Hacking, Security & Privacy News - Page 1
TikTok is facing many questions regarding its data security after rumors began circulating about its source code becoming compromised.
Bloomberg reported that several cyber security analysts took to Twitter on Monday to inform the public about a potential security breach in TikTok's source code. This security breach was traced to TikTok's data storage that the analysts claim contained personal account information on users, which led them to deem the purported breach a "high-severity vulnerability". The security breach was found in TikTok's Android application and would have allowed attackers to "compromise users' accounts with a single click".
On September 3, posts surfaced on the Breach Forums message board where a hacker wrote that the server contains 2.05 billion records in a humongous 790GB database. These rumors were followed by a tweet from hacking group BlueHornet, whose account has seemingly been suspended by Twitter after this story gained traction. The tweet read, "Who would have thought that TikTok would decide to store all their internal backend source code on one Alibaba Cloud instance using a trashy password?".
Reports indicate that several Russian soldiers have been baited by hackers using fake accounts of attractive women.
A new report from the Financial Times delves into a group of hackers called Hackyourmom that was founded by Nikita Knysh, a 30-year-old IT professional from Kharkiv, a northeastern city in Ukraine. Knysh informed the publication that he wanted to assist his country during the invasion and decided to form a group that consists of thirty hackers from various locations across Ukraine.
The founder of the group stated that last month he and his fellow hackers were able to gather the locations of several Russian soldiers in Melitopol by pretending to be attractive women on several social media platforms. The hackers communicated with Russian soldiers for quite some time, eventually convincing them to send photos of themselves on the front line, which immediately gave the hackers enough information to discern an approximate location.
Hackers have disrupted the flow of traffic in Moscow, Russia, by ordering dozens of taxis to what is ordinarily considered to be a lightly trafficked road.
VICE reports that the group of hackers infiltrated the ride-hailing app Yandex Taxi to order taxis to Kutuzov Prospect in Moscow on Thursday. The hacking was confirmed by a Yandex spokesperson who said that on the morning of September 1, the ride-hailing service detected a hacking attempt that sent several dozen taxi drivers an order to fill in the Fili district of Moscow. Notably, the Fili district is right outside of Moscow city center and is a typical road used to enter the city center.
Moscow is no stranger to traffic jams, as the city ranks as one of the worst in the world for them. Additionally, the Yandex spokesperson said that the initial security breach was fixed in less than an hour and that improvements have been made to the system to prevent future attacks. On September 3, the Anonymous TV Twitter account, an account affiliated with the notorious hacking group Anonymous, took to Twitter to "confirm" that Anonymous carried out the attack on Yandex Taxi in cooperation with the IT Army of Ukraine.
Twitter has been discovered to have a major flaw that has reportedly exposed account data of millions of users, including celebrities and companies.
A cybersecurity expert who goes by the name Zhirinovskiy took to the HackerOne forum in January to report a vulnerability within Twitter's login pipeline. According to the report, the vulnerability was a gaping hole within the platform's cybersecurity, and within just a few days, Zhirinovskiy was able to successfully infiltrate and discover Twitter accounts linked to specific numbers and email addresses. Zhirinovskiy explained that a malicious party could easily find an individual's Twitter account with a phone number or email address.
Zhirinovskiy contacted Twitter support about the security flaw, which was found in Twitter's Android app, and was awarded a $5,040 bug bounty for the discovery. A patch was rolled out that fixed the major issue, but according to Restore Privacy, it was already too late, as a malicious individual who uses the username "devil" had already exploited the flaw and scraped 5,485,636 Twitter accounts. The swath of data was then thrown onto the dark web hacking community forum 'Breached Forums', where the lister claimed that the data included users that "range from Celebrities to Companies, randoms, OGs, etc."
North Korea has stepped up its hacking game as cybersecurity firms drop a warning about new never-before-seen malware that infects Gmail accounts.
According to reports, cybersecurity firm Volexity has detected North Korean hackers using simple browser extensions to gain access to individuals' Gmail accounts. The cybersecurity firm has warned that the malware is different from the usual "spear phishing" techniques that would require users to agree to download infected software, as the new malware is capable of downloading itself on an individual's PC without the user even knowing it's happening.
Volexity wrote to Ars Technica and said that the malware is called SharpTongue and that it's currently only affecting Windows users. However, the cybersecurity firm's president, Steven Adair, has warned that there is a big possibility of macOS and Linux users also being targeted. Reports indicate that the North Korean state likely backs the hacking group and that it targets users in the US, Europe, and South Korea who are working on topics involving North Korea.
You may have heard about the Vault 7 leaks from WikiLeaks back in 2017, which I reported on back then... a cache of tools and exploits that the US government-funded CIA (Central Intelligence Agency) uses to hack into everyone's computers, iPhones and Android devices, Samsung smart TVs and more.
Well, a jury in New York convicted 33-year-old ex-CIA engineer Joshua Schulte on 9 charges over what has now become the single largest leak in CIA history. Schulte worked inside of the Operations Support Branch (OSB) of the CIA, where he reportedly built hacking tools, turning prototypes that he was working on into real exploits that were capable of monitoring, or stealing information from, the device that they were on.
Investigators secured evidence against Schulte through holes in his own personal security: the ex-CIA engineer stored the passwords for his accounts on his phones, and investigators then used them to access his encrypted storage.
A group of hackers has announced that a digital war has begun on anti-abortion states, with gigabytes of data reportedly already stolen.
The hacking group is called SiegedSec and, according to reports, has in the past concentrated on stealing/destroying portions of user data held by private companies. The group announced on its Telegram that it will be launching attacks against government bodies and organizations that don't hold their pro-choice views. Notably, the group declared that they are "pro-choice" and "one shouldn't be denied access to abortion".
Adding to the announcement, the group said that it has already hacked government servers in Arkansas and Kentucky, claiming that they have already stolen approximately 8 gigabytes of data that contains government workers' personal information. Taking to Telegram, SiegedSec declared that the attacks will continue and that their targets are any "pro-life entities", which will include any government servers within states that have anti-abortion laws.
Virginia Beach Police Department (VBPD) officers have apprehended two men responsible for illegally accessing gas pumps and selling the gasoline for cheap.
Officers responded to suspicious activity at a closed Citgo gas station, where several vehicles and people had gathered and were pumping gasoline. Their investigation revealed that individuals used devices to allow them to pump gas of their own accord and sell it to others at a discounted rate.
The suspects responsible, by the names of Rashane Griffith and Devon Drumgoole, both from Norfolk, were charged with Grand Larceny, Conspiracy, and Possession of Burglary Tools. They advertised their operation on social media to potential customers, allowing them to come and purchase gas through a smartphone application.
US researcher Christopher Balding has said that he has evidence that China is siphoning data from Americans' smart coffee machines.
IoT home appliances have absolutely ballooned in popularity and use over the last few years, with Balding's new report at New Kite Data Labs adding that China spying on Americans through smart coffee machines isn't the worst of it -- it's the issue with the always-connected, connect-everything, Internet of Things future we're living in.
The data collection from coffee machines is part of a larger effort by China, and I'm sure many other countries -- all behind the US and its alphabet agencies of course -- with low security and data policies that aren't clear to most people. Balding said: "China is really collecting data on really just anything and everything. As a manufacturing hub of the world, they can put this capability in all kinds of devices that go out all over the world".
A paper on Bluetooth signal tracking titled "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices" was recently presented at the IEEE Security & Privacy conference in Oakland, California, on May 24th, 2022.
Researchers from the University of California San Diego have found Bluetooth Low Energy (BLE) signals are constantly emitted by mobile devices, generating a unique fingerprint that attackers can use to track an individual's movements. This covers smartphones, smartwatches, and fitness trackers, all of which transmit roughly 500 "Bluetooth beacons" per minute.
The unique fingerprint results from minute manufacturing imperfections in device hardware, which uniquely distort the Bluetooth signal, allowing attackers to bypass anti-tracking techniques like constantly changing network addresses. Across their experiments, the researchers found that 40%-47% of devices were uniquely identifiable, and they could track a volunteer as they left their residence.