Facebook offered $12,500 to security researcher for finding critical photo bug.

An Indian security researcher, Arul Kumar, recently discovered a security flaw on Facebook that allowed hackers to delete any photo from a user’s account, without his/her knowledge or permission, via mobile devices. The bug is now fixed, and Facebook rewarded Kumar with $12,500 for finding this critical vulnerability.

Facebook photo bug allows hackers to delete other users’ photos without permission.

On his blog, Kumar reveals a way to remove photos from another user’s account without knowing the victim’s login information. Normally, a user can ask Facebook to remove a photo. If Facebook doesn’t remove it, the user can then appeal to the person who uploaded the photo to take it down; the uploader receives a link with a one-click button to delete the image.

So where is the problem?

According to Kumar, the flaw resided in the Support Dashboard on Facebook’s mobile domain. Kumar created two real Facebook accounts and logged into both at the same time; he called one the “sender” and the other the “receiver.” As the “sender,” he reported a photo, and in the URL he inserted the photo ID value (the “cid” parameter) of the photo he wanted removed and the profile ID value (the “rid” parameter) of the person the report was supposed to go to (in this case his second account, which was also under his control).

On Kumar’s blog, he described how to delete another user’s photo without his/her knowledge.
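As an added example (not code from Kumar’s write-up or from Facebook), here is a toy Python model of the report flow described above: the flawed version lets the URL’s rid parameter decide who receives the one-click delete link, while the hardened version derives the recipient from the photo’s owner on the server and re-checks ownership when the link is used. All account and photo ids are constructed sample values.

```python
from __future__ import annotations
import secrets


class SupportDashboard:
    """Toy model of the report-a-photo flow. hardened=False reproduces the
    flaw: the report recipient is taken from the client-supplied rid value."""

    def __init__(self, photos: dict[str, str], hardened: bool):
        self.photos = dict(photos)            # cid -> profile id of the uploader
        self.hardened = hardened
        self.links: dict[str, tuple[str, str]] = {}   # token -> (cid, recipient)

    def report_photo(self, cid: str, rid: str) -> str:
        """Handle a report of photo cid and issue a one-click removal link.
        Returns the link token; the link is delivered to the recipient."""
        owner = self.photos.get(cid)
        if owner is None:
            raise KeyError(f"unknown photo {cid}")
        # Flawed: trust rid from the URL. Fixed: look the recipient up server-side.
        recipient = owner if self.hardened else rid
        token = secrets.token_urlsafe(16)
        self.links[token] = (cid, recipient)
        return token

    def click_delete(self, token: str, acting_account: str) -> bool:
        """The one-click button. Returns True if the photo was removed."""
        cid, recipient = self.links.pop(token, (None, None))   # single-use token
        if cid not in self.photos or acting_account != recipient:
            return False
        # Defence in depth (hardened only): a link deletes nothing unless the
        # account using it still owns the photo.
        if self.hardened and self.photos[cid] != acting_account:
            return False
        del self.photos[cid]
        return True


def demo(hardened: bool) -> bool:
    """Constructed scenario: account 'acct-b' reports the victim's photo and
    points rid at itself. Returns True if 'acct-b' managed to delete it."""
    dash = SupportDashboard({"photo-1": "victim"}, hardened=hardened)
    token = dash.report_photo(cid="photo-1", rid="acct-b")
    return dash.click_delete(token, acting_account="acct-b")
```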

Microsoft is not the only tech giant that encourages hackers to find and report vulnerabilities in exchange for bounty rewards. Facebook’s White Hat Program offers a financial reward to experts who can locate a bug on its site. The minimum reward is $500, while there is no ceiling on the prize amount; it all depends on the severity of the bug.

However, as a reminder, Facebook strongly forbids researchers from testing their exploits on any real accounts. A couple of weeks ago, an IT expert, Khalil Shreateh, hacked Mark Zuckerberg’s timeline to prove his finding of a bug, and as a result he was disqualified from claiming the reward. In Kumar’s case, however, he never actually tested on Mark’s account: the delete button was never clicked.

Facebook Vulnerability Targets Mark Zuckerberg’s Timeline

After numerous attempts at contacting Facebook’s support team, IT expert Khalil Shreateh used a bug he’d discovered to post a very public message on Facebook founder Mark Zuckerberg’s Timeline. The message has since been removed, but the vulnerability allowed users to post to anyone’s wall, regardless of whether they were friends.

Shreateh, as noted in his blog post about the bug, tested it and submitted the bug to Facebook’s Whitehat disclosure service – one that awards users who discover security vulnerabilities $500+ per successful bug discovery. A Facebook engineer replied to Shreateh’s submission by saying “This is not a bug.”

In response to the engineer’s immediate dismissal, Shreateh used the vulnerability to post to Mark Zuckerberg’s wall with details of the bug. Within minutes, Shreateh’s account was temporarily disabled. Facebook had to acknowledge his discovery, but refused to pay for his discovery on the premise that the methods he used to unveil it violated Facebook’s Terms of Service.

The bug has since been fixed, but Facebook stands its ground in withholding any reward from Shreateh. Facebook’s Whitehat page notifies all users that in order to be eligible for the bounty program, they must use test accounts and adhere to its existing privacy policy: “If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”

Bounty programs have become standard in the tech community. Rewards can often be quite substantial. Microsoft recently launched a program that offers up to $150,000 for newly discovered vulnerabilities.

Popular Messaging App Viber Hacked by Syrian Electronic Army

Users of the popular messaging app Viber were struck with a disturbing notification last week. The Syrian Electronic Army claimed responsibility for hacking into Viber’s database and website. The hackers posted a warning on their Twitter account last week, recommending that Viber users delete the app from their phones.

Viber is used by over 200 million users worldwide. The website displayed a taunting message from the Syrian hackers: “Dear All Viber Users, the Israeli-based Viper is spying and tracking you.” The message has since been removed from the website.

The company denies that the hackers accessed any sensitive user information but acknowledges that its website was breached through a phishing attack on one of its employees. The Syrian Electronic Army gained access to basic user information, including each user’s country and location, their device’s make and model, and an internal ID used by the company.

In 2013 alone, the Syrian Electronic Army has taken responsibility for numerous public hacks, including hacking the Twitter profiles of the Associated Press, CBS, BBC, NPR and more. Viber promises it is working toward making sure any future attacks will be thwarted.

[News] DES SIM Card Security Breach Puts 750 Million Mobile Phone Users In Danger

Your SIM card is now hackable!

Thought your mobile phone’s SIM card was an unbreakable nutshell? Well, you might have to think again, because it is now officially “breakable.”

A German researcher, Karsten Nohl of Security Research Labs, revealed a hole in GSM SIM card encryption. Hackers can remotely break into some outdated DES (Data Encryption Standard) SIM cards and access your personal data with just a personal computer, in less than two minutes.

“Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it,” Nohl said to Forbes.

With only a couple of fake text messages sent to your phone, purporting to come from your carrier, there is a one-in-four chance that you will receive an error message back containing the SIM card’s 56-bit DES key. With that key, hackers can send malware to the SIM card via text message. From then on, the hacker can monitor phone calls and hijack the data and identity on the phone.

Up to 750 million SIM cards could be hacked. Fortunately, many wireless carriers have now adopted the newer and more secure triple DES SIM card. The GSMA (Global System for Mobile Association) has already notified SIM card manufacturers and vendors of the security flaw. Experts are now striving to find the optimal solution for the breach. Nohl will give more details about the research process at the Black Hat conference in Las Vegas on August 1st.

He suggests that the industry take action on the matter and gradually phase out the affected SIM cards to eliminate the security vulnerability. Consumers using SIM cards more than 3 years old should ideally request a new card.


Tumblr App Vulnerability Compromises Users Passwords

According to a post on Tumblr’s staff blog, a significant vulnerability put many users’ login information at risk of exposure. Tumblr has over 300 million monthly unique visitors.

The accounts at risk are those that have used the iPad or iOS application, and Tumblr is urging users to download the security update. The popular micro-blogging site is also asking users to change their password immediately, as well as the password of any other account of theirs that uses the same one.

Tumblr offers a brief apology to its users saying, “Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.”

Visit the App Store on your iOS device to update your Tumblr app immediately, and visit the desktop site to change your password.

Most Androids Vulnerable Due to Outdated Firmware

If Android phones all ran the most recent operating system, most threats would be automatically blocked. According to Juniper Networks’ Mobile Threat Center, only 4 percent of devices are running Android 4.2 – which was released six months ago.

According to a report released this week by Juniper Networks, the number of malicious mobile threats grew by 614 percent over the last year, compared to only 155 percent in 2011. Almost all mobile malware targets Android, primarily because cyber criminals want to maximize their ROI: 67.7 percent of smartphones shipped in 2012 were Androids, and 92 percent of malware threats targeted the Android OS.

According to Juniper’s MTC, 73 percent of malware exploits the mobile payment process by sending fraudulent premium SMS messages. If Android phones were updated with the latest operating system, 77 percent of these threats would likely be automatically blocked.

Jelly Bean 4.2 is available for many Android smartphones, but is not compatible with all Android devices. Visit Android’s website for more information on 4.2.

Microsoft Offers Bounty to Hackers

Beginning June 26th, Microsoft will launch two rewards programs, aimed toward increasing PC security in machines running Windows 8. The tech giant is offering rewards as high as $150,000 to hackers who can locate and resolve any vulnerabilities.

Hackers as young as 14 years old are eligible to enter. Windows is the predominant operating system throughout the world, and security measures already in place will prove to be difficult to break through for hackers looking for security vulnerabilities.

A rewards system this substantial is sure to attract the world’s top hacking talent. Microsoft is offering $100,000 to anyone who can identify major flaws, and an additional $50,000 for a working solution. Additionally, they are offering $11,000 rewards to anyone who finds a major vulnerability in the beta version of Internet Explorer 11.


10 Common Facebook Scams 2013 - Part 2

Do you remember the first 5 common scams on Facebook that we talked about in our last post? If you need a little recap, check out 10 Common Facebook Scams 2013 <Part 1>.

Ready? Now, let’s get into the next 5!

6. Phony message on Facebook

  • Scammer from the Facebook team: A phishing scam spotted by GFI Labs earlier this year. After clicking the link, you are walked through 5 pages of questions for a supposed security check. Once the scammers have your information, they will start to spam your friends or use your identity and card information to purchase things you will never receive.

Phony message from Facebook Team spotted by GFI Labs

  • Check out my new camera: I’ve seen it too many times: a friend tries to show me their new shopping trophy through Facebook chat, while we all know the link to the pictures will not take you to their new camera or new clothes, but to spam or malware.
  • I need your help (and money!): Your friend won’t ask for your help by just leaving a Facebook message, especially when s/he needs your financial support. A tip to keep in mind: scammers usually ask you to transfer money via Western Union or another uncommon financial institution. Be cautious!

7. Customize your Facebook: Apps that claim to find out who unfriended you, change your Facebook color or add a “Dislike” button are just a few of the scammers’ tricks. Scammers usually insert adware or malware into the browser extension or plugin.

Red Facebook Hoax

One of the most popular scams on Facebook earlier this year was the make-your-Facebook-red scam. After clicking the link

Tips on Keeping Yourself Protected Online

First and foremost, you should be sure your PC is protected by an up-to-date antivirus. If you don’t have one, or are interested in trying new software, visit our website and review our products. Roboscan Internet Security updates itself multiple times a day and does so silently – no annoying prompts, no extra work for you! You can even check out this nifty chart and see how Roboscan compares to popular antivirus software.

If you have an antivirus installed, you’ve taken the biggest precaution in keeping your PC protected from malware. Follow the tips below for extra protection.

  • Change your passwords periodically. Use letters, numbers and symbols; the more complex your password is, the less likely someone will gain access to your accounts. It’s generally a good idea not to reuse the same password across accounts. For example, your online banking password should not be the same as your Facebook password.
  • Update your Wi-Fi password and network name. If your network at home isn’t protected, that’s absolutely essential. Contact your internet provider, or review your router’s manual for instructions on how to secure your network. Your Wi-Fi password should be updated periodically as well. A good general rule of thumb is to change your passwords with each change of season, or four times a year.
  • Lock down your social media profiles. Consider going private on Twitter, reviewing your privacy settings on Facebook and deleting old social media profiles you no longer use. A while ago, I did a Google search on my full name and found a Friendster account from 10 years ago. Horrifying.
  • Don’t reveal too much of your personal information online. Have you ever had to reset a password and answer security questions to do so? Your date of birth, your mother’s maiden name, etc. can easily slip out online, and if your profiles are public, predators can piece together information about you pretty easily.
  • If you’re using shared computers or public networks on your devices, be very careful. Public Wi-Fi networks are especially dangerous, as we often won’t think twice about checking our account balances online, paying an electricity bill, or writing emails with sensitive content. If you’re shopping online, be sure the site is using a secure channel to process your billing information: check the address bar, and if the URL begins with “https” and your browser shows no certificate warning, you are good to go.

Above all, always be aware that most of what you put on the Internet can be accessed by anyone, at any time. Be on the defensive and stay proactive.

What are your tips for staying safe online?