Innovation and Laboratory Area in ElevenPaths Google report 17% of Microsoft vulnerabilities. Microsoft and Qihoo, 10% Who finds more vulnerabilities in Microsoft products? What percentage of vulnerabilities are discovered by Microsoft, other companies or vulnerability brokers? How many flaws have unknown discoverers? Over this report we have analyzed...
Innovation and Laboratory Area in ElevenPaths Uncovering APTualizator: the APT that patches Windows By the end of June 2019, we assisted to an incident were a high number of computers had started to reboot abnormally. In parallel, Kaspersky detected a file called swaqp.exe, which apparently...
ElevenPaths #CyberSecurityPulse: From the bug bounties (traditional) to the data abuse bounties Social networks image The Internet giants are going to great lengths to be transparent with their communication about the information they are gathering from their users. In the case...
ElevenPaths New report: Twitter botnets detection in sports event We all know that a botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform DDoS attacks,...
Innovation and Laboratory Area in ElevenPaths EasyDoH Update Hot off the Press: New Improvements and Functionalities Just a few weeks ago, we launched EasyDoH: an extension for Firefox that simplifies the use of DNS over HTTPS. We have been asked about its improvements and several...
Innovation and Laboratory Area in ElevenPaths Google report 17% of Microsoft vulnerabilities. Microsoft and Qihoo, 10% Who finds more vulnerabilities in Microsoft products? What percentage of vulnerabilities are discovered by Microsoft, other companies or vulnerability brokers? How many flaws have unknown discoverers? Over this report we have analyzed...
ElevenPaths New tool: SKrYPtEd, your Skype conversations local database protector Did you know your Skype conversations are stored in plaintext in your hard drive? Did you know anyone could just grab them with some kind of malware and upload...
Sergio De Los Santos The attack against OpenPGP infrastructure: consequences of a SOB’s actions What is happening with the attack against OpenPGP infrastructure constitutes a disaster, according to the affected people who maintain the protocol. Robert J. Hansen, who communicated the incident, has...
Innovation and Laboratory Area in ElevenPaths Google report 17% of Microsoft vulnerabilities. Microsoft and Qihoo, 10% Who finds more vulnerabilities in Microsoft products? What percentage of vulnerabilities are discovered by Microsoft, other companies or vulnerability brokers? How many flaws have unknown discoverers? Over this report we have analyzed...
Sergio De Los Santos Facebook signed one of its apps with a private key shared with other Google Play apps since 2015 Facebook Basics is a Facebook app aimed at countries with poor connectivity, where a free access service to WhatsApp and Facebook is provided. It has been discovered that the Android version...
ElevenPaths How to forecast the future and reduce uncertainty thanks to Bayesian inference (II) In the first part of this article we explained how Bayesian inference works. According to Norman Fenton, author of Risk Assessment and Decision Analysis with Bayesian Networks: Bayes’ theorem is...
ElevenPaths Tackling Cybercrime: Three Recommendations for 2018 In 2017 we saw ransomware variants such as Wannacry wreak havoc across computer networks in the UK. Not only were these variants of malware almost impossible to remove from...
Facebook signed one of its apps with a private key shared with other Google Play apps since 2015Sergio De Los Santos 9 September, 2019 Facebook Basics is a Facebook app aimed at countries with poor connectivity, where a free access service to WhatsApp and Facebook is provided. It has been discovered that the Android version used a “Debug” certificate shared by other unrelated applications and in other markets. Moreover, within ElevenPaths we have verified that since 2015 such certificate was shared with Chinese apps on Google Play. This means that they shared private key and could even influence the original app. A few days ago, the owner of the Android Police page reported that the same certificate used to sign the app Facebook Basics was being used by many other apps in other markets, with no apparent relationship. Facebook has downplayed the issue by claiming that there is no evidence that the certificate has been exploited and that it has already been fixed. However, this is not so simple, so both consequences and potential causes are only bad news. Causes Android APKs must be signed with self-signed certificates. This breaches a little bit any rule from a chain of trust, but at least it preserves the integrity of the app and allows its updating. If you sign an app with a certificate and upload it to Google Play, you will never be able to change the certificate (or the package name) if you wish to update it. If you lose the certificate, you will have to create a different appꟷand this is what Facebook has done to “fix it”. Nevertheless, Facebook has not (supposedly) lost the private key of the signing certificate. They have done something different (worse?) what we can only speculate about. To begin with, they have used an ‘Android Debug’ certificate without real filled data. This, in addition to the bad image, means that they have left the typical test certificate at the production stage. How is it possible that third parties use this certificate? This certificate might be public. There are some cases, and some developers use it by ignorance or because they do not make efforts to develop high-quality apps… But they may have lost control over this certificate as well, which would imply a lack of security over its development. Another possibility is that the app had been commissioned to a third party (freelance?) and this one worked on it later by signing with the same key (which is strongly inadvisable). Furthermore, from ElevenPaths we have ascertained that the apps signed with the same certificate were not exclusively in other markets, but that already in 2015 (when Facebook Basics was released) we found Chinese applications signed and already taken down from the market. * App: af739e903e97d957a29b3aeaa7865e8e49f63cb0 Signed with: 5E8F16062EA3CD2C4A0D547876BAA6F38CABF625 On Google Play from approximately 2015-09-20 to 2016-10-07. * App: 063371203246ba2b7e201bb633845f12712b057e Signed with: 5E8F16062EA3CD2C4A0D547876BAA6F38CABF625 On Google Play from approximately 2015-10-21 to 2016-06-22. * App: c6a93efa87533eeb219730207e5237dfcb246725 Signed with: 5E8F16062EA3CD2C4A0D547876BAA6F38CABF625 On Google Play from approximately 2015-09-15 to 2015-09-16. Impact In addition to the poor image of Facebook (is there any area where privacy has not been brought into question?), an attacker could have taken advantage of this to fraudulently update the app of Facebook. How? Well, to update an app it just needs to have the same certificate and it is only necessary to have access to the Google Play account. It’s not easy, but with this Facebook was doing half the work to be performed by an attacker. Moreover, the work to perform a potential collusion attack in Android applications would be facilitated as well. These are well-known attacks involving different applications which are not malicious by themselves but working together may lead to an attack. An example is by adding permissions of two applications so that together the attacker can have more power on the phone, even if individually they seem harmless. To achieve this kind of attacks, such apps must be signed with the same certificate. Again, the necessary work was being provided to a potential attacker. On top of all this, Facebook did not want to reward the discoverer because he made it public on Twitter before reporting the issue. New tool: Masked Extension Control (MEC), don’t trust Windows extensionsEasyDoH: our new extension for Firefox that makes DNS over HTTPS simpler
Innovation and Laboratory Area in ElevenPaths EasyDoH Update Hot off the Press: New Improvements and Functionalities Just a few weeks ago, we launched EasyDoH: an extension for Firefox that simplifies the use of DNS over HTTPS. We have been asked about its improvements and several...
Innovation and Laboratory Area in ElevenPaths Google report 17% of Microsoft vulnerabilities. Microsoft and Qihoo, 10% Who finds more vulnerabilities in Microsoft products? What percentage of vulnerabilities are discovered by Microsoft, other companies or vulnerability brokers? How many flaws have unknown discoverers? Over this report we have analyzed...
Innovation and Laboratory Area in ElevenPaths EasyDoH: our new extension for Firefox that makes DNS over HTTPS simpler A year ago, the IETF has raised to RFC the DNS over HTTPS proposal. This new is more important than it may seem. For two reasons: firstly, it’s a...
ElevenPaths New tool: Masked Extension Control (MEC), don’t trust Windows extensions Windows relies too much on extensions to choose the program that must process a file. For instance, any .doc file will be opened by Word, regardless of its “magic...
Innovation and Laboratory Area in ElevenPaths Five interesting own tools that you may have missed (and a surprise) This time we are going to rehash a blog entry by gathering some of the own tools that we have recently developed and we consider of interest. We summarize...
Innovation and Laboratory Area in ElevenPaths Uncovering APTualizator: the APT that patches Windows By the end of June 2019, we assisted to an incident were a high number of computers had started to reboot abnormally. In parallel, Kaspersky detected a file called swaqp.exe, which apparently...
