Andrew Orr joins host Kelly Guimont to discuss Security Friday news and updates, including fixes and a tip for passwords on iOS.
An iOS exploit called Insomnia was used between January and March 2020 to spy on Uyghurs in China using apps like Signal and ProtonMail.
A contacts exploit was discovered in iOS 13 that lets a person bypass Face ID / Touch ID to see an iPhone’s contacts.
Relatively little is at stake with this exploit. Beyond the inherent danger of an assailant having your iPhone, this method only allows someone to view the contacts within the target iPhone, provided that they have physical access to the target phone and can complete the VoiceOver exploit.
Little is at stake, but there have been so many iOS exploits in the news lately that we might as well go straight to iOS 13.1.
Google’s security team Project Zero recently found six “interactionless” iOS bugs. If sold on the black market they would be worth over US$5 million.
According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim’s phone, and the malicious code will execute once the user opens and views the received item.
An Israeli firm called NSO Group used a WhatsApp exploit to inject spyware on target devices. A fix for the exploit is live.
Given the stealthy way the attack was attempted, it’s impressive that WhatsApp caught it as quickly as they did. Engineers at Facebook have been busy sorting this one out over the weekend…Named CVE-2019-3568…affected versions include…WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51.
Security researcher Linus Henze found a macOS Keychain bug but won’t share it with Apple out of protest.
Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility. However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.
It is odd that there isn’t a macOS bug bounty but I think withholding security information isn’t the way to go.
The team—Fluoroacetate—was crowned Master of Pwn with 45 points.
Security researcher Rafay Baloch found an iOS Safari spoofing exploit, and at this time there is no documented fix. Will iOS 12 patch it?