
Google+ Local hit with thousands of compromised hotel links



Yesterday, news surfaced of an annoying and somewhat unanticipated so-called hijacking of hotel links within Google+ Local accounts by yet-unknown spammers. When clicked, the compromised links took prospective customers to a third-party booking service. Whether the third-party services were responsible for the compromised accounts or another entity entirely -- someone operating under an affiliate account seems most likely, in that scenario -- also isn't yet known.

The compromised links were first reported on by the folks over at Search Engine Land. It would seem thousands of hotel-based Google+ accounts were compromised, with the only change taking place being an alteration to the URL under its avatar in the main profile box -- the URL in the "Links" section also seems to have been changed. Further adding to the element of obfuscation was the nature of the compromised URLs in and of themselves.

The hijacked links, if they can be appropriately called that, upon first glance appeared legit enough, usually starting with the name of the hotel before the third-party's domain. The links pointed to RoomsToBook[dot]info, as well as a .NET variation, and HotelsWhiz[dot]com. The folks behind the report tried to contact the sites' owners without success.

Both RoomsToBook domains point to servers for a HotelWhiz offshoot, however, called HotelWhiz[dot]info. At this point, there's no word on whether the company is responsible or someone else entirely, and Google hasn't been forthcoming in details, though it is working on fixing the problem. Some pages have been removed, and the Internet giant has confirmed it is both aware and cleaning up the mess.





SOURCE: Search Engine Land

Snapchat scraped: 4.6m usernames and numbers reportedly grabbed



The Snapchat exploit revealed last week has seemingly exposed the usernames and cellphone numbers of a claimed 4.6 million users of the self-destructing messaging service, according to a site that supposedly snatched the information from the company's database using the hack. Dubbed SnapchatDB!, the site offers up a download of what's described as "a vast majority" of Snapchat users, purportedly to highlight the lax security liberties companies take with our personal information.

Snapchat, so the site's hosts argue, was negligent in patching the exploit, "until they knew it was too late." According to Gibson Security, the research firm which publicized the API loophole at the root of the hack, Snapchat was aware of the issue as early as August 2013, but failed to address it until recently.

Still, that's perhaps little consolation for those whose personal details are now in the wild. The database download has been masked, but only the last two digits of each phone number have been hidden, and the site admins do say that those wanting the full, uncensored database should ask and, "under certain circumstances", it may be released.

Meanwhile Gibson Security, although saying that it was unaware of the database scrape and associated site being set up using its exploit, argues that it was only "a matter of time" before it happened. More concerning, the Australian researchers suggest that the exploit can still be utilized with just a few minor modifications made to it.

Snapchat's security has been called into question several times over the service's lifespan, in part because the ephemeral nature of photos shared using the app is an obvious lure for methods to preserve them. Tools to save images without the sender knowing that they have been captured have popped up on several occasions, though Snapchat has moved to block each loophole along the way.

Nonetheless the apparently cavalier approach to account security this time around may give some Snapchat users pause for thought, especially given that, as SnapchatDB! points out, many will use the same username for multiple services.



SOURCE: Hacker News

Facebook developers experiment with 'sympathy' button

Facebook’s “Like” button could be getting another overhaul. The company nixed the ubiquitous thumbs-up symbol, starting with a rollout that began a month ago. Now it could be getting a more emotionally complex character in the guise of a “sympathy” button.

A Facebook engineer this week told the Huffington Post that some of the engineers at the social media giant were working on a “sympathize” button. The button could rely on a “mood” drop-down list when users post statuses. If the indicated mood is “sad”, for example, the “like” button would turn into a “sympathize” button.



Friends could then automatically show sympathy by clicking it. The sympathy count would show up just as the like count shows up currently. This would remove the pesky need to type a sad-face emoticon or, heaven forbid, actual words of support found deep within the hearts of the average user’s few hundred closest friends.

No timeline for the rollout of a “sympathize” button was announced. However, it was tested. One of Facebook’s engineers has already tried it. The results were witnessed at a Facebook hackathon that occurred earlier this year.



SOURCE: Huffington Post

SIM card hack possible with a couple of text messages

Almost every phone in existence uses a SIM card, especially GSM-based devices. It turns out that while SIM cards are encrypted, they can easily be breached with just a couple of text messages, and it apparently takes only a couple of minutes. The hack allows someone to listen in on calls and steal mobile data from a phone.

The hack consists of cloaking a text message so that it looks like it was sent from the carrier, and about a quarter of the time, an error message is sent back containing information about the SIM card that can be used to break into it. After that, another text can be sent that officially finishes the job, allowing hackers into your phone.

Security researcher Karsten Nohl of Security Research Labs discovered the exploit and says that up to 750 million handsets could be vulnerable to the hack. However, he notes that only SIM cards using older data encryption methods are at risk, while SIM cards using the newer Triple DES encryption are safe.

Out of all the mobile phones littering the world, about half of them use SIM cards that still use the older DES encryption. However, the exploit probably won’t last for long, since Nohl reported the vulnerability to the GSM Association, and they plan to speak with all carriers about fixing the exploit.

Nohl also plans to reveal his findings during the upcoming Black Hat conference. Don’t worry too much, though, as Nohl believes cyber criminals haven’t figured out the hack, and it would most likely take around six months for someone to figure it out. By then, carriers are hoping to have already patched the vulnerability.






VIA: New York Times
