Author: Zack Whittaker

Apple fixes FaceTime eavesdrop bug, with software update incoming

Three days after Apple pulled its new Group FaceTime feature offline after users found they could eavesdrop on people before accepting a call, the company says it’s fixed the bug on its end. “We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week,” said Apple in a statement. “We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.” The bug allowed anyone to swipe up and...

Indian state government leaks thousands of Aadhaar numbers

A lapse in security has led to the leaking of over a hundred thousand Aadhaar numbers, TechCrunch can reveal. One of the web systems used to record attendance of government workers for the Indian state of Jharkhand was left exposed and without a password as far back as 2014, allowing anyone access to names, job titles, and partial phone numbers on 166,000 workers as of the time of writing. But the photo on each record page used the file name as that worker’s Aadhaar number, a confidential 12-digit number assigned to each Indian citizen as part of the country’s national identity and biometric database. The data leak isn’t a direct breach of the central database run by Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), but represents another lapse in responsibility from the authority charged with protecting its data. Aadhaar numbers aren’t strictly secret but are treated similarly to Social Security numbers. Any of the 1.23 billion Indian citizens enrolled in Aadhaar — more than 90 percent of the population — can use their unique number or their thumbprint to verify their identity in order to enroll in state services, like voting, welfare or financial assistance. Aadhaar users can even use their Aadhaar identity to open a bank account, get a SIM card, call an Uber, buy something on Amazon, or rent an Airbnb. But the system has been...

Amazon’s barely-transparent transparency report somehow gets more opaque

Amazon posted its bi-annual report Thursday detailing the number of government data demands it receives. The numbers themselves are unremarkable, neither spiking nor falling in the second half of last year compared to the first half. The number of subpoenas, search warrants and other court orders totaled 1,736 for the duration, down slightly on the previous report. Amazon still doesn’t break out demands for Echo data, but does with its Amazon Web Services content — a total of 175 requests, down from 253 requests. But noticeably absent compared to earlier reports was how many requests the company received to remove data from its service....

Apple has banned Google from running internal iOS apps after certificate misuse

Apple has blocked Google from distributing its internal-only iOS apps on its corporate network after a TechCrunch investigation found the search giant abusing the certificates. “We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon,” said a Google spokesperson. A spokesperson for Apple said: “We are working together with Google to help them reinstate their enterprise certificates very quickly.” TechCrunch reported Wednesday that Google was using an Apple-issued certificate that allows the company to create and build internal apps for its staff for one of its consumer-facing apps,...

Houzz resets user passwords after data breach

Houzz, a $4 billion-valued home improvement startup that recently laid off 10 percent of its staff, has admitted a data breach. A reader contacted TechCrunch on Thursday with a copy of an email sent by the company. It doesn’t say much — such as when the breach happened, what was stolen, or if a hacker is to blame or if it was a data exposure that the company could’ve prevented. Houzz spokesperson Gabriela Hebert would not comment beyond an FAQ posted on the company’s website, citing an ongoing investigation. In that FAQ, the company said it “recently learned that a file containing some of our user data was obtained by an unauthorized third party.” It added: “We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts.” The company said it was notifying all of its users who may have been affected.

An email from a Houzz user. (Image: supplied)

Houzz said some publicly visible information from a user’s Houzz profile, such as name, city, state, country and profile description, was taken, along with internal identifiers and fields “that have no discernible meaning to anyone outside of Houzz,” such as the region and location of the user and whether they have a profile image, for example. The company also said that usernames and scrambled passwords were taken. Houzz said that the...

Google’s also peddling a data collector through Apple’s back door

It looks like Facebook is not the only one abusing Apple’s system for distributing employee-only apps to sidestep the App Store and collect extensive data on users. Google has been running an app called Screenwise Meter, which bears a strong resemblance to the app distributed by Facebook Research that has now been barred by Apple. In its app, Google invites users aged 18 and up (or 13 if part of a family group) to download the app by way of a special code and registration process using an Enterprise Certificate. That’s the same type of policy violation that led...

India’s largest bank SBI leaked account data on millions of customers

India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions. The server, hosted in a regional Mumbai-based datacenter, stored two months of data from SBI Quick, a text message and call-based system used by customers of the government-owned State Bank of India (SBI) to request basic information about their bank accounts. SBI is the largest bank in the country and a highly ranked company in the Fortune 500. But the bank had not protected the server with a password, allowing anyone who knew where to look to access the information of millions of customers. It’s not known for how long the server was open, but it was open long enough to be discovered by a security researcher, who told TechCrunch of the leak but did not want to be named for the story. SBI Quick allows SBI’s banking customers to text the bank, or make a missed call, to retrieve information back by text message about their finances and accounts. It’s ideal for millions of the banking giant’s customers who don’t use smartphones or have limited data service. By using predefined keywords, like “BAL” for a customer’s current balance, the service recognizes the customer’s registered phone number and sends back the current amount in that customer’s bank account. The system can also be used to send...

Data management giant Rubrik leaked a massive database of client data in security lapse

A server security lapse has exposed a massive database of customer information belonging to Rubrik, an IT security and cloud data management giant. The company pulled the server offline Tuesday within an hour of TechCrunch alerting the company, after the data was found by security researcher Oliver Hough. The exposed server wasn’t protected with a password, allowing access to anyone who knew where to find the server. The database itself, running on a hosted Amazon Elasticsearch server, was storing tens of gigabytes of data, including customer names, contact information, and case work for each corporate customer. It’s believed the...
