With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm that says the bug is now fixed.
Researchers at Check Point say the three vulnerabilities chained together could have affected any of its 200 million players. The flaws, if exploited, would have stolen the account access token set on the gamer’s device once they’ve entered their password.
Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.
The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.
Check Point’s Oded Vanunu explains how the bug works. (Image: supplied)
“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.
Here’s how it works: the user clicks on a link that points to an epicgames.com subdomain. By exploiting a cross-site scripting weakness in that subdomain, the hacker has embedded in the page a reference to malicious code hosted on their own server. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker.
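The point Vanunu makes above, that a link on the first-party domain sails past users and security filters alike, is illustrated by the added example below, which is not code from the article, Check Point or Epic Games. It contrasts a suffix-based "is it on our domain?" check with an exact-origin allowlist for where a login token may be sent; the hostnames are constructed placeholders, and the assumption that a token-issuing flow has a destination URL to validate is mine, not something the article states.

```javascript
// Added example (not from the article or from Epic Games / Check Point):
// why "it comes from our own domain" is not a safe trust boundary.
// A filter that trusts any URL whose host ends in the first-party domain
// waves through a vulnerable subdomain; an exact-origin allowlist does not.
// All hosts below are constructed placeholders, not real Epic Games hosts.

const FIRST_PARTY_DOMAIN = "example-games.test";

// Exact origins (scheme + host) that are allowed to receive a login token.
const TOKEN_ALLOWLIST = new Set([
  "https://accounts.example-games.test",
  "https://www.example-games.test",
]);

// Weak check: "is it on our domain?" matches every subdomain, including
// one that happens to host an injectable page.
function trustedBySuffix(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return u.hostname === FIRST_PARTY_DOMAIN ||
         u.hostname.endsWith("." + FIRST_PARTY_DOMAIN);
}

// Strict check: scheme must be https and the origin must be listed exactly.
function trustedByOrigin(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== "https:") return false;
  return TOKEN_ALLOWLIST.has(u.origin);
}

// Run both policies over a set of URLs and report what each would allow.
function evaluate(urls) {
  return urls.map((url) => ({
    url,
    suffix: trustedBySuffix(url),
    origin: trustedByOrigin(url),
  }));
}

// Constructed sample URLs. The second stands in for an unrelated subdomain
// with a script-injectable page (the "cross-site weakness" in the article);
// the third is a lookalike host; the fourth downgrades to plain http.
const SAMPLE_URLS = [
  "https://accounts.example-games.test/login",
  "https://legacy.example-games.test/page?q=<script>",
  "https://example-games.test.attacker.test/login",
  "http://www.example-games.test/login",
];

if (typeof require !== "undefined" && require.main === module) {
  // Prints one row per URL: suffix check vs. exact-origin check.
  console.table(evaluate(SAMPLE_URLS));
}
```

Only the first URL passes the strict check; the suffix check also accepts the vulnerable subdomain and the http downgrade, which is exactly the gap a subdomain XSS exploits.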
“If the victim user is not logged into the game, he or she would have to login first,” said Vanunu. “Once that person is logged in, the account can be stolen.”
Epic Games has since fixed the vulnerability.
“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”
“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.
When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.
What do you get when you put one Internet-connected device on top of another? A little more control than you otherwise would, in the case of Alias, the “teachable ‘parasite’” — an IoT project smart speaker topper made by two designers, Bjørn Karmann and Tore Knudsen.
The Raspberry Pi-powered, fungus-inspired blob’s mission is to whisper sweet nonsense into Amazon Alexa’s (or Google Home’s) always-on ear so it can’t accidentally snoop on your home.
Project Alias from Bjørn Karmann on Vimeo.
Alias will only stop feeding noise into its host’s speakers when it hears its own wake command — which can be whatever you like.
The middleman IoT device has its own local neural network, allowing its owner to christen it with a name (or sound) of their choosing via a training interface in a companion app.
The open source TensorFlow library was used for building the name training component.
So instead of having to say “Alexa” or “Ok Google” to talk to a commercial smart speaker — and thus being stuck parroting a big tech brand name in your own home, not to mention being saddled with a device that’s always vulnerable to vocal pranks (and worse: accidental wiretapping) — you get to control what the wake word is, thereby taking back a modicum of control over a natively privacy-hostile technology.
This means you could rename Alexa “Bezosallseeingeye”, or refer to your Google Home as “Carelesswhispers”. Whatever floats your boat.
Once Alias hears its custom wake command it will stop feeding noise into the host speaker — enabling the underlying smart assistant to hear and respond to commands as normal.
“We looked at how cordyceps fungus and viruses can appropriate and control insects to fulfill their own agendas and were inspired to create our own parasite for smart home systems,” explain Karmann and Knudsen in a write-up of the project here. “Therefore we started Project Alias to demonstrate how maker-culture can be used to redefine our relationship with smart home technologies, by delegating more power from the designers to the end users of the products.”
Alias offers a glimpse of a richly creative custom future for IoT, as the means of producing custom but still powerful connected technology products becomes more affordable and accessible.
And so also perhaps a partial answer to IoT’s privacy problem, for those who don’t want to abstain entirely. (Albeit, on the security front, more custom and controllable IoT does increase the hackable surface area — so that’s another element to bear in mind; more custom controls for greater privacy does not necessarily mesh with robust device security.)
If you’re hankering after your own Alexa disrupting blob-topper, the pair have uploaded a build guide to Instructables and put the source code on GitHub. So fill yer boots.
Project Alias is of course not a solution to the underlying tracking problem of smart assistants — which harvest insights gleaned from voice commands to further flesh out interest profiles of users, including for ad targeting purposes.
That would require either proper privacy regulation or, er, a new kind of software virus that infiltrates the host system and prevents it from accessing user data. And — unlike this creative physical IoT add-on — that kind of tech would not be at all legal.
Why is one of the most popular Android apps running a hidden web server in the background?
ES File Explorer claims it has over 500 million downloads under its belt since 2014, making it one of the most used apps to date. Its simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.
But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.
Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the exposed port last week, and disclosed his findings in several tweets on Wednesday. Prior to tweeting, he showed TechCrunch how the exposed port could be used to silently exfiltrate data from the device.
“All connected devices on the local network can get [data] installed on the device,” he said.
Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos, and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.
He sent over his script for us to test, and we verified his findings using a spare Android phone. Robert said app versions 184.108.40.206.2 and below have the open port.
“It’s clearly not good,” he said.
A script, developed by security researcher , to obtain data on the same network as an Android device running ES File Explorer. (Image: supplied)
We contacted the makers of ES File Explorer but did not hear back prior to publication. If that changes, we’ll update.
The obvious caveat is that the chances of exploitation are slim, given that this isn’t an attack that anyone on the internet can perform. Any would-be attacker has to be on the same network as the victim. Typically that would mean the same Wi-Fi network. But that also means that any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions.
Of the reasonable explanations, some have suggested that it’s used to stream video to other apps using the HTTP protocol. Others who historically found the same exposed port found it alarming. The app even says it allows you to “manage files on your phone from your computer… when this feature is enabled.”
But most probably don’t realize that the open port leaves them exposed from the moment that they open the app.
London-headquartered BeMyEye has made another acquisition, its third in a little over three years. This time the retail execution monitoring service is purchasing Russian crowdsourcing and image recognition provider Streetbee.
The acquisition will see BeMyEye launch “Perfect Shelf,” which will use image recognition technology to lower the cost for consumer goods companies wanting to get “objective and actionable” in-store insights. These will typically include share of shelf and planogram compliance (the specific placement of products on a store shelf).
More broadly, BeMyEye offers a platform to enable companies and brands to crowdsource various in-store data. This can include checking availability (i.e. stock levels) of a particular product, how prominently an item is displayed, or whether or not it is being marketed or sold in the way retailers and staff have been instructed.
Tasks are sent out to paid members of the public via the BeMyEye app, which could include taking a photo and ‘checking in’ using geolocation as proof that it has been carried out, with the results anonymised and passed on to BeMyEye’s clients. One way to think about the proposition is as a much more scalable version of employing ‘secret shoppers’.
Augmenting these human data gatherers with image recognition technology can speed up data processing and, presumably, make a proposition like BeMyEye even more scalable.
Luca Pagano, CEO of BeMyEye, comments: “Field forces should not be burdened with data collection tasks, instead they should be empowered with action orientated in-store insights so they can focus 100 percent on selling and taking remedial action when and where it is needed. Perfect Shelf enables consumer goods companies to adopt a lean go-to-market strategy, progressively eliminating waste and enhancing field performance at a time when they are under huge pressure to find growth and demonstrate a positive ROI on their field force investments”.
The acquisition also extends BeMyEye’s reach to Russia and the CIS countries. With existing coverage in Europe, the combined companies claim an aggregate crowd of more than 1.5 million data gatherers, which will enable consumer goods companies to get a consistent view of in-store performance in 21 countries.
Meanwhile, BeMyEye isn’t disclosing the exact terms of the acquisition, although I understand it is an all-stock deal. The entire Streetbee business is being acquired, including the 50-person team, IP and technology. As part of this, the Streetbee founders will be joining BeMyEye in senior roles: Andrey Elisev is joining as CMO, Kirill Nepomnyashchiy is joining as VP Sales Russia and CIS, and Vladimir Lyzo is joining as Head of Image Recognition Development.
This news comes after BeMyEye’s acquisition of its largest French competitor, LocalEyes, in 2016, and U.K. operator Task360 in 2017.
French startup Doctolib announced back in September that it would open up telemedicine appointments on its platform in 2019. The company is taking advantage of recent legal changes that finally make telemedicine legal in France.
Doctolib is a marketplace matching patients with health practitioners — 70,000 practitioners and 1,400 medical institutions use it in France and Germany. Each health professional pays €109 per month to access the service ($124).
By replacing your calendar with Doctolib, you save a ton of time. You no longer have to pick up the phone constantly and say when you’re available and not available. Everything stays in sync between the public website and your calendar.
And now, all practitioners can go beyond face-to-face appointments. If they start accepting telemedicine appointments, patients will be able to book a remote appointment. The company has been testing the new service with 500 practitioners.
After configuring the service, patients can start a video chat when it’s time to talk with their doctor. Once the call is done, patients pay on Doctolib’s website. They can then access prescriptions in their user accounts.
Doctolib won’t take a cut on each transaction. The startup is selling this service as an add-on instead. Practitioners can choose to pay €79 per month ($90) on top of their standard Doctolib plan to start accepting remote appointments.
This is a great way to boost the company’s bottom line and also a seamless experience for everyone involved. Practitioners can accept video calls from Doctolib’s interface and patients don’t have to use another service.
Those appointments comply with France’s national healthcare system. Patients get reimbursed just like a normal appointment. But there are some legal restrictions.
In particular, you can’t book a remote appointment and get reimbursed if the doctor doesn’t know you already. So Doctolib only lets you book remote appointments with practitioners you’ve physically seen over the last 12 months. But that feature could still be particularly useful to renew your prescription and other minor medical stuff.
Grab is Southeast Asia’s top ride-hailing firm, thanks in no small part to its acquisition of Uber’s local business last year, but the company also houses an ambitious fintech arm, too. That just added another vertical to its business after Grab announced it is teaming up with China’s ZhongAn to introduce insurance.
Grab and ZhongAn International, the international arm of the Chinese insurance giant, said today they will create a joint venture that will provide digital insurance services across Southeast Asia. Grab said the new business will partner with insurance companies to offer the services via its mobile app. Chubb — a company that already works with Grab to offer micro-loans to its drivers — is the first partner to commit; it will offer insurance for Grab drivers starting in Singapore.
ZhongAn is widely-lauded for being China’s first digital-only insurance platform. It’s backed by traditional insurance giant PingAn and Chinese internet giants Tencent and Alibaba.
Grab’s move into digital insurance comes a day after Singapore Life, an online insurer in Singapore, closed the second part of a $33 million funding round aimed at expanding its business in Southeast Asia.
This ZhongAn partnership adds another layer to Grab’s services and fintech business, which already includes payments — both offline and online — and is scheduled to move into cross-border remittance and online healthcare, the latter being a deal with ZhongAn sibling PingAn Good Doctor.
The push is also part of a wider strategy from Grab, which was last valued at over $11 billion and is aiming to turn its app from merely ride-hailing to an everyday needs app, in the style of Chinese ‘super apps’ like Meituan and WeChat.
Indeed, Grab President Ming Ma referenced that very ambition, calling the insurance products “part of our commitment to becoming the leading everyday super app in the region.”
Last summer, Grab opened its platform to third-parties which can lean on its considerable userbase — currently at 130 million downloads — to reach consumers in Southeast Asia, where the fast-growing ‘digital economy’ is tipped to triple to reach $240 billion by 2025. Grab’s platform has welcomed services like e-grocer HappyFresh, deals from travel giant Booking and more.
Grab has also made efforts to develop the local ecosystem with its own accelerator program — called ‘Velocity’ — which, rather than providing equity, helps young companies to leverage its platform. It has also made investments, including a deal with budget hotel brand OYO in India, a fellow SoftBank portfolio company that has designs on expansion in Southeast Asia.
Grab itself operates across eight markets in Southeast Asia, where it claims to have completed more than two billion rides to date. The company is currently raising a massive Series H fund which has already passed $3 billion in capital raised but has a loftier goal of reaching $5 billion, as we reported recently.
Go-Jek, Grab’s chief rival, is expanding its business outside of Indonesia after launching in Vietnam, Thailand and Vietnam. Like Grab, it, too, offers services beyond ride-hailing and the company — which is backed by the likes of Meituan, Google and Tencent — is close to finalizing a new $2 billion funding round for its battle with Grab.
YouTube announced several policy updates today, including more stringent enforcement of its ban on videos of dangerous challenges and pranks.
In a FAQ posted to its support site, YouTube wrote “we’ve updated our external guidelines to make it clear that challenges like the Tide Pod challenge or the Fire challenge, that can cause death and/or have caused death in some instances, have no place on YouTube.” Its policies also extend to pranks “with a perceived danger of serious physical injury,” like home invasion or drive-by shooting pranks.
Reminder 1⃣: Custom thumbnail images must follow our Community Guidelines. A thumbnail that egregiously violates policies (e.g. pornography, graphic violence) will result in thumbnail removal.
In the future, this will also result in a strike.
FAQs → https://t.co/4mClLTfzqN
— Team YouTube (@TeamYouTube) January 15, 2019
Reminder 2⃣: External sites you link to from YouTube must follow our Community Guidelines. Links to sites that egregiously violate policies (eg. malware, spam) will result in link removal.
In the future, this will also result in a strike.
FAQs → https://t.co/itWJSZk82X
— Team YouTube (@TeamYouTube) January 15, 2019
Reminder 3⃣: Our policies prohibit content encouraging violent or dangerous activities that are likely to result in serious harm.
We’ve updated external guidelines to clarify what this means for dangerous challenges and pranks.
FAQs → https://t.co/4LYlC1GqlB
— Team YouTube (@TeamYouTube) January 15, 2019
While YouTube did not mention it, its announcement comes the day after a teenager crashed a car while driving blindfolded for the Bird Box challenge, inspired by the Netflix movie of the same name. The meme, which involves doing different things while blindfolded, became popular enough that Netflix itself issued a warning (“PLEASE DO NOT HURT YOURSELVES WITH THIS BIRD BOX CHALLENGE”) earlier this month.
YouTube also said it bans videos of pranks that can “cause children to experience severe emotional distress, meaning something so bad it could leave the child traumatized for life.” The platform said it worked with child psychologists “to develop guidelines around the types of pranks that cross this line. Examples include, the fake death of a parent or severe abandonment or shaming for mistakes.”
The psychological well-being of children featured in videos gained attention in 2017 when DaddyOFive, a YouTube channel run by Mike and Heather Martin, was taken down after users became concerned about the abusive nature of the pranks played by the Martins on their young children. The Martins ended up losing custody of two of the children, who were returned to their biological mother, and entering an Alford plea to child neglect charges, resulting in five years of supervised probation.
In addition to updating its pranks and challenges policy, YouTube said it will also begin issuing strikes for custom thumbnails that violate policies by showing pornography or graphic violence, as well as external sites linked to YouTube that don’t follow community guidelines.
YouTubers have two months during which videos that violate those guidelines will be removed, but they won’t be issued a strike. After the grace period is up, videos will be removed and their creators may also be issued a strike.
Roku is deleting the Infowars channel from its platform, a couple days after adding it as a supported channel. In a tweet, Roku said after the channel became available, “we heard from concerned parties and have determined that the channel should be removed from our platform. Deletion from the channel store and platform has begun and will be completed shortly.”
After the InfoWars channel became available, we heard from concerned parties and have determined that the channel should be removed from our platform. Deletion from the channel store and platform has begun and will be completed shortly.
— Roku (@Roku) January 16, 2019
Digiday first reported this morning that Roku had added the Infowars live show hosted by Alex Jones to the platform as supported channel, a decision that was immediately met with protests by customers who threatened to switch to Apple TV and other competitors.
Jones is currently the target of a defamation lawsuit filed by family members of Sandy Hook victims, who say they have experienced harassment, including death threats, as a result of conspiracy theories spread by Jones and Infowars that claim the 2012 elementary school shooting was a hoax. The lawsuit has been in the headlines recently after a judge ruled that victims’ families must receive access to internal Infowars documents.
Roku’s decision to support the Infowars channel was also especially egregious because it was purged from multiple social media and app platforms, including Apple, Facebook, Spotify, YouTube, Twitter, Periscope, Stitcher, Pinterest, LinkedIn and YouPorn for violating their content policies or terms of service, about six months ago.
Earlier today, Roku attempted to defend adding Infowars to its platform by releasing a statement that said in part that “while the vast majority of all streaming on our platform is mainstream entertainment, voices on all sides of an issue or cause are free to operate a channel. We do not curate or censor based on viewpoint. We are not promoting or being paid to distribute InfoWars. We do not have a commercial relationship with the InfoWars.”
TechCrunch has emailed Roku for comment.
The Large Hadron Collider has produced a great deal of incredible science, most famously the Higgs Boson — but physicists at CERN, the international organization behind the LHC, are already looking forward to the next model. And the proposed Future Circular Collider, at 100 kilometers or 62 miles around, would be quite an upgrade.
The idea isn’t new; CERN has had people looking into it for years. But the conceptual design report issued today shows that all that consulting hasn’t been idle: there’s a relatively cohesive and practical plan — as practical as a particle collider can be — and a decent case for spending the $21 billion or so that would be needed.
“These kind of largest scale efforts and projects are huge starters for networking, connecting institutes across borders, countries,” CERN’s Michael Benedikt, who led the report, told Nature. “All these things together make up a very good argument for pushing such unique science projects.”
On the other hand, while the LHC has been a great success, it hasn’t exactly given physicists an unambiguous signpost as to what they should pursue next. The lack of new cosmic mysteries — for example, a truly anomalous result or mysterious gap where a particle is expected — has convinced some that they must simply turn up the heat, but others that bigger isn’t necessarily better.
The design document provides several possible colliders, of which the 100-km ring is the largest and would produce the highest-energy collisions. Sure, you could smash protons together at 100,000 gigaelectron-volts rather than 16,000 — but what exactly will that help explain? We have left my areas of expertise, such as they are, well behind at this point so I will not speculate, but the question at least is one being raised by those in the know.
It’s worth noting that Chinese physicists are planning something similar, so there’s the aspect of international competition as well. How should that affect plans? Should we just ask China if we can use theirs? The academic world is much less affected by global strife and politics than, say, the tech world, but it’s still not ideal.
There are plenty of options to consider and time is not of the essence; it would take a decade or more to get even the simplest and cheapest of these proposals up and running.
The federal government produces one hell of a lot of data, but despite desultory lurches toward usability, there’s little guarantee that it’s available in a way that makes it useful to anyone. That may change for the better with the OPEN Government Data Act, which the president signed into law last night.
The act essentially requires federal agencies to default when possible to making data (and metadata) public, to publish that public data in a machine-readable format and catalog it online. It also mandates that chief data officers be appointed at those agencies to handle the process.
This bipartisan piece of legislation flew through the House and Senate mostly uncompromised, though the Treasury was removed from the list of organizations to which it would apply. I’m sure they had their reasons.
It’s a big win for proponents of open government, though considering the towering ineptitude and obsolescence of the federal information technology sector, it’s probably a bit early to celebrate. By necessity many new policies and systems will have to be updated before any agency can reasonably be supposed to comply with the law, and that could take years. However, it certainly seems like a good path for them to be on.
Another part of the law as signed (OPEN was combined with a few others for convenience and horse-trading purposes) is that these agencies are also now officially required to find and present evidence for any new policies or changes. Some agencies, like the FCC, are already required to do this, but others have a more free hand.
It may seem obvious — shouldn’t every policy be justified by evidence? — but this codifies the rules, for instance requiring the agencies to publicly present lists of relevant questions and the means (down to the statistical methods) they are taking to answer them.
If you’re curious about the act itself or its sisters passed simultaneously, there’s a history of the OPEN act here; the full text of the bill is here; the announcement of the signature is here.
CES crowds can be tough — especially toward the end of the week. You’re physically and emotionally drained, and you’re pretty sure you’ve seen everything the consumer electronics world has to offer. And then something comes along to knock your socks off. Square Off was one such product, impressing the crowd at our meetup and walking away the winner of our hardware pitch-off.
The company’s first product looks like your run-of-the-mill wooden chess board. And that’s part of the charm. Turn it on with the single button, and the system goes to work, tapping into chess AI software built by Stockfish and moving opposing pieces accordingly with an electromagnet attached to a robotic arm hidden under the board.
It’s an overused word in this space, but the effect is downright magical. It’s like playing chess against a ghost — and who hasn’t wanted to do that at some point? Players can challenge the board using 20 different difficulty levels or can play against opponents remotely, via chess.com.
Bhavya Gohil, the co-founder and CEO of Square Off creator InfiVention, told TechCrunch that the product started life as a college project aimed at creating a chess board for people with visual impairment. After a trip to Maker Faire Rome, however, its inventors recognized that the product had the potential for broader appeal.
One Kickstarter and another Indiegogo campaign later, the company had raised in excess of $600,000 for the project. After a year learning the manufacturing ropes in China, the company began shipping retail products in March of last year, launching a website the following month. In October, the product landed on Amazon, tripling sales for the holiday. All told, the company has sold 9,000 units — not bad for a chess startup charging $369 a pop. A majority of those (80 percent) have been sold in the U.S., with the remainder being sold in Europe.
In November, the company scored a seed round of $1.1 million. InfiVention is planning version 2.0 for a mid-2020 launch. That one will be more versatile, covering additional classic table-top games like checkers and backgammon. That version will be even more versatile when it’s opened up to table-top game developers looking to build their own titles into the platform via the app.
The director and star of “Lost in Translation” are working together again, with Bill Murray starring alongside Rashida Jones in “On the Rocks,” a new film directed by Sofia Coppola.
The movie will tell the story of a young mother who reconnects with her playboy father in New York City. Production is supposed to begin this spring.
“On the Rocks” is the first film to come out of the partnership between Apple and A24, which will see A24 (the studio behind “Moonlight,” “Lady Bird,” “Hereditary” and other indie hits) producing several titles for Apple. The deal will help Apple’s yet-to-launch streaming service offer high-profile original films alongside shows like its star-studded morning news drama and an adaptation of Isaac Asimov’s “Foundation” novels.
It’s been nearly 16 years since the release of “Lost in Translation,” which was a financial and critical hit — it remains the highest-grossing film of Coppola’s directing career, and it cemented Murray’s shift to more serious roles. It also won Coppola the Academy Award for best screenplay, and it nabbed Murray his only Oscar nomination thus far. (How is that possible??)
Since then, Coppola has only directed Murray once, in the idiosyncratic Netflix special “A Very Murray Christmas.”