To be clear, this is not a flaw in Apple Pay or its payment network. But the results illustrate the unforeseen problems that can arise from web interconnections and third-party integrations. Joshua Maddux, a security researcher with PKC Security, first noticed the problem last fall while implementing Apple Pay support for a client.
"This is not Apple Pay as such, it's only an exposure for websites that have added support for Apple Pay."
Joshua Maddux, PKC Security
You add the Apple Pay feature to your web service by integrating it with the Apple Pay application programming interface (API), which lets Apple power the module with its existing Apple Pay infrastructure. But Maddux noticed that the connection between a site and the Apple Pay infrastructure, as well as the validation mechanism used to negotiate that connection, can be set up in different ways, all at the discretion of the host site. An attacker could, for example, swap the URL the target site uses to communicate with Apple Pay for a malicious URL, and then use it to send requests or commands to the target site's own infrastructure. From that position, the attacker could potentially extract an authorization token or other privileged data, gaining access to the website's backend infrastructure.
These flaws belong to a well-known vulnerability class called "server-side request forgery" (SSRF), which lets attackers bypass protections such as firewalls and send commands directly to web applications. These vulnerabilities pose a real threat and are regularly exploited in the wild. Most recently, one played a role in the massive Capital One breach last month. Similarly, the flexibility in how a website integrates with Apple Pay potentially exposes its own backend infrastructure to unauthorized access.
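To make the integration problem concrete, here is an added example (not code from the article, from PKC Security, or from Apple) of the merchant validation relay as an SSRF sink: a backend that forwards whatever validation URL the browser sends, beside a hardened version that only relays to an allowlisted Apple host. The request shape, the hostnames in the allowlist and the resolver stubs are all assumptions; the real hostnames come from Apple's Apple Pay on the Web documentation.

```python
"""Apple Pay merchant validation relay: SSRF-prone vs. hardened (added example)."""
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allowlist: placeholder names standing in for Apple's published
# validation hosts. Replace with the hostnames from Apple's documentation.
ALLOWED_HOSTS = {"apple-pay-gateway.example.com", "cn-apple-pay-gateway.example.com"}


class ValidationURLError(ValueError):
    """Raised when a client-supplied validationURL must not be relayed."""


def vulnerable_validation_target(body: dict) -> str:
    """Before: the backend relays the client's validationURL verbatim.

    The backend would then POST the merchant's session credentials to it, so a
    client that substitutes an internal address turns the relay into an SSRF.
    """
    return body["validationURL"]  # attacker-controlled, never checked


def hardened_validation_target(body: dict, resolver=socket.getaddrinfo) -> str:
    """After: relay only HTTPS URLs whose host is on the Apple allowlist and
    resolves to a public address. Returns the URL to fetch, or raises."""
    url = body.get("validationURL", "")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValidationURLError("validationURL must use https")
    if parsed.username or parsed.password:
        raise ValidationURLError("credentials embedded in validationURL")
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValidationURLError(f"host not on Apple Pay allowlist: {host!r}")
    if parsed.port not in (None, 443):
        raise ValidationURLError(f"unexpected port {parsed.port}")
    # Defense in depth: an allowlisted name must still resolve to public
    # addresses, so a DNS-level trick cannot steer the relay at internal ranges.
    for info in resolver(host, 443):
        addr = ipaddress.ip_address(info[4][0])
        if not addr.is_global:
            raise ValidationURLError(f"{host} resolves to non-public {addr}")
    return url


def validation_error(body: dict, resolver=socket.getaddrinfo):
    """Convenience wrapper: the rejection reason, or None if the URL is relayable."""
    try:
        hardened_validation_target(body, resolver)
    except ValidationURLError as exc:
        return str(exc)
    return None


# Constructed resolver stubs so the example runs offline (getaddrinfo shape).
def public_resolver_stub(host, port):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("17.1.2.3", port))]


def private_resolver_stub(host, port):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("10.0.0.5", port))]


if __name__ == "__main__":
    good = {"validationURL": "https://apple-pay-gateway.example.com/paymentservices/startSession"}
    bad = {"validationURL": "https://internal-admin.example/tokens"}  # constructed
    print("vulnerable relays:", vulnerable_validation_target(bad))
    print("hardened accepts:", hardened_validation_target(good, public_resolver_stub))
    print("hardened rejects:", validation_error(bad, public_resolver_stub))
```

The `__main__` block prints the rejection reason so you can see which check fired; in a real handler the request to the returned URL should also have a short timeout and redirects disabled.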
"This is not Apple Pay per se, it's just an exposure for websites that have added support for Apple Pay," Maddux said. "But, on the other hand, Apple Pay users trust these merchant sites with their data, so the connection matters."
Maddux first informed Apple of the problem in February and sent the company his proposed mitigations in March, including locking down the options for how websites can configure the integration in order to reduce the number of potential exposures. Maddux says that in his evaluations, Google Pay, for example, appears to offer more specific instructions and fewer options. Since then, Maddux has noticed that Apple has revised its documentation on adding an Apple Pay button to reduce the risk that sites integrate it in this potentially vulnerable way. But there does not seem to have been any structural change. Apple did not respond to a request for comment from WIRED.
Maddux notes that server-side request forgery vulnerabilities also appear in other integrations on the web, not just in the Apple Pay module. And it is already possible to set up an Apple Pay button more securely if you know how to mitigate the potential weaknesses. Maddux believes, however, that the problem needs to be better known, because mainstream integrations such as Apple Pay end up on countless websites and create exposures even if a site's users never interact directly with the module.
"It is certainly possible to implement Apple Pay support safely," says Maddux. "It's just that it would not be easy for a security-minded developer who does not understand server-side request forgery; for the moment it's not deeply rooted in developer consciousness."
Given the number of Apple Pay buttons out there in the digital world, it is high time to pay attention.
Samsung's new Galaxy Note phone is available in two sizes
Samsung unveiled its latest additions to the world of smartphones: the Galaxy Note 10 and Galaxy Note 10+. The 10+ is a 6.8-inch juggernaut that will start at $1,100. The 10 comes with a 6.3-inch screen, similar to the Galaxy S10, and starts at $950. But bad news, headphone enthusiasts: both new Galaxy phones use USB-C for charging and audio. The 3.5mm headphone jack is gone.
A code leak exposes security vulnerabilities deep in the 787
Last year, a security researcher discovered a publicly accessible data set on a Boeing server. He downloaded it, and it turned out to be code for 737 and 787 components, including part of the 787 code that had several serious security bugs. These vulnerabilities affect components such as the in-flight entertainment system, but could potentially be used to reach safety-critical systems such as flight controls and sensors.
Hackers can get into your iPhone just by sending a text
At the Black Hat conference, security researchers unveiled "interactionless bugs" in Apple's iOS that could give a hacker access to your phone without you doing anything at all. An attacker could send a specially crafted text message, and even if you never opened it, the iMessage server would return specific user data, such as the contents of your SMS messages or images. Apple has already fixed many of these interactionless bugs and will continue to do so in updates, so keep your iOS up to date!
That's roughly how much money presidential hopeful Elizabeth Warren intends to put into a new broadband plan to improve Internet access for rural and underserved communities. She is one of the first candidates to come up with a plan of this kind, and she promises to "ensure that every American household has a high-speed fiber optic connection at a price families can afford."
Polaroid-style instant print cameras are back. Pick the one that suits you from our list of the 11 best.
Here's how the "30-50 feral hogs" meme was born.
We looked at a series of vulnerabilities in VxWorks, an operating system you may never have heard of, but which powers billions of devices in critical infrastructure and beyond. We took the Guardian Firewall app for a spin and found a nice way to block unwanted trackers on iOS. And we are sorry to report that 5G has finally arrived, but some security issues still need to be resolved.
Speaking of security, Senator Mark Warner enlightened us on Russia's plans for the 2020 elections. The former White House cybersecurity czar lifted the veil on his next act with Trinity, a startup that wants to frustrate hackers. And Donald Trump's choice of John Ratcliffe as Director of National Intelligence gave WIRED contributor Garrett Graff a sense of unease. "The fact that the administration is so predictable in its terrible choices should not make those terrible choices any less troubling," writes Graff. On Friday, Ratcliffe withdrew his nomination.
And there's more! Every Saturday, we round up the security and privacy stories that we did not cover in depth but that we think you need to know about. Click on the headlines to read them, and stay safe.
After a report in The Guardian revealed Apple's extensive use of contractors to "grade" recordings of Siri users, the company announced the suspension of the program. Apple is not alone in the practice; Google and Amazon also use human reviewers. But Apple's self-declared role as a protector of privacy made the revelation sting more. As with Google and Amazon, the company says it will let people opt out of the grading program in a future software update, or, hopefully, opt in.
Club Penguin is a popular online game for kids run by Disney. Club Penguin Rewritten is an unofficial version of that game, an "independent recreation", as BleepingComputer calls it. Millions of users were exposed, however, when hackers found a backdoor apparently planted by a disgruntled administrator. Intruders obtained information on more than 4 million accounts and 2.9 million IP address logs. The administrator in question denies the allegations and, honestly, that's a lot of drama for something that isn't even the real Club Penguin.
Surprising no one, Facebook has found yet another group of coordinated inauthentic accounts promoting a narrative probably sponsored by a state. This time it is the United Arab Emirates and Egypt, where two marketing companies ran hundreds of fake accounts and Pages pushing various political positions. Facebook also removed hundreds of inauthentic Pages originating in Saudi Arabia that promoted the agenda of Crown Prince Mohammad bin Salman while attacking Saudi Arabia's neighbors as well as Al Jazeera and Amnesty International.
The New York Times reports that the New York Police Department's facial recognition database includes teens and children as young as 11 years old. This is another example of the unchecked expansion of facial recognition with little oversight; several members of the New York City Council were not aware of the practice. Experts have also criticized the practice on technical grounds, since facial recognition algorithms are unreliable at best, and even more so when applied to young faces that can change substantially in a matter of years.
Letting people opt out of data collection is better than not letting them choose at all. But for decades, that's been the extent of the conversation. It gives too many giant tech companies plausible deniability for the frantic trading of your personal information and lets them implicitly blame the victim when they go too far: Don't be angry with us, you could have opted out all along. Here is a simple suggestion: Let people opt in instead.
The problem is simple to explain. An "opt-out" paradigm means that data collection happens automatically and you must actively look for ways to stop it. Under "opt-in", you must affirmatively grant a company the right to access such data before it can do so. You are in control from the beginning.
"Not only do opt-in mechanisms serve consumers better, they also serve democracy better."
Joseph Tomain, Indiana University
At the moment, we do not know what form Apple's Siri opt-out will take; the company has temporarily suspended its collection of voice data and says only that once it resumes, "users will have the ability to opt in." Apple has not responded to a request for more specific information.
But to illustrate the limits of opt-out options, look no further than Amazon's Alexa, which already has a mechanism for saying "no thank you" to strangers listening to your commands. Ready? Open the Alexa app. Tap the three lines in the upper left corner. Then go to Settings. Then go to Alexa Account. Then go to Alexa Privacy. Then go to Manage How Your Data Improves Alexa. Then set Help Develop New Features to off. Then set the toggle under Use Messages to Improve Transcriptions to off. Theseus had an easier time escaping the Minotaur.
This criticism applies far more widely than just voice assistants, of course. Facebook is the undisputed master of the art. Nor is this a new concern; search the WIRED archives and you'll find headlines like "Investigation: Opt-Out Is a Loophole" from almost two decades ago. Consider that an indicator not of the staleness of the argument, but of how long this problem has festered and how little progress has been made.
"Not only do opt-in mechanisms serve consumers better, they also serve democracy better. They do this by helping to reduce the power imbalance between companies and individuals," said Joseph Tomain, a researcher at Indiana University's Center for Applied Cybersecurity Research. "The information collected about us undermines our human strength, our autonomy and our human dignity in ways we should not lose sight of."
"Opt-in gives companies an incentive to offer data practices that people would really agree to," said Tomain. That does not seem like so much to ask.
Changing the current opt-out framework to opt-in would not solve every problem. In fact, it would create some.
"Even if you had a big list of progressive things to sign up for, then you have a lot of fun figuring out what the right options look like," says Michelle Richardson, director of privacy and data at the nonprofit Center for Democracy and Technology. "Do you show them [users] all the different types of data and make them make choices on each type of data? Do you make them make granular decisions? Do you notify them every time something changes? It's a lot for a basic user to handle."
According to Richardson, the emphasis on opting out ultimately puts the responsibility on the individual, not on the companies that misuse the data. Moreover, your data travels through hundreds of businesses you never interact with, an underground economy of ghostly data brokers. You can no more opt out of that than you can punch a ghost.
Ideally, a strong privacy law will someday render the whole question of consent moot. "You need a privacy bill so that companies cannot keep doing these very risky things that continue to hurt people," Richardson said.
Establishing strong opt-in policies does not preclude an eventual comprehensive privacy law. And, in some ways, the huge amount of data you would have to consent to is exactly why companies should need that consent. You would finally have some idea of how serious the situation is.
In reality, opt-in looks like a long shot. Of the various privacy bills working through Congress, only one actually includes it, and it focuses on certain categories of sensitive information. But every time a company buries its data controls under a dozen layers of settings, every time Big Tech takes more than it gives, it seems less radical to suggest that the least they can do is get your explicit permission first.
Tim Verheyden, a journalist with the Belgian public broadcaster VRT, contacted the couple with a mysterious audio file. To their surprise, they clearly heard the voices of their son and grandchild, captured by Google's virtual assistant on a smartphone.
Verheyden says he gained access to the file, and more than 1,000 others, through a Google contractor who is part of a paid global workforce that reviews audio captured by the assistant from devices including smart speakers, phones and security cameras. One recording contained the couple's address and other details suggesting that they were grandparents.
Most of the recordings reviewed by VRT, including the one involving the Waasmunster couple, were intentional; users had asked for weather information or pornographic videos, for example. WIRED reviewed transcripts of files shared by VRT, which published a report on its findings on Wednesday. According to the broadcaster, the assistant appears to have activated incorrectly in about 150 recordings, after misinterpreting what was said.
Some of these fragments captured phone calls and private conversations. They included someone saying they needed the bathroom, and what appeared to be discussions of personal topics such as a child's growth rate, the healing of an injury and someone's love life.
Google says it transcribes a fraction of the assistant's audio to improve its automated speech processing technology. Yet the sensitive data contained in the recordings, and the instances of Google's algorithms eavesdropping without authorization, make some people uncomfortable, including the worker who shared the audio with VRT and some privacy experts. Privacy experts say Google's practices violate the EU's GDPR privacy rules introduced last year, which offer special protections for sensitive data such as medical information and require transparency about how personal data is collected and processed.
VRT began talking to the Google contractor after a Bloomberg report described how audio from Amazon's Alexa, unintentional recordings included, is transcribed by company staff and contractors in locations including Boston, Costa Rica and India. The Google contractor said he transcribed about 1,000 clips a week in Dutch and Flemish and was concerned about the sensitivity of some recordings. He showed VRT how he logged into a private version of a Google app called Crowdsource to access the recordings assigned to him.
In one case, the contractor said, he transcribed a recording in which a woman sounded as though she was in distress. "I thought physical violence was involved," he said in VRT's English-subtitled video report. "These are real people you are listening to, not just voices." The contractor added that Google had not provided clear guidance on what workers should do in such cases.
In a statement, a Google spokesman said the company had opened an investigation because the contractor had violated its data security rules. According to the statement, Google uses "language experts from around the world" to transcribe audio recordings from the company's assistant, but reviews only about 0.2 percent of all recordings, which are not associated with user accounts.
Google reviewers may not see the account data, but they still have the ability to hear very private information, for example relating to health. Jef Ausloos, a researcher at the Center for Computer and Intellectual Property Law at the University of Leuven, Belgium, told VRT that Google's system might not be in line with the GDPR, which requires explicit consent to collect health data.
Michael Veale, a technology policy researcher at the London-based Alan Turing Institute, said these practices did not seem to meet the requirements of the GDPR, even for data considered non-sensitive. The group of national data protection regulators in charge of GDPR enforcement has stated that companies must be transparent about the data they collect and how they process it. "You have to be very specific about what you are implementing and how," says Veale. "I think Google did not do that because it would look scary."
A Google spokesman said the company would look into how it could clarify the way users' recordings are used to improve the company's speech technology.
Veale has filed a complaint about Apple's Siri with the Irish data protection regulator, arguing that the service violates the GDPR because users cannot access the recordings made by Siri. He added that Apple had replied that its systems handle the data with enough care that audio files of a user's own voice would not be considered personal data. Google and Amazon allow users to view and delete their recordings. Amazon now lets users say, "Alexa, delete everything I said today," to purge their history.
Amazon's privacy policies do not describe how reviewers handle certain Alexa audio files. Like Google's, its Alexa privacy pages say Alexa does not record all conversations, but do not explain that it may listen inadvertently. Apple's documents also do not describe the review processes, although a security white paper indicates that some Siri audio files are kept for "ongoing improvement and quality assurance". Amazon and Apple declined to comment.
Corrected on 19/10/19 at 19h ET: The Google contractor who spoke on Belgian TV said he reviewed 1,000 audio clips a week. An earlier version of this article said he reviewed 1,000 clips per month.
Ive has been an indispensable leader at Apple and the leading guide to the company's aesthetic vision. His role became even more important after Apple co-founder Steve Jobs died of pancreatic cancer in 2011. Apple will not immediately appoint a new design chief. Alan Dye, who heads Apple's user interface team, and Evans Hankey, head of industrial design, will report directly to Apple's chief operating officer, Jeff Williams, according to the Financial Times.
"It seems like a natural and gentle moment to make this change," Ive said in the interview, somewhat puzzlingly. Apple's business is currently facing many changes: declining iPhone sales, the escalating trade war between President Trump's administration and China, and the April departure of retail chief Angela Ahrendts. The company is also shifting from hardware devices to software and services.
It is unclear exactly what LoveFrom will work on, and Ive was a little vague about the nature of the company, though he said it would continue to work on technology and health care. Another Apple design employee, Marc Newson, is also leaving to join the new company. This is not the first time the pair have worked together on a non-Apple project. In 2013, they designed a custom Leica camera that was auctioned for the Global Fund to Fight AIDS, Tuberculosis and Malaria.
During an interview with Anna Wintour at the WIRED25 Summit last November, Ive discussed the creative process and how he sees his responsibility as a mentor at Apple. "I still think it's so remarkable that ideas can become so powerful and literally change the world," he said. "But those same ideas at the beginning are extremely fragile. I think the creative process does not sit naturally or easily in a large group of people."
Ive left the London design studio Tangerine and moved to California to join Apple in 1992. He became executive vice president of industrial design in 1997, after Jobs returned to the company. The following year the iMac G3 came out, which would prove to be Ive's first big hit, helping to right the ship of Apple's business. He later helped oversee the design of Apple's new headquarters, Apple Park.
"It's frustrating to talk about this building in terms of absurd, enormous numbers," Ive told WIRED's Steven Levy at the campus opening in 2017. "It's an impressive statistic, but you don't live in an impressive statistic. Although it is a technical marvel to make glass on this scale, that is not the achievement. The goal is to create a building where so many people can connect and collaborate, walk and talk."