Google first introduced a Password Checkup Chrome extension this February to help you check if your login information had been breached, which it integrated with the password manager inside your Google Account in October. After testing this feature natively in the beta of its browser, the company is now rolling it out with the new stable version of Chrome 79. While it's at it, Google is also enhancing some phishing protection mechanisms.
A serious vulnerability that affected the way some popular HTC Android phones handle 802.1x usernames, passwords, and SSIDs was disclosed publicly today by engineers Chris Hessing and Bret Jordan. The bug allowed applications with only an ACCESS_WIFI_STATE permission to read your Wi-Fi SSIDs, usernames, and, most importantly, passwords on at least the following devices:
- Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
- Glacier - Version FRG83
- Droid Incredible - Version FRF91
- Thunderbolt 4G - Version FRG83D
- Sensation Z710e - Version GRI40
- Sensation 4G - Version GRI40
- Desire S - Version GRI40
- EVO 3D - Version GRI40
- EVO 4G - Version GRI40
Of course, if a malicious application also happens to have access to the Internet, SMS, or other means of sending out information, credentials could leak out from a vulnerable device to a remote location.
Well, that only took one media firestorm. Google, in response to widespread reports of a potential credential security hole in Android (which affects not only Android, but any OS using authTokens), is starting to roll out a fix for the public Wi-Fi vulnerability to all affected Android devices today. Google's statement, below:
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.
The vulnerability could only be exploited on public Wi-Fi networks, either by a sniffing attack or by SSID spoofing (a much more common method). It allowed an attacker to take a user's authToken for a particular service (e.g., Calendar, Twitter, Facebook) and then use it to log in to the respective service and engage in whatever unscrupulous behavior they so desired.
Before you panic, you should know that this isn't a huge deal, and Comcast is aware of the situation and has promised a fix "within a week or two." There, feel better? Good, because if you use the XFINITY app, any other app that has permission to read logs can read your Comcast username and password (aLogCat, for example).
The details, courtesy of aBSuRDiST, who discovered the issue:
My system log shows <userName>[email protected]</userName> and <password>MYPASSWORD</password> on a line that starts with "D/HTTPManager". I read the log using aLogcat (app available in the market). Open aLogcat, press menu and filter for "password".