GitHub has said a bug exposed some user passwords -- in plaintext. The code repository site, with more than 27 million users as of last year, sent an email to affected users Tuesday.
"During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system," said the email, received by some users. The email said that a handful of GitHub staff could have seen those passwords -- and that it's "unlikely" that any GitHub staff accessed the site's internal logs. "We have corrected this, but you'll need to reset your password to regain access to your account," the email added.
Twitter Inc. sold data access to the Cambridge University academic who also obtained millions of Facebook Inc. users’ information that was later passed to a political consulting firm without the users’ consent.
Aleksandr Kogan, who created a personality quiz on Facebook to harvest information later used by Cambridge Analytica, established his own commercial enterprise, Global Science Research (GSR). That firm was granted access to large-scale public Twitter data, covering months of posts, for one day in 2015, according to Twitter. “In 2015, GSR did have one-time API access to a random sample of public tweets from a five-month period from December 2014 to April 2015,” Twitter said.
At midnight ET last night, MyEtherWallet users started noticing something odd. Connecting to the service, users were presented with an SSL certificate their browsers did not trust, breaking the chain of verification that ties the site to its domain. It was unusual, but it's the kind of warning web users routinely click through without thinking.
But anyone who clicked through this certificate warning was redirected to a server in Russia, which proceeded to empty their wallet. Judging by wallet activity, the attackers appear to have taken at least $13,000 in Ethereum during the two hours before the attack was shut down. The attackers' wallet already contains more than $17 million in Ethereum. MyEtherWallet confirmed the attack in a statement on Reddit.
A researcher with AdGuard discovered five fake ad-blocking extensions in the Chrome Web Store that used hidden scripts to manipulate users’ browsers. The good news is, after AdGuard published the report, the Chrome team removed all five of the extensions from its store.
Unfortunately, AdGuard’s Andrey Meshkov reports that the extensions he discovered had more than 20 million users. Posing as ad blockers, the malicious extensions simply copied code from real ad blockers and then added to them. “All the extensions I’ve highlighted are simple rip-offs with a few lines of code and some analytics code added by the ‘authors,’” Meshkov wrote.
Google has long struggled with how best to get dozens of Android smartphone manufacturers—and hundreds of carriers—to regularly push out security-focused software updates.
But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle: Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone's firmware is fully up to date, even while they've secretly skipped patches.
Apple Inc. warned employees to stop leaking internal information on future plans and raised the specter of potential legal action and criminal charges, one of the most-aggressive moves by the world’s largest technology company to control information about its activities.
The Cupertino, California-based company said in a lengthy memo posted to its internal blog that it "caught 29 leakers" last year and noted that 12 of those were arrested. "These people not only lose their jobs, they can face extreme difficulty finding employment elsewhere," Apple added. The company declined to comment on Friday.
Kryptos Logic, the cyber-security firm running the main WannaCry sinkhole, announced today plans to allow organizations access to some of the WannaCry sinkhole data.
The security firm cites recurring WannaCry ransomware infections that are still taking place at various companies, even eleven months after the first WannaCry outbreak in May 2017. For example, Boeing, Connecticut state agencies, Honda, and Victoria state police suffered WannaCry infections long after Kryptos Logic researcher Marcus "MalwareTech" Hutchins registered the WannaCry killswitch domain, effectively stopping the global outbreak on May 12, last year.
Vevo’s YouTube account appears to have fallen victim to hackers today, as a number of high-profile music videos have been defaced. The most-viewed YouTube video of all time, Luis Fonsi and Daddy Yankee’s “Despacito,” disappeared from YouTube briefly after being defaced by hackers.
The video’s image was altered and replaced with a masked gang holding guns (from the Netflix show La Casa de Papel), and the description was changed by hackers calling themselves Prosox and Kuroi’sh. Lots of other popular music videos have also been defaced.
Facebook CEO Mark Zuckerberg rejected Apple CEO Tim Cook’s critique of his company’s business model, which Cook characterized as a scheme to monetize customers, calling it “glib” and “not at all aligned with the truth.”
“I think it’s important that we don’t all get Stockholm syndrome and let the companies that work hard to charge you more convince you that they actually care more about you,” Zuckerberg told Vox co-founder Ezra Klein on his podcast. “Because that sounds ridiculous to me.” In the interview with Klein, Zuckerberg rejected Cook’s assessment that Apple has a sounder business model.
Like most electronic stuff, robots are not immune to cybercriminals. Last year, researchers at IOActive detected as many as 50 vulnerabilities in robots developed by the Japanese firm SoftBank. They informed the manufacturer but never heard back. So this year at the Security Analyst Summit 2018, they decided to demonstrate what can happen.
Robots are all around us, toiling away in factories and warehouses, busting a gut in landfills, and even working in hospitals. For its part, SoftBank Robotics supplies electronic helpers to work with people. The NAO model introduces school kids and students to programming and robotics, and it also teaches children with autism.