Tag Archive for: Allowed

Ring security flaw could have allowed hackers to spy on your saved videos — what to do


A high-severity vulnerability in Amazon’s Ring app for Android which could have allowed hackers to spy on users’ saved camera recordings has been discovered and quickly patched by the video doorbell giant.

As reported by BleepingComputer, the vulnerability was found by security researchers at the application security testing company Checkmarx, who quickly shared their findings with Amazon.

T-Mobile Customer Alleges That ‘Inadequate’ Security Allowed Massive Data Breach in August


T-Mobile was slapped with a data breach class action Thursday in New York Western District Court over the recent cyberattack that exposed the personal information of more than 50 million individuals. The suit, filed by Thomas & Soloman LLP, is part of an onslaught of litigation accusing T-Mobile of failing to secure its customer data.

Amazon Fixes Flaw on Kindle That Could’ve Allowed Hackers Steal Billing Data


Amazon was informed about the flaw back in April.

A report notes that the Amazon Kindle e-reader could’ve been vulnerable to hacking through free e-books. Additionally, Kindle exploitation could be an easy operation for hackers to target specific audiences.

  • News18.com
  • Last Updated: August 10, 2021, 11:21 IST

Amazon Kindle remains a popular choice for e-book readers, but its popularity also opens doors for security risks. That’s exactly what security research firm Check Point demonstrated in its latest report, which notes that the Kindle e-reader could’ve been vulnerable to hacking through free e-books. The company states that a malicious book can be published and made available for free on e-libraries, including the Kindle Store, via the “self-publishing” service. These books can often reach end-users directly from the hacker in the guise of services from Amazon. If successfully installed, malware-laden e-books can expose information, billing accounts, and so on. Even stolen email IDs can pave the way for sophisticated phishing attacks.

Check Point further claims that anti-virus products do not have signatures for e-books, which essentially means these applications may not detect the malware. The company adds that it successfully uploaded the malware to highlight the vulnerability. In a release, it said that Kindle exploitation could be an easy operation for hackers to target specific audiences. This was possible by targeting books popular in a particular region. “To use a random example, if a threat actor wanted to target Romanian citizens, all they would need to do is publish some free and popular e-book in the Romanian language.” Speaking further about the possibility of a breach, the company notes that understanding Kindle’s architecture, which uses Linux code at its core, helped them successfully hack their own e-reader.

Check Point demonstrated to Amazon how an e-book could function as malware back in February, and the issue is seemingly patched. Amazon addressed the vulnerability via OTA update version 5.13.5 in April 2021. To check the version manually, from Home, select Menu > Settings. You will see the current software version at the bottom of the screen. To manually update, using a…

Lawsuit Alleges Lax Cybersecurity Allowed Pipeline Hack


(TNS) — Still reeling from a devastating Russian-based ransomware attack earlier this month, Colonial Pipeline is now the subject of a lawsuit alleging the Georgia-based company employed lax cybersecurity measures that left it vulnerable to such an attack.

The lawsuit was filed May 18 in the U.S. District Court for the Northern District of Georgia, according to Bloomberg Law. Plaintiff Ramon Dickerson said the company breached its duty to employ industry security standards, which resulted in system outages that harmed consumers by raising prices at the pump.

“As a result of the Defendant’s failure to properly secure the Colonial Pipeline’s critical infrastructure — leaving it subjected to potential ransomware attacks like the one that took place on May 7, 2021 — there have been catastrophic effects for consumers and other end-users of gasoline up and down the east coast,” Dickerson alleged.


On May 7, hackers locked up the company’s computer systems. The hackers didn’t take control of pipeline operations, but the Alpharetta-based company shut it down to prevent malware from affecting industrial control systems. President Joe Biden later said the attack was the work of Russian-based hackers, though he added the U.S. does not believe the Russian government was responsible.

Colonial Pipeline CEO Joseph Blount said he approved paying more than $4 million to the Russian-based hackers who cyber attacked his company because “it was the right thing to do for the country.”

In a May 19 interview published by The Wall Street Journal, Blount said he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyber attack had breached its systems or how long it would take to bring the pipeline back.

“I know that’s a highly controversial decision,” Blount said. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country.”

The interview was the first time Blount or the company acknowledged paying the ransom. He also said it will take months and cost the company…
