EPIC JAILBREAK: Permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). via @axi0mX
https://github.com/axi0mX/ipwndfu/blob/master/README.md
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip). via @axi0mX
https://github.com/axi0mX/ipwndfu/blob/master/README.md
GitHub
ipwndfu/README.md at master · axi0mX/ipwndfu
open-source jailbreaking tool for many iOS devices - axi0mX/ipwndfu
How to dump and debug the bootrom (SecureROM) on demoted devices with Apple’s official tools. #iOS
1/ connect the cable using the correct lighting orientation and launch astris
https://twitter.com/1nsane_dev/status/1177856941139337216?s=19
1/ connect the cable using the correct lighting orientation and launch astris
https://twitter.com/1nsane_dev/status/1177856941139337216?s=19
Twitter
Giulio Zompetti
@axi0mX’s #checkm8 is out and let’s you debug your device (up to A11). But how is this done? Here is a little thread on dumping the bootrom (SecureROM) on demoted devices with Apple’s official tools. 1/ connect the cable using the correct lighting orientation…
Data breach of 218 million users affected all Android and iOS game players who signed up for the Words With Friends game
Leaked:
▪️Names
▪️Email addresses
▪️Login IDs
▪️Hashed passwords, SHA1 with salt
Password reset token (if ever requested)
▪️Phone numbers (if provided)
▪️Facebook ID (if connected)
▪️Zynga account ID
https://thehackernews.com/2019/09/zynga-game-hacking.html
Leaked:
▪️Names
▪️Email addresses
▪️Login IDs
▪️Hashed passwords, SHA1 with salt
Password reset token (if ever requested)
▪️Phone numbers (if provided)
▪️Facebook ID (if connected)
▪️Zynga account ID
https://thehackernews.com/2019/09/zynga-game-hacking.html
Vulnerability in WIB sim-browser can make a phone call, send SMS to any phone numbers, send victim’s location, launch WAP browser, etc.
https://ginnoslab.org/2019/09/21/wibattack-vulnerability-in-wib-sim-browser-can-let-attackers-globally-take-control-of-hundreds-of-millions-of-the-victim-mobile-phones-worldwide-to-make-a-phone-call-send-sms-to-any-phone-numbers/
https://ginnoslab.org/2019/09/21/wibattack-vulnerability-in-wib-sim-browser-can-let-attackers-globally-take-control-of-hundreds-of-millions-of-the-victim-mobile-phones-worldwide-to-make-a-phone-call-send-sms-to-any-phone-numbers/
Jailbreaking iPhone X iOS 13.1.1 in 2 seconds with checkm8
https://twitter.com/axi0mX/status/1178299323328499712
https://twitter.com/axi0mX/status/1178299323328499712
X (formerly Twitter)
axi0mX (@axi0mX) on X
HACKED! Verbose booting iPhone X looks pretty cool. Starting in DFU Mode, it took 2 seconds to jailbreak it with checkm8, and then I made it automatically boot from NAND with patches for verbose boot. Latest iOS 13.1.1, and no need to upload any images. Thanks…
Infographic: 10 mobile security misconceptions
https://www.wandera.com/mobile-security/mobile-security-misconceptions/
https://www.wandera.com/mobile-security/mobile-security-misconceptions/
Seven HiddenApp Trojans found on Google Play with 310,000+ installs
https://twitter.com/0xabc0/status/1178606985404653568?s=19
https://twitter.com/0xabc0/status/1178606985404653568?s=19
Twitter
Ahmet Bilal Can
#adware total of 310k+ installs Apps will drop another apk after reboot ( RECEIVE_BOOT_COMPLETED) . Strings are encrypted with base64+rc4 https://t.co/l4zom7Fwou
Android Application Security - OWASP MSTG Uncrackable level 1 writeup
https://blog.0daylabs.com/2019/09/18/deep-dive-into-Android-security/
https://blog.0daylabs.com/2019/09/18/deep-dive-into-Android-security/
0Daylabs
Dive deep into Android Application Security - OWASP MSTG Uncrackable level 1 writeup
Uncrackable Apps for Android is a collection of mobile reversing challenges maintained by the OWASP MSTG (Mobile Security Testing Guide) authors. Cracking and solving these challenges is a fun way to learn Android security.
Starbucks China Android app cloud storage service leaks a credential
https://hackerone.com/reports/440629
https://hackerone.com/reports/440629
HackerOne
Starbucks disclosed on HackerOne: Starbucks China Android app cloud...
k3mlol found a credential encoded in the Starbucks China mobile application for Android phones, which provided access to a cloud-hosted service that was used to upload information for customer...
MOBEXLER - A Mobile Application Penetration Testing Platform
https://enciphers.github.io/Mobexler/
https://enciphers.github.io/Mobexler/
Review of harmful apps found on Google Play in September 2019: 172 apps with 335,952,400+ installs
https://lukasstefanko.com/2019/10/android-security-monthly-recap-9.html
https://lukasstefanko.com/2019/10/android-security-monthly-recap-9.html
Huawei’s Undocumented APIs — A Backdoor to Reinstall Google Services
https://medium.com/@topjohnwu/huaweis-undocumented-apis-a-backdoor-to-reinstall-google-services-c3a5dd71a7cd
https://medium.com/@topjohnwu/huaweis-undocumented-apis-a-backdoor-to-reinstall-google-services-c3a5dd71a7cd
Medium
Huawei’s Undocumented APIs — A Backdoor to Reinstall Google Services
A few clicks, and Google Services are back. Sounds good, right?
Eight vulnerabilities found in the Android operating system's VoIP components
https://www.zdnet.com/article/academics-find-eight-vulnerabilities-in-androids-voip-components/
https://www.zdnet.com/article/academics-find-eight-vulnerabilities-in-androids-voip-components/
ZDNET
Academics find eight vulnerabilities in Android's VoIP components
The vulnerabilities can be exploited to make unauthorized VoIP calls, spoof caller IDs, deny voice calls, and even execute malicious code on users' devices.
Popular Android malware seen in September 2019 with samples
http://skptr.me/malware_timeline_2019.html
Samples: https://github.com/sk3ptre/AndroidMalware_2019
http://skptr.me/malware_timeline_2019.html
Samples: https://github.com/sk3ptre/AndroidMalware_2019
GitHub
GitHub - sk3ptre/AndroidMalware_2019: Popular Android threats in 2019
Popular Android threats in 2019. Contribute to sk3ptre/AndroidMalware_2019 development by creating an account on GitHub.
Detailed analysis of RCE vulnerability in WhatsApp via receiving malicoius .GIF
Patched in WhatsApp v2.19.244
https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
Video demo: https://drive.google.com/file/d/1T-v5XG8yQuiPojeMpOAG6UGr2TYpocIj/view
Patched in WhatsApp v2.19.244
https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
Video demo: https://drive.google.com/file/d/1T-v5XG8yQuiPojeMpOAG6UGr2TYpocIj/view
Home
How a double-free bug in WhatsApp turns to RCE
In this blog post, I’m going to share about a double-free vulnerability that I discovered in WhatsApp for Android, and how I turned it into an RCE. I informed this to Facebook. Facebook acknowledged and patched it officially in WhatsApp version 2.19.244.…
The State of Stalkerware in 2019
Increase of mobile Stalkerware. Based on Kaspersky, there is more Stalkerware detected in 2019 than in 2018.
https://securelist.com/the-state-of-stalkerware-in-2019/93634/
Increase of mobile Stalkerware. Based on Kaspersky, there is more Stalkerware detected in 2019 than in 2018.
https://securelist.com/the-state-of-stalkerware-in-2019/93634/
Securelist
The State of Stalkerware in 2019
This report examines the use of stalkerware and the number of users affected by this software in the first eight months of 2019.
Bad OpSec led to the botnet’s discovery — revealing 800,000 victims in Russia
https://threatpost.com/virus-bulletin-geost-android-botnet/148864/
https://threatpost.com/virus-bulletin-geost-android-botnet/148864/
Threat Post
Virus Bulletin 2019: Geost Android Botnet Goes After Millions of Euros
Bad OpSec led to the botnet's discovery — revealing 800,000 victims in Russia.
Forwarded from The Bug Bounty Hunter
URL Bar Spoofing Flaw in Safari for iOS 12.3 and iOS 13 Beta | CVE-2019–8727
https://medium.com/@justm0rph3u5/url-bar-spoofing-in-safari-for-ios-12-3-and-ios-13-beta-cve-2019-8727-d87490f8ee29
https://medium.com/@justm0rph3u5/url-bar-spoofing-in-safari-for-ios-12-3-and-ios-13-beta-cve-2019-8727-d87490f8ee29
Medium
URL Bar Spoofing in Safari for iOS 12.3 and iOS 13 Beta | CVE-2019–8727
While working for browser-based attacks on the URL bar, I learned a way where it was still possible to spoof address bar in safari. None…
Statistics and analysis of "Hqware" Android Banking malware family
https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/
https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/
Securelist
HQWar: the higher it flies, the harder it drops
Now one can say that only the lazy did not use Hqwar: Kaspersky's collection of viruses features over 200,000 Trojans packed using Hqwar.