Security Round Up: WhatsApp, Google & an XP Patch
The past few weeks have been fraught with news about security threats putting our information at risk. These threats centered around our data being used in ways we never expected or approved, and vulnerabilities we could never have known existed. Worse yet, some threats created risk without any activity on our part to allow it to happen.
This security round up discusses a recent flaw in WhatsApp, Google tracking our purchases and storing some passwords in plaintext, as well as the most recent round of patches released by Microsoft including addressing a flaw in the Windows XP operating system.
Security Round Up: WhatsApp, Google & an XP Patch
WhatsApp is an app owned by Facebook that provides easy to use group chats, messaging and voice calls using voice over IP or VoIP. One of the main benefits of using WhatsApp is that it utilizes an internet connection rather than a messaging plan which can help you avoid costly SMS fees or plans. Additionally, WhatsApp touts end to end encryption, meaning your messages cannot be intercepted or read by unintended recipients which is a concern for some people.
The threat: Earlier last week news of a vulnerability in WhatsApp was released. This vulnerability allowed an attacker to insert malicious code into an Android or iPhone device. The code could be inserted by calling the intended victim and was effective even if the call was not answered. Once the code is injected, data can be stolen from the infected phone.
This security hole is very similar to an Apple FaceTime flaw exposed earlier this year in January. With this vulnerability, using the group feature, attackers could add a call and even if the recipient declined the call, the caller could access the victim's iPhone microphone.
As more and more applications become a part of our daily usage, we will find more vulnerabilities and security flaws. This happens for two main reasons:
- First, as developers rush to include new features and add capabilities that customers are requesting, it is possible to introduce new vulnerabilities.
- Second, the more popular an application is and the more people are using it, the greater the target it becomes for someone who hacks applications.
It is unfortunate, but device and application popularity drive the desire to find vulnerabilities.
The takeaway: WhatsApp encouraged its users to upgrade to the latest version of the app in addition to updating to the latest version of their mobile operating system. It is worth stating that it is always important to keep your applications up to date! Updates often include additional features, and you may not be interested in the newest features, but updates can also include security patches for existing vulnerabilities. Making sure your applications are up to date is the easiest way you can protect yourself.
For more information about this vulnerability and how it was noticed, check out this detailed New York Times article.
Part 1 - Storing purchase histories
Last Friday a story was released showing how Google tracks our purchases, even if the purchase was made outside of Google. This is done by tracking email receipts for purchases sent to Gmail accounts. You can find what receipts are being stored for you by visiting: http://myaccount.google.com/purchases.
The threat: One issue with this feature is that this data has been stored for years but hardly anyone seems to have been aware of its existence. Another issue is that there is no quick or easy way to delete all of the purchase history data. In fact deleting the purchase information requires deleting the original email confirmation of the purchase.
This makes the process tedious and illogical for some, as many of these receipts are kept for tracking or bookkeeping purposes. There are many reasons for keeping receipts this way including, but not limited to being able to:
- Access the information at any time from anywhere
- Track the date of purchase, especially for equipment to manage warranty info
- Track expenses for budgeting or taxes
The takeaway: It is important to know what data a company is collecting about you. Synthesizing information about your purchases might not bother you, but it is critical to know what information is being collected so you can manage what a company has. Lastly, if you are uncomfortable with this tracking, forward these emails to another email platform that does not do the same tracking.
For additional details about this story, check out this CNBC article.
Part 2 - Storing passwords in plain text
Since 2005 some G Suite users have had their passwords stored in plain text. This was caused by a bug in the password recovery feature and was only accessible by authorized Google personnel and of course hackers potentially. While only a small percentage of accounts were affected, it is important to note that an organization's administrator could also access the plaintext passwords for those people within their group.
The threat: Any time passwords are stored in plaintext, they are a threat to the users of those credentials. Add that to the fact that people often reuse passwords and that this threat granted group admins access to passwords of those in their group, and the threat is far reaching.
The takeaway: Google has since disabled the features that the bug was a part of to remove the risk. Google is in the process of notifying those affected, however, if you are a G Suite administrator or user in your organization, it is a good idea to change your password. Also, remember to change credentials for any other sites utilizing the same password combination.
For more information about this story, read this WIRED article.
Windows XP Patch
April 8, 2014 was the official end of support for the Windows XP operating system. Oddly enough, many devices are still running Windows XP even though it is now going on 17 years old. In 2017 when the WannaCry vulnerability was exposed, Microsoft released a patch for the Windows XP operating system because of the intensity of the threat. Now, 2 years later, a similar threat has been found and Microsoft has once again released a patch to address this vulnerability.
The threat: This new vulnerability it a critical item to patch because it is a worm, meaning it requires no user interaction or pre-authentication to exploit. The vulnerability is related to the remote desktop application which is built into the Windows operating system. Remote desktop is used to connect one computer to another over the internet regardless of their physical location.
While the process is similar to connecting to another computer over a VPN, or virtual private network, remote desktop does not include the same security measures a VPN does. So far no reports of this vulnerability being exploited have been reported.
The takeaway: Again, applying updates is the key to protecting devices. Newer versions of applications and operating systems are being released all the time. It is not practical for any company to continue to support every application or operating system they have ever released. Whether because of cost, management, or functionality, it is simply not cost effective for a business.
The unfortunate result is that as consumers, we can end up with an orphaned device or application. Reputable companies will service older software for a substantial amount of time before dropping it out of their service window. Luckily Microsoft made patching this vulnerability a priority so users are still protected even though the XP operating system is no longer part of their regular maintenance.
For more details about this vulnerability and the patches released, read this article by Krebson Security.
New threats will never stop coming. As new applications, operating systems, updates, features, and devices are introduced, someone out there is testing it to its limits. Sometimes this leads to nothing, and other times it leads to something more nefarious. Either way, the most important things you can do to protect yourself are to apply updates when they are available and stay informed to the best of your ability.
As always, knowing what to look for and how to best protect yourself is a great start to maintaining the integrity and privacy of your data!