- Affected Vendor: http://tapbots.com/
- Affected Software: Tweetbot for Mac, iPad and iPhone
- Affected Version: Mac: 1.3.3 – iPad: 2.8.5 – iPhone: 2.8.5
- Issue Type: Lack of user confirmation leading to Twitter action revealing the user’s Twitter identity
- Release Date: November 1, 2013
- Discovered by: Guillaume Ross
- CVE Identifier: CVE–2013–5726
- Issue Status: Vendor has published version 3 for iPhone which resolves the issue. Vendor has confirmed the fix is in the Mac and iOS V2 codebase and should be released soon.
Tweetbot is a Twitter client for Mac and iOS. Separate iOS versions exist for iPhone and iPad.
Tweetbot has a URL Scheme/association on all versions that allows actions to be triggered from within other applications. The supported actions can be viewed at http://tapbots.com/blog/development/tweetbot-url-scheme
The actions related to following and favoriting do not prompt the user before performing the action. Additionally, Safari in iOS warns the user that an application will be launched only when the URL is used directly, but not when the URL is used within an inline frame. This makes the attack function without requiring user interaction.
A user browsing the web could click a malicious link or load a page containing a malicious link within an inline frame. The user would then favorite a tweet or follow a user account on Twitter. The attacker can use this action to identify the user browsing the page, to gather followers or to have the victim follow people they would be embarrassed to be associated with.
Proof of Concept
This URL would have the user follow Justin Bieber. By embedding it in an inline frame, the attack is automated on iOS and on Mac.
- August 27 2013 – Vendor notified
- August 27 2013 – Vendor acknowledges vulnerability
- October 24 2013 – Tweetbot v3 for iPhone is released and resolves the issue
- October 31 2013 – Vendor confirms the fix is in the V2 and Mac code base and will be released soon
- November 1 2013 – Vulnerability Disclosed
Temporary workaround for the Mac version
Ensure that your browser does not automatically launch Tweetbot.
Here is a sample in Firefox.
[CVE–2013–5725] – Byword for iOS Data Destruction Vulnerability
- Affected Vendor: http://metaclassy.com/
- Affected Software: Byword for iOS
- Affected Version: 2.x prior to 2.1
- Issue Type: Lack of validation/user confirmation leading to destruction of data
- Release Date: 29 Sept 2013
- Discovered by: Guillaume Ross
- CVE Identifier: CVE–2013–5725
- Issue Status: Vendor has published version 2.1 which adds a confirmation prompt to prevent the issue.
Byword is a text editor for iOS and OS X that can use iCloud or Dropbox to sync documents.
Byword supports actions through X-URLs on iOS.
One of the supported actions replaces a file with the value passed through the URL.
The Replace file action in the affected version does not warn the user and replaces the content of the target file with text specified in the X-URL.
The attacker must know the path to the file, but since the Byword iCloud container has no subfolders, common filenames such as “todo.txt” or “important.txt” are easy to guess; alternatively, the attacker may have received a file the victim created in Byword and can infer the filename from its title.
The file can be overwritten and the data could be lost permanently.
Proof of Concept
This URL would replace the content of the file “Important.txt” in the user’s iCloud container for Byword with “haha”. By using iframes, the attacker can embed this attack in a web page. Safari on iOS will automatically launch Byword and overwrite the file.
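Both advisories above (the Tweetbot follow/favorite actions and the Byword replace action) come down to the same defect: an action arrives via a URL scheme, possibly from a hidden iframe, and the app performs it without the user expressing intent. The dispatcher below is an added model of that pattern, not Tweetbot or Byword code; the `demo-app://` scheme layout and the action names are assumptions made for the demo, and `handle_url` shows the fix the vendors shipped, a confirmation prompt in front of every state-changing action.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical scheme layout used only for this demo (not Tweetbot's or Byword's real schemes):
#   demo-app://open?path=<p>                 read-only
#   demo-app://follow?user=<name>            changes the user's account
#   demo-app://favorite?id=<tweet id>        changes the user's account
#   demo-app://replace?path=<p>&text=<t>     overwrites a document
READ_ONLY = {"open"}
STATE_CHANGING = {  # action -> prompt shown to the user before it runs
    "follow": "Follow Twitter user @{user}?",
    "favorite": "Favorite tweet {id}?",
    "replace": "Overwrite the file {path} with new text?",
}

def parse_action(url):
    """Split a custom-scheme URL into (action, params); reject anything unexpected."""
    parts = urlsplit(url)
    if parts.scheme != "demo-app":
        raise ValueError("unexpected scheme %r" % parts.scheme)
    # parse_qs already percent-decodes; keep only the first value of each key
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.netloc.lower(), params

def handle_url_unsafe(url):
    """What the affected versions did: perform the action as soon as the URL arrives."""
    action, params = parse_action(url)
    return {"action": action, "params": params, "executed": True, "prompted": False}

def handle_url(url, confirm):
    """Hardened handler: allowlist the action and ask before anything that changes
    state. `confirm(message) -> bool` stands in for the app's confirmation dialog."""
    action, params = parse_action(url)
    if action in READ_ONLY:
        return {"action": action, "params": params, "executed": True, "prompted": False}
    if action not in STATE_CHANGING:
        raise ValueError("unknown action %r" % action)
    try:
        message = STATE_CHANGING[action].format(**params)
    except KeyError as missing:
        raise ValueError("missing parameter %s for %r" % (missing, action))
    # The URL may have been loaded by a hidden iframe, so this prompt is the only
    # point at which the user actually expresses intent.
    approved = bool(confirm(message))
    return {"action": action, "params": params, "executed": approved,
            "prompted": True, "message": message}
```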
- August 26 2013 – Vendor notified
- August 26 2013 – Vendor acknowledges vulnerability
- September 18 2013 – Update released that adds a warning/confirmation screen
- September 29 2013 – Advisory released
Corrected in 2.1 with this prompt
Mouse issues in VMware Fusion with machines that don’t have the tools installed?
1. Boot VM
2. Left mouse button does not work
3. Swear and shutdown the VM + close Fusion
4. Edit the VM’s .vmx file and add this line:
mouse.vusb.enable = "TRUE"
5. Restart Fusion and VM
After the Apple dev site portal was down for days, developers received this.
Last Thursday, an intruder attempted to secure personal information of our registered
developers from our developer website. Sensitive personal information was encrypted
and cannot be accessed, however, we have not been able to rule out the possibility
that some developers’ names, mailing addresses, and/or email addresses may have
been accessed. In the spirit of transparency, we want to inform you of the issue. We
took the site down immediately on Thursday and have been working around the clock
In order to prevent a security threat like this from happening again, we’re completely
overhauling our developer systems, updating our server software, and rebuilding our
entire database. We apologize for the significant inconvenience that our downtime has
caused you and we expect to have the developer website up again soon.
Two interesting links obtained via marco.org could point to someone doing this as a “security researcher”. A comment on TechCrunch and a video on YouTube.
The last slide of his video:
I have done all these pentests, adhering to the regulations
and law and without damaging the prestige of the company [...]
That same YouTube video does show email addresses and names of developers that were not blurred. It will be interesting to see how this develops, no pun intended.
It would be easy to fake this and there is certainly no proof that it is true, but if it is, a lot of these arguments have been tried already and it didn’t go that well.
Update: The video has been removed from YouTube and he posted this on Twitter.
the video is now removed from YouTube, I apologise for sharing some of the confidential information, I had to, to prove the blame wrong
Windows Azure SQL Database, formerly known as SQL Azure, is Microsoft’s managed database platform in Azure.
While it is based on Microsoft SQL Server, it has various limitations that can impact how you secure and manage it. It also has some features that can help improve security.
Gatekeeper is a feature that was introduced in Mountain Lion and later backported to Lion. It controls which applications can be executed on your Mac.
By default, your Mac will only execute applications that:
- Came with your Mac or were already installed before you upgraded OS X
- Are on physical disk media
- Are downloaded from the App Store
- Are properly signed by the developers
The middle Gatekeeper option, App Store and identified developers, is the default.
Apps in the App Store are reviewed by Apple, making it the most secure source to obtain software from. However, some applications might make use of features that are not available for App Store applications, or the developer prefers to distribute it out of the store.
Applications that need deep system access such as some backup software require administrative privileges and access to all the computer’s data. As applications in the App Store do not have the privilege to access this data, they can’t be distributed in the App Store.
With Developer-ID, Apple has a record of who is the developer, and if it was ever discovered that this individual or company is distributing malware, they could blacklist their signature from Gatekeeper. This also prevents applications that were maliciously modified from being executed.
Exceptions can be made per application, so if you have an older application that you know for a fact is legitimate but simply was not signed properly, you can allow your Mac to run it: right-click the offending application and choose Open. You will be warned of the risk and can then carry on. This works with both restrictive options (App Store only and App Store + identified developers).
I recommend leaving the default setting as is because more and more applications are properly signed, and because it is not yet possible or even interesting to be App Store only. Before setting a parent’s computer to “App Store only” because they “do not use anything else”, remember that this means things like Adobe Flash updates will not be executed properly.
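Before using the right-click Open override on an application, it is worth seeing what Gatekeeper itself says about it and who signed it. The script below is an added example, not from the original post; it drives spctl, the command-line front end to Gatekeeper, and codesign, both standard macOS tools, and maps their answer onto the categories listed above. The sample output in the `parse_spctl` docstring is constructed from the tool’s format so the parser can be exercised off a Mac.

```python
import re
import subprocess

def parse_spctl(output):
    """Parse the text printed by `spctl --assess --type execute --verbose <app>`.
    Constructed sample of the tool's format (verdict line, then a source= line):
        /Applications/Foo.app: accepted
        source=Mac App Store
    Returns {"accepted": True/False/None, "source": str or None}."""
    verdict = {"accepted": None, "source": None}
    m = re.search(r":\s*(accepted|rejected)\s*$", output, re.MULTILINE)
    if m:
        verdict["accepted"] = (m.group(1) == "accepted")
    m = re.search(r"^source=(.+)$", output, re.MULTILINE)
    if m:
        verdict["source"] = m.group(1).strip()
    return verdict

def gatekeeper_category(verdict):
    """Map a verdict onto the categories the post lists."""
    source = (verdict["source"] or "").lower()
    if verdict["accepted"] and "app store" in source:
        return "App Store"
    if verdict["accepted"] and "developer id" in source:
        return "identified developer"
    if verdict["accepted"]:
        return "accepted: " + (verdict["source"] or "unknown source")
    return "rejected by the current Gatekeeper policy"

def assess_app(app_path):
    """Run spctl and codesign on a Mac. Gatekeeper's verdict plus the signer's
    identity is what you want to see before using the right-click Open override."""
    spctl = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "--verbose", app_path],
        capture_output=True, text=True)
    # spctl prints its verdict to stderr, so read both streams
    verdict = parse_spctl(spctl.stdout + spctl.stderr)
    codesign = subprocess.run(["codesign", "-dv", "--verbose=2", app_path],
                              capture_output=True, text=True)
    # codesign -dv also reports on stderr; the first Authority= line is the leaf certificate
    m = re.search(r"^Authority=(.+)$", codesign.stderr, re.MULTILINE)
    verdict["signer"] = m.group(1).strip() if m else None
    verdict["category"] = gatekeeper_category(verdict)
    return verdict
```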
Here are 9 US newspapers, their domain names, and the associated main domain where their MX records point.
A lot of them are on PSMTP (Google Postini) or Google.
- The New York Times - nytimes.com - PSMTP.com
- The Wall Street Journal - wsj.com - PSMTP.com
- The Washington Post - washingtonpost.com - PSMTP.com
- USA Today - usatoday.com - PSMTP.com
- Los Angeles Times - latimes.com - tribune.com
- New York Post - nypost.com - PSMTP.com
- Chicago Tribune - chicagotribune.com - tribune.com
- Boston Globe - boston.com - boston.com
- Denver Post - denverpost.com - GOOGLE.com
Sick of hitting cmd-q to quit an app in a VM but then shutting down VMware Fusion and 6 VMs that get suspended and that you need to restart and ARGHH?
Just go into Fusion’s preferences and do this.
It’ll work as long as the mouse focus is in a VM. If you hit cmd-q while Fusion has focus but no VM does, you will still end up quitting Fusion.
This should still resolve 90% of my ARGH-quits.