“Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online. The conventional wisdom is that this was a run-of-the-mill software security issue. […] It isn’t. It’s a troubling symptom that suggests Apple’s self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn’t going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple’s entire ecosystem of devices, stores, software, and services.”
Rather ironic to see a security article posted here at this very minute, when I’ve been presented with the admin side panel above the right column of news since late last night, for no reason. Apparently I’m “logged in as root” and could do all sorts of things to OSAlert and there was no hacking involved. It just came up a few hours back and it’s still there now. I’ve made no attempt to use it, but am I the only one who sees it? It appears on both my Mac and my iPad.
On a side note, please do tell me you guys don’t actually use root for your admin username?
You’re not the only one who sees it.
Check the date.
Lol Thom, that just occured to me. Funny thing about that though is, it wasn’t April first when I saw it so I wasn’t on guard against it. Good one! It’s been a long time since anyone got me with an april fools joke. I take my hat off to you.
I too was fooled, but to be fair, it is the 2nd here.
The US-centric nature of the English web always catches me unaware.
I believe it’s GMT-centric, actually.
It totally got me. I was so disappointed when I couldn’t ban Thom (kidding).
OSAlert may well be, but most of the English web is still very Americanised with times and spellings.
Not a complaint, just something Commonwealth citizens have to keep remembering.
It would be delightful if the Internet led to some consolidation in gratuitous spelling differences and such in English. Possibly because I work on an international program, I find I’m adding a lot of u’s (as in colour) without really thinking. Still can’t really internalize boot and bonnet, though. *shrugs*
I was writing an email to Adam thinking it was a bug when it occurred to me that it was probably an April Fool’s joke. I made note of it in the email, and sent it anyways, before I tried one of the links on the side.
It was 8:30pm local time when I noticed it, so it was still kinda early for me to connect it to the date.
BTW, this (the fake control panel) is WAY better than dozens of fake posts. /. is a piece of $*1t today.
I don’t know… the TRS-80 vs Commodore 64 comparison was pretty cool.
All it needed were screenshots.
You must be new here. I actually set my calendar by the Admin panel appearance.
Not new, but I must not have ever visited around April fools day before.
And if that weren’t crazy enough, I hear that Maddox is having a kid and shutting down his site!
http://thebestpageintheuniverse.net/c.cgi?u=second_chance_af
It got me last year
You know last April there was a 0 day flaw in hotmail, last November there was a Gmail security flaw, did you write a ‘when will Microsoft/Google get serious about security?’ articles. I know you think it’s ok to be biased but, really?
Security problems creep up for all companies, it’s in a inescapable part of a rapid/agile software development process. The battle between security/stability and progress has been waged and progress won.
Ironically, these days, Microsoft is probably the company that spends the most of security in their consumer software and it’s hampering their ability to innovate and it has not eliminated all security issues.
Apple does what everyone else does. They run automated security tests and when those tests don’t cover a particular case a security lapse occurs. Although this exploit was ‘dead simple’ it was also not at all ‘obvious’ as it was not previously discovered.
Fallacy ahoy: false equivalence. Not that your question would make sense anyway, since Thom wasn’t the author of this article to begin with.
Of course, the difference is that those were relatively new flaws, while Apple has consistently released products with security vulnerabilities that everyone else learned how to avoid years (if not decades) ago. That, and Microsoft/Google tend to fix those issues quickly, as opposed to Apple’s approach of “steadfastly deny that the problem even exists, then maybe get around to fixing it after 2-3 weeks of bad press.”
Please. Everyone knows that, coming from an iFanboy, “biased” really just means “not sufficiently-biased in favor of Apple.” Not that I should be surprised, of course, since that’s a standard apologetics tactic: when you can’t refute the message, then attack the messenger.
More false equivalence. If you think Apple’s security is the same as “everyone else”, then maybe you should look up the name “Mat Honan”:
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacki…
A company with the size and resources of Apple has absolutely NO excuse for regularly releasing products with such basic, serious security failings. And it shouldn’t be surprising to anyone: when you have a “technology” company with “form over function” as its guiding philosophy, those types of engineering failures are inevitable.
Switching gears to the post-hoc fallacy? The fact the flaw wasn’t discovered previously doesn’t prove anything about its obviousness, it just proves that the flaw wasn’t discovered previously (derp).
It’s equally possible that the flaw went undiscovered because barely anyone actually uses the service. Actually, that’s probably more likely, given the way that Apple’s previous attempts at online services/social media were all spectacular failures.
The fact that Apple could do more on security and the fact that Apple, like everyone in the tech business, faces escalating and mutating threats which they sometimes initially fail to spot is obviously true, but I find the way that Google and Microsoft are held up as paragons of security virtue to be risible. One of those companies makes the desktop PC OS upon which 90% plus of actual real world malware exploits takes place and the other makes the mobile OS upon which 90% plus of actual real world malware exploits takes place.
As far as consumers are concerned Microsoft systematically and comprehensively lost it’s reputation in relation to security because of the vast global ecosystem of criminal malware that developed on it’s platform. Slamming the barn door after that horse bolted will not get that reputation back, it’s probably gone for good.
Because in the real world almost no Apple desktop customers ever experienced any actual security problems Apple created a premium brand in relation to security which it will only lose if there is a sustained and serious real world malware outbreak on any of it’s products that adversely effects large numbers of it’s customers. Apple managed to carry over that solid security reputation into the mobile arena and the security benefits of the curated App store model only enhanced it further. One reason why the iOS app ecosystem grew so vertiginously was because the apps were cheap and safe.
Google and Android are skating on this ice because the rapidly escalating scale of malware on the Android platform has not yet seriously dented it’s brand, but it could hit a tipping point and then it’s reputation could seriously suffer.
Because Apple has a premium brand, and one part of that brand is a premium reputation for security amongst the general public, any security weakness is bound to attract a lot of media attention. Apple seem to be taking security very seriously given the scale of corporate hires and investment related to security. iTunes is now the world’s largest digital vendor by quite a margin and so is a juicy target and it is partly successful for it’s ease and convenience so any beefed up security must be as unobtrusive as possible.
I wonder what Apple will do with this technology and when?
http://www.reuters.com/article/2012/07/27/us-authentec-acquisition-…
Tony Swash,
Do you have evidence at all that IOS as an operating system is technically more secure than any of the other mobile platforms or are you claiming things merely because they fit within your world view? It’s a serious question. Please provide a source with real details explaining exactly how the IOS operating system is more secure without any of the usual apple fanboy spin-doctored BS.
As for the walled garden, the iphone store moderators are notorious for scrutinizing applications based on morality and banned functionality, but what indication do you have that applications get any attention from a qualified security expert?
It’s not like vulnerable iphone applications are unfounded or rare. I’m citing a few examples here, but known IOS app vulnerabilities are not rare. These aren’t apple’s own vulnerabilities, but it does show that apple’s guardians are not doing a great job of vetting app security in the apple store. It would seem apple isn’t as good at security as independent security auditors.
http://seclists.org/fulldisclosure/2013/Feb/91
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2012-10/msg0…
http://packetstormsecurity.com/files/120397/VL-864.txt
http://seclists.org/fulldisclosure/2013/Mar/8
http://www.exploit-db.com/exploits/24484/
http://cxsecurity.com/issue/WLB-2013020090
Apple’s own IOS software has had it’s own history of serious vulnerabilities as well. Some of these flaws are actually what permit us to jailbreak the iphone(s) in the first place.
http://browsers.about.com/b/2007/08/02/iphone-update-fixes-serious-…
http://blogs.mcafee.com/mcafee-labs/iphone-dos-vulnerability
http://securitywatch.pcmag.com/apple/283835-iphone-ipad-jailbreak-w…
http://www.pcworld.com/article/169436/Black_Hat_Reveals_iPhone_SMS_…
http://www.computerweekly.com/news/1280090073/Apple-races-to-fix-iP…
http://theiphonewiki.com/wiki/AT+XAPP_Vulnerability
I’m not a security researcher myself, so I cannot say how IOS stacks up to android or anything. But the OP was onto something when he said it happens to everyone.
First of all a general point. Apple screens all software before allowing it to appear in the iOS app store. Google does not screen apps before allowing it to appear in Google Play.
I think that checking for malware is more likely to detect malware than not checking for it even though checking for it is not infallible.
Clearly with the volume of apps being processed mistakes can and will be made and malware could get through any screening process. However it appears that the number of malware apps getting through the iOS screening process are vanishingly small and are quickly removed on detection.
Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonable competent measurements of actual real world security breaches and malware exploits based on large samples and large data sets. All too often debates about relative security performance wanders into the theoretical and focusses on the obscure security potential of issues associated with particular pieces of code or particular security arrangements whilst ignoring the real world security performance of different systems and platforms. It’s all very well being concerned that security breach ‘X’ on one platform is in theory worse than security breach ‘Y’ on another but if it turns out that in the real world security breach ‘Y’ has been actually used 100,000 times on actual victims and breach ‘X’ has never been used on any actual victims then I would consider it reasonable to say that security breach ‘Y’ is a worse security problem.
In the realm of mobile platforms there are independent studies conducted at regular intervals using large data sets that attempt to measure the relative amounts of malware on different mobile platforms. The conclusions of all these studies by different security companies are all broadly the same, which is that mobile malware is overwhelming a problem of the Android OS and is vanishingly small on the iOS platform.
This pdf of the Mobile Threat Report from the F-Secure Labs dated Q4 2012 is representative of the sorts of results you see from many such reports
http://www.f-secure.com/static/doc/labs_global/Research/Mobile%…
As you can see from the report is says that observed malware by platform at the end of 2012 was as follows:
Android 79%
Symbian 19%
iOS 0.7%
The fact that the pattern of many different reports on real world security problems on mobile platforms broadly paints the same picture means, I think, one can have a high confidence that they are broadly accurate in two important conclusions:
Malware on mobile is an Android problem.
Malware on Android is getting worse.
Edited 2013-04-02 11:47 UTC
The quoted study is being misinterpreted all over the web in yet another shining example of modern journalists and bloggers not having a single f–king clue about statistics and numbers.
That “79%” sounds very scary indeed. However, all it means is that 79% of the encountered malware families occurred on Android. That’s it. The report has NOTHING, and I repeat, NOTHING, to say about how many Android devices were actually infected by malware. Still, idiots present it as such, which is exactly what F-Secure – an antivirus peddler – knew it would do.
In simpler terms: saying that 79% of flu strains affect humans is completely irrelevant information when you want to know how many humans are affected by flu strains.
If, after all these years, someone still present numbers from antivirus peddlers as-is, you know said someone is either stupid, or has an agenda.
Edited 2013-04-02 11:50 UTC
Sounds a bit complacent to me. I wonder what your position would have been if it was reported that 79% of malware was found on iOS? Less complacent I suspect.
A report from http://www.mobilesandbox.org, a site that collects information about malware on Android found that out of the 300,000 new Android apps on Android stores in 2012 it found 43,000 malicious apps in 115 different malware families. Most of the fake apps were downloaded from Russian and Asian third-party app stores, but 13 malware families were also found on the official Google Play Store. It’s possible to assume that very few people are downloading those apps and hence that the actual rate of malware infections is very low, but I would like to understand the reasons for assuming such a thing and the evidential basis supporting such reasoning.
According to a recent report from the security firm Kaspersky, 99 percent of all new malware attacked the Android platform last year. That was a continuation of the trend from 2011, which registered an explosive growth in Android malware.
During 2011, an average of 800 new types of malicious programs were discovered every month, and this figure rose in 2012 to a whopping 6,300 programs.
“Android is the world’s most widely used smartphone operating system, so it is not surprising that it is also the hacker’s favorite goal. But it has probably surprised many people, including myself, that it’s as much as 99 percent”, security expert Kevin Freij from MYMobileSecurity said.
Again one could assume that all those malware programs on Android are failing to actually infect any end user, even though the writers of Android malware seem to be increasing their efforts hence the explosive growth, but again I would like to understand the reasons for assuming such a thing and the evidential basis supporting such reasoning.
It’s perfectly fine to argue that it is better for various reasons if one does not lock the door to ones house but it is mendacious to suggest that leaving ones door unlocked is as secure as locking it.
Antivirus companies have a product to sell. So, they make it appear as if Android – the most popular mobile platform by a huge and wide margin – is insecure. A few years ago, they tried the same tactic for iOS, and failed, Interestingly enough, Apple fanatics – rightfully so – attacked antivirus companies because of that. Now, you don’t. Curious.
I have another explanation for there being more different variants of malware for Android: there are more versions and variants of Android, so malware needs to be adapted to each. End result: more malware families.
Until we actually see numbers about how many Android devices are infected, from an independent source, i’m not going to believe antivirus companies, who have a long history of lies, deceit, and other forms of despicable scummy behaviour.
Your selective perception to solve your cognitive dissonance at work again, I see! Predictable.
Consider, for instance, my reporting on the Flashback trojan:
http://www.osnews.com/story/25776/Reports_Flashback_trojan_has_infe…
Huh. It would appear you blocked this one out to solve your state of cognitive dissonance. I’ve got another one for you:
http://www.osnews.com/story/24475/Supposed_Mac_OS_X_Trojan_Another_…
Headline: “Supposed Mac OS X Trojan Another Piece of Linkbait”
So, there you have it. The quoted claim from you is a lie. Will you apologise for spreading said lies? I highly doubt it.
Edited 2013-04-02 13:27 UTC
What quoted claim??
Tony Swash,
Just a small personal request, but can you please cite the links to the sources of information when you are posting stats? It helps others take a quick look without having to dig up what you’re talking about, thanks.
Yes. Security breaches and exploits. Of which Android has suffered no more or less than iOS.(Even if you include such blunders as full RAM access by Samsung)
But obviously, you will count user negligence as a security breach or exploit against your opponents when it suites you. You know, discounting social engineering that results in hundreds of dollars lost via IAP on iOS. Because user negligence is not the same as social engineering, when it comes to Apple…
The fact is – malware on Android is a regional and very localized problem. Much more so than even Windows. Google can’t and shouldn’t solve it. At most they can do malware scanning in the Play Store.
And the fact that F-Secure didn’t state the level of threat coming from Play Store tells us that Google is doing a damn good job. Otherwise the title of that report would have been “Google Play Store is infested with malware – run for your lives!!! or buy our product…”
Tony Swash,
“First of all a general point. Apple screens all software before allowing it to appear in the iOS app store. Google does not screen apps before allowing it to appear in Google Play.”
I asked about “IOS as an operating system” specifically because I wanted to know whether there is anything IOS is really doing better with regards to security. I’m going to interpret the evasive response as a “no, there are no technical security advantages within IOS itself”. Please correct me with specifics if this is wrong, but spare me the fanboy spin.
“I think that checking for malware is more likely to detect malware than not checking for it even though checking for it is not infallible”
Of course I think security screening can help catch malware, but I’m not even sure there’s much of that going on in apple’s store. Consider that even if the Q/A process has no security checks whatsoever, merely testing whether the application does what it advertises can significantly raise the barrier for malware authors who don’t want to write fully functional applications as part of their malware scheme. Do you know for a fact (with credible sources) that apps in apple’s store undergo any security checks at all?
“Generally I think that the way to assess the relative security performance of operating systems or platforms is to look for independent and reasonable competent measurements of actual real world security breaches and malware exploits based on large samples and large data sets.”
That’s true in principal, but all too often someone ends up comparing apples and oranges, especially when one party is transparent about disclosing information and the other party is actively covering it up. Open source systems often set a very high bar for full disclosure (every single breach is public information). When other platforms aren’t as forthcoming it can easily paint a false picture. I don’t know how to solve this asymmetric disclosure conundrum or even how to measure the extent of the problem.
“Malware on mobile is an Android problem.”
There’s no doubt many malware authors are targeting the android store because of it’s lenient store policies. If android tightened up it’s store, more malware authors would probably spread their efforts elsewhere.
“Malware on Android is getting worse.”
How do you know that?
I’ve said this before, but my opinion is that the best approach to app stores (for both google and apple) would be to have one repository for certified / well tested apps, and another more inclusive repository for “use at your own risk” apps. This would appease both types of crowds and give consumers the benefit of making up their own minds how to use their own devices: either within the confine’s of the walled garden, or allowed to explore the forest beyond.
Edited 2013-04-02 16:03 UTC
Please read again what you wrote and give it some thought. You disputed my points with absolutely no tangible support at all. You simply said they were ‘false’. You reference an article that is totally unrelated to technology – which is what I was speaking about – and was a pure social engineering hack. You discounted my opinion because you claim I was a ‘fanboi’.
It’s weak dude. If you have a solid argument then make it, demonstrate it with facts, without insults and name calling. Your arguments will carry much more weight and people – even those that disagree with you – would give you much more respect.
I’ll add that I made a point of saying that it was Microsoft who places the greatest emphasis on security and I absolutely think Google Chrome as a browser has the best security out there and gmail makes the most effort to eliminate phishing scams.
On the other hand Mac OS X has a much lowest malware infection rate (and the gap has increased now that, by default, you can’t install unsigned apps) then Windows and iOS has virtually no Malware while Android is riddled with it. I understand this is because Apple simply locks down it’s platforms (which many think is a bad thing) but if you bother to read what CIO’s are saying their much more comfortable with Apple’s security then any other for desktop/mobile use.
Anyhow I am not here to apologize for anyone, I simply think that Thom is pushing his agenda (and he has made it clear on a number of occasions he has a ‘bias’) and I think that’s sort of lame. We don’t need to bash one another to have an intelligent discussion on the merits of one platform or another. The pre-Thom OSAlert was much more egalitarian, and much more respectful, and I think it sucks that that’s changed.
Except, exactly like on the Windows 9X -> XP transition, many users disable this security mechanisms, because they see it as something that gets in the way.
Yes, I do know what a lot of CIOs think. Since I happen to work with a lot of them directly. Apple’s security on the desktop is no more a concern as it is on Windows. CIOs are aware what and how, most of them are not stupid individuals and know where the problems lie.
Same goes for Android vs iOS, it’s more an issue of MDM tool support than anything else… And even then none of the CIOs that have MDM solutions in place or have researched them are against either of the platforms.
If security flaws are an “inescapable part” of your development process then your process is fundamentally flawed.
If the software was properly engineered that wouldn’t automatically happen.
The fact that it wasn’t discovered before doesn’t mean it’s not obvious.
I don’t think so, it comes with the territory — people make mistakes. Though I disagree with the OP’s argument that agile is more prone to security flaws.
Its also worth noting that Apple’s particular flaws, while still flaws and while they are still just a normal part of the process, are especially basic. Security is a mindset that’s built into the culture of a company. If Apple is making these kind of mistakes, there’s something wrong there.
Of course, that’s unavoidable but the argument was that security issues was inherent to the process Apple use to develop software. If that’s the case the process is flawed.
Soulbender,
“If security flaws are an ‘inescapable part’ of your development process then your process is fundamentally flawed.”
I agree with you, it’s shameful that there are developers who regularly produce security holes in software. But at the same time it’s sort of a biproduct of the fast and cheap development process that companies are seeking. My experience with most companies is that “security” is little more than a PR selling point and not a genuine development philosophy.
“If the software was properly engineered that wouldn’t automatically happen.”
I think the OP was merely explaining the situation on the ground rather than trying to justify it. If so, I think he’s right. It’d be nice if things were engineered correctly in the first place, but security is rarely a priority in development and usually only gets tackled in hindsight. I agree with you it’s the wrong way to do it.
Hi,
A company’s only goal is profit – their products are just a by-product of that. If engineering things correctly costs more than the potential cost of fixing things if/when they break; then engineering things correctly is the “wrong” way to do it.
– Brendan
Brendan,
“A company’s only goal is profit – their products are just a by-product of that. If engineering things correctly costs more than the potential cost of fixing things if/when they break; then engineering things correctly is the ‘wrong’ way to do it.”
That’s all true, and it wouldn’t be a big deal if the company were only putting it’s own data at risk. Unfortunately the victim of these poor security measures is often not the company but rather it’s customers. Companies should have a responsibility to protect customer data. When a company takes private data and says it will keep it private, it’s borderline fraud when they take shortcuts and fail to implement good security practices.
I realize my security demands are futile in modern business where nothing is worth doing right if it can be done wrong for cheaper. But frankly sanitizing input should automatically be standard practice for all developers on all user facing projects without needing to be justified on a balance sheet, sheesh.
I miss the old maxim: If it’s worth doing, it’s worth doing right.
Not all companies set profit as their only goal.
That’s not universally true and I doubt it’s even true for most companies.
No, it’s still the wrong way to engineer things. Correct engineering is not a function of profit goals.
The article makes some good points but it’s also completely flawed.
I think they were writing this for some time, then Apple introduced the improved authentication system (albeit only in a few countries) and kind of screwed it up for them.
Apple does indeed need to improve more on security.
However, they’ve not been idle. Gatekeeper (great for non-tech savvy people) and sandboxing on the mac. They’re certainly working on it.
As for iOS, well go check out malmware on Google playstore and then come back. And I’m not even mentioning the countless numerous security flaws which don’t get patched up on Android because it takes months (if ever) to get an update.
MS is doing a much better job.
PS: what’s up with the layout. Lot’s of useless images, uneven formatting, not what we’re used to seeing from the Verge; looks like a rushed job.
Don’t worry, I’m sure no one here expected you have a different take on it.
And? Hate to break it to you, but “malmware” [sic] still makes it into the app store, despite the supposed infallibility of Apple’s approval process. So compared to Android, iOS has severely limited functionality – and all you get for that tradeoff is a false sense of security. Now THERE’s a value proposition!
And even that requires giving Apple the benefit of the doubt, taking Apple at their word that the app store approval process is primarily intended to protect end users… As opposed to just protecting Apple from competition and anything else they deem undesirable.
So… your point is that OS updates are more difficult with a diverse platform like Android, compared to a single-vendor monoculture like iOS? Stop the presses!
Sure, it gets in everywhere, but I don’t think you can deny that Android has a significantly bigger malware problem than the other platforms.
I’m unsure how Apple gives you a false sense of security, because I wasn’t aware that this was related to the specific type of security issues that curated app stores mitigate.
No one cares about the excuse, only what actually is. The current case is that Android devices are sometimes shut out from critical security patches over carrier politics.
The Windows NT family of operating systems is also quite secure since the early days.
Windows problems on those systems were not the security mechanisms not being available, but rather developers and users turning them off by running as Administrator all the time.
Many Mac OS X non technical users seem to be doing the same nowadays.
I did, since you didn’t. And malware is a non-issue on the Play Store.(I mean password stealing, premium SMS sending and security controls overcoming apps.)
Here’s the real irony: osnews.com is vulnerable to the same thing!
I have an external link that exploits an osnews web vulnerability to reset the password of a logged in user to “hacked”.
Works under firefox, not ie since I didn’t bother…even malware authors have to struggle around incompatibilities
I’ll be a nice guy and email Thom a link in private so they can confirm it and fix it
Thom,
It occurs to me that it would have been nicer still to not say anything at all in public, but I couldn’t resist exposing the irony. I hope we can all have a good laugh
Now that you point it out there is an obvious security issue on the account preferences page. There is a reason most such system require the user to re-enter their existing password in order to change it…
That said, osnews.com is not Apple – I think it is fair to hold them to a slightly higher standard.
galvanash,
“Now that you point it out there is an obvious security issue on the account preferences page. There is a reason most such system require the user to re-enter their existing password in order to change it…”
Yea, there are vulnerabilities on several pages, which you can probably find if you poke around with an eye for them. I’d like to discuss them because they’re common web problems, but so far they haven’t responded and I feel guilty pointing them out before they’re fixed. It’s probably unlikely anyone will fix them before this article times out.
“That said, osnews.com is not Apple – I think it is fair to hold them to a slightly higher standard.”
Haha, I’ve read this sentence several times now and it’s not semantically clear at all which one you are holding to a higher standard
Edit: Often companies are lazy at fixing both known and unknown vulnerabilities until the exploits for them are in the wild. This is probably why many security researches end up being frustrated with “proper channels” and publish their exploits, which forces companies to promptly fix their stuff. What are osnews reader’s opinions on the morality of public disclosure of security vulnerabilities?
Edited 2013-04-02 01:40 UTC
I meant that it seems fair to me to hold Apple to a higher standard, but point taken – I did word that poorly.
I think in this case public disclosure is more than fair – the problem is so obvious it is in fact announcing itself…
ps. If you really want to get Thom’s attention send him a link to the exploit in an email… Just tell him what you are going to change his password to first
Edited 2013-04-02 02:34 UTC
galvanash,
“ps. If you really want to get Thom’s attention send him a link to the exploit in an email… Just tell him what you are going to change his password to”
That’s actually what I did. The exploit I used was a bit more sophisticated than redirected form submission – it takes over control of the user session in an iframe (which is the reason it was browser dependent) and passes control to another server.
This year one of my clients was attacked with one of the most sophisticated PHP attacks I had seen to date. Malicious code was uploaded on one website through an image upload form, propagated to another website through background mirroring jobs, and exploited on that second website. The code was self obfuscating and ultimately extracted and installed a PHP trojan which was used to conduct an attack on another third party server (who accused us of hacking them).
Thom,
This is still not fixed, and I haven’t even heard a peep from you or David in email or here. It was no april first joke, the accounts of osnews users are absolutely vulnerable.