My Weekly RoundUp #126
This week: new layout and lots of interesting links!
WhatsApp contains ‘dangerous’ and deliberate backdoors, claims Telegram founder
In a scathing blog post, Telegram Messenger’s founder, Pavel Durov, has added insult to the Facebook-owned instant messaging app’s injury by calling it “dangerous” to use.
WhatsApp uses the words “end-to-end encryption” as some magic incantation that alone is supposed to automatically make all communications secure.
However, this technology is not a silver bullet that can guarantee you absolute privacy by itself.
Telegram rolled out end-to-end encryption for mass communication years before WhatsApp followed suit, and we’ve been mindful not only of the strengths, but also the limitations of this technology. Other aspects of a messaging app can render end-to-end encryption useless. Below are three examples of what can go wrong.
Nightmare Google Photos bug sent private videos to the wrong people
Google has disclosed a nightmare of a security and privacy bug affecting Google Photos users: for a time, it was possible for private videos to be downloaded by unrelated users. The bug happened through Google Takeout, a service that lets you download archives of your Google Data. Apparently, the wrong videos were included in these user-generated archives, resulting in the users getting local copies of somebody else's videos.
Google has been sending emails to affected Takeout users. In the email, which was first spotted by 9to5Google, Google writes, "Some videos in Google Photos were incorrectly exported to unrelated user's archives. One or more videos in your Google Photos account was affected by this issue. If you downloaded your data, it may be incomplete, and it may contain videos that are not yours." Google writes that the bug happened "between November 21, 2019 and November 25, 2019."
Google tracks individual users per Chrome installation ID
This is impressive doublespeak.
> This ... header ... will not contain any personally identifiable information
> a seed number which is randomly selected on first run ... chosen between 0 and 7999 (13 bits of entropy)
They are not including any PII... while creating a new identifier for each installation. 13 bits of entropy probably isn't a unique identifier iff you only look at that header in isolation.
Combined with at least 24 additional bits of entropy from the IPv4 Source Address field Google receives >=37 bits of entropy, which is almost certainly a unique ID for the browser. Linking that browser ID to a personal account is trivial as soon as someone logs in to any Google service.
> Experiments may be further limited by country (determined by your IP address)
They even admit to inspecting the IP address...
> operating system, Chrome version and other parameters.
...and many additional sources of entropy.
Why 24 bits instead of 32? The LSB of the address might be zeroed if the packet is affected by Google's faux-"anonymization" feature.
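The entropy arithmetic in the comment above, carried through to a collision estimate as an added example (not code from the thread or from Google). It assumes the identifiers are uniform and independent and uses a constructed population of one billion browsers to show why 13 bits alone is not an identifier but 37 bits nearly is.

```python
import math

# Figures quoted in the thread: the seed is chosen between 0 and 7999
# (about 13 bits) and a /24 IPv4 prefix survives if the last octet is zeroed.
SEED_RANGE = 8000
IPV4_FULL_BITS = 32
IPV4_LAST_OCTET_ZEROED_BITS = 24

# Constructed population figure for the worked example (an assumption).
ASSUMED_BROWSERS = 1_000_000_000


def seed_entropy_bits(seed_range: int) -> float:
    """Exact entropy of a uniformly chosen seed with `seed_range` values."""
    return math.log2(seed_range)


def ipv4_source_bits(last_octet_zeroed: bool) -> int:
    """Bits of entropy left in the IPv4 source address after 'anonymization'."""
    return IPV4_LAST_OCTET_ZEROED_BITS if last_octet_zeroed else IPV4_FULL_BITS


def combined_entropy_bits(*sources: float) -> float:
    """Independent identifier sources combine additively in bits."""
    return sum(sources)


def expected_sharers(bits: float, population: int) -> float:
    """Expected number of *other* browsers that share one browser's identifier."""
    return (population - 1) / 2 ** bits


def prob_id_is_unique(bits: float, population: int) -> float:
    """Probability that no other browser among `population` has the same ID.

    Uses log1p so the (1 - 1/space)^(n-1) term stays accurate for huge spaces.
    """
    space = 2 ** bits
    return math.exp((population - 1) * math.log1p(-1.0 / space))


if __name__ == "__main__":
    header_only = seed_entropy_bits(SEED_RANGE)
    with_ip = combined_entropy_bits(header_only, ipv4_source_bits(True))
    for label, bits in (("header only", header_only), ("header + /24", with_ip)):
        print(f"{label}: {bits:.2f} bits, "
              f"expected sharers {expected_sharers(bits, ASSUMED_BROWSERS):.2e}, "
              f"P(unique) {prob_id_is_unique(bits, ASSUMED_BROWSERS):.4f}")
```

Adding the remaining operating-system and Chrome-version parameters the thread mentions only pushes the combined figure higher.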
OK Google: bypass the authentication!
During a recent assessment of a voice application we found a very intriguing vulnerability that, besides being a lot of fun to exploit, demonstrates how the complexity of modern applications, built on top of several separate components and technologies, may allow chains of bad practices to lead to surprising results.
Our target application, built for Google Assistant, let a user “speak” to a device in order to log into his utilities provider account and retrieve some personal information (e.g. payment statuses, active subscriptions…) as well as perform some dispositive actions.
A combination of the following led to the discovery of a complete authentication bypass, triggered by pronouncing the Italian words “A capo” (“new line”/“return”).
Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag
On November 3rd, 2019, we reported a critical vulnerability affecting the Android Bluetooth subsystem.
The security impact is as follows:
- On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target device has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).
- On Android 10, this vulnerability is not exploitable for technical reasons and only results in a crash of the Bluetooth daemon.
- Android versions even older than 8.0 might also be affected but we have not evaluated the impact.
Users are strongly advised to install the latest available security patch from February 2020.
Time to patch your lightbulb? Researchers demonstrate Philips Hue exploit
The attack described by Check Point involves first taking over the lamp, updating it with malicious firmware, and then making it misbehave. The user then follows the procedure to reset the lamp by removing it and then re-adding to their Hue controller. This triggers the buffer overflow vulnerability via the specially crafted firmware, executing malware on the Hue Bridge. The bridge is connected to the local TCP/IP network, so the malware can now look for computers to compromise. In the example, the EternalBlue exploit is successfully used against a Windows PC.
Ransomware brought down services of popular TV search engine TVEyes
TVEyes is a company that manages a popular platform for monitoring TV and radio news broadcasts; it is used worldwide by PR agencies and newsrooms.
On Thursday night, a ransomware attack hit the company network causing an outage of its multimedia messaging and data feed services (i.e. TVEyes Media Monitoring Suite (MMS)).
TVEyes reported the incident to its customers by email; one tweet sent by the company to Medium Buying explained that the root cause of the outage was a ransomware infection.
“We are rebuilding the core system on fresh hardware, and expect to have TVEyes back online soon, but do not have an exact ETA for services to be restored,” the email says. “As you can imagine, TVEyes engineers are working nonstop and will continue to do so until we are back up and running.”
TrickBot Switches to a New Windows 10 UAC Bypass to Evade Detection
The TrickBot trojan has evolved again to bolster its ability to elude detection, this time adding a feature that can bypass Windows 10 User Account Control (UAC) to deliver malware across multiple workstations and endpoints on a network, researchers have discovered.
Researchers at Morphisec Labs said they discovered code last March that uses the Windows 10 WSReset UAC Bypass to circumvent user account control and deliver malware in recent samples of TrickBot, according to a report released last week. UAC is a Windows security feature designed to prevent changes to an operating system by unauthorized users, applications or malware.
State-sponsored actors may have abused Twitter API to de-anonymize users
A Twitter API that’s intended to help new account holders find people they may already know on Twitter has been abused by known and unknown actors to tie usernames to phone numbers and potentially de-anonymize certain users.
The bug itself first became public knowledge on Christmas Eve, when TechCrunch reported on the findings of security researcher Ibrahim Balic.
Balic had discovered that he could generate two billion phone numbers and upload them to Twitter through its official Android app. If the phone numbers in the uploaded lists were not in sequential order, but instead randomized, Twitter’s API would happily fetch information about whichever Twitter user was linked to the number. Balic managed to match 17 million phone numbers to specific Twitter accounts by exploiting the flaw.
Microsoft Teams goes down after Microsoft forgot to renew a certificate
Users of Microsoft’s Slack competitor were met with error messages when attempting to sign in to the service on Monday morning, with the app noting it had failed to establish an HTTPS connection to Microsoft’s servers.
Microsoft confirmed the Teams service was down just after 9AM ET today, and then later revealed the source of the issue. “We’ve determined that an authentication certificate has expired causing users to have issues using the service,” explains Microsoft’s outage notification. Microsoft then started rolling the fix out at 11:20AM ET, and by 12PM ET the service was restored for most affected users. Microsoft confirmed the fix was successfully deployed at 4:27PM ET.
Tesla Remotely Removes Autopilot Features From Customer's Used Tesla Without Any Notice
One of the less-considered side effects of car features moving from hardware to software is that important features and abilities of a car can now be removed without any actual contact with a given car. Where once de-contenting involved at least a screwdriver (or, if you were in a hurry, a hammer), now thousands of dollars of options can vanish with the click of a mouse somewhere. And that’s exactly what happened to one Tesla owner, and, it seems many others.