Introduction
Hello, welcome to this week's review. As usual, I am Habdul Hazeez.
Malware that can steal your money is not something you'll want to hear about, and neither is a software bug in your favorite device. Quite frankly, these, among others, are what this week's review is all about.
Grab a cup of coffee, and let's dissect the stories together.
Apple's New iCloud Private Relay Service Leaks Users' Real IP Addresses
This is somewhat analogous to using a VPN that ends up revealing your IP address to the visited website or application. You might not even know this until you use a website that reveals your IP address.
Excerpt from the article:
A new as-yet unpatched weakness in Apple's iCloud Private Relay feature could be circumvented to leak users' true IP addresses from iOS devices running the latest version of the operating system
Google Warns of a New Way Hackers Can Make Malware Undetectable on Windows
A big Hat Tip to one of the smartest creatures on Earth — Humans.
We are always crafty, to say the least.
Excerpt from the article:
Cybersecurity researchers have disclosed a novel technique adopted by a threat actor to deliberately evade detection with the help of malformed digital signatures of its malware payloads
Frustrated Researcher Discloses Three Unpatched iOS Vulnerabilities
Take a deep breath, exhale, how do you feel? Calm? That's nice, and please be patient.
Excerpt from the article:
"When I confronted [Apple], they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time," the researcher said
New BloodyStealer Trojan Steals Gamers' Epic Games and Steam Accounts
Due to the high-profile nature of the applications targeted by this malware, the name BloodyStealer is no exaggeration.
Excerpt from the article:
BloodyStealer is a Trojan-stealer capable of gathering and exfiltrating various types of data, for cookies, passwords, forms, banking cards from browsers, screenshots, log-in memory, and sessions from various applications
The information harvested from gaming apps, such as Bethesda, Epic Games, GOG, Origin, Steam, and VimeWorld, is exfiltrated to a remote server, from where it's likely to be monetized on darknet platforms
Beware! This Android Trojan Stole Millions of Dollars from Over 10 Million Users
Nothing is scarier than losing your hard-earned money to malicious code.
Excerpt from the article:
Zimperium zLabs dubbed the malicious trojan "GriftHorse." The money-making scheme is believed to have been under active development starting from November 2020, with victims reported across Australia, Brazil, Canada, China, France, Germany, India, Russia, Saudi Arabia, Spain, the U.K., and the U.S
Hackers could force locked iPhones to make contactless payments
When it's locked, that does not mean it's safe and secure.
Excerpt from the article:
The attack, classified as a Man-in-the-Middle (MitM) replay and relay attack, requires the iPhone to have a Visa Card set up for payment with the “Express Travel” mode turned on, and the victim to be in close vicinity to the attacker
Apple forgot to sanitize the Phone Number field for lost AirTags
At first, when I read this article's title, I thought of one thing only: XSS.
Then I read the article, and it turns out to be XSS because it's the major bug you can think of when you somehow fail to sanitize inputs from your users in an application.
Excerpt from the article:
This kind of attack doesn't need much technological know-how—the attacker simply types valid XSS into the AirTag's phone number field, then puts the AirTag in Lost mode and drops it somewhere the target is likely to find it
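The bug class discussed above, as an added example that is not from the article or from Apple's code: a phone number field rendered without checks, next to a version that validates the input against an allowlist and encodes it on output. The function names and the sample inputs are assumptions made up for illustration.

```javascript
// Added example: all names here are hypothetical, not Apple's code.
// Sample inputs at the bottom are constructed.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allowlist validation: accept only characters a phone number can contain,
// then require 7 to 15 digits (15 is the E.164 maximum). Returns the
// canonical "+digits" or "digits" form, or null if it is not a phone number.
function normalizePhone(input) {
  if (typeof input !== "string" || input.length > 32) return null;
  const trimmed = input.trim();
  if (!/^\+?[0-9 ()\-.]+$/.test(trimmed)) return null;
  const digits = trimmed.replace(/\D/g, "");
  if (digits.length < 7 || digits.length > 15) return null;
  return (trimmed.startsWith("+") ? "+" : "") + digits;
}

// Vulnerable pattern: the stored field is concatenated into markup as-is.
function renderFoundPageUnsafe(phone) {
  return `<p>Call the owner: ${phone}</p>`;
}

// Hardened pattern: invalid values never reach the markup, and the valid
// value is still HTML-encoded on output as defence in depth.
function renderFoundPage(phone) {
  const normalized = normalizePhone(phone);
  if (normalized === null) {
    return "<p>The owner did not provide a valid phone number.</p>";
  }
  const safe = escapeHtml(normalized);
  return `<p>Call the owner: <a href="tel:${safe}">${safe}</a></p>`;
}

// Constructed sample inputs: one real-looking number, one markup payload.
const samples = ["+1 (555) 010-0199", "<script>alert(1)</script>"];
for (const s of samples) {
  console.log("unsafe  :", renderFoundPageUnsafe(s));
  console.log("hardened:", renderFoundPage(s));
}
```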
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, I'll see you next Friday.