MacOS High Sierra Root Password Flaw, Insecure Android Cryptocurrency Wallets & Uber Reveals 2.7M UK People Affected By Breach


Change Root Password Now – Lemi Orhan Ergin disclosed on Twitter today a serious flaw in the new macOS High Sierra that gives anyone with physical access to a Mac (or remote access to its login prompt) full control of the machine. Anyone can log in as “root” with an empty password simply by clicking the login button several times. Because root is the superuser, a successful login means complete administrative rights over the computer. High Sierra users can reproduce the flaw by opening System Preferences, then Users & Groups, clicking the lock to make changes, entering “root” as the user name with no password, and pressing Unlock repeatedly until the system relents and lets them in. Be aware that this is not a harmless test: the failed attempts are what leave the root account enabled with a blank password, so do not “check” a machine this way. Until Apple delivers a patch, protect yourself by setting a password for the root account, following the steps at Apple Support – https://support.apple.com/en-us/HT204012
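As an added example (not from the original post and not Apple's own guidance), the following script checks whether the local root record already carries a password hash and, if not, sets one from the command line instead of via the Directory Utility steps Apple describes. It assumes that on macOS `dscl . -read /Users/root AuthenticationAuthority` prints a `;ShadowHash;` authority once a password has been set and reports a missing key otherwise, and that `sudo passwd root` is an acceptable equivalent of setting the password in Directory Utility; the sample dscl outputs used to exercise the check are constructed.

```shell
#!/bin/sh
# Added example: check whether the local root record has a password hash and
# set one if it does not. Not part of the original post or Apple's advice.
# Assumption: on macOS, "dscl . -read /Users/root AuthenticationAuthority"
# includes ";ShadowHash;" in the value once a password has been set, and
# reports an error (no such key) when it has not.
set -eu

# root_has_password OUTPUT
# Returns 0 if OUTPUT (the text printed by the dscl read above) shows a
# ShadowHash authority, 1 otherwise. Kept as a pure function so it can be
# exercised with constructed input on any platform.
root_has_password() {
    case "$1" in
        *ShadowHash*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Only touch the directory service on macOS; elsewhere the script just
# defines the check so it can be tested.
if [ "$(uname -s)" = "Darwin" ]; then
    # Capture stdout and stderr: dscl prints the "no such key" error on stderr.
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    if root_has_password "$out"; then
        echo "root already has a password hash; nothing to do"
    else
        echo "root has no password hash; setting one now (you will be prompted)"
        # Do NOT attempt an empty-password login to "test" the flaw: that is
        # exactly what enables root with a blank password. Just set a strong one.
        sudo passwd root
    fi
fi
```

Run it with `sh set-root-password.sh` on the affected Mac; on any other system it only defines `root_has_password`, which is what the check below exercises.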

Disaster Waiting to Happen – The vast majority of Android apps for managing cryptocurrencies fail even the most basic and well-known security checks. Researchers at the security company High-Tech Bridge used their Mobile X-Ray vulnerability scanner to test 90 popular Android apps for common vulnerabilities and weaknesses, and reported that over 90% of them “may be in trouble.” Some of these flaws can be exploited automatically as part of the exploitation chains built into Android banking trojans. With Bitcoin and other cryptocurrencies trading at all-time highs, the flaws expose users to theft and other financial fraud. The apps contained well-known vulnerabilities, hardcoded API keys and passwords, missing encryption, and susceptibility to man-in-the-middle (MitM) attacks. All in all, the report shows once again that the problem lies deep in the Android app development community, where security is not treated as a priority.
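The report names weakness classes rather than specific apps. As an added example (not High-Tech Bridge's Mobile X-Ray scanner, and not code from any wallet app), here is a grep-based triage a reviewer can run over an apktool-decoded APK to surface the three classes listed above: credential-like entries hardcoded in resources, plain-HTTP endpoints or a manifest that opts into cleartext traffic, and custom `X509TrustManager` or hostname-verifier code of the kind that usually disables certificate validation and opens the door to MitM. The regexes are a starting point, not a substitute for a real scanner, and the small decoded-app tree the script generates for its demo run is constructed.

```shell
#!/bin/sh
# Added example (not the Mobile X-Ray scanner and not code from any wallet app):
# quick static triage of an apktool-decoded Android app for the weakness
# classes named in the High-Tech Bridge report. Usage:
#   sh triage.sh /path/to/decoded-apk    (the directory from "apktool d app.apk")
# With no argument it scans a small constructed sample tree instead.
set -eu

# count_hits DIR CLASS -> prints the number of matching lines under DIR.
# CLASS is one of: secrets, cleartext, tls.
count_hits() {
    dir=$1
    case "$2" in
        # Resource entries named like credentials (res/values/strings.xml etc.)
        secrets)   pat='name="[^"]*(api_?key|secret|password)[^"]*"' ;;
        # Plain-HTTP endpoints, or the manifest opting in to cleartext traffic
        cleartext) pat='http://|usesCleartextTraffic="true"' ;;
        # Custom trust managers / hostname verifiers, the usual MitM enablers
        tls)       pat='X509TrustManager|checkServerTrusted|ALLOW_ALL_HOSTNAME_VERIFIER' ;;
        *) echo "unknown class: $2" >&2; return 2 ;;
    esac
    # -h drops filenames so wc counts lines; a miss yields 0 rather than an
    # error because the pipeline's status is that of wc, not grep.
    grep -rEih -- "$pat" "$dir" | wc -l | tr -d ' '
}

# make_sample DIR: writes a constructed decoded-app tree for the demo run.
make_sample() {
    mkdir -p "$1/res/values" "$1/smali/com/example/wallet"
    cat > "$1/AndroidManifest.xml" <<'EOF'
<manifest package="com.example.wallet">
    <application android:usesCleartextTraffic="true" android:label="@string/app_name"/>
</manifest>
EOF
    cat > "$1/res/values/strings.xml" <<'EOF'
<resources>
    <string name="app_name">CoinWallet</string>
    <string name="api_key">constructed-sample-key-0000</string>
    <string name="backend_password">constructed-sample-pass</string>
</resources>
EOF
    cat > "$1/smali/com/example/wallet/Api.smali" <<'EOF'
    const-string v0, "http://api.example.com/v1/balance"
EOF
    cat > "$1/smali/com/example/wallet/TrustAll.smali" <<'EOF'
.implements Ljavax/net/ssl/X509TrustManager;
.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    return-void
.end method
EOF
}

# Demo: scan the decoded APK given as $1, or the constructed tree if none.
target=${1:-}
cleanup=0
if [ -z "$target" ]; then
    target=$(mktemp -d)
    make_sample "$target"
    cleanup=1
fi
for class in secrets cleartext tls; do
    printf '%-10s %s\n' "$class" "$(count_hits "$target" "$class")"
done
if [ "$cleanup" -eq 1 ]; then
    rm -rf "$target"
fi
```

A non-zero count in any class is a reason to open the file, not a verdict: a `checkServerTrusted` hit may be a correctly implemented pinning class, and an `http://` string may be a comment. The point of the triage is that the three weakness classes the report describes are cheap to find, which is also why banking trojans can target them automatically.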

ICO Still Waiting on Technical Reports – Uber has finally come clean about how many people in the UK were affected by the breach it suffered in October 2016. According to Uber, around 2.7M UK users were affected, although an exact figure has yet to be established: “This is an approximation rather than an accurate and definitive count because sometimes the information we get through the app or our website that we use to assign a country code is not the same as the country where a person actually lives.” The Information Commissioner’s Office (ICO) has said it expects Uber to alert the affected people as soon as possible. However, both the ICO and the National Cyber Security Centre (NCSC) have said that, based on the type of information stolen, the breach is unlikely to expose people directly to financial crime, though it could put them at risk of scams.