Category Archives: bug

Whatsapp Asks Apple Users to Beware Of the Touch ID, Face ID Feature




A recently discovered bug in the Touch ID, Face ID feature rolled out on WhatsApp is progressively turning into a grave threat to the iPhone users as it enables anyone to effortlessly sidestep the authentication systems. The support for Touch ID or Face ID to unlock the application is accessible for WhatsApp version 2.19.20 and when enabled correctly, the application requires the user to utilize the Touch ID or Face ID each time they get to access the application.

The Android users are safe, since this specific feature isn't made available for them.

A Reddit user explained in a post with respect to how simple the bypassing of the system is and how nearly anybody can do it. The method fundamentally begins to work when the user gets the choice to unlock the application either immediately or after one moment, after 15 minutes or after an hour and he/she chooses some other option than "Immediately".

It doesn't work in the event that it is set to immediately and this can be changed when "Require Face ID" is enabled from WhatsApp Settings > Account > Privacy > Screen Lock. In the event that the user wishes to sidestep the Touch ID and Face ID feature on the iPhone, they will need to open the iOS Share Sheet on any application and pick WhatsApp.


In the interim, WhatsApp issues an announcement with respect to its awareness with the issue and said that, “We are aware of the issue and a fix will be available shortly. In the meantime, we recommend that people set the screen lock option to immediately,”


Google Researchers Say Software Alone Can’t Mitigate Spectre Chip Flaws

A group of researchers say that it will be difficult to avoid Spectre bugs in the future unless CPUs are dramatically overhauled. From a report: Google researchers say that software alone is not enough to prevent the exploitation of the Spectre flaws present in a variety of CPUs. The team of researchers -- including Ross McIlroy, Jaroslav Sevcik, Tobias Tebbi, Ben L Titzer and Toon Verwaest -- work on Chrome's V8 JavaScript engine. The researchers presented their findings in a paper distributed through ArXiv and came to the conclusion that all processors that perform speculative execution will always remain susceptible to various side-channel attacks, despite mitigations that may be discovered in future.

Read more of this story at Slashdot.

Apple’s Newest Macs Seem To Have a Serious Audio Bug

An anonymous reader writes: Apple's new Mac products might have a serious audio glitch for professional users. The company's newest Mac products with its T2 security chip suffer from a software-related bug that leads to issues with audio performance. The issue seemingly affects devices with the T2 chip -- that includes the iMac Pro, Mac Mini 2018, MacBook Air 2018, and MacBook Pro 2018. Although Apple's T2 chip is designed to offer improved security, it's affecting users in the pro audio industry. As CDM reports, there is a bug in macOS that leads to dropouts and glitches in audio whenever a Mac automatically updates its system clock through the system time daemon. Users have been reporting the issue across a bunch of different pro audio forums for months, and it seems like the issue has never been acknowledged by Cupertino. The issue here is pretty simple to understand, as explained by a DJ software developer on Reddit: whenever the system time daemon automatically updates the system time, it somehow sends a 'pause-audio-engine' message to the kernel, leading to dropouts and glitches in audio.

Read more of this story at Slashdot.

Apple’s Newest Macs Seem Have To Have a Serious Audio Bug

An anonymous reader writes: Apple's new Mac products might have a serious audio glitch for professional users. The company's newest Mac products with its T2 security chip suffer from a software-related bug that leads to issues with audio performance. The issue seemingly affects devices with the T2 chip -- that includes the iMac Pro, Mac Mini 2018, MacBook Air 2018, and MacBook Pro 2018. Although Apple's T2 chip is designed to offer improved security, it's affecting users in the pro audio industry. As CDM reports, there is a bug in macOS that leads to dropouts and glitches in audio whenever a Mac automatically updates its system clock through the system time daemon. Users have been reporting the issue across a bunch of different pro audio forums for months, and it seems like the issue has never been acknowledged by Cupertino. The issue here is pretty simple to understand, as explained by a DJ software developer on Reddit: whenever the system time daemon automatically updates the system time, it somehow sends a 'pause-audio-engine' message to the kernel, leading to dropouts and glitches in audio.

Read more of this story at Slashdot.

Vulnerability In Xiaomi Electric Scooters Allows Attackers to Take Control of the Machine

Electric scooters have proved to be a convenient form of travel for some over short distances. Security researchers have highlighted

Vulnerability In Xiaomi Electric Scooters Allows Attackers to Take Control of the Machine on Latest Hacking News.

Xiaomi’s Popular Electric Scooter M365 Can Be Hacked To Speed Up or Stop

The fleets of electric scooters that have inundated cities are alarming enough as is. Now add cybersercurity concerns to the list: Researchers from the mobile security firm Zimperium are warning that Xiaomi's popular M365 scooter model has a worrying bug. From a report: The flaw could allow an attacker to remotely take over any of the scooters to control crucial things like, ahem, acceleration and braking. Rani Idan, Zimperium's director of software research, says he found and was able to exploit the flaw within hours of assessing the M365's security. His analysis found that the scooters contain three software components: battery management, firmware that coordinates between hardware and software, and a Bluetooth module that lets users communicate with their scooter via a smartphone app. The latter leaves the devices woefully exposed. Idan quickly found that he could connect to the scooter via Bluetooth without being asked to enter a password or otherwise authenticate. From there, he could go a step further and install firmware on the scooter without the system checking that this new software was an official, trusted Xiaomi update. This means that an attacker could easily put malware on a scooter, giving herself full command over it. "I was able to control any of the scooter features without authentication and install malicious firmware," Idan says. "An attacker could brake suddenly, or accelerate a person into traffic, or whatever the worst case scenario you can imagine."

Read more of this story at Slashdot.

A Programmer Exploits a Crazy Bug in ATMs and Withdraws Over A Million


Qin Qisheng, a 43-year-old programmer discovered and exploited a loophole in ATMs being operated by his employer Huaxia Bank to withdraw over a million.

On a report by the South China Morning Post, Qin discovered a loophole in the bank's core OS which implied that the cash withdrawals made around midnight were not being recorded. In spite of the fact that the bank knew that he had been testing the inner security framework and the cash being taken was resting in a spurious account.

In any case, so as to carry out the exploit as cryptically as possible, Qin embedded a couple of scripts in the banking system that enabled him to test the proviso without setting off the alarm about any withdrawals. Because strangely, the bug was found in 2016 and for over a year, he kept making money withdrawals.

Be that as it may, he had moved the amassed cash to his own account and invested some in the stock market this, at long last lead to his arrest.

While the court has condemned Qin to 10 and a half years in jail, the bank 'acknowledged' that he had been testing the loophole however conceded that a few exercises were not reported which was in 'violation' of the formal systems and procedures.

Insects Could Vanish Within a Century At Current Rate of Decline, Says Global Review

An anonymous reader quotes a report from The Guardian: The world's insects are hurtling down the path to extinction, threatening a "catastrophic collapse of nature's ecosystems," according to the first global scientific review. More than 40% of insect species are declining and a third are endangered, the analysis found. The rate of extinction is eight times faster than that of mammals, birds and reptiles. The total mass of insects is falling by a precipitous 2.5% a year, according to the best data available, suggesting they could vanish within a century. The planet is at the start of a sixth mass extinction in its history, with huge losses already reported in larger animals that are easier to study. But insects are by far the most varied and abundant animals, outweighing humanity by 17 times. They are "essential" for the proper functioning of all ecosystems, the researchers say, as food for other creatures, pollinators and recyclers of nutrients. Insect population collapses have recently been reported in Germany and Puerto Rico, but the review strongly indicates the crisis is global. The researchers set out their conclusions in unusually forceful terms for a peer-reviewed scientific paper: "The [insect] trends confirm that the sixth major extinction event is profoundly impacting [on] life forms on our planet. The analysis, published in the journal Biological Conservation, says intensive agriculture is the main driver of the declines, particularly the heavy use of pesticides. Urbanization and climate change are also significant factors. "One of the biggest impacts of insect loss is on the many birds, reptiles, amphibians and fish that eat insects," the study says, noting a recent study in Puerto Rico where there was a 98% fall in ground insects over 35 years. Butterflies and moths are among the worst hit.

Read more of this story at Slashdot.

Apple Security updates released for Facetime bugs

A recently reported bug in Facetime, caused privacy concerns last month as individuals were able to eavesdrop on users.  The

Apple Security updates released for Facetime bugs on Latest Hacking News.

Hackers can hack an Android smartphone just by looking at a PNG image

Vulnerability in PNG file can allow hackers to hack Android smartphones

Beware, while opening a harmless-looking image downloaded from the internet, emails, social media apps, or messaging apps, as it could compromise your smartphone.

Google has discovered three new critical vulnerabilities that allow hackers to hack an Android smartphone just by looking at a PNG image. This bug has affected millions of devices that run on Android OS versions, ranging from Nougat 7.0 to its current Android 9.0 Pie.

The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, were, however, patched in Android Open Source Project (ASOP) by Google as part of their Android Security Updates for February 2019.

According to Google’s Android Security Bulletin, the vulnerability that allows “a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” is the most severe vulnerability.

This means that if a hacker successfully manages to deceive a user to open or download an image from any webpage, or received through an instant messaging service, or as an attachment in an email, he or she can get access to your smartphone.

Besides the three flaws, Google also included fixes for 42 vulnerabilities in the Android OS in total in its 2019 February update, of which 11 are considered as critical, 30 high impact and one medium-gravity.

Google has said that it has no reports of anyone exploiting the vulnerabilities listed in its February security bulletin against real users or in the wild. The search giant also said that it has alerted its Android partners of all vulnerabilities a month before publication, adding that “source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours.”

Unfortunately, it is unknown when third-party handset manufacturers will roll out the security updates on their phones, as many of them take weeks, if not months, to do roll them out. This means your Android handset is still not protected even after receiving the 2019 February update. It is suggested that one should patch their Android smartphone as soon as a security update available from the handset manufacturer.

The post Hackers can hack an Android smartphone just by looking at a PNG image appeared first on TechWorm.

Teenager Who Found FaceTime Bug Will Be Eligible For Bug Bounty Program

Grant Thompson, the teenager that reported the FaceTime bug last week, will be eligible for the Apple bug bounty program. "Apple's bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS," reports 9to5Mac. "It appears the company is making an exception here given the embarrassingly public nature of the case, although further details about the reward have yet to be discussed." From the report: The FaceTime bug that made waves as result of 9to5Mac's coverage last week was actually first reported to Apple by Grant Thompson and his mother in Arizona a week earlier. However, deficiencies in the Apple bug reporting process meant that the report was not acted upon by the company. Instead, the teenager made headlines when his mother shared their Apple communications on Twitter. Their claims were later proved to be legitimate. Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple's product or engineering teams were aware of the problem until its viral explosion a week later. CNBC reports that an unnamed "high-level Apple executive" met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.

Read more of this story at Slashdot.

Apple Says It Will Fix The FaceTime Bug That Allows You To Access Someone’s iPhone Camera And Microphone Before They Pick Up

Apple said Friday morning that it had a fix for a bug discovered in Apple's video and audio chat service FaceTime this week, which had allowed callers to access the microphone and front-facing video camera of the person they were calling, even if that person hadn't picked up. The security issue is fixed on its servers, the company said, but the iPhone software update to re-enable the feature for users won't be rolled out until next week. From a report: "We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week," Apple said in an emailed statement to BuzzFeed News. "We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone's patience as we complete this process."

Read more of this story at Slashdot.

Lawyer Sues Apple Over FaceTime Eavesdrop Bug, Says It Let Someone Record a Sworn Testimony

A lawyer in Houston has filed a lawsuit against Apple over a security vulnerability that let people eavesdrop on iPhones using FaceTime. "His lawsuit, filed Monday in Harris County, Texas, alleges that Apple 'failed to exercise reasonable care' and that Apple 'knew, or should have known, that its Product would cause unsolicited privacy breaches and eavesdropping,'" reports CNBC. "It alleged Apple did not adequately test its software and that Apple was 'aware there was a high probability at least some consumers would suffer harm.'" From the report: The suit says that Williams was "undergoing a private deposition with a client when this defective product breached allowed for the recording" of the conversation. Williams claimed this caused "sustained permanent and continuous injuries, pain and suffering and emotional trauma that will continue into the future" and that Williams "lost ability to earn a living and will continued to be so in the future." The lawsuit also says that iOS 12.1, the latest major release of the iPhone operating system, was defective and "unreasonable dangerous" and that Apple "failed to provide adequate warnings to avoid the substantial danger" posed by the security flaw. Williams is seeking compensatory and punitive damages as a result of the exploit.

Read more of this story at Slashdot.

Apple Was Notified About Major FaceTime Eavesdropping Bug Over a Week Ago

An anonymous reader writes: Twitter user MGT7500 tagged the official Apple Support account in a January 20 tweet claiming that her 14-year-old son discovered a "major security flaw" that allowed him to "listen in to your iPhone/iPad without your approval." The user also tagged Tim Cook on the issue in a follow-up tweet on January 21." Once the bug started making headlines on Monday, the Twitter user then shared additional tweets claiming that they had also emailed Apple's product security team over a week ago. A screenshot of the email was shared, and it appears the team did respond, but what they said is not visible in the screenshot. [...] All in all, there is evidence that Apple Support was tagged about an eavesdropping bug eight days before it made headlines, and if the rest of the tweets are truthful, the company was also alerted about the bug via several other avenues. The original story has been updated to include another example of a user -- John Meyer -- who has shared a video about the FaceTime bug that he says was recorded and sent to Apple on January 23.

Read more of this story at Slashdot.

Apple’s FaceTime privacy bug allowed possible spying

Social media caught fire yesterday as the news of a new Apple bug spread. It seemed that there was a flaw in FaceTime that allowed you to place a call to someone, but listen in on their microphone if they didn’t pick up. Worse, as the news spread, it turned out that there was also a way to capture video from the camera on the target device, and that this issue was affecting not just iPhones and iPads, but Macs as well.

The result was a chorus of voices all saying the same thing: turn off FaceTime. The good news, though, if you’re just tuning in now, is that this is completely unnecessary, as Apple has disabled the service that allowed this bug to work.

How did the bug work?

The bug relied entirely on a feature of iOS 12.1 and macOS 10.14.1 called Group FaceTime. If you are using an older version of iOS or macOS, you have nothing to fear.

The bug involved doing something a bit unusual with Group FaceTime. First, you would have to place a FaceTime call to your intended victim. Next, while the call is still ringing, you would need to bring up the Add Person screen and add yourself to the call. Doing this would invoke Group FaceTime, and the microphone of the intended target would be activated, even if they didn’t answer.

Capturing video from the target phone’s camera required one of two known techniques. One would be to hope that the recipient pressed the power button on the phone to “decline” the call, in which case the camera would turn on as well. (Of course, if they pressed it twice, as some have become accustomed to doing on iPhones in these days of scam calls, that would cut the video off again. But you’d still see a flash of video.)

Alternately, you could apparently join the call from another device, which would also turn on the recipient’s camera. (Although I was able to test and verify everything else, I didn’t know about this trick until after Apple disabled Group FaceTime, so I can’t verify this one from personal experience.)

What were the dangers?

To make this work, you would need to rely on the target not answering, which could potentially be orchestrated if the target’s activities were known and it was likely that he or she would both be disinclined to answer at the time of the call, and be doing or saying something of interest. (I think we can all think of at least one such activity!)

Fortunately, this did pretty much rule out generalized surveillance, though nonetheless, there were some valiant efforts (most likely pranks) in the brief time the bug was known.

This also didn’t open up an open-ended wiretap. FaceTime rings for a while, but not forever. At most, you might get about a minute or so of spying. It’s also not the stealthiest of attacks, since you’d literally be announcing yourself in the process.

All this means that the risks were fairly low for anything beyond a prank. I personally did not feel it necessary to turn off FaceTime on my devices. Once I was aware, I could have simply covered the camera and ended the call—or had a little fun with the caller by playing Rick Astley into the phone’s mic!

How was this resolved?

Apple temporarily solved the problem by disabling Group FaceTime on their servers. This means that you can no longer add people to a FaceTime call, so the bug currently cannot be triggered. Apple will undoubtedly release iOS and macOS updates with a fix for this bug.

It’s unknown how soon Apple will re-enable Group FaceTime after that update is released, so if you’re on iOS 12.1 or macOS 10.14.1, it will be of great importance to install the next update in a timely fashion! You don’t want to be caught with your pants down (possibly literally) on a vulnerable system after the Group FaceTime switch is turned back on.

How did this happen?

Apple has had an unusually large number of high-profile and embarrassing bugs of late, which has led many people to ask what has happened to Apple’s quality assurance process. This bug is no exception.

Worse, it appears that at least one person knew about the bug almost two weeks before the news broke, and had been trying to alert Apple.

It’s unknown at this point exactly which points of contact for Apple this person was using, so it’s entirely possible that the right people at Apple didn’t learn about it until they saw it on the news. Since Apple didn’t disable Group FaceTime until after the news broke, I would hope that this is the case. It would be far more concerning if the right people at Apple knew about the bug, but didn’t make the call to disable Group FaceTime.

What’s the takeaway?

Bottom line, at this point, there’s absolutely no reason to panic or to turn off FaceTime. If you turned off FaceTime, and you want to turn it back on, it’s safe to do so, as long as you don’t delay installing the next update. There’s no indication that FaceTime can be abused without having Group FaceTime available.

There will be some who cite this as a reason to delay installing system updates. They will say that you should wait and let others work out the bugs. However, this is questionable advice. If you stay on an old version of iOS or macOS, you are using a system that has known security issues. That’s a far riskier proposition than updating to a newer version of the system where there aren’t (yet) any known security issues. From a security perspective, you should always install updates in a timely fashion.

The post Apple’s FaceTime privacy bug allowed possible spying appeared first on Malwarebytes Labs.

FaceTime bug exposes live audio & video before recipient picks call

By Waqas

FaceTime bug is exposing calls and videos – Here’s how to disable FaceTime until this issue is fixed. According to reports, there is a major bug in iPhone FaceTime’s video calling function that lets users hear audio from the call even before the recipient has accepted the video call. Moreover, the flaw also lets people see […]

This is a post from HackRead.com Read the original post: FaceTime bug exposes live audio & video before recipient picks call

Major Apple Security Bug Lets You Spy on Your Buddies

Earlier today Apple users from all over the world, including US citizens and permanent residents, realized that they could spy on each other by taking advantage of a FaceTime exploit that allows eavesdropping. First reported by 9 to 5 Mac, the bug in Apple’s videotelephony app allowed users without any technical skills to eavesdrop on virtually anyone in the world who uses FaceTime. By simply making a FaceTime video call users were able to listen through the callee’s device, even if the call recipient was not picking up. All users had to do was to create a “group call” by adding themselves to a standard two-way video call. The self-addition was tricking the system into thinking that all participants have picked up the phone. This ended up resulting in eavesdropping on the callee’s device. Here’s a video that shows the exploit in action:

What made the bug even worse was the fact that the caller was able to see a video stream directly from the recipient’s device should the recipient hit the power button to “reject” the video call. In response to the major privacy breach, Apple decided to turn off the group FaceTime feature, until they figure out how to get it fixed.

The FaceTime bug is currently one of the trending stories on all social media platforms. Dozens of users have already uploaded videos replicating the exploit. Some users even reported that they have managed to reproduce the FaceTime bug with an iPhone calling a Mac.

After the bug was discovered Apple issued a statement acknowledging it and stated that they plan to issue a fix later this week. New York City governor Andrew Cuomo called the FaceTime bug an “egregious breach of privacy that puts New Yorkers at risk.” Governor Cuomo added that he is “deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes.” It is currently unknown for long has the exploit been active.

The bug comes only weeks after Apple started using the following slogan “What happens on your iPhone, stays in on your iPhone.”, a wordplay from the famous Las Vegas slogan “What happens in Vegas, stays in Vegas.” Coincidently, the bug was also discovered on the national Data Privacy Day.  Unaware of the exploit, and hours after the bug was discovered, Apple’s CEO Tim Cook tweeted that people “must keep fighting for the kind of world we want to live in. On this #DataPrivacyDay let us all insist on action and reform for vital privacy protections. The dangers are real, and the consequences are too important.”

What has Apple done to stop the bug?

Apple managed to anger the crowds by stating that they will patch the bug “later this week” but failed to take any immediate action to prevent people from spying on each other. However, hours after they realized the seriousness of the issue, they completely turned off the group FaceTime feature on all Apple devices and issued an update to patch the exploit. The group FaceTime feature is still temporarily unavailable.

What should you do?

First and foremost, you can delete the FaceTime app from your iPhone or Mac and reinstall it after Apple confirms that the issue has been officially fixed. If you do not wish to remove the app, you can disable the app through the settings of your iPhone or Mac.

This is a yet another great example why keeping your OS fully up-to-date is vital. Apple just issued a patch that fixes the exploit so if you are an Apple user, now is a good time to go and update your OS if you haven’t done so already.

Last but not least, install antivirus software on all your connected devices. Having another layer of protection on all your Apple products will prevent hackers from obtaining any missing pieces they may need from you to commit cybercrimes.

The post Major Apple Security Bug Lets You Spy on Your Buddies appeared first on Panda Security Mediacenter.

Do Debian APT and PHP Pear Patches Highlight Vulnerability In Package Management Infrastructure?

"Time and again, security experts and vendors alike will recommend to organizations and end users to keep software and systems updated with the latest patches," reports eWeek. "But what happens when the application infrastructure that is supposed to deliver those patches itself is at risk?" That's what open-source and Linux users were faced with this past week with a pair of projects reporting vulnerabilities. On January 22, the Debian Linux distribution reported a vulnerability in its APT package manager that is used by end users and organizations to get application updates. That disclosure was followed a day later, on January 23, with the PHP PEAR (PHP Extension and Application Repository) shutting down its primary website, warning that it was the victim of a data breach. PHP PEAR is a package manager that is included with many Linux distributions as part of the open-source PHP programming language binaries.... In the Debian APT case, a security researcher found a flaw, reported it, and the open-source project community responded rapidly, fixing the issue. With PHP PEAR issue, researchers with the Paranoids FIRE (Forensics, Incident Response and Engineering) Team reported that they discovered a tainted file on the primary PEAR website... Both PHP PEAR and Debian have issued updates fixing their respective issues. While both projects are undoubtably redoubling their efforts now with different security technologies and techniques, the simple fact is that the two issues highlight a risk with users trusting updating tools and package management systems.

Read more of this story at Slashdot.

LinkedIn Says Glitch, Not FSB, to Blame for Russian Job Postings

LinkedIn Wednesday blamed an issue with its job ingestion tool–not Russian hackers or an online scam–as the reason the business social network was erroneously posting jobs located in Russia for a number of U.S.-based companies. The custom software tool that pulls in jobs from third-party websites onto LinkedIn’s site failed to...

Read the whole entry... »

Related Stories

Twitter bug exposed private tweets of Android users to public for years

By Carolina

A security bug in Twitter exposed private tweets of users to the public. The flaw only affected Android users of the Twitter app while iPhone users were not affected. According to Twitter, private tweets of users from November 3, 2014, to January 14, 2019, were exposed. Although the company did not say how many people were affected […]

This is a post from HackRead.com Read the original post: Twitter bug exposed private tweets of Android users to public for years