background preloader

Public vulnerabilities

Facebook Twitter

Your Mac, iPhone or iPad May Have Left the Apple Store With a Serious Security Risk. Just over a year ago to the day, my wife and I walked into the Apple store in Sydney’s CBD and bought her a shiny new MacBook Air.

Your Mac, iPhone or iPad May Have Left the Apple Store With a Serious Security Risk

Macs weren’t familiar territory for us so we happily accepted the offer for a staff member to walk us through some of the nuts and bolts of OSX. That was a handy little starter and we left the store none the wiser that the machine now had a serious security risk that wouldn’t become apparent for another year. A couple of weeks ago I wrote about my new favourite device, the Wi-Fi Pineapple.

Despite its friendly tropical name, the Pineapple is a piece of cigarette-pack-sized professional security equipment I picked up online for $100 to help me demonstrate secure coding practices. Specifically, it’s helping me educate web developers about the risk of not using encryption between browsers and the websites they’re communicating with, something that needs to be built into the design of the site itself.

You didn’t know this could happen? The “Apple Demo” conundrum. Taking Steps To Protect Our Members. It is of the utmost importance to us that we keep you, our members, informed regarding the news this week that some LinkedIn member passwords were compromised.

Taking Steps To Protect Our Members

We want to reiterate that we sincerely apologize for the inconvenience this has caused our members. From the moment we became aware of this issue, we have been working non-stop to investigate it. While we continue to learn more as a result of our ongoing investigation, here is what we know now: Yesterday we learned that approximately 6.5 million hashed LinkedIn passwords were posted on a hacker site. Most of the passwords on the list appear to remain hashed and hard to decode, but unfortunately a small subset of the hashed passwords was decoded and published.

To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event. We’re a Java Shop,We’re Not Going to Get Hacked… We Recommend These Resources This article is another in a series of articles associated with our Executive Brief.

We’re a Java Shop,We’re Not Going to Get Hacked…

To access the executive brief, “Addressing Security Concerns in Open-Source Components,” visit Facebook and MySpace security: backdoor wide open. Facebook and MySpace fixed this quickly after being notified.

Facebook and MySpace security: backdoor wide open

As a application developer on Facebook, I usually run into certain walls that limit my application functionality. But I don't give up easily, and only recently I found a solution to one of my function limitations. Surprisingly, when looked into more carefully my solution allowed full access and control to the Facebook user account that accessed my application. Did I mention this would also be untraceable since exploit actions would happen from the users IP and own domain cookie?

Lets walk through it along some clarifying images. In certain cases this could limit a flash application capabilities. While indeed Facebook locked the front door from any non-facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access it's domain data:. A huge problem that leads to full access and control of a user account whom has "auto login" enabled, and who hasn't?

I got Facebook phished « Roman Kennke's Blog. Today I received a Facebook notification that a friend of mine sent me a message.

I got Facebook phished « Roman Kennke's Blog

She was asking if that was my picture and a link. I quickly sanity checked the link as I always do in emails, and yes, the link was indeed a valid Facebook internal link, so I thought of nothing bad. The site turning up at first looked a bit suspicious, but a splitsecond later it was all Facebook. The stylesheet probably took a while to load, after all it’s Sunday evening and everybody’s surfing facebook now. It was asking me for login, I haven’t logged into Facebook for a long time as I’m not really using it, so there you go. This was the tipping point for me.