|
Powerful Two-Hander posted:tensorflow my tears, the policeman said
|
# ? Feb 28, 2020 23:45 |
|
if google cared, they’d apply extra scrutiny to app submissions that request permissions like that. and maybe provide a way for security sensitive apps to require a conscious “yes I want to allow cindy crash saga to read the screen on google authenticator”, which people would obviously still just accept without thinking but at least it would be another red flag for them to ignore
|
# ? Feb 29, 2020 01:58 |
|
They're starting to tighten up some of the permission nonsense in newer versions, but for backwards compatibility you only get the behavior of whatever android version the app's targetSDK is set to. Also android's whole system assumes every app goes through the play store, because that's the only place a minimum targetSDK is enforced for apps. Apps from anywhere else can just keep targeting whatever old version to abuse poo poo
|
# ? Feb 29, 2020 02:43 |
|
quote: The feature enabling theft of device’s screen lock credentials (PIN and lock pattern) is powered by a simple overlay that will require the victim to unlock the device. From the implementation of the RAT we can conclude that this screen-lock credential theft was built in order for the actors to be able to remotely unlock the device in order to perform fraud when the victim is not using the device. This once more shows the creativity of criminals to build the right tools to be successful.

This is some amateur hour stuff. It relies on the user specifically giving it access. I mean, it's been a month or so, so I guess we're due for someone to breathlessly post a "if you give a trojan access to your device it might steal your money! LOL ANROID" but I'm still disappointed by it every time.
|
# ? Feb 29, 2020 04:18 |
|
Volmarias posted: I mean, it's been a month or so, so I guess we're due for someone to breathlessly post a "if you give a trojan access to your device it might steal your money! LOL ANROID" but I'm still disappointed by it every time.

lol okay
|
# ? Feb 29, 2020 04:28 |
|
choice quotes from a rookie product manager today:

quote: we'd like to tell our sales teams that "security == enterprise-only"

some people should probably not be in charge of product direction for gateway applications that run at the network edge
|
# ? Feb 29, 2020 04:34 |
|
what does that even mean?
|
# ? Feb 29, 2020 04:40 |
|
effectively, that our sales reps have trouble closing deals because the FLOSS version of the product is good enough for most users ... and that the solution to this conundrum is to intentionally withhold security improvements from the open source codebase
|
# ? Feb 29, 2020 06:37 |
|
Lutha Mahtin posted: also, over the years a lot of legitimate apps have abused the accessibility APIs on android because it was the only way to create certain features, or it was the only way to allow users not on the latest android OS to still get the new feature you've been hyping up in your app's new update. this has trained many android users to not care that apps want to do screen-scraping because "oh that's the same feature that makes it so my (legitimate) password manager can function"

making a big assumption here that people (1) look at and (2) remember what permissions they granted to previous apps
|
# ? Feb 29, 2020 07:58 |
|
CMYK BLYAT! posted: effectively, that our sales reps have trouble closing deals because the FLOSS version of the product is good enough for most users

Ah, the elasticsearch model
|
# ? Feb 29, 2020 10:08 |
|
https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/
|
# ? Feb 29, 2020 20:40 |
|
lol tomcat
|
# ? Feb 29, 2020 20:49 |
|
HELLOMYNAMEIS___ posted: https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/

That’s overselling it a bit, isn’t it? AJP works as advertised. Exposing it on all interfaces is a bit 10 years ago, but if your firewall exposes port 8009 you deserve a little exploit.
|
# ? Feb 29, 2020 20:50 |
|
https://twitter.com/gossithedog/status/1233796482509217794
|
# ? Feb 29, 2020 22:34 |
|
Wish there was more info in their write-up than "oh yeah turned out there were 5 more APTs there too"
|
# ? Feb 29, 2020 22:49 |
|
girlfriend was swearing in the basement trying to set up an Xbox 360 for her kid’s birthday party when I left, but she sorted it all out
|
# ? Feb 29, 2020 23:02 |
|
didn't they have a 16 character issue that they ignored for legacy products
|
# ? Feb 29, 2020 23:20 |
|
That 360 password length problem has existed since before the Xbox One at the very least, and the 360 doesn't support any 2fa so you have to use an app password now. The PS4 also only supports sms 2fa, so console gaming is fun all around I guess.
|
# ? Feb 29, 2020 23:41 |
|
just another day for mobiles https://twitter.com/awesomonster/status/1085004469878718464 https://twitter.com/LilDogMeat/status/1085436597510623232
|
# ? Mar 1, 2020 18:41 |
|
klafbang posted: That’s overselling it a bit, isn’t it? AJP works as advertised. Exposing it on all interfaces is a bit 10 years ago, but if your firewall exposes port 8009 you deserve a little exploit.

i just told my wife about it cuz they use tomcat at her job and i was like "well as long as you don't have port 8009 open to the internet it should be fine" and she's like "oh yeah we do lol"
|
# ? Mar 2, 2020 02:33 |
|
klafbang posted: That’s overselling it a bit, isn’t it? AJP works as advertised. Exposing it on all interfaces is a bit 10 years ago, but if your firewall exposes port 8009 you deserve a little exploit.

I guess, but the reverse-engineered documentation says

quote: What about authentication? There doesn't seem to be any authentication of the connection between the web server and the container. This strikes me as potentially dangerous.

which seems like a meaningful flaw in a protocol that's being deployed in 2020, and indeed the tomcat updates add a shared secret to authenticate with. If AJP were just doing what it was supposed to, then the same attack would be possible over the HTTP connector, right?
|
# ? Mar 2, 2020 15:20 |
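An added example, not part of any post in this thread: a defender-side audit of a Tomcat `server.xml` for the two AJP conditions discussed above, a connector bound beyond loopback and a connector with no shared secret. The function name `audit_ajp`, its `patched_defaults` switch and both sample configs are constructed for illustration; `address`, `secret`, `requiredSecret` and `secretRequired` are Tomcat's own AJP connector attributes.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml contents (not from any real deployment).
EXPOSED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"/>
</Service></Server>"""

HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="PLACEHOLDER-not-a-real-secret"/>
</Service></Server>"""


def audit_ajp(server_xml, patched_defaults=True):
    """Return (port, finding) tuples for each AJP connector in server_xml.

    Assumption: patched_defaults=True means the Tomcat release already binds
    AJP to loopback when no address is given; pass False for older releases,
    where a missing address attribute means "all interfaces".
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # protocol may be "AJP/1.3" or a class name such as ...AjpNioProtocol
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            address = "127.0.0.1" if patched_defaults else "0.0.0.0"
        if address not in LOOPBACK:
            findings.append((port, f"listens on non-loopback address {address}"))
        # requiredSecret is the older name of the secret attribute
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append((port, "no shared secret configured"))
    return findings


if __name__ == "__main__":
    for name, xml in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_ajp(xml) or "ok")
```

A clean result only covers the configuration file; whether port 8009 is reachable from outside still depends on the firewall in front of the host.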
|
So with this Cerberus thing stealing 2FA codes via accessibility screen capture (ZDNet Zero Day, e.g.), is there any mitigation that one can recommend other than "understand the significance of all Android permission requests"?
|
# ? Mar 2, 2020 15:22 |
|
Subjunctive posted: So with this Cerberus thing stealing 2FA codes via accessibility screen capture (ZDNet Zero Day, e.g.), is there any mitigation that one can recommend other than "understand the significance of all Android permission requests"?

That and "stop using Android you idiot"
|
# ? Mar 2, 2020 15:25 |
|
Subjunctive posted: So with this Cerberus thing stealing 2FA codes via accessibility screen capture (ZDNet Zero Day, e.g.), is there any mitigation that one can recommend other than "understand the significance of all Android permission requests"?

"Don't install something called 'Free Flash Player' from outside the play store that asks you to enable it as an accessibility aid, in fact never turn off the switch that lets you install untrusted apps"

Maybe don't let that free flashlight app have access to your location or your contacts either????????
|
# ? Mar 2, 2020 16:30 |
|
Volmarias posted: "Don't install something called 'Free Flash Player' from outside the play store that asks you to enable it as an accessibility aid, in fact never turn off the switch that lets you install untrusted apps"

Ah, OK, I didn't know that the Play Store would prevent things that abused accessibility in this way from being deployed. That's easy to explain to people. Why does the Play Store let the free flashlight app ask for location access if it's not reasonable for the user to permit it?
|
# ? Mar 2, 2020 16:57 |
|
because there is no one checking on that it would cost money to hire people to review app permissions
|
# ? Mar 2, 2020 17:00 |
|
Subjunctive posted: Ah, OK, I didn't know that the Play Store would prevent things that abused accessibility in this way from being deployed. That's easy to explain to people.

It doesn't prevent you altogether from putting an app up that abuses APIs since it's not curated, but it does scan for malware along with some more common likely to be garbage stuff. You still have flashlight apps requesting location info for ads, basically, and while they're tightening up on this they could stand to go a lot further a lot faster imo. Not having a gate keeper was a massive differentiating feature a decade ago but at this point I think having manual review for certain kinds of apps would be helpful.

Volmarias fucked around with this message at 17:06 on Mar 2, 2020
# ? Mar 2, 2020 17:04 |
|
Volmarias posted: It doesn't prevent you altogether from putting an app up that abuses APIs since it's not curated, but it does scan for malware along with some more common likely to be garbage stuff.

OK, so what should I tell people to do then? It seems like "don't grant accessibility permissions" is the closest thing that would actually prevent this class of attack (which then uses those permissions to disable the Play Protect stuff, natch), but that's not very easy to explain to people. Certainly not as easy as "only install from the Play Store", so you got my hopes up!
|
# ? Mar 2, 2020 17:10 |
|
Subjunctive posted: OK, so what should I tell people to do then? It seems like "don't grant accessibility permissions" is the closest thing that would actually prevent this class of attack (which then uses those permissions to disable the Play Protect stuff, natch), but that's not very easy to explain to people. Certainly not as easy as "only install from the Play Store", so you got my hopes up!

If it's not on the play store, and it's not something you're developing or building yourself, it's probably malware. Definitely tell people to only get it from Play or Amazon, and tell them to think about why an app needs certain permissions, especially ones that take you out of the app.
|
# ? Mar 2, 2020 17:14 |
|
Basically, if they suddenly land on a page telling them to install something they weren't expecting, don't, no matter how interesting it seems. Same advice you'd give for iframe based ad site redirects that tell you you've won a free iPad.
|
# ? Mar 2, 2020 17:16 |
|
does android not have a built in flashlight feature?
|
# ? Mar 2, 2020 17:37 |
|
other than app whitelisting/blacklisting I don’t think even android’s emm/mdm lets you restrict that permission
|
# ? Mar 2, 2020 17:39 |
|
Chris Knight posted: does android not have a built in flashlight feature?

it does, but i wouldn't be surprised if a carrier removed it so they could install their own ad laden one
|
# ? Mar 2, 2020 17:41 |
|
Volmarias posted: If it's not on the play store, and it's not something you're developing or building yourself, it's probably malware. Definitely tell people to only get it from Play or Amazon, and tell them to think about why an app needs certain permissions, especially ones that take you out of the app.

that reminds me: is Epic still having people side-load Fortnite to get around Play store fees?
|
# ? Mar 2, 2020 17:45 |
|
"think about why an app needs permissions" oh yea cracked that nut, gj
|
# ? Mar 2, 2020 19:09 |
|
Chris Knight posted: does android not have a built in flashlight feature?

it didn't get one until version 5 (ctrl-f flashlight on this page) so ~10% of android devices in the wild don't have it.
|
# ? Mar 2, 2020 19:58 |
|
Mr.Radar posted: it didn't get one until version 5 (ctrl-f flashlight on this page) so ~10% of android devices in the wild don't have it.

android is such a fuckin disaster lmao
|
# ? Mar 2, 2020 20:05 |
|
Subjunctive posted: OK, so what should I tell people to do then? It seems like "don't grant accessibility permissions" is the closest thing that would actually prevent this class of attack (which then uses those permissions to disable the Play Protect stuff, natch), but that's not very easy to explain to people. Certainly not as easy as "only install from the Play Store", so you got my hopes up!

Granting accessibility requires a lot of clicks through UI that's clearly marked accessibility. "Don't grant accessibility regardless of the pitch" is a good thing to say. Only install from the play store is in practice the simplest, the numbers of bad there are still less than any other machine they own.

e: this thread still doesn't know much about mobile anything
|
# ? Mar 2, 2020 20:08 |
|
Subjunctive posted: Why does the Play Store let the free flashlight app ask for location access if it's not reasonable for the user to permit it?

the accessibility options are also much more of a pain to obtain device-side.
|
# ? Mar 2, 2020 20:10 |
|
Anroid.
|
# ? Mar 2, 2020 20:21 |