The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Remember the infamous encryption fight between Apple and the FBI for unlocking an iPhone belonging to a terrorist behind the San Bernardino mass shooting that took place two years ago? After Apple refused to help the feds access data on the locked iPhone, the FBI eventually paid over a million dollar to a third-party company for unlocking the shooter's iPhone 5c. Now, it appears that the federal agency will not have to fight Apple over unlocking iPhones since the Israeli mobile forensics firm Cellebrite has reportedly figured out a way to unlock almost any iPhone in the market, including the latest iPhone X. Cellebrite , a major security contractor to the United States law enforcement agencies, claims to have a new hacking tool for unlocking pretty much every iPhone running iOS 11 and older versions, Forbes reports. In its own literature [ PDF ] "Advanced Unlocking and Extraction Services," Cellebrite says its services can break the security of "Apple iO...

If you have installed world's most popular torrent download software, μTorrent, then you should download its latest version for Windows as soon as possible. Google's security researcher at Project Zero discovered a serious remote code execution vulnerability in both the 'μTorrent desktop app for Windows' and newly launched 'μTorrent Web' that allows users to download and stream torrents directly into their web browser. μTorrent Classic and μTorrent Web apps run in the background on the Windows machine and start a locally hosted HTTP RPC server on ports 10000 and 19575, respectively, using which users can access its interfaces over any web browser. However, Project Zero researcher Tavis Ormandy found that several issues with these RPC servers could allow remote attackers to take control of the torrent download software with little user interaction. According to Ormandy, uTorrent apps are vulnerable to a hacking technique called the "domain name s...

Yes, your smartphone is spying on you. But, the real question is, should you care? We have published thousands of articles on The Hacker News, warning how any mobile app can turn your smartphone into a bugging device—' Facebook is listening to your conversations', ' Stealing Passwords Using SmartPhone Sensors', 'Your Headphones Can Spy On You' and 'Android Malware Found Spying Military Personnel' to name a few. All these stories have different objectives and targets but have one thing in common, i.e., apps running in the background covertly abuse ' permissions ' without notifying users. Installing a single malicious app unknowingly could allow remote attackers to covertly record audio, video, and taking photos in the background. But, not anymore! In a boost to user privacy, the next version of Google's mobile operating system, Android P, will apparently block apps idling in the background from accessing your smartphone's camera a...

Only a single character can crash your iPhone and block access to the Messaging app in iOS as well as popular apps like WhatsApp, Facebook Messenger, Outlook for iOS, and Gmail. First spotted by Italian Blog Mobile World, a potentially new severe bug affects not only iPhones but also a wide range of Apple devices, including iPads, Macs and even Watch OS devices running the latest versions of their operating software. Like previous 'text bomb' bug, the new flaw can easily be exploited by anyone, requiring users to send only a single character from Telugu—a native Indian language spoken by about 70 million people in the country. Once the recipient receives a simple message containing the symbol or typed that symbol into the text editor, the character immediately instigates crashes on iPhones, iPads, Macs, Apple Watches and Apple TVs running Apple's iOS Springboard. Apps that receive the text bomb tries to load the character, but fails and refuses to function prope...

Bitmessage developers have warned of a critical 'remotely executable' zero-day vulnerability in the PyBitmessage application that was being exploited in the wild. Bitmessage is a Peer-to-Peer (P2P) communications protocol used to send encrypted messages to users. Since it is decentralized and trustless communications, one need-not inherently trust any entities like root certificate authorities. Those who unaware, PyBitmessage is the official client for Bitmessage messaging service. According to Bitmessage developers, a critical zero-day remote code execution vulnerability, described as a message encoding flaw, affects PyBitmessage version 0.6.2 for Linux, Mac, and Windows and has been exploited against some of their users. "The exploit is triggered by a malicious message if you are the recipient (including joined chans). The attacker ran an automated script but also opened, or tried to open, a remote reverse shell," Bitmessage core developer Peter Šurda ex...

A serious vulnerability has been discovered in Microsoft-owned most popular free web messaging and voice calling service Skype that could potentially allow attackers to gain full control of the host machine by granting system-level privileges to a local, unprivileged user. The worst part is that this vulnerability will not be patched by Microsoft anytime soon. It's not because the flaw is unpatchable, but because fixing the vulnerability requires a significant software rewrite, which indicates that the company will need to issue an all-new version of Skype rather than just a patch. The vulnerability has been discovered and reported to Microsoft by security researcher Stefan Kanthak and resides in Skype's update installer, which is susceptible to Dynamic Link Libraries (DLL) hijacking. According to the researcher, a potential attacker could exploit the "functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded fi...

Microsoft's Patch Tuesday for this month falls the day before the most romantic day of the year. Yes, it's Valentine's, and the tech giant has released its monthly security update for February 2018, addressing a total of 50 CVE-listed vulnerabilities in its Windows operating system, Microsoft Office, web browsers and other products. Fourteen of the security updates are listed as critical, 34 are rated as important, and 2 of them are rated as moderate in severity. The critical update patches serious security flaws in Edge browser and Outlook client, an RCE in Windows' StructuredQuery component, and several memory corruption bugs in the scripting engines used by Edge and Internet Explorer. Critical Microsoft Outlook Vulnerability One of the most severe bugs includes a memory corruption vulnerability ( CVE-2018-0852 ) in Microsoft Outlook, which can be exploited to achieve remote code execution on the targeted machines. In order to trigger the vulnerability...