Twitter Details Security Threat

Yesterday it emerged that Twitter had distributed a message to a bundle of its users asking them to change their passwords due to a potential phishing attack. Indeed, those users were forced to change their login details, and now Twitter has opened up about just why.

The word from the folks at Twitter, who updated the Twitter status blog a few hours ago with some details of the phishing attack that led to its request for users to change passwords. Indeed, it seems that Twitter has seen the culmination of a fairly long-term plan to grab user’s passwords on a large scale. The description of events from Twitter’s point of view essentially details the setting up of filesharing services, complete with security vulnerabilities and then using user’s data on those sites to gain control of their Twitter profiles.

(more…)

Advertisements

Microsoft Questions Firefox’s Security

Microsoft seems to be having a hard time lately, with government bodies in both France and Germany now having advised their relative web-based populations against the use the company’s web browser, Internet Explorer.

The criticisms of Internet Explorer from both France and Germany seem to stem from the revelation that a vulnerability in Internet Explorer was used during last week’s Chinese attack on Google, revealed during security firm McAfee’s investigation of the attack. Initially, Microsoft had responded to the criticism by pointing out that the security issue is easily solved by users changing their security settings to “High,” which should see them protected from the exploit in question.

(more…)

RIM Warns BlackBerry Users About PDFs

Research in Motion, the company behind the now practically ubiquitous BlackBerry range, has warned its users of a vulnerability discovered in its PDF software that poses a fairly pronounced security risk.

According to the folks at RIM, there are already maliciously coded PDFs floating around designed specifically to allow the viewer’s device to be controlled remotely by the source of the dodgy document. RIM’s official word on the topic has been to advise its users to download and install the relevant patch, which should shore up the various holes in RIM’s PDF viewer that allow the current exploit to run.

(more…)

Worm Hits Facebook Walls

Thanks to the fact that it stores so much of users’ personal data, Facebook has long been the source of security concerns, but now a new worm is taking advantage of Facebook’s relative openness, spreading via wall posts.

You can tell this isn't my facebook, beacuse it's not in Latin.

AVG is carrying word that the latest worm to hit Facebook isn’t really all that destructive, but is plenty inconvenient and potentially embarrassing. Essentially, the exploit takes advantage of the fact that users are logged into Facebook when they click the link in the first place, an exploit that was highlighted earlier this month by a Facebook application developer, who then said he hoped it to be fixed shortly. According to AVG’s Nick Fitzgerald’s description of the worm itself,

“The worm’s objective, of course, is that others viewing the victim’s page will click the link, and as they are logged into Facebook, the worm will propagate its link to that victim’s wall, and so on…

(more…)

First Malicious iPhone Worm Appears

Word cropped up over the weekend of a new worm hitting jailbroken iPhones, while it might not be the first iPhone worm to appear, it’s certainly one that’s more interesting for the panic-mongers out there, given the amount of activity it manages once it’s infected a device.

Those of you who keep up with iPhone news probably be aware that last week saw the arrival of the first worm for the device, which took advantage of the fact that very few users change their root password when they jailbreak and activate SSH, meaning that just anyone can effectively run code from your hardware. The first one just rickrolled your iPhoe, but the second is a significantly more devious affair.

(more…)

Slippery Flash Exploit Hits Gmail, YouTube, Flikr

Word has emerged of a new vulnerability in Adobe’s Flash that seems as though it may well be entirely unpatchable, leaving web users in a fairly untenable position securitywise.

While Flash has long been criticised as something of a security risk, a large portion of that risk normally tends to be associated with the manner in which users are expected to keep a Flash player up to date in their own browsers. In that respect, if in no other, the emergence of a Flash exploit that could well prove to be entirely unpatchable is very worrying indeed. Moreover, the list of potentially exploitable sites includes names as big as Gmail, Flikr and YouTube.

(more…)

Flash Vulnerability Endangers Facebook Data

A Facebook developer has discovered a fairly major issue in the way that both Facebook and MySpace present their apps that could lead to unscrupulous developers having access to all of a user’s data.

Word comes via TechCrunch of the Facebook developer who found the initial exploit, Yvo Schaap, immediately posted about it in his blog, and it was from there that news of the possible exploit spread. The exploit itself takes advantage of the fact that most Facebook users will have their account set to auto-sign-in, using a cookie. It only gets worse when you consider how quickly an exploit taking advantage of that automatic login could spread.

(more…)

Firefox to Warn Users of Outdated Flash

As a general rule, Firefox tends to be quite good about informing users when extensions are in need of an update, but far less capable when users are running an outdated version of Flash. That’s something Mozilla intends to sort out with the release of Firefox 3.5.3 and 3.0.14.

According to a post on the Mozilla blog, from Firefox 3.5.3 and 3.0.14 the browser will notify users that their version of Adobe’s Flash Player plugin is in need of an update and provide them with a message that gets that point across with the requisite sense of immediacy. In Mozilla’s own words,

(more…)

iPhone OS 3.0.1 Jailbroken

It’s always impressive to see how quickly the iPhone and iPod Touch communities break through new OS releases and manage to run non-Apple approved code. In this case, they’ve already managed to break this weekend’s OS 3.0.1 release.

To be a touch more accurate about the whole thing, there doesn’t appear to have been too much work involved in cracking iPhone OS 3.0.1; those applications that previously were used to crack devices running OS 3.0 (namely “redsn0w”) will still work on OS 3.0.1. If nothing else this might be seen as evidence that Apple’s latest update was released far more with actual security in mind, rather than just the security of the closed platform.

(more…)

Firefox 3.5.1 Released

We reported during the week on a critical vulnerability in the way Firefox’s 3.5 JIT (just in time) handled JavaScript. Now the Mozilla Foundation has released a new update, bringing Firefox to 3.5.1, fixing the vulnerability.

Mozilla’s definition of a “critical” vulnerability does make the whole thing sound a bit scary, “Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.“ Still, it’s always nice to get a prompt fix, especially when you consider the position this vulnerability had put Firefox users in. Given that the biggest advantage of Firefox 3.5 was its speedier browsing (250% quicker than Firefox 3.0) and since the remedy involved turning off JIT, Firefox users can be forgiven for being a little miffed about the security hole.

(more…)