Intercepting LinkedIn Passwords

At the Microsoft TechDays 2012 in Belgium, white hat Paula Januszkiewicz shows how the tool Fiddler can be used to intercept the password of a LinkedIn user. The reason is that the password is not being encrypted by LinkedIn, although HTTPS is being used. Not that wow imho, as it’s basically a man in the …

Facebook flaw allows access to private photos

Looks like the newly appointed Facebook Chief Privacy Officers have some explaining to do: Users are able to report “inappropriate profile photos” on a user’s profile. By checking the box “nudity or pornography”, the user is granted an opportunity to help Facebook “take action by selecting additional photos to include with your report”. Facebook will …

BozoCrack MD5 Password Hash Cracker

BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password … via Google. Specifically, it Googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results. It works way better than it …

iPad 2 + iOS5 + Smart Cover = Fail

In a pretty sizable and scary (and weird!) security bug, Apple’s Smart Cover can be used to unlock any iPad 2, even if there’s a passcode on it. Ouch! Should be noted though that you don’t get full access to the device, only the last app that was up (or the homescreen if no app …

Security Vulnerability of the day: Skype

Security researchers discovered several serious security and privacy flaws in Skype that even a ‘high school-age hacker’ could use to track not only users’ locations over time but also their P2P file-sharing activity. The security team warned that this information could easily be used for “stalking, blackmail or fraud.” And, for example, they tracked one …

Security/Data Vulnerability of the day: HTC Android

Regarding HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others): In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. Currently, any app that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its …