
Identity Theft

Researcher: Pokémon GO is a Huge Security Risk

Published on

Pokemon Go

The phenomenon that is Nintendo’s Pokémon registered another massive (and arguably its biggest) hit with the release of Pokémon Go, a mobile app game so successful that it helped rocket Nintendo’s shares through the roof. With popularity comes scrutiny and one security researcher has pointed to a significant security risk concerning the iOS and Android versions of the app.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

Pokémon Go users, pay attention. Internet security expert Adam Reeve has found a problem with the game, one that makes your entire Google account vulnerable if you’re playing the game.

To play the game, users are first required to set up an account. For whatever reason, the developer of the game, Niantic, did not provide a way for users to create an account of their own. Instead, users had to sign in with one of two pre-existing accounts: a Pokémon website account or a Google account. Most new users are unlikely to have a Pokémon account, so they are likely to opt in with their Google account.

“Normally you’d see a little message saying what data the app is going to be able to access – something like ‘This app will be able to view your email address and name’,” Reeve explained in his Tumblr blog.

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

However, no such message was shown. Reeve went ahead and checked which permissions the app had been granted, and his discovery left him “stunned”. The permission read:

Pokemon Go has full access to your Google account.

Granting “full account access” gives an application the means to see and modify “nearly all information” in a user’s Google account, according to Google itself. Understandably, Google reminds users to grant that privilege only to applications they fully trust.

As Reeve explains, the permission grants Pokémon Go the means to read, and even send, your Gmail email on your behalf. Full Google account access also extends to controlling (and deleting) your Google Drive content, accessing your photos on Google Photos, looking up your search history, discovering your Home and Office locations on Google Maps, and more.

“What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too,” Reeve added.

For their part, Niantic insists that it never intended to get total control of users’ Google accounts, and that the app only uses basic information from the user’s profile. The developer is working on a patch to fix the permissions sought by the app.

Android users can edit and remove the app’s “full access” to their Google account by visiting their permissions page. For iOS users, there is no option to edit the permission, so the only recourse is to revoke access entirely.
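The least-privilege point above, that an app which only needs to know who you are should ask for nothing beyond basic profile scopes, can be checked mechanically. The following Python is an added example and not code from the article or from Niantic: it builds the kind of OAuth 2.0 authorization request an app sends a user to, then audits the scopes in such a URL against an allowlist. The scope strings and the Google authorization endpoint are real; the allowlist policy, the client id and the redirect URI are this example's assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed allowlist: the only scopes a game that merely needs to identify the
# player should request. These are real Google OAuth scope strings; the policy
# that nothing else is acceptable is this example's assumption.
MINIMAL_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, scopes):
    """Build the authorization request an app redirects the user to.

    client_id and redirect_uri are placeholder values supplied by the caller.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # OAuth scopes are space separated
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(auth_url):
    """Extract the list of scopes an authorization URL asks for."""
    query = parse_qs(urlsplit(auth_url).query)
    return query.get("scope", [""])[0].split()


def excessive_scopes(auth_url, allowlist=MINIMAL_SCOPES):
    """Return, sorted, every requested scope that is not on the allowlist.

    A non-empty result is what should stop a reviewer (or a user reading the
    consent screen) before clicking 'Allow'.
    """
    return sorted(s for s in requested_scopes(auth_url) if s not in allowlist)


# Constructed sample requests: what a sign-in-only app should ask for, and an
# over-broad request that also wants mail and Drive access.
MINIMAL_REQUEST = build_auth_url(
    "example-client-id", "https://game.example/callback", ["openid", "email"]
)
BROAD_REQUEST = build_auth_url(
    "example-client-id",
    "https://game.example/callback",
    ["openid", "email", "https://mail.google.com/", "https://www.googleapis.com/auth/drive"],
)

if __name__ == "__main__":
    for label, url in (("minimal", MINIMAL_REQUEST), ("broad", BROAD_REQUEST)):
        extra = excessive_scopes(url)
        verdict = "ok" if not extra else "over-broad: " + ", ".join(extra)
        print(f"{label}: {verdict}")
```

The same audit applies to a granted token: the `scope` field Google returns for an access token is the same space-separated list, so feeding it to `excessive_scopes` via a constructed URL, or splitting it directly, tells you whether an already-authorised app holds more than it should.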

Featured image from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

1 Comment


  1. Thiago Martins

    July 13, 2016 at 7:47 pm

    I’m not seeing this:

    Pokemon Go Release has access to:

    Basic account info
    Know who you are on Google
    View your email address

    This comes from my Google account web page:

    https://accounts.google.com/IssuedAuthSubTokens

    So, is this for real, FUD or a Google bug?


Cybersecurity

Spotting a Well-Made Investment Scam

Published on

For every reasonably safe investment, there are 1,000 scams and 10,000 reasonably toxic investments. Self-served advertising via social media and search engines exacerbates the problem: people sometimes click ads they think were search results, or, as humans are wont to do, simply consume the content on the screen instead of paying attention to where they are being redirected.


In this article we will review a recent example of a well-executed investment scam.

The intended victim, who did not actually get scammed but alerted this author to the hustle, was led to believe that the link behind the above image led to a CNN news article. This is the actual URL the link went to:


http://cnn.com-cat.press/anonymous-is-going-after-global-stock-market/?aref=http%3A%2F%2Ftrck.anony.trade%2Fsite%2Fredirectpage%3Fsid%3D99462%26hv%3Dgjalu5988de395a461839785307%26hid%3D264193#!

Now if you visit com-cat.press, all you see is a directory listing. This site’s entire purpose is to make people believe they are visiting legitimate .com websites when in fact they are visiting others. It doesn’t always have to be a scam; sometimes it is simply an advertisement, but often enough it is a definite funnel to a scam. In this case, here’s where you wind up: a page that looks an awful lot like CNN Money:

Again, this is not a real article on CNN. This is promotion for 10Markets.eu.

10Markets.eu looks extremely professional. The platform sets out to capture your details even just for demo trading. Most traders expect hurdles, so one can imagine tons of phone numbers and e-mail addresses being entered:

The demo trading screen never loaded for this analyst, but the phone number was fake anyway, taken from a coffee shop in Germany. Funnily, it appears the German exchange code is 030 in the first place, but you can’t edit that part. They also don’t allow you to visit the site at all if you’re in North America.

The tipster was clever enough to check whether 10Markets.eu was a registered broker. It is not. According to ForexBrokerz.com:

10Markets is a forex and CFD broker that is headquartered in Scotland [sic] and supports the popular MetaTrader 4 platform. It is not licensed by any authority and there is not much information about the trading conditions on its website. What is worse, this broker is present in the warning lists of UK’s FCA, Australia’s ASIC and Cyprus’ CySEC, so we don’t recommend doing business with 10Markets.

There are review websites which help. Regarding 10Markets, we came up with this one.

The tipster happens to have been our own Jonas Borchgrevink. He has years of experience in website publishing, which is why he quickly noticed that he was not reading a CNN article. The sad fact is that a high percentage of people who read that article believe it to be real, and a percentage of those people end up getting scammed. So here is a checklist for new trading outfits that you haven’t used or heard about before:

  • Always try to get phone support right away, before creating an account. If no one answers or there is anything suspicious, this is a scam.
  • Always search for “[EXCHANGE NAME]” + “scam,” and read carefully any results that come up. Most scams could stop at one person if others listened to that one.
  • In the US, you can use FINRA to check the legitimacy of an exchange or broker. In the UK, you have FCA. Many countries have sites like these, and it’s important to check the one from the country where the broker does business.
  • Use ad blockers at least when legitimately searching for financial solutions.
  • Check the URL! For every legitimate exchange website, there are a few fake ones designed to steal your account information.
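The last checklist item, "Check the URL!", is where the cnn.com-cat.press trick is caught: the brand name sits in the hostname, but the part that actually identifies the owner is the registrable domain at the end. The following Python is an added example, not code from the article, that pulls the registrable domain out of the URL quoted above, flags the brand spoof, and also surfaces the tracker hop hidden in the `aref` query parameter. The two-label rule for the registrable domain is a simplifying assumption made here; a production check should consult the Public Suffix List, since suffixes such as co.uk need three labels.

```python
from urllib.parse import urlsplit, parse_qs

# The redirect URL reported in the article, used here as sample input.
SUSPICIOUS_URL = (
    "http://cnn.com-cat.press/anonymous-is-going-after-global-stock-market/"
    "?aref=http%3A%2F%2Ftrck.anony.trade%2Fsite%2Fredirectpage%3Fsid%3D99462"
    "%26hv%3Dgjalu5988de395a461839785307%26hid%3D264193#!"
)


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'com-cat.press'.

    Assumption: two labels suffice for this example. Real code should use the
    Public Suffix List so that 'example.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_check(url, expected_domain):
    """Decide whether url really belongs to expected_domain.

    brand_spoofed is True when the expected brand appears somewhere in the
    hostname but the registrable domain is something else entirely, which is
    exactly the cnn.com-cat.press pattern.
    """
    expected = expected_domain.lower()
    host = (urlsplit(url).hostname or "").lower()
    actual = registrable_domain(host)
    return {
        "host": host,
        "registrable_domain": actual,
        "is_legitimate": actual == expected,
        "brand_spoofed": actual != expected and expected in host,
    }


def embedded_redirects(url):
    """Map query parameters whose value is itself a URL to that URL's host.

    Affiliate funnels often carry the next hop (a tracker or redirect page) in
    a parameter, so listing these hosts shows where a click really flows.
    """
    hops = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            if value.startswith(("http://", "https://")):
                hops[key] = urlsplit(value).hostname
    return hops


if __name__ == "__main__":
    report = brand_check(SUSPICIOUS_URL, "cnn.com")
    print(f"host {report['host']} -> owner domain {report['registrable_domain']}")
    if report["brand_spoofed"]:
        print("brand name embedded in a foreign domain: treat as a lookalike")
    for param, host in embedded_redirects(SUSPICIOUS_URL).items():
        print(f"parameter {param} forwards to {host}")
```

Reading the output the way a user reads an address bar: the hostname starts with cnn.com, but the owner is com-cat.press, and the `aref` parameter already names the tracking host the visit will be handed to.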

In The Event That You Spot A Scam

Tattle! Spread the word far and wide, not just so others don’t get scammed, but also to give authorities the jump on the thieves. Otherwise, they may exit and get away with all the money before anyone stops them.


Breaches

The Largest Breach of 2016: 412 Million FriendFinder Accounts Exposed

Published on

FriendFinder Networks, the parent company behind the likes of AdultFriendFinder, Cams, Penthouse, iCams and Stripshow has been hacked, with six databases from the company compromised, according to breach notification website LeakedSource.

A Local File Inclusion (LFI) exploit was all it took for server breaches that led to a mammoth 412,214,295 user accounts’ credentials leaking online. Alarmingly, 99% of all available passwords gathered from the breach are visible in plaintext.


CSOOnline reveals that information from the breached databases had been circulating online since their compromise in October 2016. The incident itself is likely to have occurred before October 20, 2016, with the last login timestamps for user accounts occurring on October 17.

As the publication reports, one researcher identified the LFI flaw and warned AdultFriendFinder about the vulnerability. More specifically, the LFI was discovered in a module on AdultFriendFinder’s production servers. While the researcher followed up the public reveal of the vulnerabilities with a post noting that the issue was resolved, the reality could not have been starker.

The severity of the breach saw the leak of FriendFinder Networks’ source code and public/private key pairs alongside the databases, which contained email addresses and passwords stored either in plain text or hashed using SHA1 with a pepper.

This bemusing and weak hashing practice means that 99% of all passwords gathered from the FriendFinder Networks databases have been cracked.
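Why a pepper-only SHA1 scheme collapses once the source code leaks, and what the defensible alternative looks like, is shown in the following added Python example. It is not code from the article or from FriendFinder Networks; the pepper value, the user names and the passwords are constructed for the demonstration. The weak scheme keys one fast hash on a single server-wide secret, so identical passwords produce identical hashes across every account and the secret travels with the code; the alternative uses a random per-user salt and a deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library).

```python
import hashlib
import hmac
import os

# Constructed stand-in for a server-wide secret. Once source code leaks, a
# pepper like this is public, which is the situation the article describes.
PEPPER = b"constructed-server-wide-secret"


def sha1_with_pepper(password):
    """The weak scheme: one global secret, no per-user salt, one fast round."""
    return hashlib.sha1(PEPPER + password.encode()).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus a slow KDF. Stored as algo$iters$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute the stored record from its own salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_password_groups(records):
    """Group user names whose stored hash is identical.

    Without a salt, equal passwords hash equally, so recovering one hash
    exposes every account in its group; with salts, groups never form.
    """
    groups = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Constructed accounts: two users share a password.
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse battery"}

PEPPER_ONLY_DB = {u: sha1_with_pepper(p) for u, p in SAMPLE_USERS.items()}
SALTED_DB = {u: pbkdf2_hash(p) for u, p in SAMPLE_USERS.items()}

if __name__ == "__main__":
    print("pepper-only SHA1 duplicate groups:", duplicate_password_groups(PEPPER_ONLY_DB))
    print("salted PBKDF2 duplicate groups:   ", duplicate_password_groups(SALTED_DB))
    print("bob logs in:", pbkdf2_verify("123456", SALTED_DB["bob"]))
    print("bob wrong password:", pbkdf2_verify("654321", SALTED_DB["bob"]))
```

A pepper is still a reasonable extra layer when it is kept outside the database and the code repository, but it is an addition to salting and a slow KDF, never a replacement for them.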

Furthermore, LeakedSource was able to determine that a notable number of users had an email in the form of ‘[email protected]@deleted1.com’, a clear indicator that the user associated with the account had sought to delete it, while AdultFriendFinder tagged these to-be-deleted accounts with “@deleted.com.” A mammoth 16,766,727 such deleted accounts were discovered in total.

LeakedSource lays out the startling numbers: the websites affected, along with the number of compromised user accounts on each.

  • Adultfriendfinder .com – 339,774,493 users
  • Cams .com – 62,668,630 users
  • Penthouse .com – 7,176,877 users
  • Stripshow .com – 1,423,192 users
  • iCams .com – 1,133,731 users
  • An unknown domain – 35,372 users

Altogether, that’s over a staggering 400 million user accounts, or 20 years of customer data, leaked during the breach, making it the largest recorded breach this year and comfortably surpassing the MySpace breach, which saw 360 million compromised user accounts. By comparison, it makes the infamous Ashley Madison breach look meagre.

Image from AdultFriendFinder.


Anonymous

Anonymous India: Mobile Network Reliance Jio is Sharing Call Data with Advertisers

Published on

Anonymous

The hacking group Anonymous is accusing the telecom network, Reliance Jio, of sharing its call data with advertisers in the U.S. and Singapore.


In a recent blog post, Anonymous India sets out how Reliance Jio has been sharing customers’ call data with foreign companies. Anonymous India also provides steps for seeing how Reliance Jio is sharing the data.

It said:

A year ago we had posted about how Reliance Jio was sharing user location data with China. One year on and nothing has changed.

In the blog post, Anonymous India claims that data from Reliance Jio’s My Jio and Jio Dialer apps is being sent to an advertiser called Mad.Me. It further adds that Reliance Jio is using a third-party software development kit and is failing to verify what data is being sent and collected through it.


Reliance Jio Accused a Second Time

This, however, isn’t the first time that Anonymous India has accused Reliance Jio.

Last year the hacker activist group highlighted in another blog post that Reliance Jio had security flaws in its RJio chat app.

According to the 2015 post, data was being sent to a Chinese IP address without being encrypted first. This meant that, while the data was being leaked to China, anyone who wanted to could easily look into a conversation and see what was being shared or discussed, leaving it exposed to hackers.

Anonymous Never Forgets

When it comes to bringing the wrongs of others to light, the hacktivist group Anonymous is not afraid of standing up to the challenge.

At the beginning of the year, Anonymous targeted Thai police in protest at the conviction of two Burmese men who faced a death sentence in connection with two murdered British backpackers.

In May, Hacked reported that Anonymous had played a significant role in targeting financial institutions such as Greece’s central bank, which was hit by a DDoS attack. According to the report, Anonymous considers central banks around the world a ‘global banking cartel.’

In a bid to target those that it believes should be targeted, bringing greater awareness to the public, it seems that the hacktivist collective Anonymous won’t be stopping anytime soon.

Featured image from Shutterstock.
