Silensec Newsletter

LinkedIn bug allowed data to be stolen from user profiles

LinkedIn bug allowed data to be stolen from user profiles

A bug in how LinkedIn autofills data on other websites could have allowed an attacker to silently steal user profile data.

The flaw was found in LinkedIn's widely used AutoFill plugin, which allows approved 3rd-party websites to let LinkedIn members automatically fill in basic information from their profile - such as their name, email address, location, and where they work - as a quick way to sign up to the site or to receive email newsletters.

Read more...

iPhones, iPads Can Be Hacked via 'Trustjacking' Attack

iPhones, iPads Can Be Hacked via 'Trustjacking' Attack

A feature that allows users to wirelessly sync their iPhones and iPads with iTunes can be abused by hackers to take control of iOS devices in what researchers call a "Trustjacking" attack.

This feature can be enabled by physically connecting an iOS device to a computer with iTunes and enabling the option to sync over WiFi.

If an attacker gets the targeted user to connect their iPhone/iPad via a cable to a malicious or compromised device, the hacker gains persistent control over the device as long as they are on the same wireless network as the victim.

Read more...

$3.3 Million stolen from main Coinsecure Bitcoin wallet

$3.3 Million stolen from main Coinsecure Bitcoin wallet

Cryptocurrency exchange Coinsecure, India's second exchange, announced that it has suffered a severe issue, 438 bitcoin, $3,3M worth of bitcoin, have been transferred from the main wallet to an account that is not under their control. Only the CEO and CSO had private keys to the exchange's main wallet.

The CSO is responsible for the transfer, the company posted two imaged on the websites containing company statement signed by the Coinsecure team and a scanned copy of a police complaint filed by CEO.

Read more...

17-year-old finds screen lock bypass vulnerability in Signal app for iOS

17-year-old finds screen lock bypass vulnerability in Signal app for iOS

The Encrypted Messaging App Signal is Edward Snowden's Favorite App. Leonardo Porpora, a 17-year-old high school student from Italy, discovered an easy to exploit vulnerability in popular encrypted messaging app Signal for iOS that would let malicious hackers bypass the authentication process and access user chats.

Read more...

Microsoft issued out-of-band patch to fix CVE-2018-0986 Malware Protection Engine flaw

Microsoft issued out-of-band patch to fix CVE-2018-0986 Malware Protection Engine flaw

Microsoft malware protection engine is the core component for malware detection and cleaning of several Microsoft anti-malware software.

The CVE-2018-0986 flaw could be exploited by attackers to execute malicious code on a Windows system with system privileges to gain the full control of the vulnerable machine.

The CVE-2018-0986 vulnerability rated as ‘critical’ was discovered by a white hat hacker at the Google Project Zero.

Read more...

2.2 billion compromised Facebook accounts!

2.2 billion compromised Facebook accounts!

Facebook drops yet another bombshell on its users by admitting that all of its 2.2 billion users should assume malicious 3rd-party scrapers have compromised their public profile information.

Mark Zuckerberg at an interview revealed that "malicious actors" took advantage of "Search" tools on its platform to discover the identities and collect information on most of its 2 billion users worldwide.

Read more...