November 20, 2019
Update WhatsApp now: MP4 video bug exposes your messages
By Lisa Vaas
WhatsApp’s pitch: Simple. Secure. Reliable messaging.
Needed marketing addendum: Hole. Update. Now. Evil. MP4s.
Facebook on Thursday posted a security advisory about a seriously risky stack-based buffer overflow vulnerability in WhatsApp, CVE-2019-11931, that could be triggered by a nastily crafted MP4 video. According to the advisory the flaw is in the code that parses the file’s elementary stream metadata, and it is triggered by sending the crafted file to a WhatsApp user.
It carries a CVSS base score of 7.8 (High). Understandably so: if left unpatched, it can lead to remote code execution (RCE), which would let an attacker read users’ files and messages. The same bug can also be used simply to crash the app, a Denial of Service (DoS).
Facebook said that this one affects WhatsApp versions for iOS, Android and Windows Phone. The problem isn’t just in the regular WhatsApp; it’s also in WhatsApp Business and the WhatsApp Enterprise client. The advisory lists the first fixed version for each platform, so compare the version shown in the app’s settings against it rather than assuming an automatic update has already happened.
That’s an enormous number of users: With over 1.5 billion monthly active users, WhatsApp is the most popular mobile messenger app worldwide, according to Statista.
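As an added illustration of the bug class (this is not WhatsApp’s code and not the CVE-2019-11931 defect itself, whose details the advisory does not give), here is a minimal MP4 box (“atom”) walker in C. Every box starts with a 4-byte big-endian size and a 4-byte type; the unchecked version trusts that size when it copies the payload into a fixed stack buffer, which is exactly how a crafted file turns into a stack overflow. The hardened version refuses any box whose declared size does not fit the bytes actually present or the destination buffer. The sample byte arrays are constructed for the example.

```c
/* Added example: generic MP4 box ("atom") parsing, showing the unchecked
 * pattern behind this bug class next to a bounds-checked version. Not
 * WhatsApp's code and not the CVE-2019-11931 defect itself. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOX_HDR 8u        /* 4-byte big-endian size + 4-byte type */
#define MAX_BOXES 16

typedef struct { char type[5]; size_t size; } box_info;

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE PATTERN: the copy length comes straight from the file. A size
 * field of 0xFFFFFFF0 writes ~4 GB past 'payload'; a size below 8 underflows
 * to a huge length. Only ever called on the benign sample in main(). */
static unsigned char copy_payload_unchecked(const unsigned char *box) {
    unsigned char payload[64];
    uint32_t size = be32(box);
    memcpy(payload, box + BOX_HDR, size - BOX_HDR);   /* attacker-controlled */
    return payload[0];
}

/* HARDENED: the declared size must fit the bytes actually available, and the
 * payload must fit the destination. Returns payload length or -1. */
static long copy_payload_checked(const unsigned char *box, size_t avail,
                                 unsigned char *dst, size_t dstlen) {
    if (avail < BOX_HDR) return -1;                 /* truncated header */
    uint32_t size = be32(box);
    if (size < BOX_HDR || size > avail) return -1;  /* lies about its length */
    size_t plen = size - BOX_HDR;
    if (plen > dstlen) return -1;                   /* would overflow dst */
    memcpy(dst, box + BOX_HDR, plen);
    return (long)plen;
}

/* Walk top-level boxes with the same checks. Returns the box count or -1. */
int walk_boxes(const unsigned char *buf, size_t len, box_info *out, int max_out) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < BOX_HDR) return -1;
        size_t size = be32(buf + off);
        if (size == 0) size = len - off;            /* 0 = "runs to end of file" */
        if (size == 1) return -1;                   /* 64-bit largesize: not handled here */
        if (size < BOX_HDR || size > len - off) return -1;
        if (n == max_out) return -1;
        memcpy(out[n].type, buf + off + 4, 4);
        out[n].type[4] = '\0';
        out[n].size = size;
        n++;
        off += size;
    }
    return n;
}

/* Constructed samples for the example, not real WhatsApp traffic. */
static const unsigned char good_mp4[] = {   /* ftyp(16) + free(8) */
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x02,0x00,
    0x00,0x00,0x00,0x08, 'f','r','e','e' };
static const unsigned char evil_mp4[] = {   /* mdat claims ~4 GB, 24 bytes exist */
    0xFF,0xFF,0xFF,0xF0, 'm','d','a','t', 0,0,0,0,0,0,0,0,
    0x00,0x00,0x00,0x08, 'f','r','e','e' };
static const unsigned char short_mp4[] = {  /* size 4 is smaller than its own header */
    0x00,0x00,0x00,0x04, 'm','o','o','v' };

int count_boxes(const unsigned char *buf, size_t len) {
    box_info tmp[MAX_BOXES];
    return walk_boxes(buf, len, tmp, MAX_BOXES);
}
long payload_len_checked(const unsigned char *box, size_t avail) {
    unsigned char dst[64];
    return copy_payload_checked(box, avail, dst, sizeof dst);
}

int main(void) {
    printf("good: %d boxes, first payload %ld bytes, first byte 0x%02x\n",
           count_boxes(good_mp4, sizeof good_mp4),
           payload_len_checked(good_mp4, sizeof good_mp4),
           copy_payload_unchecked(good_mp4));
    printf("evil: walk=%d payload=%ld\n",
           count_boxes(evil_mp4, sizeof evil_mp4),
           payload_len_checked(evil_mp4, sizeof evil_mp4));
    printf("short: walk=%d\n", count_boxes(short_mp4, sizeof short_mp4));
    return 0;
}
```

The two checks that matter are the ones the unchecked copy skips: the size must be at least the header length (otherwise the subtraction underflows) and at most the bytes remaining in the buffer. Real parsers also need the 64-bit `largesize` form and nested boxes, which this example deliberately rejects rather than half-handles.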
Read more at https://nakedsecurity.sophos.com/2019/11/20/update-whatsapp-now-mp4-video-bug-exposes-your-messages/
Instagram stalker app Ghosty yanked from Play store
By Lisa Vaas
Ever wanted to view hidden profiles on Instagram? To stalk users who’ve chosen to make their profiles private?
Up until Tuesday morning, you could do that by using a stalker service called Ghosty. Here’s what the app developer promised on versions available on Google Play and Apple’s App Store:
Ghosty – View Hidden Instagram Profile. You can view all the profiles you want to view including hidden profiles on Instagram. You can download or share photos or videos from your Instagram profiles to your gallery. In addition, you will soon be able to access many new features related to your Instagram account.
“Soon” won’t come for the app, the logo for which was the profile of snooper extraordinaire Sherlock Holmes. Ghosty was removed from Google’s Play store after Android Police found the service creating what the publication called a “stalker paradise.” Nor could I find it on Apple’s store.
In that stalker paradise/privacy dystopia, anyone could view the many private profiles Ghosty amassed by signing up users who handed over their own accounts’ data – including whatever private accounts those users follow.
As Android Police tells it, this was the deal you had to make with the devil: in order to view whatever private accounts Ghosty had managed to crowd-source, you handed over your Instagram login credentials. You also had to invite at least one other person to Ghosty in order to view private profiles. Thus did Ghosty keep expanding the pool of content it could show its users: if any of those users followed a private account, that profile got added to the content Ghosty would make available.
Android Police noted that when it looked into the app, the media outlet managed to skip past that invitation step and was still able to view at least one private profile.
Not only was the service brazenly exploiting users’ desires to get at private accounts; it was also charging them for bundles or flinging ads at them.
Ghosty isn’t new; it appeared on the Play Store in April 2019. It had been downloaded over half a million times as of 13 November.
That’s a long time for an app to be amassing content while breaking Instagram’s rules. The relevant terms of service clause that forbids what Ghosty was up to:
You can’t attempt to buy, sell, or transfer any aspect of your account (including your username) or solicit, collect, or use login credentials or badges of other users.
As Android Police points out, during the half year that Ghosty was operating, neither Facebook (Instagram’s owner) nor Google apparently did anything about it – at least, not until now.
Read more at https://nakedsecurity.sophos.com/2019/11/20/instagram-stalker-app-ghosty-yanked-from-play-store/
XSS security hole in Gmail’s dynamic email
By John E Dunn
Did Android users celebrate loudly when Google announced support for Accelerated Mobile Pages for Email (AMP4Email) in its globally popular Gmail service in 2018?
Highly unlikely. Few will even have heard of it, let alone have any idea why the open source technology might improve their webmail experience.
They might, however, be interested to learn that a researcher, Michal Bentkowski, of Securitum, recently discovered a surprisingly basic security flaw affecting Google’s implementation of the technology.
The intention behind AMP4Email, called ‘dynamic email’ in Gmail, was to reduce tab-clutter and make viewing email more like viewing and interacting with web pages, by allowing, for example, filling out reservation forms or searching Pinterest from within an email.
For examples of what dynamic email looks like in Gmail, scroll through Google’s 2018 YouTube demo featuring AMP4Email examples taken from Doodle, Booking.com and Pinterest.
AMP4Email beats plain HTML hands down but from the start Google knew this could potentially open the door to a security wrangle – the more things an email can do, the more likely someone will abuse those capabilities maliciously.
That’s why senders of dynamic email are required to use TLS encryption and to authenticate their mail with DKIM, SPF and DMARC, so that not just anyone can spray users with empowered malicious spam.
As for the content, to avoid the possibility that attackers might execute JavaScript to attempt a Cross-Site Scripting (XSS) attack, senders must also build email content using an allow list of tags and attributes or risk validation errors that stop it rendering.
XSS is bad enough when users are lured to a vulnerable website. Embedding this in an email is even more dangerous because the threat is being delivered straight to users’ webmail inboxes.
Read more at https://nakedsecurity.sophos.com/2019/11/20/xss-security-hole-in-gmails-dynamic-email/
Adobe Acrobat and Reader 2015 reach end of support
By Danny Bradbury
If you’ve been happily using Adobe Reader 2015 software for the last few years, you’re in for a rude awakening. The software vendor is ending support for these versions of its PDF-perusing product.
Adobe is bringing its support for two related products to an end: its free Acrobat Reader 2015 software, which enables people to open PDF documents without paying anything and perform basic edits, and the commercial Acrobat 2015 software that lets people create, convert, and add security and extra interactivity to their PDFs.
Adobe released both of these products in 2015, alongside Acrobat DC and Acrobat Reader DC. DC stands for Document Cloud, Adobe’s central cloud-based hub for managing documents; the DC versions are the continuously updated track, while the 2015 versions are the “classic” track that receives only security and bug-fix updates until its support ends.
The company’s Support Lifecycle Policy only provides five years of support from the date that its products become generally available. Adobe is pulling support on the products’ fifth anniversary, 7 April 2020.
At that point, customers won’t get technical support for their products, meaning that if you phone Adobe with a problem, its operatives won’t deal with it. More importantly, this end of support means that you won’t get any more security patches for the products either, and PDF readers are a perennial exploit target, so plan to move to a supported version before that date.
Read more at https://nakedsecurity.sophos.com/2019/11/20/adobe-acrobat-and-reader-2015-reach-end-of-support/
Brand new Android smartphones shipped with 146 security flaws
By John E Dunn
If you think brand new Android smartphones are immune from security vulnerabilities, think again – a new analysis by security company Kryptowire uncovered 146 CVE-level flaws in devices from 29 smartphone makers.
Without studying all 146 in detail, it’s not clear from the company’s list how many were critical flaws, but most users would agree that 146 during 2019 alone sounds like a lot.
The sort of things these might allow include modification of system properties (28.1%), app installation (23.3%), command execution (20.5%), and changes to wireless settings (17.8%).
Remember, these devices, which included Android smartphones made by Samsung and Xiaomi, had never even been turned on, let alone downloaded a dodgy app – these are the security problems shipped with your new phone, not ones that compromise the device during its use.
The culprit is software specific to each manufacturer, pre-installed alongside Android itself and the Google applications.
Like those, it lives on the system partition, so a user can at best disable such an app, not remove it without rooting the device. The only way to fix one of these flaws is for the smartphone maker to be told about the issue and to ship a firmware update.
Factory soiled
We’ve been here before, of course. In August 2019, Google Project Zero researcher Maddie Stone gave a presentation at Black Hat to highlight the issue of malware she and her colleagues had discovered being installed on Android devices in the supply chain.
Read more at https://nakedsecurity.sophos.com/2019/11/19/brand-new-android-smartphones-shipped-with-146-security-flaws/