Facebook Refuses to Pay Bug Bounty
Like many web companies, Facebook offers independent researchers monetary rewards for discovering bugs. But when independent researcher Khalil Shreateh tried to use Facebook’s conventional channels to report a critical security vulnerability that allowed users to post on any other user’s wall (friend, enemy or otherwise), the social network’s white hat disclosure programme failed to acknowledge his findings.
Not one to be ignored, Shreateh used the very exploit he had tried to report and posted the information directly to Mark Zuckerberg’s wall.
Unfortunately, Facebook is now refusing to pay Shreateh. According to a post on Y Combinator’s forum, a Facebook representative said, “The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat.”
Shreateh claims posting the bug on Zuckerberg’s wall was the only way he could prove it existed after being told previously that the bug was not valid.
Researchers Sneak Malicious App into Apple Store
Apple has always kept tight tabs on its App Store. Whenever developers want to make a new app available for purchase, it must first receive approval from Apple to make sure its content is neither malicious nor inappropriate. But a team of researchers has developed a workaround and successfully got a malicious app, called Jekyll, approved.
“Instead of submitting an app that explicitly contains malicious functionalities to Apple, the attacker plants remotely exploitable vulnerabilities (i.e., backdoor) in a normal app, decomposes the malicious logic into small code gadgets and hides them under the cover of the legitimate functionalities. After the app passes the App Review and lands on the end user's device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together.” [usenix]
In other words, the code needed for the malware is hidden in pieces within legitimate code and then reassembled during an update.
An Apple spokesman said the company has addressed the issue, but has yet to provide any details.
Cyberattacks Cause Internet Outages for More People than Hardware Failure
It’s important to remember we live in a world where cyberattacks affect more than just personal computers. According to the European Union Agency for Network and Information Security (ENISA), cyberattacks caused significant communications outages for more people than hardware failure did last year.
The report shows that although cyberattacks caused only 6 percent of significant outages in the E.U., they affected about 1.8 million people. Comparatively, while hardware failure accounted for about 38 percent of all incidents, it only affected about 1.4 million people.