Security News

SAP: It takes exploit devs about 72 hours to turn one of our security patches into a weapon against customers
2021-04-06 21:04

SAP and security analysts Onapsis say cyber-criminals are quick to analyze the enterprise software outfit's patches and develop exploits to get into vulnerable systems. In a joint report issued by the two organizations, Mariano Nunez, CEO of Onapsis, cited "conclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications," and warned that time was of the essence, reporting "SAP vulnerabilities being weaponized in less than 72 hours since the release of patches."

Serious Security: Mac “XcodeSpy” backdoor takes aim at Xcode devs
2021-03-19 19:16

XcodeGhost, an earlier attack on the same toolchain, relied on a hacked version of Xcode that added malware to iOS apps when they were compiled on an infected system, without touching the app's own source code. As we said at the time, "Developers with sloppy security practices, such as using illegally-acquired software of unvetted origin for production builds, turned into iOS malware generation factories for the crooks behind XcodeGhost."

New XcodeSpy malware targets iOS devs in supply-chain attack
2021-03-18 14:47

A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack that installs a macOS backdoor on the developer's computer. Threat actors are increasingly creating malicious versions of popular projects in the hope that they get pulled into other developers' applications.

Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world
2021-03-08 23:22

Now web security professionals are asking developers to do their part by recognizing that Spectre broke the old threat model and by writing code that reflects the new one: a page can no longer assume that data it loads into its process stays hidden from other origins sharing that process. Last month, Mike West, a Google security engineer, drafted a note titled "Post-Spectre Web Development," and Mozilla's Daniel Veditz of the W3C's Web Application Security Working Group asked the group to come to a consensus on supporting the recommendations.
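What "code that reflects the new threat model" looks like on the server side, as an added example (this is not code from the article or from the Post-Spectre note): a request handler that applies a Fetch Metadata resource-isolation policy and sets the cross-origin isolation headers (CORP, COOP, COEP) the note recommends. The request shape (a plain object with `method` and lower-cased `headers`, as Node's `http` module provides) and the sample requests are assumptions for the sake of the example.

```javascript
// Added example (not from the article or the Post-Spectre note).
// Assumed request shape: { method: "GET", headers: { "sec-fetch-site": "cross-site", ... } }
// with lower-cased header names, as Node's http.IncomingMessage provides.

function header(req, name) {
  const v = req.headers[name.toLowerCase()];
  return typeof v === "string" ? v : "";
}

// Fetch Metadata resource-isolation policy: serve same-origin, same-site and
// user-initiated ("none") requests, plus cross-site top-level GET navigations
// that are not <object>/<embed> loads; refuse every other cross-site request,
// which is what stops another origin from pulling your responses into its
// process and then reading them with a Spectre gadget.
function resourceIsolationAllows(req) {
  const site = header(req, "Sec-Fetch-Site");
  // Caveat: browsers without Fetch Metadata send no Sec-Fetch-* headers at all.
  // This policy fails open for them; a stricter deployment could fail closed.
  if (site === "") return true;
  if (site === "same-origin" || site === "same-site" || site === "none") return true;
  const mode = header(req, "Sec-Fetch-Mode");
  const dest = header(req, "Sec-Fetch-Dest");
  const isTopLevelGet = mode === "navigate" && req.method.toUpperCase() === "GET";
  const isEmbed = dest === "object" || dest === "embed";
  return isTopLevelGet && !isEmbed;
}

// Isolation headers for a response. CORP keeps other origins from loading the
// resource into their process; COOP cuts the window-opener link so a cross-origin
// opener cannot share a browsing-context group (and thus a process) with us;
// COEP require-corp only lets subresources that opted in (via CORP or CORS)
// load into our documents. Vary tells caches the answer depends on Fetch Metadata.
function isolationHeaders(opts = {}) {
  const { publicResource = false } = opts;
  return {
    "Cross-Origin-Resource-Policy": publicResource ? "cross-origin" : "same-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "X-Content-Type-Options": "nosniff",
    "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest",
  };
}

// Returns a framework-neutral { status, headers, body } description of the reply.
function handle(req, body, opts = {}) {
  if (!resourceIsolationAllows(req)) {
    return {
      status: 403,
      headers: { "Content-Type": "text/plain", "Vary": isolationHeaders().Vary },
      body: "cross-site request refused by resource isolation policy",
    };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/json", ...isolationHeaders(opts) },
    body,
  };
}

// Constructed sample requests (assumed values, not captured traffic).
const SAMPLE_REQUESTS = [
  { label: "same-origin fetch", req: { method: "GET", headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } } },
  { label: "cross-site image load", req: { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" } } },
  { label: "cross-site link click", req: { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } } },
  { label: "cross-site form POST", req: { method: "POST", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } } },
  { label: "legacy browser, no metadata", req: { method: "GET", headers: {} } },
];

for (const { label, req } of SAMPLE_REQUESTS) {
  const res = handle(req, '{"secret":"user data"}');
  console.log(`${label}: ${res.status}`);
}
```

Only the top-level cross-site navigation and the same-origin request get a 200 here; the cross-site image load and form POST are refused. Note that COEP `require-corp` will break any page whose third-party subresources have not opted in with CORP or CORS headers, so roll it out per-document after auditing what the page embeds.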

'We're finding bugs way faster than we can fix them': Google sponsors 2 full-time devs to improve Linux security
2021-02-24 16:01

Worried about the security of Linux and open-source code, Google is sponsoring a pair of full-time developers to work on the kernel's security. Both are already working at the Linux Foundation, so what is new? "Gustavo's been working on the Linux kernel at the Linux Foundation for several years now," Lorenc tells us.

Android devs: If you're using the Google Play Core Library, update it against this remote file inclusion CVE. Pronto
2020-12-03 15:01

Infosec bods from Check Point have found that popular apps are still shipping outdated versions of Google's Play Core library for Android, versions that contain a remote file inclusion vulnerability. They found that the Play Core Library, an in-app update and streamlining feature offered to Android devs, could be abused to "add executable modules to any apps using the library".

Google forces devs to reveal Chrome extensions’ data use, privacy practices
2020-11-19 10:38

Starting January 2021, developers of Chrome extensions will have to certify their data use and privacy practices and provide information about the data collected by the extension(s), "in clear and easy to understand language," on the extension's detail page in the Chrome Web Store. Apple has made a similar demand of App Store developers: "You'll need to provide information about your app's privacy practices, including the practices of third-party partners whose code you integrate into your app, in App Store Connect," Apple told app developers.

None of our apps (except those 3) could secretly slurp Facebook user details, devs rage to High Court of England and Wales
2020-11-03 17:20

Mobile app developers accused by Facebook of deploying "malicious" SDKs to scrape users' data from the social network have hit back, telling London's High Court that nearly all their apps were "not capable" of harvesting data from Facebook itself. Haltas, one of the developers, has now hit back, claiming that all but three of his apps couldn't possibly scrape data from Facebook because they didn't use the Login with Facebook feature.

China reveals audit of 320,000 local apps, with 34 booted from app stores and hundreds of devs warned they could suffer same fate
2020-10-23 04:27

Through most of 2020 bans on Chinese apps have meant geopolitical strife, but China yesterday revealed it has started banning some of its own apps. A ban on 34 apps was among the nuggets of news revealed, with their banishment from local app stores the result of a departmental trawl of 320,000 apps offered in local download-marts.

Old and busted: Targeting servers and web bugs. New hotness: Pwning devs with targeted poisoned stacks
2020-09-04 11:15

Speaking at the 2020 Disclosure conference, Jones outlined how the trust many developers put in their software stacks and shared code, paired with a disturbing lack of online savvy, can make them easy pickings for hackers. "Systems are generally hardened - they have patches, they have firewalls, they have monitoring," Jones explained, "but [some] developers will run literally any bullshit they find on Stack Overflow. They keep credentials lying about, they're obviously going to have the source code and some production data sitting on their hardware as well."