Application Security news, articles & updates | SC Media

Application Security

1,200 iOS apps unknowingly handing over dollars to Chinese ad platform

Malicious code embedded in the Chinese mobile ad platform Mintegral SDK, used by 1,200-plus iOS apps downloaded more than 300 million times monthly, is siphoning off advertising dollars. The Mintegral SDK platform is intended to give app developers and advertisers an opportunity to monetize their ad-based marketing. But researchers from Snyk found evidence that other…

IBM pays up in tech, settles Weather Channel privacy lawsuit by LA

IBM will pony up $1 million worth of technology to the city of Los Angeles for COVID-19 contact tracing, and The Weather Channel app will change its privacy practices regarding use of user location data. The changes come with the settlement of a lawsuit that accused the app of misleading users as to how their…

Exposed dating service databases leak sensitive info on romance-seekers

A series of database misconfigurations publicly exposed the personal information and private messages of more than 100 million dating website and mobile app account holders. Independent VPN review site WizCase has reported finding six separate dating sites or apps that each potentially compromised thousands of users due to improper data storage. According to WizCase researchers,…

Malware in GitHub-hosted projects designed to spread among open-source developers

Twenty-six open-source projects hosted on GitHub repositories were found to be infected with malware and capable of serving up weaponized code to potential developers in a potential supply chain attack, the GitHub Security Lab has disclosed. An investigation into the incident turned up what GitHub described as a first: “malware designed to enumerate and backdoor…

Device owners demand opt-out power from COVID-19 contact tracing apps

To encourage widespread acceptance of Bluetooth-based COVID-19 contact tracing applications, developers should allow consumers to opt out of data sharing at any time, and they should also be more forthcoming about their security efforts and data usage, according to the results of a new survey. For the study, Checkmarx polled 1,500 Americans and found that…

Salt exploit attacks expose underestimated threat vector: Infrastructure-as-Code tools

Malicious actors have pounced on a pair of critical vulnerabilities found in SaltStack’s open-source, event-based IT automation and configuration management tool Salt. In a series of quick strikes over the weekend, one or more attackers exploited the flaws — disclosed and patched just days earlier — to compromise the “Salt master” servers of several prominent users,…

Two information-disclosing bugs found in Twitter Android

In the span of five days, reports of two Twitter Android app vulnerabilities have surfaced: one that could allow attackers to view nonpublic account information or control accounts, and another that reportedly allowed a researcher to look up details on 17 million accounts. In a Dec. 20 blog post, Twitter noted that it issued an…

Facebook sues surveillance tool provider and hosts of hacking websites

Facebook this week filed a lawsuit against a reputed spyware provider that allegedly exploited a WhatsApp vulnerability to enable smartphone hacking, and also pursued legal action against the domain hosts of multiple websites that allegedly offer tools for hacking the social network. On Tuesday, Facebook and its encrypted messaging subsidiary WhatsApp filed a complaint against…

Twitter users’ 2FA info found its way to advertisers

Twitter this week disclosed that it gave advertisers access to email addresses and phone numbers that users had supplied to the social media messaging platform, originally for two-factor authentication purposes. The company is asserting that this practice was inadvertent. In an online post, Twitter acknowledged that data intended for “safety or security purposes” went to…

Android apps with scores of downloads serve up annoying ads, unwanted subscriptions

Hundreds of millions of Android devices have potentially been compromised by malicious adware and ad fraud apps that on the surface appear to offer harmless services such as selfie filters, weather forecasts or VPN security, according to a trio of recently released research reports. Late last week, researchers at mobile security company Wandera reported finding…
