The folks in Mountain View are starting to make a habit of getting hacked — intentionally, that is. Earlier this year, Google hosted an event at the CanSecWest security conference called Pwnium, a competition that challenged aspiring hackers to poke holes in its Chrome browser. El Goog apparently learned so much from the event that it’s doing it again — hosting Pwnium 2 at the Hack in the Box 10th anniversary conference in Malaysia and offering up to $2 million in rewards. Bugging out the browser by exploiting its own code wins the largest award, a cool $60,000. Enlisting the help of a WebKit or Windows kernel bug makes you eligible for a $50,000 reward, and non-Chrome exploits that rely on a bug in Flash or a driver are worth $40,000. Not confident you can break Chrome? Don’t let that stop you — Google plans to reward incomplete exploits as well, noting that it has plenty to learn from unreliable or incomplete attacks. Check out the Chromium Blog at the source link below for the full details.
Psst. Hey, do you carry a spare Smart Cover around with you? Well, if you’re an unscrupulous sort, you can actually use it to bypass the lock screen of any iPad running iOS 5. This multi-step security hole will let you browse whatever’s running behind the passcode screen, whether that’s email, apps or the homescreen. To take advantage of the flaw, hold down the power button on the locked device until the power off slider appears, then whip the Smart Cover on, open and tap cancel. Fortunately for iPad owners, the rest of the tablet remains locked-down, but the main problem here is any sensitive information left on-screen. If you unlock the tablet to the main screen, you won’t be able to open new apps, although anyone feeling particularly nefarious can apparently delete apps from that meticulously arranged home screen.
It would appear that some of HTC’s Android smartphones may have a major security hole, according to a recent report by Trevor Eckhart and the guys over at Android Police.
According to the report, the security hole may be in certain HTC devices which have been updated to the latest version of HTC’s Sense user interface, and could grant apps with Internet permission access to your private data like text messages and location information.
Some of the devices which are reported to be affected include the HTC EVO 4G, EVO 3D, Thunderbolt, Evo Shift 4G, MyTouch 4G Slide and possibly some models of the HTC Sensation.
It would appear HTC hasn’t released any official statement with regard to the alleged vulnerabilities as yet; you can find out more information over at Android Police.
Verizon Android users have had 3G Skype calling since this time last year, but the latest app release — v184.108.40.2063 for those of you keeping tabs — brings 3G calling to the masses, without the need for a VZW-sanctioned app. The update also patches a rather significant security hole discovered last week, which could let third-party apps get hold of your personal information. We’re glad to see that’s no longer the case, and who’s going to object to free calling as part of the deal as well? Make sure your phone’s running Android 2.1 (2.2 for Galaxy S devices) and head on over to the Android Market to get updated.
If you didn’t already have enough potential app privacy leaks to worry about, here’s one more — Android Police discovered that Skype’s Android client leaves your personal data wide open to assault. The publication reports that the app has SQLite3 databases where all your info and chat logs are stored, and that Skype forgot to encrypt the files or enforce permissions, which seems to be a decision akin to leaving keys hanging out of the door.
Basically, that means a rogue app could grab all your data and phone home — an app much like Skypwned. That’s a test program Android Police built to prove the vulnerability exists, and boy, oh boy does it work — despite only asking for basic Android storage and phone permissions, it instantly displayed our full name, phone number, email addresses and a list of all our contacts without requiring so much as a username to figure it out. Android Police says Skype is investigating the issue now, but if you want to give the VoIP company an extra little push we’re sure it couldn’t hurt.
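The weakness described above (unencrypted SQLite3 files with no permissions enforced) is something a developer or tester can check for in an app's data directory. The following is an added example, not code from Android Police or Skype: a Python audit that reports files whose mode bits let other local users read or write them and notes which of those begin with the plaintext SQLite 3 header. The function names, file names and directory contents are constructed for illustration.

```python
import os
import stat
import sqlite3
import tempfile

# First 16 bytes of an unencrypted SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"


def audit_app_data(root):
    """Return one finding per regular file under root that 'other' can read or write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other special files
            mode = stat.S_IMODE(st.st_mode)
            readable = bool(mode & stat.S_IROTH)
            writable = bool(mode & stat.S_IWOTH)
            if not (readable or writable):
                continue  # private to the owning user or group: nothing to report
            with open(path, "rb") as fh:
                plaintext_db = fh.read(16) == SQLITE_MAGIC
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": oct(mode),
                "world_readable": readable,
                "world_writable": writable,
                "plaintext_sqlite": plaintext_db,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed sample data: one exposed database and one locked-down database."""
    for name, mode in (("exposed.db", 0o666), ("private.db", 0o600)):
        path = os.path.join(root, name)
        conn = sqlite3.connect(path)
        conn.execute("CREATE TABLE contacts (name TEXT)")
        conn.commit()
        conn.close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_app_data(build_sample_tree(tmp)):
            print(finding)
```

A finding with both `world_readable` and `plaintext_sqlite` set is the combination the report describes: any other app on the device could open the database and read it directly.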