Posts with tag exploit
Some personal information potentially accessed
Late last week, Apple’s Developer Website, the portal used by iOS and OS X developers to access tools and documentation, became unable to be accessed, which many people presumed to be for maintenance purposes. But as the weekend went on and the site remained down, suspicions began to arise; Apple routinely takes their sites down for maintenance, however such an event has never occurred for such an extended among of time.
Last night, Apple finally confirmed what many were beginning to expect – the Developer Site was not down for maintenance, but was rather the victim of an advanced exploration attempt by an intruder. In an email sent to all Apple registered developers, Apple claims that they have been busy “completely overhauling our developer systems, updating our server software, and rebuilding our entire database,” to assure that such a thing never happens again.
While Apple claims that no truly sensitive information was breached, they can not rule out the thought that the intruder may have been given access to names, addresses, and/or email addresses.
You can see Apple’s complete email to developers quoted below. The Apple Developer Website appears to remain down.
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.
In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.
This is one nasty bug.
Hey, are you an Android user? If so, chances are that your device is vulnerable to a massive Android exploit, one that could potentially and easily cripple almost everyone Android device made from Android 1.6 and onwards – that’s roughly 99% of all Android devices currently in active use. The flaw exists in Android’s security protocols that allows malicious code to corrupt third party APKs and applications and through that aspects of the core operating system.
Bluebox Security of San Francisco, who published this discovery in a blog post on their company blog yesterday, wrote about the implications of the discovery:
This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years—or nearly 900 million devices—and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.
According to Bluebox, several newer handsets – such as Samsung’s Galaxy S4 – have already seen this exploit fixed. However countless other major phones, including one already in your pocket – sun as the Galaxy Note II, Galaxy S3, HTC One S, HTC One, HTC One X, etc. and so on and so on – are vulnerable to this massive exploit.
Unfortunately, given that Android OEMs don’t often offer software updates to even their most premium devices, many Android devices out there will never see an official fix for this bug, especially damning given how large this bug is.
Source: Bluebox Security
That's quite the exploit
Ubisoft’s UPlay software, which allows is a DRM, game management, and multiplayer service for Ubisoft titles in a similar vein to parts of Origin, has been exploited today allowing hackers to download and play any game compatible with the service totally free of charge, and free of DRM. What’s most interesting is that the exploit also allows for users to download and play unreleased games, many of which have leaked to various public BitTorrent trackers and other forms of P2P software over the last couple of hours.
One only has to search for “Far Cry 3: Blood Dragon”, an unreleased and previously rumored Ubisoft game set in the Far Cry universe, to see the extent of the damage. Little was known about the game prior to this exploit; now we have full plot details, walkthroughs on YouTube, box art, and even the full game available for download free of charge.
Ubisoft has not yet commented on the exploit and sensitive data pertaining to UPlay users are reportedly safe from the exploit, however we will keep a close eye on the situation until we know more.
We love you too, Apple
It seems Apple hasn’t been very secure lately. First a few rounds of iOS lock screen bypasses, and now someone has figured out how to reset your Apple ID’s password with just your date of birth and your email address.
The exploit comes after Apple added two-step verification to their Apple ID and iCloud services. Unfortunately, the change also introduced said reset method for anyone who hasn’t yet migrated their account which at this point will be most people. To perform the reset, all one needs to do is use a malformed URL when visiting the iForgot page, and then entering your date of birth. That’s it.
Scary, right? We hope that this huge flaw will be fixed soon and will keep you up-to-date when it is.
Update 3:28PM CST – Engadget is now reporting that the password reset page has been taken offline. Hopefully when it returns, the hole will be patched.
Source: The Verge
Oh dear. iOS 6.1.3 has barely been out for a day and already someone has found another lock screen bypass. As usual for these bypasses, if it’s performed people will have access to your photos, contacts and phone dialer. This time, you need a little bit more than just an iPhone.
To perform this latest bypass, you need to start a phone call from the voice recognition system, then eject the SIM card halfway through the call. It’s more involved than previous exploits and it appears as if CDMA iPhones are safe, but it’s still amazing to see another exploit so soon after one was supposed to have been patched.
Check out the YouTube video below for a demonstration on how it works.
As one vulnerability closes, another one opens
If you use Origin for whatever reason, we give our condolences. We also give you some rather important news about Origin and PC security: It turns out that if you use Origin, your PC is at risk for a remote execution exploit that apparently takes seconds to perform.
The exploit comes from the way Origin handles game launching; a hacker can give you a link with a remote hosted DLL containing malicious code, and Origin will execute it. A similar attack happened to Steam last October, according to ArsTechnica.
EA has said they are aware of the issue and will be investigating it. There was no mention of when, or even if, the exploit would be patched. Hopefully the exploit will be patched, but we will see.
In the meantime, we advise you not to use Origin. If you absolutely have to, take extreme caution in what links you click. Who knows what evils the black hat hackers might have in mind for your machine?
Last month, we brought you news that there was a security vulnerability that allowed one to bypass the lock screen on your iPhone. Later in the month, we also brought news that there was a developer build of iOS 6.1.3 that fixed this issue, as well as a few minor issues for customers over in Japan.
Today we have word that iOS 6.1.3 has been made final so you do not need a developer unlocked iDevice to use it. It fixes the lockscreen exploit (of course), adds some Maps improvements for customers in Japan and it also fixes some other “security issues.”
Also of note is that this update does patch a few of the holes used by the Evasi0n jailbreak so if you’re one from that crowd you should hold off on this update. Otherwise, check your updates and download this update – it’s available for iPhone, iPad and iPod.
Brings Microsoft Exchange fixes
Apple has today issued its second update to iOS 6.1, iOS 6.1.2. Unlike the previous update that was only released for the iPhone 4S, iOS 6.1.2 is available for all supported iOS 6.1 devices, including the iPhone, iPad, and iPod.
Once again iOS 6.1.2 is a relatively small update that focuses on fixing specific bugs rather than updating the iOS 6.1 experience in any significant way. Apple released the following release notes with the update:
Fixes and Exchange calendar bug that could result in increased network activity and reduced battery life.
Jailbreak your Surface with a single click
As we reported just the other day, Microsoft’s Surface tablet – running Windows RT, a locked down version of Windows 8 for ARM devices – and all other Windows RT devices have been jailbroken, allowing users to execute unauthorized code just like any other Windows device (as long as it’s compiled for the device’s ARM processor, of course). The process was insanely complicated and far beyond the realm of knowledge for most consumers, which is why it’s all the more exciting that a jailbreak tool has just been released that allows users to take advantage of the just discovered exploit with just a single click of a .bat file.
Microsoft has already announced that they may closing the exploit in future versions of Windows RT, so definitely make sure you take advantage of this while you can. Until now, hit up the just released Windows RT jailbreak tool at the source link below.
Source: netham45 (XDA-Developers)
Mozilla is urging users to downgrade from the just released Firefox 16 and has just taken download links offline after discovering a major security flaw that could allow a malicious site to view the entirety of a user’s history.
Mozilla has stressed however that no users had been automatically updated to Firefox 16, so if you’re running the application you should know it – and that there is no actual report of the vulnerability being exploited in the wild… yet.
Firefox 16 users can downgrade to Firefox 15.0.1 using by clicking here and by clicking the “Free download” button.
Yesterday the internet was all about the report that certain model Samsung phones, including the Galaxy S II and the Galaxy S III, were prone to being wiped with the execution of just one line of code in the browser, which was bad enough – but today things got even worse when people discovered that the exploit actually affects other Android devices as well, including HTC’s high end One X device and the slightly older HTC Desire.
Worst yet, it’s not only OEM Android compiles that are prone to this – a Motorola Defy running CyanogenMod has also been shown to be affected to the very same bug. And these are just the devices people have been brave enough to try it on – imagine how many others out of the thousands of existing Android devices are affected by the very same issue, most of which will never see an update to fix the issue?
With reports that the exploit has been linked to a flaw in Android’s built in Phone app, Google could have a very, very large issue on their hands.