Posts

Mobile Messengers Expose Billions Of Users To Privacy Attacks

When new users install popular mobile messengers (like WhatsApp, Telegram, or Signal), they can instantly start messaging existing contacts based on the mobile numbers stored on their devices. For this, users must grant the app permission to access their address book and transmit it to the company's servers frequently, which is called mobile contact discovery. According to a team of researchers from the Secure Software Systems Group and the Privacy Engineering Group, currently deployed contact discovery services severely threaten the privacy of billions of mobile messenger users. The team also demonstrated a practical crawling attack on popular mobile messengers like WhatsApp, Telegram, and Signal. The results of this experiment show that attackers can collect private sensitive data at a very large scale and without significant restrictions by querying mobile contact discovery services for random mobile numbers. For further study, the team of researchers queried aroun
Recent posts

Why You Should Stop Using Facebook Messenger

If you are a user of Facebook Messenger, now would be a good time to think about its alternatives. Recently, Facebook revealed a major security feature for Messenger that allows users to unlock their chat messages by scanning their face (a biometric feature) on iOS. However, the sad truth is that Facebook Messenger is lacking on the security front, and that is an issue Facebook can't easily fix. While announcing its latest security feature update for Messenger, Facebook said that this biometric app lock feature would add an additional layer of security to your private chat messages and prevent other people from accessing them. Unfortunately, this security update is like adding additional locks to the front door of a bank while leaving the vault wide open. There are many alternatives that offer most of the same functionality without the risks. That's why now is the time to switch. What's The Problem? The problem is — encr

Apple Touch ID Vulnerability Could Have Let Attackers Hack iCloud Accounts

A security researcher at the security firm Computest discovered a flaw in Apple's implementation of Touch ID (a biometric feature) that authenticates users logging in (particularly those using Apple ID logins) to websites in the Safari browser. The security researcher reported the flaw to Apple, and the company addressed it in a server-side update. Apple Touch ID Authentication Flaw When users try to sign in to any site that requires an Apple ID, a prompt is shown to authenticate the login using Touch ID (biometrics). After logging in through Touch ID, the 2FA (Two-Factor Authentication) step is skipped. When logging in to Apple sites (www.icloud.com) the standard way, with an ID and password, the site embeds an iframe pointing to https://idmsa.apple.com (Apple's login validation server), which handles the authentication task. This iframe URL also contains two other parameters: 1. client_id — identifying the service 2. redirect_uri — URI to b

New 'Shadow Attack' Can Replace Content In Digitally Signed PDF Files

Security researchers from Ruhr-University Bochum in Germany have found a new attack method, called 'Shadow Attack', against digitally signed PDF documents. This new attack method allows an attacker to hide and replace content in a digitally signed PDF document without invalidating its signature. The attacker can create a document with two different contents: the first one that the signer expects to see, and the second one that will be displayed to the receiver of the document. First, the signers receive the PDF document, review it, and sign it; then the attackers take that signed document, modify it slightly, and send it to the victims. After opening the signed PDF document, the victims verify whether the signature is correct. However, due to the new attack method, the PDF document is successfully verified and the victims see different content than the signers did. 15 out of 28 desktop PDF viewer apps, including Adobe Acrobat Reader, Adobe Acrobat Pro, Foxit Reader, L

38 Million Indian DigiLocker Accounts Could Have Been Accessed Without Password

The Indian Government addressed a highly critical flaw in its secure document wallet service DigiLocker that could have let an attacker bypass the mobile OTP (One-Time Password) mechanism and sign in as other users to gain unauthorised access to their sensitive documents. Security researcher Mohesh Mohan discovered the highly critical flaw in the DigiLocker wallet service. According to the analysis done by Mohesh Mohan, the OTP (One-Time Password) mechanism lacked an authorization check, which made it possible to perform OTP (One-Time Password) validation by submitting any valid user's details and then, through modification, sign in as a different user. The Indian Government's secure document wallet service, DigiLocker, has over 38 million registered users and acts as a digital platform that makes online processing of documents and delivery of various government services easier and faster. Also, DigiLocker is linked to a user's phone number and Aadhaar ID (India's natio

Indian Payment App BHIM Exposes Over 7 Million Users Data

Indian e-payment app BHIM (Bharat Interface for Money) has suffered a massive data breach that exposed the private sensitive data of over 7 million users. The Bharat Interface for Money (BHIM) app is based on the UPI (Unified Payments Interface) mechanism and is owned by NPCI (National Payments Corporation of India) to provide better bank-to-bank money transfer in India. Currently, the BHIM app has over 136 million users. Security researchers from vpnMentor discovered the unsecured database on 23 April 2020 but announced it only recently. The exposed database belonged to the BHIM app's website (http://cscbhim.in/), which was being used to promote its usage across India and sign up large numbers of business merchants to the app. The data was exposed due to a misconfigured Amazon Web Services (AWS) S3 bucket containing 409 GB of data. The exposed database contains user records from February 2019 onwards. The exposed data include Personally identifiable information (PII

Critical 'Sign in with Apple' Flaw Could Have Let Attackers Hijack Anyone's Account

What if I told you that an attacker only requires your email ID to gain access to one of your accounts on your favorite app or website? Sounds shocking, right? Indian security researcher Bhavuk Jain discovered a critical vulnerability affecting Apple's 'Sign in with Apple' system that could allow attackers to bypass authentication and take over a victim's account on third-party applications that offer the 'Sign in with Apple' option to their users. Apple also rewarded the security researcher with a $100,000 bug bounty for reporting the highly critical flaw. Last year, Apple launched the 'Sign in with Apple' feature and introduced it as a privacy-protecting login system that allows users to sign up for an account with third-party applications without disclosing their actual email ID. Security researcher Bhavuk Jain found the critical vulnerability in the way Apple was validating a user on the client side before initiating a request f