GitHub has said a bug exposed some user passwords -- in plaintext. The code repository site, with more than 27 million users as of last year, sent an email to affected users Tuesday.
"During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system," said the email, received by some users. The email said that a handful of GitHub staff could have seen those passwords -- and that it's "unlikely" that any GitHub staff accessed the site's internal logs. "We have corrected this, but you'll need to reset your password to regain access to your account," the email added.
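The GitHub incident is the classic case of a secret reaching a log sink. The usual defensive control is to scrub credential fields from every log record before any handler formats or ships it. The example below is added here and is not GitHub's code or from the notice; the set of sensitive field names, the sample log lines and the `hunter2`/`s3cr3t` values are all constructed for the demonstration.

```python
import io
import logging
import re
from typing import Any, List

# Field names that must never reach a log sink. This set is constructed for the
# example; GitHub's notice does not say which request fields were logged.
SENSITIVE_KEYS = {"password", "new_password", "passwd", "token", "secret", "api_key"}
REDACTED = "[REDACTED]"

# key=value or key: value, with an optionally quoted key and a quoted or bare value.
_PAIR_RE = re.compile(
    r'(?P<key>"?(?:%s)"?\s*[:=]\s*)(?P<val>"[^"]*"|[^\s,&;]+)'
    % "|".join(sorted(SENSITIVE_KEYS)),
    re.IGNORECASE,
)


def redact_text(message: str) -> str:
    """Replace the value of every sensitive key=value / key: value pair in free text."""
    return _PAIR_RE.sub(lambda m: m.group("key") + REDACTED, message)


def redact_mapping(data: Any) -> Any:
    """Recursively redact sensitive keys in dict/list payloads (structured logging)."""
    if isinstance(data, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_mapping(v))
                for k, v in data.items()}
    if isinstance(data, list):
        return [redact_mapping(v) for v in data]
    if isinstance(data, str):
        return redact_text(data)
    return data


class RedactingFilter(logging.Filter):
    """Scrub secrets from a LogRecord before any handler formats or ships it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_mapping(record.msg)
        if isinstance(record.args, dict):
            record.args = redact_mapping(record.args)
        elif record.args:
            record.args = tuple(redact_mapping(a) for a in record.args)
        return True  # never drop the record, only scrub it


def log_with_redaction(lines: List[str]) -> List[str]:
    """Push constructed log lines through a redacting handler; return what the sink saw."""
    sink = io.StringIO()
    logger = logging.getLogger("redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(message)s"))
    handler.addFilter(RedactingFilter())  # on the handler, so every record it emits is scrubbed
    logger.addHandler(handler)
    for line in lines:
        logger.info(line)
    handler.flush()
    return sink.getvalue().splitlines()


if __name__ == "__main__":
    # Constructed sample lines in the shape of an authentication service's request log.
    for out in log_with_redaction([
        "POST /session user=alice password=hunter2 status=200",
        'body={"password": "s3cr3t", "remember": true}',
        "GET /repos user=bob status=200",
    ]):
        print(out)
```

Attaching the filter to the handler rather than the logger matters: logger-level filters are skipped for records that propagate from child loggers, while a handler filter sees every record the sink will write. Scrubbing at the edge is a backstop, not a substitute for never passing the raw request body to the logger in the first place.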
Malicious app developers can secretly abuse a macOS API function to take screenshots of the user's screen and then use OCR to programmatically read the text found in the image.
The function is CGWindowListCreateImage, often utilized by Mac apps that take screenshots or live stream a user's desktop. According to Fastlane Tools founder Felix Krause, any Mac app, sandboxed or not, can access this function and secretly take screenshots of the user's screen. Krause argues that miscreants can abuse this privacy loophole and utilize CGWindowListCreateImage to take screenshots of the screen without the user's permission.
The passwords of some people using sites monitored by popular analytics provider Mixpanel were mistakenly pulled into its software. Until experts’ inquiry, Mixpanel had made no public announcement about the embarrassing error beyond quietly emailing clients about the problem. Yet some need to update to a fixed Mixpanel SDK to prevent an ongoing privacy breach.
It’s unclear which clients were impacted due to confidentiality agreements, but Mixpanel lists Samsung, BMW, Intuit, US Bank and Fitbit as some of the companies it works with. “We can tell you that less than 25 percent of our customers were impacted,” the company’s spokesperson said.
Ancestry.com has confirmed that a leaky server on RootsWeb, its free community-driven genealogical website, inadvertently exposed a file containing 300,000 usernames, email addresses and passwords online.
In a statement issued over the weekend, Ancestry's chief information security officer Tony Blackham said a security researcher notified the company of the unsecured file on 20 December. Troy Hunt, security expert and creator of the data breach repository "HaveIBeenPwned.com", reported the existence of the file to Ancestry and said the data was compromised in 2015.
For the second year in a row, "123456" remained the top password among the millions of cleartext passwords exposed online thanks to data breach incidents at various providers. While having "123456" as your password is quite bad, the other terms found on a list of Top 100 Worst Passwords of 2017 are just as distressing and regretful.
Some of these include an extensive collection of sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees), car brands (Mercedes, Corvette, Ferrari, Harley), and various expressions (iloveyou, letmein, whatever, blahblah).
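The practical defence against a list like this is a denylist check at password-set time that also catches the trivial variants users reach for (capitalising the first letter, appending a year, swapping digits for letters). The checker below is an added example, not code from the report; its denylist is seeded only with the terms named above and is constructed for the demonstration, where a real deployment would load a full breached-password corpus.

```python
import re
from typing import List

# Constructed denylist seeded with the terms the list above names.
COMMON_PASSWORDS = {
    "123456", "password", "football", "baseball", "soccer", "hockey", "lakers",
    "jordan23", "golfer", "rangers", "yankees", "mercedes", "corvette", "ferrari",
    "harley", "iloveyou", "letmein", "whatever", "blahblah",
}

# Single-character substitutions people use to dress up a dictionary word.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Lower-case, strip trailing digits/punctuation, then undo common leet substitutions."""
    base = re.sub(r"[\d\W_]+$", "", candidate.lower())
    return base.translate(_LEET)


def password_problems(candidate: str, min_length: int = 12) -> List[str]:
    """Return the reasons a candidate should be rejected; an empty list means acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = candidate.lower()
    base = normalize(candidate)
    if lowered in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    elif base and base in COMMON_PASSWORDS:
        problems.append(f"is a trivial variant of common password '{base}'")
    if not base:
        problems.append("contains only digits and punctuation")
    if candidate and len(set(lowered)) <= 2:
        problems.append("uses too few distinct characters")
    return problems


if __name__ == "__main__":
    for pw in ["123456", "F00tball2017", "L3tme1n!", "correct horse battery staple"]:
        print(repr(pw), "->", password_problems(pw) or "ok")
```

Returning a list of reasons rather than a boolean lets the sign-up form tell the user why the choice was rejected, which is what gets them to pick something genuinely different instead of "Football2018".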
An Amazon AWS server believed to contain files on all of California’s registered voters was left exposed this year due to a misconfigured database, according to researchers at the Kromtech Security Center. The database was later stolen by cybercriminals demanding a ransom only payable in bitcoin.
Kromtech said that it collected samples from the database earlier this year while examining thousands of servers left publicly exposed. Each of the servers had installed a database platform known as MongoDB, which was widely misconfigured and vulnerable to attack. Kromtech discovered what appeared to be 4 GB of voter files linked to the State of California.
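The misconfiguration behind these exposed MongoDB instances is usually the same two settings: the server bound to every network interface and access control left off, so anyone who can reach the port can read and drop databases. The audit script below is an added example, not from Kromtech or the report; the two `mongod.conf` fragments are constructed, and the parser handles only the flat `section:` / `  key: value` subset that those fragments use.

```python
from typing import Dict, List, Optional

# Constructed mongod.conf fragments: the exposed shape and a hardened one.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section:' / '  key: value' subset used above.
    Assumption for this example: no lists, anchors or deeper nesting."""
    tree: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            tree[section] = {}
        elif section is not None:
            key, _, value = line.strip().partition(":")
            tree[section][key.strip()] = value.strip()
    return tree


def audit_mongod_conf(text: str) -> List[str]:
    """Return the exposure findings for a mongod.conf; empty means nothing flagged."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    findings = []
    bind_ip = net.get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp is not set; older releases listen on every interface by default")
    elif net.get("bindIpAll") == "true" or any(
            a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append("net.bindIp exposes the database on all interfaces")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: unauthenticated clients get full access")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_mongod_conf(text) or ["no findings"])
```

Binding to localhost only is the right default for a single-host deployment; where application servers sit on other hosts, bind to the private interface and keep `security.authorization: enabled`, since a bind address alone does nothing once a firewall rule or cloud security group is wrong.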
If you are running Windows 10 on your PC, then there are chances that your computer contains a pre-installed 3rd-party password manager app that lets attackers steal all your credentials remotely. Starting from Windows 10 Anniversary Update, Microsoft added a new feature called Content Delivery Manager that silently installs new "suggested apps" without asking for users’ permission.
According to a blog post published Friday on Chromium Blog, Google Project Zero researcher Tavis Ormandy said he found a pre-installed famous password manager, called "Keeper," on his freshly installed Windows 10 system which he downloaded directly from the Microsoft Developer Network.
If you're running macOS High Sierra, don't let anyone near your Apple Mac. It's possible for anyone to log in to the Mac and get the admin level of access to change passwords, get access to all data on the main account and lock the original user out.
Fortunately, there's a fix that should solve the problem, even as Apple works to patch. First, the bug. In what may go down as one of the most embarrassing vulnerabilities in Apple history, all a "hacker" needs to do is sign in as an "Other" user, type in "root" for a username and no password. Then they're in. Experts tested the vulnerability and found it wide open, allowing a change of passwords for other accounts on the Mac.
One day, your household items and accessories could become a new way to authenticate yourself online, according to researchers. Many websites and online services are now enforcing or at least offering two-factor authentication (2FA) as a way to enhance the security of your accounts.
We all know passwords are less than ideal these days, being susceptible to brute-force hacking as many of us use simple, repetitive phrases -- not to mention the flood of data leaks taking place every day -- and so other methods are now needed. Two-factor authentication utilizes a second method of verification to check someone's identity.
One of iOS' rougher edges is the popups it produces on a regular but seemingly random basis. These popups require users to enter their Apple ID before they can install or update an app or complete some other mundane task.
The prompts have grown so common most people don't think twice about them. Mobile app developer Felix Krause makes a compelling case that these popups represent a potential security hole through which attackers can steal user credentials. In a blog post published Tuesday, he showed side-by-side comparisons, pictured above, of an official popup produced by iOS and a proof-of-concept phishing popup.