Showing results for tags 'catalin cimpanu'.

Found 3 results

  1. Devs have not updated a crucial library inside their apps, leaving users exposed to dangerous attacks. Some of the vulnerable apps include Microsoft's Edge browser, Grindr, OKCupid, and Cisco Teams.

     Around 8% of Android apps available on the official Google Play Store are vulnerable to a security flaw in a popular Android library, according to a scan performed this fall by security firm Check Point.

     The security flaw resides in older versions of Play Core, a Java library provided by Google that developers can embed inside their apps to interact with the official Play Store portal. The Play Core library is very popular as it can be used by app developers to download and install updates hosted on the Play Store, modules, language packs, or even other apps.

     Earlier this year, security researchers from Oversecured discovered a major vulnerability (CVE-2020-8913) in the Play Core library that a malicious app installed on a user's device could have abused to inject rogue code inside other apps and steal sensitive data — such as passwords, photos, 2FA codes, and more.

     Google patched the bug in Play Core 1.7.2, released in March, but according to new findings published today by Check Point, not all developers have updated the Play Core library that ships with their apps, leaving their users exposed to easy data pilfering attacks from rogue apps installed on their devices.

     According to a scan performed by Check Point in September, six months after a Play Core patch was made available, 13% of all the Play Store apps were still using this library, but only 5% were using an updated (safe) version, with the rest leaving users exposed to attacks.

     Apps that did their duty to users and updated the library included Facebook, Instagram, Snapchat, WhatsApp, and Chrome; however, many other apps did not. Among the apps with the largest userbases that failed to update, Check Point listed the likes of Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber, and Booking.com.

     Via zdnet.com
  2. Prosecutors said the technician accessed more than 200 customer CCTV systems on more than 9,600 occasions to spy on them getting naked and engaging in sexual activity.

     A Texas-based CCTV technician pleaded guilty this week to illegally accessing the security cameras of hundreds of families to watch people in their homes get naked and engage in sexual activities.

     According to a criminal complaint [PDF], Telesforo Aviles, a 35-year-old, committed his crimes between November 2015 and March 2020 while working as a support technician for ADT, a provider of home security services. Aviles's job involved installing home video surveillance cameras at customer premises and configuring the devices to work with the company's proprietary ADT Pulse app.

     But prosecutors said that Aviles strayed from company policy and started adding his personal email address to customers' ADT Pulse app during the installation and testing process. Investigators said the technician usually targeted attractive women, and he used the backdoor account to access the camera's real-time video feed and spy on customers in intimate moments in their homes and with their partners.

     The technician's scheme was discovered in January and February 2020 when several customers discovered Aviles' email address in their app's configuration panel and reported the incidents to ADT, which later referred the case to authorities. Aviles was charged in April 2020 and pleaded guilty [PDF] this week, on Thursday.

     Prosecutors said Aviles accessed more than 200 customer CCTV systems on more than 9,600 occasions. The former ADT technician now faces a sentence of up to five years in prison and a fine of up to $250,000, according to court documents. He was conditionally released earlier this week [PDF].

     ADT notified its customers of the incident in April 2020. The New York Post reported at the time that the company tried to convince customers to sign a confidentiality agreement in exchange for a monetary payment so Aviles' actions wouldn't leak online. Their efforts didn't work, and the company is currently facing three class-action lawsuits [1, 2, 3] as a result of its former employee's actions.

     Via zdnet.com
  3. The ContentFilterExclusionList has been removed in macOS 11.2 beta 2.

     Apple has removed a controversial feature from the macOS operating system that allowed 53 of Apple's own apps to bypass third-party firewalls, security tools, and VPN apps installed by users for their protection.

     Known as the ContentFilterExclusionList, the list was included in macOS 11, also known as Big Sur. The exclusion list included some of Apple's biggest apps, like the App Store, Maps, and iCloud, and was physically located on disk at: /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist.

     Its presence was discovered last October by several security researchers and app makers who realized that their security tools weren't able to filter or inspect traffic for some of Apple's applications.

     Security researchers such as Patrick Wardle, and others, were quick to point out at the time that this exclusion risk was a security nightmare waiting to happen. They argued that malware could latch on to legitimate Apple apps included on the list and then bypass firewalls and security software.

     Besides security pros, the exclusion list was widely panned by privacy experts alike, since macOS users also risked exposing their real IP address and location when using Apple apps, as VPN products wouldn't be able to mask users' location.

     APPLE SAID IT WAS TEMPORARY

     Contacted for comment at the time, Apple told ZDNet the list was temporary but did not provide any details. An Apple software engineer later told ZDNet the list was the result of a series of bugs in Apple apps, rather than anything nefarious from the Cupertino-based company.

     The bugs were related to Apple deprecating network kernel extensions (NKEs) in Big Sur and introducing a new system called Network Extension Framework, and Apple engineers not having enough time to iron out all the bugs before the Big Sur launch last fall.

     But some of these bugs have been slowly fixed in the meantime, and, yesterday, with the release of macOS Big Sur 11.2 beta 2, Apple has felt it was safe to remove the ContentFilterExclusionList from the OS code (as spotted by Wardle earlier today).

     Once Big Sur 11.2 is released, all Apple apps will once again be subject to firewalls and security tools, and they'll be compatible with VPN apps.

     Via zdnet.com