New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware on Your Device
Yet again, WhatsApp is experiencing troubles related to the security infrastructure of its messaging platform. Last month, the company quietly patched another critical vulnerability which allowed a malicious actor to compromise devices remotely.
The vulnerability, CVE-2019-11931, is a stack-based buffer overflow in the way WhatsApp parses the stream data of an MP4 file. It can be used for denial of service or for remote code execution, which in turn lets an attacker steal the chat messages and files stored in the application.
To exploit the vulnerability, an attacker crafts a malicious MP4 file and sends it to a vulnerable user; when the app processes the file, it installs a backdoor on the device without the user’s knowledge.
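As an added example (not WhatsApp’s code, whose parser is not public), the following C function walks the top-level box headers of an MP4 stream and rejects any box whose declared size does not fit the bytes actually present; the box layout is the standard ISO BMFF one, and the sample inputs are constructed here.

```c
/* Added example (not WhatsApp's code): a bounds-checked walker over the
 * top-level boxes of an MP4 / ISO-BMFF stream.  Every box starts with a
 * 4-byte big-endian size and a 4-byte type; size 1 means a 64-bit "largesize"
 * follows, size 0 means "runs to end of data".  Copying a box into a fixed
 * buffer on the strength of its declared size, without these checks, is
 * exactly how a stack-based overflow arises. */
#include <stdint.h>
#include <stdio.h>

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t be64(const uint8_t *p) { return ((uint64_t)be32(p) << 32) | be32(p + 4); }

/* Returns the number of well-formed top-level boxes, or -1 at the first
 * header whose declared size does not fit the bytes actually present. */
int count_mp4_boxes(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        size_t rem = len - off;
        if (rem < 8) return -1;                    /* truncated header */
        uint64_t size = be32(buf + off);
        size_t hdr = 8;
        if (size == 1) {                           /* 64-bit largesize form */
            if (rem < 16) return -1;
            size = be64(buf + off + 8);
            hdr = 16;
        } else if (size == 0) {
            size = rem;                            /* box extends to end */
        }
        if (size < hdr || size > rem) return -1;   /* size lies: reject it */
        off += (size_t)size;
        n++;
    }
    return n;
}

/* Constructed samples.  GOOD: a 16-byte "ftyp" box then an 8-byte "free"
 * box.  LARGE: one box using the largesize form.  BAD: the second box
 * claims 4096 bytes (0x1000) when only 8 remain. */
static const uint8_t GOOD[]  = { 0,0,0,16, 'f','t','y','p', 'i','s','o','m', 0,0,2,0,
                                 0,0,0,8,  'f','r','e','e' };
static const uint8_t LARGE[] = { 0,0,0,1, 'm','d','a','t', 0,0,0,0,0,0,0,20, 1,2,3,4 };
static const uint8_t BAD[]   = { 0,0,0,8, 'f','r','e','e', 0,0,16,0, 'm','d','a','t' };

int main(void) {
    printf("good=%d large=%d bad=%d\n", count_mp4_boxes(GOOD, sizeof GOOD),
           count_mp4_boxes(LARGE, sizeof LARGE), count_mp4_boxes(BAD, sizeof BAD));
    return 0;  /* prints good=2 large=1 bad=-1 */
}
```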
The vulnerability affects all users of WhatsApp, including Apple iOS, Android, and Microsoft Windows devices.
According to a statement by Facebook, the affected app versions include:
Android versions before 2.19.274
iOS versions before 2.19.100
Enterprise Client versions before 2.25.3
Windows Phone versions before and including 2.18.368
Business for Android versions before 2.19.104
Business for iOS versions before 2.19.100
Read more here
TSX Speculative Attack Allows Theft of Sensitive Data from Latest Intel CPUs
A new vulnerability, CVE-2019-11135, affecting the latest Intel CPUs, has been disclosed; attackers can exploit it to mount a TSX speculative attack.
Transactional Synchronization Extensions (TSX) is a feature within Intel processors that adds hardware transactional memory support. The TSX feature has been implemented within all Intel CPUs manufactured since 2013.
A local attacker or malicious code can abuse this feature to steal sensitive information from the operating system kernel. Like earlier attacks of this kind, it targets speculative execution, which the processors use to improve performance.
Researchers discovered that “aborting memory transactions may allow processes to compute the data found in other running processes, including operating system kernel data. An attacker could exploit the flaw to steal sensitive data, including passwords and encryption keys.”
You can find technical details on the Zombieload website.
Read more here
Chrome, Edge, Safari Hacked at Elite Chinese Hacking Contest
China’s top hacking competition, Tianfu Cup, is a two-day event, similar to Pwn2Own, where Chinese security researchers test zero-days against some of the most popular applications used throughout the world. On the first competition day, 32 hacking sessions were scheduled; of these, 13 were successful, seven failed, and 12 sessions were abandoned.
According to ZDNet, security researchers were successful in breaking into:
(3 successful exploits) Microsoft Edge (the old version based on the EdgeHTML engine, not the new Chromium version) [tweet]
(2) Chrome [tweet]
(1) Safari [tweet]
The organizers of the event plan to report all bugs to the respective organizations when the competition finishes.
On the second day, eight out of the 16 sessions were successful.
Successful exploits targeted:
Team360Vulcan won the competition, earning them $382,500 for hacking “Microsoft Edge, Microsoft Office 365, qemu+Ubuntu, Adobe PDF Reader, and VMWare Workstation.”
Get more information here
Two Charged Over Crypto Theft via SIM Swapping, Death Threats
Two men have been arrested and charged in the U.S. District Court in Boston with stealing high-value social media accounts, as well as hundreds of thousands of dollars worth of cryptocurrency, through death threats, hacking, and SIM swapping attacks.
The two men, Eric Meiggs and Declan Harrington, “were charged with one count of conspiracy, eight counts of wire fraud, one count of computer fraud and abuse, and one count of aggravated identity theft.”
Both defendants allegedly targeted cryptocurrency executives and other high-profile targets. They stole funds by taking over various victims’ online accounts and siphoning the cryptocurrency from their Block.io or Coinbase wallets.
According to the unsealed indictment, the defendants conducted several attacks, including:
Identifying potential victims who likely had significant amounts of cryptocurrency, for example, executives of cryptocurrency companies.
Researching potential victims using online tools.
Engaging in SIM swapping in order to take control of victims’ cell phone numbers.
Leveraging their control over victims’ cell phones to obtain unauthorized access to the victims’ online accounts, including email accounts, social media accounts, and cryptocurrency accounts.
Using their access to victims’ accounts, to take control of, and steal things of value from, the victims’ online accounts, including their account handles and their cryptocurrency.
Selling or otherwise transferring victims’ log-in credentials, account handles, and cryptocurrency to others in exchange for money or other things of value.
Using victims’ hacked online accounts to communicate with the victims’ friends and family in order to ask for money and cryptocurrency.
Communicating with co-conspirators via online social media and chat platforms.
Using multiple online accounts to hide their identities and evade detection by law enforcement.
Both Meiggs and Harrington face a maximum of 20 years in prison for wire fraud with an additional two years in prison for aggravated identity theft.
Read more here
GitHub Launches Security Lab to Boost Open-Source Security
Last week, during the GitHub Universe developer conference, GitHub announced plans to launch a global platform for reporting and fixing security vulnerabilities in open-source projects. Google, Oracle, Mozilla, Intel, Uber, VMWare, and more have already partnered up with GitHub for the Security Lab project.
GitHub states that at least 40 percent of security flaws affecting open-source code don’t receive a CVE when they’re announced. As a result, those vulnerabilities never reach the public databases that would alert users to the risk.
As an additional security measure, GitHub also offers token scanning, which spots hard-coded credentials in a variety of formats and covers 20 different cloud providers.
Read more here