Hacking

Major security flaws leave iOS and OS X vulnerable to wide-ranging password theft

Your confidential information, ranging from web passwords in Chrome and other browsers to app passwords to banking credentials stored and synced between devices through Apple's iCloud Keychain service—even data you thought was stored safely in password managers like 1Password and LastPass—can be easily compromised due to a trio of major vulnerabilities discovered in Apple's desktop and mobile operating systems.

As discovered by a team of researchers at Indiana University, Georgia Tech and China's Peking University and reported by The Register, Keychain's access control lists, URL schemes and OS X's app containers contain flaws creating serious attack vectors.

Hackers find easy way to steal large sums of money through Starbucks app

Hackers are stealing money from users' credit cards, banks, and PayPal accounts through the Starbucks mobile app, the coffee giant confirmed to CNN on Tuesday.

The app, which lets users pay at checkout and reload Starbucks gift cards, has an auto-reload function that makes it easy for hackers to take money from users without needing any account numbers.

Geohot joins elite team of hackers for Google’s Project Zero

Since wunderkind George Hotz, better known as Geohot, first made a name for himself by hacking the iPhone at age 17, he's bounced around to several projects. He hacked the PlayStation, did some work for Facebook, and more recently popped up in Android land.

His latest gig is an internship for Google's Project Zero—a team of elite hackers tasked with finding and eradicating serious software vulnerabilities. Back in March Geohot won $150K for exposing Chrome exploits, and it seems the Mountain View company took notice...

iCloud hackers who held iOS devices ransom detained in Russia

The Sydney Morning Herald reports that Russian authorities have detained two young hackers for hijacking iOS devices through iCloud and holding them ransom for payment. The suspects, both residents of the Southern Administrative District of Moscow, are a 23-year-old named Ivan and an unnamed 17-year-old who served as his accomplice.

Russia's Ministry of Internal Affairs announced on Monday that the hackers were detained during the course of "operational activities" by the Russian Interior Ministry. The hackers were caught on closed-circuit TV after attempting to withdraw ransom payment from an ATM. The ministry also noted that one of the suspects has already been tried before…

Hackers caught using EA Games servers to phish for Apple IDs

According to a new report from security research firm Netcraft, Electronic Arts' servers have been compromised. Two websites from the video game publisher's domain have been hacked and are now hosting phishing pages set up to steal Apple ID and credit card information.

It works like this: when a potential victim arrives at one of the pages, they are asked to enter their Apple ID and password. Once completed, they're taken to a second page which asks for personal details and credit card info, and then redirected to the official Apple ID website...

Snapchat apologizes (yes, apologizes!) for spam increase following data breach

Perhaps realizing that apologizing isn’t a sign of weakness, Snapchat, the popular photo messaging application, took to the official blog to apologize for the spam increase observed during the weekend.

"We’ve heard some complaints over the weekend about an increase in Snap Spam on our service," a Monday post reads. The company has tried to make peace with disgruntled users by offering a formal apology. "We want to apologize for any unwanted Snaps," the team wrote.

The spam increase, the post claims, has nothing to do with a recent breach that saw a group of hackers breach its database and post 4.6 million user names and phone numbers on the web...

Snapchat is ‘sorry’ for data breach, strengthens mobile app security

Snapchat has found itself in some pretty hot water after a group of anonymous hackers on New Year's Eve breached its database and leaked 4.6 million usernames and phone numbers on the web. The controversy wasn't necessarily about the security breach itself, but over Snapchat's stubborn refusal to publicly acknowledge the situation, apologize for the inconvenience and update customers on steps taken, if any, to rectify the situation.

It's mind-boggling that Snapchat was aware of a security hole in its API for several weeks yet did absolutely nothing to plug it, an inexplicable move that has in turn allowed the hackers to successfully exploit Snapchat's shortcomings and steal user data.

Today, the company has finally gone on the record to confirm that a new update to its Android and iOS apps improves security by letting folks opt out of the Find Friends feature which has, partially, allowed for the hack.

And although the company has yet to formally apologize for the messy handling of the situation, it now says it's "sorry" for any problems this issue may have caused its users...

Hackers leak 4.6M Snapchat usernames and phone numbers, see if you’ve been affected

Bad news, Snapchat fans: a group of anonymous hackers have successfully exploited a nasty security hole in the popular IM application to hijack a whopping 4.6 million usernames and phone numbers, publishing this private data on a website called SnapchatDB.info.

The circa 40MB SQL database dump (also available as a CSV file) includes phone numbers and usernames, along with the affected users' geographical region information.

Why did they do it? The leaked private information “is being shared with the public to raise awareness” of a Snapchat API exploit they'd used for the hack.

Snapchat has been aware of the security loophole in its application since August, but did literally nothing to patch it. Is there a way to see if you've been affected? Yes, there is. Read on for the full reveal...

Evad3rs to present at HITBSecConf2013 in Amsterdam

The evad3rs are probably one of the hottest tickets around right now on the mobile security circuit. The four hackers were able to overcome Apple's highly regarded security systems in iOS 6, to provide us with the evasi0n jailbreak.

Well, good news for those of you who will be in Amsterdam between the dates of April 8 - 11. The team will be giving a presentation at the Hack in the Box Security Conference in the country, at the Okura Hotel. More details after the fold...

Pod2g, MuscleNerd and others to take part in HITB discussion panel

Hot on the heels of last week's JailbreakCon convention, another event is set to take place on October 11th featuring some prominent members of the jailbreaking community.

On October 11th, in Kuala Lumpur, Malaysia, MuscleNerd, pod2g and other well-known hackers will take part in a discussion panel at this year's Hack in the Box conference...

iPhone 4S hacked using Safari exploit in Pwn2Own contest

Users of Apple's iPhone and other iOS devices enjoy a fairly high level of security. In the past five years, the platform has only seen a handful of malware scares, and MIT says it recently crossed a "significant" threshold in security.

But all of that security couldn't stop the iPhone 4S from getting hacked today at the Pwn2Own contest in Amsterdam. A group of Dutch security researchers gained remote access to the handset in seconds with a Safari exploit...