Google Workspace Design Flaw Allows Unauthorized Access

0
[ad_1]

Researchers publicly disclosed a design flaw affecting Google Workspace that allows unauthorized access. While they responsibly disclosed the vulnerability to Google, the bug remained unpatched until public disclosure. The researchers urge the users to implement safety best practices when using Google Workspace’s Domain-Wide delegation feature.

DeleFriend Design Flaw Riddles Google Workspace Cloud

In a recent post, the cybersecurity firm Hunters elaborated on a severe design flaw affecting the security of Google Workspace users. Exploiting the flaw lets an adversary to gain unauthorized access to Workspace APIs.

Identified as “DeleFriend,” the vulnerability affects the Domain-Wide Delegation (DWD) feature in Google Workspace. This feature allows a delegation between Google Workspace and apps and Google Cloud Platform identity objects, facilitating GCP identities to execute tasks on apps like Google Calendar, Drive, and more, with elevated privileges. That’s where the vulnerability exists.

Briefly, the researchers observed that potential adversaries could exploit the existing delegation between the Google Workspace and Google Cloud Platform even without the mandatory Super Admin Workspace role. Stating how an attacker may execute the attack, the researchers explained in a press release,

With less privileged access to a target GCP project, they can create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.

Specifically, the vulnerability exists because instead of private keys for a service account identity object, the OAuth ID determines the domain delegation configuration. Moreover, the lack of JWT combinations fuzzing at the API level also doesn’t restrict delegation takeover attempts.

The researchers have explained the vulnerability in detail in their post.

Patch Still Awaited

The researchers confirm disclosing the vulnerability to Google in August 2023. However, until their public disclosure, the vulnerability remained unpatched. Hunters acknowledge that addressing a design flaw is tedious. Therefore, until a fix arrives, the researchers advise users to practice caution with the Domain-Wide delegation feature.

Besides, they have also released a DeleFriend PoC tool for organizations to understand the flaw better with clear demonstrations.

Let us know your thoughts in the comments.


[ad_2]
Source link

Huawei P70 series to include new SoC & revamped camera setup

0
[ad_1]

The Huawei P70 series is expected to arrive in Q1 next year, likely towards the end of that window. A new report surfaced, claiming that the Huawei P70 series will not only include a new SoC, but a revamped camera setup too.

The Huawei P70 series is expected to sell a lot better than the Huawei P60 series

This info actually comes from Ming-Chi Kuo, a well-known analyst from TF International Securities. He was a bit more broad in terms of the launch window, as he said that the phones will launch in H1 next year. He’s not sure we’ll get them in Q1 2024.

The analyst actually released a rather lengthy report, talking about various things. Let’s kick things off with sales, though. Recently, he claimed that the Huawei P70 series is expected to sell 100% better than the Huawei P60 series.

Now he went a step further, claiming that Huawei will see a yearly growth of around 230% in terms of smartphone sales. The company is expected to ship up to 15 million units of the Huawei P70 series. In comparison, Huawei only sold 4-5 million of the Huawei P60 devices. So, the sales could be even better than he initially reported.

A revamped camera setup is expected on the Huawei P70 series

Huawei is expected to include an even better camera setup than the Huawei P60 series offered. Those are still some of the best cameras around, by the way. The Huawei P70 is tipped to include a 5P lens and a 1/3.6-inch telephoto sensor. The Huawei P70 Pro phones will have a 6P zoom lens and a 1/2.5-inch sensor behind it.

It’s also worth noting that the ‘Art’ version of the phone is tipped to include a 1G6P lens. That means it will have one glass and six plastic layers, and a 1-inch type sensor for the ultrawide camera is also tipped. That phone is expected to be quite expensive to manufacture.

A new ‘SoC’ is also mentioned. The thing is, it’s not clear whether it’s a new SoC in general, or just new for the Huawei P series. The Kirin 9000s fuels the Huawei Mate 60 phones, and we initially thought that’s the chip Huawei will use. There’s still a chance of that, but it seems like Huawei could have a new processor in mind. We’ll see.


[ad_2]
Source link

Meta knowingly collected data from underage users, complaint says

0
[ad_1]

Meta, the parent company that operates social media platforms Facebook and Instagram, is currently facing a lawsuit from 33 U.S. states regarding its treatment of young users. Now, a new unsealed legal complaint viewed by the New York Times sheds light on Meta’s knowledge of the underage users on its platforms.

Meta “routinely continued to collect” data from underage users, complaint says

By rule, Meta requires users of its social media platforms to be 13 years of age or older. But users younger than that are on sites like Instagram, and the latest complaint says Meta “routinely continued to collect” data from underage users. The attorneys general of 33 states have brought the legal challenges to Meta, which could be substantially fined if the states’ allegations are proven.

“Within the company, Meta’s actual knowledge that millions of Instagram users are under the age of 13 is an open secret that is routinely documented, rigorously analyzed and confirmed,” the complaint said, according to the New York Times. “And zealously protected from disclosure to the public.” Aside from Meta’s alleged knowledge of these underage users, the complaint says it collected data from them too. This data included location information and email addresses, per the complaint. It also notes that Meta was aware of these users, as shown by internal communications and graphs.

The newly-unsealed complaint is within the overarching federal lawsuit against Meta. The lawsuit argues that Meta supported obsessive usage of social media platforms, specifically targeting younger users. However, this particular complaint has a more narrow scope. It hinges on the Children’s Online Privacy Protection Act, which is a 1998 federal law that dictates how companies can collect data from underage users. The statute stipulates that platforms get permission from a parent before collecting certain types of data. This applies to users under 13 years-old. So, if Meta knowingly collected data from underage users, it would be violating the law.

Is there precedent for this type of legal claim?

Since the development of compulsive social media use — like the endless-scroll format — is new, there isn’t precedent for the lawsuit against Meta. However, the federal government has been successful in Children’s Online Privacy Protection Act complaints in the past.

Meta responded to the complaint in a statement, saying the filing “mischaracterizes our work using selective quotes and cherry-picked documents.” Additionally, the company pointed out the issues that come with successful age verification. Meta has been clear that its official position is that underage users are not allowed on its platforms. The question is whether it had a different position behind the scenes. At its core, the states’ complaint argues that Meta could have taken action against underage users. Instead of making those moves, the complaint proposes that Meta knew how important those users were to its platforms. As such, the states allege Meta simply chose not to remove underage users from its sites.


[ad_2]
Source link

A Severe Design Flaw in Google Workspace

0
[ad_1]

Recent years saw a surge in cloud tech adoption, highlighting the efficiency through tools like Google’s Domain-Wide Delegation. 

It enables GCP (Google Cloud Platform) identities to perform tasks in GWS (Google Workspace) apps on behalf of Workspace users, streamlining work processes.

Cybersecurity researchers at Hunters’ Team Axon recently found a design flaw in Google Workspace’s Domain-Wide Delegation, which is dubbed as “DeleFriend.”

This flaw allows:-

  • Misuse
  • Privilege escalation
  • Unauthorized API access without Super Admin rights
Document
Protect Your Storage With SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

DeleFriend Severe Design Flaw

Google Cloud and Workspace share a vital connection through Domain-Wide Delegation. While Google Cloud IAM handles internal resource control, Workspace is the central ‘hub’ for user management. 

The integrated identity concept is key, whether through Workspace or Cloud Identity, even for organizations using third-party IdP like Okta or Azure AD for GCP services.

Google's IDaaS concept (Source - Hunters)
Google’s IDaaS concept (Source – Hunters)

Google Workspace’s Domain-Wide Delegation streamlines app access to Workspace data and helps boost efficiency. 

With OAuth 2.0, developers grant service accounts user data access without individual consent, which:-

  • Reduces the errors
  • Automates the tasks

Here below, we have mentioned the types of main global delegated object identities that Google Workspace allows to create:-

  • GWS Applications
  • GCP Service Account

Google adopts OAuth 2.0 RFC 6749 for delegated authorization, mirroring other cloud providers. This allows identities to grant permissions to Workspace REST API apps without exposing credentials.

However, besides this, the researchers demonstrated the flaw with the help of two scenarios, and here below, we have mentioned those scenarios:-

  • Scenario 1 – New delegation with interactive GWS access: In this scenario, the threat actor gains initial IAM access, creates GCP service accounts, earns GWS super admin privilege, and seeks robust persistence and exfiltration options.
  • Scenario 2 – DeleFriend – Compromise existing delegation: In this scenario, in an effort to go from restricted GCP rights to Workspace without requiring Super Admin power, the security researchers investigate the GWS delegation misuse with lesser privileges.

Advantages of this Attack Vector

Here below, we have mentioned all the advantages that this attack vector brings to the threat actors:-

  • Powerful impact
  • Long life
  • Easy to hide
  • Awareness
  • Hard to detect

Mitigation Recommendations

Here below we have mentioned all the mitigation recommendations that the cybersecurity researchers recommend:-

  • Configuration is based on the entire Service Account instead of a private key.
  • Block JWT enumeration on API level.
  • Over-permissive permission to the Editor role.
  • Identify Delegated OAuth Requests to Google APIs.
  • Make sure to review all the query results.
  • All the inactive delegations that are outlined in the query results must be evaluated.
  • The private keys of the found GCP service accounts must be examined properly.
  • Check OAuth scopes if delegation is as expected but unused.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.


[ad_2]
Source link

OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data

0
[ad_1]

OwnCloud has fixed the issue in version 10.9.01 but urges customers to change their OwnCloud admin password, database and mail server credentials.

A critical vulnerability has been identified in the OwnCloud “graphapi” app, enabling threat actors to gain access to sensitive information in containerized deployments. This includes admin passwords, mail server credentials, and license keys.

According to a security advisory released by OwnCloud, the vulnerability affects versions 0.2.0 to 0.3.0. The company publicly disclosed this issue on 21 November 2023.

For your information, OwnCloud is a file server/collaboration platform offering safe storage, sharing, and synchronization of sensitive files.

The vulnerability is tracked as CVE-2023-49103 and declared critical with a CVSS v3 Base Score 10. It was assigned the identifier oC-SA-2023-0011. 

On the other hand, data security firm GreyNoise has observed mass exploitation of this flaw in the wild starting from 25 November, raising serious concerns within the cybersecurity community.

What happens is that attackers can exploit this vulnerability to access a URL that can reveal the configuration details of the PHP environment (phpinfo). 

It is worth noting that the vulnerability was detected in the OwnCloud server and caused by a third-party library, which provides the URL, that reveals the configuration details, including all the environment variables like mail server credentials or admin passwords of the webserver. 

OwnCloud has fixed the issue in version 10.9.01. The company noted that Docker-Containers from before February 2023 aren’t vulnerable to credential exposure.

Nevertheless, the company suggests users must act promptly to mitigate the threat. This involves deleting the file OwnCloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disabling the phpinfo function in Docker containers

The advisory explained that simply disabling the graphapi app cannot eliminate the issue because phpinfo can expose sensitive configuration data that attackers can exploit to collect system-related information. This means even if OwnCloud isn’t running in a containerized environment, the threat will persist.

Therefore, users should change their OwnCloud admin password, mail server credentials, database credentials, and Object-Store/S3 access key. These steps will help mitigate the risk of attackers exploiting the vulnerability to access sensitive information.

Casey Ellis, Founder and Chief Strategy Officer at San Francisco, Calif.-based crowdsourced cybersecurity firm Bugcrowd shared a comment with Hackread on the disclosure, calling it “concerning.” 

“This one is concerning because OwnCloud is the type of software that home users and small businesses tend to set up and then forget,” explained Ellis. “The combination of the impact of this vulnerability and the type of personal/valuable data stored in ownCloud instances provides a wide variety of options for attackers looking to exploit it – I’d be very surprised if we don’t start hearing about ransomed ownCloud instances in the coming days.”

  1. Google Workspace Vulnerable to Takeover
  2. Outdated Wallets Threatening Billions in Crypto Assets
  3. OracleIV DDoS Botnet Malware Targets Docker Engine API Instances
  4. Domain Squatting, Brand Hijacking: A Silent Threat to Digital Enterprises
  5. Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw

[ad_2]
Source link

OnePlus 12 hands-on images appear; display specs reavealed

0
[ad_1]

The OnePlus 12 will launch on December 5, and as we wait for that day, hands-on images just surfaced. That’s not all, though, the phone’s display specifications have been kind of revealed too.

All of this information comes from Digital Chat Station, one of the most prominent tipsters from China. He shared the info via Weibo. Let’s talk about the phone’s real-life images first, shall we.

The OnePlus 12 has appeared in hands-on images ahead of launch

The tipster shared several real-life images, though sadly only the front side of the device is shown. You can clearly see that a curved display will be used, and that the display camera hole will be centered this time around.

On top of that, the bezels around the display are very thin, though the bottom one still seems to be a bit thicker than the rest. All the physical buttons are placed on the right-hand side, while the alert slider now sits on the left.

The phone’s display specs have been revealed

The tipster has also confirmed that the phone will feature a 6.82-inch 8T LTPO OLED display with a resolution of 3168 x 1440. It will enable a refresh rate between 1-120Hz. This is a BOE X1 panel, as already confirmed, and it can heat a peak brightness of 4,500 nits. Brightness via the manual slider will be limited to 1,722 nits.

This display will have an A+ certification from DisplayMate, for both color and accuracy. The OnePlus 12 display will also feature an average Just Noticeable Color Difference (JNCD) value of 0.35.

OnePlus will also use the OPPO P1 display chip here. This panel will also offer 2,160Hz PWM dimming for eye protection. That’s pretty much it as far as the display is concerned.

OnePlus’ new flagship will likely launch globally on January 23, 2024

The OnePlus 12 will launch globally on January 23, almost certainly. It is coming in January for sure, that much has been confirmed. OnePlus also released a number of images of the OnePlus 12 thus far.


[ad_2]
Source link

Google reveals reason behind missing Google Drive files

0
[ad_1]

Some Google Drive users started filing complaints to Google recently, regarding missing Google Drive files. Quite a few reports were filed, and the company started investigating. Google now revealed the reason behind missing Google Drive files.

Google has revealed the reason behind missing Google Drive files

It turns out that the culprit is the Google Drive for Desktop app. The issue affected a limited number of users, not everyone who uses the app, though. Google promised to provide more information in the near future.

Until that happens, however, the company decided to share some suggestions with users, to help them prevent losing files. You should not click the ‘Disconnect account’ option within Drive for desktop.

Also, do not delete or move the app data folder. On Windows, it’s the ‘%USERPROFILE%\AppData\Local\Google\DriveFS’ folder, while on macOS, it’s the ‘/Library/Application Support/Google/DriveFS’ folder.

As an optional step, Google also said that it would be a good idea to make a copy of the app data folder, if you have some free space on your hard drive.

Users started complaining about this problem rather recently

To give you a bit more of a backstory here. It all started when a user complained that he lost 6 months’ worth of Google Drive files. That complaint was issued about a week ago. He said that the last available files were from May, for whatever reason.

A number of other Google Drive users followed, saying that they have the same problem, pretty much. It didn’t take long for Google to respond, and start investigating. It’s good news that the company pinpointed the culprit.

Let’s hope Google will fix the problem soon, and hopefully return missing files to their owners as well. If those files are gone for good, that could make this an even bigger problem than it already is and really reflect poorly on the company.


[ad_2]
Source link

MediaTek rebuts Dimensity 9300 throttling claims, calls test ‘flawed’

0
[ad_1]

MediaTek has responded to the speculations that the Dimensity 9300 may be resorting to extensive performance throttling to manage temperatures. The concerns surfaced after a recent CPU Throttling Test where the chip throttled down to just 46 percent of its maximum performance within a few minutes to avoid overheating. The company has called the test “flawed,” adding that it doesn’t accurately represent real-world usage scenarios.

MediaTek says Dimensity 9300’s CPU throttling is normal

The Dimensity 9300 has an unusual CPU configuration. MediaTek has equipped the octa-core chip with four Cortex-X4 prime cores and four Cortex-A720 mid cores. There aren’t any power-efficient CPU cores here, which makes cooling the chipset a tough task when all the cores are running at full blast. YouTuber @KaroulSahil decided to put the new MediaTek processor through a stress test to check how it handles thermals.

The YouTuber ran the CPU Throttling Test on the Vivo X100 Pro, which is one of the first phones to feature the Dimensity 9300. The chip started throttling after just two minutes and lost more than half of its performance a few minutes later. One CPU core dropped to a frequency of just 0.60GHz, four to 1.20GHz, and the remaining three to 1.50GHz (the peak speed is 3.25GHz).

Since the CPU Throttling Test pushes chips to their limits, the Dimensity 9300 resorted to extreme throttling to keep the temperature in check. However, MediaTek says this is normal. “It is well known that all modern smartphones include thermal throttling to ensure the device temperature stays in an acceptable/safe range,” the company said in an emailed statement to Android Headlines.

It contends that the test was flawed. “A better way to use the CPU Throttle Test as a way to compare devices side by side would be to run the test with the same device case temperature,” the firm added. “With MediaTek’s big core CPU architecture, the Dimensity 9300 will achieve a much higher max & average score than the competitors if the testing is done correctly. In summary, the Dimensity 9300 will be able to deliver more computing performance across the span of the test.”

MediaTek is questioning the test conditions

MediaTek is correct when it says that all modern smartphones throttle performance to avoid overheating. However, a drop to just 46 percent of the maximum performance within just a few minutes is too much. For example, GSMArena found that the Snapdragon 8 Gen 2-powered Galaxy S23 Ultra ran at around 80 percent of its performance after more than 10 minutes of the same test.

That said, several other factors affect these tests. If the surrounding is hot and humid, the ambient temperature is higher and may result in quicker and more aggressive thermal throttling. The body or case temperature of the device before running the test is also a key metric to look into. The cooling system of the device is essential too. Devices with active cooling, like a fan, handle thermals better than passive cooling.

The Vivo X100 Pro has a vapor chamber, which is a passive cooling solution. All of this may have affected the performance of the Dimensity 9300 in this CPU Throttling Test. Unsurprisingly, MediaTek is questioning the test conditions. It says the chip is capable of delivering better results than what we saw here. A side-by-side comparison of the Dimensity 9300 and Snapdragon 8 Gen 3 would give us a clearer picture. We are obtaining review devices for our own testing, so stay tuned.

Dimesity 9300 CPU performance throttling test


[ad_2]
Source link

Apple Music Replay 2023: Your year in music is here

0
[ad_1]

Curious about your impact on making Morgan Wallen’s “Last Night” the most-listened song on Apple Music in 2023? Well, now you can find out!

Back in 2019, Apple Music introduced Replay, a feature that compiles your top-played songs throughout the year. Think of it as Apple’s response to Spotify Wrapped, offering mainly a web-based experience while still allowing you to access your Replay playlist in the Apple Music app.

The Replay for 2023 has just been unveiled, giving Apple Music users the chance to explore their musical journey over the past year. Apple’s user-friendly interface presents a straightforward list of your top picks and a “Highlighted Reel” that shows your most-played songs, artists, and playlists of 2023.

Aside from your favorites, you’ll also get insightful statistics, including the total minutes spent enjoying music on Apple Music, the variety of artists you’ve tuned into, and the number of songs played throughout the year. Apple Music users can even discover if they rank among the top 100 listeners of their favorite artists.

Adding to the experience, Apple Music Replay introduces a milestone tracker, letting you know if you’ve hit specific targets, like listening to 1,000 songs.

To check out your Replay for this year, simply visit replay.music.apple.com and log in with your Apple ID. There, you’ll uncover all your listening stats for the year. With Spotify Wrapped anticipated to launch in the next few days, Apple has given Replay a head start to ensure it gets the attention it deserves before being overshadowed by the Wrapped stats flooding social networks.

Ever since its debut, Spotify Wrapped has been a hit. In a single year, there were nearly 60 million shares of Wrapped stories and cards on social platforms. The secret sauce to its enduring success lies in its approach—it’s not just about summarizing top songs or artists. Spotify Wrapped also offers engaging and shareable elements that music and audio fans can explore, share on social media, and compare with their friends.


[ad_2]
Source link

Google Slides update adds recording feature

0
[ad_1]

If you’re using Google Slides to make presentations, you’ll be happy to know that the app has just been updated with the ability to record yourself presenting. The new feature comes along with the option to share the video recording with others to view when it works for them.

More importantly, the video recording feature has been added directly in the app, so you won’t have to leave Google Slides to record yourself. With slides recordings now available, users won’t have to use a separate video recording tool.

According to Google, Slides users taking advantage of the new feature can also use their computer’s built-in or external camera and microphone hardware to add their voice and webcam feed to their recordings.

The rollout of the new feature will happen in two phases. The first one started on November 28, 2023, and will take up to 15 days for the feature to be visible to those enrolled in the Rapid Release domains.

The second phase will start on January 2, 2024, and will take up to 15 days for the feature to appear for those enrolled in the Scheduled Release domains.

As far as availability goes, Google has already confirmed that the feature will show up for Google Workspace Business Standard, Business Plus, Enterprise Starter, Enterprise Essentials, Enterprise Essentials Plus, Enterprise Standard, Enterprise Plus, and Education Plus customers.


[ad_2]
Source link