Security

US Army iOS app among thousands that unknowingly used Russian code

A potentially sensitive US Army iOS app is among thousands of iOS and Android apps to include user-profiling code from a Russian company that pretended to be an American one – raising both privacy and security concerns.

The Centers for Disease Control and Prevention (CDC) also used the code in seven of its apps. Both organizations have now removed the code, but it remains present in thousands of other apps.

Apple Security Research launches with website, blog, applications open for Research Device Program

Along with announcing its new Lockdown Mode feature this past summer, the company mentioned an upgraded bounty program, a donation to fund ethical security research, and more. Now Apple Security Research has officially launched with a dedicated website, blog, details on the bounty changes, applications open for the Research Device Programs, and more.

iOS VPN apps have another flaw, shows new research: excluding many Apple apps

A security researcher back in August found a significant flaw in iOS VPN apps, and a second researcher has now demonstrated another major issue.

The first problem was that opening a VPN app should close all existing connections, but didn’t. The second is that many Apple apps send private data outside the VPN tunnel, including Health (above) and Wallet …

Facebook security warning: Scam apps stole login credentials [U: List of apps]

Update: The names of the apps are now known. Apple has removed them from the App Store, but the apps also need to be removed from devices – see the list added to the end of the piece.

Meta has issued a Facebook security warning to around one million users that their login credentials may have been stolen by scam apps. While most of the apps were Android ones, 47 of them were iOS apps found in Apple’s App Store.

Pegasus spyware used against anti-corruption journalists in Mexico, despite government promises

A new report reveals that Pegasus spyware was used in Mexico after the president expressly said that the government no longer used the malware.

It was used to capture data from the phones of two journalists specialising in reporting on government corruption, as well as a prominent human rights defender …

Safety Check for iPhone: How to immediately stop sharing location and more

One of the important new features in iOS 16 is Safety Check. Designed as a tool for those at risk for domestic abuse or similar situations, Safety Check for iPhone lets users immediately revoke location access others have – including apps – and also walks through a security review.

Uber hacker claims to have full control of company’s cloud-based servers

An Uber hacker who has gained access to a number of the company’s internal systems, including its Slack channels, claims to have full control of the company’s cloud-based servers and more. This includes the company’s servers on both Amazon Web Services and Google’s GSuite.

Incredibly, the attack appears to have mimicked the one back in 2016, which compromised the personal data of 57 million. This suggests that Uber failed to fix a massive security hole, enabling the same attack to be made six years later …

PSA: Update your iPhone and Mac asap, to fix an active zero-day security vulnerability

Even if you like to wait for new iOS and macOS updates to settle down before you take the plunge, you will want to update your iPhone and Mac asap, even if you opt to remain on iOS 15 for now. On iPhones, Apple is offering a choice between iOS 15.7 and iOS 16 when you update.

An update is urgent because iOS 15.7 (and iOS 16) and macOS Monterey 12.6 fix zero-day security vulnerabilities, which Apple says may currently be in active use by attackers …

Ring doorbell security gets boost as company expands end-to-end encryption

Ring doorbell security has been a source of controversy for some time, but the company finally appears to be taking privacy issues seriously. It is now supporting end-to-end encryption of video footage for wireless as well as wired products.

The change will finally address security flaws which have been highlighted as far back as 2019 …

Apple reportedly introduced major under-the-hood security updates to macOS this year

Apple frequently releases updates to its operating systems with bug fixes and security improvements. In addition, macOS has a system that lets Apple silently deliver anti-malware protections to Mac computers. And according to recent research, the company this year introduced major under-the-hood security updates to macOS.

iPhone Lockdown Mode can be easily detected, could make you a target

iPhone Lockdown Mode is an extreme form of security designed to protect people who might find themselves targets of state-sponsored spyware, like Pegasus. However, a privacy activist says it also makes it easy for a website to detect when someone is using it – and has demonstrated this.

So what is designed to be protection against rogue governments could actually end up helping them identify people who may be of interest …

O.MG Elite Cable has power of a $20,000 hacking tool; can compromise iPhone, Android, Mac, PC

Shown off at this year’s Def Con is an unassuming and powerful hacking tool, the O.MG Elite cable. With the physical appearance of a standard Lightning or USB-C cable, the hidden modifications mean this cable can log keystrokes, perform attacks, and even transmit data stealthily from air-gapped devices with its own WiFi network.

Twitter investigation instigated by Senate following claims by former head of security

A Twitter investigation has been announced by the Senate Judiciary Committee, following claims of “extreme” security failings at the social network. The claims were made in an 84-page report by the company’s former head of security, Peiter Zatko.

Concerns have been expressed about the national security risks of bad actors being able to fake tweets from the accounts of world leaders and major media organizations …

Plex data breach exposed email addresses and encrypted passwords

A Plex data breach has exposed usernames, email addresses, and encrypted passwords. The scale of the security failure is not yet known, but the company is requiring all users to change their passwords.

The issue was compounded by Plex servers not having sufficient capacity to cope with the number of users attempting to do so, and a series of other problems …

Former Twitter security head says company’s systems have ‘extreme, egregious deficiencies’

Update: Elon Musk’s lawyers have now issued a subpoena to speak to Zatko about the claims.

Former Twitter security head Peiter Zatko has filed a formal complaint that the company has “extreme, egregious deficiencies” in its protections against hackers, and has done little to defeat spam.

He accuses the company of deceiving the Federal Trade Commission (FTC), following promises made back in 2011 after hackers twice took full control of Twitter …

Apple’s CSAM approach is the right one, says British government, as it attacks Facebook

The British government has backed a call by the country’s security services for client-side scanning for child sexual abuse material – aka Apple’s CSAM approach.

Home Secretary Priti Patel has written an op-ed in which she indicates government support for the stance, while also attacking Facebook’s plans to make all Messenger chats end-to-end encrypted by default …