It seems that dozens of hugely popular iOS apps have a bad habit: they read your clipboard data without your consent, even when you copied it for use in another application. It may seem like a small thing, but it is not: the clipboard could include credit card numbers, passwords and other sensitive data.
Recent security research reveals an unhealthy habit of some pretty popular apps. TikTok, Reuters, The Wall Street Journal, Fruit Ninja, Viber, Hotels.com, Plants vs. Zombies Heroes and many others read the contents of the copy-paste buffer (also called the “clipboard”) every time they are opened, even if the content is not intended for them. Indeed, some do not even provide paste functionality, but they grab the contents anyway.
This is a capability provided by the operating system, which allows you to pass information from one app to another; but an app should access this information only when the user gives a precise command, otherwise it is a clear violation. It’s as if a secretary secretly reads the notes in his employer’s desk drawer. Technically nothing prevents him, given that he has full access to the office, but it still remains a betrayal of mutual trust.
Finally, note that if you have Universal Clipboard activated, these apps can also automatically read the data you copy and paste on your Mac.
Here is the complete list of apps that snoop on the pasteboard every time the app is opened. The apps are listed alphabetically.
- ABC News — com.abcnews.ABCNews
- Al Jazeera English — ajenglishiphone
- CBC News — ca.cbc.CBCNews
- CBS News — com.H443NM7F8H.CBSNews
- CNBC — com.nbcuni.cnbc.cnbcrtipad
- Fox News — com.foxnews.foxnews
- News Break — com.particlenews.newsbreak
- New York Times — com.nytimes.NYTimes
- NPR — org.npr.nprnews
- ntv Nachrichten — de.n-tv.n-tvmobil
- Reuters — com.thomsonreuters.Reuters
- Russia Today — com.rt.RTNewsEnglish
- Stern Nachrichten — de.grunerundjahr.sternneu
- The Economist — com.economist.lamarr
- The Huffington Post — com.huffingtonpost.HuffingtonPost
- The Wall Street Journal — com.dowjones.WSJ.ipad
- Vice News — com.vice.news.VICE-News
- 8 Ball Pool™ — com.miniclip.8ballpoolmult
- AMAZE!!! — com.amaze.game
- Bejeweled — com.ea.ios.bejeweledskies
- Block Puzzle — Game.BlockPuzzle
- Classic Bejeweled — com.popcap.ios.Bej3
- Classic Bejeweled HD — com.popcap.ios.Bej3HD
- FlipTheGun — com.playgendary.flipgun
- Fruit Ninja — com.halfbrick.FruitNinjaLite
- Golfmasters — com.playgendary.sportmasterstwo
- Letter Soup — com.candywriter.apollo7
- Love Nikki — com.elex.nikki
- My Emma — com.crazylabs.myemma
- Plants vs. Zombies™ Heroes — com.ea.ios.pvzheroes
- Pooking – Billiards City — com.pool.club.billiards.city
- PUBG Mobile — com.tencent.ig
- Tomb of the Mask — com.happymagenta.fromcore
- Tomb of the Mask: Color — com.happymagenta.totm2
- Total Party Kill — com.adventureislands.totalpartykill
- Watermarbling — com.hydro.dipping
- TikTok — com.zhiliaoapp.musically
- ToTalk — totalk.gofeiyu.com
- Tok — com.SimpleDate.Tok
- Truecaller — com.truesoftware.TrueCallerOther
- Viber — com.viber
- Weibo — com.sina.weibo
- Zoosk — com.zoosk.Zoosk
- 10% Happier: Meditation — com.changecollective.tenpercenthappier
- 5-0 Radio Police Scanner — com.smartestapple.50radiofree
- Accuweather — com.yourcompany.TestWithCustomTabs
- AliExpress Shopping App — com.alibaba.iAliexpress
- Bed Bath & Beyond — com.digby.bedbathbeyond
- Dazn — com.dazn.theApp
- Hotels.com — com.hotels.HotelsNearMe
- Hotel Tonight — com.hoteltonight.prod
- Overstock — com.overstock.app
- Pigment – Adult Coloring Book — com.pixite.pigment
- Recolor Coloring Book to Color — com.sumoing.ReColor
- Sky Ticket — de.sky.skyonline
- The Weather Network — com.theweathernetwork.weathereyeiphone
Hackers have released a new jailbreak that can reportedly crack any iPhone
A new jailbreak has just been released that works across all iPhones, according to reports from Motherboard and TechCrunch.
- The jailbreak was reportedly made possible by a new vulnerability in Apple’s software that the company has not discovered yet.
- A jailbreak is a hack that makes it possible to overcome the iPhone’s security restrictions so that users can load apps and features that aren’t approved by Apple.
- Installing jailbreaks can pose security risks since doing so lifts Apple’s safeguards.
A vulnerability in Apple’s mobile software has made it possible for hackers to release a new iPhone jailbreak that supposedly works across all iPhones, according to Motherboard.
It’s the first time such a jailbreak that works so broadly at launch has surfaced since Apple launched its iOS 10 operating system in 2016, the report says. The jailbreak, known as unc0ver, should work on all iPhones that support iOS 11 and above, according to TechCrunch.
Apple did not immediately respond to Business Insider’s request for comment.
A jailbreak is a hack that makes it possible to overcome Apple’s security protocols so users can load onto their iPhones apps and software that the company hasn’t authorized. Jailbreaks were once very popular among iPhone owners that wanted to customize their devices, but they also pose serious security risks since they discard Apple’s built-in safety measures.
Apple has cracked down on jailbreaking in more recent iOS software updates, making them far less common.
The new jailbreak is the result of a zero-day vulnerability found in Apple’s iOS software, Motherboard reported. The term “zero-day” refers to a security flaw that has not yet been discovered.
Although jailbreaks are usually considered a security risk, the researcher who discovered the iOS vulnerability that makes the new jailbreak possible told Motherboard that Apple’s security mechanisms remained intact.
While the new jailbreak is said to be the first in years to work across all models right away, it’s not the first time jailbreaking has returned to the iPhone. Last August, Apple re-introduced a security vulnerability that would make jailbreaking possible, as Motherboard reported at the time. But that jailbreak worked on current and up-to-date iPhones, according to the report, while the new one is said to work across all models.
The news also comes as Apple has been investing more heavily in sourcing help from external cybersecurity experts and researchers through its bug-bounty program, which the company introduced in 2016.
For example, Apple updated its bug-bounty program in August to include a new million-dollar reward for researchers who can pull off a specific type of iPhone hack. The type of attack, known as a “zero-click full chain kernel execution attack with persistence,” gets to the core of Apple’s operating system and enables control of an iPhone without requiring any user interaction.
After Zoom, Hackers Turn to Microsoft Teams as Reports Show Spike in Cyberattacks
With working from home becoming the new norm, Microsoft Teams and other video conferencing platforms have seen an extraordinary spike in usage. However, the increase in popularity has also attracted the attention of hackers.
Recent reports by security researchers have shown spikes in cyberattacks targeting Microsoft Teams users. According to the reports, researchers have observed thousands of cloned Microsoft Teams login pages being used in an attempt to harvest account passwords.
Hackers turn their sights to Video-conferencing Platforms
With daily usage of the Microsoft service at about 75 million after leaping from 44 million in the last two weeks of March, it’s no surprise that hackers have turned their sights to the platform.
However, Microsoft Teams is not the first video chat platform to receive increased attention from hackers. Last month, account information for about 530,000 Zoom accounts was stolen by hackers and auctioned on the dark web.
This, together with Zoom’s several other security and privacy shortcomings, caused a backlash which resulted in a few top organisations porting to rivals like Teams. However, the increase in cyberattacks directed at Teams shows that porting from Zoom doesn’t necessarily mean users are off the radar of cybercriminals.
Impersonation attack threat to over 75 million users
Researchers have discovered that hackers are using a multi-prong Microsoft Teams impersonation attack. According to the team from Abnormal Security, convincingly-crafted emails impersonating the automated notification emails from Microsoft Teams are sent out to users, with the aim of stealing their Microsoft Office 365 login credentials when they try to use the fake website.
The Cybersecurity and Infrastructure Security Agency (CISA) on April 29 issued a warning that attacks using such methodology were going to increase, given the speed of deployment as organizations migrate to Microsoft Office 365 during the COVID-19 lockdown.
However, Abnormal Security has said it discovered that no security configurations or vulnerabilities in Microsoft Teams were at fault. The hacker exploits human vulnerabilities by sending emails that are designed to look legit and professional to trick as many users as possible.
“The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider,” the researchers say.
This new phishing campaign is disguised as the normal everyday mail you receive for business or work. However, when you click on the link, it employs multiple URL redirects that conceal the real hosting URLs, aiming to bypass email protection systems, and eventually drives the user to the cloned Microsoft Office 365 login page.
Also, hackers use newly-registered domains that are designed to fool users into thinking the notifications are from an official source.
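A defender-side check for the redirect-and-lookalike pattern described above, as an added example that is not from the original article or from Abnormal Security: it walks a recorded redirect chain and judges the link by the host it finally lands on. The trusted-host list, the brand tokens, the constructed sample chains and all function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts this organisation accepts for Office 365 sign-in.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
BRAND_TOKENS = ("microsoft", "office365", "teams")
MAX_HOPS = 10

# Constructed sample: URL -> Location header, as a mail gateway sandbox might
# record it. Attacker-side domains use the reserved .example TLD.
SAMPLE_REDIRECTS = {
    "https://news.mailer.example/track?id=1": "https://cdn.shortlink.example/r/abc",
    "https://cdn.shortlink.example/r/abc": "https://teams-microsoft-login.example/signin",
    "https://intranet.corp.example/go/teams": "https://login.microsoftonline.com/common/oauth2",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}

def resolve_chain(start, redirects, max_hops=MAX_HOPS):
    """Follow recorded redirects; return (urls_visited, abnormal_flag)."""
    chain, seen = [start], {start}
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in seen or len(chain) > max_hops:
            return chain, True  # loop or excessive hops
        chain.append(nxt)
        seen.add(nxt)
    return chain, False

def assess_link(start, redirects):
    """Classify a link by the final landing host, not by the URL in the mail."""
    chain, abnormal = resolve_chain(start, redirects)
    host = (urlsplit(chain[-1]).hostname or "").lower()
    if abnormal:
        verdict = "suspicious: redirect loop or excessive hops"
    elif host in TRUSTED_LOGIN_HOSTS:  # exact match, never substring
        verdict = "ok: lands on trusted sign-in host"
    elif any(tok in host for tok in BRAND_TOKENS):
        verdict = "phishing-likely: brand name on untrusted host"
    else:
        verdict = "unknown: not a sign-in host"
    return {"final_host": host, "hops": len(chain) - 1,
            "hosts_crossed": len({urlsplit(u).hostname for u in chain}),
            "verdict": verdict}
```

The exact-match comparison matters: a host that merely contains or starts with a trusted name is still classified as untrusted.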
Over 50,000 users have been victims to this attack
Once users enter their login details, the details are already stolen without the users even knowing it. This is usually the case when users enter their details in unsecured webpages and it bounces.
According to Abnormal Security, the current situation, where people have become accustomed to receiving video invitations and notifications from collaboration software providers, makes it easier for the phishing attack to work.
“Recipients would be hard-pressed to understand that these sites were set up to misdirect and deceive them to steal their credentials, given the current situation, people have become accustomed to notifications and invitations from collaboration software providers.”
Similar to Zoom, Microsoft Teams’ booming popularity has caught the attention of both security experts and hackers. Although everything looks fine pertaining to Microsoft Teams security and privacy, users have to play their part in being extra vigilant so that preying hackers won’t be able to steal their information.
Be vigilant about performing ‘security hygiene’ during coronavirus threat
Consumers should seek out information based on science and not just personal testimonies.
Many of the news stories discussing the global outbreak of the COVID-19 virus rightly stress the importance of practicing protective measures such as vigorous hand washing and avoiding crowded events. Authorities roundly agree that proper hygiene and adherence to your national health authorities such as the CDC is critical to containing the spread of the deadly virus.
Meanwhile, the coronavirus scare is posing other risks – some directly, others indirectly related to COVID-19. Consumers hell-bent on gathering the latest information about virus-protection techniques are being warned about phishing scams that prey on their fears. Workers holed up in home offices face ongoing threats from hackers looking to poke holes in the patchwork of home and workplace security defenses.
“It’s always important to keep our guards up, to protect ourselves against security threats,” said Martin Hron, senior researcher at Avast. “Just like we need to pay attention to our own hygiene during times like these, we should maintain a high level of security hygiene to ensure we’re keeping our risk levels low.”
Virus-related scams are on the rise. State attorneys general have put out notices to watch for illegitimate investment schemes and websites advertising coronavirus “miracle products” or vaccines. Consumers should seek out information based on science and not just personal testimonies.
Earlier this month, the World Health Organization (WHO) issued a warning about phishing emails being sent by hackers posing as WHO representatives. The agency is getting regular reports of coronavirus-related phishing attempts.
The Secret Service recently issued a warning about a phishing scam from people purporting to be from a medical organization offering information regarding the virus. Clicking on a link could infect your computer. The agency called the coronavirus outbreak “a prime opportunity for enterprising criminals because it plays on the basic human conditions … fear.”
As more regions declare states of emergency in response to the coronavirus, workers that haven’t spent time working remotely suddenly have to reacquaint themselves with VPNs and document-sharing tools. Corporate remote-work rules can – and should – be stringent. Workers should review key practices with IT before embarking on long, and perhaps open-ended, remote periods.
Other corporate security measures could include the following:
- Arm employees with a list of phone numbers, so they can reach out to a human from their IT team or other responsible person in case they have any IT issues.
- Inform employees of the hardware, software, and services they can utilize that are not company issued, but could help to connect and share files with colleagues during the special circumstances.
- Lay ground rules for employees when it comes to using personal hardware while working from home, such as printers.
- Enforce two-factor authentication wherever possible to add an extra layer of protection to accounts.
- Make sure employees have limited access rights and can only connect to the services they need for their specific tasks, rather than giving employees access to the entire corporate network.
Other potential risks tie back to actual hygiene itself. Workers operating remotely in regions affected by the coronavirus have been trained to scrub their hands and cover their mouths to stop the spread of disease. But are they paying the same attention to their technology devices themselves? Phones, laptops, tablets and IT remotes can transmit viruses if they’re not properly wiped down.
“We have to be vigilant, to be sure we’re protecting ourselves in every facet of our lives,” Hron said.