
Security Bits — 21 January 2024

Feedback & Followups

Deep Dive 1 — Malware Resurrecting Google Sessions

TL;DR: if you change your Google password because you suspect your account has been compromised, changing the password alone is not enough: you also need to sign out of all sessions and remove all linked devices from your account, especially if you use the desktop version of the Chrome browser (Google’s own Chrome specifically, not other Chromium-based browsers).

This story has been bubbling away for months, but it’s been utterly lacking in detail and clarity, so I’ve never felt it was appropriate to include it in these segments. But, we now finally have enough clarity for a meaningful discussion.

For months now, malware-as-a-service offerings have been claiming to support ‘resurrection’ of Google sessions. The claim was that attackers could reconnect to Google services like Google Drive even after the victim changed their password. It was a big claim, with no evidence to back it up and no plausible mechanism.

Now, we know enough to verify that the claim is at least mostly true, and we understand how the attack works.

When you log into the Chrome desktop browser, the browser generates a secret key that represents your authorisation to use Google services. It acts as a kind of single sign-on session token, allowing you to stay logged in to all Google services for as long as you stay logged in to the browser. Google provide an API that accepts one of these tokens as input and returns fresh session IDs for Google services. If an attacker steals a token, they can log into any Google service without needing to authenticate, i.e. without a password, 2FA, or passkey.

Changing your password doesn’t invalidate existing tokens; it just stops new tokens being created! But Google’s account security pages do provide options to terminate all sessions and remove any logged-in devices from your account. support.google.com/…

These tokens also have a finite lifetime, so attackers can’t resurrect sessions indefinitely.

A very important point is that the only way to steal these tokens is to hack a computer that’s logged in to Chrome. Unless you have malware on your computer, you’re not at risk from this, so the best protection is to avoid getting hacked in the first place!

There’s just one take-home message really — if you use the Chrome browser on a desktop computer, and that computer gets hacked, you need to update your Google password and invalidate all sessions and disconnect all devices from your account.
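To make the distinction between the two actions concrete, here is a small constructed model (added here, not Google’s code, and not a description of Google’s real implementation) of the three behaviours described above: a long-lived browser token that survives a password change, is killed by “sign out of all sessions”, and expires on its own after an assumed 30-day lifetime.

```python
import secrets

# Constructed toy model of the token lifecycle described above. The lifetime
# value and the class layout are assumptions for illustration only.
TOKEN_LIFETIME = 30 * 24 * 3600  # assumed 30-day token lifetime, in seconds


class Account:
    def __init__(self, password):
        self.password = password
        self.tokens = {}        # browser token -> (expiry, epoch it was issued in)
        self.session_epoch = 0  # bumped by "sign out of all sessions"

    def login_to_browser(self, password, now):
        """A real login (password, 2FA, passkey) mints a long-lived browser token."""
        if password != self.password:
            return None
        tok = secrets.token_hex(16)
        self.tokens[tok] = (now + TOKEN_LIFETIME, self.session_epoch)
        return tok

    def fresh_session_id(self, tok, now):
        """The token -> fresh session ID API: no password, 2FA or passkey needed.
        Only the token's own expiry and a global sign-out can refuse it."""
        entry = self.tokens.get(tok)
        if entry is None:
            return None
        expiry, epoch = entry
        if now > expiry or epoch != self.session_epoch:
            return None
        return secrets.token_hex(8)

    def change_password(self, new_password):
        """Blocks future logins with the old password; existing tokens keep working."""
        self.password = new_password

    def sign_out_all_devices(self):
        """The account-security-page action that actually revokes every token."""
        self.session_epoch += 1
```

A stolen token keeps producing session IDs after change_password() and is only refused after sign_out_all_devices() or once TOKEN_LIFETIME has passed.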

Links

Deep Dive 2 — China Cracks AirDrop Anonymity (Probably, and with a Caveat)

There have been rumblings for years that Apple’s AirDrop does not hide Apple IDs well enough. At the root of the problem are two competing needs: recognising AirDrop requests from people in your contact list, and protecting your anonymity.

Apple rely on cryptographic hashing algorithms to do this, and their design is not strong enough to withstand some types of attack. Security researchers have both flagged this weakness and recommended protocol changes that would remedy the problem, but Apple have not chosen to act, and probably can’t without breaking backwards compatibility with current and previous OSes.

While researchers were aware of the weaknesses in the hashes, they were not aware of the fact that receiving devices store logs of AirDrop activities, and those logs also include the weak hashes. In the past, it was assumed an attacker would need to be watching the Bluetooth/WiFi traffic as the exchange was happening. Now we know that if a phone is seized and the user forced to unlock it, the hashes of all the Apple IDs that sent files to the device can be retrieved.

The final piece of the puzzle is rainbow tables. A hash is a function that can be computed quickly in one direction, but can’t feasibly be reversed. If you know all possible inputs, you can attack hashes by precomputing the hash for each possible input and building a searchable table of all the results. This kind of table is commonly known as a rainbow table (strictly speaking, a rainbow table is a space-saving variant of such a precomputed lookup table, but the term is widely used for both).

It would not be possible to either build or store a rainbow table with the hashes for all possible phone numbers and Apple IDs, but that’s not necessary for a government to build a useful rainbow table. What it appears the Chinese have done is build a rainbow table that covers every existing phone number in China. It’s easy for a totalitarian government to get that kind of data from the carriers in their country! It also seems that they have precomputed the hashes for some email addresses, which implies they have a list of Apple IDs of interest from somewhere. Perhaps they are capturing Apple IDs somewhere in the Great Firewall of China, or they were able to get the list of all Chinese Apple IDs from Apple, or the Chinese company Apple were forced to partner with to provide the data centers for the Chinese version of iCloud provided these Apple IDs.

So, what does this mean for the typical NosillaCastaway? If you’re not in China, probably not a lot. But you should be aware that any government with enough resources, and the inclination to do so, can precompute the hashes for all cellphone numbers in their country, and for any other cell phone numbers or email addresses they are interested in.

The only possible fix would be an updated AirDrop protocol, and that is unlikely to come before iOS 18 this fall, and Apple have not made any kind of promise to do any such thing, so it may never happen.
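The weakness described above is the combination of an unkeyed hash and a small, enumerable input space. The following constructed example (added here; it is not Apple’s code and the number format and hash are assumptions, not AirDrop’s actual scheme) builds a lookup table over one small block of phone numbers, inverts the hashes a device log would hold, and shows why the same table is useless against a keyed construction. Real proposals for fixing AirDrop use private set intersection rather than a shared key, because sender and receiver have no secret in common beforehand; the keyed version here only illustrates why precomputation stops working once the mapping is not public.

```python
import hashlib
import hmac

# Constructed model only. Number format "+8613" + nine digits is an assumed
# mobile-number shape for illustration; the hash is plain SHA-256.


def identifier_hash(identifier: str) -> str:
    """Unkeyed hash of a contact identifier: the weak design in the story."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def build_lookup_table(prefix: str, start: int, stop: int) -> dict:
    """Precompute hash -> number for one block of numbers (a real table would
    loop over every number a carrier has issued, as the story describes)."""
    table = {}
    for n in range(start, stop):
        number = f"{prefix}{n:09d}"
        table[identifier_hash(number)] = number
    return table


def recover_from_log(logged_hashes, table) -> dict:
    """A seized device's AirDrop log only holds hashes; the table maps any
    hash inside its input space straight back to a phone number."""
    return {h: table[h] for h in logged_hashes if h in table}


def keyed_identifier_hash(identifier: str, key: bytes) -> str:
    """Same identifier under a keyed hash. Whoever built the public table
    does not hold the key, so their precomputed hashes never match."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()
```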

Links:

❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
A link to graphical content, probably a chart, graph, or diagram.
A story that has been over-hyped in the media, or, “no need to light your hair on fire”.
A link to an article behind a paywall.
A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
A tip of the hat to thank a member of the community for bringing the story to our attention.
