Major Vulnerability for iOS with Mailbox.app

Mailbox.app is an email application for iOS devices that was recently acquired by Dropbox less than a month after it launched.

According to a blog post by Miki Spag, Mailbox.app will execute any JavaScript included in the body of an email. Spag writes that this vulnerability “allows advanced spam techniques, tracking of user actions, hijacking the user by just opening an email, and, using an exploiting framework, potentially much worse things.”

In a video, Spag demonstrates how simple it is to execute JavaScript code from within the app.

Mailbox is currently available only for iOS and works only with Gmail; it is designed to help users achieve “Zero Inbox.”

Until Mailbox developers are able to patch this substantial vulnerability, Roboscan recommends iOS users default to the native Mail app or to Gmail’s iOS app.

iPhone5S TouchID – Hacked

The generous slew of pledged rewards goes to Starbug of the Chaos Computer Club from Germany.

Starbug of CCC Hacks iPhone5S Touch ID

A few days before Apple released the iPhone 5S, security researchers Nick Depetrillo, Robert David Graham, et al. challenged other security researchers and hackers to hack Apple’s new security measure, Touch ID, a fingerprint sensor (here’s a link to that blog post if you want to read the details). The announcement was made on Twitter, with a guideline, and the rewards were pledged by various techies all over the world on a website.

The contest started when Apple released the iPhone 5S on September 20th. The hackers say the sensor for the Touch ID is identical to any other sensor. Bypassing the system can be done very easily with everyday tools. All you need is a camera, a laser printer, and some wood glue.

1. Enroll a fingerprint

2. Photograph the enrolled user’s fingerprint with 2400 dpi resolution

3. Clean up the image, invert, print the fingerprint on a transparent sheet with a thick toner setting, with 1200 dpi resolution

4. Smear woodglue over the print on the transparent sheet. Wait until the woodglue cures.

5. Lift the woodglue print carefully, breathe onto it to add moisture (just enough to replicate moisture on a human body)

6. Place print on the sensor and unlock the enrolled user’s iPhone 5S

Roboscan offers our congratulations to Starbug for successfully hacking Apple’s security method without cutting off any limbs or taking advantage of the user. How do you think this information will influence the future of security measure development?

Related Reading: http://gizmodo.com/hackers-iphone-5s-fingerprint-security-is-not-secure-1367817697

iPhone 5S Feature becomes New Target for Hackers

A couple of days ago, Apple released information about the upcoming release of the iPhone 5S. Of the updates implemented in the newest version, the embedded fingerprint sensor feature called “Touch ID” has grabbed the attention of people all over the world, including that of hackers.

Security researchers Nick Depetrillo, Robert David Graham, Dan Kaminsky and others were talking about the safety of the fingerprint sensor on Twitter when Mr. Depetrillo decided to post a challenge.

Nick Depetrillo announces hack challenge on Twitter

Soon after, istouchidhackedyet.com was created. More security researchers and hackers pitched in, offering more incentives. The grand prize for the first person to “enroll print, place it, lift it, reproduce it, use the reproduction to unlock the phone without being locked. Video”, the basic conditions dictated by Depetrillo’s tweet, is now over $13,000, a couple of bottles of wine and hard liquor, and even books.

With the iPhone 5S due to launch this Friday, the competition hasn’t begun yet. But once hackers get their hands on the iPhone 5S, who knows what the coming weekend will bring?

Related reading: Hackers Set Sights on iPhone 5S Fingerprint Scanner

Microsoft Releases IE Fix for Browser Attack Prevention

Yesterday, Microsoft released a preventative fix for Internet Explorer. Hackers discovered a zero-day exploit. Without releasing further information on the newly discovered vulnerability, Microsoft has urged its users to install the aptly dubbed “Fix It” as soon as possible, or to stop using Internet Explorer entirely until it is able to release a browser update.

Hackers are likely working on reverse-engineering the Fix It, so it’s only a temporary solution to the exploit.

This exploit appeared at a time when Internet Explorer has shown an increase in market share.

Net Applications' August 2013 browser data for personal computers shows a Chrome decline.

(Credit: Net Applications)

Internet Explorer currently accounts for 56.61 percent of desktop browsers.

Microsoft plans to release Internet Explorer 11 in October. The release preview for Windows 7 will be available later this week.

Facebook offered $12,500 to security researcher for finding critical photo bug.

An Indian security researcher, Arul Kumar, recently discovered a security flaw on Facebook that allowed hackers to delete any photo from a user’s account without his/her knowledge or permission via mobile devices. The bug is now fixed and Facebook rewarded Kumar with $12,500 for finding this critical vulnerability.

Facebook photo bug allows hackers to delete others’ photos without permission.

On his blog, Kumar reveals a way to remove photos from another user’s account without knowing the victim’s login information. Normally, a user can request that Facebook remove a photo. If Facebook doesn’t remove it, the user can then appeal to the user who uploaded the photo to take it down. He/she will then receive a link with a one-click button to delete the image.

So where is the problem?

According to Kumar, the flaw resides in the Support Dashboard on Facebook’s mobile domain. Kumar created two real Facebook IDs and logged in to both accounts at the same time. He called one the “sender” and the other the “receiver.” He reported a photo as the “sender,” and in the URL he inserted the photo ID value (a.k.a. the “cid” parameter) of the photo that he would like to remove, and the profile ID value (a.k.a. the “rid” parameter) of the person that the report is supposed to go to (the “sender,” which in this case is also controlled by Kumar).

On Kumar’s blog, he described how to delete another user’s photo without his/her knowledge.
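The server-side check that closes this kind of parameter tampering, as an added example (not Facebook's or Kumar's code): it assumes the removal link was routed to the client-supplied `rid` without confirming that `rid` owns the photo `cid`. The function names and sample data are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data (assumption): photo ID -> owning profile ID.
PHOTO_OWNER = {"photo-1001": "alice", "photo-2002": "bob"}


@dataclass(frozen=True)
class RemovalRequest:
    session_user: str  # authenticated account filing the report
    cid: str           # photo ID as supplied in the request URL
    rid: str           # profile ID the removal link should go to, from the URL


def recipient_trusting(req: RemovalRequest) -> str:
    """Weak form: the removal link goes to whatever rid the client sent."""
    return req.rid


def recipient_checked(req: RemovalRequest, audit: list) -> str:
    """Hardened form: the recipient is derived server-side from cid."""
    owner = PHOTO_OWNER.get(req.cid)
    if owner is None:
        raise LookupError(f"unknown photo {req.cid!r}")
    if req.rid != owner:
        # A mismatch means the URL was edited; record it for detection.
        audit.append((req.session_user, req.cid, req.rid))
        raise PermissionError("rid does not own cid")
    return owner


def delete_from_link(clicking_user: str, cid: str) -> bool:
    """Second check at click time: only the owner's session may delete."""
    if PHOTO_OWNER.get(cid) != clicking_user:
        return False
    del PHOTO_OWNER[cid]
    return True


def demo() -> dict:
    """Run a tampered request (constructed) through both forms."""
    audit: list = []
    tampered = RemovalRequest(session_user="mallory", cid="photo-1001", rid="mallory")
    result = {"trusting": recipient_trusting(tampered), "audit": audit}
    try:
        recipient_checked(tampered, audit)
    except PermissionError as exc:
        result["checked"] = str(exc)
    result["mallory_click"] = delete_from_link("mallory", "photo-1001")
    return result
```

The audit entries give a detection signal: a report whose `rid` does not match the owner of `cid` cannot come from the normal user interface.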

Microsoft is not the only tech giant that encourages hackers to help resolve vulnerabilities with bounty rewards. Facebook’s White Hat Program offers financial rewards to experts who can locate any bug on its site. The minimum reward is $500, while there is no ceiling for the prize amount. It all depends on the severity of the bug.

However, as a reminder, Facebook strongly forbids researchers from testing their exploits on any real accounts. A couple of weeks ago, an IT expert, Khalil Shreateh, hacked Mark Zuckerberg’s timeline to prove his finding of a bug. As a result, he was disqualified from claiming the reward. However, in Kumar’s case, he never actually tested on Mark’s account. The delete button was never clicked.

Facebook Vulnerability Targets Mark Zuckerberg’s Timeline

After numerous attempts at contacting Facebook’s support team, IT expert Khalil Shreateh used a bug he’d discovered to post a very public message on Facebook founder Mark Zuckerberg’s Timeline. The message has since been removed, but the vulnerability allowed users to post to anyone’s wall, regardless of whether they are friends.

Shreateh, as noted in his blog post about the bug, tested it and submitted the bug to Facebook’s Whitehat disclosure service – one that awards users who discover security vulnerabilities $500+ per successful bug discovery. A Facebook engineer replied to Shreateh’s submission by saying “This is not a bug.”

In response to the engineer’s immediate dismissal, Shreateh used the vulnerability to post to Mark Zuckerberg’s wall with details of the bug. Within minutes, Shreateh’s account was temporarily disabled. Facebook had to acknowledge his discovery, but refused to pay for it on the premise that the methods he used to unveil it violated Facebook’s Terms of Service.

The bug has since been fixed, but Facebook stands its ground in withholding any reward from Shreateh. Facebook’s Whitehat page notifies all users that in order to be eligible for the bounty program, users must use test accounts and adhere to the existing privacy policy: “If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”

Bounty programs have become standard in the tech community. Rewards can often be quite substantial. Microsoft recently launched a program that offers up to $150,000 for newly discovered vulnerabilities.

Popular Messaging App Viber Hacked by Syrian Electronic Army

Users of the popular messaging app Viber were struck with a disturbing notification last week. The Syrian Electronic Army claimed responsibility for hacking into Viber’s database and website. The hackers posted a warning on their Twitter last week, recommending that Viber users delete the app from their phones.

Viber is used by over 200 million users worldwide. The website displayed a taunting message from the Syrian hackers: “Dear All Viber Users, the Israeli-based Viper is spying and tracking you.” The message has since been removed from the website.

The company denies that the hackers accessed any sensitive user information but acknowledges their website was breached due to a phishing attack on one of their employees. The Syrian Electronic Army gained access to basic user information, including the user’s country and location, their device’s make and model, and an internal ID used by the company.

In 2013 alone, the Syrian Electronic Army has taken responsibility for numerous public hacks, including hacking the Twitter profiles of the Associated Press, CBS, BBC, NPR and more. Viber promises it is working toward making sure any future attacks will be thwarted.

[News] DES SIM Card Security Breach Puts 750 Million Mobile Phone Users In Danger

Your SIM card is now hackable!

Thought your mobile phone SIM card was an un-hackable nutshell? Well, you might have to rethink that, because it is now officially “breakable.”

A German researcher, Karsten Nohl from Security Research Labs, revealed the hole in GSM encryption. Hackers can remotely break into some outdated DES (Data Encryption Standard) SIM cards and access your personal data with just a personal computer in less than 2 minutes.

“Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it,” Nohl said to Forbes.

With only a couple of fake text messages sent to your phone that claim to come from a carrier, there is a one-in-four chance that an error message comes back containing the DES SIM card’s 56-bit digital key. With the key, hackers can send malware to the SIM card via text message. From then on, the hacker can monitor phone calls and hijack the data and identity on the phone.

Up to 750 million SIM cards could be hacked. Fortunately, many wireless carriers now adopt the newer and more secure triple DES SIM card. GSMA (Global System for Mobile Association) has already notified SIM card manufacturers and vendors of the security flaw. Experts are now striving to find the optimal solution for the breach. Nohl will give more detail about the research process at the Black Hat conference in Las Vegas on August 1st.

He suggests that the industry take action on the matter and gradually phase out the affected SIM cards to eliminate the security vulnerability. Consumers using SIM cards more than 3 years old should ideally request a new card.

Related reading:

Google Releases Patch to OEM for Serious Android Security Loophole

Most Androids Vulnerable Due to Outdated Firmware