latest
Microsoft saved TikTok from a critical one-click vulnerability
One click and you could have lost your account
When you’re a creator, your social media accounts are your lifeblood. The best two-factor authentication apps and password managers are absolutely critical to keeping those accounts safe, but they can only do so much when the apps you're using themselves are vulnerable. Imagine clicking on a link that gives a random person unrestricted access to your TikTok account, complete with permission to make private videos public, access your messages, change your bio, and even upload new content. One tap on a targeted link could have spelled the end of your account as you knew it, but thankfully, Microsoft swooped in and identified this vulnerability before any widespread disaster.
OnePlus is something of a darling among Android power users, shipping phones that can be bootloader unlocked without any special permissions or codes. But security researcher Roee Hay found that the OnePlus 3 (and the revised OnePlus 3T) are rather more open than was probably intended. With two native fastboot commands, Hay found he could install unverified boot images and disable the verified boot feature, all without actually unlocking the bootloader with the familiar user-accessible command. Which is, well, bad: it basically means anyone can run malicious code on the phone without resetting the user's data.
Calling all hackers and security researchers: Google wants to pay you money. Quite a lot, in fact. The top prize for finding a new critical flaw in Android in the new Project Zero Prize competition is a whopping $200,000, with the second prize at $100,000 and $50,000 split among additional entrants. The contest is being run by Project Zero, the company's own internal team of security researchers that documents critical flaws and bugs in wide-reaching software.
So you might have heard about the Stagefright vulnerability that was published yesterday. While there's no evidence of a widely-used hack, the potential for malicious MMS attacks via Android's built-in media handling system (which could theoretically affect the majority of Android devices currently in operation) is certainly cause for concern. As reported on our original post, Google has known about the vulnerability since April and has been working on patches to fix the problem.
The Internet has been abuzz over the recently discovered Heartbleed bug. If you're not already familiar, Heartbleed is a vulnerability in the OpenSSL software library that allows an attacker to steal data directly from the memory space of an application and learn the private keys used to keep data securely encrypted as it travels over the Internet. The implications of this kind of leak are certainly severe, and it has everybody rushing to either install updates that fix the bug or implement workarounds to disable it.
SuperSU Security Advisory: Update To Version 1.69 (Available Now) To Avoid Potential Exploits
SuperSU Security Advisory: Update To Version 1.69 (Available Now) To Avoid Potential Exploits
If you're a root user, listen up. Chainfire updated SuperSU to v1.69 as of last night, which fixes two exploits that could allow an attacker to leverage root privileges without first prompting the user. Probably nothing to get overly anxious about, but it's definitely a good idea to make sure you're running the latest. Details of these exploits will be released next Monday, so you'll want to grab the update before then.
The security of our mobile apps and private data is a very serious matter. This is particularly true for high value targets like web browsers, which often store login credentials that can be used to access many of the websites we use on a regular basis. Unfortunately, browsers are also very complicated applications with an extensive set of features that are difficult to lock down completely. Sebastián Guerrero Selma of viaForensics recently posted a video demonstrating a newly discovered vulnerability in Firefox for Android which would allow hackers to access both the contents of the SD card and the browser's private data. Take a look at the video:
Second verse, same as the first. Two days ago the CyanogenMod ROM team announced a security update to the CM 10.1 platform, incorporating the "Master Key" security patch that Google had already issued back in February. Yesterday another, more intricate exploit in the same vein was posted by a Chinese blog, and again, Google has rapidly moved to patch the problem in Android... which won't be much comfort to those running an older release. Being the security-minded folks that they are, the CyanogenMod team has already patched the vulnerability in an even newer version of the ROM, CyanogenMod 10.1.2.
Hot on the heels of Bluebox's disclosure of the "Master Key" exploit, a Chinese blog has posted details of a similar vulnerability. This attack also sidesteps a bug in the signature verification step and allows seemingly innocent APKs to include a potentially dangerous payload; and like its brethren, Google has already patched the flaw and posted it to the Android Open Source Project (AOSP). The information comes to us from a China-based group (or possibly individual) calling itself the Android Security Squad. The original post is in Chinese, but a vaguely comprehensible translation can be had thanks to Google.
While most Android users are waiting on updaters that might patch some of the recently reported security holes, CyanogenMod is already getting a bug fix update out the door. CyanogenMod 10.1.1 is now hitting the stable channel for all supported devices.
When it comes to root and mod action on Motorola devices from the last couple of years, all eyes turn to brilliant Android hacker Dan Rosenberg. Since the Droid 3 was released two years ago, Rosenberg has successfully found root exploits for every Motorola device, including the D3, Bionic, RAZR, Droid 4, Xoom 2, Atrix HD, RAZR HD, and RAZR M. Add to that the fact he just released a tool that unlocks the bootloaders on the most modern Moto phones (RAZR HD, M, and Atrix HD), and it's not hard to see why he's such an important part of the Motorola modding community. Heck, without him, there probably wouldn't even be a Moto modding community.
There are a lot of security apps for Android that go a little ways into overkill territory. Whether you're talking about superfluous task managers or "virus scanners" that may provide some minimal protection while generating more fear than is warranted, Android has a persistent problem with companies applying a Windows-era mentality on a completely different OS. Secunia PSI, however, takes the cake for being one of the least effective apps on the Play Store.
Update 2: This exploit probably won't work on most Galaxy S III's as long as they have the most recent OTA update, as we demonstrate on video here.
[New App] X-Ray For Android From Duo Security Scans Your Device For Root Vulnerabilities, Unfortunately Can't Fix Them
We've all read the horror stories: a new virus is crawling through the third-party stores, aiming to steal your personal information, identity, and first
We've all read the horror stories: a new virus is crawling through the third-party stores, aiming to steal your personal information, identity, and first born child. More often than not, this type of malicious app is made possible because of one of the various root vulnerabilities that have been discovered throughout the various versions of Android.
While not everyone who owns an Android device roots, the Android modding community is at the very heart of everything we love about our little green buddy. Security researcher Dan Rosenberg recently gave a presentation where he elaborates on root and modding methods, as well as expounding on the security implications of modding Android phones.
At the beginning of the month, we broke the news about a huge security vulnerability in several HTC phones, including the Thunderbolt, EVO 3D, EVO 4G, and possibly more. Not long after word of this issue hit the 'net, HTC issued a response acknowledging it, as well as promising to deliver a patch to correct it. Looks like they are making good on that promise now, as several HTC devices are currently receiving an OTA update to correct this vulnerability.
Regardless of where you sit in the tech world, there is one thing that affects us all: security vulnerabilities. Unfortunately, our little green robot is no exception this rule, and The Register recently dropped a report on a potentially bad exploit.
Well, this is fun. Minutes after I completed and published my post further detailing how to root your EVO, I catch a teaser for ‘unrevoked’ - a ‘painless’ EVO rooting method that’s to be released tomorrow. Unrevoked is the work of Matt Mastracci, who gave us our first sneak peek at a rooted EVO, and one of the developers who contributed to the hack.