Weekly digest #12

1. A Facebook Messenger Flaw Could Have Let Hackers Listen In

https://www.wired.com/story/facebook-messenger-bug-bounty/

Popular social network Facebook has its own bug bounty program, and this year they are paying out two of its three most considerable rewards ever—including $60,000 for a bug in Messenger. This critical bug could have allowed an attacker to call you and start listening to your end before you picked up.

This critical vulnerability, which is now patched, could have been exploited on Facebook Messenger App for Android devices. If a hacker simultaneously called a target and sent them a specially crafted, hidden message to trigger the attack. From this point, the hacker would start hearing audio from the victim’s end of the call, even if the victim didn’t answer.

This critical vulnerability would have been difficult to exploit in practice for a few reasons. It required that both the hacker and target be logged into Facebook App for Android and that the victim also be logged into Messenger in a web browser or some other way.

2. Malicious npm packages caught installing remote access trojans

https://www.zdnet.com/article/malicious-npm-packages-caught-installing-remote-access-trojans/

It`s not the first problem with npm packages. A couple of years ago, a similar case was when a hacker had the opportunity to upload malicious code that collected credit card data. Thousands of websites were affected then. Now the security team has worked much faster. But don`t you think that this has become commonplace.

This Monday, the security team behind the “npm” repository for JavaScript libraries removed two npm packages containing malicious code. This malicious code installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects.

Two packages were affected by this attack jdb.js and db-json.js. These two packages were created by the same author and described themselves as tools to help developers work with JSON files typically generated by the database applications.

Both were uploaded on the npm package registry last week. They were downloaded more than 100 times before their malicious behavior was detected.

3. iPhone Bug Allowed for Complete Device Takeover Over the Air

https://threatpost.com/iphone-bug-takeover-over-the-air/161748/

iPhone critical vulnerability that allows the attacker to take over the device. The radio-proximity exploit of a memory corruption bug that was patched in May.

Details tied to a stunning iPhone vulnerability were disclosed by noted Google Project Zero researcher Ian Beer. Apple already patched the vulnerability earlier this year. But few details, until now, were known about the bug that could have allowed a threat actor to take over any iPhone within a nearby vicinity completely. This attack could have been performed over the air without even interacting with the victim’s device.

Specifically, he could remotely trigger an unauthenticated kernel memory corruption vulnerability that causes all iOS devices in radio-proximity to reboot, with no user interaction.

4. Android Messenger App Still Leaking Photos, Videos

https://threatpost.com/android-messenger-app-leaking-photos-videos/161741/

Once again, we want to remind you that you should not give absolute rights to mobile applications. There is always a temptation to collect user data. GO SMS Pro is no exception.

This popular app has been downloaded 100 million times. At this moment, Darkweb websites are actively sharing videos and images of stolen data from GO SMS.

The GO SMS Pro Android app has published two new versions on Google Play since a significant security weakness was disclosed in November – but neither fixes the original issue. That’s why 100 million users are at risk for privacy violations.

That’s according to Trustwave SpiderLabs, which initially discovered a security issue that can be exploited to publicly expose private voicemails, video messages, and photos sent using the popular messenger app.

5. China’s Baidu Android Apps Caught Collecting Sensitive User Data

https://thehackernews.com/2020/11/baidus-android-apps-caught-collecting.html

The most popular two Android apps from Chinese tech giant Baidu were temporarily unavailable on the Google Play Store in October. These apps were Baidu Maps and Baidu Search Box. They were caught collecting private and sensitive user data.

They have collected device identifiers. The International Mobile Subscriber Identity (IMSI) number or MAC address, without users’ knowledge, these metrics were making them potentially trackable online.

They also collected a lot of other things like phone model, screen resolution, phone MAC address, carrier (Telecom Provider), network (Wi-Fi, 2G, 3G, 4G, 5G), Android ID.