Powerful worm on Twitter unleashes torrent of out-of-control tweets

Aurich Lawson / Universal Pictures

Twitter on Wednesday was briefly overrun by a powerful computer worm that caused tens of thousands of users to tweet a message that contained self-propagating code exploiting a bug in the TweetDeck app.

Within a few hours, the cross-site scripting (XSS) attack caused at least 37,000 84,700 users to retweet a single message originally transmitted by the user @derGeruhn. The body of the message contained JavaScript commands that caused anyone viewing it in TweetDeck to automatically retweet it. The message spread virally. The more times it was retweeted, the more times it was viewed and retweeted by other people using the vulnerable app. The BBC News Twitter account alone pushed the message to 10.1 million followers.

It's by no means the first time a worm has slithered through Twitter. Worms based on clickjacking exploits and XSS attacks were documented as long ago as 2009 and were also used maliciously in 2011 to spread scam messages.
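The worm described above worked because tweet text was rendered as markup, so script inside a tweet ran in every vulnerable client that displayed it. The following is an added example, not code from the article or from TweetDeck, that contrasts a renderer which concatenates untrusted tweet text into HTML with one that output-encodes it first; the sample tweet, the `escapeHtml` helper and the `containsScriptTag` check are all constructed for this illustration.

```javascript
// Added example (not from the article or TweetDeck): why rendering tweet text
// as raw HTML lets a tweet carry script, and how output encoding prevents it.

// Constructed sample tweet whose text contains markup, as a worm-carrying tweet would.
const SAMPLE_TWEET = {
  user: "example_user",
  text: "hello <script>alert(1)</script> world", // constructed, not the real payload
};

// Vulnerable renderer: untrusted fields are concatenated straight into HTML,
// so any tags in the tweet body become part of the page.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b>: ${tweet.text}</div>`;
}

// Encode the five characters that carry meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every untrusted field is encoded before insertion, so the
// tweet body can only ever be displayed as text, never interpreted as markup.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b>: ${escapeHtml(tweet.text)}</div>`;
}

// Simple review/detection check: does the rendered markup contain a script tag
// that the template itself never emits?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderTweetUnsafe(SAMPLE_TWEET));
console.log("safe:  ", renderTweetSafe(SAMPLE_TWEET));
```

In a browser client the equivalent of `renderTweetSafe` is to create elements and assign untrusted strings with `textContent` (never `innerHTML`), and a Content Security Policy that disallows inline script limits the damage if an encoding gap is missed.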


14-Year Olds Hack ATM With Default Password

This is actually a pretty good hack and a good use of the word hacking in the original sense: two curious teenagers managed to access the administrator mode of an ATM in Winnipeg, Canada, by using the default password they found in a manual they downloaded online. Ingenious and pretty forward-thinking, I like the [...] The post 14-Year Olds Hack...

Read the full post at darknet.org.uk

Feedly buckles under DDoS but defies attackers’ extortion demands

News aggregator Feedly was made inaccessible by attackers who are demanding a ransom to stop their crippling assault. Two other cloud-based services, Evernote and Deezer, have also buckled under distributed denial of service (DDoS) attacks in recent days.

Most or all of Feedly's 12 million or so users were unable to access its website early Wednesday morning. A few hours later, parts of the site gradually came back online. In an advisory, officials wrote:

2:04am PST – Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort money from us to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best we can.

We are working in parallel with other victims of the same group and with law enforcement.

We want to apologize for the inconvenience. Please know that your data is safe and you will be able to re-access your feedly as soon as the attack is neutralized.

On Tuesday, Evernote also experienced connectivity problems that it attributed to DDoS attacks. The service seemed to be working normally as of press time. Cloud-based music service Deezer suffered a DDoS attack over the weekend, according to The Inquirer, which cited e-mails company officials sent to subscribers.


Android no longer reveals app permission changes in automatic updates

Automatically updating Android apps could get riskier thanks to a change Google developers have made to the way the OS discloses new app permissions, such as the ability to send potentially costly text messages or track a user's precise geographic location.

Previously, automatically updated apps displayed explicit details when a new version gained additional privileges. For example, an app that previously tracked only coarse GPS coordinates would warn users if an update would begin receiving fine coordinates. Similarly, a newly assigned ability to send SMS messages would also be disclosed. Under changes implemented through the latest Play store app, neither new privilege is displayed if a user has previously accepted any other permission in the same category as the new permission. In other words, by accepting one permission from a category, users agree that every other permission in that category can be added without notification in future updates.

The change is an attempt by Google to streamline and simplify the process of installing updates. Rather than providing lengthy details many users likely don't understand, the new permission disclosure is much less verbose. Permissions are indicated only by a very general category such as Location, SMS, or Contacts/Calendar. Users who want to track precisely how a permission may have changed must click the category to see if specific new capabilities have been added. As a result, an app update that replaces coarse location with fine location simply shows the location category. End users must manually drill down to learn of the change.
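To make the disclosure rule described above concrete, here is an added example (not code from the article or from Google's Play store) that models it: a category is surfaced only when an update adds a permission in a group the app previously held nothing in, so additions inside an already-accepted group go unannounced. The function `categoriesDisclosed` is a simplified model of that rule, `addedPermissions` is the full per-permission diff a careful user or an app-vetting pipeline would want instead, and `silentlyAdded` is the gap between the two. The permission-to-group table and the two version manifests are constructed for the demo (the permission names are real Android ones; the grouping is a small hand-picked subset, not the platform's complete table).

```javascript
// Added example (not from the article or from Google): a simplified model of the
// category-level update disclosure, beside a full per-permission diff.

// Constructed subset mapping real Android permission names to display groups.
const PERMISSION_GROUP = {
  "android.permission.ACCESS_COARSE_LOCATION": "Location",
  "android.permission.ACCESS_FINE_LOCATION": "Location",
  "android.permission.SEND_SMS": "SMS",
  "android.permission.READ_SMS": "SMS",
  "android.permission.READ_CONTACTS": "Contacts/Calendar",
  "android.permission.READ_CALENDAR": "Contacts/Calendar",
};

function groupOf(perm) {
  return PERMISSION_GROUP[perm] || "Other";
}

// Every permission the update adds, regardless of group.
function addedPermissions(oldPerms, newPerms) {
  const before = new Set(oldPerms);
  return newPerms.filter((p) => !before.has(p)).sort();
}

// Model of the coarser disclosure: a group is shown only if the app held no
// permission in that group before the update.
function categoriesDisclosed(oldPerms, newPerms) {
  const heldGroups = new Set(oldPerms.map(groupOf));
  const shown = new Set();
  for (const p of addedPermissions(oldPerms, newPerms)) {
    const g = groupOf(p);
    if (!heldGroups.has(g)) shown.add(g);
  }
  return [...shown].sort();
}

// Added permissions that the category view never surfaces: the privilege gains
// an automatic update can bring without any prompt.
function silentlyAdded(oldPerms, newPerms) {
  const disclosed = new Set(categoriesDisclosed(oldPerms, newPerms));
  return addedPermissions(oldPerms, newPerms).filter((p) => !disclosed.has(groupOf(p)));
}

// Constructed update: v1 held coarse location and SMS sending; v2 adds fine
// location and SMS reading (same groups) plus contacts (a new group).
const V1 = ["android.permission.ACCESS_COARSE_LOCATION", "android.permission.SEND_SMS"];
const V2 = [
  ...V1,
  "android.permission.ACCESS_FINE_LOCATION",
  "android.permission.READ_SMS",
  "android.permission.READ_CONTACTS",
];

console.log("added:            ", addedPermissions(V1, V2));
console.log("categories shown: ", categoriesDisclosed(V1, V2));
console.log("silently added:   ", silentlyAdded(V1, V2));
```

Running the block shows that only "Contacts/Calendar" would be surfaced for this update, while the new fine-location and SMS-reading permissions are absorbed into groups the user already accepted; a manifest diff such as `addedPermissions` is the check to rely on rather than the category list.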
