. Upon clicking "unsubscribe," a page that clearly showed his subscriber key popped up. That allowed Reese to write a script that stepped through sequential key numbers, which was able to pull keys and their corresponding email addresses from the service.

  • Getty Images

    Intel faces multiple lawsuits over chip security vulnerabilities

    by Mallory Locklear
    01.05.2018

    Intel is already facing multiple lawsuits over the chip security flaws revealed earlier this week. Gizmodo reports that three have been filed so far -- in California, Oregon and Indiana. All three are class action complaints and note Intel's delay in disclosing the vulnerabilities -- it knew about them for months -- as well as reduced performance caused by subsequent security patches. The Register reported that PC slowdowns could amount to as much as five to 30 percent, but Intel has said that its solution's impacts are "highly workload-dependent" and won't be noticed much by the typical user.

  • SAUL LOEB via Getty Images

    DJI threatens legal action after researcher reports bug

    by Mallory Locklear
    11.20.2017

    In August, DJI announced that it was launching a bug bounty program that would give out rewards to people who could find flaws in its software. The company said it would pay between $100 and $30,000 depending on the flaw. But according to an essay written by security researcher Kevin Finisterre, and reported by the Verge, the program isn't off to a great start.

  • Getty Images

    Estonia freezes resident ID cards due to security flaw

    by Mariella Moon
    11.04.2017

    Estonia's residents use their mandatory national IDs to access pretty much anything, from online banking to online voting. So, it was a huge blow to the program when experts found a security flaw in the chip the ID uses that makes it possible for bad actors to impersonate and steal the identities of all 760,000 affected individuals. That might not sound like a huge number, but it's half the small country's population. Now, the country has blocked most of its residents from accessing all its online services for a weekend, so it can go in and fix the vulnerability.

  • Getty

    Latest Adobe Flash vulnerability allowed hackers to plant malware

    by Mallory Locklear
    10.16.2017

    Adobe Flash may be on its way out, but apparently, its goodbye tour is going to be marred by security issues just as the software has for most of its existence. Kaspersky Labs reports that a new Adobe Flash vulnerability was exploited by a group called BlackOasis, which used it to plant malware on computers across a number of countries. Kaspersky says the group appears to be interested in Middle Eastern politics, United Nations officials, opposition activists and journalists, and BlackOasis victims have so far been located in Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom and Angola.

  • Flickr/王馬文

    Millions of Android devices have flawed full disk encryption

    by Jessica Conditt
    07.01.2016

    Hackers can use brute force to break into tens of millions of Android devices using full disk encryption, thanks to a series of security issues linked specifically to Android kernel flaws and Qualcomm processors, Neowin reports. The vulnerabilities were uncovered by security researcher Gal Beniamini, who is working with Google and Qualcomm to patch the problems -- and some of the flaws have already been addressed. However, a few of the issues may not be patchable, instead requiring new hardware, the report says.

  • Microsoft patches up IE flaw that gives hackers access to your PC

    by Mariella Moon
    08.18.2015

    Microsoft has issued a critical update to patch up an Internet Explorer hole that can give hackers access to your system. Hackers could create websites capable of exploiting the zero-day vulnerability -- discovered by Google researcher Clement Lecigne -- and get you to click on the URL via email or instant messenger. They will then get the same user rights you have, making the flaw more dangerous if you have administrative access or if you're handling a server or a workstation. With admin powers, intruders can remotely install applications and steal your data.

  • Researchers find Android factory reset faulty and reversible

    by Mariella Moon
    05.22.2015

    Android's factory reset function isn't as effective as we'd all like it to be, according to a team of Cambridge University researchers. The group estimates that as many as 500 to 630 million Android devices might not be capable of completely wiping the data saved in their internal disks and SD cards. They came to that conclusion after testing 21 devices running Android 2.3 to 4.3 from five different manufacturers that already went through factory reset. During their tests, they were able to recover at least part of the data stored in each sample device -- even if it was protected with full-disk encryption.

  • Researcher says Apple hasn't fixed major OS X security flaw

    by Edgar Alvarez
    04.21.2015

    Earlier this month, Apple released an update that was supposed to patch a serious flaw in OS X, albeit only for Yosemite users. But, according to a recent finding by an independent researcher, the company from Cupertino failed to fix the problem. Objective-See, a website that provides tools to prevent OS X malware, reports that the backdoor security flaw, known as "RootPipe," can still be exploited. The root access vulnerability is a major one too, as it could give anyone with bad intentions a way to take over a user's machine and, if they want, inject malware into the operating system. We've reached out to Apple for comment and will be updating this story if and when it gets back to us.

  • Russian hackers used Windows flaw to steal NATO data

    by Edgar Alvarez
    10.14.2014

    According to security firm iSight Partners, hackers from Russia recently gained access to sensitive NATO documents using a major flaw in Windows. The attack, which targeted data from a NATO summit last month, was reportedly part of an espionage campaign against members of the organization (such as the US, UK, France and Germany) to learn more about how it planned to react to Russia's "military intervention" in Ukraine. Furthermore, the same zero-day flaw is believed to be affecting "tens of millions of computers" that are running Microsoft's operating system -- a definite cause for concern. The great news, however, is that the Redmond-based technology titan is now aware of this security flaw and will be patching it today, the company told Bloomberg in a statement.

  • Tinder security flaw exposed users' exact locations for several months

    by Mariella Moon
    02.20.2014

    Have you been using Tinder (an iOS/Android dating app that shows pictures of users in your area) these past months to try and find the one? Well, if you're deathly scared of stalkers, you might want to sit down. Apparently, there was a flaw on the dating app's API, which made it possible to pinpoint user distances down to a hundred feet. According to a report published by whitehat hacker Max Veytsman from Inside Security, he discovered the vulnerability in October 2013. It could've been around since July, though, as it was a byproduct of the fix issued for a previous flaw that revealed users' latitude and longitude coordinates. To demonstrate how damaging the security loophole could be, Veytsman created an app that automatically shows a user's location on Google Maps by using triangulation, as you can see in the video after the jump. Thankfully, Tinder's management was more receptive to feedback than Snapchat's, and though Veytsman didn't receive a reply to half his emails, tests he conducted on January 1st revealed the issue no longer exists. Now, we can only hope no ne'er-do-well had any success matching up Tinder addresses with Snapchat phone numbers.

  • Android and iOS expose your photos to third party apps, promise fixes

    by Terrence O'Brien
    03.01.2012

    2012 is still young, yet it's already shaping up to be a bad year for privacy and security on the mobile front. Apple found itself embroiled in a bit of a brouhaha over the iPhone address book and an app called Path. And, of course, Google was put under the microscope when mobile Safari was found to have a security flaw that its mobile ads were exploiting. Then, earlier this week, it was discovered that granting iOS apps access to your location could also expose your photos. Now it's been discovered that Android also exposes your images, though, it's doing so without asking for any permissions at all. While Apple was masking photo access with other permissions, Google is simply leaving your pics vulnerable as a part of a design quirk that came from the OS's reliance on microSD cards. Both companies have acknowledged the flaws and have said they're currently working on fixes. We're just hoping things start to quiet down soon, though -- our mobile operating systems are running out of personal data to expose. Check out the source links for more details.

  • HTC acknowledges long-running WiFi security flaw, says it kept it quiet to prevent exploits

    by Sharif Sakr
    02.03.2012

    As far back as September, security researchers discovered a "critical" bug in many HTC Android handsets that exposed users' WiFi credentials to any hacker who cared to look. The flaw affected recent devices like the Thunderbolt and EVO 4G all the way back to the Desire HD. The researchers promptly notified HTC, but the manufacturer waited a full five months before acknowledging the flaw publicly a few days ago. Sounds shady, perhaps, but HTC sent us a statement clarifying that this is standard policy to protect customers. It says it waited to develop a fix before it alerted the big bad world to the vulnerability. Most newer devices have already received their fix OTA, but owners of some older phones -- we'll update this post when we know exactly which ones -- will need to check the HTC Support site for a manual update next week. Meanwhile, in the manufacturer's defense, the guys at the Open1X group who discovered the bug say that HTC was "very responsive and good to work with."

    Here's HTC's statement to us: "HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public."

    Update: We changed our original headline to make it clearer that HTC deliberately kept quiet to protect its customers. We're certainly not accusing HTC of any wrongdoing here.