Google discloses a Man-in-the-Disk attack on the Fortnite Android app

A Man-in-the-Disk attack can occur when an Android app stores files on the mobile device’s external storage, which is shared by all apps. A malicious app could tamper with files stored on the external storage.

In this case, the Fortnite app installer stored the install file on external storage and then ran that install file. Another app already installed on the device can observe that, replace the file with its own, and cause any code to run.

Epic Games has released a fix.

Read more about it here.
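The mitigation for this class of bug, as an added example that is not Epic's or Google's code: copy the download into a directory only the app can write, verify that private copy against a known digest, and run only that copy. The sketch simulates Android's shared and private storage with ordinary directories; the function names, file names and the trusted source of the expected SHA-256 are assumptions.

```python
import hashlib
import hmac
import os
import shutil
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_and_verify(shared_path, private_dir, expected_sha256):
    """Copy a package out of shared storage, verify the private copy.

    Returns the private path that is safe to run, or None on mismatch."""
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    os.chmod(private_dir, 0o700)  # only this user (app) may write here
    staged = os.path.join(private_dir, "package.bin")
    shutil.copyfile(shared_path, staged)
    os.chmod(staged, 0o600)
    # Hash the private copy, never the shared file: whatever happens to
    # shared storage afterwards cannot change the bytes that were checked.
    if hmac.compare_digest(sha256_file(staged), expected_sha256):
        return staged
    os.remove(staged)
    return None


def demo():
    """Constructed scenario: one clean download, then a tampered one."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "shared", "update.bin")
    os.makedirs(os.path.dirname(shared))
    original = b"constructed package bytes v1"
    expected = hashlib.sha256(original).hexdigest()  # assumed trusted
    with open(shared, "wb") as f:
        f.write(original)
    staged = stage_and_verify(shared, os.path.join(root, "priv1"), expected)
    with open(shared, "wb") as f:  # shared file rewritten after staging
        f.write(b"constructed replacement bytes")
    still_good = staged is not None and sha256_file(staged) == expected
    rejected = stage_and_verify(shared, os.path.join(root, "priv2"), expected)
    shutil.rmtree(root)
    return still_good, rejected is None
```

On Android the simpler fix is to download straight into the app's internal storage so the file never sits in a location other apps can write.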

T-Mobile data breach exposed personal information of 2 million customers

T-Mobile announced on August 24 that on August 20, 2018, hackers gained unauthorized access to certain information on its servers. The information included customers’ names, billing zip codes, phone numbers, email addresses, account numbers, and account types (prepaid or postpaid). The incident affected more than 2 million customers, or 3 percent of its 77 million customers.

The hackers were able to exploit an internal API (application programming interface) on its servers that handled personal information. Luckily, the API doesn’t provide financial data or sensitive information.

Affected customers have been contacted by T-Mobile.

Read more about it here and here.

WhatsApp vulnerabilities allow attackers to spread fake news via group chats

Check Point Research discovered multiple vulnerabilities in the most popular messaging app in the world, WhatsApp, allowing attackers to alter the content of messages sent in both private and group chats.

The flaws allow attackers to abuse the “quote” feature in a WhatsApp group conversation to alter the identity of the sender, to alter the content of a member’s reply to a group chat, or to send private messages to one of the group members disguised as a group message.

Check Point was able to discover these flaws by decrypting the communications between the mobile and desktop version of WhatsApp.

The security experts pointed out that the flaws could not be exploited to access the content of end-to-end encrypted messages, because in order to exploit them, the attackers must already be part of group chats.

Read more about it here.

No breach in a year – how Google did it

Google stated that it hasn’t had any account takeover among its 85,000 employees for more than a year.

How did they do it? They deployed a physical security key – a $20 USB gadget. Google employees who wish to log in need to provide their username and password and insert this USB device into their workstation. This is an example of two-factor authentication. The idea behind two-factor authentication is that even if thieves were able to phish your password, they still wouldn’t be able to log in to your account unless they also hack or possess the second factor – the USB key device in this case.

Job well done, Google!

Read more about it here.

Credit card issuer TCM Bank exposed applicant data for 16 months

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months

TCM Bank, a subsidiary of ICBA Bancard, issues credit cards for more than 750 small and community U.S. banks that prefer not to issue cards themselves. TCM announced that a web site misconfiguration exposed applicant data for 16 months, between early March 2017 and mid-July 2018. Exposed data includes names, addresses, dates of birth and Social Security numbers.

The number of affected customers was less than 10,000, which is less than 25% of the applications processed during that time period, and less than 1% of the TCM cardholder base.

The breach was reportedly discovered on July 16, 2018, then fixed the following day.

Read more about it here.