Latest news with #Nazarovas


Gulf Insider
21-05-2025
- Gulf Insider
How Hackers Can Control Your Phone With "Zero-Click" Attack
In 2025, most people are inseparable from their laptops and smartphones. With that familiarity has come a wariness of the dangers of clicking on unsolicited emails, SMS, or WhatsApp messages. But there is a growing menace called zero-click attacks, which have previously targeted only VIPs or the very wealthy because of their cost and sophistication.

A zero-click attack is a cyberattack that compromises a device without the user clicking anything. It can happen just by receiving a message, call, or file: the attacker exploits hidden flaws in the apps or operating system components that process that content to take control of the device, with no action needed from the user, who typically remains unaware of the attack.

'Although public awareness has increased recently, these attacks have steadily evolved over many years, becoming more frequent as smartphones and connected devices proliferated,' Nathan House, CEO of StationX, a UK-based cybersecurity training platform, told The Epoch Times. 'The key vulnerability is in the software, rather than the type of device, meaning any connected device with exploitable weaknesses could potentially be targeted,' he said.

Aras Nazarovas, an information security researcher at Cybernews, told The Epoch Times why zero-click attacks usually target VIPs rather than ordinary individuals. 'Since finding such zero-click exploits is difficult and expensive, most of the time such exploits are used to gain access to information from key figures, such as politicians or journalists in authoritarian regimes,' he said. 'They are often used in targeted campaigns. Using such exploits to steal money is rare.'

In June 2024, the BBC reported that social media platform TikTok had admitted that a 'very limited' number of accounts, including those of media outlet CNN, had been compromised. While ByteDance, the owner of TikTok, did not confirm the nature of the hack, cybersecurity companies such as Kaspersky and Assured Intelligence suggested it stemmed from a zero-click exploit.

'The part that requires high levels of sophistication is finding bugs that allow such attacks and writing exploits for these bugs,' Nazarovas said. 'It has been a billion-dollar market for years, selling zero-click exploits and exploit chains. Some gray/dark market exploit brokers often offer $500,000 to $1 million for such exploit chains for popular devices and apps.'

Nazarovas added that ordinary users have in the past been hit by zero-click 'drive-by' attacks, in which malicious software is installed on a device unintentionally, often without the user even realizing it. Such attacks have become rarer as the gray market for these exploits has grown: an exploit chain that sells for six figures is seldom spent on untargeted victims.

House said zero-click exploits often rely on vulnerabilities in software and apps that are expensive to discover, which means the perpetrators are usually 'nation-state actors or highly-funded groups.'

Although recent innovations in AI have made certain cyber crimes, such as voice-cloning or vishing, more prevalent, Nazarovas says there is no evidence yet that it has increased the risk from zero-click attacks. House said people could use AI to 'write zero-click exploit chains for people who would have otherwise lacked the time, experience, or knowledge to be able to discover and write such exploits.' But, he said, the increase in zero-click attacks in recent years 'stems mainly from expanded spyware markets and greater availability of sophisticated exploits, rather than directly from AI-driven techniques.'

He said zero-click attacks have existed for more than a decade, the most infamous case being the Pegasus spyware affair. In July 2021, The Guardian and 16 other media outlets published a series of articles alleging that foreign governments had used the Israel-based NSO Group's Pegasus software to surveil at least 180 journalists and numerous other targets around the world.

Alleged targets of Pegasus surveillance included French President Emmanuel Macron, Indian opposition leader Rahul Gandhi, and Washington Post writer Jamal Khashoggi, who was slain in Istanbul on Oct. 2, 2018. In a statement at the time, NSO Group said, 'As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi.'

On May 6, a California jury awarded WhatsApp's parent company, Meta, $444,719 in compensatory damages and $167.3 million in punitive damages in a privacy case against NSO Group. The WhatsApp complaint focused on the Pegasus spyware, which, according to the lawsuit, was developed 'to be remotely installed and enable the remote access and control of information—including calls, messages, and location—on mobile devices using the Android, iOS, and BlackBerry operating systems.'

'While ordinary users can occasionally become collateral targets, attackers generally reserve these costly exploits for individuals whose information is especially valuable or sensitive,' Nazarovas said. According to Nazarovas, corporations offer hackers 'bug bounties' to incentivize them to find these exploits and report them to the company, rather than selling them to a broker who then sells them on to parties who use them illegally.
Yahoo
30-03-2025
- Yahoo
Kink and LGBT dating apps exposed 1.5m private user images online
Researchers have discovered nearly 1.5 million pictures from specialist dating apps – many of which are explicit – being stored online without password protection, leaving them vulnerable to hackers and extortionists. Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile: kink sites BDSM People and Chica, and LGBT apps Pink, Brish and Translove. These services are used by an estimated 800,000 to 900,000 people. M.A.D Mobile was first warned about the security flaw on 20th January but didn't take action until the BBC emailed on Friday. They have since fixed it but not said how it happened or why they failed to protect the sensitive images. Ethical hacker Aras Nazarovas from Cybernews first alerted the firm about the security hole after finding the location of the online storage used by the apps by analysing the code that powers the services. He was shocked that he could access the unencrypted and unprotected photos without any password. "The first app I investigated was BDSM People, and the first image in the folder was a naked man in his thirties," he said. "As soon as I saw it I realised that this folder should not have been public." The images were not limited to those from profiles, he said – they included pictures which had been sent privately in messages, and even some which had been removed by moderators. Mr Nazarovas said the discovery of unprotected sensitive material comes with a significant risk for the platforms' users. Malicious hackers could have found the images and extorted individuals. There is also a risk to those who live in countries hostile to LGBT people. None of the text content of private messages was found to be stored in this way and the images are not labelled with user names or real names, which would make crafting targeted attacks at users more complex. 
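One generic way an exposure like this is found and triaged, given here as an added example (it is not the page's code and does not claim to reproduce the researcher's actual steps): pull candidate storage-bucket roots out of the strings in an app bundle, send an unauthenticated GET to each root, and classify the answer. The host patterns, the sample app strings, the bucket names and the canned responses are all constructed for the illustration; the response shapes relied on (S3/GCS `ListBucketResult`, Azure `EnumerationResults`, `AccessDenied` error bodies) are the real ones. Point the live mode only at storage you are authorised to test.

```python
"""Find the object-storage buckets an app references and check whether their
roots answer unauthenticated requests. Added illustration for the M.A.D Mobile
story; not Cybernews' tooling. All strings, bucket names and responses are
constructed for the example."""
import re
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Bucket/container roots on the big object stores (representative patterns, an
# assumption). Only the root is captured so one probe per bucket suffices.
STORAGE_ROOT_RE = re.compile(
    r"https?://(?:"
    r"[a-z0-9.\-]+\.s3(?:[.\-][a-z0-9\-]+)?\.amazonaws\.com"  # S3, virtual-hosted
    r"|s3(?:[.\-][a-z0-9\-]+)?\.amazonaws\.com/[a-z0-9.\-]+"  # S3, path-style
    r"|storage\.googleapis\.com/[a-z0-9._\-]+"                # GCS, path-style
    r"|[a-z0-9\-]+\.blob\.core\.windows\.net/[a-z0-9\-]+"     # Azure container
    r")", re.IGNORECASE)

# Constructed stand-in for `strings` output from a decompiled app bundle.
SAMPLE_APP_STRINGS = """\
Lcom/example/app/ImageUploader;
https://example-app-media.s3.eu-west-1.amazonaws.com/profile/
https://example-app-media.s3.eu-west-1.amazonaws.com/messages/
https://storage.googleapis.com/example-app-backup/db.sqlite
https://api.example.com/v1/login
"""
# Constructed responses in the shape S3 (and GCS's XML API) really use.
SAMPLE_PUBLIC_LISTING = """\
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-app-media</Name><IsTruncated>true</IsTruncated>
  <Contents><Key>messages/7f3a.jpg</Key><Size>183220</Size></Contents>
  <Contents><Key>profile/91c0.jpg</Key><Size>92011</Size></Contents>
</ListBucketResult>"""
SAMPLE_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"

def find_storage_roots(app_strings):
    """Unique bucket/container roots referenced in text pulled from an app."""
    roots = []
    for match in STORAGE_ROOT_RE.finditer(app_strings):
        root = match.group(0).lower()
        if root not in roots:
            roots.append(root)
    return roots

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace

def classify(status, body):
    """Map the answer to an unauthenticated GET on a bucket root to a finding.
    A listable public bucket returns ListBucketResult (S3/GCS) or
    EnumerationResults (Azure). AccessDenied only closes the *listing*;
    individual objects may still be world-readable and need their own check."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unrecognised"
    tag = _local(root.tag)
    if status == 200 and tag in ("ListBucketResult", "EnumerationResults"):
        return "public-listing"
    if tag == "Error":
        code = root.findtext("Code") or "unknown"
        if code == "AccessDenied":
            return "listing-denied"
        if code in ("NoSuchBucket", "ContainerNotFound"):
            return "not-found"
        return "error:" + code
    return "unrecognised"

def listed_keys(body):
    """Object keys from a listing, so a report can say *what* is exposed."""
    keys = []
    for el in ET.fromstring(body).iter():
        if _local(el.tag) == "Key":                      # S3 / GCS
            keys.append(el.text or "")
        elif _local(el.tag) == "Blob":                   # Azure: <Blob><Name>
            keys.extend(c.text for c in el if _local(c.tag) == "Name")
    return keys

def probe(root_url, fetch=None):
    """Unauthenticated GET on a bucket root. `fetch` is injectable so the triage
    runs offline; omit it to go live over urllib (only against assets you may test)."""
    url = root_url
    if "blob.core.windows.net" in root_url:              # Azure spells the list op out
        url += "?restype=container&comp=list"
    if fetch is None:
        def fetch(u):
            req = Request(u, headers={"User-Agent": "storage-exposure-check/0.1"})
            try:
                with urlopen(req, timeout=10) as resp:
                    return resp.status, resp.read().decode("utf-8", "replace")
            except HTTPError as err:
                return err.code, err.read().decode("utf-8", "replace")
    status, body = fetch(url)
    finding = classify(status, body)
    return finding, (listed_keys(body) if finding == "public-listing" else [])

if __name__ == "__main__":
    # Offline walk-through with canned answers; drop `fetch=` for a real run.
    canned = {"https://example-app-media.s3.eu-west-1.amazonaws.com": (200, SAMPLE_PUBLIC_LISTING),
              "https://storage.googleapis.com/example-app-backup": (403, SAMPLE_DENIED)}
    for bucket in find_storage_roots(SAMPLE_APP_STRINGS):
        finding, keys = probe(bucket, fetch=lambda u: canned[u])
        print(f"{bucket}: {finding} {keys[:3]}")
```

A `listing-denied` result is not a clean bill of health: it only says the bucket index is closed, and an object whose URL is embedded in the app or sent in a message can still be world-readable, so the follow-up is to request one known object URL without credentials. The `IsTruncated` flag in a public listing is also worth reporting, since it means the index returned is only the first page of what is exposed.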
In an email M.A.D Mobile said it was grateful to the researcher for uncovering the vulnerability in the apps to prevent a data breach from occurring. But there's no guarantee that Mr Nazarovas was the only hacker to have found the image stash. "We appreciate their work and have already taken the necessary steps to address the issue," a M.A.D Mobile spokesperson said. "An additional update for the apps will be released on the App Store in the coming days." The company did not respond to further questions about where the company is based and why it took months to address the issue after multiple warnings from researchers. Usually security researchers wait until a vulnerability is fixed before publishing an online report, in case it puts users at further risk of attack. But Mr Nazarovas and his team decided to raise the alarm on Thursday while the issue was still live as they were concerned the company was not doing anything to fix it. "It's always a difficult decision but we think the public need to know to protect themselves," he said. In 2015 malicious hackers stole a large amount of customer data about users of Ashley Madison, a dating website for married people who wish to cheat on their spouse.


BBC News
30-03-2025
- BBC News
Over a million private photos from dating apps exposed online