Google

Google Patches ChromeOS Update Bug That Caused 100% CPU Usage (techradar.com)

"Hello Chrome OS Community," posted one of Google's community managers Wednesday. "Thank you for raising this issue, and for your patience as we work to resolve this. Our team has identified the issue and is rolling out a fix to affected devices."

The issue? ChromeOS users reported the latest updates "cause a Google Play Store service to utilize 100 percent of their CPUs..." according to TechRadar, "making their devices hot and leading to performance issues." As reported by BleepingComputer, after upgrading their devices to ChromeOS version 85.0.4183.108 and later, users have faced a number of issues, including apps that run erratically, devices getting hot, fans running at high speed and batteries draining much too quickly. Upon investigating these issues further, users discovered that they were caused by the Google Play 'com.android.vending:download_service' utilizing 95 to 100 percent of their devices' CPU for an extended period. This service is used to download new updates from the Google Play Store when they become available. However, a bug in the service causes the CPU to run at 100 percent all of the time, even when no new update is available.
Bleeping Computer reported last Sunday that the issues didn't affect all Chromebooks, but were reported by users of Acer Chromebooks, ASUS Chromebook Flip, and Galaxy Chromebooks. "One user stated they resolved this issue by rolling back to an older Google Play Store version."
Android

Google Is Building a Special Android Security Team to Hunt Bugs in Sensitive Apps (zdnet.com)

"Google is hiring to create a special Android security team that will be tasked with finding vulnerabilities in highly sensitive apps on the Google Play Store," reports ZDNet: "As a Security Engineering Manager in Android Security... Your team will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers," reads a new Google job listing posted on Wednesday.

Applications that this new team will focus on include the likes of COVID-19 contact tracing apps and election-related applications, with others to follow, according to Sebastian Porst, Software Engineering Manager for Google Play Protect.

Government

Amazon's Data-Request Portal for Police is Visible on the Web (techcrunch.com)

"Anyone can access portions of a web portal used by law enforcement to request customer data from Amazon," reports TechCrunch, "even though the portal is supposed to require a verified email address and password..." Only time-sensitive emergency requests can be submitted without an account, but this requires the user to "declare and acknowledge" that they are an authorized law enforcement officer before they can submit a request.

The portal does not display customer data or allow access to existing law enforcement requests. But parts of the website still load without needing to log in, including its dashboard and the "standard" request form used by law enforcement to request customer data... Assuming this was a bug, we sent Amazon several emails prior to publication but did not hear back...

Motherboard reported a similar issue earlier this month that allowed anyone with an email address to access law enforcement portals set up by Facebook and WhatsApp.

Firefox

Bug Allowed Hijacking Other Firefox Mobile Browsers on the Same Wi-Fi Network (zdnet.com)

"Mozilla has fixed a bug that can be abused to hijack all the Firefox for Android browsers on the same Wi-Fi network and force users to access malicious sites, such as phishing pages," reports ZDNet: The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab. The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (e.g., sharing video streams with a Roku device).

When devices are found, the Firefox SSDP component gets the location of an XML file where that device's configuration is stored. However, Moberly discovered that in older versions of Firefox, you could hide Android "intent" commands in this XML and have the Firefox browser execute the "intent," which could be a regular command like telling Firefox to access a link...

The bug was fixed in Firefox 79; however, many users may not be running the latest release. Firefox for desktop versions were not impacted.

Space

The Only Black Hole We've Ever Seen Has a Shadow That Wobbles (technologyreview.com)

The supermassive black hole at the center of the M87 galaxy has a shadow crescent that moves, like a dancer in the dark. From a report: Over a year ago, scientists unleashed something incredible on the world: the first photo of a black hole ever taken. By putting together radio astronomy observations made with dishes across four continents, the collaboration known as the Event Horizon Telescope managed to peer 53 million light-years away and look at a supermassive black hole, which is 6.5 million times the mass of the sun and sits at the center of the galaxy Messier 87 (M87). The fiery historic image showed off a bright crescent of ultra-hot gas and debris orbiting the black hole's event horizon, the pitch-black central point-of-no-return that traps anything that goes over, even light. The EHT team had just made one of the most impressive achievements in the history of astronomy, but this was only the beginning. On Wednesday, members of the EHT collaboration published new findings in the Astrophysical Journal about M87's supermassive black hole (known as M87*), revealing two new major insights.

First, the shadow diameter of the event horizon doesn't change over time, which is exactly what Einstein's theory of general relativity predicts for a supermassive black hole of M87*'s size. However, the second insight is that the bright crescent adorning this shadow is far from stable: it wobbles. There's so much turbulent matter surrounding M87* that it makes sense the crescent would bug out and get fidgety. But the fact that we can watch it over time means we now have an established method for studying the physics of one of the most extreme kinds of environment in the entire universe.

Bug

iOS 14 Resets iPhone's Default Apps To Apple's Safari and Mail After Reboot (cnet.com)

Users have found a major bug in Apple's iOS 14 iPhone software. The free software upgrade, which Apple made publicly available last week, includes features many users had long asked for, such as better ways to organize apps, living programs called widgets on the home screen, and the ability to change which default apps the phone uses to browse the web or send an email. That last one doesn't appear to work. From a report: A growing chorus of Twitter users has been posting about the bug in Apple's default email and default web browser options. What happens is that whenever they set the default browser to Google's Chrome, for example, it works as expected, and tapping any link in an app or browser will open Chrome on the iPhone. But then if they restart the phone, iOS 14 changes that default back to Apple's Safari. "We are aware of an issue that can impact default email and browser settings in iOS 14 and iPadOS 14. A fix will be available to users in a software update," Apple said in a statement.
Bug

Microsoft Warns Workaround Preventing Lenovo ThinkPad BSOD Increases Risk (zdnet.com)

An anonymous reader quotes ZDNet: Microsoft has finally published a support document detailing its workaround for the August 2020 Patch Tuesday update for Windows 10 version 2004 that caused blue screens of death (BSODs) on newer Lenovo ThinkPads and broke Windows Hello biometric login... It's the same as Lenovo's earlier workaround but comes with a stern security warning from Microsoft.

Microsoft also explains how Lenovo Vantage violates Microsoft's security controls in Windows.

Users might bypass the BSOD screen, but they are endangering their computers by implementing the workaround, according to Microsoft. The workaround also affects some of Microsoft's latest security features for Windows 10, such as Hypervisor Code Integrity for shielding the OS from malicious drivers, as well as Windows Defender Credential Guard. "This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk," Microsoft states...

The good news for affected ThinkPad users is that Microsoft and Lenovo are working together on a fix. However, Microsoft hasn't said when that will be available.

IOS

Picture-In-Picture Mode On iOS 14 No Longer Working With YouTube's Mobile Website Unless You Pay For Premium (macrumors.com)

An anonymous reader quotes a report from MacRumors: Apple in iOS 14 added Picture in Picture to the iPhone, a feature designed to let you watch a video in a small screen on your device while you continue to do other things on the phone. The YouTube app doesn't support Picture in Picture, but up until yesterday there was a functional workaround that allowed videos from YouTube.com to be watched in Safari in Picture in Picture mode. As of today, that workaround is gone, and it's not clear if it's a bug or a deliberate removal. Attempting to use Picture in Picture on a video on the mobile YouTube website simply doesn't work. Tapping the Picture in Picture button when in full screen mode pops the video out for a second, but it immediately pops back into the website, so it can't be used as a Picture in Picture window. [...] Picture in Picture appears to work on the mobile YouTube website in Safari for those who are YouTube Premium subscribers, which suggests that the restriction is intentional and not a bug.
Privacy

Facebook Accused of Watching Instagram Users Through Cameras (bloomberg.com)

Facebook is again being sued for allegedly spying on Instagram users, this time through the unauthorized use of their mobile phone cameras. Bloomberg reports: The lawsuit springs from media reports in July that the photo-sharing app appeared to be accessing iPhone cameras even when they weren't actively being used. Facebook denied the reports and blamed a bug, which it said it was correcting, for triggering what it described as false notifications that Instagram was accessing iPhone cameras.

In the complaint filed Thursday in federal court in San Francisco, New Jersey Instagram user Brittany Conditi contends the app's use of the camera is intentional and done for the purpose of collecting "lucrative and valuable data on its users that it would not otherwise have access to." By "obtaining extremely private and intimate personal data on their users, including in the privacy of their own homes," Instagram and Facebook are able to collect "valuable insights and market research," according to the complaint.

Security

Zerologon Attack Lets Hackers Take Over Enterprise Networks Within 3 Seconds (zdnet.com)

An anonymous reader writes: Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that can allow access to an organization's crown jewels -- the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network.

CVE-2020-1472, as the vulnerability is tracked, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Exploits require that an attacker already have a foothold inside a targeted network, either as an unprivileged insider or through the compromise of a connected device. However, when this condition is met, it's literally game over for the attacked company, as an attacker can hijack its entire network within three seconds by leveraging a bug in the Netlogon authentication protocol cryptography by adding zero characters in certain Netlogon authentication parameters, bypassing authentication procedures and then changing the password for the DC server itself.
The technical report from Secura B.V., a Dutch security firm, is available here.
Security

A Bug In Joe Biden's Campaign App Gave Anyone Access To Millions of Voter Files (techcrunch.com)

schwit1 shares a report from TechCrunch: A privacy bug in Democratic presidential candidate Joe Biden's official campaign app allowed anyone to look up sensitive voter information on millions of Americans, a security researcher has found. The campaign app, Vote Joe, allows Biden supporters to encourage friends and family members to vote in the upcoming U.S. presidential election by uploading their phone's contact lists to see if their friends and family members are registered to vote. The app uploads and matches the user's contacts with voter data supplied from TargetSmart, a political marketing firm that claims to have files on more than 191 million Americans.

When a match is found, the app displays the voter's name, age and birthday, and which recent election they voted in. This, the app says, helps users "find people you know and encourage them to get involved." While much of this data can already be public, the bug made it easy for anyone to access any voter's information by using the app. The App Analyst, a mobile expert who detailed his findings on his eponymous blog, found that he could trick the app into pulling in anyone's information by creating a contact on his phone with the voter's name.
The Biden campaign fixed the bug and pushed out an app update on Friday.

"We were made aware about how our third-party app developer was providing additional fields of information from commercially available data that was not needed," Matt Hill, a spokesperson for the Biden campaign, told TechCrunch. "We worked with our vendor quickly to fix the issue and remove the information. We are committed to protecting the privacy of our staff, volunteers and supporters and will always work with our vendors to do so."
Microsoft

Microsoft's 'Patch Tuesday' Includes 129 Security Updates, Mostly to Windows (krebsonsecurity.com)

This week Krebs on Security reported that Microsoft "released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software." None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users. The majority of the most dangerous or "critical" bugs deal with issues in Microsoft's various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server. "That doesn't quite make it wormable, but it's about the worst-case scenario for Exchange servers," said Dustin Childs, of Trend Micro's Zero Day Initiative. "We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We'll likely see this one in the wild soon. This should be your top priority."

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that's been exploited for cybercriminal gains since April 2019.

The article points out that Google also shipped a critical update for Chrome this week "that resolves at least five security flaws that are rated high severity."
Bug

Academics Find Crypto Bugs in 306 Popular Android Apps, None Get Patched (zdnet.com)

A team of academics from Columbia University has developed a custom tool to dynamically analyze Android applications and see if they're using cryptographic code in an unsafe way. From a report: Named CRYLOGGER, the tool was used to test 1,780 Android applications, representing the most popular apps across 33 different Play Store categories, in September and October 2019. Researchers say the tool, which checked for 26 basic cryptography rules (mentioned in the source story), found bugs in 306 Android applications. Some apps broke one rule, while others broke multiple.
Transportation

How a White-Hat Hacker Once Gained Control of Tesla's Entire Fleet (electrek.co)

"A few years ago, a hacker managed to exploit vulnerabilities in Tesla's servers to gain access and control over the automaker's entire fleet," remembers Electrek (in a story shared by long-time Slashdot reader AmiMoJo).

Tesla enthusiast Jason Hughes had already received a $5,000 bug bounty for reporting a vulnerability, but "knowing that their network wasn't the most secure, to say the least, he decided to go hunting for more bug bounties." After some poking around, he managed to find a bunch of small vulnerabilities. The hacker told Electrek, "I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was 'Mothership'." Mothership is the name of Tesla's home server used to communicate with its customer fleet.

Any kind of remote commands or diagnostic information from the car to Tesla goes through "Mothership." After downloading and dissecting the data found in the repository, Hughes started using his car's VPN connection to poke at Mothership. He eventually landed on a developer network connection. That's when he found a bug in Mothership itself that enabled him to authenticate as if the traffic was coming from any car in Tesla's fleet.

All he needed was a vehicle's VIN, and he had access to all of those through Tesla's "tesladex" database thanks to his complete control of Mothership, so he could get information about any car in the fleet and even send commands to those cars.

Last week Hughes released an annotated version of the bug report he'd submitted to Tesla. "Hughes couldn't really send Tesla cars driving around everywhere..." reports Electrek, "but he could 'Summon' them..." Tesla gave him a special $50,000 bug report reward — several times higher than their usual maximum — and "used the information provided by Hughes to secure its network."

Electrek calls it "a good example of the importance of whitehat hackers."
Apple

Apple Says App Store Appeals Process is Now Live, So Developers Can Start Challenging Decisions (theverge.com)

Apple on Monday announced that its new App Store appeals process, first revealed at WWDC in June, is now live, meaning developers can challenge Apple over whether their app is in fact violating one of its guidelines. In addition to that, Apple says developers can also suggest changes to the App Store guidelines through a form submission on its online developer portal. From a report: "For apps that are already on the App Store, bug fixes will no longer be delayed over guideline violations except for those related to legal issues. You'll instead be able to address guideline violations in your next submission," reads a note posted to Apple's developer website. "And now, in addition to appealing decisions about whether an app violates guidelines, you can suggest changes to the guidelines." These changes were introduced at WWDC on the heels of a rather public feud with software maker Basecamp, the creator of a new email service called Hey. Basecamp openly challenged Apple over whether it could distribute an iOS companion app to its email service without including in-app sign-up options, as Hey costs $99 a year and Basecamp felt it unnecessary to give Apple its standard 30 percent cut of that revenue (although Apple does only take 15 percent of in-app subscription revenue after one year of service). Apple, in response, held up the company's bug fixes and update capability.
Windows

Microsoft Tests Fix For Bug That Defrags SSD Drives Too Often (bleepingcomputer.com)

An anonymous reader shares a report: Windows 10 May 2020 Update, otherwise known as version 2004, was released in May with at least ten known issues. Microsoft later expanded the list of the problems and acknowledged that this feature update is also plagued with a bug that breaks the Optimize Drives tool. After upgrading to Windows 10 version 2004, users observed that Optimize Drives (also known as the defragmentation tool) is not correctly recording the last time a drive has been optimized. As a result, when you open the tool, you will see that your SSD drive says it 'Needs Optimization' even though you've manually optimized the drives already or automatic maintenance was run this morning. Since the last optimization times are forgotten, Windows 10's built-in maintenance tool started defragging an SSD drive much more often when you restart Windows. With Windows 10 Build 19042.487 (20H2) for Insiders, Microsoft has finally resolved all problems with the Optimize Drives (also known as the defragmentation tool).
Businesses

Tens of Suspects Arrested For Cashing-out Santander ATMs Using Software Glitch (zdnet.com)

An anonymous reader writes: The FBI and local police have made tens of arrests across the tri-state area this week as part of a crackdown against multiple criminal gangs who exploited a glitch in the software of Santander ATMs to cash out more money than was stored on cards. According to reports in local media, the bulk of the arrests took place in Hamilton (20 suspects), across towns in Morris County (19), and Sayreville (11). Smaller groups of suspects were also detained in Bloomfield, Robbinsville, and Holmdel, while reports of suspicious cash-outs were also recorded in Woodbridge, towns across Middlesex County, Boonton, Randolph, Montville, South Windsor, Hoboken, Newark, and even in New York City itself, in Brooklyn. Based on information ZDNet received from a Santander spokesperson, sources in the threat intelligence community, and details released by police departments in the affected towns, criminal gangs appear to have found a bug in the software of Santander ATMs.
Security

Former Uber Exec Charged With Paying 'Hush Money' To Conceal Massive Breach (npr.org)

Federal prosecutors have charged Uber's former chief security officer with covering up a massive 2016 data breach by arranging a $100,000 payoff to the hackers responsible for the attack. The personal data of 57 million Uber passengers and drivers was stolen in the hack. NPR reports: Prosecutors are charging the former executive Joe Sullivan with obstructing justice and concealing a felony for the alleged cover-up. Sullivan "engaged in a scheme to withhold and conceal" the breach from regulators and failed to report it to law enforcement or the public, according to a complaint filed in federal court in California on Thursday.

"Sullivan is being charged with a corporate cover-up and Sullivan is being charged with the payment of hush money to conceal something that should have been revealed," David Anderson, U.S. attorney for the Northern District of California, told NPR. Sullivan not only allegedly hid the breach from authorities, but also concealed it from many other Uber employees, including top management -- with one exception. According to the complaint, Uber's CEO at the time, Travis Kalanick, knew about the incident and about the steps Sullivan took to allegedly cover it up, including making the $100,000 payout under Uber's "bug bounty" program. Kalanick has not been charged and wouldn't comment for this story.

Like many tech companies, Uber pays so-called "white hat" hackers to test its systems for vulnerabilities. But the payment Uber made in this case was much larger than any bug bounty it had paid before, the complaint said, noting the company's program "had a nominal cap of $10,000." Uber required the hackers to sign nondisclosure agreements, also not standard practice for a bug bounty, the complaint alleged. Those agreements falsely said that the hackers did not take or store any data. "The problem is that this hush money payment was not a bug bounty," Anderson said. "We allege that this entire course of conduct reflects [Sullivan's] consciousness of guilt and desperation to conceal."

Security

Google Fixes Major Gmail Bug Seven Hours After Exploit Details Go Public (zdnet.com)

On Wednesday Google patched a major security bug impacting the Gmail and G Suite email servers. From a report: The bug could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer. According to security researcher Allison Husain, who found and reported this issue to Google in April, the bug also allowed attackers to pass the spoofed emails as compliant with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), two of the most advanced email security standards. However, despite having 137 days to fix the reported issue, Google initially delayed patches past the disclosure deadline, planning to fix the bug somewhere in September. Google engineers changed their mind yesterday after Husain published details about the bug on her blog, including proof-of-concept exploit code.
Privacy

An Alexa Bug Could Have Exposed Your Voice History To Hackers (wired.com)

An anonymous reader quotes a report from Wired: Findings published on Thursday by the security firm Check Point reveal that Alexa's Web services had bugs that a hacker could have exploited to grab a target's entire voice history, meaning their recorded audio interactions with Alexa. Amazon has patched the flaws, but the vulnerability could have also yielded profile information, including home address, as well as all of the "skills," or apps, the user had added for Alexa. An attacker could have even deleted an existing skill and installed a malicious one to grab more data after the initial attack. [...] For an attacker to exploit the vulnerabilities, they would need first to trick targets into clicking a malicious link, a common attack scenario. Underlying flaws in certain Amazon and Alexa subdomains, though, meant that an attacker could have crafted a genuine and normal-looking Amazon link to lure victims into exposed parts of Amazon's infrastructure. By strategically directing users to track.amazon.com -- a vulnerable page not related to Alexa, but used for tracking Amazon packages -- the attacker could have injected code that allowed them to pivot to Alexa infrastructure, sending a special request along with the target's cookies from the package-tracking page to skillsstore.amazon.com/app/secure/your-skills-page.

At this point, the platform would mistake the attacker for the legitimate user, and the hacker could then access the victim's full audio history, list of installed skills, and other account details. The attacker could also uninstall a skill the user had set up and, if the hacker had planted a malicious skill in the Alexa Skills Store, could even install that interloping application on the victim's Alexa account. Both Check Point and Amazon note that all skills in Amazon's store are screened and monitored for potentially harmful behavior, so it's not a foregone conclusion that an attacker could have planted a malicious skill there in the first place. Check Point also suggests that a hacker might be able to access banking data history through the attack, but Amazon disputes this, saying that information is redacted in Alexa's responses.
"The security of our devices is a top priority, and we appreciate the work of independent researchers like Check Point who bring potential issues to us," an Amazon spokesperson told WIRED in a statement. "We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems. We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed."
