Search Results for “Forbes”

September 12, 2019
Zak Doffman / Forbes

Instagram Had Security Flaw That Could Have Allowed Attackers to Access Account Details, Phone Numbers

Instagram’s parent company Facebook has confirmed and fixed a newly discovered security vulnerability that may have put data at risk, leaving users open to attack by threat actors. The vulnerability, which was discovered by an Israeli hacker who goes by the handle @ZHacker13 on Twitter, allowed an attacker to access account details and phone numbers by using a simple algorithm to brute force Instagram’s login form, checking one phone number at a time for those linked to a live Instagram account. A single instance of the algorithm enabled the harvest of more than 1,000 genuine Instagram numbers each day. Facebook confirmed that the vulnerability was genuine, that the exploit would enable a “bad actor” to connect phone numbers and user details, and that it has prompted changes to be made. The company did not, however, award him a bug bounty, claiming its internal team already knew about the issue, even though the flaw wasn’t fixed when Forbes initially contacted the company for comment.

September 3, 2019
Thomas Brewster / Forbes

Android Operating Systems of Uyghur Muslims Outside of China Were Under Heavy Watering Hole Attacks Using the Same Method Deployed to Steal Data From iPhones

Following Forbes’ report that Google and Microsoft operating systems were under assault by the same hackers who tried to steal data from the Apple iPhones of Uyghur Muslims inside China, researchers at Volexity have confirmed that Android devices belonging to the targeted Muslim communities have been under heavy attack using the same methods deployed against iPhones. Eleven different Uighur and East Turkestan websites were “strategically compromised” to deliver data-stealing attacks, with four used to target Google’s operating system, according to the researchers. They included sites for the Uighur Academy, Turkistan Press, Turkistan TV and Istiqlal Haber. The compromised websites are inaccessible within China because of the so-called Great Firewall, which blocks sites censored by the communist authorities. The researchers have reason to believe the Android hackers ceased their attacks via the Uighur sites shortly after Google’s Project Zero blog detailed the iOS attacks.

Related: Techradar, Tech Insider, TechNadu, BGR, Cult of Mac, TechSpot, MSPoweruser, Softpedia News, iMore, fossBytes, The Guardian, Boing Boing, MacRumors, eHackingNews, Slashdot, Volexity

September 13, 2019
Davey Winder / Forbes

Uber Pays Bug Bounty to Security Researcher Who Found Flaw That Could Allow Attackers to Compromise and Control Any User Account

A security vulnerability that could allow attackers to compromise and control any Uber account, track a user’s location and take rides from their account was discovered by security researcher Anand Prakash, founder of AppSecure. The flaw, which also affected Uber driver accounts and Uber Eats accounts, involved first acquiring the universally unique identifier (UUID) of any user by sending an API request that included either their telephone number or email address. Once attackers obtained the UUID, they could also gain access to private information such as the access token (mobile apps), location and address. With the tokens, hackers could gain access to accounts, request rides, obtain payment information and more. Uber fixed the flaw and paid Prakash a bounty of $6,500.

Related: Telegraph, GBHackers On Security, Cybersecurity Insiders, Economic Times, Appsecure

September 2, 2019
Zack Whittaker / TechCrunch

Malicious Websites Used to Hack Into iPhones Were Targeting Uyghur Muslims in China in Likely State-Backed Attack, Same Websites Used to Target Android and Windows Users, Sources

A number of malicious websites used to hack into iPhones over a two-year period were targeting Uyghur Muslims in China’s Xinjiang state as part of a state-backed attack, likely by China, according to sources. Google Project Zero researchers discovered the malicious websites but did not disclose who the sites were targeting. Apple fixed the vulnerabilities in February in iOS 12.1.4, days after Google privately disclosed the flaws. Separately, Forbes said the same websites targeting iPhones were also used to target Android and Windows users. The websites also infected non-Uyghurs who inadvertently accessed these domains because they were indexed in Google search, prompting the FBI to alert Google and ask for the sites to be removed from its index to prevent further infections.

Related: Forbes, Forbes, Digital Journal, USA Today, CRN, Newser, Daily Dot, 9to5Mac, MacRumors, Economic Times, Cult of Mac, TechSpot, The Guardian, MSPoweruser, Techradar, Tech Insider, fossBytes, Gizmodo, Telecompaper Headlines, TechNadu, Slashdot, The Loop, The Next Web, Engadget, AppleInsider, Softpedia

Tweets: @iblametom @HowellONeill @zackwhittaker

Forbes: Apple Just Gave 1.4 Billion Users A Reason To Quit Their iPads, iPhones
Forbes: New iPhone Hack Shock For 1 Billion Apple Users As Attacker Is Revealed
Digital Journal: iPhone flaw shows ongoing concerns with mobile devices
ABC News: Apple iPhone users exposed to spyware through tainted websites, Google researchers say
Google Says 1B Apple Users Could Be At Risk Of Hack Attacks
USA Today: Google found iPhone security flaws that allowed websites to hack iOS users ‘en masse’
CRN: iPhone hacking ‘implants’ outed by Google. Two-year campaign targeted private data.
Newser: Until Recently, Websites Were Hacking iPhones
Daily Dot: How China targeted Uyghur Muslims with iPhone-hacking websites
9to5Mac: Report: China used iPhone website exploit attacks to target Uyghur Muslims
MacRumors: China Reportedly Used iPhone Exploits to Target Uyghur Muslims
Economic Times: Apple iPhone ‘hacking’ websites found by Google also affected Android and Windows devices
Cult of Mac: iPhone security exploit allegedly used to target Uyghur Muslims
TechSpot: iPhone-hacking websites also targeted Google and Windows users
The Guardian: Uighurs in China were target of two-year iOS malware attack – reports
MSPoweruser: Along with iOS, Android and Windows users were also targeted by Chinese government
Techradar: iPhone hack also hit Windows and Android devices
Tech Insider: China may have used a recent massive iPhone hack to target Uighur Muslims
fossBytes: iPhone Hack Uncovered By Google Even Targeted Android And Windows
Gizmodo: The iPhone-Hacking Sites Google Found Apparently Went After Android and Windows Users Too
Telecompaper Headlines: Google reveals two-year-long iOS hacking operation
TechNadu: China Was Using the iPhone ‘Watering Hole’ Websites to Spy on Uyghur Muslims
Slashdot: iPhone-Monitoring Crackers Also Targeted Android and Windows, Targeted Ethnic Group in China
The Loop: Sources say China used iPhone hacks to target Uyghur Muslims
The Next Web: iPhone spyware campaign reportedly targeted Uyghur Muslims for 2 years
Engadget: Sites stealing iPhone data reportedly targeted Uyghur Muslims
AppleInsider: China believed to have used iPhone exploits to track Uyghur Muslims
Softpedia News: iPhone Hackers Going After Windows and Android Users Too

@iblametom: New - iPhone Hackers Caught By Google Also Targeted Android And Microsoft Windows, Say Sources
@HowellONeill: The hackers behind the iPhone watering hole attack also targeted Android and Windows
@zackwhittaker: New: @iblametom has confirmed that Android and Windows users were *also* targeted in the same watering hole attacks affecting iPhone users.

August 6, 2019
Thomas Brewster / Forbes

Justice Department Indicts Pakistani Man for Allegedly Paying More Than $1 Million in Bribes to AT&T Employees to Unlock More Than Two Million Phones

A Pakistani man, Muhammad Fahd, has been extradited from Hong Kong to the U.S. over allegations that he paid more than $1 million in bribes to AT&T employees over five years to unlock more than 2 million phones, according to a Justice Department indictment. Fahd and his co-conspirator Ghulam Jiwani are accused of paying as much as $420,000 to individual AT&T staff at a call center in Bothell, Washington, asking them to unlock phones tied to the AT&T network on behalf of people who were paying him to help them escape from AT&T contracts. Fahd is further accused of asking employees to install malware on AT&T computers so that he could study how the telecoms giant’s internal processes worked, and of creating malware that used AT&T employees’ passwords to get access to different computers so that he could do the unlocking himself. On top of that, Fahd is accused of paying AT&T employees to install snooping hardware, malicious routers and rogue Wi-Fi access points in the building, which again allowed further access to supposedly protected computers. He faces up to 20 years in jail. Three co-conspirators have already pleaded guilty to accepting thousands of dollars to assist in the scheme.

September 7, 2019
Thomas Brewster / Forbes

U.S. Government Seeks to Force Apple and Google to Turn Over Detailed Personal Information on at Least 10,000 Users of Gun Scope App

In an unprecedented reach for app users’ personal data, the U.S. government has filed for a court order to force Apple and Google to turn over information, including names, phone numbers and other identifying data, of at least 10,000 users of Obsidian 4, an app used to control rifle scopes made by night-vision specialist American Technologies Network Corp. The app allows gun owners to get a live stream, take video and calibrate their gun scope from an Android or iPhone device. The Immigration and Customs Enforcement (ICE) agency is seeking the information as part of a broad investigation into possible breaches of weapons export regulations. The court order application states that the requested information “will assist the government in identifying networks engaged in the unlawful export of this rifle scope through identifying end users located in countries to which export of this item is restricted.” If the government succeeds, Apple and Google will also have to turn over telephone numbers and IP addresses, which can be used to locate the app users.

Related: Cult of Mac, MacRumors, Apple Insider, MacDailyNews, Boing Boing, RT USA, CNET, Slashdot

August 6, 2019
Thomas Brewster / Forbes

Apple Plans to Give Infosec Rockstars Who Participate in Bug Bounty Program Special iPhones for Testing, Will Launch Mac Bug Bounty Program, Report

Apple reportedly plans to announce that it will give infosec rockstar security researchers who participate in its invite-only bug bounty program special iPhones that will make it easier for them to find weaknesses in the smartphone. The special iPhones will essentially be “dev devices” that allow researchers to do far more than locked-down iPhones permit, and will be “lite” versions of the phones, without the same level of openness enjoyed by Apple’s own security team. Apple also plans to announce a Mac bug bounty program so that anyone who finds security issues in macOS will be rewarded with bug bounty payments that can run as high as $200,000.

Related: TechSpot, iDownloadBlog, MacDailyNews, Trusted Reviews, Engadget, The Mac Observer, BleepingComputer.com, Softpedia News, MacRumors, Apple Insider, iPhone Hacks

TechSpot: Apple to launch macOS Bug Bounty program, will also give ‘special’ iPhones to researchers
iDownloadBlog: Apple will supply security researchers with special iPhone variants for bug hunting
MacDailyNews: Apple hands hackers secret iPhones in a bid to boost security; to offer Apple Mac bug bounty
Trusted Reviews: Apple is giving jailbroken iPhones to hackers to tighten iOS security
Engadget: Apple may soon hand special iPhones to security researchers
The Mac Observer: Apple Bug Bounty Program Coming This Month
AT&T Launches Public Bug Bounty Program on HackerOne
Softpedia News: Apple to Give Away Special iPhones to Security Researchers
MacRumors: Apple to Give Security Researchers ‘Special’ iPhones for Bug Testing, macOS Bug Bounty Program Coming
Apple Insider: Apple to reportedly provide ‘dev device’ iPhones for bug hunting, introduce Mac bounty
iPhone Hacks: Apple to Reportedly Provide Security Researchers with Jailbroken iPhones

@radian: Very excited to return to the Black Hat stage this year to talk about some world-class Apple security features! iOS code integrity and Pointer Authentication Codes, Mac secure boot with the T2 Security Chip, the crypto behind the Find My feature, and more: (link:…

August 27, 2019
Dave Winder / Forbes

Hacker Finds Yet Another Instagram Account Takeover Flaw and Snags $10,000 Bug Bounty Payment

Following his discovery earlier this summer of an Instagram vulnerability that allowed him to “hack any Instagram account without consent permission,” for which he was paid a $30,000 bug bounty, India-based hacker Laxman Muthiyah “identified insufficient protections on a recovery endpoint, allowing an attacker to generate numerous valid nonces to then attempt recovery,” Instagram owner Facebook said and awarded him another $10,000 bug bounty payment. Muthiyah discovered that the same device ID that is sent with an Instagram password recovery request could be used to request password reset codes of multiple accounts.

August 30, 2019
Thomas Brewster / Forbes

Google Boots Malicious Apps Idea Note and Beauty Fitness From Play Store Which Have Been Downloaded 1.5 Million Times

As many as 1.5 million Android users are having ads clicked for them in what appears to be shady practices by apps hosted on Google Play, according to researchers at Symantec. Made by a developer called Idea Master, the shady apps, which have now been removed from the Play Store, are Idea Note, a notepad app with more than 1 million downloads, and Beauty Fitness, a workout assistant with at least 500,000 downloads.

July 29, 2019
Thomas Brewster / Forbes

Hackers Can Bypass Limits on Visa Card Contactless Payments, Thieves Able to Drain Accounts With Single Tap, Researchers

The £30 limit (around $37) on Visa card contactless payments that applies in the UK and elsewhere can be bypassed, allowing opportunistic thieves to drain accounts with a single tap, researchers Leigh-Anne Galloway and Tim Yunusov from cybersecurity company Positive Technologies proved. On their own personal cards, the researchers made contactless payments as high as £101, though it’s possible more could be stolen. To accomplish the limit bypass, the researchers used a specialized piece of hardware to intercept and insert messages, such as one telling the reader that PIN verification is not necessary, into the communications between the card and the reader. Limits on these payments are higher in some countries, such as the U.S., where the limit is $100. Visa said it had never recorded a case of contactless fraud in which the card hadn’t been stolen, although the researchers maintain no credit card theft is necessary for the bypass to work. A hacker only needs to get close enough to the victim’s card for a short period of time to take a payment.