Security

1,166 'Security' stories July 2011 - April 2019

See All Stories

Security analyst finds fake cell carrier apps are tracking iPhone location and listening in on phone calls

Benjamin Mayo Apr 8 2019 - 10:22 am PT

fake iPhone apps

In yet another abuse of the enterprise distribution program, security analyst Lookout has identified apps (via TechCrunch) that were pretending to be published by cell carriers in Italy and Turkmenistan. The apps were available for iPhone users to download through Safari as they were signed by an enterprise certificate. These apps used carrier branding and pretended to offer utilities for the users’ cell plans when in reality they would ask for every permission they could to track location, collect contact, photos, and more, and had the capability to listen in on users’ phone conversations.

Apps using enterprise certificates are not available through the App Store, but malicious criminals can target iOS users through Safari (perhaps with a phishing attack-esque email) and get people to download the app over the web, outside of the purview of the App Store review process.

Expand
Expanding
Close

Mark Zuckerberg announces Meta lay

Facebook caught exposing millions of private records from users on Amazon servers

Michael Potuck Apr 3 2019 - 10:51 am PT

In the latest security gaffe for Facebook, millions of private records from the platform’s users have been found unprotected on Amazon’s cloud servers.

Expand
Expanding
Close

Two zero-day Safari exploits found

Two zero-day Safari exploits found, one allowing complete takeover of Mac

Ben Lovejoy Mar 21 2019 - 6:44 am PT

White-hat hackers at a security conference in Vancouver have found two zero-day Safari exploits, one of which allowed them to escalate their privileges to the point that they were able to completely take over the Mac …

Expand
Expanding
Close

Microsoft Defender brings anti-virus protection to Mac, but limited business roll-out initially

Ben Lovejoy Mar 21 2019 - 6:06 am PT

Microsoft Defender begins limited Mac rollout

Microsoft is renaming its Windows Defender antivirus software to Microsoft Defender Advanced Threat Protection (ATP), and bringing it to macOS for the first time.

While Macs are significantly less vulnerable to malware than Windows machines, they are not immune. Examples include fake Flash Player installers and cryptocurrency-stealing browser exploits and apps …

Expand
Expanding
Close

Apple among 90+ companies to have corporate data exposed through their Box accounts

Ben Lovejoy Mar 11 2019 - 7:19 am PT

Box accounts accidentally expose data

Apple is one of a number of high-profile companies which had corporate data exposed through their Box accounts, an enterprise cloud storage service.

In all, cybersecurity firm Adversis found that data from more than 90 companies was exposed …

Expand
Expanding
Close

Xfinity Mobile

Xfinity irresponsibly using 0000 as default PIN, hacker steals customer’s phone number and buys a Mac

Michael Potuck Feb 28 2019 - 1:45 pm PT

In the latest episode of consumers affected by tech companies’ security flaws, Comcast’s Xfinity Mobile wireless service was found to be setting customer PINs by default to 0000. As reported by The Washington Post (via The Verge) one of the users who had their phone number stolen because of Xfinity’s weak PIN default even saw a hacker purchase an Apple computer with his credit card.

Expand
Expanding
Close

EFF launches ‘Fix It Already’ initiative to push Apple and other tech companies for change

Michael Potuck Feb 28 2019 - 9:19 am PT

eff fix it already apple

A new post from the EFF (Electronic Frontier Foundation) today has announced a new initiative called “Fix It Already.” The first post describes specific privacy and security issues that Apple and eight other major tech companies should fix right now.

Expand
Expanding
Close

iPhone and Android hacking tool used by FBI and DHS on sale on eBay for as little as $100

Ben Lovejoy Feb 28 2019 - 4:13 am PT

A Cellebrite UFED extracting data from an iPhone

The Cellebrite Universal Forensic Extraction Device (UFED) is a smartphone hacking tool commonly used by the FBI, Department of Homeland Security and other law enforcement agencies in the US and elsewhere. It’s the most powerful tool yet created by the Israeli company, able to extract a huge amount of data – even data which has been deleted from phones.

A brand new one normally costs $5,000 to $15,000 depending on the model, but older models can be found on eBay for as little as $100 …

Expand Expanding Close

4G and 5G security flaws discovered, users susceptible to call interception and location tracking

Michael Potuck Feb 25 2019 - 12:12 pm PT

4G security flaw

A report from TechCrunch details three new serious security flaws in both 4G and 5G networks and one of them affects all four major US carriers in addition to many more networks around the world. The vulnerabilities allow attackers to track a user’s location as well as intercepting phone calls.

Expand
Expanding
Close

WhatsApp security vulnerability found in share sheet

WhatsApp security vulnerability found in its new Face ID/Touch ID lock feature

Ben Lovejoy Feb 21 2019 - 5:08 am PT

A WhatsApp security vulnerability has been discovered in a new feature introduced earlier this month …

Expand
Expanding
Close

Apple cuts ties with social media utility app that exposed emails of Instagram users shortlisted for Shot on iPhone contest

Benjamin Mayo Feb 14 2019 - 10:21 am PT

apple instagram security flaw

Yesterday, 9to5Mac was alerted to a flaw in a third-party utility app for Instagram, called Exposure. The app helps brands connect with Instagram posters, automating the collection of agreements to use imagery for commercial purposes.

It just so happens that Apple was using this tool for its Shot on iPhone campaign. 9to5Mac contacted Apple to report the security issue. Following an investigation, a few hours later, Apple cut ties with the Exposure service. (Update: Statement from the parent company of Exposure below)

Expand
Expanding
Close

Security hole in Mojave allows rogue apps to access your Safari browsing history

Ben Lovejoy Feb 14 2019 - 5:12 am PT

Safari browsing history accessible by rogue apps

An attempt by Apple to protect your Safari browsing history in macOS Mojave has a security hole which allows full access by a rogue app, says a Mac and iOS developer.

Prior to Mojave, your browsing history was freely available to any app that looked inside ~/Library/Safari. In macOS 10.14, however, Apple locked down access so tightly that you can’t even list the contents in Terminal – in theory …

Expand
Expanding
Close

617 stolen account details for sale

617M stolen account details from 500px, Dubsmash, MyFitnessPal, ShareThis, more, being sold

Ben Lovejoy Feb 13 2019 - 5:28 am PT

Stolen account details from 16 hacked websites have gone on sale on the dark web. In all, 617 million records are available, with data including account holder names, email addresses and hashed passwords …

Expand
Expanding
Close

New Face ID patent application seems likely to fix the 3D-printed mask issue

Ben Lovejoy Feb 11 2019 - 4:17 am PT

Face ID mask

A new Apple patent application suggests that the company has boosted the security of Face ID in order to defeat the attack method demonstrated in 2017, when a specially-designed 3D-printed mask was able to unlock an iPhone X.

The attack was a sophisticated one, meaning that ordinary users didn’t have much to fear, but the security researchers did suggest that high-profile targets – like company CEOs – might want to avoid using Face ID …

Expand
Expanding
Close

iOS
Security

Google researcher says iOS 12.1.4 fixes two zero-day vulnerabilities that ‘were exploited in the wild’

Chance Miller Feb 7 2019 - 6:12 pm PT

Following the release of iOS 12.1.4 this afternoon, a top Google security engineer revealed two zero-day security threats. Ben Hawkes, team leader at Google’s Project Zero security team, revealed the existence of the vulnerabilities on Twitter this afternoon.

Expand
Expanding
Close

[Update: Over 200 bounty hunters bought data ‘tens of thousands of times’] User location data sold by AT&T, T-Mobile, and Sprint is making its way to bounty hunters, says report

Michael Potuck Feb 7 2019 - 12:52 pm PT

A new report from Motherboard today takes a look into the practices of US wireless carriers selling user location data to third-parties. While it’s often credit card and other financial companies buying the location data for fraud detection and more, Motherboard says some rogue third-parties have access to user location data and it’s landing the hands of bounty hunters and the black market.

Expand
Expanding
Close

Hackers using password phishing kits and fake receipts to access iCloud-locked iPhones

Michael Potuck Feb 6 2019 - 9:40 am PT

iPhone X rear

A new report from Motherboard today looks into the world of hacking iCloud-locked iPhones. While turning on Find My iPhone (which enables the iCloud lock) is generally thought to be quite secure, Motherboard highlights several ways that thieves, hackers, and coders are getting around the security feature to sell stolen (and non-stolen) devices.

Expand
Expanding
Close

macOS keychain exploit

Security researcher demos macOS exploit to access Keychain passwords, but won’t share details with Apple out of protest

Benjamin Mayo Feb 6 2019 - 2:32 am PT

Security researcher Linuz Henze has shared a video demonstration of what is claimed to be a macOS Mojave exploit to access passwords stored in the Keychain. However, he has said he is not sharing his findings with Apple out of protest.

Expand
Expanding
Close

Feature Request: After WhatsApp, I’d like to see Face ID as an option for other apps

Ben Lovejoy Feb 4 2019 - 5:50 am PT

Face ID apps

A WhatsApp update yesterday added the option of using Face ID to protect your chats, and that’s an option I think could be usefully added to other apps – including some of Apple’s own.

One could question the value. After all, locking your phone protects all your apps, so why bother offering app-by-app protection too … ?

Expand
Expanding
Close

WhatsApp updated with ability to lock app behind Face ID or Touch ID

9to5 Staff Feb 3 2019 - 6:44 pm PT

Popular Facebook-owned chat service WhatsApp has updated its iOS app today with support for biometric authentication, allowing users to ‘lock’ the app with Face ID or Touch ID. Although the feature does not work on a per chat basis, enabling the feature does add an extra layer of security to your private WhatsApp conversations.

Expand
Expanding
Close

Apple says iOS fix for Group FaceTime bug now coming next week, issues apology

Michael Potuck Feb 1 2019 - 6:14 am PT

Apple has today released an update on the FaceTime eavesdropping bug and offered an apology. The company says it has patched the flaw on its servers and will roll out an update to iOS users next week to bring back Group FaceTime with the bug fixed. It also makes a promise to improve how it handles bug reports and its escalation process.

Expand
Expanding
Close

UK’s GCQH wants Apple and others to secretly add law enforcement to encrypted chats and calls

Ben Lovejoy Feb 1 2019 - 5:18 am PT

GCHQ Apple

Britain’s Government Communications Headquarters (GCHQ) – the UK equivalent of the NSA – is calling on Apple and other tech companies to secretly add law enforcement agents to Messages chats, FaceTime calls and other forms of encrypted chat on demand.

The American Civil Liberties Union (ACLU) has said this would be like the recently-discovered FaceTime bug, only worse …

Expand
Expanding
Close

2.2 billion unique accounts compromised after ‘Collections #2-5’ dumped on torrent sites, here’s how to check yours

Michael Potuck Jan 31 2019 - 8:27 am PT

Apple security

Earlier this month we saw what was considered to be the largest ever dump of stolen internet accounts with 773 million email addresses and 21 million passwords. The dump of compromised accounts was called “Collection #1”. Now, Collections #2-5 have been dumped and the numbers are staggering: 845GB of stolen data that includes 25 billion total records and 2.2 billion unique usernames and passwords.

Expand
Expanding
Close

CookieMiner Mac malware tries to steal your cryptocurrency – as well as mine more

Ben Lovejoy Jan 31 2019 - 6:38 am PT

CookieMiner

CookieMiner is the latest Mac malware to be discovered. It’s highly targeted, using a clever technique to try to steal your cryptocurrency.

Discovered by security researchers from Palo Alto Networks’ Unit 42, it uses a two-fold attack method to obtain your login credentials and bypass two-factor authentication …

Expand
Expanding
Close