Author: Zack Whittaker

Security researchers have found thousands of exposed internet-connected industrial refrigerators that can be easily remotely instructed to defrost. More than 7,000 vulnerable temperature controlled systems, manufactured by U.K.-based firm Resource Data Management, are accessible from the internet and can be controlled by simply plugging in its default password found in documentation on the company’s website, according to Noam Rotem, one of the security researchers who found the vulnerable systems. Many of these vulnerable units are found in industrial refrigerators in restaurants, hospitals, and supermarkets and grocery stores from the U.K., Ireland, and as far away as Sweden, Germany and China. The researchers also found a pharmaceutical company in Malaysia and a cooling facility in Germany. Defrosting the refrigerators could lead to untold water damage, financial losses, and the destruction of inventory. In the case of high-value industries, that could amount to hefty losses. The web interface of an industrial freezer at a Marks & Spencer in Hong Kong. (Image: TechCrunch) “The systems can be accessed through any browser,” said Rotem in his write-up. shared with TechCrunch before his public disclosure. “All you need is the right URL, which as our tests show, isn’t too difficult to find.” Rotem said defrosting a machine takes only a “click a button and enter the default username and password,” both of which are near-universal across the company’s devices. TechCrunch found several hundred refrigerators...

Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm. In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.” “We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added. It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister, and Hotels.com, were using a third-party analytics tool, to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity. Even though sensitive data is supposed to be masked, some data — like passport numbers and credit card numbers — was leaking. Glassbox is a cross-platform analytics tool that specializes in session replay technology. It allows companies to integrate its screen recording technology into their apps to replay how a user interacts with the apps. Glassbox says it...

Apple has pushed iOS 12.1.4 to iPhone and iPad users, fixing a security bug that allowed users to eavesdrop on people before accepting a FaceTime call. The software giant moved quickly to disable Group FaceTime on its servers to prevent anyone from exploiting the bug after news of the bug spread quickly on Twitter. After three days of downtime, Apple restored the video video calling feature but promised that a software update would land this week. The update says that it “provides important security updates and is recommended for all users,” without specifically referencing the Group FaceTime bug. But in its usual separate notice detailing security updates, Apple confirmed the bug is fixed. “Today’s software update fixes the security bug in Group FaceTime,” said an Apple spokesperson. “We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS.” The bug was initially reported to Apple by 14-year-old Grant Thompson and his mother,...

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission. You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps. Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data. Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers. Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did...

Facebook and Google landed in hot water with Apple this week after two investigations by TechCrunch revealed the misuse of internal-only certificates — leading to their revocation, which led to a day of downtime at the two tech giants. Confused about what happened? Here’s everything you need to know. How did all this start, and what happened? On Monday, we revealed that Facebook was misusing an Apple-issued certificate that is only meant for companies to use to distribute internal, employee-only apps without having to go through the Apple App Store. But the social media giant used that certificate to sign an app that Facebook distributed outside the company, violating Apple’s rules. The app, known simply as “Research,” allowed Facebook access to all the data flowing out of the device it was installed on. Facebook paid users — including teenagers — $20 per month to install the app. But it wasn’t clear exactly what kind of data was being vacuumed up, or for what reason. It turns out that the app was a repackaged app that was effectively banned from Apple’s App Store last year for collecting too much data on users. Apple was angry that Facebook was misusing its special-issue certificates to push an app it already banned, and revoked it — rendering the app useless. But Facebook was using that same certificate to sign its other employee-only apps,...