Serious Safari security flaw found

By on July 22, 2010 at 2:40 PM.

Serious Safari security flaw found

SafariLogo

If you are a Mac user, and fancy Safari as your default internet browser, you are going to want to pay attention to this one. A bug found in Safari’s AutoFill feature can allow a malicious website to gather personal information from a users address book card — more specifically: first name, last name, work place, city, state, and email address. There is a published proof of concept exploit for the bug that can be found here. We suggest Safari users navigate to: Preferences > Auto-fill, and uncheck “Use info from my Address Book card” until Apple sorts this one out. Hit up the read link for more details. More →

67 Comments

HTC considers EVO 4G screen separation flaw minor; will address screen sensitivity issue in a patch?

By on June 19, 2010 at 2:57 PM.

HTC considers EVO 4G screen separation flaw minor; will address screen sensitivity issue in a patch?

evo-4g-ctia

Potentially good news for HTC EVO 4G owners, as a circulating rumor suggests that HTC is addressing the screen problems that are reportedly plaguing its flagship WiMAX handset. According to the unofficial source, HTC is aware of the screen separation issue and is playing the waiting game to see if this problem develops further. Currently, the handset manufacturer considers this problem to be minor and has made some refinements to its assembly process to eliminate this cosmetic flaw in future production runs. HTC has also reportedly acknowledged that a select number of its EVO 4G handsets suffer from a screen sensitivity problem. The screen sensitivity issue is thought to affect a disproportionate number of handsets in arid climates and HTC is working on a software patch to fix this issue. How about it EVO owners? Are you seeing any of these reported issues? More →

95 Comments

HTC confirms Droid Incredible browser issue, plans fix

By on June 18, 2010 at 7:13 PM.

HTC confirms Droid Incredible browser issue, plans fix

htc-logo

HTC just let us know that their team has been able to replicate the browser privacy issue we posted about a couple of days ago. Here’s the official statement:

HTC has identified the root cause of the DROID Incredible not deleting web page thumbnails after a factory reset, and is creating an update which will eliminate this issue. This will be distributed through a software maintenance release that will be pushed to devices in the near future. Until this time, consumers who wish to manually delete these thumbnails can do so by following these steps:

1) Go to the “Settings” menu

2) Select “SD Card and Phone Storage”

3) Select “Format Phone Storage”

*NOTE* This will delete all files in internal storage, including music and image files. So these files should be backed up before taking these steps.

Other Android devices with HTC Sense, like the DROID Eris, save these thumbnails to the SD card, instead of internal memory, so users can easily keep this information from being shared simply by removing the SD card from their device before trading in the device, sending in for repair, etc.

Since the Incredible memory is built in, it makes sense that this would happen, but it should be all good in no time.

33 Comments

Browser privacy issue with DROID Incredible and HTC Sense UI widget?

By on June 16, 2010 at 10:20 AM.

Browser privacy issue with DROID Incredible and HTC Sense UI widget?

incredible-browser-privacy

An astute reader stumbled upon an interesting bug with the HTC Incredible. The Incredible, with Sense UI, will periodically store screenshots of the contents of your web browser. The screen captures are a function of the HTC Sense UI bookmark widget and are not the main issue; temporary screen grabs are understandable. The problem is these JPEG files are extremely hard to get rid of. They remain when the current browser session is closed, they remain after you clear the browser history, and they remain after a full factory reset. The JPEG files are saved to a folder named .bookmark_thumb1 which is located within the emmc folder of the phones internal storage (so you would expect a full factory reset to delete them). We found some screenshots of us logged into Facebook, logged into our online banking website, and viewing several other mundane websites (see picture above) even after having completed a factory reset. We tested this on more than one stock, un-rooted HTC DROID Incredible and replicated it several times. While you can delete these images manually, information like this information should be nuked with a factory reset, no? To be honest, seeing a screenshot of our logged-in banking session after a reset was a bit unnerving. Any DROID Incredible owners out there seeing the same thing?

UPDATE: HTC has acknowledged the issue and says a fix is in the works.

Thanks, Ben Nargi!

103 Comments

Reports of a Gmail security flaw are proven false

By on November 29, 2008 at 2:24 PM.

Reports of a Gmail security flaw are proven false

Gmail

A recent rumor of a Gmail security vulnerability that reportedly led to people having their domains hijacked was proven to be false on Wednesday. The rumor claims that a flaw in Gmail allowed unauthorized users to access a user’s Gmail account and create a forwarding filter without their knowledge; effectively stealing all incoming email. The flaw, reported by Geek Condition, was brought to light on Sunday with several Gmail users complaining that their domain names were hijacked because of this vulnerability. Google launched their own investigation and announced on Wednesday that a Gmail security was not to blame. Rather, the people who reported hijacked domains were the victims of an elaborate phishing scam. The hackers sent emails to web domain owners encouraging them to visit fraudulent websites such as google-hosts.com whose sole purpose was to steal Gmail usernames and passwords. Once obtained, the usernames and passwords were used to create forwarding filters in compromised Gmail accounts and the information from the forwarded emails was then used to hijack the domains. Whew, Google dodged the bullet on that one and all Gmail users can rest easy now knowing that the reported Gmail security vulnerability is non-existent.

Read

5 Comments