Social Networks

Twitter Bans Animated PNG Files After Online Attackers Targeted Users With Epilepsy (theverge.com) 78

Twitter is banning animated PNG image files (APNGs) from its platform, after an attack on the Epilepsy Foundation's Twitter account sent out similar animated images that could potentially cause seizures in photosensitive people. The Verge reports: Twitter discovered a bug that allowed users to bypass its autoplay settings, and allow several animated images in a single tweet using the APNG file format. "We want everyone to have a safe experience on Twitter," the company says in a tweet from the Twitter Accessibility handle. "APNGs were fun, but they don't respect autoplay settings, so we're removing the ability to add them to Tweets. This is for the safety of people with sensitivity to motion and flashing imagery, including those with epilepsy."

Tweets with existing APNG images won't be deleted from the platform, but only GIFs will be able to animate images moving forward. According to Yahoo, Twitter has further clarified that APNG files were not used to target the Epilepsy Foundation, but the bug meant such files could have been used to do so in the future had Twitter not moved to squash it. The attacks on the Epilepsy Foundation's Twitter handle occurred last month -- National Epilepsy Awareness Month -- with trolls using its hashtags and Twitter handle to post animated images with strobing light effects. It's not clear how many people may have been affected by the attack, but the foundation said it's cooperating with law enforcement officials and has filed criminal complaints against accounts believed to have been involved.

The Internet

DNS Over HTTPS: Not As Private As Some Think? (sans.edu) 83

Long-time Slashdot reader UnderAttack writes: DNS over HTTPS has been hailed as part of a "poor man's VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol.

But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional padding option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have access [to].

The Internet Storm Center is offering some data to show how this can be done.

Their article is by Johannes B. Ullrich, Ph.D. and Dean of Research at the SANS Technology Institute.

It notes that Firefox "seems to be the most solid DoH implementation. Firefox DoH queries look like any other Firefox HTTP2 connection except for the packet size I observed." And an open Firefox bug already notes that "With the availability of encrypted DNS transports in Firefox traffic analysis mitigations like padding are becoming relevant."
Bug

Apple Opens Public Bug Bounty Program, Publishes Official Rules (zdnet.com) 10

Apple has formally opened its bug bounty program today to all security researchers, after announcing the move earlier this year in August at the Black Hat security conference in Las Vegas. From a report: Until today, Apple ran an invitation-based bug bounty program for selected security researchers only and was accepting only iOS security bugs. Starting today, the company will accept vulnerability reports for a much wider spectrum of products that also includes iPadOS, macOS, tvOS, watchOS, and iCloud. In addition, the company has also increased its maximum bug bounty reward from $200,000 to $1,500,000, depending on the exploit chain's complexity and severity.
Security

Npm Team Warns of New 'Binary Planting' Bug (zdnet.com) 17

The team behind npm, the biggest package manager for JavaScript libraries, issued a security alert yesterday, advising all users to update to the latest version (6.13.4) to prevent "binary planting" attacks. From a report: Npm (Node.js Package Manager) devs say the npm command-line interface (CLI) client is impacted by a security bug -- a combination of a file traversal and an arbitrary file (over)write issue. The bug can be exploited by attackers to plant malicious binaries or overwrite files on a user's computer. The vulnerability can be exploited only during the installation of a boobytrapped npm package via the npm CLI. "However, as we have seen in the past, this is not an insurmountable barrier," said the npm team, referring to past incidents where attackers planted backdoored or boobytrapped packages on the official npm repository. Npm devs say they've been scanning the npm portal for packages that may contain exploit code designed to exploit this bug, but have not seen any suspicious cases. "That does not guarantee that it hasn't been used, but it does mean that it isn't currently being used in published packages on the [official npm] registry," npm devs said.
Chrome

Google Halts Chrome 79 Rollout After It Breaks Some Android Apps (9to5google.com) 19

Chrome 79 is creating an issue with WebView (the Android component that allows apps to display content from the web), reports 9to5Google: On Friday morning, Android developers reliant on WebView and local storage began encountering an issue where their apps lost data after users updated to version 79 of WebView. Those affected took to Chromium's bug tracker, and have described the incident as a "catastrophe" and "major issue." To end users, it's as if apps were entirely reset and just downloaded for the first time. This includes saved data disappearing or being logged out. Given the level of system opacity, most will blame developers for a problem that's out of their hands.

By that afternoon, Google engineers responded and isolated the issue to "profile layout changes" where "local storage was missed off the list of files migrated." A member of the Chromium team apologized Saturday morning, with the Chrome/WebView rollout halted after 50% of devices already received the update. At the highest priority level (P0), Google is currently "working on a solution that minimizes the data loss, and that can be rolled out safely." The last guidance for a patch is 5-7 days.

Books

Do You Remember the Y2K Bug? (fastcompany.com) 241

harrymcc writes: In the late 1990s, lots of people were concerned that the Y2K bug could lead to power outages, financial collapse, riots, and worse when the clock rolled over to January 1, 2000. Hundreds of books about the problem and suggestions on how to respond (quit your job, move to the country, stockpile food) not only capitalized on this fear but helped to spread it.

Over at Fast Company, I marked the 20th anniversary of the "crisis" with a retrospective on the survival guides and what we can learn from them.

The article calls them "an eternally useful guide to how not to give people advice about technology and its role in their lives... They provided a brief layperson's guide to the origins of the problem, and then segued into nightmare scenarios."
They had scary titles like Time Bomb 2000 and The Millennium Meltdown. Their covers featured grim declarations such as "The illusion of social stability is about to be shattered... and nothing can stop it" and garish artwork of the earth aflame and bombs tumbling toward skylines. Inside, they told readers that the bug could lead to a decade or more of calamity, and advised them to stockpile food, cash, and (sometimes) weapons. There were hundreds of these books from publishers large and small, some produced by people who turned the topic into mini-media empires...

Spoiler alert: When January 1, 2000, rolled around, nothing terrible happened. By then, techies had spent years patching up creaky code so it could deal with 21st-century dates, and the billions invested in the effort paid off. Some problems did crop up, but even alarming-sounding ones -- such as glitches at nuclear power plants -- were minor and resolvable.

On December 31st, 1999, Roblimo posted a call for comments from Slashdot readers, writing "This thread ought to make an interesting chronicle of Y2K events -- or non-events, as the case may be."

But NBC had even filmed a made-for-TV Y2K disaster movie (which Jon Katz called "profoundly stupid and irresponsible.")

And one survivalist videotape even featured an ominous narration by Leonard Nimoy.
Chrome

Google Releases Chrome 79 With New Features Including an Option To Freeze Tabs and Back-Forward Caching (zdnet.com) 29

Google today released Chrome 79 for Windows, Mac, Linux, Chrome OS, Android, and iOS users. This release comes with security and bug fixes, but also with new features such as built-in support for the Password Checkup tool, real-time blacklisting of malicious sites via the Safe Browsing API, general availability of Predictive Phishing protections, a ban on loading HTTPS "mixed content," support for tab freezing, a new UI for the Chrome Sync profile section, and support for a back-forward caching mechanism. ZDNet has outlined each new feature in-depth.
Bug

The Most Copied StackOverflow Java Code Snippet Contains a Bug (zdnet.com) 71

The admission comes from the author of the snippet itself, Andreas Lundblad, a Java developer at Palantir, and one of the highest-ranked contributors to StackOverflow, a Q&A website for programming-related topics. From a report: An academic paper [PDF] published in 2018 identified a code snippet Lundblad posted on the site as the most copied Java code taken from StackOverflow and then re-used in open source projects. The code snippet was provided as an answer to a StackOverflow question posted in September 2010. The code snippet printed byte counts (123,456,789 bytes) in a human-readable format, like 123.5 MB. Academics found that this code had been copied and embedded in more than 6,000 GitHub Java projects, more than any other StackOverflow Java snippet. In a blog post published last week, Lundblad said that the code had a flaw as it incorrectly converted byte counts into human-readable formats. Lundblad said he revisited the code after learning of the academic paper and its results. He looked at the code again and published a corrected version on his blog.
Bug

A Bug In Microsoft's Login System Put Users At Risk of Account Hijacks (techcrunch.com) 20

Microsoft has fixed a vulnerability in its login system that could have been used to trick unsuspecting victims into giving over complete access to their online accounts. TechCrunch reports: The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without requiring them to constantly re-enter their passwords. These tokens are created by an app or a website in place of a username and password after a user logs in. That keeps the user persistently logged into the site, but also allows users to access third-party apps and websites without having to directly hand over their passwords. Researchers at Israeli cybersecurity company CyberArk found that Microsoft left open an accidental loophole which, if exploited, could've been used to siphon off these account tokens used to access a victim's account -- potentially without ever alerting the user.

CyberArk's latest research, shared exclusively with TechCrunch, found dozens of unregistered subdomains connected to a handful of apps built by Microsoft. These in-house apps are highly trusted and, as such, associated subdomains can be used to generate access tokens automatically without requiring any explicit consent from the user. With the subdomains in hand, all an attacker would need is to trick an unsuspecting victim into clicking on a specially crafted link in an email or on a website, and the token can be stolen. [...] Luckily, the researchers registered as many of the subdomains they could find from the vulnerable Microsoft apps to prevent any malicious misuse, but warned there could be more.

IOS

iOS Apps Could Really Benefit From the Newly Proposed Security.plist Standard (zdnet.com) 13

Security researcher Ivan Rodriguez has proposed a new security standard for iOS apps, which he named Security.plist. From a report: The idea is simple. App makers would create a property list file (plist) named security.plist that they would embed inside the root of their iOS apps. The file would contain all the basic contact details for reporting a security flaw to the app's creator. Security researchers analyzing an app would have an easy way to get in contact with the app's creators. Rodriguez said the idea for Security.plist came from Security.txt, a similar standard for websites that was proposed in late 2017. Security.txt is currently going through an official standardization process at the Internet Engineering Task Force (IETF), but it has been widely adopted already, and companies like Google, GitHub, LinkedIn, and Facebook all have a security.txt file hosted on their sites, so bug hunters can get in touch with their respective security teams. Rodriguez, who is an amateur bug hunter in iOS apps, said he decided to propose a similar thing for iOS apps because getting in touch with an app's dev or security team has been a problem in the past. "I spend most of my free time poking mobile applications which has led me to find many vulnerabilities and I have yet to find one that has an easy way to find the correct channel to responsibly disclose these issues," Rodriguez told ZDNet.
Facebook

NSO Employees Take Legal Action Against Facebook For Banning Their Accounts (vice.com) 53

On Tuesday, lawyers representing current and former employees of Israeli surveillance contractor NSO Group took legal action against Facebook to try and get their accounts reinstated after being banned by the social media giant. Motherboard reports: Last month, Facebook itself sued NSO in California for leveraging a vulnerability in the WhatsApp chat program that NSO Group clients used to hack targets. As part of that, Facebook also banned the personal Facebook and Instagram accounts of multiple current and former NSO employees. The new lawsuit argues that Facebook violated its own terms of service by blocking the NSO employees, and it used personal information they shared with Facebook in order to identify them, in violation of an Israeli privacy law. As relief, the lawyers ask the court to make Facebook lift the ban on the accounts. The lawsuit was first reported in Israeli media.

"It appears that Facebook used the [NSO employees'] personal data...in order to identify them as NSO employees (or former employees), in service of imposing 'collective punishment' on them, in the form of blocking their personal accounts," the lawsuit reads in Hebrew. The lawsuit argues that the personal data used to identify them as NSO employees belonged to the individuals, and not Facebook. The legal action says that the NSO employees were banned without warning even though they are "private people, who make private use of the social networks, whose only 'sin' was any association with NSO, as employees or former employees." The lawsuit includes a screenshot of an email Facebook allegedly sent to someone who had their account suspended.
Facebook told Motherboard in a statement on Tuesday, "In October we filed a legal complaint which attributed a sophisticated cyber attack to the NSO Group and its employees that was directed at WhatsApp and its users in violation of our terms of service and U.S. law. Such actions warranted disabling relevant accounts and continue to be necessary for security reasons, including preventing additional attacks."
Social Networks

Facebook and Twitter Users' Data Exposed Due To Third-Party SDK Bug (thurrott.com) 10

Facebook and Twitter announced on Monday that the companies were notified about malicious software development kits (SDKs) that allowed certain apps to collect users' data from the apps without their permission. Paul Thurrott reports: The main culprits here are One Audience and Mobiburn, developers of the malicious SDKs that apparently paid developers to use the SDKs and secretly collect users' data. Twitter noted that the issue isn't due to a vulnerability in its software. The breach was caused by "the lack of isolation between SDKs within an application," according to the company. The company also said that the malicious SDKs could allow apps to access personal information like your email, username, and your last tweet without your permission. "We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS," the company said. The two social networks said that they will notify the affected users about the breach.
Security

OnePlus Notifies Customers of Data Breach Impacting Users of Its Online Store 7

OnePlus has sent out an email informing recent OnePlus customers of a security issue. "This 'Security Notification' from OnePlus informs customers that an 'unauthorized party' was able to access order information from the company's online store," reports 9to5Google. "OnePlus says that payment information as well as account details were not accessed, but names, addresses, emails, and phone numbers 'may' have been exposed. The company says it will continue to investigate the matter, but obviously this is no small issue." From the report: Speaking to Droid-Life, OnePlus says that they took "immediate steps to stop the intruder and reinforce security," and that they are currently "working with the relevant authorities to further investigate this incident." OnePlus didn't explain what went wrong, but they are apparently working to start a bug bounty program by the end of this year.

This isn't the first time the company's store has fallen victim to a security issue like this. In early 2018, OnePlus customers found evidence of credit card fraud stemming from the Store that triggered OnePlus to shut down credit card payments temporarily. Just a day later, OnePlus' investigation into the matter revealed that 40,000 credit card numbers had been exposed.
OnePlus has a thread on its forums with more details about the breach.
Google

Google Will Pay Bug Hunters Up To $1.5M if They Can Hack Its Titan M Chip (zdnet.com) 21

Google announced today that it is willing to dish out bug bounty cash rewards of up to $1.5 million if security researchers find and report bugs in the Android operating system that can also compromise its new Titan M security chip. From a report: Launched last year, the Titan M chip is currently part of Google Pixel 3 and Pixel 4 devices. It's a separate chip that's included in both phones and is dedicated solely to processing sensitive data and processes, like Verified Boot, on-device disk encryption, lock screen protections, secure transactions, and more. Google says that if researchers manage to find "a full chain remote code execution exploit with persistence" that also compromises data protected by Titan M, they are willing to pay up to $1 million to the bug hunter who finds it. If the exploit chain works against a preview version of the Android OS, the reward can go up to $1.5 million.
Debian

Debian Project Drafts General Resolution on Init-System Diversity (lwn.net) 212

Debian "is heading toward a new general resolution to decide at what level init systems other than systemd should be supported," reports LWN.net.

"I'm absolutely convinced we've reached a point where in order to respect the people trying to get work done, we need to figure out where we are as a project," writes Debian project leader Sam Hartman. "We can either decide that this is work we want to facilitate, or work that we as a project decide is not important."

LWN.net reports: The immediate motivation for a reconsideration would appear to be the proposed addition of elogind, a standalone fork of the systemd-logind daemon, to Debian. Elogind would provide support for systemd's D-Bus-based login mechanism -- needed to support small projects like the GNOME desktop -- without the need for systemd itself. The addition of elogind has been controversial; it is a difficult package to integrate for a number of reasons. Much of the discussion has evidently been carried out away from the mailing lists, but some context on the problem can be found in this bug report. In short: merging elogind appears to be complex enough that it would be hard to justify in the absence of a strong commitment to the support of non-systemd init systems. It seems possible that this commitment no longer exists across the distribution as a whole; the purpose of a general resolution would be to determine whether that is the case or not.

Unsurprisingly, Debian developers have a variety of opinions on this issue. This response from Russ Allbery is worth reading in its entirety. He argues that the 2014 decision (of which he was a part) never really nailed down the project's position toward other init systems. That was a necessary compromise at the time, he said, but it is causing stress now: "while I feel somewhat vindicated by the fact that this didn't immediately fall apart and has sort of worked, I think it's becoming increasingly untenable".... Josh Triplett zeroed in on one of the issues that is testing the init-system peace now. There is, he said, an increasingly long list of features that are only available with systemd, and application developers want to use those features... The responses to this argument took a couple of different approaches. Ted Ts'o described those features as "the 'embrace, extend, and extinguish' phenomenon of systemd which caused so much fear and loathing."

There's much more information in LWN.net's 1,600-word article -- but where do things stand now? Hartman posted a draft general resolution last week with three choices.

"It should be noted, though, that this is explicitly a draft," concludes LWN.net. "It is likely to evolve considerably before it reaches the point where the project will vote on it."


Chrome

Google Chrome Experiment Crashes Browser Tabs, Impacts Companies Worldwide (zdnet.com) 50

A Google Chrome experiment has gone horribly wrong this week and ended up crashing browsers on thousands, if not more, enterprise networks for nearly two days. From a report: The issue first appeared on Wednesday, November 13. It didn't impact all Chrome users, but only Chrome browsers running on Windows Server "terminal server" setups -- a very common setup in enterprise networks. According to hundreds of reports, users said that Chrome tabs were going blank, all of a sudden, in what's called a "White Screen of Death" (WSOD) error. The issue was no joke. System administrators at many companies reported that hundreds and thousands of employees couldn't use Chrome to access the internet, as the active browser tab kept going blank while working. In tightly controlled enterprise environments, many employees didn't have the option to change browsers and were left unable to do their jobs. Similarly, system administrators couldn't just replace Chrome with another browser right away.
Communications

As 5G Rolls Out, Troubling New Security Flaws Emerge (wired.com) 19

It's not yet prime time for 5G networks, which still face logistical and technical hurdles, but they're increasingly coming online in major cities worldwide. Which is why it's especially worrying that new 5G vulnerabilities are being discovered almost by the dozen. From a report: At the Association for Computing Machinery's Conference on Computer and Communications Security in London today researchers are presenting new findings that the 5G specification still has vulnerabilities. And with 5G increasingly becoming a reality, time is running out to catch these flaws. The researchers from Purdue University and the University of Iowa are detailing 11 new design issues in 5G protocols that could expose your location, downgrade your service to old mobile data networks, run up your wireless bills, or even track when you make calls, text, or browse the web. They also found five additional 5G vulnerabilities that carried over from 3G and 4G. They identified all of those flaws with a new custom tool called 5GReasoner.

One purported benefit of 5G is that it protects phone identifiers, like your device's "international mobile subscriber identity," to help prevent tracking or targeted attacks. But downgrade attacks like the ones the researchers found can bump your device down to 4G, or put it into limited service mode, then force it to send its IMSI number unencrypted. Increasingly, networks use an alternative ID called a Temporary Mobile Subscriber Identity that refreshes periodically to stymie tracking. But the researchers also found flaws that could allow them to override TMSI resets, or correlate a device's old and new TMSI, to track devices. Mounting those attacks takes only software-defined radios that cost a few hundred dollars. The 5GReasoner tool also found issues with the part of the 5G standard that governs things like initial device registration, deregistration, and paging, which notifies your phone about incoming calls and texts. Depending on how a carrier implements the standard, attackers could mount "replay" attacks to run up a target's mobile bill by repeatedly sending the same message or command. It's an instance of vague wording in the 5G standard that could cause carriers to implement it weakly.

Facebook

Facebook Bug Has Camera Activated While People Are Using the App (cnet.com) 92

When you're scrolling through Facebook's app, the social network could be watching you back, in more ways than just your data, concerned users have found. Multiple people have found and reported that their iPhone cameras were turned on in the background while looking at their feed. From a report: The issue came to light with several posts on Twitter, showing that their cameras were activated behind Facebook's app as they were watching videos or looking at photos on the social network. After clicking on the video to full screen, returning it back to normal would create a bug where Facebook's mobile layout was slightly shifted to the right. With the open space on the left, you could now see the phone's camera activated in the background. This was documented in multiple cases, with the earliest incident on November 2.
Technology

Pentagon Gets a Fix for F-35 Bug in $400,000 Pilot Helmets (bloomberg.com) 80

The U.S. military may have finally found a way to fix a glitch with the world's most high-tech helmet used by pilots flying the most expensive fighter jet in history. From a report: A bug in the $400,000 helmet display screen used by F-35 aviators caused a green glow when flying in very low-light conditions and is now expected to be overcome by using a different type of semiconductor illumination. The distracting green glow was deemed so critical that restrictions were imposed on some night landings on aircraft carriers, and the fault was classified as a "Priority One" fix by the Pentagon's test office. Jittery lines were also visible to some pilots. Defense giant Lockheed Martin has been contracted by the F-35 Joint Program Office for the redesign, modifying headpieces by installing new organic light-emitting diodes to replace traditional liquid crystal displays. "In partnership with the F-35 Joint Program Office and our U.S. Navy customer, we've been working to transition the helmet technology from a traditional LCD to an Organic LED system," Program Manager Jim Gigliotti said by email. Lockheed Martin did not provide a figure for the number of helmets requiring modification or the upgrade cost.
Security

Security Researchers Exploit Amazon Echo's Chromium Bug, Win $60,000 Bounty (techcrunch.com) 6

An anonymous reader quotes TechCrunch: Two security researchers have been crowned the top hackers in this year's Pwn2Own hacking contest after developing and testing several high profile exploits, including an attack against an Amazon Echo. Amat Cama and Richard Zhu, who make up Team Fluoroacetate, scored $60,000 in bug bounties for their integer overflow exploit against the latest Amazon Echo Show 5, an Alexa-powered smart display.

The researchers found that the device uses an older version of Chromium, Google's open-source browser projects, which had been forked some time during its development. The bug allowed them to take "full control" of the device if connected to a malicious Wi-Fi hotspot, said Brian Gorenc, director of Trend Micro's Zero Day Initiative, which put on the Pwn2Own contest...

When reached, Amazon said it was "investigating this research and will be taking appropriate steps to protect our devices based on our investigation," but did not say what measures it would take to fix the vulnerabilities -- or when.

The same researchers also compromised Sony and Samsung smart TVs, and the Xiaomi Mi9 smartphone, according to ZDNet, which also reports that "Nobody wanted a piece of the Facebook Portal, and nor did they want to hack Google's Home assistant.

"Security researchers chose to go after the easier targets, like routers and smart TVs, known for running weaker firmware than what you'd usually find on a smart speaker or home automation hub."
