Security

Apple’s TestFlight is a tool created to help developers distribute their beta apps to users before they are released on the App Store to everyone. However, scammers have been using the platform to distribute malicious apps without Apple’s knowledge.

A company selling password-cracking tools says that a newly-discovered T2 Mac security vulnerability allows it to crack passwords on these machines, bypassing the lockouts.

The method used is far slower than conventional password-cracking tools, but although the total time needed could run into thousands of years, that could fall to as little as 10 hours when the Mac owner has used a more typical password…

9to5Mac has learned that the Cellebrite kit sold to customers can’t unlock iPhones – but the company can and will if customers send the phones to them.

It’s likely Cellebrite wants to keep its methods in-house, fearful of another intervention like the Signal one last year…

There are more than 2,800 US government Cellebrite customers, according to the smartphone hacking company. The tech can be used to extract most data from both iPhones and Android phones.

The company also boasts that its private sector clients include “six out of the world’s 10 largest pharmaceutical companies and six of the 10 largest oil refineries”…

Apple’s two-factor authentication autofill feature makes it painless to enter verification codes sent via SMS, but phishing attackers are getting savvy to this.

When they trick people into clicking on a fake link to a site that prompts for an SMS code, they do the same, so it looks legit when autofill offers to paste it in for you …

While most current Apple devices can verify your identity by fingerprint or face recognition, Apple is also considering adding biometric identification to future AirPods.

A patent application describes two potential ways that AirPods could confirm your identity before allowing access to sensitive data, like asking Siri to read your messages…

Security researchers have released details of DazzleSpy – Mac malware that enabled key-logging, screen captures, microphone access, and more.

DazzleSpy was used to target Hong Kong democracy activists, initially through a fake pro-democracy website, and later through a real one, in a so-called watering hole attack …

Inside of Apple’s latest update for Mac are fixes for a wide range of security flaws. macOS 12.2 patches 13 serious security bugs ranging from the Safari web browsing leak to a flaw that can give malicious apps access to root privileges, kernel privileges, iCloud data, and more.

Along with Apple’s software updates today for iPhone, iPad, Mac, Apple Watch, and more, a variety of security issues have been fixed. iOS 15.3 specifically patches 10 notable security bugs ranging from the Safari web browsing leak to a flaw that can give malicious apps root privileges, and more.

Apple paid a bug bounty of $100K after a cyber security student who successfully hijacked the iPhone camera back in 2019 did the same with the Mac camera.

Ryan Pickren used an imaginative approach that allowed him to run arbitrary code on a target Mac, and received what he believes to be the largest bug bounty Apple has ever paid …

We may still be waiting for some developers to update their apps to run natively on M1 Macs, but the developer of SysJoker Mac malware is already on the case.

Security researcher Patrick Wardle points to what he says is the first Mac malware of 2022, and it runs on both Intel and M1 Macs. SysJoker can be controlled remotely by an attacker, allowing it to be used in many different ways …

Use of the Chinese Olympics app, MY2022, is mandatory for everyone attending this year’s Olympic Games in Beijing, whether as an athlete or simply watching from the stadium.

The app collects sensitive personal data – like passport details, medical data, and travel history – and analysis by security researchers reveals that the code has two security holes that could expose this information …

Apple, Google, Amazon, Meta, and IBM will attend a meeting at the White House to discuss software security after the US suffered several major cyberattacks in 2021. As reported by Reuters, this meeting will take place today and will be hosted by deputy national security advisor for cyber and emerging technology Anne Neuberger.

Another suspected NSO phone hack has come to light, this of journalists and activists in El Salvador. Most of the journalists were working for an online news service that has been reporting extensively on alleged government corruption.

Two journalists contacted Citizen Lab after suspecting that their phones had been compromised, and an investigation confirmed their suspicions, and found that they weren’t the only ones …

We learned earlier this month that NSO’s Pegasus spyware was used to hack US State Department iPhones in Uganda, with no clue at the time who the attacker was.

A new report strongly suggests that the Ugandan government was behind the attacks, as the country – which has an appalling human rights record – is now known to have purchased the spyware. It also appears that this was, indirectly, the tipping point that led to NSO’s downfall…

Pegasus spyware maker NSO Group is reportedly running out of cash following actions by both the US government and Apple. This has led the company to explore options to put itself up for sale.

Two US funds have expressed an interest, claiming that they would change the company’s mission from offensive to defensive, though skepticism has been expressed about this …

Apple has patched the Log4Shell iCloud vulnerability, after it was last week revealed that a security hole in the open-source tool log4j put millions of apps at risk.

Cybersecurity experts described the vulnerability as “setting the internet on fire,” and “the most critical security vulnerability in a decade” …

A new exploit called “Log4Shell” has been giving security teams at large technology companies a headache. When exploited, the vulnerability lets hackers run malicious code on vulnerable servers, and it can reportedly affect platforms such as iCloud and Steam.