Top Stories for the Week of December 14, 2016

  • From Category5 Technology TV S10E13
  • December 14, 2016
The weekly tech news from Category5 TV is provided free of charge. If you enjoy what we do, please consider becoming a Patron so we can continue offering more great content.

Here are the stories we're following for the week of Wednesday, December 14, 2016.


A security researcher got $10,000 for finding a bug in Yahoo! Mail that would let him read any user's mail.

A security researcher says he bagged $10,000 after discovering and reporting a serious flaw in Yahoo! Mail that could have been exploited by crooks to read victims' messages.

The hacker says he reported the vulnerability in Yahoo! Mail via bug-bounty organizers HackerOne. "The impact of the bug is similar to the one I reported last year, which also brought a $10k bounty," the hacker said. "It allowed an attacker to, for example, read a victim's email."

The flaw – fixed in production late last month – could be exploited simply by tricking the target into opening a booby-trapped email. The same vulnerability could also be abused to spread malware.

The root cause of the problem was a failure to sanitize user-supplied values before they were placed into dynamically generated page content.

For this latest programming blunder, Pynnönen supplied proof-of-concept exploit code to Yahoo!'s security team in the form of an email that, when viewed, would use AJAX to read the user's inbox contents and send it to an attacker's server.

Source: www.theregister.co.uk

Sent to us by: Roy W. Nash


Samsung is going to brick Galaxy Note 7 phones early next week.

Anyone still using a Samsung Galaxy Note 7 has five days to return their device for a refund before Samsung kills the handset for good. Literally.

The South Korean electronics giant says that an over-the-air update set for release on December 19 will effectively brick the devices for good, shutting off all phone and data connections and preventing the Android-powered handset from accepting a recharge.

This, Samsung hopes, will kill off the 7 per cent of sold Galaxy Note 7 units that have not yet been returned for a refund.

While the Note 7 is still legal to own (so long as you're not flying), Samsung has been extremely aggressive with the voluntary recall for the fire-prone handset.

Not everyone, however, will see their Note 7 go dark on December 19. Verizon says that it will not be taking part in the mass shutdown, but will continue to request that customers bring their handsets in to swap out for a new device.

Source: www.theregister.co.uk

Sent to us by: Roy W. Nash


Fitbit has bought Pebble and is killing off its products.

Fitbit, the world's bestselling wearable tech-maker, has confirmed it is buying the inventions that power Pebble's smartwatches.

However, the deal does not include any of Pebble's products, and work on several crowdfunded devices that have yet to be made has been cancelled.

Pebble said it would try to refund backers of the Time 2, Core and Time Round gadgets by March 2017.

It also warned those who already owned its gear to expect less support.

Fitbit has said that "key personnel" from Pebble would join its company. The founder of Pebble will not be among them.

The approach makes the acquisition appear to be one to obtain patents, software and personnel, leaving Pebble users in its dust.

Source: www.bbc.com

Sent to us by: Roy W. Nash


Fraudsters can guess Visa card information in just six seconds.

According to a group of researchers from Newcastle University, fraudsters can guess credit card numbers in as little as six seconds per attempt thanks to security gaps in Visa's network.

The brute-force attacks allow criminals to bombard Visa with card payment requests across multiple sites, with each attempt narrowing the possible combinations until a valid card number and expiry date are determined.

The research team says, unlike rival Mastercard, Visa does not detect the flood of requests across multiple sites.

They call it a "distributed guessing attack" and proved its effectiveness against the top 400 payment sites.

The attacks rely on card-not-present fraud, in which merchants do not require the three-digit CVV number to authorise a transaction.

The researchers said, "This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions."

The researchers say all merchants should use a standard set of payment authorisation fields, which would remove the attackers' ability to scale the attack across sites.
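As an added illustration (not code from the Newcastle researchers or from any card network), here is the kind of cross-merchant aggregation the research team says Visa's network lacks: a detector that flags a single card number receiving many distinct field guesses from many different merchants within a short window, a pattern no per-merchant rate limiter can see. The log format, merchant names and masked card numbers are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authorisation log (not real data): time, merchant, masked PAN,
# field value tried, network result. The card ending 1111 is probed by six merchants
# with a different expiry guess each time; the card ending 2222 is an ordinary shopper
# who mistypes once at a single merchant and then succeeds.
SAMPLE_LOG = "\n".join(
    [f"2016-12-10T10:00:{i:02d}Z shop{i % 6} 4111********1111 exp={i + 1:02d}/17 DECLINED"
     for i in range(12)]
    + ["2016-12-10T10:00:05Z shop0 5500********2222 exp=03/18 DECLINED",
       "2016-12-10T10:00:40Z shop0 5500********2222 exp=03/19 APPROVED"]
)

def parse_line(line):
    """Split one authorisation-log line into (timestamp, merchant, pan, guess, result)."""
    ts, merchant, pan, guess, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), merchant, pan, guess, result

def find_distributed_guessing(log_text, window_seconds=300, min_merchants=4, min_guesses=8):
    """Return {pan: (distinct_merchants, distinct_guesses)} for every card whose declined
    attempts, within some sliding window of window_seconds, came from at least
    min_merchants merchants and tried at least min_guesses distinct field values.
    Only the network sees all merchants at once, so this check belongs there."""
    by_pan = defaultdict(list)
    for line in log_text.splitlines():
        ts, merchant, pan, guess, result = parse_line(line)
        if result == "DECLINED":            # guesses show up as declines, not approvals
            by_pan[pan].append((ts, merchant, guess))
    flagged = {}
    for pan, attempts in by_pan.items():
        attempts.sort()                     # chronological, so each start index opens a window
        for start in range(len(attempts)):
            t0 = attempts[start][0]
            in_window = [a for a in attempts[start:] if (a[0] - t0).total_seconds() <= window_seconds]
            merchants = {m for _, m, _ in in_window}
            guesses = {g for _, _, g in in_window}
            if len(merchants) >= min_merchants and len(guesses) >= min_guesses:
                flagged[pan] = (len(merchants), len(guesses))
                break                       # one qualifying window is enough to flag the card
    return flagged

if __name__ == "__main__":
    print(find_distributed_guessing(SAMPLE_LOG))   # {'4111********1111': (6, 12)}
```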

Source: www.theregister.co.uk

Sent to us by: Roy W. Nash

