Has Houseparty really hacked your phone and stolen your bank details? - Naked Security
Posted: 30 Mar 2020 01:12 PM PDT

If you're at home right now – and who isn't? – then you've probably heard of Houseparty. It's a social networking app that came out back in 2015 and was bought by Epic Games – famous for Unreal and Fortnite – in the middle of 2019.

The name gives you a good idea of what it does: simply put, you go online, hang out, and other members (players?) can join you in your "room" and engage in face-to-face chat, or as close to face-to-face as you can get in a virtual world. Think of it as a multiuser video call that friends and family – or, indeed, anyone, if that's your thing – can wander into and say, "Hi."

As the app makers themselves put it early last year:
Imagine a video calling service, like Zoom or Skype, but without calls and conferences and meetings – it's like arriving at the pub to see who's there, rather than booking a table at a bistro and meeting a specific group who have all agreed to the time and place.

And, as Houseparty noted in the same article, given that the North American winter was in full swing at the time:
For "snow" read "coronavirus lockdown" and you can understand why the app has become hugely popular in the last few weeks, as people try to maintain a social life of sorts when they aren't allowed out to meet other people at all.

Has the party gone wrong?

Well, the Houseparty team have suddenly been turned into the bad guys, with breathless comments on other social networks warning you to stop using the app right away:

If anyone is using that house party app DELETE IT. My friend's email account has been hacked into by it, and they managed to get bank account details too and have hacked that. I've seen a few other people saying this too on twitter. I also keep getting dodgy emails. Just a warning x

Is there any truth in this?

To be honest, we can't tell you that the Houseparty app is bug-free, because we haven't decompiled or analysed it, and even if we had, working out that an app is totally free of vulnerabilities is a close-to-impossible exercise, as are many tasks where you are expected to prove a negative.

But the claim in the post above is not that there's a bug that's being exploited in the app. Instead, to us the post seems very clearly to imply that Houseparty is a rogue app that is actively breaking into every part of your digital life and plundering it in a determined burst of criminality.

And as unlikely as that sounds, and for all that Houseparty itself has stated this…
…there are pages of counter-tweets insisting that…

BOYCOTT HOUSEPARTY, just found out that's how my Spotify was hacked and how many others are being hacked on various things

DELETE HOUSEPARTY!!!!! They are hacking into Spotifys, Snapchats and even online banking!!! Didn't realise what was happening when I got these emails but it is 100% that houseparty app!! Three new logins to my Spotify and someone tried to reset my password for Netflix!! Not worth the risk

Well, here's the thing. There's one thing missing in all of these aggressive!!! and SHOUTY!!!!! claims, and that is evidence.

What happened?

At the moment, we don't know what kicked off the storm of accusations, but Houseparty says [2020-03-31T03:21Z] it is "investigating indications" that the whole thing started as a smear campaign, to the point of offering a huge reward for proof:
But could a security bug in the app or a breach on Houseparty's own servers have a knock-on effect by which other hackers – not Houseparty itself, but opportunists elsewhere – could break into your other online accounts?

In theory, yes, assuming that you used the same password on your other accounts, so that your Houseparty password would effectively be a master key for all of them.

You have to type your password into the app at least once when you set it up, so your keystrokes are revealed to the app, from which it is at least theoretically possible they might leak – though your keystrokes would also, in theory, be revealed to other apps active on your phone at the same time, including malware running in the background.

And any online service that has user accounts needs to maintain a user database by which it can verify passwords, so a server breach could, in theory, expose that database to a hacker.

Note that very few online services actually store the text of your password – they store what's called a hash of the password that can be used for verification instead. For the technical details of how this works, see our article Serious Security: How to store your users' passwords safely.

So, crooks who steal a password database – and there is no evidence that happened here at all – can't directly read out the passwords, but they can try to crack them one by one using trial and error, which sometimes lets them figure out a few passwords, usually those that are shortest and most likely to be tried first.

The problem is that none of the Twitter comments we've seen so far lend any credibility to these explanations, let alone provide evidence that Houseparty is itself implicated in any hacking.

After all, if you use the same password on all your accounts – and some people who are accusing Houseparty are at least admitting that they did just that – then any phishing attack against any of your accounts would expose all of them.
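The two points above – that a service stores a hash rather than your password, and that a stolen hash table still falls to trial and error for short, common passwords – as an added worked example that is not code from the original article or from Houseparty. It uses Python's standard-library hashlib.scrypt with a random per-user salt; the user names, passwords and guess list are constructed for illustration, and the guessing routine is the same weak-password audit a site operator would run against their own table.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# scrypt work factors. Memory cost is 128 * N * r bytes (16 MiB here);
# production deployments would pick N higher than this demo value.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh 16-byte random salt per user
    means two users with the same password end up with different records, so
    a crook cannot crack them both with a single guess."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    The password text itself is never needed from storage, only the digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_user_db(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed stand-in for a service's user table: it holds only
    (salt, digest) per user, never the plaintext password."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def weak_password_audit(
    db: Dict[str, Tuple[bytes, bytes]], guesses: List[str]
) -> Dict[str, str]:
    """Trial-and-error over a short list of common passwords, one user at a
    time. This is what a crook holding a stolen copy of the table can do, and
    also what a defender runs to find which accounts need a reset: records
    whose password is short and common fall, the rest stay opaque."""
    recovered: Dict[str, str] = {}
    for user, (salt, digest) in db.items():
        for guess in guesses:
            if verify_password(guess, salt, digest):
                recovered[user] = guess
                break
    return recovered


if __name__ == "__main__":
    # Constructed sample data: one weak, reused password and one long one.
    table = build_user_db({"alice": "123456", "bob": "orchid-lantern-47-saxophone-quietly"})
    common = ["password", "123456", "qwerty", "letmein"]
    print("stored digest for alice:", table["alice"][1].hex())
    print("accounts with a common password:", weak_password_audit(table, common))
```

Running it prints a 32-byte hex digest that reveals nothing about the password, then reports only alice's account as guessable; bob's record survives the same list because the guess simply is not on it. That is the whole argument for not reusing a password: the one thing that makes a stolen digest valuable is that the same guess unlocks your other accounts too.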
Ironically, for all we know, some of the "look, someone hacked my Netflix account after I started using Houseparty" screenshots on Twitter might themselves be phishing attacks, in which the crooks send you a fake Netflix notification to trick you into revealing your password.

And that's the trouble here, namely that however this Houseparty accusation fiasco started, the insistence that you close your account and delete the app is simply not useful advice on its own, and is likely to leave you with a false sense of security even if you do so.

What to do?

A few calm voices on Twitter are asking the obvious question, which is:

where's the evidence it was from houseparty?

How do you know this has happened because of house party tho?

That's a vital point to consider, and not just because it's the ethically correct thing to do.

After all, if any of this "hacking" behaviour is not down to Houseparty, which is a mainstream app published by a well-known software company in Apple's and Google's official online stores…

…then deleting the app and feeling virtuous about closing your account is not going to help you, because you will still be at risk but will think you aren't.

Our advice is simple:
We'll update this article if we learn any more genuine information – until then, please don't blindly repeat other people's unsubstantiated claims, because you can't make something true simply by saying it over and over again.
The CyberWire Daily Briefing, 3.30.20 - The CyberWire

Posted: 30 Mar 2020 03:05 PM PDT

Notes.

Today's issue includes events affecting Australia, China, India, Iran, Romania, Russia, Saudi Arabia, Syria, United Kingdom, United States

Bring your own context.

How important is unsigned firmware, anyway? Suppose you were able to replace a device's firmware?

"One way to think of it is, if I'm a malicious actor and I can replace the firmware in this device, the simplest case is to emulate the existing device. So, for example, if I'm compromising the firmware in a trackpad, because it's a trackpad, I can easily emulate the behavior of a trackpad. I can essentially have the firmware move the mouse cursor all on its own without your finger actually touching the trackpad. And you might say, well, what good does that do? – you can, you know, move it around to make an annoyance...

"Well, you can also get a little bit more complicated – and by complicated, I mean sophisticated, I guess, in this case, they kind of go hand-in-hand here. But if I can move the mouse cursor around, I can use that same mechanism to interact with the host system, to emulate other aspects of that device. And I can do so in a very rapid fashion. So, I could do things like move the mouse cursor to the bottom left corner of the screen where I know the start button always is. And because I know where that is, now I can, you know, click and work through the start menu in a very fast fashion.

"I can also look at how the device is connected to the host system. In the case of a lot of trackpads or mice or other pointing or human interface-type devices, they use what's called a "HID" interface, or a human interface device. And that is used for both keyboard and mice. Well, if the trackpad already acts as a HID device, I can perhaps emulate not only a mouse or trackpad, but also emulate a keyboard at the same time.
So now I have the capability of moving the mouse pointer and typing, which then opens the case of, well, if I could arbitrarily type in things and move the mouse pointer around, then what can I do with that? I can start up and run various commands." —Rick Altherr, principal engineer at Eclypsium, on the CyberWire's Research Saturday, 3.28.20.

Listen to the whole thing for context, especially if you'd like a quick explanation of what firmware actually is.