Skip to main content

security flaw

See All Stories

FBI tips Apple about security flaw in iOS and Mac software … but it had already been fixed with iOS 9

The FBI has decided it will not divulge the details of how it successfully hacked into the San Bernardino iPhone to Apple, having found a method at the last-minute just hours before going to court in late March. However, in an attempt to appear helpful and cooperative, the FBI gave Apple its first security tipoff under the Vulnerability Equities Process this month.

Reuters reports the FBI informed Apple of a security flaw affecting iOS and Mac software  on April 14th, as part of a process that balances the needs of law enforcement to hack devices and the needs of manufacturers to patch found flaws before criminals can use them …


Expand
Expanding
Close

HTTPS bug leaves 1,500 iOS apps vulnerable to man-in-the-middle attacks, finds analytics company

Site default logo image

The buggy code highlighted by arsTechnica

A bug in the way that 1,500 iOS apps establish secure connections to servers leaves them vulnerable to man-in-the-middle attacks, according to analytics company SourceDNA (via arsTechnica). The bug means anyone intercepting data from an iPhone or iPad could access logins and other sensitive information sent using the HTTPS protocol.

A man-in-the-middle attack allows a fake WiFi hotspot to intercept data from devices connecting to it. Usually, this wouldn’t work with secure connections, as the fake hotspot wouldn’t have the correct security certificate. However, the bug discovered by SourceDNA means that the vulnerable apps fail to check the certificate … 
Expand
Expanding
Close

Site default logo image

Delta security flaw enables passengers to access someone else’s online boarding pass

Hackers of NY founder Dani Grant has discovered (via Engadget) a security flaw that enables Delta passengers to access the boarding passes of others, even those flying with different airlines like Southwest. Grant realized that she could share a link allowing anyone to download her boarding pass, and then change one digit in the URL and be presented with a completely different boarding pass belonging to someone else.
Expand
Expanding
Close

U.S. Department of Homeland Security warns iOS users about ‘Masque Attack’ security flaw

The U.S. Department of Homeland Security on Thursday issued an alert warning iOS users about the recent “Masque Attack” security flaw that can affect both non-jailbroken and jailbroken iPhone, iPad and iPod touch devices. The United States Computer Emergency Readiness Team outlines how the technique works and offers solutions on how iOS users can protect themselves.
Expand
Expanding
Close

Site default logo image

CNN iPhone app exposing login info of its iReporters unencrypted, according to security researchers

Update: Apple tells us CNN submitted fixes for both their iPhone and iPad apps that are now live on the App Store.

Security researchers at Zscaler claim to have found a security flaw in CNN’s iPhone app that exposes personal login and passwords of its users. The CNN app for iPhone, which includes an iReport feature that allows users to sign-up and submit news stories, is reportedly not using SSL encryption for registration/login and SSL certificate pinning like its Android app counterpart and sending the personal user info to and from the app unencrypted. The report notes that CNN’s iPad app is not subject to the same vulnerability as it currently doesn’t have the iReport feature:

The current CNN for iPhone App (verified on Version 2.30 (Build 4948)) has a key weakness whereby passwords for iReport accounts are sent in clear text (unencrypted). While this is always a problem, it’s especially concerning that this relates to functionality which permits people to anonymously submit news stories to CNN. This occurs both when a user first creates their iReport account and during any subsequent logins.

As can be seen, both transmissions are sent in clear text (HTTP) and the password (p@ssword) is sent unencrypted, along with all other registration/login information. The concern here is that anyone on the same network as the user could easily sniff the victim’s password and access their account. Once obtained, the attacker could access the iReport account of the user and compromise their anonymity. The same credentials could be used to access the user’s web based iReport account where any past submissions are also accessible.

Zscaler said it notified CNN of the security flaw on July 15th and that the company confirmed it’s investigating. The CNN app for iPhone received an update today with “bug fixes” listed in the release notes, but the company is yet to confirm if the update was to address the security flaw detailed by Zscaler.

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications