Password

Google is making autofill on Chrome for mobile more secure

Posted by | Access Control, Android, biometrics, Chrome, computing, cryptography, Google, Identification, identity management, internet security, Mobile, Password, password manager, Security, smartphones, TC | No Comments

Google today announced a new autofill experience for Chrome on mobile that will use biometric authentication for credit card transactions, as well as an updated built-in password manager that will make signing in to a site a bit more straightforward.

Image Credits: Google

Chrome already uses the W3C WebAuthn standard for biometric authentication on Windows and Mac. With this update, this feature is now also coming to Android .

If you’ve ever bought something through the browser on your Android phone, you know that Chrome always asks you to enter the CVC code from your credit card to ensure that it’s really you — even if you have the credit card number stored on your phone. That was always a bit of a hassle, especially when your credit card wasn’t close to you.

Now, you can use your phone’s biometric authentication to buy those new sneakers with just your fingerprint — no CVC needed. Or you can opt out, too, as you’re not required to enroll in this new system.

As for the password manager, the update here is the new touch-to-fill feature that shows you your saved accounts for a given site through a standard Android dialog. That’s something you’re probably used to from your desktop-based password manager already, but it’s definitely a major new built-in convenience feature for Chrome — and the more people opt to use password managers, the safer the web will be. This new feature is coming to Chrome on Android in the next few weeks, but Google says that “is only the start.”

Image Credits: Google

 

Powered by WPeMatico

Gift Guide: Essential security and privacy gifts to help protect your friends and family

Posted by | Apple, facial recognition, Gadgets, Gift Guide 2019, hardware, hong kong, journalist, online ads, Password, password manager, privacy, Security, webcam | No Comments

There’s no such thing as perfect privacy or security, but there’s a lot you can do to lock down your online life. And the holiday season is a great time to encourage others to do the same. Some people are more likely to take security into their own hands if they’re given a nudge along the way.

Here we have a selection of gift ideas — from helpful security solutions to unique and interesting gadgets that will keep your information safe, but without breaking the bank.

A hardware security key for two-factor

Your online accounts have everything about you and you’d want to keep them safe. Two-factor authentication is great, but for the more security minded there’s an even stronger solution. A security key is a physical hardware key that’s even stronger than having a two-factor code going to your phone. These keys plug into your USB port on your computer (or the charger port on your phone) to prove to online services, like Facebook, Google, and Twitter, that you are who you say you are. Google’s own data shows security keys offer near-unbeatable protection against even the most powerful and resourced nation-state hackers. Yubikeys are our favorite and come in all shapes and sizes. They’re also cheap. Google also has a range of its own branded Titan security keys, one of which also offers Bluetooth connectivity.

Price: from $20.
Available from: Yubico Store | Google Store

Webcam cover

Surveillance-focused malware, like remote access trojans, can infect computers and remotely switch on your webcam without your permission. Most computer webcams these days have an indicator light that shows you when the camera is active. But what if your camera is blocked, preventing any accidental exposure in the first place? Enter the simple but humble webcam blocker. It slides open when you need to access your camera, and slides to cover the lens when you don’t. Support local businesses and non-profits — you can search for unique and interesting webcam covers on Etsy

Price: from $5 – $10.
Available from: Etsy | Electronic Frontier Foundation

A microphone blocker

Now you have you webcam cover, what about your microphone? Just as hackers can tap into your webcam, they can also pick up on your audio. Microphone blockers contain a semiconductor that tricks your computer or device into thinking that it’s a working microphone, when in fact it’s not able to pick up any audio. Anyone hacking into your device won’t hear a thing. Some modern Macs already come with a new Apple T2 security chip which prevents hackers from snooping on your microphone when your laptop’s lid is shut. But a microphone blocker will work all the time, even when the lid is open.

Price: $6.99 – $16.99.
Available from: Nope Blocker | Mic Lock

A USB data blocker

You might have heard about “juice-jacking,” where hackers plant malicious implants in USB outlets, which steal a person’s device data when an unsuspecting victim plugs in. It’s a threat that’s almost unheard of, but proof-of-concepts have shown how easy it is to implant malicious components in legitimate-looking cables. A USB data blocker essentially acts as a data barrier, preventing any information going in or out of your device, while letting power through to charge your battery. They’re cheap but effective.

Price: from $6.99 and $11.49.
Available from: Amazon | SyncStop

A privacy screen for your computer or phone

How often have you seen someone’s private messages or document as you look over their shoulder, or see them in the next aisle over? Privacy screens can protect you from “visual hacking.” These screens make it near-impossible for anyone other than the device user to snoop at what you’re working on. And, you can get them for all kinds of devices and displays — including phones. But make sure you get the right size!

Price: from about $17.
Available from: Amazon

A password manager subscription

Password managers are a real lifesaver. One strong, unique password lets you into your entire bank of passwords. They’re great for storing your passwords, but also for encouraging you to use better, stronger, unique passwords. And because many are cross-platform, you can bring your passwords with you. Plenty of password managers exist — from LastPass, Lockbox, and Dashlane, to open-source versions like KeePass. Many are free, but a premium subscription often comes with benefits and better features. And if you’re a journalist, 1Password has a free subscription for you.

Price: Many free, premium offerings start at $35.88 – $44.28 annually
Available from: 1Password | LastPass | Dashlane | KeePass

Anti-surveillance clothing

Whether you’re lawfully protesting or just want to stay in “incognito mode,” there are — believe it or not — fashion lines that can help prevent facial recognition and other surveillance systems from identifying you. This clothing uses a kind of camouflage that confuses surveillance technology by giving them more interesting things to detect, like license plates and other detectable patterns.

Price: $35.99.
Available from: Adversarial Fashion

Pi-hole

Think of a Pi-hole as a “hardware ad-blocker.” A Pi-hole is a essentially a Raspberry Pi mini-computer that runs ad-blocking technology as a box that sits on your network. It means that everyone on your home network benefits from ad blocking. Ads may generate revenue for websites but online ads are notorious for tracking users across the web. Until ads can behave properly, a Pi-hole is a great way to capture and sinkhole bad ad traffic. The hardware may be cheap, but the ad-blocking software is free. Donations to the cause are welcome.

Price: From $35.
Available from: Pi-hole | Raspberry Pi

And finally, some light reading…

There are two must-read books this year. NSA whistleblower Edward Snowden’s “Permanent Record” autobiography covers his time as he left the shadowy U.S. intelligence agency to Hong Kong, where he spilled thousands of highly classified government documents to reporters about the scope and scale of its massive global surveillance partnerships and programs. And, Andy Greenberg’s book on “Sandworm”, a beautifully written deep-dive into a group of Russian hackers blamed for the most disruptive cyberattack in history, NotPetya, This incredibly detailed investigative book leaves no stone unturned, unravelling the work of a highly secretive group that caused billions of dollars of damage.

Price: From $14.99.
Available from: Amazon (Permanent Record) | Amazon (Sandworm)

Powered by WPeMatico

‘Magic: The Gathering’ game maker exposed 452,000 players’ account data

Posted by | Bucket, computer security, cryptography, database, Europe, game developer, Gaming, General Data Protection Regulation, Government, information commissioner's office, Password, player, Prevention, Security, spokesperson, United Kingdom, washington | No Comments

The maker of Magic: The Gathering has confirmed that a security lapse exposed the data on hundreds of thousands of game players.

The game’s developer, the Washington-based Wizards of the Coast, left a database backup file in a public Amazon Web Services storage bucket. The database file contained user account information for the game’s online arena. But there was no password on the storage bucket, allowing anyone to access the files inside.

The bucket is not believed to have been exposed for long — since around early-September — but it was long enough for U.K. cybersecurity firm Fidus Information Security to find the database.

A review of the database file showed there were 452,634 players’ information, including about 470 email addresses associated with Wizards’ staff. The database included player names and usernames, email addresses, and the date and time of the account’s creation. The database also had user passwords, which were hashed and salted, making it difficult but not impossible to unscramble.

None of the data was encrypted. The accounts date back to at least 2012, according to our review of the data, but some of the more recent entries date back to mid-2018.

A formatted version of the database backup file, redacted, containing 452,000 user records. (Image: TechCrunch)

Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.

Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company.”

“We removed the database file from our server and commenced an investigation to determine the scope of the incident,” he said. “We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data,” but the spokesperson did not provide any evidence for this claim.

“However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system,” he said.

Harriet Lester, Fidus’ director of research and development, said it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”

“Our research team work continuously, looking for misconfigurations such as this to alert companies as soon as possible to avoid the data falling into the wrong hands. It’s our small way of helping make the internet a safer place,” she told TechCrunch.

The game maker said it informed the U.K. data protection authorities about the exposure, in line with breach notification rules under Europe’s GDPR regulations. The U.K.’s Information Commissioner’s Office did not immediately return an email to confirm the disclosure.

Companies can be fined up to 4% of their annual turnover for GDPR violations.

Powered by WPeMatico

Yubico launches its dual USB-C and Lightning two-factor security key

Posted by | Apps, authentication, computer security, cryptography, Gadgets, gmail, hardware, iPad, iPhone, macbooks, mobile devices, Password, password manager, Security, security token, Yubico, Yubikey | No Comments

Almost two months after it was first announced, Yubico has launched the YubiKey 5Ci, a security key with dual support for iPhones, Macs and other USB-C compatible devices.

Yubico’s newest YubiKey is the latest iteration of its security key built to support a newer range of devices, including Apple’s iPhone, iPad and MacBooks, in a single device. Announced in June, the company said the security keys would cater to cross-platform users — particularly Apple device owners.

These security keys are small enough to sit on a keyring. When you want to log in to an online account, you plug in the key to your device and it authenticates you. Your Gmail, Twitter and Facebook account all support these plug-in devices as a second-factor of authentication after your username and password — a far stronger mechanism than the simple code sent to your phone.

Security keys offer almost unbeatable security and can protect against a variety of threats, including nation-state attackers.

Jerrod Chong, Yubico’s chief solutions officer, said the new key would fill a “critical gap in the mobile authentication ecosystem,” particularly given how users are increasingly spending their time across a multitude of mobile devices.

The new key works with a range of apps, including password managers like 1Password and LastPass, and web browsers like Brave, which support security key authentication.

Powered by WPeMatico

Security flaws in a popular smart home hub let hackers unlock front doors

Posted by | Gadgets, Home Automation, Password, privacy, private key, search engine, Security, smart device, smart devices, smart home devices, smart lock, spokesperson, wi-fi | No Comments

When is a smart home not so smart? When it can be hacked.

That’s exactly what security researchers Chase Dardaman and Jason Wheeler did with one of the Zipato smart hubs. In new research published Tuesday and shared with TechCrunch, Dardaman and Wheeler found three security flaws which, when chained together, could be abused to open a front door with a smart lock.

Smart home technology has come under increasing scrutiny in the past year. Although convenient to some, security experts have long warned that adding an internet connection to a device increases the attack surface, making the devices less secure than their traditional counterparts. The smart home hubs that control a home’s smart devices, like water meters and even the front door lock, can be abused to allow landlords entry to a tenant’s home whenever they like.

In January, security expert Lesley Carhart wrote about her landlord’s decision to install smart locks — forcing her to look for a new home. Other renters and tenants have faced similar pressure from their landlords and even sued to retain the right to use a physical key.

Dardaman and Wheeler began looking into the ZipaMicro, a popular smart home hub developed by Croatian firm Zipato, some months ago, but only released their findings once the flaws had been fixed.

The researchers found they could extract the hub’s private SSH key for “root” — the user account with the highest level of access — from the memory card on the device. Anyone with the private key could access a device without needing a password, said Wheeler.

They later discovered that the private SSH key was hardcoded in every hub sold to customers — putting at risk every home with the same hub installed.

Using that private key, the researchers downloaded a file from the device containing scrambled passwords used to access the hub. They found that the smart hub uses a “pass-the-hash” authentication system, which doesn’t require knowing the user’s plaintext password, only the scrambled version. By taking the scrambled password and passing it to the smart hub, the researchers could trick the device into thinking they were the homeowner.

All an attacker had to do was send a command to tell the lock to open or close. With just a few lines of code, the researchers built a script that locked and unlocked a smart lock connected to a vulnerable smart hub.

The proof-of-concept code letting the hackers unlock a smart lock (Image: Chase Dardaman, Jason Wheeler)

Worse, Dardaman said that any apartment building that registered one main account for all the apartments in their building would allow them to “open any door” from that same password hash.

The researchers conceded that their findings weren’t a perfect skeleton key into everyone’s homes. In order to exploit the flaws, an attacker would need to be on the same Wi-Fi network as the vulnerable smart hub. Dardaman said any hub connected directly to the internet would be remotely exploitable. The researchers found five such vulnerable devices using Shodan, a search engine for publicly available devices and databases.

Zipato says it has 112,000 devices in 20,000 households, but the exact number of vulnerable hubs isn’t known.

We asked SmartRent, a Zipato customer and one of the largest smart home automation providers, which said fewer than 5% of its apartment-owning customers were affected by the vulnerable technology. A spokesperson wouldn’t quantify the figure further. SmartRent said it had more than 20,000 installations in mid-February, just weeks before the researchers’ disclosure.

For its part, Zipato fixed the vulnerabilities within a few weeks of receiving the researchers’ disclosure.

Zipato’s chief executive Sebastian Popovic told TechCrunch that each smart hub now comes with a unique private SSH key and other security improvements. Zipato has also since discontinued the ZipaMicro hub in favor of one of its newer products.

Smart home tech isn’t likely to go away any time soon. Figures from research firm IDC estimate more than 832 million smart home devices will be sold in 2019, just as states and countries crack down on poor security in internet-connected devices.

That’s also likely to bring more scrutiny to smart home tech by hackers and security researchers alike.

“We want to show that there is a risk to this kind of tech, and apartment buildings or even individual consumers need to know that these are not necessarily safer than a traditional door lock,” said Dardaman.

Powered by WPeMatico

Samsung spilled SmartThings app source code and secret keys

Posted by | Android, Apps, computing, data breach, Dubai, Gadgets, gitlab, Password, Samsung, Security, smartphones, smartthings, SMS, Software, spokesperson, Stratics Networks | No Comments

A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside at each project, access and download the source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.

Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through exposed private keys and tokens, Hussein documented a vast amount of access that if obtained by a malicious actor could have been “disastrous,” he said.

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens (Image: supplied)

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials, but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.

Read more:

Powered by WPeMatico

After account hacks, Twitch streamers take security into their own hands

Posted by | computer security, credential stuffing, cryptography, Gaming, johnny xmas, multi-factor authentication, Password, Prevention, salem, Security, SMS, Twitch, twitch tv, video hosting | No Comments

Twitch has an account hacking problem.

After the breach of popular browser game Town of Salem in January, some 7.8 million stolen passwords quickly became the weakest link not only for the game but gamers’ other accounts. The passwords were stored using a long-deprecated scrambling algorithm, making them easily cracked.

It didn’t take long for security researcher and gamer Matthew Jakubowski to see the aftermath.

In the weeks following, the main subreddit for Amazon-owned game streaming site Twitch — of which Jakubowski is a moderator — was flooded with complaints about account hijacks. One after the other, users said their accounts had been hacked. Many of the hijacked accounts had used their Town of Salem password for their Twitch account.

Jakubowski blamed the attacks on automated account takeovers — bots that cycle through password lists stolen from breached sites, including Town of Salem.

“Twitch knows it’s a problem — but this has been going on for months and there’s no end in sight,” Jakubowski told TechCrunch.

Credential stuffing is a security problem that requires participation from both tech companies and their users. Hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts. Customers of DoorDash and Chipotle have in recent months complained of account breaches, but have denied their systems have been hacked, offered little help to their users or shown any effort to bolster their security, and instead washed their hands of any responsibility.

Jakubowski, working with fellow security researcher Johnny Xmas, said Twitch no longer accepting email addresses to log in and incentivizing users to set up two-factor authentication would all but eliminate the problem.

The Russia connection

In new research out Tuesday, Jakubowski and Xmas said Russian hackers are a likely culprit.

The researchers found attackers would run massive lists of stolen credentials against Twitch’s login systems using widely available automation tools. With no discernible system to prevent automated logins, the attackers can hack into Twitch accounts at speed. Once logged in, the attackers then change the password to gain persistent access to the account. Even if they’re caught, some users are claiming a turnaround time of four weeks for Twitch support to get their accounts back.

On the accounts with a stored payment card — or an associated Amazon Prime membership — the attackers follow streaming channels they run or pay a small fee to access, of which Twitch takes a cut. Twitch also has its own virtual currency — bits — to help streamers solicit donations, which can be abused by the attackers to funnel funds into their coffers.

When the attacker’s streaming account hits the payout limit, the attacker cashes out.

The researchers said the attackers stream prerecorded gameplay footage on their own Twitch channels, often using Russian words and names.

“You’ll see these Russian accounts that will stream what appears to be old video game footage — you’ll never see a face or hear anybody talking but you’ll get tons of people subscribing and following in the channel,” said Xmas. “You’ll get people donating bits when nothing is going on in there — even when the channel isn’t streaming,” he said.

This activity helps cloak the attackers’ account takeover and pay-to-follow activity, said Xmas, but the attackers would keep the subscriber counts low enough to garner payouts from Twitch but not draw attention.

“If it’s something easy enough for [Jakubowski] to stumble across, it should be easy for Twitch to handle,” said Xmas. “But Twitch is staying silent and users are constantly being defrauded.”

Two-factor all the things

Twitch, unlike other sites and services with a credential stuffing problem, already lets its 15 million daily users set up two-factor authentication on their accounts, putting much of the onus to stay secure on the users themselves.

Twitch partners, like Jakubowski, and affiliates are required to set up two-factor on their accounts.

But the researchers say Twitch should do more to incentivize ordinary users — the primary target for account hijackers and fraudsters — to secure their accounts.

“I think [Twitch] doesn’t want that extra step between a valid user trying to pay for something and adding friction to that process,” said Jakubowski.

“The hackers have no idea how valuable an account is until they log in. They’re just going to try everyone — and take a shotgun approach.”
Matthew Jakubowski, security researcher and Twitch partner

“Two-factor is important — everyone knows it’s important but users still aren’t using it because it’s inconvenient,” said Xmas. “That’s the bottom line: Twitch doesn’t want to inconvenience people because that loses Twitch money,” he said.

Recognizing there was still a lack of awareness around password security and with no help from Twitch, Jakubowski and Xmas took matters into their own hands. The pair teamed up to write a comprehensive Twitch user security guide to explain why seemingly unremarkable accounts are a target for hackers, and hosted a Reddit “ask me anything” to let users to ask questions and get instant feedback.

Even during Jakubowski’s streaming sessions, he doesn’t waste a chance to warn his viewers about the security problem — often fielding other security-related questions from his fans.

“Every 10 minutes or so, I’ll remind people watching to set-up two factor,” he said.

“The hackers have no idea how valuable an account is until they log in,” said Jakubowski. “They’re just going to try everyone — and take a shotgun approach,” he said.

Xmas said users “don’t realize” how vulnerable they are. “They don’t understand why their account — which they don’t even use to stream — is desirable to hackers,” he said. “If you have a payment card associated with your account, that’s what they want.”

Carrot and the stick

Jakubowski said that convincing the users is the big challenge.

Twitch could encourage users with free perks — like badges or emotes — costing the company nothing, the researchers said. Twitch lets users collect badges to flair their accounts. World of Warcraft maker Blizzard offers perks for setting up two-factor, and Epic Games offers similar incentives to their gamers.

“Rewarding users for implementing two-factor would go a huge way,” said Xmas. “It’s incredible to see how effective that is.”

The two said the company could also integrate third-party leaked credential monitoring services, like Have I Been Pwned, to warn users if their passwords have been leaked or exposed. And, among other fixes, the researchers say removing two-factor by text message would reduce SIM swapping attacks. Xmas, who serves as director of field engineering at anti-bot startup Kasada — which TechCrunch profiled earlier this year — said Twitch could invest in systems that detect bot activity to prevent automated logins.

Twitch, when reached prior to publication, did not comment.

Jakubowski said until Twitch acts, streamers can do their part by encouraging their viewers to switch on the security feature. “Streamers are influencers — more users are likely to switch on two-factor if they hear it from a streamer,” he said.

“Getting more streamers to get on board with security will hopefully go a much longer way,” he said.

Read more:

Powered by WPeMatico

Lenovo Watch X was riddled with security bugs, researcher says

Posted by | api, Bluetooth, China, computer security, computing, encryption, Gadgets, lenovo, Password, smartwatches, spokesperson, Wearables, web server, Zhongguancun | No Comments

Lenovo’s Watch X was widely panned as “absolutely terrible.” As it turns out, so was its security.

The low-end $50 smartwatch was one of Lenovo’s cheapest smartwatches. Available only for the China market, anyone who wants one has to buy one directly from the mainland. Lucky for Erez Yalon, head of security research at Checkmarx, an application security testing company, he was given one from a friend. But it didn’t take him long to find several vulnerabilities that allowed him to change user’s passwords, hijack accounts and spoof phone calls.

Because the smartwatch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, like how many steps he was taking.

“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”

The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing a person’s username. That could’ve given him access to anyone’s account, he said.

Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given the watch’s exclusivity to China, it might not be a red flag to natives. But Yalon said the watch had “already pinpointed my location” before he had even registered his account.

Yalon’s research wasn’t just limited to the leaky API. He found that the Bluetooth-enabled smartwatch could also be manipulated from nearby, by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.

Using a similar malicious Bluetooth command, he could also set the alarm to go off — again and again. “The function allows adding multiple alarms, as often as every minute,” he said.

Lenovo didn’t have much to say about the vulnerabilities, besides confirming their existence.

“The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China,” said spokesperson Andrew Barron. “Our [security team] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”

Yalon said that encrypting the traffic between the watch, the Android app and its web server would prevent snooping and help reduce manipulation.

“Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms,” he said.

Powered by WPeMatico

Fortnite bugs put accounts at risk of takeover

Posted by | computer security, cryptography, fortnite, Gaming, Hack, hacking, Password, Prevention, Security, security breaches, software testing, spokesperson, vulnerability | No Comments

With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm that says the bug is now fixed.

Researchers at Check Point say the three vulnerabilities chained together could have affected any of its 200 million players. The flaws, if exploited, would have stolen the account access token set on the gamer’s device once they entered their password.

Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.

The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.

Check Point’s Oded Vanunu explains how the bug works. (Image: supplied)

“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.

Here’s how it works: The user clicks on a link, which points to an epicgames.com subdomain, which the hacker embeds a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker.

“If the victim user is not logged into the game, he or she would have to log in first,” said Vanunu. “Once that person is logged in, the account can be stolen.”

Epic Games has since fixed the vulnerability.

“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”

“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.

When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.

Powered by WPeMatico

Opera adds a crypto wallet to its mobile browser

Posted by | Apps, computing, cryptocurrency, freeware, Mobile, online identity, online payments, Opera, Password, Software, TC, telenor, Wallet | No Comments

The Opera Android browser will soon be able to hold your cryptocurrencies. The system, now in beta, lets you store crypto and ERC20 tokens in your browser, send and receive crypto on the fly, and secures your wallet with your phone’s biometric security or passcode.

You can sign up to try the beta here.

The feature, called Crypto Wallet, “makes Opera the first major browser to introduce a built-in crypto wallet” according to the company. The feature could allow for micropayments in the browser and paves the way for similar features in other browsers.

From the release:

We believe the web of today will be the interface to the decentralized web of tomorrow. This is why we have chosen to use our browser to bridge the gap. We think that with a built-in crypto wallet, the browser has the potential to renew and extend its important role as a tool to access information, make transactions online and manage users’ online identity in a way that gives them more control.

In addition to being able to send money from wallet to wallet and interact with Dapps, Opera now supports online payments with cryptocurrency where merchants support exists. Users that choose to pay for their order using cryptocurrency on Coinbase Commerce-enabled merchants will be presented with a payment request dialog, asking them for their signature. The payment will then be signed and transmitted directly from the browser.

While it’s still early days for this sort of technology it’s interesting to see a mainstream browser entering the space. Don’t hold your breath on seeing crypto in Safari or Edge but Chrome and other “open source” browsers could easily add these features given enough demand.

Powered by WPeMatico