Five People Hacked Apple for 3 Months and Here’s What They Found →

October 9, 2020 · 09:43

Sam Curry:

Between the period of July 6th to October 6th, myself, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes worked together and hacked on the Apple bug bounty program.

There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports. These severities were assessed by us for summarization purposes and are dependent on a mix of CVSS and our understanding of the business related impact.

As of October 6th, 2020, the vast majority of these findings have been fixed and credited. They were typically remediated within 1-2 business days (with some being fixed in as little as 4-6 hours).

I was genuinely surprised Apple reacted so fast. The whole thing is well worth a read.


Reuters: Flaw in iPhone and iPads May Have Allowed Hackers to Steal Data for Years →

April 22, 2020 · 21:11

Christopher Bing:

The bug, which also exists on iPads, was discovered by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyberattack against a client that took place in late 2019. Zuk Avraham, ZecOps’ chief executive, said he found evidence the vulnerability was exploited in at least six cybersecurity break-ins. 

An Apple spokesman acknowledged that a vulnerability exists in Apple’s software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally. 

Apple declined to comment on Avraham’s research, which was published on Wednesday, that suggests the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.


Vulnerability in Safari Allowed Unauthorized Websites to Access iOS and macOS Webcams →

April 3, 2020 · 23:55

Ryan Pickren:

This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on Desktop Safari (like on Mac computers) or Mobile Safari (like on iPhones or iPads).

Hackers could then use their fraudulent identity to invade users’ privacy. This worked because Apple lets users permanently save their security settings on a per-website basis.

If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom […]

[…] Apple considered this exploit to fall into the “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data” category and awarded me $75,000.


How Rob Lost Control of His Bank Accounts to a Phone Scammer →

April 1, 2020 · 14:32

Rob Griffiths, on Robservatory:

Yesterday, instead of having a productive afternoon at home, I had the privilege of sitting at the bank for a couple of hours, resolving a problem completely of my own doing: I fell for a phone scammer. My wife and I had to close our accounts—which were in excess of 25 years old—and set up new ones. I then spent hours updating our various bill paying services, Quicken account access, etc.

Do yourself a favor, and don’t be me. I never thought I’d be “that guy” either, as I keep current on scams, look for signs of fishiness on phone calls, etc. Still, they got me, and it was painful—not necessarily in terms of financial loss (we’re out $500 for maybe 60 to 90 days while they investigate), but in terms of time: Time to fix what I did, and even more time spent beating myself up over my stupidity.

I have a strict rule — I do not give out any personal data or passwords to anyone, especially over the phone, even if I know it’s the bank calling me. I will either ask to call them back, to make sure I’m dialling the correct number, or I’ll go down to their branch personally.

Luckily Rob should pull through this one fine — he’s out some $500, which he’ll probably get back. It could have been much worse.


A Message About iOS Security →

September 6, 2019 · 19:17

Apple:

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

We now have two sides to the story. Where does the truth lie?


SIM Swap Horror Story: I’ve Lost Decades of Data and Google Won’t Lift a Finger →

June 19, 2019 · 09:22

Matthew Miller, on ZDNet:

First they hijacked my T-Mobile service, then they stole my Google and Twitter accounts and charged my bank with a $25,000 Bitcoin purchase. I’m stuck in my own personal Black Mirror episode. Why will no one help me?

I use a password manager but I made it a point many years ago to keep some passwords only in my head. My banking login information included.

Regarding the part about Google and Twitter — it’s 2019 and getting help from those companies, in critical situations, is basically impossible. Baffling.


The Most Expensive Lesson of My Life: Details of SIM Port Hack →

May 22, 2019 · 11:36

Sean Coonce:

I lost north of $100,000 last Wednesday. It evaporated over a 24-hour time span in a “SIM port attack” that drained my Coinbase account. It has been four days since the incident and I’m gutted. I have zero appetite; my sleep is restless; I am awash in feelings of anxiety, remorse, and embarrassment.

This was the single most expensive lesson of my life and I want to share my experience + lessons learned with as many people as possible. My goal is to increase awareness about these types of attacks and to motivate you to increase the security of your online identity.

I try to take all my security very seriously, but since “I know what I’m doing”, I do like to cut corners a bit. Not as much as Sean though. His piece has motivated me to review my whole setup.


Facebook Demanding Some New Users’ Email Passwords →

April 3, 2019 · 18:42

Kevin Poulsen:

Just two weeks after admitting it stored hundreds of millions of its users’ own passwords insecurely, Facebook is demanding some users fork over the password for their outside email account as the price of admission to the social network.

Facebook users are being interrupted by an interstitial demanding they provide the password for the email account they gave to Facebook when signing up. “To continue using Facebook, you’ll need to confirm your email,” the message demands. “Since you signed up with [email address], you can do that automatically …”

A form below the message asked for the users’ “email password.”

“That’s beyond sketchy,” security consultant Jake Williams told the Daily Beast. “They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”

The people running Facebook need to be criminally charged for all the wrong that they’ve done and continue to do.

And please just go and delete your Facebook account.


Teenager Finds MacOS Exploit That Steals Password From the Keychain →

February 8, 2019 · 11:57

Thomas Brewster, writing for Forbes:

[…] German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you’re using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger.

To make matters worse, it’s likely that no fix is in the works. Henze isn’t disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack’s details secret from the Cupertino giant.

This is bad, and while I understand why he doesn’t want to disclose it to Apple, all macOS users are susceptible to a security breach.


Hackers Are Passing Around a Megaleak of 2.2 Billion Records →

February 1, 2019 · 14:06

Andy Greenberg, reporting for Wired:

When hackers breached companies like Dropbox and LinkedIn in recent years—stealing 71 and 117 million passwords, respectively—they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 _billion_ unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year’s phone book.

You can (allegedly) safely check which of your accounts have been breached on Have I Been Pwned. Oh and if you aren’t yet doing so, I strongly recommend using a password manager, such as 1Password.


UAE Used Cyber Super-Weapon to Spy on iPhones of Foes →

January 31, 2019 · 08:54

Joel Schectman, for Reuters:

The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.

In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the hackers harvest saved passwords, which could be used for other intrusions.

It isn’t clear whether the Karma hack remains in use. The former operatives said that by the end of 2017, security updates to Apple Inc’s iPhone software had made Karma far less effective.

How many tools are currently out in the world, whose existence we are completely oblivious to?


Revolut Typeform Breach: What Happened and Is My Data Safe? →

July 5, 2018 · 10:16

We have been alerted that Typeform, a company that we frequently use to survey our customers, has been compromised in a data breach […]

We would like to assure our customers that no sensitive data, such as personal account details or passwords, have been compromised in this breach. Upon reviewing previous surveys, we have only ever asked for details such as your email address and Twitter handle […]

Our focus right now is to contact everyone who has been affected, letting them know exactly what kind of data of theirs was breached, what they should do and how we will stop something like this from happening again.

If you don’t get an email from us on this matter, that means that none of your data was compromised and you have nothing to worry about.


Teen Hackers Snatched the Keys to Microsoft’s Videogame Empire →

June 25, 2018 · 11:20

Brendan Koerner, for Wired:

Pokora had long been aware that his misdeeds had angered some powerful interests, and not just within the gaming industry; in the course of seeking out all things Xbox, he and his associates had wormed into American military networks too. But in those early hours after his arrest, Pokora had no clue just how much legal wrath he’d brought upon his head: For eight months he’d been under sealed indictment for conspiring to steal as much as $1 billion worth of intellectual property, and federal prosecutors were intent on making him the first foreign hacker to be convicted for the theft of American trade secrets. Several of his friends and colleagues would end up being pulled into the vortex of trouble he’d helped create; one would become an informant, one would become a fugitive, and one would end up dead.

It’s amazing how fast someone’s judgement can become skewed the wrong way.


MyFitnessPal Hacked →

April 10, 2018 · 00:42

From their FAQ:

On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts […]

The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.

The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.

I still have an account over there which I don’t use. Time to get rid of it.


iPhone iBoot Source Code Gets Posted On Github →

February 8, 2018 · 15:22

Lorenzo Franceschi-Bicchierai, writing for Motherboard:

Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve.

The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. In other words, it’s the program that loads iOS, the very first process that runs when you turn on your iPhone. It loads and verifies the kernel is properly signed by Apple and then executes it—it’s like the iPhone’s BIOS.

The code says it’s for iOS 9, an older version of the operating system, but portions of it are likely to still be used in iOS 11.

Apple has already filed a copyright takedown request with GitHub, which resulted in the code being removed, but that won’t help much — the code is out in the wild.


Repair File Sharing After Security Update 2017-001 for macOS High Sierra 10.13.1

November 30, 2017 · 06:13

Apple pushed a security update for the huge High Sierra vulnerability yesterday, introducing a bug while they were at it. You should install the update as soon as possible and then do this, if File Sharing isn’t working:

Open the Terminal app, which is in the Utilities folder of your Applications folder.

  1. Type sudo /usr/libexec/configureLocalKDC and press Return.
  2. Enter your administrator password and press Return.
  3. Quit the Terminal app.

John Gruber summarized the problem, which seems to have been around for a few months now:

So the exploit was floating around, under the radar, for weeks at least, but it seems as though no widespread harm came of it.

Personally, I’d call this much too optimistic — people could have been hacked without them even realizing it.


Hacker Decrypts Apple’s Secure Enclave Processor Firmware →

November 28, 2017 · 09:03

iClarified:

Hacker xerub has posted the decryption key for Apple’s Secure Enclave Processor (SEP) firmware.

The security coprocessor was introduced alongside the iPhone 5s and Touch ID. It performs secure services for the rest of the SOC and prevents the main processor from getting direct access to sensitive data. It runs its own operating system (SEPOS) which includes a kernel, drivers, services, and applications […]

Decryption of the SEP Firmware will make it easier for hackers and security researchers to comb through the SEP for vulnerabilities.


32 Million Twitter Passwords Leaked →

June 9, 2016 · 15:37

LeakedSource:

This data set contains 32,888,300 records. Each record may contain an email address, a username, sometimes a second email and a visible password. We have very strong evidence that Twitter was not hacked, rather the consumer was. These credentials however are real and valid. Out of 15 users we asked, all 15 verified their passwords.

Change your password.


How to Avoid Clipboard Poisoning Attacks on the Mac →

June 4, 2016 · 14:56

Thomas Reed:

Graham Cluley drew my attention the other day to an issue that has apparently been known to some for years, but was new to me: clipboard poisoning, an issue where a website can replace what you think is on your clipboard with something else […]

It turns out that there’s a possibility that this could lead to remote code execution. In other words, it could lead to someone else’s malicious code being run on your computer without your knowledge!

Once malicious code has been run on your computer, that code can download and install other processes, and in no time, your Mac has been pwned.

The key to this issue lies with any code that the user might copy from a website, then copy somewhere else in such a way that it is automatically executed. It turns out that this is possible with shell scripts pasted into the Terminal.

As an example, consider the following command, which is commonly cited as a way to make your Mac show hidden files:

defaults write com.apple.finder AppleShowAllFiles TRUE; killall Finder
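The practical defence against this is to look at what is actually on the clipboard before it reaches the Terminal. The following shell function is an added example written for this post, not code from Thomas Reed’s article: it reads text on standard input (on macOS, `pbpaste | clipboard_check`), dumps the exact bytes, and refuses the text if it contains anything non-printable, which covers the trailing newline that makes Terminal execute a paste immediately as well as tabs and escape sequences. The sample at the bottom is constructed: it is the command from the post with a newline appended.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-paste check for text
# copied from a web page. A poisoned clipboard can differ from what the page
# displayed, and a trailing newline makes Terminal run the text on paste.
# Intended use on macOS:  pbpaste | clipboard_check

clipboard_check() {
    # Capture stdin verbatim; the trailing "x" stops $(...) from stripping
    # a final newline, which is exactly the byte we want to catch.
    text=$(cat; printf 'x')
    text=${text%x}

    # Show every byte so hidden newlines, tabs and escape codes become visible.
    printf '%s' "$text" | od -c

    # Count bytes outside the printable class (space through tilde in the C
    # locale); non-ASCII bytes are flagged too, which is the conservative choice.
    hidden=$(printf '%s' "$text" | tr -d '[:print:]' | wc -c)
    hidden=$((hidden))   # normalise the padding some wc versions print

    if [ "$hidden" -gt 0 ]; then
        printf 'WARNING: %s non-printable byte(s) in clipboard text; inspect before pasting\n' "$hidden" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the command from the post with a newline appended,
# which is how a poisoned page would make the paste execute on its own.
printf 'defaults write com.apple.finder AppleShowAllFiles TRUE; killall Finder\n' \
    | clipboard_check || echo "Do not paste this straight into Terminal."
```

The function deliberately prints the `od -c` dump even when the check passes, so that the visible text can be compared against what the web page showed; the exit status only captures the mechanical part of the check.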

Read his full post for tips on how to keep yourself safe.

via @qurczaq


Apple Pencil Hacks →

April 12, 2016 · 12:25

Myke Hurley:

By this point, my love of the Apple Pencil has been well documented, and it is now an essential part of the iPad experience for me.

I use my Apple Pencil for taking notes, sketching out ideas, and for navigating the iOS user interface. The latter use of my Apple Pencil is the one that’s most important to me. After having used a Wacom tablet on a Mac for the last 6-8 months, I have come to truly appreciate the benefits of pen input. The fact that the Apple Pencil lets me do this, is easily my favourite use of the device.

As with most devices that I love, I have taken it upon myself to make some customisations to it, and the iPad Pro it is connected to.

Love the skin.


Kevin Roose Dared Two Hackers to Destroy His Life — Here’s What Happened

February 25, 2016 · 16:00

Kevin Roose:

Several months ago, while I was typing a few e-mails at my dining room table, my laptop spoke to me.

“You…look…bored,” it said in a robotic monotone, out of nowhere.

Startled, I checked my browser tabs and my list of open applications to see if anything had been making noise. Nothing had. I hadn’t been watching any YouTube videos, browsing any pages with autoplay ads, or listening to any podcasts when the voice appeared.

Then I realized: this was the hacker. The same hacker who, for the prior two weeks, had been making my life a nightmare hellscape — breaking into my email accounts, stealing my bank and credit card information, gaining access to my home security camera, spying on my Slack chats with co-workers, and—the coup de grâce—installing a piece of malware on my laptop that hijacked my webcam and used it to take photos of me every two minutes, then uploaded those photos to a server owned by the hacker.

Hence the robot voice. From his computer on the other side of the country, the hacker spied on me through my webcam, saw that I was unenthused, and used my laptop’s text-to-speech function to tell me “you look bored.”

I had to admit, it was a pretty good troll.


MacKeeper Leaks 13 Million Mac Owners’ Data →

December 15, 2015 · 08:42

Thomas Fox-Brewster:

Anti-virus provider MacKeeper is known for pushing the message Apple Mac owners need protection. It needed some extra protection of its own today, after a white hat hacker discovered a database containing 13 million customer records was accessible by just visiting a selection of IP addresses, no username or password required.

Do not install this crap. Ever. And delete it if already installed. It does not help in any meaningful way, and is harmful in many others.