By Jeff Benjamin on Aug 27, 2015
Two days ago, we told you about an attack on jailbroken iPhones that compromised the accounts of some 220,000 iCloud users. New details have since emerged about the breach, that confirm what we initially speculated in the post on Tuesday evening.
The vast majority, if not all of the accounts, were of Chinese origin. On Wednesday morning, I personally confirmed this with someone directly in the know about the attack.
To that extent, a website has been created for potential victims of the attack to see if their account was compromised. That website is in Chinese, further emphasizing the origin and the region that was affected by this recent breach.
In all, there are a whopping 105,275 valid iCloud accounts out of the 220,000 compromised. That means that nearly half of those accounts captured contain active username and password combinations.
As speculated, this was indeed the result of a jailbreak tweak, but it was also self-inflicted, meaning users installed both the repo and the tweak responsible for the intrusion. Read More
By Jeff Benjamin on Aug 25, 2015
It’s a number that’s bound to raise some eyebrows: 220,000 iCloud accounts breached in what is being called a backdoor attack made possible by a malicious jailbreak tweak.
This leak, which was brought to our attention by /r/jailbreak, was reported by a Chinese online vulnerability reporting platform called WooYun. It’s an information security platform where security researchers report vulnerabilities and vendors give feedback. WooYun is a legit site, and it has reported thousands of security related issues in this month alone.
On a post on its website, WooYun details the nature of this particular attack, stating that 220,000 accounts have been compromised as a result of a malicious jailbreak tweak or plug-in. It also states that WooYun has notified vendors—presumably Apple—and are awaiting processing.
It’s sure to make any jailbroken iPhone user take note, but before you get too alarmed, understand that this hack has nothing to do with Apple’s security, and that there appears to be special circumstances in the case of this breach. Read More
By Cody Lee on Aug 13, 2015
In addition to iOS 8.4.1, Apple on Thursday also seeded OS X Yosemite 10.10.5, a free update for Macs. The release comes after two developer betas and a month of testing, and you can find it in the Updates tab of the Mac App Store.
Most notably, the update features a patch for the DYLD privilege escalation bug that was discovered earlier this month. Apple says in the release notes that the software includes fixes for both Mail and Photos apps, as well as QuickTime.
By Christian Zibreg on Aug 5, 2015
A “privilege escalation” bug plaguing Apple’s OS X desktop operating system will be patched in the next security update that the company is working on as we speak, a company spokesperson said today.
The Guardian newspaper reported that a fix for the dangerous zero-day vulnerability, known as DYLD, will be patched before OS X El Capitan releases for public consumption this fall. Read More
By Christian Zibreg on Jul 8, 2015
At WWDC, Apple has made a promise to step up security with native two-factor authentication in iOS 9 and OS X El Capitan. Before today, the feature was unavailable on iOS 9 betas prior to beta 3.
But with today’s release of iOS 9 beta 3, the new system has made its debut, with some users offered the option to upgrade their Apple ID to use the new two-factor authentication.
Here’s what you need to know about this new system, how it increases your security and how it’s different from Apple’s existing two-step verification process. Read More
By Jeff Benjamin on Jul 7, 2015
Now that Amazon Payments is no longer an option for purchases in Cydia, users are forced to use PayPal, at least for the time being. Saurik has noted that he plans on offering an alternative to Cydia, but until that day comes, users are forced to use PayPal.
The problem with PayPal, is that you cannot make a payment via Cydia if you have 2 Factor Authentication (2FA) enabled on your PayPal account. You’ll simply receive an error message stating that you need to add your security key to the end of the password in order to login. This, unfortunately, doesn’t work, leaving users who haven’t set up the initial auth with PayPal unable to purchase Cydia tweaks.
This issue is due to the mobile PayPal interface presented while inside Cydia. If you can bring your authorization outside of Cydia and into mobile safari, you can invoke the desktop interface and login to PayPal that way. Thankfully, a new jailbreak tweak makes this easy. Read More
By Jeff Benjamin on Jul 2, 2015
After a false start earlier this morning with an update to its iOS 8.4 jailbreak tool, TaiG has officially released version 2.2.1.
This update is security oriented, as it contains the setreuid patch to prevent applications from obtaining to root privileges through setreuid. The update also contains stability improvements. If you’ve yet to jailbreak your iOS 8.4 device, it is recommended that you use this latest version of TaiG’s tool, version 2.2.1. Read More
By Jeff Benjamin on Jun 23, 2015
Jailbreakers Nikias Bassen (Pimskeks) and Melissa Archer have teamed up for a new security-oriented jailbreak tweak called Blocked. Released at WWJC 2015, Blocked brings two new operation modes to the iPhone for enhanced security.
The two modes, SleepMode and GuestMode, each work to block access to certain features. By using Activator gestures, users can quickly and stealthily enter either mode to beef up device security.
Watch our video walkthrough inside to see how to the tweak works. Read More
By Christian Zibreg on Jun 22, 2015
A cross application resource attack (XARA) that researchers at Indiana University, Georgia Tech and China’s Peking University publicized last week seems to have been partially addressed as Apple issued a server-side fix on the Mac App Store to block malicious apps and secure app data.
Additional fixes are in the works for the XARA exploits on both iOS and OS X, a company spokesperson told iMore. XARA exploits allow malicious apps to steal iCloud credentials of a user, access private data in apps like 1Password and Evernote, hijack their iCloud Keychain passwords and more. Read More
By Christian Zibreg on Jun 17, 2015
Your confidential information ranging from web passwords in Chrome and other browsers to app passwords to banking credentials stored and synced between devices though Apple’s iCloud Keychain service—even data you thought was stored safely in password managers like 1Password and LastPass—can be easily compromised due to a trio of major vulnerabilities discovered in Apple’s desktop and mobile operating systems.
As discovered by a team of researchers at Indiana University, Georgia Tech and China’s Peking University and reported by The Register, Keychain’s access control lists, URL schemes and OS X’s app containers contain flaws creating serious attack vectors. Read More
By Cody Lee on Jun 10, 2015
Good news today for jailbreakers who are hoping to update to iOS 9 this fall. Speaking with Forbes’ Thomas Fox-Brewster, Liang Chen of the elite hacking group Keen Team says they’re eyeing the firmware to release their first ever jailbreak.
Right now, Chen says the team is prodding the recently released iOS 9 developer beta, and may even reach out to the well-known Pangu Team for assistance. “We want to release it just after iOS 9, that’s our plan,” he told Forbes. “It depends how lucky we are.” Read More
By Christian Zibreg on Jun 10, 2015
A serious bug in Apple’s stock Mail application for iPhone, iPod touch and iPad permits attackers to fool users into providing their iCloud credentials.
Such phishing attacks can be devastating as iCloud increasingly becomes home for our digital life in the Apple universe, including our photo libraries, notes, contacts and other personal data.
The scam takes advantage of an exploit in the Mail application that makes it easy to deliver convincing-looking pop-ups resembling iCloud password prompts through a simple email message, The Register reported Wednesday.
While such emails look like they’re coming from a real company, they’re spoofed and once an unsuspecting user opens them on their iPhone, iPod touch or iPad running iOS 8.3, the operating system will execute malicious HTML content embedded inside. Read More
By Christian Zibreg on Jun 8, 2015
Activation Lock, Apple’s theft-deterrent feature available on iPhone, iPod touch and iPad devices running iOS 7 or later, will be available on the Apple Watch this fall, courtesy of the free watchOS 2 software update announced earlier this morning during the Worldwide Developers Conference keynote talk.
It was previously discovered that the Apple Watch lacks this necessary security feature to dissuade thieves due to the limitations in its software and its dependency on iPhone for network connectivity. Read More
By Cody Lee on Jun 2, 2015
Tim Cook took time out of his busy schedule yesterday to talk about privacy with folks attending EPIC’s Champions of Freedom event in Washington. EPIC, a non-profit research center focused on emerging privacy issues, was honoring the CEO for his superior “corporate leadership.”
Cook addressed attendees via a remote video feed, and spoke about a number of topics regarding privacy, security and what they mean to Apple versus other Silicon Valley tech giants. TechCrunch has a transcription of the speech, and he takes quite a few jabs at Facebook and Google. Read More
By Jeff Benjamin on May 28, 2015
Google’s annual I/O conference is currently going on in San Francisco, and as expected, Android M, its latest update to Android, was officially unveiled. Although lots of new features will be packed in with Android M, six of those features were brought to the forefront during the beginning of the I/O keynote.
Google states that Android M is rethinking fundamental aspects of how the platform has worked for years, and focuses on polish and quality and improving the core user experience. From what we’ve seen thus far, we’d have to agree.
The following six areas—App Permissions, Web Experience, App Links, Android Pay, Fingerprint Support, and Power & Charging—were specially highlighted as new features for Android M. What do these new features mean for Android and the future of mobile? Read More
By Christian Zibreg on May 25, 2015
The National Security Agency’s (NSA) bulk phone metadata collection program should come to an end on June 1 at 5pm Eastern time as the Obama administration has reportedly decided not to ask a secret court for a 90-day extension of Section 215 in the Patriot Act, an administration official confirmed to The Guardian on Saturday.
The controversial program was established as an effective, secret means of siphoning user data, not just from carriers but also from major technology companies like Apple, AT&T, Google, Verizon, and Microsoft, with or without their willing participation. Read More
By Jeff Benjamin on May 22, 2015
Recent reports are claiming that Apple’s upcoming iOS update—iOS 9—will make it more difficult to jailbreak iPhones and iPads going forward. Some are even stating that it will be nearly impossible to jailbreak an iPhone running iOS 9.
The reason? Rootless—the kernel-level security feature that was discussed earlier today. This new feature is said to prevent malware, increase the safety of extensions and preserve the security of sensitive data.
When it’s all said and done, Apple’s security efforts in iOS 9 appear to be its most prolific since iOS 5. It could make it more of a challenge for jailbreakers and hackers.
But impossible? There’s nothing that’s impossible when it comes to security. More difficult? Perhaps. More challenging? Maybe. But impossible? Read More
By Christian Zibreg on May 19, 2015
In the refreshed iOS Security Guide, Apple has for the first time detailed security technologies pertaining to the Apple Watch.
As it turns out, the wrist-worn device borrows the many security features and technology built for iOS, including hardware-encrypted storage and data protection, keychain access control, protection of wireless data exchange with its paired iPhone and much more. Read More
By iDB Deals on May 19, 2015
An all-in-one solution for online privacy, Blur protects you from credit card fraud, identity theft, and third-party monitoring. Get a lifetime subscription to Blur from iDownloadBlog Deals today for just $49.99. Read More