Security researchers have uncovered 89 malicious Google Chrome extensions on the official Chrome store that can inject ads, code to secretly mine cryptocurrency, and load a tool to record and replay a person's browsing activities. This collection of extensions affected over 423,000 users and was used to form a new botnet called "Droidclub."
In November 2017, Princeton's Center for Information Technology highlighted the use of legitimate session-replay scripts on popular, high-traffic websites by third-party analytics firms. These scripts record and replay a user's visit to a website, allowing the site owner to see exactly what the user saw.
Similar to Uber’s “God View” scandal, Lyft staffers have been abusing customer insight software to view the personal contact info and ride history of the startup’s passengers.
One source who formerly worked with Lyft says that widespread access to the company's backend let staffers "see pretty much everything including feedback, and yes, pick up and drop off coordinates." When asked if staffers, ranging from core team members to customer service reps, abused this privilege, the source said "Hell yes. I definitely looked at my friends' rider history and looked at what drivers said about them. I never got in trouble."
In 2018, you'd be forgiven for assuming that any sensitive app encrypts its connection from your phone to the cloud, so that the stranger two tables away at the coffee shop can't pull your secrets off the local Wi-Fi. That goes double for apps as personal as online dating services.
But if you assumed that basic privacy protection was in place for the world's most popular dating app, you'd be mistaken: as one application security company has found, Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops.
Sega has said it is looking into claims that a trio of its Sonic games for Android are leaking personal data.
Security company Pradeo said late last week that it had discovered the Android games -- Sonic Dash, Sonic the Hedgehog Classic, and Sonic Dash 2: Sonic Boom -- were leaking user location data and device info. Based on the download ranges offered by the Play Store, collectively the leaks could impact between 120 million and 600 million users. Among the tracking and advertising issues, the security firm also said it found two issues that could result in man-in-the-middle attacks, and a bagful of others that could potentially lead to encryption weakness and denial of service.
Researchers have identified a powerful new Android malware strain called Skygofree capable of eavesdropping on WhatsApp messages, siphoning private data off phones and allowing adversaries to open reverse shell modules on targeted devices, giving attackers ultimate remote control.
Researchers said the malware was developed three years ago and has evolved significantly since then to include 48 unique commands in its most recent iteration. Several of those features have never been seen before in Android malware, according to researchers at Kaspersky Lab, who discovered the Skygofree strain last year and disclosed their findings Tuesday.
There’s more misery ahead for Huawei, which just saw AT&T pull out of a deal to carry its first smartphone, and fellow Chinese tech firm ZTE.
The duo are well known for their growing smartphone businesses worldwide, but it is their more established telecom networking and equipment units that are again under fire in Washington. A new bill introduced to Congress proposes a ban preventing branches of the U.S. government from working with service providers that use any equipment from either company for security reasons. The bill is sponsored by Texas-based Republican Michael Conaway, who is leading the investigation into Russia's alleged election interference.
In 2013, Edward Snowden revealed that the National Security Agency was legally collecting millions of Americans’ phone calls and electronic communications—including emails, Facebook messages, and browsing histories—without a warrant.
Congress has now decided not only to reauthorize these programs, but also to expand some of their most invasive techniques. The spying initiatives Snowden brought to light are authorized under Section 702 of the 2008 FISA Amendments Act, which was set to expire later this month. On Thursday, Congress voted down an effort to reform Section 702, and instead passed a bill that expanded warrantless surveillance.
Early last year, a piece of Mac malware came to light that left researchers puzzled. They knew that malware dubbed Fruitfly captured screenshots and webcam images, and they knew it had been installed on hundreds of computers in the US and elsewhere, possibly for more than a decade.
Still, the researchers didn't know who did it or why. An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed.
If you happen to have an old Android device lying around and a reason to worry about people messing with your business, Edward Snowden has an app for that.
Haven is an open-source project that Snowden developed in conjunction with Freedom of the Press Foundation and Guardian Project. You can find directions and links for downloading and installing it on the latter organization's Github page. This isn't your typical security app. Haven doesn't lock down a single device or prevent tampering; instead, it repurposes an Android device — an old, unused one, preferably — and, using an assortment of built-in sensors, turns it into a multi-functional security gadget.
Moscow-based security software maker Kaspersky Lab said on Monday it has asked a U.S. federal court to overturn a Trump administration ban on use of its products in government networks, saying the move deprived the company of due process.
The Department of Homeland Security (DHS) in September issued a directive ordering civilian government agencies to remove Kaspersky software from their networks within 90 days. It came amid mounting concern among U.S. officials that the software could enable Russian espionage and threaten national security.