Apple Inc has added a security feature across its operating systems to battle hacks into its devices that rely on incoming iMessages. iOS 14 added a new “BlastDoor” sandbox security system to iPhones and iPads to prevent attacks carried out with the Messages app. Apple didn’t share information on the new security addition, but it was explained by Samuel Groß, a security researcher with Google’s Project Zero, and highlighted by ZDNet.
Groß describes BlastDoor as a tightly sandboxed service that’s responsible for parsing all of the untrusted data in iMessages. A sandbox is a security service that executes code separately from the OS, and this one operates within the Messages app. BlastDoor takes a look at all incoming messages and inspects their content in a secure environment, which prevents any malicious code inside of a message from interacting with iOS or accessing user data. The feature has been designed to thwart specific attack types, such as those where hackers used shared cache or brute force attacks. As ZDNet points out, security researchers have been finding iMessage remote code execution bugs over the past few years that could allow an iPhone to be infiltrated with just a text, which BlastDoor should address. Groß found the new iOS 14 feature after investigating a Messages hacking campaign that targeted Al Jazeera journalists. The attack wasn’t working in iOS 14, and investigating why led to his discovery of BlastDoor. According to Groß, Apple’s BlastDoor changes are “close to the best that could’ve been done given the need for backward compatibility,” and will make the iMessage platform significantly more secure.
Those interested in the full rundown on how BlastDoor works can visit the Project Zero blog post on the subject.
A bug bounty hunter claims he has earned a $5,000 reward from Apple for reporting stored cross-site scripting (XSS) vulnerability on iCloud.com. Vishal Bharad, a researcher and penetration tester from India, published a blog post earlier this week describing his findings. Bharad said he had attempted to find cross-site request forgery (CSRF), insecure direct object reference (IDOR), logic bugs, and other types of issues on Apple’s icloud.com website, but ultimately ended up discovering a stored XSS flaw.
Bharad said he reported his findings to Apple in August 2020 and in October the tech giant informed him that the security hole had earned him $5,000.
The researcher has published a blog post detailing his findings, as well as a video showing how an attack worked.
Users of the Android version of a file-sharing app called ShareIt are being warned of vulnerabilities that could allow their data to be leaked to an attacker or their mobile device has taken over. The warning comes from security vendor Trend Micro, which created a proof of concept attack to prove the vulnerabilities. It alerted the app developer, a company called Smart Media 4U Technology, three months ago but has got no response. As a result Trend Micro is releasing its findings now. ShareIt’s site in the Google Play store says the app has been downloaded a billion times.
Hackers continue to find new ways of stealing payment card data from point of sale devices in stores. Security reporter Brian Krebs reported a new one this week: A Bluetooth-enabled device that crooks fit on top of payment card terminals to skim off the data from credit and debit cards. People paying for goods with their cards don’t realize the device has been tampered with. The goal is to copy customers’ PINs, as well as the data on the black stripe on the back of the card.
Then crooks can clone the card. It’s been known for some time that the data on the black stripe can be hacked, so payment card companies are switching to cards with a security chip that has encrypted data. It’s very hard to clone those cards. Fighting back, this new skimmer device blocks the payment terminal from reading the chip, so customers are forced to swipe their cards. Swiping reads the black stripe on the back.
So this discovery is a warning: If for some reason the card reader in a store refuses to let you tap your card or won’t read the chip if you insert it in the bottom of the reader, don’t swipe the card. Either pay cash or say you won’t buy the product. There’s a good chance the card reader has been compromised.