
Security


iPhone and Android hacking tool used by FBI and DHS on sale on eBay for as little as $100

A Cellebrite UFED extracting data from an iPhone

The Cellebrite Universal Forensic Extraction Device (UFED) is a smartphone hacking tool commonly used by the FBI, Department of Homeland Security and other law enforcement agencies in the US and elsewhere. It’s the most powerful tool yet created by the Israeli company, able to extract a huge amount of data – even data which has been deleted from phones.

A brand new one normally costs $5,000 to $15,000 depending on the model, but older models can be found on eBay for as little as $100 …


Apple cuts ties with social media utility app that exposed emails of Instagram users shortlisted for Shot on iPhone contest


Yesterday, 9to5Mac was alerted to a flaw in a third-party utility app for Instagram, called Exposure. The app helps brands connect with Instagram posters, automating the collection of agreements to use imagery for commercial purposes.

It just so happens that Apple was using this tool for its Shot on iPhone campaign. 9to5Mac contacted Apple to report the security issue. Following an investigation, a few hours later, Apple cut ties with the Exposure service. (Update: Statement from the parent company of Exposure below)



Security hole in Mojave allows rogue apps to access your Safari browsing history

Safari browsing history accessible by rogue apps

An attempt by Apple to protect your Safari browsing history in macOS Mojave has a security hole which allows full access by a rogue app, says a Mac and iOS developer.

Prior to Mojave, your browsing history was freely available to any app that looked inside ~/Library/Safari. In macOS 10.14, however, Apple locked down access so tightly that you can’t even list the contents in Terminal – in theory …



New Face ID patent application seems likely to fix the 3D-printed mask issue


A new Apple patent application suggests that the company has boosted the security of Face ID in order to defeat the attack method demonstrated in 2017, when a specially-designed 3D-printed mask was able to unlock an iPhone X.

The attack was a sophisticated one, meaning that ordinary users didn’t have much to fear, but the security researchers did suggest that high-profile targets – like company CEOs – might want to avoid using Face ID …



[Update: Over 200 bounty hunters bought data ‘tens of thousands of times’] User location data sold by AT&T, T-Mobile, and Sprint is making its way to bounty hunters, says report

A new report from Motherboard today takes a look into the practices of US wireless carriers selling user location data to third-parties. While it’s often credit card and other financial companies buying the location data for fraud detection and more, Motherboard says some rogue third-parties have access to user location data and it’s landing in the hands of bounty hunters and the black market.



Hackers using password phishing kits and fake receipts to access iCloud-locked iPhones


A new report from Motherboard today looks into the world of hacking iCloud-locked iPhones. While turning on Find My iPhone (which enables the iCloud lock) is generally thought to be quite secure, Motherboard highlights several ways that thieves, hackers, and coders are getting around the security feature to sell stolen (and non-stolen) devices.



Feature Request: After WhatsApp, I’d like to see Face ID as an option for other apps


A WhatsApp update yesterday added the option of using Face ID to protect your chats, and that’s an option I think could be usefully added to other apps – including some of Apple’s own.

One could question the value. After all, locking your phone protects all your apps, so why bother offering app-by-app protection too … ?



WhatsApp updated with ability to lock app behind Face ID or Touch ID

Popular Facebook-owned chat service WhatsApp has updated its iOS app today with support for biometric authentication, allowing users to ‘lock’ the app with Face ID or Touch ID. Although the feature does not work on a per chat basis, enabling the feature does add an extra layer of security to your private WhatsApp conversations.



Apple says iOS fix for Group FaceTime bug now coming next week, issues apology

Apple has today released an update on the FaceTime eavesdropping bug and offered an apology. The company says it has patched the flaw on its servers and will roll out an update to iOS users next week to bring back Group FaceTime with the bug fixed. It also makes a promise to improve how it handles bug reports and its escalation process.



UK’s GCHQ wants Apple and others to secretly add law enforcement to encrypted chats and calls


Britain’s Government Communications Headquarters (GCHQ) – the UK equivalent of the NSA – is calling on Apple and other tech companies to secretly add law enforcement agents to Messages chats, FaceTime calls and other forms of encrypted chat on demand.

The American Civil Liberties Union (ACLU) has said this would be like the recently-discovered FaceTime bug, only worse …



2.2 billion unique accounts compromised after ‘Collections #2-5’ dumped on torrent sites, here’s how to check yours


Earlier this month we saw what was considered to be the largest ever dump of stolen internet accounts with 773 million email addresses and 21 million passwords. The dump of compromised accounts was called “Collection #1”. Now, Collections #2-5 have been dumped and the numbers are staggering: 845GB of stolen data that includes 25 billion total records and 2.2 billion unique usernames and passwords.



Powerful iPhone spy tool allowed UAE to view photos, emails, texts, locations and passwords


A spy tool developed by former U.S. government intelligence operatives reportedly allowed the United Arab Emirates government to remotely hack the iPhones of diplomats, activists and even foreign leaders.

The tool apparently didn’t require the victim to click a link, but could somehow be activated simply by loading in the phone numbers or email addresses of the intended targets …



Comment: Apple’s own privacy standards make FaceTime bug massively damaging

The revelation that a major FaceTime bug can effectively turn your Apple devices into a hot mic, allowing a caller to hear or even see you before you pick up, would be a massive embarrassment no matter which company was involved. It’s an absolutely crazy security fail.

But when that company is Apple – which has been ceaselessly pushing privacy of late – it becomes so cringeworthy we’re going to have to invent a whole new scale just to measure it …



Major iPhone FaceTime bug lets you hear the audio of the person you are calling … before they pick up

UPDATE: Apple has taken Group FaceTime offline in an attempt to address the issue in the interim.

A significant bug has been discovered in FaceTime and is currently spreading virally over social media. The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”.

Naturally, this poses a pretty big privacy problem as you can essentially listen in on any iOS user, although it still rings like normal, so you can’t be 100% covert about it. Nevertheless, there is no indication on the recipient’s side that you could hear any of their audio. There’s a second part to this which can expose video too …



Two-factor authentication: Why do I need it? What are the best apps?


Security on the internet has become more important with each passing year. It seems like every other month there is a major data breach from major retailers or online properties. One of the key things that you can do to minimize the effect these breaches will have on you is to set up and use two-factor (or multi-factor) authentication. Two-factor authentication can be explained as something you know (your password) and something you have (a smartphone or another authorized device). With most implementations, you will log in to a website using your normal login, and you will then be prompted to input a secondary code. The secondary code can be generated in multiple ways (more on that later) and changes every thirty seconds. By enabling two-factor authentication on websites that support it, a hacker wouldn’t be able to log in just using your username and password. They’d need access to your two-factor authentication database in order to access the current code.


T-Mobile and Sprint promise to stop selling user location data to third-parties, for real this time

Update: AT&T now says it will also stop selling user location to aggregation services, according to CNET.

After Motherboard published details about a concerning investigation into how US wireless carriers are selling user location data to third-parties, T-Mobile and Sprint have made some fresh promises. They say they will end the practice of selling users’ data to third-party aggregators that often have little to no oversight.

