Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Mobile Application Hacking. Show all posts

Durov Suspected WhatsApp of Intentionally Introducing Vulnerabilities

 

Russian entrepreneur and founder of the Telegram messenger Pavel Durov while criticizing the WhatsApp service said that the messenger, owned by Meta, was hardly ever secure, in his Telegram channel.

Durov also suspects that the service may intentionally introduce vulnerabilities. "Since the creation of WhatsApp, there has hardly been a moment when it was secure: every few months, researchers discover a new security problem in the application," he added. 

Durov noted that every few months researchers find a new security issue in the application. He recalled that he had already spoken out about the danger of the service in 2020. Since then, as the creator of Telegram considered, the situation with WhatsApp has not changed. 

As an illustration of his words, he cited a study by the American information technology company Boldend, which revealed a vulnerability in WhatsApp. The gap in the messenger has existed for several years and allows attackers to gain access to the correspondence of their victims unnoticed. 

In addition, the creator of Telegram commented on a Forbes report, which claims that Facebook investor Peter Thiel secretly funded a startup with the ability to hack WhatsApp. "WhatsApp users' messages have been available for attacks by potential hackers for years," Durov said about the report. 

"It would be hard to believe that WhatsApp technicians are so often incompetent. Telegram, a much more technically sophisticated application, has never had such serious security problems," Durov concluded. 

In December, Durov said that his Telegram remains protected from the influence of third parties. He cited the example of the FBI report, which claimed that the bureau has access to Viber, iMessage, WhatsApp, and Line, but Telegram, Threema, Signal, and Wickr do not transmit correspondence to third parties. At the same time, it was noted that Telegram can, at the request of law enforcement officers, issue the IP address and phone number of the user. 

Earlier, Pavel Durov's team advised the Ministry of Finance of Ukraine on cryptocurrencies. The Minister said that he actively uses the Telegram messenger for fast communications.

Data of 200,000 Shareholders Exposed due to a Vulnerability in the BrewDog App

 

BrewDog allegedly leaked the personal identifying information (PII) of around 200,000 shareholders for the better part of 18 months, according to experts. BrewDog "declined to inform their shareholders and asked not to be named" in the investigation that revealed the system vulnerabilities, according to PenTestPartners. 

The Scottish brewery incorporated a hard-coded Bearer authentication token associated with API endpoints targeted for BrewDog's mobile applications, according to the cybersecurity company. 

These tokens were delivered, however, this verification step was skipped because it was hardcoded to be activated after a user entered their credentials, providing access to an endpoint. 

Members of PenTestPartners, who also happened to be BrewDog stockholders, added one another's customer IDs to API endpoint URLs. During testing, they discovered that without an appropriate identification issue, they could access the PII of Equity for Punks stockholders. 

Identities, birth dates, email addresses, gender identities, contact information, prior delivery addresses, shareholder numbers, shares owned, referrals, and other information were all available in the leak. The customer IDs, however, were not regarded as "sequential." 

"An attacker could brute force the customer IDs and download the entire database of customers," the researchers said. "Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetimes supply of discount QR codes!" Hard-coding authentication tokens, according to PenTestPartners, are a failure to fulfill these criteria since some of the PII exposed falls within the GDPR security banner. 

The bug has been there since March 2020, since BrewDog's app version 2.5.5 introduced hard-coded tokens. However, BrewDog's team was unaware of the vulnerability for a long time and failed to protect their token system in later releases.

The problem was eventually resolved in version 2.5.13, which has been released on September 27, 2021. BrewDog, on the other hand, elected not to reveal anything significant in the release's changelog announcement. 

"The vulnerability is fixed," the researcher says. "As far as I know, BrewDog has not alerted their customers and shareholders that their details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I'm left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure." 

BrewDog also told that: "BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO." 

However, the corporation will also have to notify the UK's data protection officer due to the type of personal information exposed, as PII falls under GDPR, which is still in effect in the country.