Bug

T-Mobile Says It Has 'Not Broadly Blocked' iCloud Private Relay, Blames iOS 15.2 Bug For Errors (9to5mac.com) 11

T-Mobile has officially acknowledged a bug that has blocked some subscribers from using iCloud Private Relay when connected to cellular networking. In a statement to 9to5Mac, T-Mobile blamed this situation on a bug in iOS 15.2 and said that it has "not broadly blocked" iCloud Private Relay. From the report: It's also important to note that this bug is not only affecting T-Mobile subscribers, as the company says in its statement. Instead, it's a bug that seems to affect iOS 15.2 broadly rather than T-Mobile specifically. The issue is also still present in the latest release of iOS 15.3 beta. The full statement reads: "Overnight our team identified that in the 15.2 iOS release, some device settings default to the feature being toggled off. We have shared this with Apple. This is not specific to T-Mobile. Again though, we have not broadly blocked iCloud Phone Relay."

A solution to the problem that has worked for 9to5Mac in testing is to go to Settings, then choose Cellular, then choose your plan, and ensure that "Limit IP Address Tracking" is enabled. Make sure to complete these steps while WiFi is disabled and you are connected to your cellular network. T-Mobile has, however, acknowledged that are situations in which it is required to block iCloud Private Relay due to technical reasons. Namely, if your account or line has content moderation features or parental controls enabled, you will be unable to use iCloud Private Relay when connected to cellular. [...] A source has also confirmed to 9to5Mac that this also applies to certain legacy plans that include the Netflix on Us perk and have Family Allowances enabled.

Security

CISA Director: We'll Be Dealing With Log4j For a Long Time (cnet.com) 46

Security professionals will be dealing with the fallout from the Log4j bug for a long time to come, top officials for the Cybersecurity and Infrastructure Security Agency said Monday. CNET reports: If left unpatched or otherwise unfixed, the major security flaw discovered a month ago in the Java-logging library Apache Log4j poses risks for huge swaths of the internet. The vulnerability in the widely used software could be exploited by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack. No US federal agencies have been compromised as a result of the vulnerability, CISA Director Jen Easterly told reporters on a call Monday. In addition, no major cyberattacks involving the bug have been reported in the US, though many attacks go unreported, she said.

Easterly said the sheer scope of the vulnerability, which affects tens of millions of internet-connected devices, makes it the worst she has seen in her career. It's possible, she said, that attackers are biding their time, waiting for companies and others to lower their defenses before they attack. "We do expect Log4Shell to be used in intrusions well into the future," Easterly said, using the name for the bug in the Log4j software. She noted the Equifax data breach in 2017, which compromised the personal information of nearly 150 million Americans, stemmed from a vulnerability in open-source software. Most of the attempts to exploit the bug, so far, have been focused on low-level crypto mining or attempts to draw devices into botnets, she said.

Privacy

Some Carriers Are Blocking iPhone Users From Enabling iCloud Private Relay (9to5mac.com) 77

Some European carriers, including T-Mobile/Sprint in the United States, are blocking iCloud Private Relay access when connected to cellular data. As 9to5Mac reports, "This feature is designed to give users an additional layer of privacy by ensuring that no one can view the websites that they visit." From the report: Apple says that Private Relay is a feature designed to give users another layer of privacy when browsing the web. The first relay is sent through a server maintained by Apple, and the second is a third-party operator. The feature was announced at WWDC last June and initially slated for inclusion in iOS 15. Apple ultimately shipped the feature as a "public beta," meaning that it is disabled by default in the newest iOS 15 and macOS Monterey releases. You can manually enable it by going to Settings on your iPhone, tapping your name at the top, choosing iCloud, and choosing "Private Relay."

T-Mobile was among the carriers in Europe that signed an open letter expressing concern about the impact of Private Relay. The carriers wrote that the feature cuts off networks and servers from accessing "vital network data and metadata and could impact "operator's ability to efficiently manage telecommunication networks." In the UK, carriers including T-Mobile, EE, and others have already started blocking Private Relay usage when connected to cellular data. 9to5Mac has also now confirmed that T-Mobile is extending this policy to the United States. This means that T-Mobile and Sprint users in the United States can no longer use the privacy-preserving iCloud Private Relay feature when connected to cellular data.
The report notes that T-Mobile appears to be "in the process of rolling it out," so some users might still be able to use the feature -- at least for now. "The situation could also could vary based on your location or plan," the report adds.

UPDATE: T-Mobile Says It Has 'Not Broadly Blocked' iCloud Private Relay, Blames iOS 15.2 Bug For Errors
Security

Threat Actors Can Simulate IPhone Reboots and Keep IOS Malware On a Device (therecord.media) 23

An anonymous reader quotes The Record: In a piece of groundbreaking research published on Tuesday night, security firm ZecOps said that it found a way to block and then simulate an iOS restart operation, a technique that they believe could be extremely useful to attackers who may want to trick users into thinking they rebooted their device and as a result, maintain access for their malware on that infected system.

The technique is of extreme importance and gravity because of the way the iPhone malware landscape has evolved in recent years, where, due to advances in the security of the iOS operating system, malware can't achieve boot persistence as easily as it once did.... As a result, many security experts have recommended over the past year that users who might be the target of malicious threat actors regularly reboot devices in order to remove backdoors or other implants.... But in a blog post on Tuesday, ZecOps said that the iOS restart process isn't immune to being hijacked once an attacker has gained access to a device, in a way to perform a fake restart where the user's device only has its UI turned off, instead of the entire OS.

Bug

An Apple HomeKit Bug Can Send iOS Devices Into a Death Spiral (theverge.com) 22

Security researcher Trevor Spiniolas has discovered a vulnerability "capable of locking iOS devices into a spiral of freezing, crashing, and rebooting if a user connects to a sabotaged Apple Home device," reports The Verge. From the report: The vulnerability [...] can be exploited through Apple's HomeKit API, the software interface that allows an iOS app to control compatible smart home devices. If an attacker creates a HomeKit device with an extremely long name -- around 500,000 characters -- then an iOS device that connects to it will become unresponsive once it reads the device name and enter a cycle of freezing and rebooting that can only be ended by wiping and restoring the iOS device. What's more, since HomeKit device names are backed up to iCloud, signing in to the same iCloud account with a restored device will trigger the crash again, with the cycle continuing until the device owner switches off the option to sync Home devices from iCloud.

Though it's possible that an attacker could compromise a user's existing HomeKit-enabled device, the most likely way the exploit would be triggered is if the attacker created a spoof Home network and tricked a user into joining via a phishing email. To guard against the attack, the main precaution for iOS users is to instantly reject any invitations to join an unfamiliar Home network. Additionally, iOS users who currently use smart home devices can protect themselves by entering the Control Center and disabling the setting "Show Home Controls." (This won't prevent Home devices from being used but limits which information is accessible through the Control Center.)

Bug

'Year 2022' Bug Breaks Email Delivery For Microsoft Exchange On-Premise Servers (bleepingcomputer.com) 146

Kalper (Slashdot reader #57,281) shares news from Bleeping Computer: Microsoft Exchange on-premise servers cannot deliver email starting on January 1st, 2022, due to a "Year 2022" bug in the FIP-FS anti-malware scanning engine.

Starting with Exchange Server 2013, Microsoft enabled the FIP-FS anti-spam and anti-malware scanning engine by default to protect users from malicious email. According to numerous reports from Microsoft Exchange admins worldwide, a bug in the FIP-FS engine is blocking email delivery with on-premise servers starting at midnight on January 1st, 2022.

Security researcher and Exchange admin Joseph Roosen said that this is caused by Microsoft using a signed int32 variable to store the value of a date, which has a maximum value of 2,147,483,647. However, dates in 2022 have a minimum value of 2,201,010,001 or larger, which is greater than the maximum value that can be stored in the signed int32 variable, causing the scanning engine to fail and not release mail for delivery. When this bug is triggered, an 1106 error will appear in the Exchange Server's Event Log stating, "The FIP-FS Scan Process failed initialization. Error: 0x8004005. Error Details: Unspecified Error" or "Error Code: 0x80004005. Error Description: Can't convert "2201010001" to long." Microsoft will need to release an Exchange Server update that uses a larger variable to hold the date to officially fix this bug.

However, for on-premise Exchange Servers currently affected, admins have found that you can disable the FIP-FS scanning engine to allow email to start delivering again... Unfortunately, with this unofficial fix, delivered mail will no longer be scanned by Microsoft's scanning engine, leading to more malicious emails and spam getting through to users.

Biotech

Sugar Additive Trehalose Could Have Helped Spread Dangerous Superbug Around the US (sciencealert.com) 78

A sugar additive used in several foods could have helped spread a seriously dangerous superbug around the US, according to a 2018 study. ScienceAlert reports: The finger of blame is pointed squarely at the sugar trehalose, found in foods such as nutrition bars and chewing gum. If the findings are confirmed, it's a stark warning that even apparently harmless additives have the potential to cause health issues when introduced to our food supply. In this case, trehalose is being linked with the rise of two strains of the bacterium Clostridium difficile, capable of causing diarrhea, colitis, organ failure, and even death. The swift rise of the antibiotic-resistant bug has become a huge problem for hospitals in recent years, and the timing matches up with the arrival of trehalose.

"In 2000, trehalose was approved as a food additive in the United States for a number of foods from sushi and vegetables to ice cream," said one of the researchers, Robert Britton from the Baylor College of Medicine in Texas, back in January 2018. "About three years later the reports of outbreaks with these lineages started to increase. Other factors may also contribute, but we think that trehalose is a key trigger."

The C. difficile lineages Britton is referring to are RT027 and RT078. When the researchers analysed the genomes of these two strains, they found DNA sequences that enabled them to feed off low doses of trehalose sugar very efficiently. In fact, these particular bacteria need about 1,000 times less trehalose to live off than other varieties of C. difficile, thanks to their genetic make-up. [...] It's still not certain that trehalose has contributed to the rise of C. difficile, but the study results and the timing of its approval as an additive are pretty compelling. More research will now be needed to confirm the link.
According to figures from the CDC, "C. difficile was responsible for half a million infections across the year and 29,000 deaths within the first 30 days of diagnosis," adds ScienceAlert.

The findings were published in the journal Nature.
Security

'Critical' Polygon Bug Put $24 Billion in Tokens at Risk Until Recent Hard Fork (theblockcrypto.com) 16

Ethereum scaling project Polygon was at risk of losing nearly all of its MATIC tokens until it upgraded its network earlier this month. From a report The problem was a "critical" vulnerability in Polygon's proof-of-stake genesis contract, which could have allowed attackers to steal over 9.2 billion MATIC tokens (currently worth over $24 billion). The total supply of MATIC tokens is 10 billion. The vulnerability was reported on the bug bounty platform Immunefi by a whitehat hacker known as Leon Spacewalker. According to details shared Wednesday, the bug essentially could have allowed attackers to arbitrarily mint all of Polygon's more than 9.2 billion MATIC tokens from its MRC20 contract. After Spacewalker found the bug, Immunefi informed the Polygon team the same day. The team then confirmed the vulnerability and moved to update the Polygon network, initially with an update for its Mumbai testnet. According to Polygon, the testnet update was completed on December 4, and the team was preparing for the mainnet upgrade. Yet before the mainnet upgrade was undertaken, a malicious actor exploited the bug and stole 801,601 MATIC tokens (currently worth over $2 million). Polygon has said it will bear the cost of the theft.
Bug

Fisher-Price's Chatter Phone Has a Simple But Problematic Bluetooth Bug (techcrunch.com) 27

An anonymous reader quotes a report from TechCrunch: As nostalgia goes, the Fisher-Price Chatter phone doesn't disappoint. The classic retro kids toy was given a modern revamp for the holiday season with the new release for adults which, unlike the original toy designed for kids, can make and receive calls over Bluetooth using a nearby smartphone. The Chatter -- despite a working rotary dial and its trademark wobbly eyes that bob up and down when the wheels turn -- is less a phone and more like a novelty Bluetooth speaker with a microphone, which activates when the handset is lifted. The Chatter didn't spend long on sale; the phone sold out quickly as the waitlists piled up. But security researchers in the U.K. immediately spotted a potential problem. With just the online instruction manual to go on, the researchers feared that a design flaw could allow someone to use the Chatter to eavesdrop.

Ken Munro, founder of the cybersecurity company Pen Test Partners, told TechCrunch that chief among the concerns are that the Chatter does not have a secure pairing process to stop unauthorized phones in Bluetooth range from connecting to it. Munro outlined a series of tests that would confirm or allay his concerns. [...] The Chatter doesn't have an app, and Mattel said the Chatter phone was released as "a limited promotional item and a playful spin on a classic toy for adults." But Munro said he's concerned the Chatter's lack of secure pairing could be exploited by a nearby neighbor or a determined attacker, or that the Chatter could be handed down to kids, who could then unknowingly trigger the bug. "It doesn't need kids to interact with it in order for it to become an audio bug. Just leaving the handset off is enough," said Munro.

Bug

Microsoft Notifies Customers of Azure Bug That Exposed Their Source Code (therecord.media) 9

Microsoft has notified earlier this month a select group of Azure customers impacted by a recently discovered bug that exposed the source code of their Azure web apps since at least September 2017. The vulnerability was discovered by cloud security firm Wiz and reported to Microsoft in September. The issue was fixed in November, and Microsoft has spent the last few weeks investigating how many customers were impacted. The Record reports: The issue, nicknamed NotLegit, resides in Azure App Service, a feature of the Azure cloud that allows customers to deploy websites and web apps from a source code repository. Wiz researchers said that in situations where Azure customers selected the "Local Git" option to deploy their websites from a Git repository hosted on the same Azure server, the source code was also exposed online.

All PHP, Node, Ruby, and Python applications deployed via this method were impacted, Microsoft said in a blog post today. Only apps deployed on Linux-based Azure servers were impacted, but not those hosted on Windows Server systems. Apps deployed as far back as 2013 were impacted, although the exposure began in September 2017, when the vulnerability was introduced in Azure's systems, the Wiz team said in a report today. [...] The most dangerous exposure scenarios are situations where the exposed source code contained a .git configuration file that, itself, contained passwords and access tokens for other customer systems, such as databases and APIs.

Medicine

A Bluetooth Bug In a Popular At-Home COVID-19 Test Could Falsify Results (techcrunch.com) 39

An anonymous reader quotes a report from TechCrunch: A security researcher found a Bluetooth vulnerability in a popular at-home COVID-19 test allowing him to modify its results. F-Secure researcher Ken Gannon identified the since-fixed flaw in the Ellume COVID-19 Home Test, a self-administered antigen test that individuals can use to check to see if they have been infected with the virus. Rather than submitting a sample to a testing facility, the sample is tested using a Bluetooth analyzer, which then reports the result to the user and health authorities via Ellume's mobile app. Gannon found, however, that the built-in Bluetooth analydzer could be tricked to allow a user to falsify a certifiable result before the Ellume app processes the data.

To carry out the hack, Gannon used a rooted Android device to analyze the data the test was sending to the app. He then identified two types of Bluetooth traffic that were most likely in charge of telling the mobile app if the user was COVID positive or negative, before writing two scripts that were able to successfully change a negative result into a positive one. Gannon says that when he received an email with his results from Ellume, it incorrectly showed he had tested positive. To complete the proof-of-concept, F-Secure also successfully obtained a certified copy of the faked COVID-19 test results from Azova, a telehealth provider that Ellume partners with for certifying at-home COVID-19 tests for travel or going into work.

While Gannon's writeup only includes changing negative results to positive ones, he says that the process "works both ways." He also said that, before it was patched, "someone with the proper motivation and technical skills could've used these flaws to ensure they, or someone they're working with, gets a negative result every time they're tested." In theory, a fake certification could be submitted to meet U.S. re-entry requirements. In response to F-Secure's findings, Ellume says it has updated its system to detect and prevent the transmission of falsified results.

Bug

Amazon Issues False Copyright Strike Against New World YouTuber for Reporting Bug (neowin.net) 70

segaboy81 writes: Amazon Games is new to the AAA games space, finding tremendous success with their title New World. Since its release in September, YouTubers like Sethphir and Video Game Databank have begun to carve out their own niche in the New World community, seeing their subscriber base soar into the tens of thousands. However, YouTubers may begin to suffer under the watchful eye of New World's leadership. Recently, YouTuber Video Game Databank discovered a serious bug in version 1.2 regarding aptitude levels in a single crafting attempt which purportedly resulted in his loss of 40,000 coins. Dutifully, he reported the bug to Amazon customer support. When they didn't understand his complaint, he shared a video showing the bug in action. He goes on to call this a "fatal mistake" as just two hours later the video is removed from Youtube after a manual copyright claim was invoked by Amazon. While it could be a coincidence, it certainly seems like a hostile action on behalf of the games studio as it was not an automated, AI triggered task. Someone at the studio manually filed the claim.
Google

More Than 35,000 Java Packages Impacted by Log4j Vulnerabilities, Google Says (therecord.media) 39

Google's open-source team said they scanned Maven Central, today's largest Java package repository, and found that 35,863 Java packages use vulnerable versions of the Apache Log4j library. From a report: This includes Java packages that use Log4j versions vulnerable to the original Log4Shell exploit (CVE-2021-44228) and a second remote code execution bug discovered in the Log4Shell patch (CVE-2021-45046). James Wetter and Nicky Ringland, members of the Google Open Source Insights Team, said in a report today that typically when a major Java security flaw is found, it typically tends to affect only 2% of the Maven Central index. However, the 35,000 Java packages vulnerable to Log4Shell account to roughly 8% of the Maven Central total of ~440,000, a percentage the two described using just one word -- "enormous." But since the vulnerability was disclosed last week, Wetter and Ringland said the community has responded positively and has already fixed 4,620 of the 35,863 packages they initially found vulnerable. This number accounts to 13% of all the vulnerable packages.
Privacy

Security Flaws Found in a Popular Guest Wi-Fi System Used in Hundreds of Hotels (techcrunch.com) 25

A security researcher says an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk. From a report: Etizaz Mohsin told TechCrunch that the Airangel HSMX Gateway contains hardcoded passwords that are "extremely easy to guess." With those passwords, which we are not publishing, an attacker could remotely gain access to the gateway's settings and databases, which store records about the guest's using the Wi-Fi. With that access, an attacker could access and exfiltrate guest records, or reconfigure the gateway's networking settings to unwittingly redirect guests to malicious webpages, he said. Back in 2018, Mohsin discovered one of these gateways on the network of a hotel where he was staying. He found that the gateway was synchronizing files from another server across the internet, which Mohsin said contained hundreds of gateway backup files from some of the most prestigious and expensive hotels in the world. The server also stored "millions" of guest names, email addresses and arrival and departure dates, he said. Mohsin reported the bug and the server was secured, but that sparked a thought: Could this one gateway have other vulnerabilities that could put hundreds of other hotels at risk? In the end, the security researcher found five vulnerabilities that he said could compromise the gateway -- including guests' information.
Open Source

Who's Paying to Fix Open Source Software? (dev.to) 142

The Log4Shell exploit "exposes how a vulnerability in a seemingly simple bit of infrastructure code can threaten the security of banks, tech companies, governments, and pretty much any other kind of organization," writes VentureBeat. But the incident also raises some questions: Should large deep-pocketed companies besides Google, which always seems to be heavily involved in such matters, be doing more to support the cause with people and resources?
Long-time Slashdot reader frank_adrian314159 shares a related article from a programming author on Dev.To, who'd read hot takes like "Open source needs to grow the hell up." and "Open source' is broken". [T]he log4j developers had this massive security issue dumped in their laps, with the expectation that they were supposed to fix it. How did that happen? How did a group of smart, hard-working people get roped into a thankless, high-pressure situation with absolutely no upside for themselves...?

It is this communal mythology I want to talk about, this great open source brainwashing that makes maintainers feel like they need to go above and beyond publishing source code under an open source license — that they need to manage and grow a community, accept contributions, fix issues, follow vulnerability disclosure best practices, and many other things...

In reality what is happening, is that open source maintainers are effectively unpaid outsourcing teams for giant corporations.

The log4j exploit was first reported by an engineer at Alibaba — a corporation with a market capitalization of $348 billion — so the article wonders what would happen if log4j's team had sent back a bill for the time they'd spend fixing the bug.

Some additional opinions (via the "This Week in Programming" column):
  • PuTTY maintainer Andrew Ducker: "The internet (and many large companies) are dependent on software maintained by people in their spare time, for free. This may not be sustainable."
  • Filippo Valsorda, a Go team member at Google: "The role of Open Source maintainer has failed to mature from a hobby into a proper profession... The status quo is unsustainable.... GitHub Sponsors and Patreon are a nice way to show gratitude, but they are an extremely unserious compensation structure."

Valsorda hopes to eventually see "a whole career path with an onramp for junior maintainers, including training, like a real profession."


Firefox

Firefox Fixes Password Leak via Windows Cloud Clipboard Feature (therecord.media) 13

Mozilla has fixed an issue in its Firefox browser where usernames and passwords were being recorded in the Windows Cloud Clipboard feature, in what the organization categorized as a severe security risk that could have exposed credentials to non-owners whenever users copied or cut a password. From a report: The issue was fixed in Firefox 94, released last month, but was detailed in more depth this week by Mozilla developers. At its core, the bug is related to Windows Cloud Clipboard, a feature added to Windows 10 in September 2018 (v1809 release), a feature that allows users to sync their local clipboard history to their Microsoft accounts. The feature is disabled by default, but once enabled, it allows users to access the cloud clipboard section by pressing the Windows+V shortcut. This grants users access to clipboard data from all devices, but the feature is also used for its clipboard history capabilities, allowing users to go through past items they copied or cut and re-paste the same data in new contexts, making it extremely useful for most IT workers. In a blog post on Wednesday, Mozilla said that they have now modified the Firefox browser so that usernames and passwords copied from the browser's password section (about:logins) won't be stored in the Windows Cloud Clipboard feature, but instead will be stored only locally, in a separate clipboard section.
Businesses

CISA Tells Federal Agencies To Patch Log4Shell Before Christmas (therecord.media) 57

The US Cybersecurity and Infrastructure Security Agency has told federal civilian agencies to patch systems affected by the Log4Shell vulnerability by Christmas Eve. From a report: The agency has added yesterday the Log4Shell bug (CVE-2021-44228) to its catalog of actively-exploited vulnerabilities, along with 12 other security flaws. According to this catalog, federal agencies have ten days at their disposal to test which of their internal apps and servers utilize the Log4j Java library, check if systems are vulnerable to the Log4Shell exploit, and patch affected servers. All of this must be done by December 24, according to a timeline provided in the catalog. In addition, CISA has also launched yesterday a dedicated web page providing guidance to the US public and private sector regarding the Log4Shell vulnerability.
Bug

Software Flaw Sparks Global Race To Patch Bug (wsj.com) 60

Companies and governments around the world rushed over the weekend to fend off cyberattacks looking to exploit a serious flaw in a widely used piece of Internet software that security experts warn could give hackers sweeping access to networks. From a report: Cybersecurity researchers said the bug, hidden in an obscure piece of server software called Log4j, represents one of the biggest risks seen in recent years because the code is so widely used on corporate networks. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an urgent alert about the vulnerability and urged companies to take action. CISA Director Jen Easterly said on Saturday, "To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector." Germany's cybersecurity organization over the weekend issued a "red alert" about the bug. Australia called the issue "critical."

Security experts warned that it could take weeks or more to assess the extent of the damage and that hackers exploiting the vulnerability could access sensitive data on networks and install back doors they could use to maintain access to servers even after the flawed software has been patched. "It is one of the most significant vulnerabilities that I've seen in a long time," said Aaron Portnoy, principal scientist with the security firm Randori. Security experts noted that many companies have other processes in place that would prevent a malicious hacker from running software and breaking into these companies, potentially limiting the fallout from the bug. Microsoft, in an alert to customers, said "attackers are probing all endpoints for vulnerability." Amazon.com, Twitter and Cisco were among the companies that have said they were carrying out investigations into the depth of the problem. Amazon, the world's biggest cloud computing company, said in a security alert, "We are actively monitoring this issue, and are working on addressing it."

Android

Google Says Bug With Teams and Android Can Cause 911 Calls To Fail (msn.com) 44

JoeyRox writes: Last week, a Reddit user reported that they weren't able to call 911 using their Pixel 3 and later said they were working with Google support to figure out the issue. Yesterday, Google announced what was causing the issue in a reply to the post: an "unintended interaction between the Microsoft Teams app and the underlying Android operating system." In its comment, Google says that the bug happens when someone is using Android 10 or later and has Teams installed but isn't logged into the app. The company says that Microsoft will be releasing an update to Teams "soon" to prevent the issue and that there's an update to Android coming January 4th.
Bitcoin

Really Stupid 'Smart Contract' Bug Let Hackers Steal $31 Million In Digital Coin (arstechnica.com) 55

An anonymous reader quotes a report from Ars Technica: Blockchain startup MonoX Finance said on Wednesday that a hacker stole $31 million by exploiting a bug in software the service uses to draft smart contracts. The company uses a decentralized finance protocol known as MonoX that lets users trade digital currency tokens without some of the requirements of traditional exchanges. "Project owners can list their tokens without the burden of capital requirements and focus on using funds for building the project instead of providing liquidity," MonoX company representatives say here. "It works by grouping deposited tokens into a virtual pair with vCASH, to offer a single token pool design."

An accounting error built into the company's software let an attacker inflate the price of the MONO token and to then use it to cash out all the other deposited tokens, MonoX Finance revealed in a post. The haul amounted to $31 million worth of tokens on the Ethereum or Polygon blockchains, both of which are supported by the MonoX protocol. Specifically, the hack used the same token as both the tokenIn and tokenOut, which are methods for exchanging the value of one token for another. MonoX updates prices after each swap by calculating new prices for both tokens. When the swap is completed, the price of tokenIn -- that is, the token sent by the user -- decreases and the price of tokenOut -- or the token received by the user -- increases.

By using the same token for both tokenIn and tokenOut, the hacker greatly inflated the price of the MONO token because the updating of the tokenOut overwrote the price update of the tokenIn. The hacker then exchanged the token for $31 million worth of tokens on the Ethereum and Polygon blockchains. There's no practical reason for exchanging a token for the same token, and therefore the software that conducts trades should never have allowed such transactions. Alas, it did, despite MonoX receiving three security audits this year.
"These kinds of attacks are common in smart contracts because many developers do not put in the legwork to define security properties for their code" said Dan Guido, an expert in securing smart contracts and CEO of security consultancy Trail of Bits. "They had audits, but if the audits only state that a smart person looked at the code for a given period of time, then the results are of limited value. Smart contracts need testable evidence that they do what you intend, and only what you intend. That means defined security properties and techniques employed to evaluate them."

According to Blockchain researcher Igor Igamberdiev, the drained tokens included $18.2 million in Wrapped Ethereum, $10.5 in MATIC tokens, and $2 million worth of WBTC, along with small amounts of tokens for Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi, and Immutable X.

Slashdot Top Deals