Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label App vulnerability. Show all posts

Microsoft Launches New Privacy Features for Windows 11

 

Microsoft is developing a new privacy dashboard to patch its vulnerabilities for Windows 11 that will allow users to view which apps and tools have access to sensitive hardware components such as the camera, microphone, location, phone calls, messages, and screenshots. It's included in one of June Windows 11 Preview Builds and now is ready for testing in the Dev Channel for Windows Insiders.

Users will be able to view the newly implemented tool in the Privacy & Security > App Permissions section, where a "Recent activity" option will be available, as per Microsoft. Users will be able to locate the monitored category of information in this section. "Once clicked, it will show every instance of one of the programs installed on a user's machine that has recently accessed sensitive devices and information," says the next step. Even though the list contains information about the most recent time the program accessed the service, clicking on any of the entries yields no additional information.

Several users would be able to proactively protect themselves from ransomware and phishing attacks that are unwittingly deployed by malicious actors due to this additional layer of privacy. Malware or malicious software may obtain access to a user's privacy in some cases via spying on its camera or microphone, or by reading file paths, process IDs, or process names.

If Windows Hello is turned off, your PC will be unable to access your camera. Some apps use the Camera app to capture pictures, by the Camera app's camera access setting. No images will be taken and sent to the app that accessed them unless you manually select the capture button in the Camera app.

Desktop apps can be downloaded from the internet, stored on a USB drive, or installed by your IT administrator. Microsoft has not yet officially launched this new privacy option, according to its Windows Insider Blog. This information comes from Microsoft's Vice President of Enterprise and OS Security, David Weston, in a tweet on Thursday. 

Windows has never had a privacy feature as useful as this, but it appears that Microsoft is working to strengthen the operating system's privacy controls. With Android version 12, Google provided a similar capability, although its execution is far from satisfactory.

How a Simple Vulnerabilty Turned Out to be University Campus 'Master Key'

When Erik Johnson couldn't make his university's mobile student ID app work properly, he found a different way to get the job done. The app seems to be important, as it lets students in the university paying meals, get into events, and lock/unlock dormitory rooms, labs, and other facilities across campus. The app is known as getting Mobile, made by CBORD, it is a tech company that assists hospitals and universities by bringing access control and payment systems. 

However, Johnson, and other students who gave the app "1 star" due to poor performance, said that it was very slow in terms of loading time. It can be improvised. After studying the app's network data while unlocking his dorm room door, Johnson realized a way to mirror the network request and unlock doors via a one-tap shortcut button on the iPhone. To make it work, the shortcut needs to send an accurate location with the door unlock request, or the doors won't open. For security purposes, students have to be in certain proximity for unlocking doors via the app. 

It is done to avoid accidental door openings on the campus. To make it even better, Johnson decided to take his talents elsewhere too. CBORD has a list of API commands that can be used via student credentials. (API allows two things to interact, in our case, it's a mobile app and university servers that store data). Johnson identified a problem, here the API wasn't checking in case of valid student credentials. It meant that anyone could interact with the API and take control of other students' accounts, without having the need for passwords. 

As per Johnson, the API only looked for student ID (unique). Tech Crunch reports "Johnson described the password bug as a “master key” to his university — at least to the doors that are controlled by CBORD. As for needing to be in close proximity to a door to unlock it, Johnson said the bug allowed him to trick the API into thinking he was physically present — simply by sending back the approximate coordinates of the lock itself." As the bug was discovered in the API, it could affect other universities too. Johnson found a way to report the bug to CBORD, and it was resolved after a short time.

iPhone contacts app vulnerable to hack attack, says security firm


Apple has never shied away from boasting about how secure its systems are, but researchers have found that contacts saved on iPhones are vulnerable to an SQLite hack attack which could infect the devices with malware.

SQLite - the most widespread database engine in the world - is available in every operating system (OS), desktop and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android are popular users of SQLite.

Security firm Check Point has demonstrated a technique being used to manipulate Apple's iOS Contacts app. Searching the Contacts app under these circumstances triggers the device to run malicious codes, Apple Insider reported on Saturday.

The vulnerability has been identified in the industry-standard SQLite database.

Documented in a 4,000-word report, the company's hack involved replacing one part of Apple's Contacts app and while apps and any executable code has to go through Apple's startup checks, an SQLite database is not executable.

"Persistence (keeping the code on the device after a restart) is hard to achieve on iOS as all executable files must be signed as part of Apple's Secure Boot. Luckily for us, SQLite databases are not signed," the report quoted the Check Point researchers as saying.

As of now, Apple has not commented on Check Point's report.

MyCar exposes thousands of vehicles to hackers




A cybersecurity researcher claim to have found a series of vulnerabilities in a remote-based automobile app 'MyCar' that might have exposed more than 60,000 cars to hackers.

During a conference in Las Vegas on Saturday, the security expert who goes by the name Jmaxxz, identified several issues in an app 'MyCar' developed by a Canadian Automobility company.

According to the exposed database, the expert estimated that roughly 60,000 cars were vulnerable to theft by security flaws, through this exposed data hackers could even choose which car model they want to steal.

The app MyCar connects "to radio-based remote start devices like Fortin, CodeAlarm, and Flashlogic using GPS and a cellular connection to extend their range using an Internet connection."

The security flaws are far beyond theft or remote alarm-triggering pranks. However, starting of a car without the owner's knowledge could lead to dangerous carbon monoxide leaks which could be fatally dangerous.

MyCar's parent company has said that they have started investigating into the matter and would promptly solve the flaws.

Google now pays more for disclosing vulnerabilities in Chrome OS and some Play Store apps

One of the hardest aspects of maintaining a cross-platform product is ensuring its security. Vulnerabilities can be exploited on various platforms in various scenarios, and it’s almost impossible for literally any company’s security department to fix all of them on their own. That’s why companies often use vulnerability disclosure rewards programs, which basically means giving money to someone who finds an issue in your product. Google has several programs of this kind. One of them is the Chrome Vulnerability Rewards Program, which awards security researchers for exploiting vulnerabilities in Chromium, Chrome, and Chrome OS. As you already know, there are a lot of Chromium-based browsers on the market, so the security of this product is crucial.

Today, Google is increasing the minimum rewarding amount for this program. Currently, security researchers receive a maximum amount of $5,000 on baseline reports. These exploits are mostly around escaping the sandboxing. Google is tripling the amount of reward for high severity baseline reward, bringing it up to $15,000. The price of high-quality reports with functional exploits of the same category got doubled. Previously it was $15,000, but after today Google will pay $30,000 for these kinds of exploits. Google is also increasing the bonus from $500 to $1,000 for exploits found via Chrome Fuzzer, which lets security researchers use Google’s hardware and scale to replicate the exploits.

The Google Play Security Reward Program got an update, too. This program only covers apps that have specifically opted-in.

- The reward for remote code execution bug went from $5,000 to $20,000
- The reward for theft of insecure private data went from $1,000 to $3,000
- The reward for accessing protected app components went from $1,000 to $3,000

To put it in short, Google decided to show more appreciation for all the security researchers that help ensure the security of their product. The changes will go into action today. You can start looking for vulnerabilities if you are competent enough. Maybe you’ll get some reward from Google.

Flaw in Zoom app could allow Mac webcams to be hacked

Jonathan Leitschuh, a US-based security researcher on Monday had publicly disclosed a major zero-day vulnerability in the Zoom video conferencing software. Leitschuh had demonstrated that any website can start a video-enabled call through the Zoom software on a Mac with the help of a web server which gets installed by the Zoom app.

According to a report by The Verge, the server accepts the requests which the regular would not. The report further says that even if you uninstall the Zoom software, the server will still remain and it can reinstall Zoom without the user’s choice. As per the findings by Leitschuh, the Zoom software can get hijacked by any website which can then force a Mac user to join a call along with an activated webcam even without their permission unless a specific setting is enabled.

On a Medium post published on Monday, Leitschuh gave a demonstration through a form of a link which after being clicked takes Mac users (currently using/or have used Zoom app before) to a conference room activating their webcams. He notes that this particular code can get embedded to any website and also on malicious ads or a phishing campaign.

Leitschuh further writes that even if Mac users uninstall the Zoom app, the local web server still remains and it will “happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”

The Verge in its report said that they tried the flaw themselves by using Leitschuh’s demo and were able to confirm that the issue does persist on clicking the link if Mac users have used the Zoom app and have not checked a particular checkbox in settings. The link auto joins the users to a conference call with the web camera on.

As per Leitschuh, he had contacted Zoom back on March 26 earlier this year and had said that he would disclose the exploit publicly in 90 days. According to him, Zoom does not seem to have done enough to resolve the problem. The particular vulnerability was also disclosed to both Chromium and Mozilla teams, however, because it is not an issue with their browsers, there is not much those developers can do about this.

All it takes a WhatsApp call for the spyware to enter your phone


It’s been a day of high-profile security incidents. First there was news the popular WhatsApp messenger app was hacked. Updated versions of WhatsApp have been released, which you should install if you’re one of the more than one billion people who use the app.

WhatsApp has confirmed that a security flaw in the app let attackers install spy software on their targets' smartphones. The spyware install on a host phone via a WhatsApp call. The spyware deletes all WhatsApp call logs to become untraceable.

On Wednesday, chip-maker Intel confirmed that new problems discovered with some of its processors could reveal secret information to attacks.

What's scary about this spyware is that it can slip on any WhatsApp users' smartphone without giving the slightest clue that their devices have been infected. All it takes is a WhatsApp call.

The WhatsApp news was revealed first by the Financial Times, which says the bug was used in an attempt to access content on the phone of a UK-based human rights lawyer.

That has left many of its 1.5 billion users wondering how safe the "simple and secure" messaging app really is. How trustworthy are apps and devices?

No. Messages on WhatsApp are end-to-end encrypted, meaning they are scrambled when they leave the sender's device. The messages can be decrypted by the recipient's device only.

WhatsApp is arguably one of the most popular social messaging apps in the world. In the recent times, the Facebook-owned social messaging app has been under fire owing to the rampant spread of misinformation on its platform. But never has the app been under seige by a malware. That is until now.

WhatsApp has rolled out an update to its servers. It has also rolled out a security patch on to its Android and iOS apps to safeguard your phone data. Software patches have been released by several vendors, including Microsoft. You should install security updates from vendors promptly, including these.

Qualcomm Chip Security Flaw Poses Risk to App Account Security



Qualcomm technology which was manufactured to safely store private cryptographic keys has been found to be plagued with a security bug. The bug has been found in Qualcomm chipsets and is said to be paving way for Android malware which can potentially steal access to victims' online accounts.

The implemention of the technology should be such that even if the Android's OS has been exploited, the Qualcomm Secure Execution Environment, also known as QSEE should be beyond the reach of exploit and hence, unassailable. However, due to some imperfections in the implementation, such is not the case.

One can go about manipulating the system and leaking the private stored keys into the QSEE, as per a researcher with cybersecurity firm NCC Group, Keegan Ryan.

Ryan documented the vulnerability and came out with a conclusion that the flaw could bave been used by a hacker to exploit the way mobile apps let users sign in on smartphones. After entering the password, a cryptographic key pair would be generated by the app, which can be employed to make sure that all login attempts in the future are from the same device.

Referenced from the statements given by Ryan to PCMag,
"However, if an attacker uses this vulnerability to steal the key pair, the attacker can impersonate the user's device from anywhere in the world, and the user cannot stop it by powering down or destroying their device,"

"The attacker can run the malware one time, and extract the key. They now have permanent and unrestricted ability to create (authentication) signatures," he further added.

The patch is expected to roll out in April itself along with Android's security update.






Google’s security program has caught issues in 1 million apps in 5 years

Security is a common concern when it comes to smartphones and it has always been especially important for Android. Google has done a lot over the years to change Android’s reputation and improve security. Monthly Android security patches are just one part of the puzzle. Five years ago, the company launched the Application Security Improvement Program. Recently, they shared some of the success they’ve had.

First, a little information on the program. When an app is submitted to the Play Store, it gets scanned to detect a variety of vulnerabilities. If something is found, the app gets flagged and the developer is notified (above). Diagnosis is provided to help get the app back in good standing. Google doesn’t distribute those apps to Android users until the issues are resolved.

Google likens the process to a doctor performing a routine physical.

Google recently offered an update on its Application Security Improvement Program. First launched five years ago, the program has now helped more than 300,000 developers fix more than 1 million apps on Google Play. In 2018 alone, it resulted in over 30,000 developers fixing over 75,000 apps.

In the same year, Google says it deployed the following six additional security vulnerability classes:

▬ SQL Injection

▬ File-based Cross-Site Scripting

▬ Cross-App Scripting

▬ Leaked Third-Party Credentials

▬ Scheme Hijacking

▬ JavaScript Interface Injection

The list is always growing as Google continues to monitor and improve the capabilities of the program.

Google originally created the Application Security Improvement Program to harden Android apps. The goal was simple: help Android developers build apps without known vulnerabilities, thus improving the overall ecosystem.

Google understands that developers can make mistakes sometimes and they hope to help catch those issues for years to come. Security will continue to be a big talking point as technology evolves. It’s important for users to be able to trust the apps on their phones.

40.8% Smart Homes vulnerable to attacks




Security researchers have found nearly 40.8% of smart homes have at least one device that could be easily breached by hackers as one-third of them have outdated software with unpatched security issues, while two-thirds of them are exposed due to their weak credentials.

The team of researchers at Avast said that all these vulnerable devices are connected to the internet directly, and routers are the ones most targeted.

"59.7% of routers have weak credentials or some vulnerabilities" and "59.1% of users worldwide have never logged into their router or have never updated its firmware," says Avast.

In their report, Avast says that "a router that is vulnerable to attack poses a risk for the whole home, much like leaving your front door unlocked. Cybercriminals can redirect compromised routers to access exactly what they want, including phones, computers or any other connected device."

Printers lead the list of types of devices which are most vulnerable to attacks. In the US,  the printer's vulnerability percentage is 43.8%, while other devices like NAS devices and security cameras are on the second and third place with 17.7% and 14.7% respectively.

"It only takes one weak device to let in a bad hacker and once they are on the network, they can access other devices, and the personal data they stream or store, including live videos and voice recordings," said Avast President Ondrej Vlcek. "Simple security steps like setting strong, unique passwords and two-factor authentication for all device access, and ensuring software patches and firmware updates are applied when available, will significantly improve digital home integrity."

The Avast's 2019  Smart Home Security Report includes data from 16 million different home from all over the world, the total of 56 million devices having been scanned to gather the data.  

Tinder flaw that let hackers break into accounts with just a phone number

According to a report by Anand Prakash from Appsecure, a specialised cybersecurity company, the company had discovered a vulnerability in the Tinder application that could let hackers have access to user accounts using just their phone numbers.

It has been reported that the flaw has since been patched by Tinder and Facebook, and there have been no reports of any previous exploitation of this flaw as yet.

The attack became possible by exploiting a vulnerability in the Account Kit service provided by Facebook, which is used to login into both the web and mobile application using phone numbers.

Prakash said that just by knowing the phone number the user uses to login with, the attacker would have been able to gain access to their account “within seconds” and would gain full access to the account, including personal chats, information, and interaction with other users.

He reported this flaw to Facebook and Tinder and it has since been fixed, earning him a bounty of $5,000 and $1,250 from Facebook and Tinder respectively through their bounty programs.

Anand Prakash has till now earned more than $350,000 as a full-time bounty hunter, finding out and notifying global companies about major security flaws.

Zero Day Telegram Vulnerability Exploited by Hackers for Cryptomining

Kaspersky Lab has revealed that in October 2017, they had discovered a flaw in Telegram Messenger’s Windows desktop client that was being exploited “in the wild”. According to Kaspersky, the flaw has allegedly been by Russian cybercriminals in a cryptomining campaign.

The Telegram vulnerability involves the use of an RLO (right-to-left override) attack when the user sends a file through the messenger.

RLO Unicode method is primarily used for coding languages that are written right-to-left, such as Hebrew or Arabic, but hackers can use it to trick users into downloading malicious files. When an app is vulnerable to attack, it will display a filename incompletely or in reverse.

Kaspersky has said that it seems that only Russian cybercriminals were aware of this flaw and were exploiting it — not to spread ransomware but cryptomining malware.

The attacks enabled cybercriminals to not just spread the cryptomining malware but also to install a backdoor to remotely control victims’ computers.

“We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017,” read the report Kaspersky published on the flaw.

In the report, Alexey Firsh, cyberthreat researcher at Kaspersky, has outlined several scenarios that show cases of how the vulnerability was actually exploited.

He also wrote that Telegram was informed of this flaw and it no longer occurs in their products.

Play Store Gaming Apps Infected with Malware

An android malware named “AdultSwine” has attacked children-friendly gaming apps in the play store. Over 60 apps have been pulled by Google after recognizing the malware.

The malware causes pornographic content to show on the devices while the infected app is running, aside from trying to get users to install fake security apps and charging for unregistered premium services. The malware reportedly has the ability to steal user credentials.

The malware was discovered by researchers at Checkpoint and the affected apps have since been pulled by Google, and the developers’ accounts banned.

The affected apps have been downloaded as much as 3 to 7 million times, according to Play Store data.

A comprehensive list of affected apps and related research can be found on Checkpoint’s research blog. Google will continue to send notifications to phones that have the affected apps installed.

Facebook messenger falls victim to an anonymous crypto cousin of Bitcoin


With the booming value of digital currency, numerous hackers are rolling out schemes to unwittingly trap or trick more likely, the regular web users into mining for them. The most recent scheme to hoodwink people into mining cryptographic money is exploiting Facebook Messenger by means of some shrewd malware.The malware being distributed by means of Messenger is mining Monero, a contrasting option to the wildly important and volatile Bitcoin. The software is a type of a modified version of the open source mining program XMRig which the bot sets to start automatically.


The bot was detected by cyber security firm Trend Micro, which says "Digimine" is intended to resemble a video file. Security researchers likewise said that "Digmine" is focusing on as many machines as could be allowed, with a specific end goal to earn monero (the alternative to bitcoin) for its makers.

It is spread via a fake video that seems to have been sent from somebody from within the victim's friend list. Once opened the 'video' installs a malevolent code which then proceeds to compromise the desktop version of Facebook Messenger when used with Google Chrome.The hackers at that point gain an off the record access into the users Facebook account where they can get to the contacts lists to additionally spread the malware. The profits made from this illegal computer jacking are sent to the attacker's encrypted Monero wallet.


"If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends," the researchers said. "The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line."

 However this isn't the first or last time mining malware has been utilized to exploit systems, back in October a malignant program called Coinhive was installed into various compromised applications on Google Play.

In a time where on one hand hackers are constantly hijacking devices to mine cryptographic money and are becoming increasingly regular as there is a rapid increase in the value of the digital currencies in the present market, extra caution is thoroughly recommended for the heavy users of social media.


The AirDroid Lesson: Don't let apps take over your life

The popular android app AirDroid which lets users organize their lives by  providing the remote ability to send text messages, edit files, manage other apps and perform GPS tracking suffers from a serious authentication flaw which allows attackers to take control over user's activities.

Th flaw can be exploited  to take photos of the victim via the phone’s camera, track the victim via GPS or harass the victim’s friends and family via contacts.Anything that the app has permission to access to can be accessed by the remote attacker.

The mode of attack is very simple, the attacker would send a innocent-looking link to the user which if clicked leads to the webpage of the attacker. The attacker thus assumes control over the user's phone and can activate the phone's camera to take photos of the user and taunt the user.

This bug has been fixed as of now but the security risk it posed raises questions on how much should an app be permitted to know.

Often for the sake of convenience we offer personal information to the apps thus compromising our security. The long list of permissions that an app asks for is also cumbersome for many users to scan through and they just hit agree.  One never knows how many vulnerabilities are lurking in the apps we freely download and use and how those vulnerabilities can be exploited to take over our daily activities.One must be careful of the things they are agreeing to while installation.

Constant vigilance is the key.