Jack’d dating app is showing users’ intimate pics to strangers

By Lisa Vaas

Dating/hook-up app Jack’d is publicly sharing, without permission, photos that users think they’re sharing privately.

The Android version of the app has been downloaded 110,562 times from Google’s Play store, and it’s also available on iOS.

Jack’d is designed to help gay, bi and curious guys to connect, chat, share, and meet on a worldwide basis. That includes enabling them to swap private and public photos.

But as it turns out, what should be its “private” photos… aren’t.

Unfortunately, as the Register reported on Tuesday, anyone with a web browser who knows where to look can access any Jack’d user’s photos, be they private or public – all without authentication or even the need to sign in to the app. Nor are there any limits in place: anyone can download the entire image database for whatever mischief they want to get into, be it blackmail or outing somebody in a country where homosexuality is illegal and/or gays are harassed.

The finding comes from researcher Oliver Hough, who told the Register that he reported the security bug to the Jack’d programming team three months ago. Whoever’s behind the app hasn’t yet supplied a fix for the security glitch, which the Register has confirmed.

Read more at https://nakedsecurity.sophos.com/2019/02/06/jackd-dating-app-is-showing-users-intimate-pics-to-strangers/

Firefox 66 will silence autoplaying web audio

By John E Dunn

Quieter web browsing is finally within reach for users of Mozilla’s Firefox.

It’s been on the to-do list for a while, but a new blog by the company has confirmed that from Firefox 66 for desktop and Firefox for Android, due on 19 March, media autoplay of video or audio will be blocked on websites by default.

According to Mozilla’s developer blog, this means:

We only allow a site to play audio or video aloud via the HTMLMediaElement API once a web page has had user interaction to initiate the audio, such as the user clicking on a ‘play’ button.

Until the user does something to initiate a video or audio stream, the only thing that will be possible is muted autoplay.

If you find it annoying when videos starting of their own accord, this will come as a welcome news. But what about use cases where it’s desirable?

Currently, it is possible to achieve autoplay blocking by toggling a setting from about:config (type that into your Firefox address bar), but that is a global setting and is either on or off.

Under the new regime, there are several options: enabling autoplay once on a website, white-listing websites to always allow autoplay from those sites, or always allow or block autoplay for all websites.

Read more at https://nakedsecurity.sophos.com/2019/02/06/firefox-66-will-silence-autoplaying-web-audio/

Just two hacker groups are behind 60% of stolen cryptocurrency

By Danny Bradbury

We may not know the names of those who steal cryptocurrency from online exchanges, but we now know that most of the thefts are down to just two groups – and one of them isn’t even in it for the money alone.

A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.

Cryptocurrency exchanges are prime targets for cybercriminals. People trading Bitcoin and other virtual currencies do so using exchanges, and many tend to leave their funds in their accounts on those exchanges rather than withdrawing them to a secure account under their control. This makes it more convenient for them to to make trades quickly without having to keep redepositing funds.

Large amounts of these funds often reside in an exchange’s hot wallet, which is connected to the blockchain and therefore online. It makes exchanges prime targets for online attacks. Chainalysis, which uses forensic techniques to find connections between cryptocurrency addresses, analysed some of those thefts to find out where the funds ended up. They may not know who owns the addresses, but using its forensic techniques it can determine whether the addresses are owned by the same people.

In its Crypto Crime Report, released last week, Chainalysis found that two groups, which it calls Alpha and Beta, were responsible for stealing around $1 billion in funds from exchanges.

Read more at https://nakedsecurity.sophos.com/2019/02/06/two-hacker-groups-stole-60-of-missing-cryptocurrency/

Digital signs left wide open with default password

By Lisa Vaas

Security researcher Drew Green has pried open an internet-connected digital signage system thanks to a default admin web interface password: an easily changeable password that allowed him into the web interface, from where he stumbled onto a chain of vulnerabilities that could allow a malicious attacker to upload whatever unsavories they’d like to display on people’s signage screens.

On Friday, 90 days after Green says he disclosed the vulnerabilities to the digital signage system maker, he published the specifics.

He had pulled apart the signage system for a client during a full-scope penetration test, and this system happened to be on the network. He couldn’t find anything else to dig into, so Green sunk his hooks into the signage system, named Carousel, which comes from Tightrope Media Systems (TRMS) and which his client was running on a TRMS-supplied device that Green says is “essentially an x86 Windows 10 PC.”

As Green understands it, his client had a television in the lobby that was hooked up to the system in order to display information about the company: for example, when interns graduated college; names and pictures of new hires; and awards the company had received. The systems can also play audio, videos, or images: a good way to give customers their first impression when they’re visiting your company.

Or, on the other hand, a good way to sear visitors’ eyeballs if a hacker figures out how to upload whatever unsavories they like.

Read more at https://nakedsecurity.sophos.com/2019/02/06/digital-signs-left-wide-open-with-default-password/