The Hacker News — Cyber Security, Hacking, Technology News

If you are wondering how to receive latest updates for an Android app—installed via a 3rd party source or peer-to-peer app sharing—directly from Google Play Store.

For security reasons, until now apps installed from third-party sources cannot be updated automatically over-the-air, as Google does not recognize them as Play Store apps and they do not show up in your Google account app list as well.

Late last year, Google announced its plan to set up an automated mechanism to verify the authenticity of an app by adding a small amount of security metadata on top of each Android application package (in the APK Signing Block) distributed by its Play Store.

This metadata is like a digital signature that would help your Android device to verify if the origin of an app you have installed from a third-party source is a Play Store app and have not been tempered, for example, a virus is not attached to it.

From early 2018, Google has already started implementing this mechanism, which doesn't require any action from Android users or app developers, helping the company to keep its smartphone users secure by adding those peer-to-peer shared apps to a user's Play Store Library in order to push regular updates.

Additionally, Google yesterday announced a new enhancement to its plan by adding offline support for metadata verification that would allow your Android OS to determine the authenticity of "apps obtained through Play-approved distribution channels" while the device is offline.

"One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity," said James Bender, Product Manager at Google Play. "This will give people more confidence when using Play-approved peer-to-peer sharing apps."

It should be noted that this feature doesn’t protect you from the threat of installing apps from third-party sources; instead, it merely helps you receive latest updates for apps if their origin is Google Play Store.

Last year, as part of its mission, to secure Android ecosystem, Google also added built-in behavior-based malware protection for Android devices, called Google Play Protect, which uses machine learning and app usage analysis to weed out the dangerous and malicious apps.

Google Play Protect not only scans apps installed from official Play Store but also monitors apps that have been installed from third-party sources.

Moreover, Play Protect now also support offline scanning, which suggests that it will take care of newly introduced metadata verification as well.

Although Play Store itself is not completely immune to malware, users are still advised to download apps, especially published by reputable developers, from the official app store to minimize the risk of getting their devices compromised.

Google researcher has discovered a severe vulnerability in modern web browsers that could have allowed websites you visit to steal the sensitive content of your online accounts from other websites that you have logged-in the same browser.

Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages.

For security reasons, modern web browsers don't allow websites to make cross-origin requests to a different domain unless any domain explicitly allows it.

That means, if you visit a website on your browser, it can only request data from the same origin the site was loaded from, preventing it from making any unauthorized request on your behalf in an attempt to steal your data from other sites.

However, web browsers do not respond in the same way while fetching media files hosted on other origins, allowing a website you visit to load audio/video files from different domains without any restrictions.

Moreover, browsers also support range header and partial content responses, allowing websites to serve partial content of a large media file, which is useful while playing a large media or downloading files with pause and resume ability.

In other words, media elements have an ability to join pieces of multiple responses together and treat it as a single resource.

However, Archibald found that Mozilla FireFox and Microsoft Edge allowed media elements to mix visible and opaque data or opaque data from multiple sources together, leaving a sophisticated attack vector open for attackers.
In a blog post published today, Archibald detailed this vulnerability, which he dubbed Wavethrough, explaining how an attacker can leverage this feature to bypass protections implemented by browsers that prevent cross-origin requests.

"Bugs started when browsers implemented range requests for media elements, which wasn't covered by the standard. These range requests were genuinely useful, so all browsers did it by copying each others behaviour, but no one integrated it into the standard," Archibald explained.

According to Archibald, this loophole can be exploited by a malicious website using an embedded media file on its webpage, which if played, only serves partial content from its own server and asks the browser to fetch rest of the file from a different origin, forcing the browser to make a cross-origin request.

The second request, which actually is a cross-origin request and should be restricted, will be successful because mixing visible and opaque data are allowed for a media file, allowing one website to steal content from the other.

"I created a site that does the above. I used a PCM WAV header because everything after the header is valid data, and whatever Facebook returned would be treated as uncompressed audio," Archibald said.

Archibald has also published a video, and a proof-of-concept exploit demonstrating how a malicious website can fetch your private content from websites like Gmail and Facebook, whose response will be same for the malicious site as your browser loads them for you.


Since Chrome and Safari already have a policy in place to reject such cross-origin requests as soon as they see any redirection after the underlying content appears to have changed between requests, their users are already protected.

"This is why standards are important. I believe Chrome had a similar security issue long ago, but instead of just fixing it in Chrome, the fix should have been written into a standard, and tests should have been written for other browsers to check against," Archibald said.

FireFox and Edge browsers that were found vulnerable to this issue have also patched the vulnerability in their latest versions after Archibald responsibly reported it to their security teams.

Therefore, FireFox and Edge browser users are highly recommended to make sure that they are running the latest version of these browsers.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

One of the world's most popular flight tracking services Flightradar24, which shows real-time aircraft flight information on a map, has suffered a massive data breach that may have compromised email addresses and hashed passwords for more than 230,000 customers.

Without revealing any information about the breach publically via their blog or social media accounts, Flightradar24 started sending out emails earlier this week with a password reset link, asking them to change their passwords.

The incomplete reference to suddenly announced data breach incident via emails and providing a unique password reset link to each user caused some customers to suspect that they have been a target of a phishing attack.
However, later the company confirmed the breach while responding to its customers’ queries on the official forum and Twitter, saying that the breach notifications they have received via emails are legitimate and that neither payment nor personal information has been compromised.

"The security breach may have compromised the email addresses and hashed passwords for a small subset of Flightradar24 users (those who registered prior to March 16, 2016)," the company said. 

"We have already invalidated your old password and the link in the email will allow you to create a new password."

The Swedish-based company also confirmed that the security breach was limited to only one of its servers, which has been shut down immediately after the intrusion was detected late last week.

The company claimed that the breached passwords were hashed, though it did not specify the hashing algorithm or if they were protected using a salt, which adds an extra layer of security to your hashed passwords.

To protect accounts of its customers, in case hackers manage to crack some passwords from the list, Flightradar24 has already expired previous passwords for the affected user, forcing them to set a new password before accessing their accounts.

However, it would also be a great idea to change your passwords on other online services and platforms as well, if you share the same credentials.

Security-oriented BSD operating system OpenBSD has decided to disable support for Intel's hyper-threading performance-boosting feature, citing security concerns over Spectre-style timing attacks.

Introduced in 2002, Hyper-threading is Intel's implementation of Simultaneous Multi-Threading (SMT) that allows the operating system to use a virtual core for each physical core present in processors in order to improve performance.

The Hyper-threading feature comes enabled on computers by default for performance boosting, but in a detailed post published Tuesday, OpenBSD maintainer Mark Kettenis said such processor implementations could lead to Spectre-style timing attacks.

"SMT (Simultaneous multithreading) implementations typically share TLBs and L1 caches between threads," Kettenis wrote. "This can make cache timing attacks a lot easier, and we strongly suspect that this will make several Spectre-class bugs exploitable."

In cryptography, side-channel timing attack allows attackers to compromise a system by analyzing the time taken to execute cryptographic algorithms. By measuring the precise time taken for each operation, an attacker can inversely calculate the input values to reveal confidential information.

Meltdown and Spectre-class vulnerabilities discovered earlier this year would be excellent examples of timing attacks.

Therefore, to prevent users of the OpenBSD operating system from such previously disclosed, as well as future timing attacks, the OpenBSD project has disabled the hyper-threading feature on Intel processors by default, as part of system hardening.

What About System Performance?

You might be thinking, removing this optimization feature could impact the performance of your system negatively, but OpenBSD doesn't think so.

Kettenis believes that switching off SMT will not have any negative effect on the system performance, saying leaving it enabled could actually slow down most compute workloads on CPUs with more than two physical cores.

Kettenis also stressed that OpenBSD will also disable the built-in SMT feature by default for CPUs from other vendors, like AMD, in the future.

"We really should not run different security domains on different processor threads of the same core," Kettenis wrote.

OpenBSD has rolled out a new setting via "hw.smt sysctl" that, by default, disables SMT support, and those who want to leverage simultaneous multithreading feature can manually enable it.

However, the new toggle feature only available for Intel CPUs running OpenBSD/amd64 for now and soon will be extended to other vendors and hardware architectures.