Password

Lenovo Watch X was riddled with security bugs, researcher says

Posted by | api, Bluetooth, China, computer security, computing, encryption, Gadgets, lenovo, Password, smartwatches, spokesperson, Wearables, web server, Zhongguancun | No Comments

Lenovo’s Watch X was widely panned as “absolutely terrible.” As it turns out, so was its security.

The low-end $50 smartwatch was one of Lenovo’s cheapest smartwatches. Available only for the China market, anyone who wants one has to buy one directly from the mainland. Lucky for Erez Yalon, head of security research at Checkmarx, an application security testing company, he was given one from a friend. But it didn’t take him long to find several vulnerabilities that allowed him to change user’s passwords, hijack accounts and spoof phone calls.

Because the smartwatch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, like how many steps he was taking.

“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”

The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing a person’s username. That could’ve given him access to anyone’s account, he said.

Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given the watch’s exclusivity to China, it might not be a red flag to natives. But Yalon said the watch had “already pinpointed my location” before he had even registered his account.

Yalon’s research wasn’t just limited to the leaky API. He found that the Bluetooth-enabled smartwatch could also be manipulated from nearby, by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.

Using a similar malicious Bluetooth command, he could also set the alarm to go off — again and again. “The function allows adding multiple alarms, as often as every minute,” he said.

Lenovo didn’t have much to say about the vulnerabilities, besides confirming their existence.

“The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China,” said spokesperson Andrew Barron. “Our [security team] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”

Yalon said that encrypting the traffic between the watch, the Android app and its web server would prevent snooping and help reduce manipulation.

“Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms,” he said.

Powered by WPeMatico

Fortnite bugs put accounts at risk of takeover

Posted by | computer security, cryptography, fortnite, Gaming, Hack, hacking, Password, Prevention, Security, security breaches, software testing, spokesperson, vulnerability | No Comments

With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm that says the bug is now fixed.

Researchers at Check Point say the three vulnerabilities chained together could have affected any of its 200 million players. The flaws, if exploited, would have stolen the account access token set on the gamer’s device once they entered their password.

Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.

The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.

Check Point’s Oded Vanunu explains how the bug works. (Image: supplied)

“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.

Here’s how it works: The user clicks on a link, which points to an epicgames.com subdomain, which the hacker embeds a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker.

“If the victim user is not logged into the game, he or she would have to log in first,” said Vanunu. “Once that person is logged in, the account can be stolen.”

Epic Games has since fixed the vulnerability.

“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”

“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.

When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.

Powered by WPeMatico

Opera adds a crypto wallet to its mobile browser

Posted by | Apps, computing, cryptocurrency, freeware, Mobile, online identity, online payments, Opera, Password, Software, TC, telenor, Wallet | No Comments

The Opera Android browser will soon be able to hold your cryptocurrencies. The system, now in beta, lets you store crypto and ERC20 tokens in your browser, send and receive crypto on the fly, and secures your wallet with your phone’s biometric security or passcode.

You can sign up to try the beta here.

The feature, called Crypto Wallet, “makes Opera the first major browser to introduce a built-in crypto wallet” according to the company. The feature could allow for micropayments in the browser and paves the way for similar features in other browsers.

From the release:

We believe the web of today will be the interface to the decentralized web of tomorrow. This is why we have chosen to use our browser to bridge the gap. We think that with a built-in crypto wallet, the browser has the potential to renew and extend its important role as a tool to access information, make transactions online and manage users’ online identity in a way that gives them more control.

In addition to being able to send money from wallet to wallet and interact with Dapps, Opera now supports online payments with cryptocurrency where merchants support exists. Users that choose to pay for their order using cryptocurrency on Coinbase Commerce-enabled merchants will be presented with a payment request dialog, asking them for their signature. The payment will then be signed and transmitted directly from the browser.

While it’s still early days for this sort of technology it’s interesting to see a mainstream browser entering the space. Don’t hold your breath on seeing crypto in Safari or Edge but Chrome and other “open source” browsers could easily add these features given enough demand.

Powered by WPeMatico

This must be the year of mobile security

Posted by | computer security, Europe, iPhone, Mobile, mobile security, national security, Password, Prevention, Safety, Security, surveillance, TC | No Comments

cyber-security-data-phone If I gave you my phone right you’d be able to figure out a lot of stuff about me. If I didn’t unlock it you’d see some of the news I read, the apps I use, and even some of the messages I’ve gotten from my friends. You’d be able to see that my friend Rick just wrote “If she gets desperate enough, let me know?” which, if taken out of context, is pretty… Read More

Powered by WPeMatico