New: Citizen Lab has discovered a new NSO "zero-click" attack that circumvents Apple’s 'BlastDoor' security defenses in iOS 14. At least one activist's iPhone was hacked with Pegasus spyware. Apple said it's aware, but no word yet on a security fix.

techcrunch.com/2021/08/24/nso…
The new exploit, called ForcedEntry, targeted a Bahraini human rights activist living in Bahrain, who was likely hacked by the Bahraini government using an iOS 14 exploit to deploy Pegasus, said Citizen Lab. Eight other Bahrainis were also targeted, including @moosaakrawi in London.
The eight other Bahrainis were targeted with a different, older kind of NSO zero-click that predates ForcedEntry, called Kismet, which doesn't work on iOS 14 (because of BlastDoor). Five of the activists were on the #PegasusProject list of phone numbers.
tcrn.ch/2Winnfc
Apple said BlastDoor was "not the end of its efforts to secure iMessage" and pointed to iOS 15, which is slated for release in the next month or so. But Apple wouldn't say if it had fixed the flaw in current versions of iOS 14, or say when — if at all.

techcrunch.com/2021/08/24/nso…


More from @zackwhittaker

19 Jul
NSO issued a statement today, saying two things: 1) Pegasus wasn't involved in Jamal Khashoggi's murder, and 2) it doesn't have visibility into what customers do or who they target with Pegasus.

These two statements seem to be in conflict. Statement here: nsogroup.com/Newses/followi…
I asked NSO for clarification (via Mercury, its London-based crisis communications PR firm). Note the key line here: "If we determine misuse." I asked how it determines that without visibility into its customers' data. NSO basically said, "go read our transparency report."
Questions remain: I asked & was referred to the report:

• How would NSO "determine misuse" exactly?
• What evidence does NSO have that its technology was not used to target Khashoggi?
• Does NSO accept it may not have all the evidence to make a conclusive assessment?
1 Jul
Given how much data Gettr's API spits out, I can't say I would give it long before the entire site is scraped.
For example, here's @alexstamos' post that he published earlier — gettr.com/post/peo9 — and what the API spits back.
Not the point, but I don't feel particularly solid about the security of a site with no discernible password policy or options for two-factor authentication. I just created a Gettr account with the password "password".
5 May
New: Peloton's leaky API let anyone pull members' private user account data, even with their profiles set to private. Worse, when the bug was privately reported earlier this year, Peloton ignored researchers past their 90-day deadline.

techcrunch.com/2021/05/05/pel…
Great work by @FlyingPhishy who discovered the leaky API, who put up a blog post explaining the issues (now fixed) in more detail: pentestpartners.com/security-blog/…
Leaky APIs have been the source of recent scraping attacks on Facebook, LinkedIn, and Clubhouse. But Peloton declined to say if it had logs to confirm or rule out any malicious exploitation. That's a question regulators will want to ask though.

techcrunch.com/2021/05/05/pel…
21 Feb
New: In the latest #JamCOVID development, the Amber Group broke its silence to say absolutely nothing of value, and the Jamaican government continues to point fingers at everyone other than itself.

A thread. (1/)
A quick refresher: Amber Group runs Jamaica's JamCOVID website and app, but it left thousands of travelers' private data on an unprotected and exposed cloud server. Then the government lied about when it first knew about the security lapse. (2/)

Amber Group's @dushyant108 (whose tweets are now protected — unlike the cloud server, which wasn't) said:

"We are working together with the Government of Jamaica and independent entities to investigate the cause of this occurrence." (3/)
18 Feb
Some background on our story yesterday. TechCrunch discovered the exposed data as part of an investigation into COVID-19 apps, and worked to identify the source and notify them of the breach — as we've done before when we've found security issues. (1/)

techcrunch.com/2021/02/17/jam…
We reached out to Jamaica's Ministry of Health on Saturday (Feb 13) to make contact. We got a response on Sunday from spokesperson Stephen Davidson asking for more information. We sent details of the exposed server that evening. Davidson did not respond. Server remained open. (2/)
During this time we continued to investigate the breach, and on Tuesday (Feb 16) spoke to two Americans whose data was exposed on the server. They helped to narrow down the source of the breach and the owner of the server — a Jamaican government contractor, Amber Group. (3/)
30 Dec 20
New: Spyware maker NSO Group used real phone location data on thousands of unsuspecting people when it demoed its new COVID-19 contact-tracing system, dubbed Fleming, to governments and journalists, researchers say. That data was exposed earlier this year. techcrunch.com/2020/12/30/nso…
The Fleming demo had an unprotected back-end database, exposing the location data. Researchers at @ForensicArchi examined that data and concluded that it was not dummy data as NSO claimed, "but rather reflects the movement of actual individuals."

From May: techcrunch.com/2020/05/07/nso…
You can read (and watch) @ForensicArchi's full technical report here, including the maps, graphs, and visualizations which explain their findings (while preserving the anonymity of the individuals whose location data was fed into NSO's Fleming demo).

forensic-architecture.org/investigation/…