Google’s Project Zero is now being more considerate with how it discloses security vulnerabilities

Google’s Project Zero cybersecurity team is trialling a new policy where it won’t make security vulnerabilities public early after a fix has been issued. “Full 90 days by default, regardless of when the bug is fixed,” is the team’s new policy, which it will trial for a year before deciding whether to adopt it permanently.

Under the old system, Project Zero’s researchers would give vendors 90 days to fix an issue before making the problem public. However, if a patch was issued within that 90-day window, it would disclose the vulnerability early. This can be a problem, because it means users have to rush to patch a vulnerability before hackers can exploit it. A vulnerability might be fixed by the company, but that doesn’t matter if the patch hasn’t been widely adopted.

So now, regardless of whether a patch is issued 20 days or 90 days after Project Zero makes a vendor aware of the problem, it will still wait 90 days to make the issue public. There are a couple of exceptions, though. One is when there’s “mutual agreement” between the two companies to disclose early, and Project Zero may also extend the deadline by 14 days if it’s taking longer for a vendor to put together a patch. The seven-day deadline for vulnerabilities that are being exploited in the wild will remain unchanged.

As well as giving patches more time to be adopted, Project Zero says it hopes the new policy will improve consistency, giving vendors a better idea of when a vulnerability will be made public. It also says it’s eager to see more iterative and thorough patches issued, thanks to the time vendors will now have between a patch initially being issued and the vulnerability it addresses being made public.

Despite the changes, the Project Zero team says it’s broadly happy with how its disclosure period has worked until now. In 2014, when the team started its work, it says that bugs were sometimes not fixed six months after being discovered. Now, of the issues it’s identified (of which there have been many), it says 97.7 percent are patched within its 90-day window.

TikTok vulnerability could have let hackers access users’ videos

Cybersecurity research firm Check Point Research says it found “multiple vulnerabilities” within video sharing app TikTok that demonstrated its insecurity as scrutiny for the Chinese-owned company continues to grow.

Check Point found that it was possible to spoof text messages to make them appear to come from TikTok. Once a user clicked the fake link, a hacker would have been able to access parts of their TikTok account, including uploading and deleting videos and changing settings on existing videos from public to private.

Check Point also found that TikTok’s infrastructure would have allowed a hacker to redirect a targeted user to a malicious website that looked like TikTok’s homepage. This could have been combined with cross-site scripting and other attacks on the user’s account.
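The redirect-to-lookalike-site weakness described above is the classic open-redirect problem: a redirect parameter that is checked loosely, or not at all, lets a link that genuinely points at the real domain land the user on an attacker-controlled page. As an added illustration (not code from the Check Point report or from TikTok), here is a redirect-target check in Python that puts a naive substring test beside an allowlist check accepting only same-origin paths or https URLs whose host is on a list. The host names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real service would load this from configuration.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def naive_is_safe_redirect(target: str) -> bool:
    """The kind of check that is easy to get wrong: a substring test on the whole URL.
    It accepts "https://example.com.evil.example/", which is the flaw the hardened
    version below closes. Kept only for contrast."""
    return "example.com" in target


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept a redirect target only if it is a relative path on our own origin or an
    absolute https URL whose host is explicitly allowlisted."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False  # empty or carrying header-injection characters
    # Browsers treat "/\evil" like "//evil", so normalise backslashes before inspecting.
    candidate = target.replace("\\", "/")
    if candidate.startswith("/") and not candidate.startswith("//"):
        return True  # single leading slash: path on our own origin
    parts = urlsplit(candidate)
    if parts.scheme.lower() != "https":
        return False  # rejects javascript:, data:, plain http and scheme-relative "//host"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False  # exact match only: no suffix tricks like app.example.com.evil.example
    if parts.username or parts.password:
        return False  # https://app.example.com@evil.example/ style confusion
    return True


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """What the login or link handler should actually do: fall back to a safe default
    instead of following an unvetted target."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    for t in ["/account/settings", "https://app.example.com/videos?id=1",
              "//evil.example/", "https://app.example.com.evil.example/",
              "javascript:alert(1)"]:
        print(f"{t!r:50} naive={naive_is_safe_redirect(t)!s:5} hardened={is_safe_redirect(t)}")
```

The important design choice is that the hardened check compares the parsed host against an exact allowlist rather than asking whether the string "looks like" the real domain; every bypass in the sample list exploits the gap between those two questions.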

Sending links and other sensitive information over SMS is a well-known security concern and a favorite method for cybercriminals who want to access users’ phones. In 2014, the UK’s Information Commissioner’s Office fined a concert promoter more than $100,000 for sending spoofed text messages to concertgoers that appeared to come from their mothers. Amnesty International documented in 2018 how hackers could get around Gmail and Yahoo’s two-factor authentication safeguards by intercepting 2FA confirmation codes via SMS message.

Check Point says it notified TikTok’s parent company about the security vulnerabilities in November, and the app has since fixed the problem.

“TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” TikTok security team member Luke Deshotels said in a statement. “Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”

Oded Vanunu, the lead researcher on Check Point’s report, said an app like TikTok — which is close to 1.5 billion global users in just two and a half years since launching outside of China — is a ripe target for hackers because of the amount of data and potentially private information being transferred. Since apps like TikTok can be used across multiple platforms, it’s easier for a malicious actor to escalate their activity quickly, he said.

“We see huge amounts of malicious activity on IM and social networks,” Vanunu said in an interview with The Verge. “What we’re trying to make sure people understand is that the cyber space is something that doesn’t just start and end on a sophisticated platform, but that if you’re in cyber space, even for day to day activity, your data and privacy are at risk.”

And it’s not just newer apps like TikTok that are vulnerable to attack, Vanunu added. “Even for veteran applications, they are not more or less vulnerable, but there’s potentially much more opportunity since they have so many users,” he said.

TikTok is owned by Chinese company ByteDance. The Committee on Foreign Investment in the United States says the app could pose national security concerns for Americans and possibly be used to influence or monitor them. The US Army has barred soldiers from using the TikTok app on government-owned phones, calling it a cyberthreat.

Vanunu said Check Point’s research didn’t get into whether TikTok posed any specific national security concerns but that it was not difficult to draw certain conclusions based on what it did find. “You can link the dots on what could be the implications for geopolitical cyber warfare,” he said.

Travelex currency exchange is offline following a malware attack

It seems bitcoin has come out swinging against fiat currency — as one of the world’s largest fiat currency exchanges is offline due to a software virus. UK currency exchange site Travelex may be subject to ransom demands to get back online and protect its customers’ data; the attackers are demanding a six-figure ransom to be paid in bitcoin, according to Computer Weekly.

Travelex took its sites offline after a hack apparently compromised some of its services, according to a statement on its US website. The site is being held hostage by ransomware, with attackers seeking about $3 million, according to The Guardian.

The company first discovered the virus on New Year’s Eve, Travelex said in its statement. According to the company, there’s no indication personal or customer data had been compromised in the incident. “The company’s network of branches continues to provide foreign exchange services manually,” the statement said.

Travelex has confirmed in a new statement that the ransomware involved is Sodinokibi (also known as REvil), a particularly insidious strain. Sodinokibi almost acts like a software-as-a-service that allows criminals to customize it for their specific uses, according to an analysis by McAfee. The ransomware encrypted Travelex’s entire network, and the attackers gave Travelex a seven-day deadline to pay up, Bleeping Computer reported.

While the company has not confirmed how attackers accessed its systems, Travelex was warned last summer about a vulnerability in a VPN it was running and may have failed to apply an available patch, according to Bleeping Computer.

Hackers are threatening to publish personal data of Travelex customers, including social security numbers, birth dates, and credit card information, according to The Guardian. Travelex provides currency exchange services in 70 countries, allowing travelers and others to exchange their home currency for the currency in the country they’re visiting. Customers can place orders for prepaid travel cards online or at a Travelex facility, but as of Tuesday, online orders for new prepaid cards were suspended. Existing Travelex cards were continuing to function normally, according to the BBC.

The London Metropolitan Police’s cyber crime team says it is investigating the incident, CNN reports. The Verge emailed Travelex for comment; we’ll update if they respond.

Update, January 7th, 3:23PM ET: Added link to new statement from Travelex confirming that the ransomware involved was Sodinokibi.

The FBI has asked Apple to unlock another shooter’s iPhone

The FBI has asked for Apple’s help in unlocking two iPhones linked to a shooting at a Pensacola naval base in December, according to a report by NBC News. In a letter sent to Apple on Monday, FBI general counsel Dana Boente said the bureau has obtained court approval to search the device but was unable to unlock it using available tools.

“Investigators are actively engaging in efforts to ‘guess’ the relevant passcodes but so far have been unsuccessful,” Boente told the company.

Such requests have been a sore point for Apple, which cannot produce local data from locked phones without attacking the fundamental elements of iOS security. The company routinely provides iCloud data in response to court orders, which often includes backups of the phone’s local storage — but without the passcode for a specific device, Apple can’t provide data stored locally on the phone. The failure to provide that data has become a sticking point for law enforcement and the FBI in particular, which has often lobbied for increased access to locally encrypted data.

Apple’s failure to decrypt local data last came to a head with the San Bernardino shooting, in which the FBI sought to decrypt a phone linked to another domestic shooting. In particular, the FBI hoped to force Apple to create a modified, encryption-free version of iOS, which would then be signed by Apple and installed on the San Bernardino phone. After months of legal fighting, the FBI abruptly withdrew its case when a vendor solution became available.

When the phone was finally unlocked, it produced no additional leads. A subsequent Inspector General report found that the bureau had failed to explore its internal vendor resources before bringing the case.

Reached by The Verge, Apple declined to confirm the existence of the letter, but said it had turned over all available data related to the case in response to a court order. “We have the greatest respect for law enforcement and have always worked cooperatively to help in their investigations,” a company representative said. “When the FBI requested information from us relating to this case a month ago we gave them all of the data in our possession and we will continue to support them with the data we have available.”

Apple sues security vendor for DMCA violations

Apple is suing an iOS virtualization vendor called Corellium for trafficking under the Digital Millennium Copyright Act (DMCA). Apple initially sued the company for copyright infringement in August, alleging that Corellium’s virtualization of iOS was violating Apple’s ownership of the code. The more recent filing expands the case, alleging that Corellium’s sale of the virtualization software counts as trafficking in copyright-protected goods.

“Corellium’s business is based entirely on commercializing the illegal replication of the copyrighted operating system and applications that run on Apple’s iPhone, iPad, and other Apple devices,” Apple’s revised complaint alleges. “Corellium simply copies everything: the code, the graphical user interface, the icons—all of it, in exacting detail…providing its users with the tools to do the same.”

The software in question allows users to run a facsimile of iOS in a controlled desktop environment. With no conventional connectivity, the program cannot be used as a phone, but it allows researchers to examine how specific software performs on iOS in minute detail. It is particularly useful when researching malware, and it was most recently used to uncover surveillance-related protocols in the United Arab Emirates’ ToTok app.

In a statement after the filing, Corellium described the motion as part of a broader crackdown against jailbreaking by Apple.

“Apple is using this case as a trial balloon in a new angle to crack down on jailbreaking,” said Corellium CEO Amanda Gorton. “Across the industry, developers and researchers rely on jailbreaks to test the security of both their own apps and third-party apps – testing which cannot be done without a jailbroken device…. Not only do researchers and developers rely on jailbreaking to protect end users, but Apple itself has directly benefited from the jailbreak community in a number of ways.”

Apple declined to comment.

Consumer jailbreaking was widespread in early versions of iOS, but it has declined significantly in recent years, and some of the most prominent jailbreak-reliant app sources have closed down as a result. The most common way of installing non-authorized software is now through Apple’s enterprise certificate system, which leaves the basic architecture of iOS intact. Still, there’s significant competition for finding gaps in Apple’s software control systems, most recently with a bootrom exploit called Checkm8 that was released publicly in September.

Correction: An earlier version of this piece stated that Apple had filed charges against Corellium; in fact, Apple is suing the company in civil court. The Verge regrets the error.

Go read this ‘Cloud Hopper’ hacking investigation by the WSJ

The global hacking campaign known as “Cloud Hopper” perpetrated by government-sponsored Chinese hackers was much worse than originally reported, according to an investigation by the Wall Street Journal you should read in full.

The report says that “at least a dozen cloud providers” were affected, but focuses on HP to illustrate the severity of the intrusions and the tactics used to attack and defend.

“The Journal found that Hewlett Packard Enterprise Co. was so overrun that the cloud company didn’t see the hackers re-enter their clients’ networks, even as the company gave customers the all-clear.”

“Inside the clouds, the hackers, known as APT10 to Western officials and researchers, had access to a vast constellation of clients. The Journal’s investigation identified hundreds of firms that had relationships with breached cloud providers, including Rio Tinto, Philips, American Airlines Group Inc., Deutsche Bank AG, Allianz SE, and GlaxoSmithKline PLC.”

[…]

“They came in through cloud service providers, where companies thought their data was safely stored. Once they got in, they could freely and anonymously hop from client to client, and defied investigators’ attempts to kick them out for years.”

A lot of this was known in broad terms, as revealed by a Reuters investigation in June. The more detailed WSJ investigation shows just how vulnerable our data is when stored by a third party, and how aggressively state-sponsored hackers continue to pursue it.

Wyze server leak exposes customer data of 2.4 million users

An unsecured server exposed the data of Wyze customers over a period of three weeks, the smart security camera manufacturer has admitted. The leak was first discovered by the cybersecurity firm Twelve Security, which published its findings on December 26th, while IPVM, a blog focused on video surveillance products, was able to verify that its own data had been affected by the leak. According to Twelve Security, the data of around 2.4 million Wyze customers was compromised.

In a forum post announcing the leak to its users, Wyze co-founder Dongsheng Song wrote that the exposed server was not a production server, but was instead a “flexible database” that was created to allow for customer data to be more quickly queried. The co-founder said that an employee error led to the server’s security protocols being removed on December 4th, and the data was exposed until December 26th when the company was made aware of the problem.

In its blog post on the leak, Twelve Security said that the server included information like usernames, email addresses, camera nicknames, device models, firmware information, Wi-Fi SSID details, API tokens for iOS and Android, and Alexa tokens from users who’d connected Amazon’s voice assistant with their security cameras. (Wyze says that the database did not include user passwords.) The cybersecurity firm also claimed that the database included a huge array of health information, including height, weight, bone density, and daily protein intake. Song confirmed that some health information was present thanks to a beta test of a new smart scale product, but disputed that it had ever collected information on bone density and daily protein intake.

Twelve Security even claimed that there were “clear indications” that the data was being sent to the Alibaba Cloud in China. Song’s forum post disputes this. He said that Wyze does not use Alibaba Cloud, and that although it has employees and manufacturing partners in China, it does not share user data with any government agencies.

In response to the security lapse, Song says that Wyze has begun conducting an audit of all its servers and databases, and has discovered another unprotected database. He also said that the company is revisiting “all aspects” of its security guidelines. In the meantime, the co-founder said that Wyze users should beware of phishing attacks, and that the company has logged all its users out of their accounts and unlinked their third-party integrations to try to close the security loophole caused by the compromised API and Alexa tokens.
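Logging every user out and unlinking every integration at once is only possible if tokens are checked against server-side state rather than being trusted on their own. As an added example (not Wyze’s code; how Wyze actually implemented its logout is not described on the page), here is a Python token service in which each token is bound to a per-user generation counter and a global epoch. Bumping a user’s counter invalidates that user’s tokens; bumping the epoch invalidates every outstanding token, which is the mass-logout response described above. The secret and user ids are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


class TokenService:
    """Issues HMAC-signed opaque tokens whose validity depends on two server-side counters,
    so revocation never requires tracking individual tokens."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._user_gen: dict[str, int] = {}  # user id -> generation of currently valid tokens
        self._epoch = 0                      # global generation; bumping it logs everyone out

    def issue(self, user_id: str, integration: str = "app") -> str:
        """Mint a token for one user and one integration (e.g. the mobile app or a voice assistant)."""
        payload = {
            "uid": user_id,
            "int": integration,
            "gen": self._user_gen.setdefault(user_id, 0),
            "epoch": self._epoch,
        }
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).rstrip(b"=")
        tag = hmac.new(self._secret, body, hashlib.sha256).hexdigest()
        return f"{body.decode()}.{tag}"

    def verify(self, token: str):
        """Return the token's payload if its signature and both counters check out, else None."""
        try:
            body, tag = token.rsplit(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or tampered
        padded = body + "=" * (-len(body) % 4)
        payload = json.loads(base64.urlsafe_b64decode(padded))
        if payload["epoch"] != self._epoch:
            return None  # issued before a global revocation
        if payload["gen"] != self._user_gen.get(payload["uid"], 0):
            return None  # issued before this user's tokens were revoked
        return payload

    def revoke_user(self, user_id: str) -> None:
        """Log one user out of every device and integration."""
        self._user_gen[user_id] = self._user_gen.get(user_id, 0) + 1

    def revoke_everyone(self) -> None:
        """Incident response: invalidate every token ever issued, forcing re-authentication."""
        self._epoch += 1


if __name__ == "__main__":
    svc = TokenService(b"constructed-secret-for-the-example")
    alexa = svc.issue("user-1", "alexa")
    print("valid before revocation:", svc.verify(alexa) is not None)
    svc.revoke_everyone()
    print("valid after mass revocation:", svc.verify(alexa) is not None)
```

Because the check is a comparison against two integers, the service can revoke millions of tokens in constant time, and a leaked database of old tokens is worthless once the epoch has moved on. The trade-off is that every verification needs a lookup of the user’s current generation, so the counters belong in a fast, authoritative store rather than in the token itself.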

The data leak comes at the end of a difficult year for Wyze. The company announced a new AI-powered people detection feature back in July for its affordable security cameras, only to have the AI startup it partnered with on the feature drop out in November, casting doubt on the feature’s future. The launch of its subscription service also needed to be delayed that same month due to unspecified “critical issues.”

Song was keen to emphasize that the company’s budget prices don’t mean that it takes security any less seriously. “We’ve often heard people say, ‘You pay for what you get,’ assuming Wyze products are less secure because they are less expensive. This is not true,” the co-founder wrote. “We’ve always taken security very seriously, and we’re devastated that we let our users down like this.”

Twitter bans animated PNG files after online attackers targeted users with epilepsy

Twitter is banning animated PNG image files (APNGs) from its platform, after an attack on the Epilepsy Foundation’s Twitter account sent out similar animated images that could potentially cause seizures in photosensitive people.

Twitter discovered a bug that allowed users to bypass its autoplay settings and include several animated images in a single tweet using the APNG file format.

“We want everyone to have a safe experience on Twitter,” the company says in a tweet from the Twitter Accessibility handle. “APNGs were fun, but they don’t respect autoplay settings, so we’re removing the ability to add them to Tweets. This is for the safety of people with sensitivity to motion and flashing imagery, including those with epilepsy.”

Tweets with existing APNG images won’t be deleted from the platform, but only GIFs will be able to animate images moving forward. According to Yahoo, Twitter has further clarified that APNG files were not used to target the Epilepsy Foundation, but the bug meant such files could have been used to do so in the future had Twitter not moved to squash it.
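An APNG shares the .png extension and the image/png media type with an ordinary PNG, so a pipeline that decides "animated or not" from the file name or MIME type cannot tell them apart; what distinguishes them is an acTL (animation control) chunk that the APNG extension requires before the first IDAT chunk. As an added example (not Twitter’s code), here is a small PNG chunk parser in Python that validates the signature, chunk lengths and CRCs, reports whether a file declares animation, and applies an upload policy modelled on the ban described above. The sample images are constructed inside the block and deliberately minimal: the animated one carries only the acTL marker, not the fcTL/fdAT frame chunks a player would need.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(blob: bytes):
    """Yield (type, data) for each chunk, rejecting bad signatures, truncation and CRC mismatches."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = blob[start:end]
        (crc,) = struct.unpack(">I", blob[end:end + 4])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        yield ctype, data
        pos = end + 4
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def png_animation_info(blob: bytes):
    """Return (is_animated, frame_count). An acTL chunk before the first IDAT marks an APNG;
    an acTL after IDAT is invalid and decoders treat such a file as a static PNG."""
    for ctype, data in iter_chunks(blob):
        if ctype == b"acTL":
            num_frames, _num_plays = struct.unpack(">II", data[:8])
            return True, num_frames
        if ctype == b"IDAT":
            break
    return False, 1


def upload_decision(blob: bytes) -> str:
    """Upload policy: accept static PNGs, reject animated ones and malformed files."""
    try:
        animated, frames = png_animation_info(blob)
    except ValueError as exc:
        return f"reject: {exc}"
    return f"reject: animated PNG ({frames} frames)" if animated else "accept: static PNG"


def build_png(width: int, height: int, animated_frames: int = 0) -> bytes:
    """Constructed sample: a tiny 8-bit grayscale image, optionally with an APNG acTL chunk."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # depth 8, grayscale
    raw = b"".join(b"\x00" + bytes([0x80] * width) for _ in range(height))  # filter byte 0 per row
    chunks = [_chunk(b"IHDR", ihdr)]
    if animated_frames:
        chunks.append(_chunk(b"acTL", struct.pack(">II", animated_frames, 0)))  # 0 = loop forever
    chunks.append(_chunk(b"IDAT", zlib.compress(raw)))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


if __name__ == "__main__":
    for label, img in [("static", build_png(2, 2)), ("animated", build_png(2, 2, animated_frames=3))]:
        print(f"{label}: {upload_decision(img)}")
```

The parser verifies every CRC it walks past, so a file that has been hand-edited to hide or move the acTL chunk fails closed rather than slipping through; a production filter would run this after full decoding, since the decoder is what ultimately decides whether a client will animate the image.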

The attacks on the Epilepsy Foundation’s Twitter handle occurred last month — National Epilepsy Awareness Month — with trolls using its hashtags and Twitter handle to post animated images with strobing light effects. It’s not clear how many people may have been affected by the attack, but the foundation said it’s cooperating with law enforcement officials and has filed criminal complaints against accounts believed to have been involved.

An animated image can be considered a deadly weapon, a Texas jury found in 2016, after a man sent a flashing GIF to journalist Kurt Eichenwald, who has epilepsy. The image did indeed cause Eichenwald to have a seizure.

Twitter said Monday it will “look into building a similar feature that’s better for you and your Twitter experience” in lieu of APNGs.

Popular chat app ToTok is reportedly secret United Arab Emirates spying tool

A report from The New York Times has revealed that messaging app ToTok, popular in the United Arab Emirates, is in fact a government spy tool, created for the benefit of UAE intelligence officials and used to track citizens’ conversations and movements.

ToTok launched earlier this year and has been downloaded by millions in the UAE, a nation where Western messaging apps like WhatsApp and Skype are partially blocked. It promised “fast, free, and secure” messages and calls, and attracted users across the Middle East and beyond, even becoming one of the most downloaded social apps in the US last week.

But, citing classified briefings from US intelligence officials and its own analysis, the NYT reports that ToTok is really a way for the UAE government to spy directly on its people. Citizens who used the app were sharing messages, pictures and videos, and even their location (supposedly being tracked to provide weather updates) with Emirati intelligence.

ToTok offered users “fast and secure messaging.”
Image via The New York Times

The Times notes that this is something of a new development in the history of digital spying by authoritarian regimes. Although many governments routinely hack citizens’ phones, not many set up an ostensibly legitimate app and simply ask for access to their data.

“There is a beauty in this approach,” security researcher Patrick Wardle, who conducted an independent forensic analysis of ToTok, told the Times. “You don’t need to hack people to spy on them if you can get people to willingly download this app to their phone. By uploading contacts, video chats, location, what more intelligence do you need?”

The Times reports that the company that runs ToTok, Breej Holding, is most likely a front for Abu Dhabi-based cybersecurity firm DarkMatter. The app is also connected to UAE data-mining firm Pax AI, which shares offices with the Emirates’ signals intelligence agency.

Breej Holding, DarkMatter, and the UAE government have yet to comment on the Times report, but both Google and Apple have removed ToTok from the Play Store and App Store. The FBI also refused to comment, but a spokesperson for the bureau told the Times: “[W]hile the FBI does not comment on specific apps, we always want to make sure to make users aware of the potential risks and vulnerabilities that these mechanisms can pose.”