security flaw


  • Security flaws at NFT marketplace OpenSea left users' crypto wallets open to attack

    by Steve Dent
    10.13.2021

    After finding itself embroiled in a controversy over insider trading, NFT marketplace OpenSea is getting some more bad press.

  • Senators question whether Facebook is doing enough to protect kids' privacy

    by Christine Fisher
    08.06.2019

    Senators are questioning Facebook again. This time their concerns are related to a technical error that let thousands of kids join group chats with unauthorized users, The Verge reports. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) wrote a letter to Mark Zuckerberg today, asking whether Facebook has done enough to protect children's online safety.

  • Verizon patches FiOS routers to fix three security flaws

    by Richard Lawler
    04.10.2019

    Of all the home network devices we need to keep secure, there might not be any one more important than the router itself. For Verizon (the owner of Engadget's parent company) FiOS home internet customers, it's time to double check that your gear has been updated with the latest firmware after Tenable Research identified several vulnerabilities in the Quantum Gateway G1100. If exploited, someone could take control of the router. According to a breakdown of the vulnerabilities, they would mostly require the attacker to be connected to the local network itself; however, the router could also be vulnerable if remote administration is enabled and someone had the credentials that are printed on a sticker attached to the device. Tenable notified Verizon of the problem in December, and a firmware update to fix affected devices started rolling out March 1st. As Bleeping Computer notes, at least one person reported some issues after it was installed, although they were resolved after a factory reset of the device.

  • Researcher says Apple hasn't fixed major OS X security flaw

    by Edgar Alvarez
    04.21.2015

    Earlier this month, Apple released an update that was supposed to patch a serious flaw in OS X, albeit only for Yosemite users. But, according to a recent finding by an independent researcher, the company from Cupertino failed to fix the problem. Objective-See, a website that provides tools to prevent OS X malware, reports that the backdoor security flaw, known as "RootPipe," can still be exploited. The root access vulnerability is a major one too, as it could give anyone with bad intentions a way to take over a user's machine and, if they want, inject malware into the operating system. We've reached out to Apple for comment and will be updating this story if and when it gets back to us.

  • Russian hackers used Windows flaw to steal NATO data

    by Edgar Alvarez
    10.14.2014

    According to security firm iSight Partners, hackers from Russia recently gained access to sensitive NATO documents using a major flaw in Windows. The attack, which targeted data from a NATO summit last month, was reportedly part of an espionage campaign against members of the organization (such as the US, UK, France and Germany) to learn more about how it planned to react to Russia's "military intervention" in Ukraine. Furthermore, the same zero-day flaw is believed to be affecting "tens of millions of computers" that are running Microsoft's operating system -- a definite cause for concern. The great news, however, is that the Redmond-based technology titan is now aware of this security flaw and will be patching it today, the company told Bloomberg in a statement.

  • Android and iOS expose your photos to third party apps, promise fixes

    by Terrence O'Brien
    03.01.2012

    2012 is still young, yet it's already shaping up to be a bad year for privacy and security on the mobile front. Apple found itself embroiled in a bit of a brouhaha over the iPhone address book and an app called Path. And, of course, Google was put under the microscope when mobile Safari was found to have a security flaw that its mobile ads were exploiting. Then, earlier this week, it was discovered that granting iOS apps access to your location could also expose your photos. Now it's been discovered that Android also exposes your images, though it's doing so without asking for any permissions at all. While Apple was masking photo access behind other permissions, Google is simply leaving your pics vulnerable as part of a design quirk that came from the OS's reliance on microSD cards. Both companies have acknowledged the flaws and have said they're currently working on fixes. We're just hoping things start to quiet down soon, though -- our mobile operating systems are running out of personal data to expose. Check out the source links for more details.

  • HTC acknowledges long-running WiFi security flaw, says it kept it quiet to prevent exploits

    by Sharif Sakr
    02.03.2012

    As far back as September, security researchers discovered a "critical" bug in many HTC Android handsets that exposed users' WiFi credentials to any hacker who cared to look. The flaw affected recent devices like the Thunderbolt and EVO 4G all the way back to the Desire HD. The researchers promptly notified HTC, but the manufacturer waited a full five months before acknowledging the flaw publicly a few days ago. Sounds shady, perhaps, but HTC sent us a statement clarifying that this is standard policy to protect customers. It says it waited to develop a fix before it alerted the big bad world to the vulnerability. Most newer devices have already received their fix OTA, but owners of some older phones -- we'll update this post when we know exactly which ones -- will need to check the HTC Support site for a manual update next week. Meanwhile, in the manufacturer's defense, the guys at the Open1X group who discovered the bug say that HTC was "very responsive and good to work with." Here's HTC's statement to us: "HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed. For this specific WiFi bug issue, we worked closely with Google and the security researchers from the date of notification and throughout this process to ensure that the majority of affected HTC phones had already received the fix prior to the vulnerability being made public." Update: We changed our original headline to make it clearer that HTC deliberately kept quiet to protect its customers. We're certainly not accusing HTC of any wrong-doing here.

  • Sprint issues OTA fix for HTC Android handset vulnerability

    by Michael Gorman
    10.25.2011

    Earlier this month, we found out that after a software update HTC's Android handsets had a serious security flaw -- any app could gain access to user data, including recent GPS locations, SMS data, phone numbers, and system logs. To its credit, HTC responded quickly to the security issue, and now an OTA update with the fix is going out to those on the Now Network. Sprint users with an EVO 4G, 3D, Shift 4G, Design 4G or View 4G can get the download, as can Wildfire S owners. The patch is available now for manual download, and more info on the fix can be found at the source below. [Thanks, Korey]

  • HTC confirms security hole, says patch is incoming

    by Sean Buckley
    10.04.2011

    HTC held true to its promise to look into the security vulnerability that surfaced over the weekend, an apparent glitch that allows any app requesting internet access to take a peek at user account information, GPS location, system logs, and other potentially private data. While HTC assured us that user data isn't at risk of being harmed by its own software, a third-party malware app could exploit the security flaw and cause some trouble. The outfit is already building a patch, and will ship it out in an over-the-air update after a short testing period with its carrier partners. Until then? HTC recommends steering clear of apps from publishers you don't trust. Hit the break to see the official statement.

  • HTC security vulnerability said to leak phone numbers, GPS data, and more, HTC responds (video)

    by Sean Buckley
    10.02.2011

    The folks at Android Police seem to have stumbled across a rather jarring security vulnerability in HTC handsets running Android, giving common apps with internet access a peek at the device's vital statistics, user information and more. Demonstrated in the above video, developer Trevor Eckheart found that a recent HTC update packed in a suite of logging tools that collects data on user accounts (including email addresses), recent GPS locations, SMS data and encoded text, phone numbers, system logs, running processes and more -- all of which can be accessed by common apps requesting access to android.permission.INTERNET. HTC is already looking into the issue, stating, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." If you're too antsy to wait for HTC's update, head on over to the source link below -- Eckheart says the issue can be resolved by removing HTCloggers from a rooted device.

  • Researchers use children's toy to exploit security hole in feds' radios, eavesdrop on conversations

    by Amar Toor
    08.11.2011

    Researchers from the University of Pennsylvania have discovered a potentially major security flaw in the radios used by federal agents, as part of a new study that's sure to raise some eyebrows within the intelligence community. Computer science professor Matt Blaze and his team uncovered the vulnerability after examining a set of handheld and in-car radios used by law enforcement officials in two undisclosed metropolitan areas. The devices, which operate on a wireless standard known as Project 25 (P25), suffer from a relatively simple design flaw, with indicators and switches that don't always make it clear whether transmissions are encrypted. And, because these missives are sent in segments, a hacker could jam an entire message by blocking just one of its pieces, without expending much power. What's really shocking, however, is that the researchers were able to jam messages and track the location of agents using only a $30 IM Me texting device, designed for kids (pictured above). After listening in on sensitive conversations from officials at the Department of Justice and the Department of Homeland Security, Barnes and his team have called for a "substantial top-to-bottom redesign" of the P25 system and have notified the agencies in question. The FBI has yet to comment on the study, but you can read the whole thing for yourself at the link below.

  • Apple to patch PDF vulnerability in iOS

    by Kelly Hodgkins
    07.07.2011

    Apple said it will issue a patch that will close a PDF hole in iOS. Though this security hole is well known by iOS owners, it made headlines recently when the German government issued a malware warning about this "critical weakness" in Apple's iOS operating system. As it has done in the past with other security issues, Apple will release an update in the coming weeks to close this hole. Those that jailbreak their iOS devices will want to avoid this update. The exploit that Apple will patch is the same one used by Comex in jailbreakme, an online jailbreak tool. Ironically, those that want to close this exploit now can do so using this jailbreak tool. Just jailbreak your iOS device and install a security patch from Cydia.

  • Square's Jack Dorsey calls VeriFone's vulnerability claims 'not fair or accurate'

    by Jacob Schulman
    03.10.2011

    We had a feeling that Square wouldn't let VeriFone call it out without issuing some sort of statement, and CEO Jack Dorsey has responded to the claims of a gaping security hole in the form of an open letter on the company's website. Dorsey calls its competitor's accusations "not fair or accurate" and says that many of the necessary security measures are already built into your credit card itself. He also points out that this sort of credit card number thievery is possible every time you hand your plastic over to a waiter or salesperson, and that its partner bank, JPMorgan Chase, stands behind all aspects of the service. To us, it seems like VeriFone is more than a little scared at the prospect of Square undercutting its fees and potentially upending the POS business -- but we're just theorizing. One thing is for sure, though: we'll be hearing a lot more about this as the mobile payment war heats up.

  • Security experts unearth unpleasant flaws in webOS

    by Chris Ziegler
    11.26.2010

    Researchers from security firm SecTheory have described a handful of flaws in webOS, saying that the platform -- by its very nature -- is more prone to these sorts of things than its major competitors because Palm puts web technologies like JavaScript closer to webOS' core where system functions are readily accessible. At least one of the flaws, involving a data field in the Contacts app that can be exploited to run arbitrary code, has already been fixed in webOS 2.0 -- but the others are apparently still open, including a cross-site scripting problem, some sort of floating-point overflow issue, and a denial-of-service vector. We imagine Palm will get these all patched up sooner or later, but as SecTheory's guys point out, how long is it until mobile malware becomes a PC-sized problem?

  • IE security flaw exploited in recent Google attacks

    by Joseph L. Flatley
    01.15.2010

    This next item's for any rogue states out there that might be planning a comprehensive wave of cyber-attacks: It looks like Microsoft has admitted that indeed it was a security flaw in Internet Explorer that hackers based in China exploited in the recent attacks on Google. As is often the case, the flaw is neatly summed up in the title of the advisory: "Vulnerability in Internet Explorer could allow remote code execution." According to news agency AFP, the incident (which targeted Chinese human rights activists) shows "a level of sophistication above that of typical, isolated cyber criminal efforts." (Which is, evidently, how we like to think of our own cyber criminal efforts.) Microsoft has yet to release a formal software update. In the meantime, if you think your machine could be at risk, hit the source link for all the details. Or just switch to Firefox.

  • Droid security flaw makes lock screen a mere inconvenience for evil-doers

    by Chris Ziegler
    01.11.2010

    You might recall Apple having a hard time keeping its lock screen locked at one point, and it looks like we've got a common theme brewing here now that Android's suffering from the same drama. Turns out that Android 2.0.1 -- the build currently deployed on the Droid -- suffers from a flaw whereby you can back out to a locked phone's home screen simply by pressing the Back button after accepting an incoming call. Of course, you'd either have to know a phone's number or wait for a call to actually take advantage of this, but we'd argue that it's a pretty low barrier of entry. The bright side of the story, we suppose, is that the phone goes back to being locked as soon as the call ends, but then again it doesn't take much time to peep your juicy emails. Google's aware of the issue, so we're thinking this'll make it into the Droid's next software update; we don't have a launch window for that just yet, so in the meantime... you know, just make sure no one ever calls you and you should be good to go.

  • iPhone OS 3.0.1 update released, fixes SMS vulnerability (updated with statement from Apple)

    by Nilay Patel
    07.31.2009

    Looks like Apple pulled the trigger on patching that nasty iPhone SMS vulnerability a little earlier than we expected -- the iPhone OS 3.0.1 update just hit iTunes. It's not some lightweight, either: you're looking at 280MB of love here, so get downloading, friends. Update: Here's what Apple rep Tom Neumayr had to say about this little episode: "We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit." Well... what do you know about that? [Thanks to everyone who sent this in]

  • iPhone OS 3.0.1 update released, fixes SMS vulnerability

    by Nilay Patel
    07.31.2009

    Looks like Apple pulled the trigger on patching that nasty iPhone SMS vulnerability a little earlier than we expected -- the iPhone OS 3.0.1 update just hit iTunes. It's not some lightweight, either: you're looking at 280MB of love here, so get downloading, friends. [Thanks to everyone who sent this in]

  • O2 claims iPhone security patch will hit iTunes on Saturday, Apple stays silent

    by Paul Miller
    07.31.2009

    According to UK carrier O2, the SMS-based iPhone security hole that Charlie Miller unveiled at Black Hat this week should be patched by this weekend. An O2 spokesperson claimed the update would be pushed through iTunes this Saturday, says the BBC. Apple hasn't commented yet, and it's not perfectly clear that this will be an update for iPhones worldwide, but hopefully that's the case -- the security flaw certainly isn't geographically limited. [Thanks to everyone who sent this in]