iPhone ‘Call Recorder’ App Leaked User Conversations

An iPhone app called Call Recorder lets users record their phone call conversations. But a recently discovered bug leaked those calls.

But using a readily available proxy tool like Burp Suite, Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone.

A new version of the app was submitted to Apple’s app store on Saturday. The release notes said the app update was to “patch a security report.”

Cryptee Adds DOCX Support for File Editing

Hot on the heels of its big 3.0 update, the next announcement for Cryptee is support for DOCX uploading and editing. You can also export documents as DOCX, making Cryptee a viable cloud-based private alternative to Microsoft Word and Google Docs. However, there is an extra security bonus to Cryptee:

A little known fact about docx files is that, due to the fact that they support macros, and other ways to execute code in them, they are commonly used by malicious third parties to distribute and spread malware viruses. Cryptee does not run / execute macros while opening docx files, allowing you to open / edit / save DOCX files safely, without having to worry about your computer getting infected.

Mac App Electrum Wallet With Backdoor Spotted in Wild

An Electrum wallet with a backdoor has been spotted in the wild by ConfiantIntel. They noticed that it’s another example of a piece of malware notarized by Apple. Link to tweet thread below.

These fake wallets were introduced during a Malvertising attack our security team discovered early this week, involving the hacking of a Major SSP. The hackers redirected the victims to https://electrum-4.github[.]io/ asking them to install an update of the electrum wallet.

In a separate tweet, it looks like one of Patrick Wardle’s tools can detect it.

47,000 iOS Apps Have Misconfigured Cloud Servers

Researchers at Zimperium analyzed 1.3 million Android and iOS apps to detect common cloud misconfigurations. They found that nearly 84,000 Android apps and 47,000 iOS apps have errors.

The researchers found almost 84,000 Android apps and nearly 47,000 iOS apps using public cloud services—like Amazon Web Services, Google Cloud, or Microsoft Azure—in their backend as opposed to running their own servers. Of those, the researchers found misconfigurations in 14 percent of those totals—11,877 Android apps and 6,608 iOS apps—exposing users’ personal information, passwords, and even medical information.

How Apple’s Walled Garden is a Double-Edged Security Sword

Patrick Howell O’Neill shared an interesting argument for MIT Technology Review: Apple’s locked-down ecosystem is both good and bad for security.

He argues that while the iPhone’s security is getting tighter as Apple invests millions to raise the wall, the best hackers have their own millions to buy or develop zero-click exploits that let them take over iPhones invisibly. These allow attackers to burrow into the restricted parts of the phone without ever giving the target any indication of having been compromised. And once they’re that deep inside, the security becomes a barrier that keeps investigators from spotting or understanding nefarious behavior.

Put another way: Apple’s locked down systems naturally select for the best hackers. And the best hackers have the skill to create the most devastating hacks. “This means that even to know you’re under attack, you may have to rely on luck or vague suspicion rather than clear evidence.”

Mysterious ‘Silver Sparrow’ Malware Confuses Researchers

Over the weekend we got news of a mysterious piece of malware called Silver Sparrow. It has infected 30,000 machines so far and there is a version of it built for M1 Macs. But security researchers can’t figure out its purpose.

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

Email Spy Pixels are a Widespread Problem, Says BBC

At the BBC’s request, email service “Hey” analyzed its traffic and found two-thirds of emails sent to users contained a spy pixel.

Defenders of the trackers say they are a commonplace marketing tactic. This information can then be used to determine the impact of a specific email campaign, as well as to feed into more detailed customer profiles. Hey’s co-founder David Heinemeier Hansson says they amount to a “grotesque invasion of privacy”. And other experts have also questioned whether companies are being as transparent as required under law about their use.

These pixels are tiny 1×1 images embedded in photos that can track a variety of data points. You could turn off “Load Remote Images” automatically in Settings > Mail, but then of course they would load along with other photos when you want to see them.

35 Companies Including Apple Hacked in Supply Chain Attack

Security researcher Alex Birsan was able to breach over 35 companies’ internal systems, including Apple, Microsoft, PayPal, Spotify, Netflix, and others. He did this through bug bounty programs and pre-approved penetration testing arrangements (aka, he’s one of the good guys). He earned over US$100,000 in bounties.

The attack comprised uploading malware to open source repositories including PyPI, npm, and RubyGems, which then got distributed downstream automatically into the company’s internal applications.

Unlike traditional typosquatting attacks that rely on social engineering tactics or the victim misspelling a package name, this particular supply chain attack is more sophisticated as it needed no action by the victim, who automatically received the malicious packages.

Hackers Tried to Poison Florida Town’s Water Supply

Most security news I’ve shared involves purely digital hacking. This story from Reuters is a case of using hacking to affect the physical world, like an attempt to poison a town’s water supply.

The hackers then increased the amount of sodium hydroxide, also known as lye, being distributed into the water supply. The chemical is typically used in small amounts to control the acidity of water, but at higher levels is dangerous to consume.

Oldsmar Mayor Eric Seidel said in a press conference on Monday that the affected water treatment facility also had other controls in place that would have prevented a dangerous amount of lye from entering the water supply unnoticed.

Browser Favicons Can be Used to Track You Online

Software designer Jonas Strehle discovered that browser favicons can be used to give you a unique ID that can be used to track you across the web. It works even if you use privacy tools like a VPN, incognito browsing, deleting cookies/browser cache, and others.

To be clear, this is a proof-of-concept and not something that Strehle has found out in the wild. Strehle’s supercookie program (which uses a Cookie Monster favicon) is a proof of the concept described by the university researchers.

Washington State Suffers Data Breach due to Contractor ‘Accellion’

Washington’s state government reported a data breach on Monday that could affect over 1.6 million people. The breach is connected to Accellion, a contractor involved with the state auditor’s office.

During the week of January 25, 2021, Accellion confirmed that an unauthorized person gained access to SAO files by exploiting a vulnerability in Accellion’s file transfer service. Some of the SAO data files contained personal information of Washington state residents who filed unemployment insurance claims in 2020 […] may also include the personal information of other Washington residents who have not yet been identified but whose information was in state agency or local government files under review by the SAO.

How Apple Improved iMessage Security in iOS 14

Project Zero, Google’s security team, reverse-engineered iMessage to see how Apple improved it in its latest OS 14 releases. Specially, how it has gained new protections against zero-day attacks using BlastDoor, resliding of the shared cache, and exponential throttling.

One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed “BlastDoor” service which is now responsible for almost all parsing of untrusted data in iMessages (for example, NSKeyedArchiver payloads). Furthermore, this service is written in Swift, a (mostly) memory safe language which makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base.

Password Manager Bitwarden Adds Touch ID to Browser Extension

Password manager Bitwarden announced the addition of a couple of new features. One feature adds support for Touch ID and Windows Hello to its browser extensions.

Browser extensions will now be able to access this authentication inside the Desktop application. This allows a more streamlined integration with hardware that does not require a unique browser-level integration. Biometric authentication requires macOS users to download the Mac App Store version.

Buffer Overflow Bug Found in SUDO Dubbed ‘Baron Samedit’

Tracked as CVE-2021-3156, a heap overflow bug found in sudo and dubbed “Baron Samedit” has been found recently. It allows an unprivileged user to gain root privileges on a vulnerable machine using a default sudo configuration.

The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.

2020-02-03: Looks like macOS is affected after all.