Security News
The US Federal Trade Commission and a coalition of 48 state attorneys general on Wednesday filed a pair of sweeping antitrust suits against Facebook, alleging that the company abused its power in the marketplace to neutralize competitors through its acquisitions of Instagram and WhatsApp, depriving users of better, privacy-friendly alternatives. Specifically, the lawsuits seek to rescind the acquisitions of Instagram and WhatsApp, spinning off both platforms into independent companies; prohibit Facebook from imposing anti-competitive conditions on software developers; and require the company to seek prior notice and approval for future mergers and acquisitions.
In a nutshell, the vulnerability could have allowed an attacker who is logged into the app to simultaneously initiate a call and send a specially crafted message to a target who is signed in to both the app and another Messenger client, such as the web browser. "It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out," Facebook's Security Engineering Manager Dan Gurfinkel said.
When you make a Messenger call, for example, the app on your device - which could be a mobile phone, a laptop or even something like a smart TV - asks the Messenger cloud to locate the recipient's device, and the apps at each end start negotiating to set up a call. Once the call is accepted by the recipient - typically after the app has played a ringtone, popped up a message or both, and the recipient has opted in to the call - then the apps start exchanging network packets of audio data.
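The security-relevant point in the call flow above is the gate between "ringing" and "exchanging audio": the callee's device should only transmit microphone data once the local user has accepted, and nothing the remote party sends during negotiation should be able to open that gate early. The following is an added illustration, not code from Facebook or Messenger: a hypothetical callee-side state machine in which media is gated strictly on the local accept action, placed beside a constructed flawed variant in which a peer signalling message (the name `media_ready` is invented here) flips a media flag that the microphone path checks independently of the call state. The scenario runner shows how many frames leave the device before the user reacts in each case.

```python
from dataclasses import dataclass
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()
    ACCEPTED = auto()
    ENDED = auto()


@dataclass(frozen=True)
class AudioFrame:
    seq: int
    payload: bytes


class CalleeSession:
    """Hypothetical callee-side call session (not Messenger's own code).

    Outgoing media is gated on exactly one thing: the local user's accept().
    Signalling from the peer may negotiate parameters or end the call, but it
    can never switch the microphone stream on.
    """

    def __init__(self, caller_id: str):
        self.caller_id = caller_id
        self.state = CallState.IDLE
        self.sent_frames: list[AudioFrame] = []
        self.log: list[str] = []

    def on_incoming_call(self) -> None:
        self.state = CallState.RINGING
        self.log.append("ringing")

    def on_signalling(self, msg: dict) -> None:
        kind = msg.get("type")
        if kind == "hangup":
            self.state = CallState.ENDED
            self.log.append("ended by peer")
        elif kind == "negotiate":
            self.log.append(f"peer offered codec {msg.get('codec')}")
        else:
            # Unknown or unexpected peer messages are logged and ignored.
            self.log.append(f"ignored peer message {kind!r}")

    def accept(self) -> None:
        """Local user action: the only transition that enables media."""
        if self.state is CallState.RINGING:
            self.state = CallState.ACCEPTED
            self.log.append("accepted locally")

    def capture_audio(self, frame: AudioFrame) -> bool:
        """Microphone pipeline callback: transmit only after local acceptance."""
        if self.state is CallState.ACCEPTED:
            self.sent_frames.append(frame)
            return True
        self.log.append(f"dropped frame {frame.seq} in state {self.state.name}")
        return False


class FlawedCalleeSession(CalleeSession):
    """Constructed flawed variant (hypothetical, not the real bug): a peer
    message sets a media flag that the microphone path honours regardless of
    call state, so audio leaves the device while it is still ringing."""

    def __init__(self, caller_id: str):
        super().__init__(caller_id)
        self.media_enabled = False

    def on_signalling(self, msg: dict) -> None:
        if msg.get("type") == "media_ready":  # invented message name
            self.media_enabled = True
            self.log.append("media enabled by peer message")
        else:
            super().on_signalling(msg)

    def capture_audio(self, frame: AudioFrame) -> bool:
        if self.media_enabled or self.state is CallState.ACCEPTED:
            self.sent_frames.append(frame)
            return True
        self.log.append(f"dropped frame {frame.seq} in state {self.state.name}")
        return False


def run_scenario(session_cls, user_accepts: bool) -> dict:
    """Drive one constructed call: the caller rings, negotiates, sends one extra
    peer message, and three microphone frames arrive before the user reacts.
    Returns the final state and how many frames were sent before/after accept."""
    s = session_cls("caller@example.invalid")  # constructed peer id
    s.on_incoming_call()
    s.on_signalling({"type": "negotiate", "codec": "opus"})
    s.on_signalling({"type": "media_ready"})
    before = sum(s.capture_audio(AudioFrame(i, b"\x00" * 160)) for i in range(3))
    if user_accepts:
        s.accept()
    after = sum(s.capture_audio(AudioFrame(i, b"\x00" * 160)) for i in range(3, 5))
    return {"state": s.state.name, "before_accept": before, "after_accept": after}


if __name__ == "__main__":
    for cls in (CalleeSession, FlawedCalleeSession):
        print(cls.__name__, run_scenario(cls, user_accepts=True))
```

The design point is that the hardened session has a single source of truth for "may transmit" (the `ACCEPTED` state, reachable only through the local `accept()`), whereas the flawed variant carries a second, peer-influenced flag; a reviewer looking for this class of bug checks that every path into the media-sending code is dominated by the local-consent transition.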
Social media giant Facebook this week announced that it has paid out more than $11.7 million in bug bounties since 2011. To date, more than 50,000 researchers signed up for the company's bug bounty program, and approximately 1,500 of them, from 107 countries, have received a bug bounty reward, the company says.
Facebook has patched a significant flaw in the Android version of Facebook Messenger that could have allowed attackers to spy on users and potentially identify their surroundings without them knowing. Exploiting the bug would only take a few minutes; however, an attacker would already have to have permission (i.e., be Facebook "Friends" with the user) to call the person on the other end.
Facebook this week addressed a vulnerability in Facebook Messenger for Android that could have allowed an attacker to connect to an audio call without user interaction. To reproduce the issue, both the attacker and the receiver need to be logged into Facebook Messenger on their devices.
Apple confirmed Thursday it would press ahead with mobile software changes that limit tracking for targeted advertising - a move that has prompted complaints from Facebook and others. The iPhone maker said it was moving ahead with updates to its mobile operating system to give users more information and control on tracking by apps on Apple devices.
Facebook fixed a critical flaw in the Facebook Messenger for Android messaging app that allowed callers to listen to other users' surroundings without permission before the person on the other end picked up the call. Facebook Messenger for Android has been installed on more than 1 billion Android devices according to the app's official Play Store page.
The unsecured Elasticsearch database was 5.5 gigabytes and contained 13,521,774 records of at least 100,000 Facebook users. The data in the exposed database included credentials and IP addresses; text outlines for comments the fraudsters would make on Facebook pages that directed people to suspicious and fraudulent websites; and personally identifiable information, such as emails, names and phone numbers of the Bitcoin scam victims.
The Ragnar Locker ransomware group has decided to ratchet up the pressure on its latest high-profile victim, Italian liquor conglomerate Campari, by taking out Facebook ads threatening to release the 2TB of sensitive data it stole in a Nov. 3 attack - unless a $15 million ransom is paid in Bitcoin. The ads, first spotted by researcher Brian Krebs on Nov. 9, were to-the-point and entitled, "Security Breach of Campari Group Network." Ragnar Locker bought the ads using a hacked Facebook account, which Krebs said were subsequently shown to more than 7,000 users before Facebook caught on and pulled them down.