35 Companies Including Apple Hacked in Supply Chain Attack

Security researcher Alex Birsan was able to breach over 35 companies’ internal systems, including Apple, Microsoft, PayPal, Spotify, Netflix, and others. He did this through bug bounty programs and pre-approved penetration testing arrangements (aka, he’s one of the good guys). He earned over US$100,000 in bounties.

The attack comprised uploading malware to open source repositories including PyPI, npm, and RubyGems, which then got distributed downstream automatically into the company’s internal applications.

Unlike traditional typosquatting attacks that rely on social engineering tactics or the victim misspelling a package name, this particular supply chain attack is more sophisticated as it needed no action by the victim, who automatically received the malicious packages.

Apple Apologizes For Mistakenly Removing Student’s Indigenous Language App from App Store

Student, Brendan Eshom, a member of the Gitga’at community of the Ts’msyen First Nation, launched an app that shared his community’s culture and promoted a word each day in its language – Sm’algyax. However, it was removed and the young developer tried to contact Apple to found out. He got no answers, but the company has confirmed to Global News that it was taken down in error, has been reinstated, and apologized.

He says he reached out to Apple multiple times for an explanation, but couldn’t get answers. “It was definitely more discouraging to not even hear why they took it down in the first place,” he said. Eshom contacted Consumer Matters for help. Consumer Matters contacted Apple asking why the app had been removed and why Eshom’s status on Apple had been terminated. In an email, Apple stated: “Maintaining the integrity of the App Store is a responsibility we take seriously to ensure the safety of our customers, and give every developer a platform to share their brightest ideas with the world. Unfortunately, this developer’s app, which is a great example of how technology can be used to bridge cultural understanding, was mistakenly removed from the App Store

Hackers Tried to Poison Florida Town’s Water Supply

Most security news I’ve shared involves purely digital hacking. This story from Reuters is a case of using hacking to affect the physical world, like an attempt to poison a town’s water supply.

The hackers then increased the amount of sodium hydroxide, also known as lye, being distributed into the water supply. The chemical is typically used in small amounts to control the acidity of water, but at higher levels is dangerous to consume.

Oldsmar Mayor Eric Seidel said in a press conference on Monday that the affected water treatment facility also had other controls in place that would have prevented a dangerous amount of lye from entering the water supply unnoticed.

Spotify Finally Testing Live Lyrics Feature in U.S.

Spotify is finally rolling out its Live Lyrics feature to some users in the U.S, Engadget reported. Equivalent features are widely available on rivals Apple Music and Deezer.

It’s worth noting that Spotify’s “new” approach to lyrics — which is once again powered by Musixmatch — isn’t really all that new. The company has been testing the feature in markets around the world for years, and officially launched it in 26 markets — including Brazil, Mexico, Vietnam, Hong Kong, Thailand, India and more — around the middle of 2020. More recently, live lyrics were also made available to users in South Korea when the service launched there earlier this month. At the risk of sounding a little obvious, though, not every test market ultimately gets access to the feature at wide scale. Spotify, for instance, ran a similar test in Canada before discontinuing it around June 2020; to our knowledge, the feature has never reappeared. This move puts Spotify on more even footing with competing services like Apple Music and Deezer, and should help the company from losing competitors to more feature-rich rivals.