Major Vulnerability for iOS with Mailbox.app

Mailbox.app is an email application for iOS devices that was recently acquired by Dropbox less than a month after it launched.

According to this blog post by Miki Spag, Mailbox.app will execute any JavaScript included in the body of an email. Spag writes that this vulnerability “allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploiting framework, potentially much worse things.”

In the video below, Spag demonstrates how simple it is to execute JavaScript code from within the app.

Currently Mailbox is only available for iOS and only works with Gmail, but it is designed to help users reach “Zero Inbox.”

Until the Mailbox developers are able to patch this substantial vulnerability, Roboscan recommends that iOS users fall back to the native Mail app or to Gmail’s iOS app.
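As an added illustration (not code from the original post, from Mailbox.app or from Dropbox), this is the mitigation a mail client needs for the bug class described above: strip script-capable markup from an HTML message body before rendering it, on top of disabling JavaScript in the rendering view. It assumes a Python client; the sanitizer, its element and attribute lists, and the decision to drop `data:` URLs are this example's own choices.

```python
from html import escape
from html.parser import HTMLParser
# Elements that run script or load active content: dropped together with their contents.
DROP_ELEMENTS = {"script", "iframe", "object", "embed", "applet", "meta", "link", "base", "form"}
# URL-valued attributes: a script scheme there executes when the link is followed or loaded.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")  # data: dropped conservatively

class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self._skip += 1
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            lname, value = name.lower(), value or ""
            # Collapse whitespace/control chars so "java\nscript:" is still recognised.
            scheme_view = "".join(c for c in value if not c.isspace() and ord(c) >= 32).lower()
            if lname.startswith("on") or lname == "style":  # event handlers, inline CSS
                continue
            if lname in URL_ATTRS and scheme_view.startswith(DANGEROUS_SCHEMES):
                continue
            kept.append(f' {lname}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):  # <img ... />: emit no closing tag
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize_email_html(body):
    parser = EmailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```

Dropping `data:` also removes inline images; a client that needs them should allow only `data:image/` values after checking the scheme the same way.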

Microsoft Releases IE Fix for Browser Attack Prevention

Yesterday, Microsoft released a preventative fix for Internet Explorer after attackers were found exploiting a zero-day vulnerability in the browser. Without releasing further information on the newly discovered vulnerability, Microsoft has urged its users to install the aptly dubbed “Fix It” as soon as possible, or to stop using Internet Explorer entirely until it is able to release a browser update.

Hackers are likely working on reverse-engineering the Fix It, so it is only a temporary solution to the vulnerability.

This exploit appeared at a time when Internet Explorer has shown an increase in market share.

Chart: Net Applications' August 2013 browser data for personal computers shows a Chrome decline. (Credit: Net Applications)

Internet Explorer currently accounts for 56.61 percent of desktop browsers.

Microsoft plans to release Internet Explorer 11 in October. The release preview for Windows 7 will be available later this week.

Facebook Vulnerability Targets Mark Zuckerberg’s Timeline

After numerous attempts at contacting Facebook’s support team, IT expert Khalil Shreateh used a bug he had discovered to post a very public message on Facebook founder Mark Zuckerberg’s Timeline. The message has since been removed, but the vulnerability allowed users to post to anyone’s wall, regardless of whether they were friends.

Shreateh, as noted in his blog post about the bug, tested it and submitted it to Facebook’s Whitehat disclosure service, which awards users who discover security vulnerabilities $500+ per successful bug discovery. A Facebook engineer replied to Shreateh’s submission by saying “This is not a bug.”

In response to the engineer’s immediate dismissal, Shreateh used the vulnerability to post to Mark Zuckerberg’s wall with details of the bug. Within minutes, Shreateh’s account was temporarily disabled. Facebook had to acknowledge his discovery, but refused to pay for it on the premise that the methods he used to unveil it violated Facebook’s Terms of Service.

The bug has since been fixed, but Facebook stands its ground in withholding any reward from Shreateh. Facebook’s Whitehat page notifies all users that in order to be eligible for the bounty program, they must use test accounts and adhere to the existing privacy policy: “If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”

Bounty programs have become standard in the tech community. Rewards can often be quite substantial. Microsoft recently launched a program that offers up to $150,000 for newly discovered vulnerabilities.

Popular Messaging App Viber Hacked by Syrian Electronic Army

Users of the popular messaging app Viber were struck with a disturbing notification last week. The Syrian Electronic Army claimed responsibility for hacking into Viber’s database and website. The hackers posted a warning on their Twitter last week, recommending that Viber users delete the app from their phones.

Viber is used by over 200 million users worldwide. The website displayed a taunting message from the Syrian hackers: “Dear All Viber Users, the Israeli-based Viper is spying and tracking you.” The message has since been removed from the website.

The company denies that the hackers accessed any sensitive user information but acknowledges that its website was breached through a phishing attack on one of its employees. The Syrian Electronic Army gained access to basic user information, including each user’s country and location, their device’s make and model, and an internal ID used by the company.

In 2013 alone, the Syrian Electronic Army has taken responsibility for numerous public hacks, including hacking the Twitter profiles of the Associated Press, CBS, BBC, NPR and more. Viber promises it is working toward making sure any future attacks will be thwarted.

Tumblr App Vulnerability Compromises Users Passwords

According to a post on Tumblr’s staff blog, a significant vulnerability put many users’ login information at risk of exposure. Tumblr has over 300 million monthly unique visitors.

The accounts at risk are those that have used the iOS application (iPhone or iPad), and Tumblr is urging users to download the security update. The popular micro-blogging site is also asking users to update their password immediately, as well as the password on any other accounts of theirs that use the same one.

Tumblr offers a brief apology to its users saying, “Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.”

Visit the App Store on your iOS device to update your Tumblr app immediately, and visit the desktop site to change your password.

Most Androids Vulnerable Due to Outdated Firmware

If Android phones all ran the most recent operating system, most threats would be automatically blocked. According to Juniper Networks’ Mobile Threat Center, only 4 percent of devices are running Android 4.2, which was released six months ago.

In a report released this week by Juniper Networks, the number of malicious mobile threats has grown by 614 percent over the last year, compared to only 155 percent in 2011. Almost all mobile malware targets Androids, primarily because cybercriminals want to maximize their ROI: 67.7 percent of smartphones shipped in 2012 were Androids, and 92 percent of malware threats targeted the Android OS.

According to Juniper’s MTC, 73 percent of malware exploits the mobile payment process by sending fraudulent premium SMS messages. If Android phones were updated with the latest operating system, 77 percent of these threats would likely be automatically blocked.

Jelly Bean 4.2 is available for many Android smartphones, but is not compatible with all Android devices. Visit Android’s website for more information on 4.2.

Microsoft Offers Bounty to Hackers

Beginning June 26th, Microsoft will launch two rewards programs, aimed toward increasing PC security in machines running Windows 8. The tech giant is offering rewards as high as $150,000 to hackers who can locate and resolve any vulnerabilities.

Hackers as young as 14 years old are eligible to enter. Windows is the predominant operating system throughout the world, and security measures already in place will prove to be difficult to break through for hackers looking for security vulnerabilities.

A rewards system this substantial is sure to attract the world’s top hacking talent. Microsoft is offering $100,000 to anyone who can identify major flaws, and an additional $50,000 for a working solution. Additionally, they are offering $11,000 rewards to anyone who finds a major vulnerability in the beta version of Internet Explorer 11.


Tips on Keeping Yourself Protected Online

First and foremost, you should be sure your PC is protected by an up-to-date antivirus. If you don’t have one, or are interested in trying new software, visit our website and review our products. Roboscan Internet Security updates itself multiple times a day and does so silently: no annoying prompts, no extra work for you! You can even check out this nifty chart and see how Roboscan compares to popular antivirus software.

If you have an antivirus installed, you’ve taken the biggest precaution in keeping your PC protected from malware. Follow the tips below for extra protection.

  • Change your passwords periodically. Try to use letters, numbers and symbols. The more complex your password is, the less likely it is that someone will gain access to your accounts. It’s generally a good idea not to reuse the same password across accounts. For example, your online banking password should not be the same as your Facebook password.
  • Update your Wi-Fi password and network name. If your network at home isn’t protected, that’s absolutely essential. Contact your internet provider, or review your router’s manual for instructions on how to secure your network. Your Wi-Fi password should be updated periodically as well. A good general rule of thumb is to change your passwords with each change of season, or four times a year.
  • Lock down your social media profiles. Consider going private on Twitter, reviewing your privacy settings on Facebook and deleting old social media profiles you no longer use. A while ago, I did a Google search on my full name and found a Friendster account from 10 years ago. Horrifying.
  • Don’t reveal too much of your personal information online. Have you ever had to reset a password and answer security questions to do so? Your date of birth, your mother’s maiden name, etc. can easily slip out online, and if your profiles are public, predators can piece together information about you pretty easily.
  • If you’re using shared computers or public networks on your devices, be very careful. Public Wi-Fi networks are especially dangerous, as we often won’t think twice about checking our account balances online, paying our electricity bill, or writing emails with sensitive content. If you’re shopping online, be sure the site is using a secure channel to process your billing information. Check the address bar. If the URL begins with “https,” you are good to go.

Above all, always be aware that most of what you put on the Internet can be accessed by anyone, at any time. Be on defense and stay proactive.

What are your tips for staying safe online?

First Look at Connor De Phillippi’s Porsche

As some of you may know, Roboscan Internet Security is proud to sponsor Porsche’s Junior American driver, Connor De Phillippi.

As he prepares for upcoming races, he shared a sneak peek of his beautiful Porsche. Check out our logo! Fits perfectly, doesn’t it?

Follow Roboscan Internet Security on Facebook

Follow Connor De Phillippi on Facebook