Naked Security
WhatsApp’s pitch: Simple. Secure. Reliable messaging.
Needed marketing addendum: Hole. Update. Now. Evil. MP4s.
Facebook on Thursday posted a security advisory about a seriously risky buffer overflow vulnerability in WhatsApp, CVE-2019-11931, that could be triggered by a nastily crafted MP4 video.
Naked Security
Did Android users celebrate loudly when Google announced support for Accelerated Mobile Pages for Email (AMP4Email) in its globally popular Gmail service in 2018?
Highly unlikely. Few will even have heard of it, nor have any idea why the open source technology might improve their webmail experience.
They might, however, be interested to learn that a researcher, Michał Bentkowski, of Securitum, recently discovered a surprisingly basic security flaw affecting Google’s implementation of the technology.
Naked Security
If you think brand new Android smartphones are immune from security vulnerabilities, think again – a new analysis by security company Kryptowire uncovered 146 CVE-level flaws in devices from 29 smartphone makers.
Without studying all 146 in detail, it’s not clear from the company’s list how many were critical flaws, but most users would agree that 146 during 2019 alone sounds like a lot.
The sort of things these might allow include the modification of system properties (28.1%), app installation (23.3%), command execution (20.5%), and wireless settings (17.8%).
Remember, these devices, which included Android smartphones made by Samsung and Xiaomi, had never even been turned on, let alone downloaded a dodgy app – these are the security problems shipped with your new phone, not ones that compromise the device during its use.
Naked Security
Facebook was quick to reassure iPhone users this week that it wasn’t secretly spying on them via its app, after someone found the software keeping the phone’s rear camera active in the background.
Facebook user Joshua Maddux discovered the problem on Saturday 9 November when looking at another user’s profile picture on the iPhone version of the Facebook app.
Naked Security
Mozilla on Friday posted a letter urging Congress to take the broadband industry’s lobbying against encrypted DNS within Firefox and Chrome with a grain of salt – they’re dropping “factual inaccuracies” about “a plan that doesn’t exist,” it says.
Both of the entities behind those browsers – Mozilla and Google – have been moving to embrace the privacy technology, which is called DNS over HTTPS (DoH). Also backed by Cloudflare, DoH is poised to make it a lot tougher for ISPs to conduct web surveillance; to hoover up web browsing activity and, say, sell it to third parties without people’s consent; or to modify DNS queries so they can do things like inject self-promoting ads into browsers when people connect to public Wi-Fi hotspots.
Those are just some of the ISP sins that Mozilla listed in its letter, which urged the chairs and ranking members of three House of Representatives committees to examine the privacy and security practices of ISPs, particularly with regards to the domain name services (DNS) ISPs provide to US consumers.
DoH isn’t a panacea – you can check out Paul Ducklin’s explanation of the issues it raises in the Naked Security podcast below – but it promises to at least seriously gum up tracking and monetization of data.
In September, Mozilla announced that it would turn on DoH by default for users of the Firefox browser’s desktop version in the US. Within days, Google issued a me-too, officially announcing its own DoH experiment in Chrome.
Naked Security
A flaw in a cross-border EU electronic identity system could have allowed anyone to impersonate someone else, a security consulting company has warned.
SEC Consult issued an advisory warning people of the flaw this week. It demonstrated the problem in the electronic identification, authentication and trust services (eIDAS) system by authenticating as 16th-century German writer, Johann Wolfgang von Goethe.
eIDAS came about because of a 2014 EU regulation that laid out the rules for electronic identification in Europe. The regulation, which came into effect in 2016, made it compulsory for EU countries to identify each other’s electronic IDs by the middle of last year. It covered a range of identification assets like electronic signatures and website authentication.
The problem is that there’s a flaw in the software used to manage this cross-border identification process, known as eIDAS-Node. Each country has to run a copy of this software to connect its own national identity management systems to others in the EU, creating a cross-border ID gateway. Using this gateway, citizens in the UK, say, could identify themselves to use electronic services in Germany, such as enrolling in a university or opening a bank account.
Like many federated identity systems, eIDAS uses the Security Assertion Markup Language (SAML). It’s an XML-based protocol from the nonprofit Organization for the Advancement of Structured Information Standards (OASIS). It lets users prove their identities across multiple service providers using a single login. Version 2, launched in 2005, includes support for features like encryption and the exchange of privacy information such as consent. It’s powerful but complex.
Naked Security
Adobe has become the latest company to be caught leaving an Elasticsearch database full of customer data exposed on the internet.
Discovered on 19 October by data hunter Bob Diachenko and security company Comparitech, the unsecured database contained the email addresses of nearly 7.5 million customers of Adobe’s Creative Cloud, plus the following:
That’s the email addresses of around half of Creative Cloud’s customer base although not, importantly, any of their passwords or payment information. Nevertheless, said Comparitech, spelling out the risk of phishing attacks:
Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.
Judging from clues in the data, Diachenko believes it might have been exposed for around a week. It’s not possible to tell whether anyone else accessed the data during this time.
Naked Security
Firefox just pushed out an update to fix a security glitch…
…in its password manager.
Naked Security
GitHub has been named in a class action lawsuit because the hacker who allegedly stole data from more than 100 million Capital One users posted details about the theft onto the platform.
GitHub is a code hosting platform for software development version control that uses Git and which lets coders remotely collaborate on projects. Microsoft bought the open-source developers’ site for $7.5 billion in stock in 2018.
The lawsuit, filed in US district court for the Northern District of California, names Capital One as well.
The suit says that GitHub had an obligation under California law and industry standards to keep off or remove Social Security numbers (SSNs) and personal information from its site. It says that it should be easy to do, given that SSNs are all nine digits long, in the sequence of XXX-XX-XXXX, but that GitHub “nonetheless chose not to.” Ditto for the other sensitive information that was leaked and posted, such as individuals’ addresses, which are all “similarly readily identifiable.”
The information was available on GitHub for over three months, until a bug hunter spotted it and notified Capital One.
The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act. It also alleges that GitHub is guilty of negligence, negligence per se, and violation of the California civil code.
Naked Security
Apple and Google have announced that they will limit the way audio recorded by their voice assistants, Siri and Google Assistant, are accessed internally by contractors.
Our conclusion: F**k Google and Apple!