Month: February 2019

Enlarge / The Jack'd dating app allowed men to upload "private" photos--but stored them open to public viewing, the same as the rest.

Amazon Web Services' Simple Storage Service powers countless numbers of web and mobile applications. Unfortunately, many of the developers who build those applications do not adequately secure their S3 data stores, leaving user data exposed—sometimes directly to web browsers.  And while that may not be a privacy concern for some sorts of applications, it's potentially dangerous when the data in question is "private" photos shared via a dating application.

Jack'd, a "gay dating and chat" application with over 1 million downloads from the Google Play store, has been leaving images posted by users and marked as "private" in chat sessions open to browsing on the Internet, potentially exposing the privacy of thousands of users. Photos were uploaded to an AWS S3 bucket accessible over an unsecured web connection, identified by a sequential number. By simply traversing the range of sequential values, it was possible to view all images uploaded by Jack'd users—public or private. Additionally, location data and other metadata about users was accessible via the application's unsecured interfaces to backend data.

The result was that intimate, private images—including pictures of genitalia and photos that revealed information about users' identity and location—were exposed to public view. Because the images were retrieved by the application over an insecure web connection, they could be intercepted by anyone monitoring network traffic, including officials in areas where homosexuality is illegal, homosexuals are persecuted, or by other malicious actors. And since location data and phone identifying data were also available, users of the application could be targeted

We've got our first look at footage from Little Monsters, Australian director Abe Forsythe's new black comedy that just debuted at the Sundance Film Festival. It's been described as Zombieland meets Kindergarten Cop, and based on this footage (courtesy of Sundance), we think it looks like a lot of good bloody fun.

This film should not be confused with the 1989 film of the same name (in which a young Fred Savage discovers a secret world of prankster monsters). Kindergarten teacher Miss Caroline (Lupita Nyong'o) takes her young charges on a school field trip to Pleasant Valley Farm. Tagging along as a chaperone is Dave (Alexander England), a failed musician whose nephew is in her class. Dave has a romantic interest in Miss Caroline and is chagrined to discover that he has a rival for her affections: a famous children's TV personality, Teddy McGiggle (Josh Gad), who also happens to be at the farm organizing all the planned activities.

But something has gone terribly wrong at a nearby military base, and a zombie outbreak turns the innocent excursion into a bloody fight for survival. Miss Caroline, Dave, and Teddy join forces to make sure the kids don't get eaten—and hopefully aren't traumatized for life by the sight of the ravenous undead.

We've got our first look at footage from Little Monsters, Australian director Abe Forsythe's new black comedy that just debuted at the Sundance Film Festival. It's been described as Zombieland meets Kindergarten Cop, and based on this footage (courtesy of Sundance), we think it looks like a lot of good bloody fun.

This film should not be confused with the 1989 film of the same name (in which a young Fred Savage discovers a secret world of prankster monsters). Kindergarten teacher Miss Caroline (Lupita Nyong'o) takes her young charges on a school field trip to Pleasant Valley Farm. Tagging along as a chaperone is Dave (Alexander England), a failed musician whose nephew is in her class. Dave has a romantic interest in Miss Caroline and is chagrined to discover that he has a rival for her affections: a famous children's TV personality, Teddy McGiggle (Josh Gad), who also happens to be at the farm organizing all the planned activities.

But something has gone terribly wrong at a nearby military base, and a zombie outbreak turns the innocent excursion into a bloody fight for survival. Miss Caroline, Dave, and Teddy join forces to make sure the kids don't get eaten—and hopefully aren't traumatized for life by the sight of the ravenous undead.

Enlarge (credit: Lisa Brewster / Flickr)

LibreOffice, an open source clone of Microsoft Office, has patched a bug that allowed attackers to execute commands of their choosing on vulnerable computers. A similar flaw in Apache OpenOffice remains unfixed.

Austrian researcher Alex Inführ publicly reported the vulnerability on Friday, shortly after it was fixed in LibreOffice. His disclosure included a proof-of-concept exploit that successfully executed commands on computers running what was then a fully patched version of LibreOffice. The only interaction that was required was that the target user hover over an invisible link with a mouse. On Wednesday, researcher John Lambert provided additional PoC samples.

The chief vulnerability exploited is a path traversal that allowed the attack code to move out of its current directory and into one that contained a sample Python script that LibreOffice installed by default. That allowed Inführ to invoke the cmd command on the vulnerable computer. The researcher then exploited a separate weakness that allowed him to pass parameters of his choice to the command.