Security news

Beware! Do not update to iTunes 12.8.1 if you are on OS X Yosemite 10.10.5

iTunes users took to MacRumors Forums, Twitter, Reddit, and Stack Exchange recently to report that upgrading to iTunes 12.8.1 version is breaking Safari 10.1.2, the latest version of the browser for OS X Yosemite 10.10.5.

Users who updated to iTunes 12.8.1 were greeted with following error message when opening Safari on OS X Yosemite 10.10.5:

“Safari cannot be opened because of a problem.

Check with the developer to make sure Safari works with this version of Mac OS X. You may have to reinstall the application. Be sure to install any available updates for the application and Mac OS X.

One Stack Exchange user was of the opinion that the iTunes 12.8.1 update is likely updating the MobileDevice.framework in /System/Library/PrivateFrameworks/ to a version incompatible with Safari 10.1.2.

However, it now appears that Apple has pulled the iTunes 12.8.1 update. Some users have found a workaround to fix Safari. For that, you need to go the Finder app, click on Go > Go to Folder… in the top menu bar, typing in /System/Library/PrivateFrameworks/ and drag MobileDevice.framework to the Trash.

Note: These steps have not been tested by us.

Also Read- What is Mac OS? Pros and Cons Of Using It

Facebook accidentally exposed 6.8 million users’ private photos to developers

Facebook on Friday disclosed a data breach that may have exposed unposted photos of as many as 6.8 million users.

According to the company’s developer blog, a photo API bug accidentally gave hundreds of third-party apps unauthorized access to photos of as many as 6.8 million users during a 12 days period between September 13 and 25. It is believed that up to 1,500 apps built by 876 developers may have been affected by the bug.

“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” engineering director Tomer Bar said in a message to developers.

“In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories.”

Apparently, the bug inadvertently also gave third-party apps access to photos that were not shared on timelines, for example, if someone uploads a photo to Facebook but doesn’t finish posting it, Bar added.

“We store a copy of that photo so the person has it when they come back to the app to complete their post,” he said.

Bar added that potentially affected Facebook users will get a Facebook notification, which will direct them to a Help Center link where they will be able to see if they have used any apps that were affected by the bug.

“We’re sorry this happened,” Bar said. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

Bar also suggested that users should log into any apps with which they have shared their Facebook photos to find out if they have access to photos they shouldn’t.

Besides the Facebook photo API bug discovered in September, the social networking giant was also hit by another data breach the same month where data of some 30 million users were exposed to hackers as a result of a flaw in Facebook’s ‘View As’ feature.

Another data leak forces Google to close down Google+ in April 2019

In October this year, we had reported how personal data of hundreds of thousands of Google+ social media users were exposed after a software glitch between 2015 and March 2018. Following the data exposure, Google had decided to shut down Google+ permanently over a span of 10 months.

However, a newly discovered second data leak has now forced Google to shut down much before it has planned. According to the company, a bug in the Google+ API has exposed the data of 52.5 million users, which has compelled the search giant to kill off Google+ in April 2019. The company also added that the bug was fixed within a week of it being introduced.

“We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API. We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way,” David Thacker, VP, Product Management, G Suite said in a blog post.

“With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019. While we recognize there are implications for developers, we want to ensure the protection of our users.”

Profile information of Google+ users such as name, email address, occupation, and age were exposed even when their profile was set to not-public. In addition, apps with access to a user’s Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly. However, no access was given to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.

The company has started notifying consumer users and enterprise customers affected by the bug. Although the platform will shut down for consumer users in April 2019, Google will continue to invest in Google+ for businesses.

“We understand that our ability to build reliable products that protect your data drives user trust. We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone,” said David Thacker in the closing statement.

For those who are unaware, Google+ is an Internet-based social network that was launched in June 2011 and is owned and operated by Google. The major reason why Google developed this social media platform was to compete with the exponentially growing social-media platform Facebook.

To increase the active user base Google interlinked Google+ with other services like Gmail and YouTube; however, the integration didn’t work out. In fact, even after massive investments and development Google+ didn’t gain immense popularity among users.

What do you think about Google+ being shut down? Do let us know your thoughts in the comments section below.

Quora hack exposes data of about 100 million users

Quora, the question-and-answer sharing website, announced yesterday that data of about 100 million of its users was compromised as a result of unauthorized access to one of their systems by a “malicious third party”.

“We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third party,” Quora CEO Adam D’Angelo said in a security update blog post. “We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing.  We have notified law enforcement officials. We are notifying affected Quora users. We have already taken steps to ensure the situation is contained, and we are working to prevent this type of event from happening in the future. Protecting our users’ information and fostering an environment built on trust remains our top priority so that together we can continue to share and grow the world’s knowledge.”

Quora discovered the breach on Friday, November 30, when they found that user’s data was accessed by an unauthorized third-party.

According to Quora, the following information may have been compromised:

• Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
• Public content and actions, e.g. questions, answers, comments, upvotes
• Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

However, as a safety measure, the company is currently notifying users whose data was compromised and logging out all affected Quora users. It has also notified law enforcement officials and has retained a leading digital forensics and security firm to assist them.

The users who wrote questions and answers anonymously were not affected by this breach, as the website does store information of people who post anonymous content. Currently, it is unknown how the attacker gained access to Quora’s systems.

“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust,” Dylan added.

Quora has advised its users to not reuse the same password as Quora across multiple services, and suggested them to change it if they are doing so. Also, we would advise our readers to use unique passwords for every site that you visit to avoid being a victim of data breach.

Dell.com resets all customer passwords after a network breach

Dell Inc., the U.S. based hardware giant, announced yesterday that the company had suffered a security breach earlier this month, on November 9, 2018. However, the company said that it managed to stop hackers who were looking to access data such as customer names, email addresses and hashed passwords.

“Dell is announcing that on November 9, 2018, it detected and disrupted unauthorized activity on its network attempting to extract Dell.com customer information, which was limited to names, email addresses and hashed passwords,” the company said in its press release.

“Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation. Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement.”

According to reports, Dell did not inform its customers about the breach when it forced the password resets for all customer accounts on November 14, 2018. Also, the company did not mention how the hackers were able to breach its network.

“Our investigations found no conclusive evidence that any information was extracted,” Dell said in its press release. “Credit card and other sensitive customer information was not targeted. The incident did not impact any Dell products or services.”

Dell said that it is still investigating the incident, but said the breach wasn’t extensive one, as the company’s engineers were able to detect the intrusion on the same day it took place.

While a Dell spokesperson refused to provide the number of affected accounts, he said that “it would be imprudent to publish potential numbers when there may be none.”

Following the security breach, the company has encouraged its customers to change password for their Dell.com account and also for other online services if they use the same or similar passwords.

Facebook to pay up to $40,000 for finding ways to hack Facebook or Instagram accounts

Facebook has been going through a rough patch this year after suffering two severe security breaches that affected millions of its users.

While every year, Facebook pays millions of dollars to researchers and bug hunters to find security holes in its products and organization, it is still facing security breaches. Facebook has been running its Bug Bounty program since 2011.

Now, in order to step up its efforts to tighten the security of the platform, Facebook on Tuesday announced in a post that it has increased the average payout for account takeover vulnerabilities so as “to encourage security researchers to work on finding high-impact issues”.

The announcement further read, “The researchers who find vulnerabilities that can lead to a full account takeover, including access tokens leakage or the ability to access users’ valid sessions, will be rewarded an average bounty of:

* $40,000 if user interaction is not required at all, or
* $25,000 if minimum user interaction is required.

“This change applies to all products owned by Facebook, including Instagram, WhatsApp, and Oculus.

“Further, we will not require a full exploit chain in cases where leveraging the vulnerability requires bypassing our Linkshim mechanism.

“While monetary reward may not be the strongest incentive for why bug bounty researchers hack, we believe it remains a strong motivator for our white hat researchers to invest time in helping us identify and mitigate vulnerabilities. We encourage researchers to share their proof of concept reports with us without having to also discover bypasses for Facebook defense mechanisms.

“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high-quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.”

For those unaware, earlier this year, it was the Facebook–Cambridge Analytica data scandal where the personal information of 87 million Facebook users was harvested by Cambridge Analytica without their consent and used for political purposes.

Later, in September this year, Facebook discovered a major security issue that allowed hackers to access information, which could allow them to take over around 50 million accounts.

Source: Facebook 

A few months ago Instagram rolled out the “Download Your Data” feature to comply with the new European data privacy regulations, General Data Protection Regulation (GDPR). Well, this helpful feature had a major bug that accidentally exposed user’s password and made it vulnerable. So here’s everything you need to know about the issue.

Instagram Bug Exposed Passwords: The Issue

Instagram and Facebook are two of the most popular social media platforms with billions of users across the globe. Both Instagram and Facebook have been in news this year due to many major security flaws.

The “Download Your Data” feature on Instagram allowed users to download their activity like recent posts, likes, and comments. As a security measure, Instagram asked users to re-enter their passwords.

Due to the security bug, these re-entered passwords were visible and even saved as plaintext in URL and were also saved on Facebook’s server, Instagram’s parent company.

According to Instagram, these saved passwords were recently deleted from Facebook’s server. In addition to that, every affected user was notified about the security bug. That said, a very small number of people were affected by this issue.

Instagram Bug Exposed Passwords: The Solution

Well, if you are one among those affected users its a wise decision to change your Instagram password and even delete your browser’s history. Furthermore, turning on two-factor authentication (2FA) will further secure your account.

Lastly, if you didn’t receive any notification about the security bug then your passwords are completely safe. That said if you still experience any weird activity with your account, you should definitely follow the above-mentioned security measures and secure your account.

According to Instagram, this security bug has been completely fixed now. Furthermore, any sort of information or password was not exposed to anyone else.

Do share your thoughts and opinions on the above-mentioned issues in the comments section below.

This AI-Generated ‘Master’ Fingerprint Can Unlock Any Smartphone

Like a master key that can open any lock, researchers from the University of Michigan and New York University have created an AI-generated ‘master’ fingerprint that is capable of unlocking most of the modern smartphones.

The research team presented their work in a paper titled DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution.

How Are Master Fingerprints Generated?

The fingerprints dubbed as “DeepMasterPrints” by the researchers can be artificially generated using machine learning algorithm.

These can be used to fool databases protected by fingerprint authentication without essentially requiring any information about the user’s fingerprints.

The artificially generated prints were able to accurately replicate more than one in five real fingerprints in a database, which should only have an error rate of one in a thousand.

DeepMasterPrints takes advantage of two flaws in fingerprint-based authentication systems. The first is that many fingerprint scanners do not read the entire finger at once.

Secondly, some different fingertip portions are more common than others, which means that scanners that only read partial prints are more likely to be tricked by common fingerprint characteristics.

The team trained a neural network to create artificial fingerprints and used evolutionary optimization methods to find their best DeepMasterPrints.

They used a common machine learning method, called “generative adversarial network” (GAN) to artificially create new fingerprints that matched as many certain portions of other fingerprints as possible.

The team points out that the attack using their AI-driven method can be distributed against random devices “with some probability of success.”

The researchers used a NIST public database with 54,000 fingerprints and 8640 finger scans as input for learning and improving their neural networks.

However, such attacks may not be able to break into your phone.

“A similar setup to ours could be used for nefarious purposes, but it would likely not have the success rate we reported unless they optimized it for a smartphone system,” lead researcher Philip Bontrager of the New York University engineering school told Gizmodo. “This would take a lot of work to try and reverse engineer a system like that.”

But, if a hacker is able to use such attacks against many fingerprint-accessible accounts, then the success rate of unlocking devices would be much more.

According to Bontrager, “the underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis.”

He and his team want their research to motivate companies to step up fingerprint-security efforts. “Without verifying that a biometric comes from a real person, a lot of these adversarial attacks become possible,” Bontrager said. “The real hope of work like this is to push toward liveness detection in biometric sensor.”

Apple Watches bricks after users update to the latest watchOS 5.1, Apple halts the update

All those Apple Watch users who haven’t updated to the latest watchOS 5.1 should refrain from doing so, as Apple has pulled out this software update.

Few users took to Reddit and Twitter to report bricking of Apple Watches after updating to watchOS 5.1. Apparently, the issue seems to only be affecting the new Apple Watch Series 4 models.

After bricking reports, Apple has temporarily removed the watchOS 5.1 software update. In a statement to CNET, Apple said it was aware of the problem and was working on a fix.

“Due to a small number of Apple Watch customers experiencing an issue while installing watchOS 5.1 today, we’ve pulled back the software update as a precaution,” it explained.

“Any customers impacted should contact AppleCare, but no action is required if the update installed successfully. We are working on a fix for an upcoming software update.”

Earlier this week, Apple had released watchOS 5.1 update alongside iOS 12.1. watchOS 5.1 brings support for fall detection, Group FaceTime audio, new emoji, and a new color full-screen watch face. Besides these, the watchOS 5.1 update also included 14 security fixes.

For those who have downloaded the latest watchOS 5.1 update before it was pulled but have not installed it, it is advisable to not do so and wait for Apple to re-release the update.

New iOS Passcode Bypass Found Hours After Apple Releases iOS 12.1

Apple considered as the highly secured device was bypassed shortly after the Cupertino giant released the latest version of its mobile operating system, iOS 12.1 on Tuesday.

Jose Rodriguez, a Spanish security researcher, and an iPhone enthusiast has managed to find a passcode bypass bug that allows attackers to access the contacts list on a locked iPhone.

Rodriguez shared a video (see below) with The Hacker News to show how the bug works.

As detailed in the video, the passcode bypass bug is present in a new feature introduced in iOS 12.1 called Group FaceTime. This bug can be exploited by either receiving a phone call or asking Siri to make a phone, and by changing the call to FaceTime.

Once switched to a FaceTime call, go to the bottom right menu and select “Add Person.” This will give access to the complete contact list of the targeted iPhone in spite of the device being locked. Further, by using the 3D Touch feature, you can see additional information of every contact in the contact list.

According to Rodriguez, the new passcode bypass bug would work on only those iPhone models that support Apple’s Group FaceTime added in the iOS 12.1 release, as the attack utilizes Apple’s Facetime.

The researcher also found that the hack works even without having Siri or VoiceOver screen reader feature enabled on a target iPhone.

Last month, a similar passcode bypass bug was discovered by Rodriguez in iOS 12 that takes advantage of Siri and VoiceOver screen reader and allows an attacker to access photos and contact details on a locked iPhone XS as well as other Apple devices.