Security

Update: Statement from Visible added below

Multiple reports of an apparent Verizon Visible hack, with attackers changing shipping addresses, then ordering phones that are charged to payment details held for customers. Visible is a Verizon sub-brand that operates entirely online, meaning that customers cannot seek assistance in-store.

“My account got hacked and they shipped out an iPhone 13 worth $1k that was taken from my PayPal,” wrote one customer …

The Federal Communications Commission (FCC) is calling on carriers to implement better security protections against SIM-swap and port-out attacks.

These attacks are a common way for criminals to carry out identity theft, and take over anything from an Apple ID to a bank account …

A security researcher has shown that AirTags can be weaponized by injecting code into the phone number field before placing it into Lost mode and dropping it in strategic places. Apple has confirmed the finding.

When someone finds the AirTag and scans it, they will be redirected to the website of the attacker’s choice, which could include a fake iCloud login to report the find …

Apple overhauled its security bounty program back in 2019 by making it open to anyone, increasing payouts, and more. However, the program has seen a good amount of criticism from the infosec community. Now another security researcher has shared their experience claiming that Apple didn’t give them credit for one zero-day flaw they reported which was fixed and that there are three more zero-day vulnerabilities in iOS 15.

Update 9/27: After sharing his experience publicly, Apple has responded to security researcher illusionofchaos, aka Denis Tokarev.

A Mac shortcut bug can enable an attacker to take over your machine when you open an email, using nothing more than a standard internet shortcut file.

Apple claims to have patched the bug in Big Sur and Monterey, but the security researcher who discovered the issue says that this is only partly true.

Apple giving into Russia twice this week on key civil liberties issues proves that the company’s CSAM misuse assurances cannot be trusted, argues a high-profile security expert.

Apple today pulled from the App Store an opposition tactical voting app after the Russian government threatened specific local company employees with “punishment” if they refused. It turns out that Apple also turned off its Private Relay service in Russia just yesterday, likely also in response to government pressure…

CloudKit is an Apple framework integrated into iOS and macOS that works as a backend for apps. Developer Frans Rosén has found a way to use Apple’s cloud platform to delete public Siri Shortcuts and even content from other Apple apps such as Apple News.

While Apple continues beta testing of macOS 12 Monterey, a new macOS Big Sur update has landed for all Mac users with 11.6. The new software hasn’t been beta tested and brings two important security updates that may have been actively exploited. There’s also an update for those running macOS Catalina.

London police chief Cressida Dick has used the 20th anniversary of 9/11 to attack companies like Apple, WhatsApp, Telegram, and Signal for offering end-to-end encrypted message services.

It follows the British Home Secretary – in charge of policing for the UK – seeking tech companies to find some way to break end-to-end encryption …

The British government has expressed support for Apple’s now-delayed CSAM scanning plans, and says that it wants the ability to scan encrypted messages for CSAM, even where end-to-end encryption is used.

The country is offering to pay anyone who can find a way “to keep children safe in environments such as online messaging platforms with end-to-end encryption” …

A USB-C to Lightning cable with a hidden wireless key-logger can enable an attacker to capture everything you type from a distance of up to a mile.

Any tech-literate person knows you should never plug a USB key into any of your devices unless you trust the person giving it to you, but fewer know that the same applies to USB cables …

The popular messaging app WhatsApp recently faced a major security vulnerability that could lead to sensitive data leakage. Although the exploit has now been fixed by the company, it shows that even end-to-end encryption can be bypassed by hackers.

Update: Apple did make a security announcement, but only a supply-chain related one.

We learned earlier this week about a potential Tim Cook White House visit to attend a cybersecurity summit hosted by President Biden. Cook’s participation has now been confirmed by a list of attendees shared by an administration official, and could provide an excellent opportunity for Apple’s CEO to drive home the company’s stance on privacy and strong encryption.

A new report today also raises the possibility of a security-related announcement by Apple after the meeting has finished …

A newly discovered NSO Pegasus zero-click iPhone attack against a human rights activist managed to succeed despite Apple’s Blastdoor protections, according to security researchers at Citizen Lab.

It is unclear, however, whether the protections Apple added to iOS 14.7.1 would have succeeded in blocking the attack, as it took place at a time when iOS 14.6 was the latest version available …

In a massive data breach we first learned about earlier this week, T-Mobile is continuing to discover the extent of the damage that’s rising beyond 50 million accounts. In an update today, the uncarrier says it has found an additional 5.3 million current postpaid customer accounts had their name, address, date of birth, or other personal information compromised.