Dropbox bug deletes some users’ files permanently

Cloud services, and cloud storage in particular, are a common thing these days, but some people are still wary of storing their sensitive files in the netherworld. And whenever they argue against cloud storage solutions they point to events like the one Dropbox just went through, where some users’ data was permanently deleted by a bug.

The company has confirmed that a bug in an older version of its desktop apps could lead to files being deleted permanently, without the user’s knowledge or consent. The problem is related to Selective Sync, which allows users to only synchronize some important folders across machines.

Now the good news is that Dropbox says they’ve fixed the bugs in newer versions of their apps and they’re also restoring some of the lost data where that’s possible. And to give credit where it’s due, the company did acknowledge this problem quickly and is trying to help and reimburse the users that were affected.

via Dropbox bug deletes some users’ files permanently – Neowin.

Hackers target Yahoo, compromise multiple servers using Shellshock bug

Shellshock has claimed another victim as Yahoo recently revealed that three of its servers were compromised over the weekend by hackers that managed to exploit the vulnerability.

In a statement issued to Bloomberg via e-mail, Yahoo spokesperson Elisa Shyu said the company began patching its systems as soon as it became aware of the issue and has been closely monitoring its network. Yahoo isolated a handful of servers that were impacted and, at this time, Shyu added, there is no evidence of a compromise to user data.

Security researcher Jonathan Hall was the first to report the breach, the details of which can be found in this lengthy post over at Future South Technologies. To summarize, Hall claims Romanian hackers trying to build a large botnet are responsible for the attack. In addition to Yahoo, he also found evidence of an attack on utility software developer WinZip.

The security flaw, first disclosed publicly on September 24, poses an even bigger threat than the Heartbleed bug from earlier in the year, as it allows a bad actor to potentially gain complete control over a target system.

Security firm Incapsula estimates that there were nearly a billion attempts to use the bug and its own web application firewall dealt with more than 217,000 exploit attempts in the week following the bug’s disclosure.

There are likely thousands of Shellshock victims at this point although Yahoo is by far the biggest (that we know about).

via Hackers target Yahoo, compromise multiple servers using Shellshock bug – TechSpot.

Chrome bug allows websites to continue listening to conversations after you close the tab

Do you use speech recognition in Google Chrome? If yes, here’s something to worry about. Developer Tal Ater has discovered a bug in Google’s popular browser that malicious websites, enabled for voice-recognition, could exploit to listen in on the conversation taking place around the computer without your knowledge.

The problem lies in Chrome’s microphone permissions policy. Once you allow an HTTPS website to access your microphone, every instance of the website (including pop-ups) has the same permission. To a user, it may seem as though a pop-up window is not doing anything evil, but in reality it could be transcribing everything they say.

In the demo, Ater closed the tab and continued talking, while a pop-up behind the main Chrome window kept on transcribing whatever he said. This pop-up was just for demonstration purposes. In reality, a pop-up could be disguised as a banner ad, for example, and since Chrome does not show any visual indication that Speech Recognition is turned on in such windows, you might never know what’s actually happening.

Ater first reported the bug in September last year. Google acknowledged the loophole, nominated the bug for Chromium’s Reward Panel, and even fixed it. But the fix never made it to users’ desktops, which means that your Chrome browser is still vulnerable.

When asked, a Google spokesperson told The Verge: “we’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.”

This is yet another example of how technology is threatening privacy. Last month we reported research which revealed that it is possible for an individual or a government agency to remotely activate a built-in laptop webcam without the user knowing about it.

via Chrome bug allows websites to continue listening to conversations after you close the tab – TechSpot.

Facebook exploit reveals six million identities

Facebook security has always been a concern. A few years ago, a flaw allowed you to see your friends’ private chat messages, and last month there was a report of malware that attacks an individual’s machine with the intent of accessing their Facebook page. With over a billion users sharing private data, the platform is a prime target for attacks, and the company must constantly be on the lookout for security flaws in their platform.

Now a new bug has been reported. Although already fixed, the company reports that the bug exposed the email addresses and phone numbers of six million Facebook users. The company skips the technical description, stating that it “can get pretty technical,” but does explain how the bug was exploited. In essence, Facebook has code that adds intelligence when users upload their contact information to find more Facebook friends. If an uploaded email address already belongs to a Facebook member, for example, that person should be suggested as a friend instead of being invited to join Facebook. Unfortunately, this information was accidentally being stored in an area that was accessible via the “Download Your Information” (DYI) tool when it wasn’t supposed to be.

Facebook is downplaying the severity of the bug, saying that while there were six million leaks, most of the data was only downloaded once or twice and that there doesn’t appear to be any malicious intent. In addition, the data wasn’t accessible to corporations and advertisers, although we can’t be sure that an advertiser wasn’t one of the people who downloaded the data.

The company has paid a “bug bounty” to the person who revealed this flaw.

via Facebook exploit reveals six million identities – Neowin.

New hardware required to fix Haswell USB 3.0 connection bug

A few weeks ago we learned that Intel’s upcoming Haswell platform was plagued with an annoying USB 3.0 bug. The chip maker didn’t immediately fess up to the issue but we’ve since heard that it is indeed a real cause for concern – so much so that it will require a new chipset revision to fix, according to Fudzilla.

If you recall, the bug rears its head when a Haswell system is woken up from an S3 (suspend to RAM) sleep state while a USB 3.0 device is attached. The attached device will disconnect itself, forcing the user to reconnect in order to access the data once again. It’s not a major issue as data isn’t compromised, but if you wanted to pick up working where you left off on data from a USB drive, it’ll quickly become an annoyance if nothing else.

Motherboard partners are reportedly continuing ahead as planned with production on word from Intel that Haswell desktop components will be ready in June, probably launching at Computex 2013. Instead of delaying the platform’s launch, Intel will simply address it in a future chipset revision, which means the first batch of motherboards will likely carry the bug.

Back in 2011, early models of Intel’s Sandy Bridge platform were found to have a faulty SATA 3Gb/s controller that would cause gradual degradation and eventual failure over a long period of time. Intel was forced to issue a general recall as part of a move that is believed to have cost the company upwards of $1 billion.

via New hardware required to fix Haswell USB 3.0 connection bug – TechSpot.