October 17, 2018
Donald Daters app for pro-Trump singles exposes users’ data at launch
By Lisa Vaas
Donald Daters, a new dating app that promises to “make dating great again”, has instead leaked its users’ data.
On its first day.
The app, available on Apple and Android, went live on Monday morning and Fox News reported that Donald Daters is “open to everyone.” Unfortunately, Donald Daters turned out to be open in ways you really don’t want your app to be.
After Fox’s report was widely picked up by other media outlets, French security researcher Baptiste Robert – who also goes by the Mr. Robot-inspired handle Elliot Alderson – discovered that the app was exposing user information in an open database, including biographical details such as user names and profile photos. It was also exposing what could have been tokens for session IDs that would allow attackers to log into people’s accounts and private messages.
Read more at https://nakedsecurity.sophos.com/2018/10/17/donald-daters-app-for-pro-trump-singles-exposes-users-data-at-launch/
US embassy accidentally emails invitation to ‘cat pajama-jam’ meeting
By Louisa Hardwick
Canberra’s US embassy accidentally exposed details of one of its more enticing get-togethers last week, after an employee distributed a meeting invite to an undisclosed number of email recipients, The Guardian reported.
Gavin Sundwall, US Mission to Australia public affairs counsellor, was, however, unperturbed by what he claimed was a “training error”:
Sorry to disappoint those of you who were hoping to attend this ‘cat pajama-jam’ party, but such an event falls well outside our area of expertise. It was a training error made by one of our new staff testing out our email newsletter platform.
The email – entitled “Meeting” – featured an attractive tabby cat relaxing on the sofa in a Cookie Monster-style onesie, with a plate of delicious edibles on his or her lap.
Sundwall also said that they would be employing “strong new management controls” to prevent a repeat of the mistake.
Read more at https://nakedsecurity.sophos.com/2018/10/16/us-embassy-accidentally-emails-invitation-to-cat-pyjama-jam-meeting/
How Chrome and Firefox could ruin your online business this month
By Paul Ducklin
Chrome 70 comes out today.
Most people who use Google’s popular browser will receive the update, and either won’t realise or won’t especially care about the changes it contains.
Next Tuesday, Firefox 63 will be released, and much the same thing will happen for users of Mozilla’s browser.
But one of the changes common to both those products, which have a huge majority of the market share amongst laptop users, may matter very much to a small but significant minority of website operators.
Chrome 70 and Firefox 63 will both be disowning any web certificates signed by Symantec.
From this month, anyone with Chrome or Firefox who browses to a web page “secured” with a Symantec certificate will see an unequivocal warning insisting that the site is insecure.
Read more at https://nakedsecurity.sophos.com/2018/10/16/how-chrome-and-firefox-could-ruin-your-online-business-this-month/
Google using lock screen passwords to encrypt Android Cloud backups
By Lisa Vaas
Google’s got your back when it comes to your backups, it says – and it’s even promising to keep its own peepers off the goods.
On Friday, Google announced that it’s brokered a marriage between Android’s Backup Service and Google Cloud’s Titan Technology to keep your backups encrypted so that even the Googlemeister itself can’t decrypt your stuff.
It’s using its newish Titan security to do that. Rolled out in July, Titan technology includes a tiny USB device – a Yubico-esque security key that offers hardware-based two-factor authentication (2FA) for online accounts to keep them from getting hijacked.
In the case of Android backups, starting with its ninth operating system – that would be Android Pie, released in August – Android devices can take advantage of the new encryption by way of a decryption key that will be randomly generated on the device. The decryption key is encrypted using the user’s lock screen PIN/pattern/passcode, which Google doesn’t know.
Read more at https://nakedsecurity.sophos.com/2018/10/16/google-using-lock-screen-passwords-to-encrypt-android-cloud-backups/
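The backup design described above (a random key generated on the device, wrapped under a key derived from the lock-screen secret that Google never sees), as an added Go example that is not Google's or Android's code: it assumes AES-256-GCM for both layers and uses a single SHA-256 in place of the slow key derivation and Titan hardware rate limiting the real design relies on, so the PIN-guessing resistance of the actual service is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Backup is all the cloud stores: salt, DEK sealed under the PIN key, payload sealed under the DEK.
type Backup struct{ Salt, WrappedDEK, Ciphertext []byte }

// kekFromPIN derives the key-encryption key from the lock-screen PIN. A single SHA-256
// stands in (assumption for this example) for the slow KDF plus hardware rate limiting a real design needs.
func kekFromPIN(pin string, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	return sum[:]
}

// random returns n CSPRNG bytes; crypto/rand.Read never returns an error on Go 1.24+.
func random(n int) []byte { buf := make([]byte, n); rand.Read(buf); return buf }

// seal prefixes a fresh nonce to the AES-256-GCM ciphertext; open reverses it and fails
// closed on a wrong key or tampered data instead of returning garbage.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, so no error
	gcm, _ := cipher.NewGCM(block)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// MakeBackup runs on the device: a random DEK seals the payload and the PIN-derived
// KEK wraps the DEK. Only the Backup struct is uploaded; the PIN never is.
func MakeBackup(pin string, payload []byte) *Backup {
	salt, dek := random(16), random(32)
	return &Backup{Salt: salt, WrappedDEK: seal(kekFromPIN(pin, salt), dek), Ciphertext: seal(dek, payload)}
}

// RestoreBackup needs the PIN to unwrap the DEK; a wrong PIN is rejected, not decrypted.
func RestoreBackup(pin string, b *Backup) ([]byte, error) {
	dek, err := open(kekFromPIN(pin, b.Salt), b.WrappedDEK)
	if err != nil {
		return nil, errors.New("wrong PIN or corrupted backup")
	}
	return open(dek, b.Ciphertext)
}
```

Because the wrapped key is authenticated, a wrong PIN or a tampered upload fails outright rather than producing a plausible-looking but garbled restore.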