Categories
News

Android Lock exploit allows devices to be unlocked with a long string of characters

Android Lock exploit is a real thing and everyone knows about it. This discovery was made by the University of Austin, Texas, where a new report revealed an exploit that hackers can use a very large code to easily bypass the lock screen of Android devices. This works with devices running on Android 5.0 to Android 5.1.1 with a password-based lock, and it does not matter if you have enabled encryption on the device. Recent Google numbers put Android Lollipop versions running on 21% of all Android devices, which means they all could be easily hacked.

 

18ix8qpfr3iq6jpg

 

 

Hacking your Android Lollipop device could be as easy as inserting a very very long password via this Android Lock exploit. Hackers could infect a phone by simply swiping left from the lock screen in order to open the camera app and then they can access the “Settings” menu from the notifications panel. When they tap the Settings menu they would be prompted to enter a password. After introducing a long string of characters, hackers can crash the device to the home screen. There they can access different apps or take information and expose data.

 

There’s more than one way to go about this Android Lock exploit. Hackers can copy a large string of characters into the Android clipboard and they can paste into the password prompt. They can also use the emergency dialing field to type long lists of codes that can be used on the password prompt as well.

 

As luck would have it, Google took action and managed to fix the problem via a security update that began to roll-out to devices last week. You will find it in the Android build LMY48M. The fix for this Android lock exploit could take months to reach all affected devices though, as we all know carrier-locked devices take more time to update than others. Nexus devices already got this fix.

 

Categories
Updates/Software

Heartbleed strikes again! new vulnerabilities patched by the Open SSL team

Heartbleed keeps giving head-aches to devs and programmers ever since it appeared this spring. The bug doesn’t let Open SSL catch a break and it keeps opening vulnerabilities to all versions (0.9.8, 1.0.0, 1.0.1 and 1.0.2).

CCS Injection is one of the worst in the Heartbleed suite of bugs, and it is considered extremely serious by the OpenSSL team. The updated versions of OpenSSL were published today and some vulnerabilities were patched. The first three versions were patched and 1.0.2 beta release is currently still vulnerable and did not receive an update.

Any user who has this Heartbleed bug is advised to upgrade his device as soon as possible to avoid further annoyance.

CCS Injection is a serious bug that affects Open SSL’s Change CipherSpec processing by intercepting encrypted data and decrypting them via malicious intermediate nodes. It forces SSL clients to use weaker keys which then are exposed to malicious tools and nodes. It can exploit and tamper with contents and authentication information over encrypted communication via web browsing, VPN or E-mail. Attackers can use vulnerable clients and servers when users communicate with them and they can falsify on these communications. Attackers can hijack an authenticated session, although they cannot steal private keys, unless the users transferred his private keys via protected paths by SSL or TLS.

Source: CloudFare