Showing results for tags 'api'.
Found 4 results
steven36 posted a topic in Security & Privacy News

Twitter discloses security incident involving the abuse of one of its official API features

In a statement published today, Twitter disclosed a security incident during which third parties exploited the company's official API (Application Programming Interface) to match phone numbers with Twitter usernames.

In an email seeking clarifications about the incident, Twitter told ZDNet that it became aware of exploitation attempts against this API feature on December 24, 2019, following a report from tech news site TechCrunch. The report detailed the efforts of a security researcher who abused a Twitter API feature to match 17 million phone numbers to public usernames.

Twitter says that following this report it intervened and immediately suspended a large network of fake accounts that had been used to query its API and match phone numbers to Twitter usernames.

During its investigation into the report, the social network told ZDNet that it also discovered additional evidence that this API bug had been exploited by other third parties, beyond the security researcher at the heart of the TechCrunch report. Twitter did not clarify who these third parties were, but it did say that some of the IP addresses used in these API exploitation attempts had ties to state-sponsored actors, a term used to describe either government intelligence agencies or third-party hacking groups that benefit from a government's backing.

The company said it is disclosing today the findings of its investigation "out of an abundance of caution and as a matter of principle."

The Twitter API bug that was abused in the attack

According to Twitter, the attackers exploited a legitimate API endpoint that allows new account holders to find people they know on Twitter. The API endpoint allows users to submit phone numbers and matches them to known Twitter accounts.

Twitter says the attacks did not impact all Twitter users, but only those who enabled an option in their settings section to allow phone number-based matching. "People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability," Twitter said.

The social network said it immediately made a number of changes to this endpoint after it detected the attack "so that it could no longer return specific account names in response to queries."
Mozilla plans to change the backend for the storage.local API from JSON to IndexedDB to improve performance in Firefox 63. The migration happens in the background, and Firefox users who run Firefox 63 should not notice any issues afterward.

Problems may arise, however, if users downgrade Firefox to an earlier version or switch to a channel that is not yet at Firefox 63 or newer. The change will land in Firefox Nightly first, and if users load the Beta or Stable version of Firefox with the Nightly profile, they may run into data regression issues with extensions installed in the browser.

Mozilla revealed the change on the organization's Add-ons blog, which it uses to inform developers of extensions for Firefox about upcoming changes and new features:

If your users switch between Firefox channels using the same profile during this time, they may experience data regression in the extensions they have previously installed.

Mozilla recommends that users don't downgrade from Firefox 63 in any form (be it by installing an older version and running it, or running an older version that is installed already using the same profile).

How to find out if the data has been migrated

You can do the following to find out if the storage API has been migrated already to the new storage format:

1. Load about:config?filter=extensions.webextensions.ExtensionStorageIDB.enabled in the address bar of the browser.
2. Check the value of the preference. True means that the data has been migrated; False means that Firefox uses the old format.
3. Search for extensions.webextensions.ExtensionStorageIDB.migrated. If the entry for the Extension ID is set to true, the extension storage has been migrated.

What you can do to re-migrate the data

Mozilla published instructions on re-migrating the extension data should it not be there after the migration. Note that it requires quite a few steps, including removing the extension from Firefox and reinstalling it.

1. Open about:debugging and write down the extension ID (or remember it).
2. Open the profile folder of Firefox by loading about:profiles and using the open folder option there.
3. Open the folder browser-extension-data.
4. Open the Extension ID folder.
5. Uninstall the extension.
6. Copy the file storage.js.migrated, which you find in the Extension ID folder, to a new file and name it storage.js.
7. Open the browser console by selecting Menu > Web Developer > Browser Console or by using the shortcut Ctrl-Shift-J.
8. Install the extension again. The browser console should display a migration message. Wait for this to happen.

Closing Words

If you need to run different Firefox channels, use different profiles (you can even run the profiles simultaneously). You can copy profile data from one profile to the other to create copies if you want to work with the same data set.
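The two checks above (the global ExtensionStorageIDB preference and the per-extension migrated flag) and the storage.js restore step can be scripted against a profile folder. The following is an added example, not code from Mozilla or the article; it assumes prefs.js uses the usual user_pref("name", value); lines, that the per-extension flag is named "<migrated prefix>.<extension ID>", and that browser-extension-data/<extension ID>/ holds storage.js.migrated as described.

```python
import re
import shutil
from pathlib import Path

# Pref names from the article's about:config instructions; the per-extension
# key is assumed to be the migrated prefix followed by the extension ID.
ENABLED_PREF = "extensions.webextensions.ExtensionStorageIDB.enabled"
MIGRATED_PREFIX = "extensions.webextensions.ExtensionStorageIDB.migrated."

_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false)\);')


def parse_prefs(prefs_text: str) -> dict:
    """Return {pref name: bool} for the boolean user_pref lines in prefs.js text."""
    return {m.group(1): m.group(2) == "true" for m in _PREF_RE.finditer(prefs_text)}


def migration_status(prefs_text: str, extension_id: str) -> dict:
    """Report whether IndexedDB storage is enabled and whether this extension was migrated."""
    prefs = parse_prefs(prefs_text)
    return {
        "idb_enabled": prefs.get(ENABLED_PREF, False),
        "extension_migrated": prefs.get(MIGRATED_PREFIX + extension_id, False),
    }


def restore_storage_js(profile_dir: Path, extension_id: str) -> Path:
    """Re-create storage.js from storage.js.migrated (the article's copy step).

    The migrated file is copied, not moved, and an existing storage.js is never
    overwritten, so the original data survives a failed re-migration attempt.
    """
    ext_dir = profile_dir / "browser-extension-data" / extension_id
    src = ext_dir / "storage.js.migrated"
    if not src.is_file():
        raise FileNotFoundError(f"no migrated storage file for {extension_id}: {src}")
    dst = ext_dir / "storage.js"
    if dst.exists():
        raise FileExistsError(f"{dst} already exists; refusing to overwrite")
    shutil.copyfile(src, dst)
    return dst


# Constructed sample prefs.js content for demonstration; not from a real profile.
SAMPLE_PREFS = """
user_pref("extensions.webextensions.ExtensionStorageIDB.enabled", true);
user_pref("extensions.webextensions.ExtensionStorageIDB.migrated.sample@example.com", true);
user_pref("extensions.webextensions.ExtensionStorageIDB.migrated.other@example.com", false);
"""

if __name__ == "__main__":
    print(migration_status(SAMPLE_PREFS, "sample@example.com"))
    print(migration_status(SAMPLE_PREFS, "other@example.com"))
```

Run restore_storage_js only with Firefox closed and the extension uninstalled, as in the article's sequence of steps.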
Reefa posted a topic in Security & Privacy News

Tech Experts Unite to Launch Secure Domain Foundation

The Secure Domain Foundation will protect the domain industry from abuse by helping domain registrars and other Internet infrastructure operators identify cyber-criminals setting up criminal networks, the non-profit's founder said in an interview.

Launched Monday at ICANN's Secure Domain Foundation offers tools to look up a domain registration or a hosting request to identify potential criminal activity. The foundation will use its API to provide the registrar with an instant "credit score" indicating the likelihood of the domain being part of a criminal network, said Chris Davis, the president of SDF. Davis, a director at security company Crowdstrike, is known for his work identifying the Mariposa botnet.

SDF will "increase the pain for the bad guys" by making it harder to switch providers, Davis said. Currently, if a domain registrar or hosting provider shuts down a domain for malicious activity, it's no big deal for the criminal to move to a different provider and resume operations, Davis said. SDF will provide a WHOIS lookup via its API product so that registrars such as GoDaddy can look at an application and know that the email address has been previously associated with a command-and-control server, or that the person had been shut down by a different provider just a few days ago.

The SDF's service "not only validates the contact registration data provided but also lets the registrar and registry know if we have seen that data used previously in relation to cyber crime," said Norm Ritchie, chairman of SDF.

Over the past two years, SDF has been pulling together postal addresses, email addresses, malware indicators, botnet activities, and other domain-related information to compile an extensive database about malicious domains and actors. The data validation service will draw upon this extensive database.

ICANN recently mandated that domain registrars must start validating contact information provided during domain registration. SDF's service makes this easier to implement. Registrars can incorporate the data validation services directly into the registration process, or query the list of known-bad actors as part of a batch process run at a later time.

The goal is to provide registrars with information to make their own decisions, not to force registrars to take certain steps. If a registrar learns that a certain domain is malicious and associated with a botnet, it is up to the registrar to decide whether to monitor the account closely, shut it down immediately, or not do anything at all. It is up to the registrar what it wants to do, as the SDF just provides tools and information, Davis said.

SDF will also take a pro-active role in identifying bad actors and notifying law enforcement and registrars with sufficient evidence to get the domain shut down, Davis said. Other organizations with research on malicious servers can also contact SDF. The foundation will act as a "clearinghouse for abuse complaints," Davis said.

Some of the industry's biggest brands back this foundation, including the Anti-Phishing Working Group (APWG), Blacknight Solutions, CIRA (.ca), CO Internet (.co), CoCCA, Crowdstrike, DomainTools, Emerging Threats, Enom, ESET, Facebook, Foreground Security, Internet Identity, Mailshell, Names.com, SecDev Group, Verisign, and Verizon.

While the current market focus is on domain name registrars, registries, ccTLD operators, and gTLD operators, SDF plans to expand services to include hosting providers, DNS operators, CERTs, law enforcement, and other key stakeholders in Internet infrastructure. While SDF will provide just the data validation service via the API as part of the initial launch, Davis said the focus was on a staged approach to expand its services. One approach is to work with these providers on setting up locks and other protective security features to make it harder for domain name system records to be maliciously modified.

"We are going to save the world one step at a time," Davis said.
geeteam posted a topic in Mobile News

Google appears to be working on a series of improvements for cameras on Android, including burst mode, improved face detection, and the ability to work with RAW photos. The possible new camera features were spotted in the public Android source code by Josh Brown and Ars Technica, and they appear to have been in the works since December 2012. The updates would be part of a camera API that any manufacturer could tap into, allowing all Android phones to take advantage of these additions.

While Google may have been aiming to ship these changes in KitKat, it appears that they weren't ready in time. In October, the updated camera API was removed from the upcoming release code with the note, "Not yet ready."

While the detailed features wouldn't immediately lead to better photographs, it seems that Google may be starting to address one of Android's shortcomings. Google has frequently been criticized for the state of Android cameras — especially as those on Nokia and Apple's phones continue to get better — but perhaps Google is now looking to change the story.