This time it's a warning from the Australian Securities & Investment Commission (ASIC) and exposure of a weakness in the Grindr and Blendr social network services, with claims in the SMH that -
A popular "meat-market" smartphone app that spawned a sexual revolution in Australia's gay community has been compromised by a Sydney hacker, potentially exposing intimate personal chats, explicit photos and private information of users.Grindr, with a reported 100,000 Australian users in mid 2011, and the straight Blendr, combine geospatial awareness with personal profiles. In essence participants can use a mobile phone or other wireless device to view the profiles of other participants within a particular proximity and exchange information.
It's discussed in studies such as 'There’s an App for that: The Uses and Gratifications of Online Social Networks for Gay Men' by David Gudelunas in 16 Sexuality & Culture (2012), Gaydar culture: gay men, technology and embodiment in the digital age (Ashgate 2010) by Sharif Mowlabocus and 'Queer theory, cyber-ethnographies and researching online sex environments' by Chris Ashford in 18(3) Information & Communications Technology Law (2009).
The SMH reports that -
The hacker discovered a way to log in as another user, impersonate that user, chat and send photos on their behalf.What are consumer expectations about privacy and data protection in such services? What are service operator responsibilities? I'm reminded of the iBill data breach several years ago.
The vulnerabilities are also present in Blendr, the straight version of the app, according to a security expert who said both apps had "no real security" and were "poorly designed". Fairfax Media is not aware that Blendr has been hacked but the potential was there, according to the security expert.
The founder of the apps, Joel Simkhai, conceded both were vulnerable and he was rushing to release a patch to address the issues. He said he had originally been waiting until new architecture was built "within weeks" but was now releasing an update to both apps "over the next few days".
In a telephone interview about the vulnerabilities last Friday he said it was news to him about the potential for text chats to be monitored and claimed the company had never experienced a "major breach" in which a large portion of users were affected.
"We [do] get people trying to hack into our servers," he said. "That's something that I am aware of and we certainly have a team in place that are working to prevent that."
But by Tuesday Mr Simkhai admitted that he was "aware of some vulnerabilities" but he would not talk about them in detail to avoid a hacker exploiting them.
"We are certainly aware of a lot of these vulnerabilities and ... they will be fixed as fast as humanly possible," he said.
He could not say how many people had attempted to take advantage of the vulnerabilities but said a website created by the hacker had exploited some of the flaws in Grindr. That website was shut down after Friday's interview with Fairfax Media after he sought legal action.
The website, registered on July 14 last year, allowed the hacker to search for any Grindr user regardless of their location, and capitalised on the vulnerabilities to offer other services not designed by the apps. ...
At one point, according to sources who saw the website before it was taken down, it listed users' Grindr pseudonyms, passwords, their personal favourites (bookmarked friends) and allowed them to be impersonated, and thus have messages sent and received without their knowledge. At one point, the website also allowed users' profile pictures to be replaced.
It is understood the hacker changed the profile picture of numerous Sydney Grindr users to explicit images. One user who was targeted confirmed they had been banned due to a perceived terms of service violation.
It is understood the hacker took advantage of the fact the apps used a personalised string of numbers known as a hash, instead of a user name and password, to log in. The hash is exchanged between users' smartphones so they can communicate with each other but the hacker discovered it could be replaced with another users' hash to enable the hacker to:
• Log in as any userA security expert - who did not wish to be named because he didn't have Mr Simkhai's permission to analyse his systems - said that the Grindr and Blendr apps "had no real security".
• See the user's favourites
• Change their profile information and profile picture
• Talk to others as the user
• Access pictures sent to the user
• Impersonate a user's "favourite" and talk to them as a friend
They are "very poorly designed ... [with] poor session security and authentication", the expert said. "It wouldn't be too hard to secure this."
The security expert demonstrated with permission of a user how he could log in as them and take over the app.
In a statement Mr Simkhai said keeping his platform secure from hackers was a "number one priority".
In 2006 it was revealed that personal information for over 17 million customers of the online payment service iBill (the dominant payment intermediary in the online adult content industry) was available on the net, being used by spammers and identity theft criminals. The data included consumer names, phone numbers, addresses, email addresses, IP addresses, credit-card types and purchase amounts. It appears to have been taken by an iBill employee. I've noted elsewhere that the iBill data breach was not disclosed by the company. Given that the data did not include Social Security, credit-card or driver's-license numbers, no US laws required iBill (or the adult content companies for which they provided payment services) to warn people. A year after the FBI first learned of the loss they had also failed to issue any public warnings.
ASIC has meanwhile "advised clients of online stockbroking firms to urgently review their account security". Its media release states that -
During regular surveillance of the Australian financial markets, ASIC has become aware of several stockbroking account intrusions involving unauthorised access and trading.
ASIC recommends that as soon as possible users of online stockbroking accounts:
• ensure their computer virus software is up-to-date;ASIC also recommends users do this regularly, as with bank accounts.
• change their passwords; and
• check their transaction history.
If you become aware of any unauthorised trading on your account, you should contact your stockbroker immediately. This will help to ensure that any further unauthorised activity can be prevented.
ASIC is working with online stockbroking firms to help those clients who have been impacted.
ASIC is also working with other authorities to identify the source of the intrusions and pursuing a line of enquiry consistent with similar incidents in overseas markets.