Tag Archive for: Google

WhatsApp Ensures Secure Android Google Drive Backups


WhatsApp, an immensely popular messaging application available on Android devices, has taken significant measures to enhance security and privacy for its users. As part of this initiative, WhatsApp has introduced end-to-end encryption for its Google Drive backups on Android, ensuring that users’ data remains protected and inaccessible to unauthorized individuals.

Enhanced Security Measures

With the implementation of end-to-end encryption for Google Drive backups, WhatsApp aims to provide its users with an additional layer of security. This encryption ensures that the content of the backups, including text messages, photos, and videos, is securely stored and can only be accessed by the authorized user. Even WhatsApp itself cannot decrypt the data, providing peace of mind to users concerned about their privacy.

Furthermore, this encryption applies to both the backup file stored on Google Drive and the transfer of data during the backup process, furthering the protection of users’ personal information.

Seamless user experience

WhatsApp has taken great care to ensure that implementing end-to-end encryption for Google Drive backups does not compromise the user experience. Backing up and restoring data remains a seamless process with minimal user interference, allowing users to continue enjoying the convenience and accessibility of their backups whilst knowing that their data is being protected.

The encryption does not inhibit users from efficiently navigating, searching, or accessing their backups, ensuring the preservation of their individual preferences and prior usage patterns.

Opting for Encryption

WhatsApp encourages all Android users to enable encryption for their Google Drive backups. By enabling this feature, users can enhance the security of their backups and fortify their privacy, making it significantly more difficult for unauthorized individuals to gain access to their personal data.

To activate encryption, users simply need to navigate to the settings within the WhatsApp application on their Android device and access the ‘Chats’ section. Here, they can select the ‘Chat backup’ option and proceed to toggle on the ‘Include videos’ and ‘Include voice…

Source…

Group permission misconfiguration exposes Google Kubernetes Engine clusters


GKE also supports anonymous access, and requests made to the Kubernetes API without presenting a client certificate or an authorized bearer token will automatically be executed as the “system:anonymous” user and the “system:unauthenticated” group role. However, if a token or certificate is presented, the API request will be identified as the corresponding identity with its defined roles but also with the roles assigned to the system:authenticated group. By default, this group provides access to some basic discovery URLs that don’t expose sensitive information, but admins could expand the group’s permissions without realizing the implications. “Administrators might think that binding system:authenticated to a new role, to ease their managerial burden of tens or hundreds of users, is completely safe,” the researchers said. “Although this definitely makes sense at first glance, this could actually turn out to be a nightmare scenario.”

To execute authenticated requests to a GKE cluster, all a user needs to do is use Google’s OAuth 2.0 Playground and authorize their account for the Kubernetes Engine API v1. By completing the playground authorization process, any user with a Google account can obtain an authorization code that can be exchanged for an access token on the same page. This access token can then be used to send requests to any GKE cluster and successfully identify as system:authenticated, which includes the system:basicuser role.

The system:basicuser role allows users to list all the permissions they currently have, including those inherited from the system:authenticated group, by querying the SelfSubjectRulesReview object. This gives attackers a simple way to check whether a cluster’s admin has overpermissioned system:authenticated.

The Orca researchers demonstrated the impact with an example where the admin decided to associate any authenticated user with the ability to read all resources across all apiGroups in the cluster. This is “something that can be somewhat useful when there is a real governance around the users which can authenticate to the cluster, but not on GKE,” they said. “Our attacker can now, in the current…
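The misconfiguration described above is easy to audit from the defender's side: every RoleBinding and ClusterRoleBinding that names the system:authenticated or system:unauthenticated group as a subject should be accounted for, and anything beyond the stock discovery-only grants deserves review. The script below is an added example, not code from Orca or Google; it reads a JSON document shaped like the output of `kubectl get clusterrolebindings,rolebindings -A -o json`, and the allowlist of default discovery ClusterRoles (system:basic-user, system:discovery, system:public-info-viewer) is an assumed baseline that you should compare against your own cluster. The sample bindings embedded in it are constructed for the example.

```python
"""Flag RBAC bindings that hand a role to every authenticated (or anonymous) caller.

Added example: audits a JSON document shaped like the output of
`kubectl get clusterrolebindings,rolebindings -A -o json` and reports any binding
whose subjects include the system:authenticated or system:unauthenticated group,
other than the stock discovery-only bindings that Kubernetes itself installs.
"""
import json
import sys

# Groups every bearer-token holder (and, for the second, every anonymous caller) lands in.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Stock ClusterRoles that Kubernetes legitimately binds to those groups; they only
# expose discovery endpoints. Assumed baseline: diff it against your own cluster.
DEFAULT_DISCOVERY_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def find_broad_bindings(binding_list, allowlist=DEFAULT_DISCOVERY_ROLES):
    """Return one finding per (binding, broad group) pair that grants a non-default role.

    binding_list: parsed JSON with an "items" array of ClusterRoleBinding / RoleBinding objects.
    """
    findings = []
    for item in binding_list.get("items", []):
        meta = item.get("metadata", {})
        namespace = meta.get("namespace")
        # kubectl keeps each item's kind in a mixed list; fall back on namespace presence
        kind = item.get("kind") or ("RoleBinding" if namespace else "ClusterRoleBinding")
        role = item.get("roleRef", {})
        for subj in item.get("subjects") or []:  # "subjects" is null when the binding is empty
            if subj.get("kind") != "Group" or subj.get("name") not in BROAD_GROUPS:
                continue
            if role.get("name") in allowlist:
                continue  # the default discovery grant, present on every cluster
            findings.append({
                "binding_kind": kind,
                "binding": meta.get("name"),
                "namespace": namespace,  # None for cluster-wide bindings
                "group": subj["name"],
                "role": f'{role.get("kind")}/{role.get("name")}',
                # a ClusterRoleBinding reaches every namespace and all cluster-scoped resources
                "scope": "cluster" if kind == "ClusterRoleBinding" else f"namespace:{namespace}",
            })
    return findings


def render(findings):
    """Human-readable report lines, one per finding."""
    return [f'{f["binding_kind"]} {f["binding"]} grants {f["role"]} to {f["group"]} ({f["scope"]})'
            for f in findings]


# Constructed sample, not taken from any real cluster: two benign bindings and two broad grants.
SAMPLE_BINDINGS = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
   "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "easy-read-access"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "RoleBinding", "metadata": {"name": "dev-viewers", "namespace": "dev"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "team-admins"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "team-a@example.com"}]}
]}
""")

if __name__ == "__main__":
    # Pass a file saved from kubectl as the first argument; otherwise audit the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_BINDINGS
    for line in render(find_broad_bindings(data)):
        print(line)
```

On the sample the audit reports the custom cluster-wide read grant and the namespaced `view` grant, and stays silent on the stock system:basic-user binding and the binding to a named team group. The namespaced case is kept in the report on purpose: a RoleBinding to system:authenticated is smaller in blast radius than a ClusterRoleBinding, but it still opens that namespace to anyone holding a Google access token.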

Source…

Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine


Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari.

The bug, tracked as CVE-2024-23222, stems from a type confusion error: the application assumes the input it receives is of a certain type without validating, or while incorrectly validating, that this is actually the case.

Actively Exploited

Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. “Apple is aware of a report that this issue may have been exploited,” the company’s advisory noted, without offering any further details.

The company has released updated versions of iOS, iPadOS, macOS, and tvOS with additional validation checks to address the vulnerability.

CVE-2024-23222 is the first zero-day vulnerability that Apple has disclosed in WebKit in 2024. Last year, the company disclosed a total of 11 zero-day bugs in the technology — its most ever in a single calendar year. Since 2021, Apple has disclosed a total of 22 WebKit zero-day bugs, highlighting the growing interest in the browser from both researchers and attackers.

Apple’s disclosure of the new WebKit zero-day follows Google’s disclosure last week of a zero-day in Chrome. It marks at least the third time in recent months that both vendors have disclosed zero-days in their respective browsers in close proximity to each other. The trend suggests that researchers and attackers are probing both technologies almost equally, likely because Chrome and Safari are the most widely used browsers.

The Spying Threat

Apple has not disclosed the nature of the exploit activity targeting the newly disclosed zero-day bug. But researchers have reported seeing commercial spyware vendors abusing some of the company’s more recent ones, to drop surveillance software on iPhones of target subjects.

In September 2023, Toronto University’s Citizen Lab warned Apple about two no-click zero-day vulnerabilities in iOS that a vendor of surveillance software had exploited to drop the Predator spyware tool on an iPhone belonging to an employee at a Washington, D.C.-based organization. The same month,…

Source…

Russian Group Delivering Malware Using PDFs: Google


SAN FRANCISCO, CA (IANS) – Google researchers have observed that COLDRIVER, a notorious Russian threat group focused on credential phishing, has now gone beyond that activity by delivering “malware via campaigns using PDFs as lure documents”.

The group, also known as ‘UNC4057’, ‘Star Blizzard’ and ‘Callisto’, has focused on credential phishing against Ukraine, NATO countries, academic institutions, and NGOs.

To gain the trust of targets, the group often utilizes impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target.

According to new research by Google’s Threat Analysis Group (TAG), Coldriver has increased its activity in recent months and is now using new tactics that can cause more disruption to its victims.

“As far back as November 2022, TAG has observed Coldriver sending targets benign PDF documents from impersonation accounts,” Google said in a blogpost on January 18.

The threat group presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted, the researchers explained.

If the target responds that they cannot read the encrypted document, the Coldriver impersonation account responds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use.

“This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving Coldriver access to the victim’s machine,” the researchers said.

In 2015 and 2016, TAG observed Coldriver using the Scout implant that was leaked during the Hacking Team incident of July 2015.

SPICA represents the first custom malware that the TAG researchers attribute to being developed and used by Coldriver.

The researchers have observed SPICA being used as early as September 2023, but believe that Coldriver’s use of the backdoor goes back to at least November 2022.

Source…