Intercepting LinkedIn Passwords

At the Microsoft TechDays 2012 in Belgium, white hat Paula Januszkiewicz shows how the tool Fiddler can be used to intercept the password of a LinkedIn user. The reason is because the password is not being encrypted by LinkedIn, although https is being used.

Not that wow imho, as it’s basically a man in the middle attack using a self-signed (thus forged) certificate (on which the browser will give you a notification). Quite sure lots of sites are “hackable” in this manner.

Facebook flaw allows access to private photos

Looks like the newly appointed Facebook Chief Privacy Officers have some explaining to do:

Users are able to report “inappropriate profile photos” on a user’s profile.

By checking the box “nudity or pornography”, the user is granted an opportunity to help Facebook “take action by selecting additional photos to include with your report”.

Facebook will then display a number of additional photos that are not otherwise publicly available to the user.

The trick has also been used to get some of Zuck’s private photos.

Facebook flaw allows access to private photos →.

(via )

BozoCrack MD5 Password Hash Cracker

BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password … via Google.

Specifically, it Googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.

It works way better than it ever should.

Clever.

BozoCrack →

(via inventis)

iPad 2 + iOS5 + Smart Cover = Fail

In a pretty sizable and scary (and weird!) security bug, Apple’s Smart Cover can be used to unlock any iPad 2, even if there’s a passcode on it.

Ouch! Should be noted though that you don’t get full access to the device, only the last app that was up (or the homescreen if no app was active) can be seen.

Anyone with a Smart Cover Can Break into Your iPad 2 →

Security Vulnerability of the day: Skype

Security researchers discovered several serious security and privacy flaws in Skype that even a ‘high school-age hacker’ could use to track not only users’ locations over time but also their P2P file-sharing activity. The security team warned that this information could easily be used for “stalking, blackmail or fraud.”

And

For example, they tracked one vacationing volunteer from New York to Chicago, back to New York, and then to his home in France. “If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when.”

Better call Saul! … but not via Skype.

Skype Exploits: I know where you are, what you are sharing, and how to best stalk you →
Security Flaw Links BitTorrent Users to Skype Accounts →

Security/Data Vulnerability of the day: HTC Android

Regarding HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others):

In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information.

Currently, any app that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Ouch.

Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails Addresses, Much More →