Search This Blog

Showing posts with label Bug. Show all posts

Expert finds a Bug in Twitter that can Expose your Account Information


As if it wasn't enough already, the famous social networking and microblogging website Twitter has suffered yet another data vulnerability recently. In a recent data breach incident, an expert claimed that he was able to exploit a Twitter bug and used it to match more than 17 Million mobile numbers to user profiles. The list of the accounts targeted includes prominent lawmakers and officials. This hack was achieved by exploiting a bug in Twitter's Android application.


According to the reports of TechCrunch, Safety expert, Ibrahim Balic discovered that it is attainable to post complete records of created contact information via the contact upload option in the Twitter app. "If you put your contact information .i.e the phone number, the app in return, retrieve user information," says Ibrahim. The users whose phone numbers were matched were from countries like Germany, France, Armenia, Iran, Greece, Turkey, and Israel. In one particular incident, the user whose number was matched was found to be a prominent Israeli politician, reports TechCrunch.

About the Bug-
Ibrahim Balic started to alert the users of this issue 2 months earlier, through a WhatsApp group. When Twitter came to know this, the micro-blogging platform immediately obstructed his attempts. Ibrahim was able to create more than 2 Billion mobile numbers, steadily, after rearranging the numbers created, he uploaded them online via the Twitter Android application. However, the vulnerability didn't exist in the web-based Twitter app. It is yet to confirm whether Ibrahim's activity was associated with what Twitter issued in a statement earlier this week, saying it had suffered a data exploit. Twitted admitted that a malicious bug was implanted into its application by an anonymous cyber-criminal, which could've jeopardized numerous Twitterites information across the world, including Indian users. Twitter, however, did not reveal the person responsible for the exploit.

What can this Vulnerability do? 
This exploit in the Twitter android application can allow hackers to see personal information of the users, and also gives them the command of user accounts, by allowing hackers to tweet or send messages. The researcher Balic is known for exposing the security flaw in Apple's developer center in the year 2013. "We are working our best to ensure that the bug couldn't be exploited again," said the Twitter spokesperson. Twitter has faced various security issues in the past this year.

All Android Users Beware! All The Android Versions Vulnerable To This New Bug 'StrandHogg'


Android is vulnerable anew owing it to a new bug that goes by the name of “StrandHogg”. It is a serious issue as the bug could penetrate the entire security mechanism with a single wrong click of the user.

This bug has a special provision where it allows malicious applications and malware to pose as legitimate applications. The applications look so real that the user is unaware at all times.

The fake applications then find a way to the users’ sensitive data that too in real-time. Per reports, all the versions of Android are susceptible to this bug even the latest Android 10.

Surprisingly, the worst part about the bug is that the users would have no idea at all that they have been attacked and they’d be completely unaware of the malicious applications on their device.

Listening in on conversations and recording them, accessing login credentials, read/sending unwanted texts and even complete control of the photo album, call logs and contacts are allegedly a few of the many things the bug can do.

“StrandHogg” can let the hackers have a complete hold over the affected device’s camera which is pretty disconcerting given the hackers could turn on visuals whenever they find fit which could be a massive breach of privacy.

All of the senior police personnel have been alerted regarding the hazard. Several measures have also been scheduled to be taken along the lines of public awareness about the bug.

Things to steer clear off include pop up notifications asking permission for sending notifications, messages or other related things and applications asking to log in again despite being already logged in.

If such requests are allowed, the bug would let the hackers have almost complete access to the device from the camera to live conversations be it a cell phone or a tablet.

Other warning signs include suddenly non-functional links and permissions being asked by applications that have never needed them before.

The Home Ministry’s Cyber Crime Coordination Centre reportedly cited that over 500 Android applications are under the peril of an attack by this bug. They also released to all the states, a list of the plan of action of the bug.

Manipur Engineer Enters Facebook’s “Hall Of Fame 2019” By Discovering a Privacy Breach Bug



Zonel Sougaijam, a 22-year-old civil engineer, was recently honoured by Facebook for discovering a WhatsApp bug that violated the privacy of a user.

Mr. Sougaijam told PTI, in the wake of discovering the bug, that he had reported the issue to the Bug Bounty Program of the Facebook, which manages infringement of privacy matters, in March.

“During a voice call through WhatsApp, the bug used to allow the caller to upgrade it to a video call without the authorisation and knowledge of the receiver. The caller was then able to see what the other person was doing, violating the privacy of the receiver,” he said.

Zonel Sougaijam, the 22-year-old civil engineer

His report was hence acknowledged by the Facebook Security Team the immediate next day and its technical department fixed the bug under 15-20 days. The social media giant then proceeded to award him with a bounty of $5000 at the same time incorporating him in the 'Facebook Hall of Fame 2019', for detecting the WhatsApp bug.

Sougaijam's name is right now at the 16th position in a rundown of 94 people, in the 'Facebook Hall of Fame' for the current year.

Facebook had obtained Instagram in 2012 and WhatsApp in 2014. The organization has been entangled in data privacy concerns and political ramifications of its calculations throughout the most recent couple of years.


Bug in Microsoft RDP allows hackers perform WannaCry level attack


A critical remote execution vulnerability in Microsoft remote desktop services enables let attackers compromise the vulnerable system with WannaCry level malware.

Microsoft recently fixed this RCE vulnerability in Remote Desktop Services – formerly known as Terminal Services, and it’s affected some of the old version of Windows.

A WannaCry attack was one of the notorious cyber attacks in this decade, and it shut down million of computer around the world by exploiting the vulnerability in the RDP protocol.

In this case, Remote Desktop Protocol (RDP) itself is not vulnerable, but attackers need to perform pre-authentication, and it doesn’t require user interaction.

This vulnerability didn’t have any exploit at this time, but in the future, an attacker will create a malware that exploits this vulnerability in a similar way of WannaCry attack.

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008 and also out of support versions Windows 2003 and Windows XP.

3 Million Endpoints are Vulnerable to This RCE Bug

Initially, an unauthenticated attacker will send the specially crafted malicious request to the vulnerable systems after they establish a connection through RDP.

According to Microsoft, This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An Independent researcher Kevin Beaumont said, based on the Shodan search engine, around 3 million RDP endpoints are directly exposed to the internet.

“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.” Microsoft said.

According to Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC) “Customers running Windows 8 and Windows 10 are not affected by this vulnerability”.

Google Warns Users to Update Their Browser Immediately Due To a Disruptive Bug




A security breach revealed by hackers on the desktop version of Chrome has driven Google into warning its users to update Chrome as soon as they can or risk having their system 'hijacked'.

A part of Chrome called FileReader is supposedly thought to have been connected with the exploit, as it clearly lets software incorporated into websites access the information stored on the user's computer.

Being the most commonly utilized internet browser on the planet, with in excess of approximately two billion active users, the search giant is quite guarded about the details of the manner in which the exploit operates so as to keep the copycat hackers from utilizing comparable methods to attempt and break into user's accounts.

The fact that the security risk 'CVE-2019-5786' wasn't identified by Google in the first place accordingly implies that Chrome browsers were 'actively under attack  ' even before a fix could be released for the users, which thusly on the other hand gave hackers a 'head start' and left the user's systems at high risk even before an update is installed.

Google's lead security engineer Justin Schuh writing on Twitter, warned users: 'Seriously update your Chrome installs... like right this minute.'  Adding later that ‘unlike previous bugs found in Chrome which have targeted third-party software linked to the browser, this bug targeted Chrome code directly. 

Therefore he says that it is 'worth' cautioning user's all the more freely as the fix expects them to make the additional stride of manually restarting the browser after the update to invalidate the exploit had been downloaded.

‘Access to bug details and links may be kept restricted until a majority of users are updated with a fix, we will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.’ says Google.

Whatsapp Asks Apple Users to Beware Of the Touch ID, Face ID Feature




A recently discovered bug in the Touch ID, Face ID feature rolled out on WhatsApp is progressively turning into a grave threat to the iPhone users as it enables anyone to effortlessly sidestep the authentication systems. The support for Touch ID or Face ID to unlock the application is accessible for WhatsApp version 2.19.20 and when enabled correctly, the application requires the user to utilize the Touch ID or Face ID each time they get to access the application.

The Android users are safe, since this specific feature isn't made available for them.

A Reddit user explained in a post with respect to how simple the bypassing of the system is and how nearly anybody can do it. The method fundamentally begins to work when the user gets the choice to unlock the application either immediately or after one moment, after 15 minutes or after an hour and he/she chooses some other option than "Immediately".

It doesn't work in the event that it is set to immediately and this can be changed when "Require Face ID" is enabled from WhatsApp Settings > Account > Privacy > Screen Lock. In the event that the user wishes to sidestep the Touch ID and Face ID feature on the iPhone, they will need to open the iOS Share Sheet on any application and pick WhatsApp.


In the interim, WhatsApp issues an announcement with respect to its awareness with the issue and said that, “We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to immediately,”


A Programmer Exploits a Crazy Bug in ATMs and Withdraws Over A Million


Qin Qisheng, a 43-year-old programmer discovered and exploited a loophole in ATMs being operated by his employer Huaxia Bank to withdraw over a million.

On a report by the South China Morning Post, Qin discovered a loophole in the bank's core OS which implied that the cash withdrawals made around midnight were not being recorded. In spite of the fact that the bank knew that he had been testing the inner security framework and the cash being taken was resting in a spurious account.

In any case, so as to carry out the exploit as cryptically as possible, Qin embedded a couple of scripts in the banking system that enabled him to test the proviso without setting off the alarm about any withdrawals. Because strangely, the bug was found in 2016 and for over a year, he kept making money withdrawals.

Be that as it may, he had moved the amassed cash to his own account and invested some in the stock market this, at long last lead to his arrest.

While the court has condemned Qin to 10 and a half years in jail, the bank 'acknowledged' that he had been testing the loophole however conceded that a few exercises were not reported which was in 'violation' of the formal systems and procedures.

Bug in Google Breaking Search Result Links




Discovered by a Twitter account of the site wellness-heaven.de , there exists a bug in Google Search known to break the search results when utilizing Safari in macOS if the connection contains a plus symbol.


First observed on around September 28th, when there was critical drop in the site's activity from Safari users.For example, on the off chance that you search for a specific keyword and one of the search results contains a plus symbol, similar to https://forums.developer.apple.com/search.jspa?q=crash+app+store&view=content,
then when you tap on the connection it won't do anything.

At the point when the issue was accounted for to John Mu, a webmaster trends analyst at Google, he answered back that it was undoubtedly unusual and that he would pass on the bug report.

The BleepingComputer could affirm this bug utilizing the search results for Apple found on Safari in macOS Sierra. They have likewise reached out to Google as well for more comments in regards to this bug, however did not heard back.

This bug is likewise influencing Firefox 61.0.1 in macOS, however seems, by all accounts to be working fine with Chrome 69.


Anyway, it is recommended for the users who may have seen a plunge in traffic beginning around September 28, to check their analytics software to decide whether this is originating from Safari users being unable to click on their links.