steven36 posted a topic in Security & Privacy News

In short: neither the WhatsApp service nor its 45-day deletion policy seems to have a bug. For a detailed explanation, please read below.

An Amazon employee earlier today tweeted details about an incident that many suggest could be a sign of a huge privacy bug in WhatsApp, the most popular end-to-end encrypted messaging app, that could expose some of your secret messages under certain circumstances.

According to Abby Fuller, she found some mysterious messages on WhatsApp, notably not associated with her contacts, immediately after she created a new account with the messaging app on her brand new phone using a new number for the very first time.

Fuller believes that the content that mysteriously appeared on her new account was the message history associated with the WhatsApp account of the previous owner of the same SIM/mobile number, which WhatsApp pushed to her phone.

Since for WhatsApp your phone number is your username and your password is the OTP it sends to that number, it's not a vulnerability. This is how the service works.

In a blog post, WhatsApp has explicitly mentioned that it's a "common practice for mobile providers to recycle numbers, you should expect that your former number will be reassigned."

In her tweets, Fuller said that the chat history that appeared was "not FULL, but definitely actual threads/DM conversations." She has yet to confirm whether those messages also included any message sent by the previous SIM owner.

However, to my knowledge, setting up WhatsApp on a new device using a new phone number could not restore the full message archive of the previous owner, because the company never backs up your encrypted conversations on its server. It does, however, keep pending messages on its server until they are delivered to the recipients when they come back online.

This suggests that the messages Fuller found on her newly created WhatsApp account were probably only the undelivered messages sent by the contacts of the previous owner after he/she stopped using that SIM number.

Moreover, to prevent your previous messages from landing on someone else's device, WhatsApp recommends that users either delete their account before they stop using a SIM or migrate the WhatsApp account with the "Change number" feature available in the app settings.

Besides this, in case you forget to delete your old account, WhatsApp automatically deletes undelivered messages from its servers after you have been offline for 45 days, preventing the new owner of your old number from receiving those messages.

However, Fuller claimed that she has owned her new phone number for many months, i.e., more than 45 days, and that some bug may have caused WhatsApp to fail to delete the messages associated with the previous SIM owner from its server.

Here's What Could Have Happened

A few tech sites and users on Twitter and Reddit are currently suggesting that WhatsApp's "45-day message deleting mechanism" contains a bug that keeps undelivered messages stored on the company's server for a longer period after the recipients stop using their accounts.

However, they all missed an important fact here — You don't need your SIM to keep using your WhatsApp account, once configured on the phone.

That means it is quite possible that the old owner of that SIM was still using his WhatsApp account after dumping the SIM number, until Fuller recently configured the same number and verified the account using the OTP received on her phone.

So, with high confidence, we can say that the messages that appeared on Fuller's phone were only some recently undelivered messages that the old user was supposed to receive when online this morning.

What About the WhatsApp Encryption Keys?

Lastly, if you are wondering how a new user with a new WhatsApp private key on her phone was able to receive/read messages that were actually end-to-end encrypted using the private keys of the previous owner, you should read our previous article here.

This story also highlights the privacy threat a Guardian reporter raised two years ago in the way WhatsApp implemented the protocol, wherein the company, by default, trusts new encryption keys broadcast by a contact and uses them to automatically re-encrypt undelivered messages and send them to the recipient without informing the sender or leaving an opportunity for the sender to verify the recipient.

We have contacted the WhatsApp team and are waiting for their comment. We'll update the story as soon as we hear back from them.

Source

straycat19 posted a topic in Security & Privacy News

A company selling internet-connected stuffed toys used by kids and parents to send voice messages to one another leaked 800,000 user account credentials and 2 million message recordings, according to security researcher Troy Hunt. The data was hacked, locked and held for ransom.

Researchers and journalists have been trying to reach the company, Spiral Toys, since late last year to confirm and fix the data breach and security problems for the CloudPets brand. No one has heard back from the manufacturers as the data hit the web and was passed around between hackers and researchers.

The magnitude of problems and the nature of the victims — small children and families — have set up the CloudPets hack to be a textbook-example security failure for a long time to come.

Spiral Toys is a virtually worthless company, according to its stock prices and activity. It does not appear to have a functioning phone number, and no one at Spiral Toys has answered an email on this issue for months, including messages sent Monday by CyberScoop.

CloudPets’ data is stored in a public-facing MongoDB database without any authentication required. The database was indexed by search engines like Shodan and found independently by multiple individuals. There was no password to protect the database. Users have no password requirements on their own accounts and the site itself offers no security.

In mid-January, as hackers attacked and ransomed thousands of critically vulnerable MongoDB databases, researchers saw the CloudPets database suffer the same fate. Unlike other databases, whose owners paid the ransom or at least responded to the demands, Spiral Toys appears to have been silent on the issue as the database was deleted and ransomed numerous times over the next several days.

Sensitive data was exposed, Hunt wrote, and no parents were ever notified.

“Circling back to the parents’ position for a moment, you must assume data like this will end up in other people’s hands,” Hunt wrote. “Whether it’s the Cayla doll, the Barbie, the VTech tablets or the CloudPets, assume breach. It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes. If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen.”

Source

Batu69 posted a topic in Security & Privacy News

Every now and then here on the Skype Community we see another wave of reports from customers saying that their Skype account sends unwanted spam instant messages to their contacts, including links to Baidu, LinkedIn or other popular online services. Please follow all of the steps below to learn how to act on these and take back control over your account:

1. Checking your computer security

Is your antivirus scanner up to date? Is your firewall still active? Does malware scanning find nothing? This is to ensure that no keylogger or other backdoor is transmitting your password input to bad people somewhere else.

2. Update your password(s)

If you have a Microsoft account (e.g. you sign in with either email or phone number) and you never linked a Skype name to it before September 2016: Simply sign in to your Microsoft account, then select Security & privacy and then select Change password.

If you linked your Skype account with your Microsoft account in the past: there are still two passwords that grant access to your account. The best way to consolidate your passwords is by opening https://account.microsoft.com and signing in with your Skype name and password there. If this is the first time you have signed in since October 2016, you will be asked to update your account. More information is in the article One account for Skype and your other Microsoft services - NB: After you have updated your account, going forward there is only one password giving access to your unified account.

3. Protect your account

Now that you have updated your password (and possibly your account as well), secure it by setting up two-factor verification: https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification

Frequently asked questions (and answers to them)

I didn't even use Skype while the spam messages were sent? / I haven't signed in to Skype for ages? / I was only signed in to Skype on my mobile phone and the device was always with me?

The spammers obtained your credentials and signed in from another computer somewhere else in the world to send out the spam messages. They don't need access to your device, or even for you to be signed in, to send their spam.

How did the spammers obtain my account password(s)?

Over the past years, unfortunately, data leaks of user credentials (emails/usernames + passwords) have become somewhat of a regularity. If you have been re-using credentials across multiple services, then just one service leaking your data will compromise these credentials everywhere else. You can check if your username or email was part of any recent popular leak on the following website: https://haveibeenpwned.com/ - If you see the message "Oh no — pwned!" you should update your password everywhere you use this username/password.

Even if your information was not part of a data leak, your computer or a computer you used your credentials on - in internet cafes, at a friend's or family member's shared computer, even at work - could have been compromised by malware, and your password information could have gotten into the wrong hands that way. That's why two-factor verification/authentication is a powerful tool to enhance your security.

But I checked sign ins via the /showplaces chat command?

The output of this chat command does not list currently signed in endpoints reliably. Instead it lists all endpoints registered to receive notifications, e.g. for incoming calls. This list largely overlaps, but the output is not a reliable indicator. After you have updated your Skype account to a Microsoft account (see Step 2 earlier) you can use the "Recent Activity" report though: https://account.live.com/Activity

Article source

Batu69 posted a topic in Software News

Microsoft has been teasing the ability to send Skype and SMS messages from the same app for what seems like an eternity. When the November Update (1511) came along, Microsoft added three apps to Windows 10, which were meant to integrate Skype into the OS - Messaging, Phone, and Skype Video. On phones, Messaging served as both a Skype and SMS client, although the Skype aspect of it never really worked well.

When the Anniversary Update was in preview, we were promised Messaging Everywhere, which would finally bring the SMS functionality to the Messaging app on PCs. Later, Microsoft would kill off the project, along with all Skype integration, in favor of a new UWP Skype Preview app. Instead, SMS integration would show up in that app, rather than the other way around.

Did that sound confusing? If so, good. That means you're paying attention.

Today, Fast ring Insiders can finally get a taste of SMS from the Skype Preview app. You can update the app to 11.8.180 right now through the Windows Store.

To set it up, head over to the Skype Preview app, go into the settings, and find the SMS section. Choose to set Skype as your default SMS app, and it will prompt you to set it up. The PC version also has SMS settings, which will allow you to sync your conversations.

It's unknown when this feature will come to non-Insiders. It's very unlikely that Microsoft will force users to wait for the next feature update, which we currently only know as Redstone 2, and is slated to arrive in April.

Article source