Android Browser flaw a “privacy disaster” for half of Android users

Thanks to a bug in the Android Browser, your cookies aren't safe.

A bug quietly reported on September 1 appears to have grave implications for Android users. Android Browser, the open source, WebKit-based browser that used to be part of the Android Open Source Platform (AOSP), has a flaw that enables malicious sites to inject JavaScript into other sites. That injected JavaScript can in turn read cookies and password fields, submit forms, grab keyboard input, or do practically anything else the victim site's own scripts could do.

Browsers are generally designed to prevent a script from one site from being able to access content from another site. They do this by enforcing what is called the Same Origin Policy (SOP): scripts can only read or modify resources (such as the elements of a webpage) that come from the same origin as the script, where the origin is determined by the combination of scheme (which is to say, protocol, typically HTTP or HTTPS), domain, and port number.

The SOP should then prevent a script loaded from http://malware.bad/ from being able to access content at https://paypal.com/.
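To make the origin rule concrete, here is an added example (not code from the Ars Technica article or from the Android Browser) that builds an origin from a URL's scheme, host and port exactly as the Same Origin Policy defines it and compares pairs of constructed URLs. It relies only on the WHATWG `URL` parser that browsers and Node.js provide; the URLs in `cases` are constructed for illustration, mirroring the article's `http://malware.bad/` and `https://paypal.com/` pair.

```javascript
// Added example: compute a URL's origin (scheme + host + port) and decide
// whether two URLs share an origin under the Same Origin Policy.
function originOf(urlString) {
  const u = new URL(urlString);
  // The parser drops default ports, so https://paypal.com:443/ and
  // https://paypal.com/ yield the same origin; a non-default port is kept.
  // This equals the parser's own u.origin for http and https URLs.
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed URL pairs, each annotated with why the SOP allows or blocks access.
const cases = [
  ['http://malware.bad/',  'https://paypal.com/login',   'scheme and host differ'],
  ['https://paypal.com/',  'https://paypal.com/account', 'same origin; path is irrelevant'],
  ['https://paypal.com/',  'https://paypal.com:8443/',   'port differs'],
  ['https://paypal.com/',  'https://www.paypal.com/',    'subdomain is a different host'],
  ['http://paypal.com/',   'https://paypal.com/',        'scheme differs'],
];

// Returns one result per case so the decisions can be inspected or asserted on.
function evaluateCases() {
  return cases.map(([a, b, why]) => ({ a, b, why, allowed: sameOrigin(a, b) }));
}

for (const r of evaluateCases()) {
  console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'}  ${r.a} -> ${r.b}  (${r.why})`);
}
```

Only the second pair is allowed, which is the guarantee the Android Browser bug breaks: script from `http://malware.bad/` ends up running in the origin of the victim site instead of its own.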


Apple’s two-factor authentication now protects iCloud backups

Apple has put fixes in place to its iCloud cloud storage service that now prevent an attacker from mining data from an iOS device backup stored in the cloud by gaining access to the user’s password—at least if that user has turned on Apple’s new two-factor authentication.

As we reported last week, iCloud previously did not use two-factor authentication to help protect backup data or the Find My iPhone service. This meant that the accounts of victims of social engineering attacks or those who used passwords based on personal data could be harvested of their backup data—allowing the attacker to gain access to photos, call records, SMS records, e-mail, and other personal data. Apple had said that it was moving to provide additional protection through two-factor authentication in advance of the release of iOS 8.

We tried accessing one of the accounts attacked during our testing just prior to the Apple event last week using Elcomsoft Phone Password Breaker, a forensic tool that uses a reverse-engineered version of Apple’s iOS backup protocols to extract backup data from an iCloud account. The account now has two-factor authentication turned on, and the attempt failed—it yielded an unspecified HTTP error.


Adobe Releases Security Updates for Adobe Reader and Acrobat

Original release date: September 16, 2014

Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. Exploitation of these vulnerabilities could potentially allow an attacker to take control of the affected system.

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB14-20 and apply the necessary updates.


Top 3 Phishing Attacks Use Similar Tricks

Phishing scams are immensely popular, and we see millions of phishing messages every day. Today we offer the top three phishing scams that attempt to steal your web mail credentials.

Web Mail Scam

This scam starts with an email that appears to come from Administrator or Helpdesk and requests that you validate or update your account. Clicking on the link in this message will take you to a fake Outlook Web Access login page. This page is generally hosted on sites created with free hosting services. Attackers also upload these fake pages to vulnerable servers running content management systems; either way, the page collects your username and password for the scammers' own malicious use.

WebMail Phish E-Mail Example

iTunes Scam

This attempt starts with an email purporting to be from the Apple Store. The email informs users that their accounts may have been hijacked. Users are asked to click a link and supply information to restore the account.

Those panicked into clicking the link will be taken to a bogus website that looks like a genuine Apple login page. Attackers often use an “apple.com” string in the link to make the link appear legitimate, for example: hxxp://itunes.id.apple.com.example.com/.

iTunes Phish E-mail

Gmail Scam

This Gmail scam is by far the most sophisticated phishing attack. It also starts with an email that urges readers to view an important document on Google Docs. Clicking the link will take them to a fake Google Docs login page.

Recently, attackers used a Google Drive public folder to upload a fake Google Docs login page and then used Google Drive’s preview feature to get a publicly accessible URL to include in their messages. Because the page is hosted on Google’s server and is served over SSL, the page appears more convincing. After discovering the attack, Google has successfully removed the phishing pages, but the attackers are still using other vulnerable servers to upload the fake login page.

It’s quite common to be prompted with a login page when accessing a Google Docs link, and many people may enter their credentials.

Gmail Phish

An ounce of prevention is worth a pound of cure in dealing with phishing. We advise you to watch for such scams and their modus operandi. You can avoid phishing attacks by following these simple steps:

  • Don’t click on links sent via email messages by someone you don’t know
  • Before entering credentials, always check the URL in the browser’s address bar for authenticity
  • Be careful while sharing sensitive personal information over social networking sites
  • Regularly change your account passwords
  • Never share your account credentials over email or text
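The iTunes example above and the advice to check the address bar both come down to one question: which domain actually serves the page? As an added example (not McAfee's code), the function below reads a hostname right to left, as DNS does, and flags a URL whose hostname contains a trusted brand's domain without that brand owning it. The `hxxp://itunes.id.apple.com.example.com/` link is the one quoted in the post; the other URLs and the `brandDomains` list are constructed for illustration. One assumption to note: the registrable domain is taken as the last two labels, which is wrong for multi-label public suffixes such as `co.uk`; production code should consult the Public Suffix List instead.

```javascript
// Added example: determine which domain really serves a link and detect the
// "brand name buried in a lookalike hostname" trick described in the post.

function parseDefanged(urlString) {
  // Security write-ups spell the scheme "hxxp" so the link is not clickable;
  // restore it so the standard URL parser accepts the string.
  return new URL(urlString.replace(/^hxxp(s?):\/\//i, 'http$1://'));
}

// Simplified registrable domain: last two labels of the hostname.
// Assumption for this example only; real code needs the Public Suffix List.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Returns the brand domain that appears inside the hostname without owning it,
// or null when the link is either genuinely the brand's or mentions no brand.
function spoofedBrand(urlString, brandDomains) {
  const host = parseDefanged(urlString).hostname.toLowerCase();
  const owner = registrableDomain(host);
  for (const brand of brandDomains) {
    if (owner === brand) return null;   // served by the brand itself
    if (host.includes(brand)) return brand; // brand string present, someone else owns it
  }
  return null;
}

// Constructed sample links, plus the one quoted in the post.
const brandDomains = ['apple.com', 'google.com'];
const links = [
  'hxxp://itunes.id.apple.com.example.com/',   // from the post: served by example.com
  'https://www.apple.com/',                     // genuine
  'https://docs.google.com/document/d/abc',     // genuine host (see note below)
  'https://docs.google.com.login-check.example/', // constructed lookalike
];

for (const link of links) {
  const hit = spoofedBrand(link, brandDomains);
  console.log(hit ? `SUSPECT ${link} (pretends to be ${hit})` : `ok      ${link}`);
}
```

This catches the lookalike hostname, but not the Gmail case in the post, where the fake login page was genuinely hosted on Google's own server over SSL. A domain check cannot distinguish that page from a real one, which is why the first rule in the list, not following unexpected links at all, still matters.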

McAfee customers are protected against these attacks.

The post Top 3 Phishing Attacks Use Similar Tricks appeared first on McAfee.