Facebook Messenger, Skype for Mac, and Yahoo all have serious security flaws

Photo caption: A man working at night in an office at a computer on August 08, 2016 in Berlin, Germany. Photo Illustration by Thomas Trutschel/Photothek via Getty Images.

If you have any of these, follow these steps. Especially check Yahoo, since the new disclosure impacts 1 billion people

This week, several reported vulnerabilities across popular social media and email services again illustrated the value of testing for such flaws by experts, and the limits of these mechanisms when there are bigger problems at hand.

Skype

First, Trustwave’s SpiderLabs discovered a vulnerability in Skype for OS X whereby, “A local program could by-pass authentication if they identified themselves as a Skype Dashboard widget program.” Skype insists it doesn’t program backdoors into its platform, but unfortunately this bug effectively acts as one, and the issue has apparently been around for five years without being caught.

Attackers could read notifications and messages, modify content, record calls, access chat, and also pull personal information out through this vulnerability. The Register advises that Mac users “update to version 7.37 or later to steer clear of the security blunder,” as any version before that one presents a risk.

Facebook Messenger

Also this week, Israel-based cyber security consultants BugSec Group and Cynet discovered a vulnerability in Facebook Messenger that “allows attackers to read messages and view photos and other attachments sent by Messenger both from the web and from the mobile application.”

Facebook has now addressed the problem, but the researchers note that the null workaround “also potentially affects millions of websites using origin null restriction checks.”

Users who use Facebook’s secret conversation option, which has end-to-end encryption, were not vulnerable, however.

The “Originull” attack, which can be delivered by code “planted anywhere on an external website controlled by the attacker,” executes a cross-origin bypass. The user does not actually have to click on a fake ad to fall victim: Just being on a website is enough. (Other means could have also been used, such as phishing emails.)

This allows a hacker to redirect the user’s inbox to a website of their choosing, by exploiting the fact that Facebook allows some of its sub-sites access to Messenger. The system normally rejects data requests that don’t carry an authorized header, which serves as a signature verifying that the request comes from within Facebook, but because it also accepts a common stand-in value (null) for that header, it’s possible to trick Messenger into thinking it’s communicating with an authorized party.
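An added illustration of the check the paragraph describes (example code, not from the article, BugSec, Cynet or Facebook): a cross-origin allowlist that treats the placeholder value `null` as a trusted stand-in, beside a hardened version that rejects it. The site names and function names are assumptions.

```javascript
// Added example: weak vs. hardened Origin-header checks for a credentialed
// cross-origin API. Site names are constructed placeholders.
const TRUSTED_ORIGINS = new Set([
  "https://www.example.com",   // constructed: the main site
  "https://chat.example.com",  // constructed: a sub-site allowed to call the API
]);

// Weak check: accepts the literal string "null" as if it were trusted.
// Browsers send "Origin: null" for sandboxed iframes, data:/file: documents
// and some redirects, so it identifies nobody in particular.
function isTrustedOriginWeak(origin) {
  if (typeof origin !== "string") return false;
  return origin === "null" || TRUSTED_ORIGINS.has(origin);
}

// Hardened check: exact match against the allowlist only. "null", a missing
// header and look-alike hostnames are all rejected.
function isTrustedOriginStrict(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  return TRUSTED_ORIGINS.has(origin);
}

// Build the CORS response headers for a credentialed request using the given
// check, or return null (no CORS headers at all) when the origin is untrusted.
// The allowed origin is echoed back; "*" is never used with credentials.
function corsHeadersFor(origin, check) {
  if (!check(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed sample Origin values as a browser would send them.
const SAMPLE_ORIGINS = [
  "https://www.example.com",            // legitimate
  "https://chat.example.com",           // legitimate sub-site
  "null",                               // sandboxed iframe on any page
  "https://www.example.com.evil.test",  // look-alike hostname
  undefined,                            // no Origin header at all
];

// Run both checks over the samples; only the "null" row differs.
function compareChecks() {
  return SAMPLE_ORIGINS.map((o) => ({
    origin: o,
    weak: isTrustedOriginWeak(o),
    strict: isTrustedOriginStrict(o),
  }));
}
```

The weak version answers a null-origin request with `Access-Control-Allow-Origin: null` plus credentials, which is exactly what lets an unrelated page read the response; the strict version sends no CORS headers, so the browser withholds the body.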

For now, stick to Messenger’s secret conversation option, which is encrypted, to avoid this problem.

Yahoo

On the subject of bug bounties, Yahoo has been working to patch problems with malicious JavaScript that can install malware through an email without users needing to take the extra step of opening a link, image, or file. It has paid out twice in the space of a year to a Finnish expert, Jouko Pynnonen, to help redress these issues, but even progress here isn’t diminishing concerns about the security of its users. In 2014, 500 million user accounts were compromised, and now the company reports that a separate attack compromised 1 billion user accounts in 2013, taking “names, email addresses, telephone numbers, dates of birth,” as well as security questions and some passwords.

No bug bounty setup can help the email service here, and the delayed disclosure further inflames an already heated debate over how seriously Yahoo takes its users’ data privacy.

This would be the largest attack of its kind to date, surpassing not just the later 2014 incident but any other breach known to have happened at any other company.

Verizon, which bought Yahoo for $4.83 billion in July, is expected to ask for a discount in the sale price, at a minimum, in light of the disclosure. According to Bloomberg, Verizon may be thinking about walking away from the deal altogether, though Verizon declined to offer any specifics.

If you have ever had a Yahoo account, the company will have emailed you early this morning, advising you to change your password and check any associated accounts for suspicious activity.
