Mysk 🇨🇦🇩🇪
@mysk_co
Followers 16K · Following 4K · Media 1K · Statuses 5K
We're two #iOS developers and occasional #security researchers on two continents. #CyberSecurity 🎬 https://t.co/JGKIHaSEgs 📍 https://t.co/69k7WAGSBT 🇨🇦🇩🇪
Canada - Germany
Joined November 2010
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
🚨 NEW: Private Wi-Fi addresses had been useless ever since they were introduced in iOS 14. When an iPhone joins a network, it sends multicast requests to discover AirPlay devices in the network. In these requests, iOS sends the device's real Wi-Fi MAC address. 🎬 Watch the
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet. We used @ProtonVPN and #Wireshark. Details in the video: #CyberSecurity #Privacy
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
TL;DR: Don't install @signalapp for macOS, it is not secure. I carried out this small experiment:
- I wrote a simple Python script that copies the directory of Signal's local storage to another location (to mimic a malicious script or app).
- I ran the script in the Terminal and
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don't turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
iOS 16.5.1 still bypasses the VPN. New tests show that Apple Push Notification traffic completely ignores the VPN connection. Apple Maps sends many requests outside the VPN, including unencrypted DNS requests. This also happens in the Lockdown Mode. 🎬
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
🚨 New Findings: 🧵 1/6
Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you 👇
@mysk_co
Mysk 🇨🇦🇩🇪
6 months
Hey @elonmusk, will 𝕏 publish the algorithm that determines which replies are most relevant? The Algorithm's repository on Github hasn't been updated since last year. Thank you!
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
I know what you're asking yourself and the answer is YES. #Android communicates with #Google services outside an active VPN connection, even with the options "Always-on" and "Block Connections without VPN." I used a #Pixel phone running #Android13, its IP is 192.168.2.14 👇
@mysk_co
Mysk 🇨🇦🇩🇪
10 months
Speaking of outdated, @MicrosoftEdge is the only browser on macOS that still requires administrative privileges to install. 🫠
@MicrosoftEdge
Microsoft Edge
10 months
You. Yes, you. It's time to leave that outdated browser 🫡.
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
🚨PSA: iOS 17 turns these sensitive location options back on. If you have disabled significant locations as well as adding your location information to your iPhone analytics before upgrading to iOS 17, iOS 17 will turn the options on as shown in the screenshot. While significant
@mysk_co
Mysk 🇨🇦🇩🇪
2 months
Since iOS 18 launched, the new Passwords app has been using unencrypted HTTP to download icons for password entries—a potential #security risk. We reported this bug to #Apple in September, and it’s finally fixed in #iOS 18.2 (CVE-2024-54492). Why does this matter? Watch 🎬
@mysk_co
Mysk 🇨🇦🇩🇪
9 months
iPhone storage is encrypted with the iPhone's passcode. Based on iOS security model, it's impossible to recover data after a factory reset. If this bug is proven to be true, the entire iOS security model is at risk.
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
🧵 1/5
The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple. 👇 This data is sent in one request: (data usage & personalized ads are off). #CyberSecurity
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
You can easily monitor the network traffic of any device using this simple method. You don't need a custom router for that. You just need a Mac and #Wireshark, and enjoy ✌️.
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
At Mysk we use this simple method to monitor the network activity of a device:
► Connect your Mac to the internet via LAN.
► Share the internet from LAN to Wi-Fi.
► Connect the device to this Wi-Fi.
► Start #Wireshark on your Mac and pick bridge100.
► Start capturing. #SecurityTips
@mysk_co
Mysk 🇨🇦🇩🇪
8 months
WhatsApp messages are end-to-end encrypted, but user data is not only about messages. That also includes the metadata such as user location, which contacts the user is communicating with, the patterns of when the user is online, etc. This metadata according to your privacy policy
@wcathcart
Will Cathcart
8 months
Many have said this already, but worth repeating: this is not correct. We take security seriously and that's why we end-to-end encrypt your messages. They don't get sent to us every night or exported to us. If you do want to backup your messages, you can use your cloud provider.
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
This is the folder structure of Signal's local data on macOS. The encrypted database and encryption key are stored next to each other. The folder is accessible to any app running on the Mac. How could such a blunder be approved by an open-source project reviewed by many experts?
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
Our recent encounter with Signal has revealed a new face of Signal as a project and team; one of exclusion, dismissal, and denial. We can no longer recommend Signal as a secure chat app. And we will no longer review, report, or disclose any security bugs related to Signal.
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
It's official. iOS will not support Progressive Web Apps in the EU. It would be great if Apple provides the basis of this claim: "We expect this change to affect a small number of users"
@mysk_co
Mysk 🇨🇦🇩🇪
5 months
The top two grossing apps in the Utilities category on the Brazilian App Store are VPN apps:
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
This video shows that @signalapp (7.15.0) on macOS stores photos and docs sent through the app locally without encryption. Worse, the files are stored in a location accessible by any app or script. However, text messages are stored locally in an encrypted DB. #privacy #security
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
@mer__edith Hi Meredith, let me address your points:
1) The issue we highlighted does not require “full” access to the device. Signal desktop stores the chat database in an unprotected area of the file system that’s accessible by any user process. This would allow any program without any
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
The community note is wrong and @elonmusk is right. Signal's desktop apps encrypt local chat history with a key stored in plain text and made accessible to any process. This leaves users vulnerable to exfiltration. The issue was reported in 2018, but it hasn't been addressed 👇
@elonmusk
Elon Musk
9 months
@realchrisrufo There are known vulnerabilities with Signal that are not being addressed. Seems odd …
@mysk_co
Mysk 🇨🇦🇩🇪
2 months
This is an example of what the App Store app shares with #Apple when you search for an app. Everything you type in the search field is recorded as an event and associated with your Apple ID before it is sent to Apple. When I search for "Google Authenticator," events are recorded
@mysk_co
Mysk 🇨🇦🇩🇪
6 months
The community note is inaccurate. The claim "Find My is end-to-end encrypted" generally is misleading. Online devices report their location to Apple without end-to-end encryption even with Advanced Data Protection is on. This makes it possible to look up a device’s location
@TimSweeneyEpic
Tim Sweeney
6 months
@9to5mac @benlovejoy This feature is super creepy surveillance tech and shouldn’t exist. Years ago, a kid stole a Mac laptop out of my car. Years later, I was checking out Find My and it showed a map with the house where the kid who stole my Mac lived. WTF Apple? How is that okay?!
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
It seems it's not allowed to criticize Signal on Reddit. This is the second post that gets removed by the moderators. Users in the comments make wrong claims that physical access is required, others claim that full disk access is required. This is wrong. If you really have the
@mysk_co
Mysk 🇨🇦🇩🇪
11 months
Apple decided to remove PWAs, then walked back the decision. Apple terminated Epic Games developer account, now they walked back the decision. What's going on with Apple? "Trust is built in drops and lost in buckets". How many buckets has Apple lost so far?
@EpicNewsroom
Epic Games Newsroom
11 months
Update - Apple has told us and committed to the European Commission that they will reinstate our developer account. We are moving forward as planned to launch the Epic Games Store and bring Fortnite back to iOS in Europe. More below⬇️
@mysk_co
Mysk 🇨🇦🇩🇪
8 months
On Android, several Google services bypass an active VPN connection. As a result, a VPN connection won't hide your IP address from Google. And since YouTube is a first-party app on Android, it will get your real IP address and roughly determine your location despite using a VPN.
@AndroidAuth
Android Authority
8 months
YouTube confirms crackdown on VPN-based cheaper Premium subscriptions
@mysk_co
Mysk 🇨🇦🇩🇪
9 months
Well it would be nice to get a little more detail on that “database corruption” issue, wouldn’t it?
@zollotech
Aaron Zollo
9 months
iOS 17.5.1 is out. Video later…
@mysk_co
Mysk 🇨🇦🇩🇪
2 months
In iOS 18.2, EU users will be able to delete the App Store app. You get a warning message before deleting the app. You can re-install the app from the Settings app. A similar but shorter warning message is also shown when deleting an alternative marketplace app. #iOS #DMA #EU
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
The security bug about storing the encryption key in plain text wasn't considered a bug by Signal in 2018, wasn't considered a bug by Signal's president today, and even demanded responsible disclosure for it. Well, that not bug thing is getting a fix now:
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
On macOS, iMessage stores the chat history locally in plain text, but the data is sandboxed and no other process can access it without permission. @Whatsapp also stores the local history in plain text but stores the data in a location accessible by any process/app/script started.
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
So does @WhatsApp and @Apple iMessage, and likely many other apps. Open a terminal on a Mac and check:
strings ~/Library/Group\ Containers/group.net.whatsapp.WhatsApp.shared/ChatStorage.sqlite
strings ~/Library/Messages/chat.db
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
🧵 1/6
Apple's Data & Privacy statement starts with the calming phrase "Apple believes privacy is a fundamental human right" then goes on to describe how the platform aggressively collects your data. You must accept the statement or stop using your iPhone. #CyberSecurity
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
🔔 Soon after we published our findings about the App Store collecting exhaustive and identifiable usage data, we were approached by law enforcement in the U.S. to help them navigate through the usage data they obtained from Apple for a suspect. They presented a court order to
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
Apparently reporting on actual longstanding security issues in Signal is considered right-wing 🤷‍♂️. Plus, they will fix the issue, which is good for everybody.
@Gizmodo
Gizmodo
7 months
A sudden flood of right-wing attention has pushed Signal to close a vulnerability in its desktop app.
@mysk_co
Mysk 🇨🇦🇩🇪
9 months
BREAKING: The EU Commission designates iPadOS as a gatekeeper under the Digital Market App. Apple will have to allow alternative marketplaces on the iPad too.
@mysk_co
Mysk 🇨🇦🇩🇪
5 months
Just realized that the Passwords app communicates with 147 websites. It turns out the app calls every website of your added accounts to download its icon. The request has this user-agent:
User-Agent: Passwords/8619.1.26.30.5 CFNetwork/1568.100.1 Darwin/24.0.0
#iOS18
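As an added example (not Mysk's code and not Apple's), the following Python script triages a capture log for the behaviour described in this post: it picks out requests carrying the Passwords user agent, counts the distinct websites contacted, and flags the ones fetched over plain HTTP. The log format ("<ip> <method> <url> <user-agent>") and the hostnames are constructed for the example.

```python
"""Triage a capture/proxy log for icon downloads made by the iOS 18 Passwords app.

Assumptions (constructed for this example): each log line reads
"<client_ip> <method> <url> <user_agent>"; hostnames are samples.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# User-Agent quoted in the post; only the product prefix is matched so that
# other builds of the app are caught too.
PASSWORDS_UA_PREFIX = "Passwords/"

# Constructed sample: four icon fetches by the Passwords app (three over
# plain HTTP, one over HTTPS) plus an unrelated Safari request.
SAMPLE_LOG = """\
192.168.2.14 GET http://example.com/apple-touch-icon.png Passwords/8619.1.26.30.5 CFNetwork/1568.100.1 Darwin/24.0.0
192.168.2.14 GET https://bank.example/favicon.ico Passwords/8619.1.26.30.5 CFNetwork/1568.100.1 Darwin/24.0.0
192.168.2.14 GET http://shop.example/favicon.ico Passwords/8619.1.26.30.5 CFNetwork/1568.100.1 Darwin/24.0.0
192.168.2.14 GET http://example.com/favicon.ico Passwords/8619.1.26.30.5 CFNetwork/1568.100.1 Darwin/24.0.0
192.168.2.14 GET http://news.example/ Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X)
"""


@dataclass
class IconFetchReport:
    """What a defender wants to know from the capture."""
    hosts: set[str] = field(default_factory=set)            # every site the app contacted
    cleartext_hosts: set[str] = field(default_factory=set)  # sites fetched over http://
    cleartext_requests: int = 0

    @property
    def leaks_account_list(self) -> bool:
        # A cleartext request exposes the full URL (and so the list of sites the
        # user has accounts at) to anyone on the path, who could also tamper
        # with the icon bytes served back.
        return self.cleartext_requests > 0


def parse_line(line: str) -> tuple[str, str, str, str] | None:
    """Split one constructed log line; return None for malformed lines."""
    parts = line.strip().split(maxsplit=3)  # user agent may contain spaces
    if len(parts) != 4:
        return None
    client_ip, method, url, user_agent = parts
    return client_ip, method, url, user_agent


def analyze(log_text: str) -> IconFetchReport:
    """Collect the websites the Passwords app contacted and flag cleartext ones."""
    report = IconFetchReport()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ip, _method, url, user_agent = parsed
        if not user_agent.startswith(PASSWORDS_UA_PREFIX):
            continue  # some other client, not the Passwords app
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        host = parts.hostname.lower()
        report.hosts.add(host)
        if parts.scheme == "http":
            report.cleartext_hosts.add(host)
            report.cleartext_requests += 1
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(f"Passwords app contacted {len(r.hosts)} site(s): {sorted(r.hosts)}")
    print(f"cleartext requests: {r.cleartext_requests}, "
          f"hosts fetched over plain HTTP: {sorted(r.cleartext_hosts)}")
```

Run against a real capture exported in the same four-column shape, the host count is the figure the post quotes (147 sites) and the cleartext set should be empty on iOS 18.2 and later.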
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
🧵 The App Store on #macOS 13.2 sends detailed usage data and analytics to Apple. All interactions are associated with the user's iCloud ID, or dsid. This happens even when you turn off sharing usage data and analytics. (1/6) 👇 #Privacy #InfoSec
@mysk_co
Mysk 🇨🇦🇩🇪
9 months
Holy moly! iPhone users in the EU: DO NOT delete your alternative marketplace apps. iOS 17.5 breaks alternative marketplace app re-installation. MarketplaceKit now generates a different client_id every time it is called. Now there's no way for alternative marketplace developers
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
Apple blocked Spotify's update for including a button that emailed a link for purchasing audiobooks. Amazon is doing exactly the same. If you tap on the "I Want This Book" button in the #iOS app, you get a link to purchase the book outside the app. Apple Review Team approved it.
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
🚨@signalapp on its website presents both mobile and desktop versions to be equally secure. As we showed, the desktop versions are vulnerable to data exfiltration and session hijacking. This is consistent with early reports from 2018 and results from developers who successfully
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
TL;DR: Don't install @signalapp for macOS, it is not secure. I carried out this small experiment:
- I wrote a simple Python script that copies the directory of Signal's local storage to another location (to mimic a malicious script or app).
- I ran the script in the Terminal and
@mysk_co
Mysk 🇨🇦🇩🇪
6 months
Signal for desktop has been updated twice since we reiterated the known security issues related to storing the database encryption key and media attachments in plaintext, and in a location accessible to any process. None of the release notes mention this issue. The privacy chat
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
To the unknown future dissident, activist, or freedom seeker whose life will be saved as a result of the enhanced security added to Signal Desktop: You're welcome.
@BleepinComputer
BleepingComputer
7 months
Signal is finally tightening its desktop client's security by changing how it stores plain text encryption keys for the data store after downplaying the issue since 2018.
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
🚨🎬 Privacy Concerns about Apple Push Notifications. TL;DR: data-hungry apps use push notifications as a trigger to send app analytics and device information to their remote servers, even if the apps aren't running at all on your iPhone. Such apps include TikTok, Facebook, FB
@mysk_co
Mysk 🇨🇦🇩🇪
3 years
Dear #Android users,
Chrome shares your motion sensor with all the websites you visit by default. This video shows how you can disable it. Please do it now. You can learn more about this here: #CyberSecurity #Privacy
@mysk_co
Mysk 🇨🇦🇩🇪
9 months
Still don't understand why Safari does this? It happens on iOS too. Any explanation?
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
As @PrivacyMatters speculated, Authy sends too much analytics for an authenticator app. It associates analytics with the user's ID, which is tied to phone number and email. The analytics include the issuer name of each scanned QR code. Try to use a different #2FA app. #Privacy
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
Signal's message is clear: end-to-end encryption is only about protecting the transmission of chat messages, not protecting the local chat history stored on device. This message is toxic and has a huge impact on our #privacy. @UKZak explains that very well:
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
Philips Hue will soon force users to create a Hue account and sign in to continue to use the app and control the smart lights. The best security model to protect smart devices is to keep them disconnected from the internet, or at least keep this option available. #Privacy
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
An open-source project should embrace an open mindset. Signal has positioned itself as the "secure" communication tool for users in troubled parts of the world. A fix should be pushed forward to make the app more secure for its users, not because a call for the fix "is getting
@mysk_co
Mysk 🇨🇦🇩🇪
6 months
A lot of accounts promote crypto scams on X and they hardly get suspended. And now this: @ProtonWallet
@mysk_co
Mysk 🇨🇦🇩🇪
8 months
@VeraJourova The draft mandates providers to perform human oversight of content sent over a private and end-to-end encrypted channel so that they detect false positives. How would employees view such content without breaking encryption and invading one's privacy?
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
This screenshot shows the app analytics data sent by two different iOS apps: @duolingo and @Tinder. What's the likelihood that both apps are installed on the same device? 💯? 🤯. Both apps use @unity Ads. The data in the screenshot is collected by the Unity Ads framework included
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
Just detected a call made by my iPhone seemingly sending my iOS keyboard data to an iCloud server. The domain name icloud-content[.]com is owned by Apple but not the one normally used for syncing iCloud data. The 316 KB of keyboard data is marked as "UserWords". The data is
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
Signal has positioned itself as the secure communication tool that activists and users in troubled regions can trust. In 2021, Signal introduced simple TLS proxy to bypass government censorship. In 2018, Signal knew that their desktop app had security issues regarding protecting
@mysk_co
Mysk 🇨🇦🇩🇪
9 months
It's May 1. Instagram for iOS just got updated. It still sends the device's system uptime to remote servers. Starting today developers are no longer allowed to access this API without providing a reason. And in no way can the app send the value off-device. #Privacy
@mysk_co
Mysk 🇨🇦🇩🇪
3 months
Sorry Signal and WhatsApp, you're not getting full access to my contacts. Stop begging. Be grateful you have access to a dummy contact. Both apps now check for the new #iOS18 authorization status "limited" and complain if the user authorizes access to some contacts only.
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
🎬 The App Store will continue to be the only place to install apps on the iPhone, even in the EU. Users should be aware that the App Store collects exhaustive usage data and sends it to #Apple. This can't be turned off. We made this video to show how tapping an app link gets
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
You need to be careful when you search for an authenticator app. This app sends the scanned QR codes to the developer's #Google analytics service. You won't miss it. It's running an ad campaign on the #AppStore. #Privacy #CyberSecurity #2FA
@mysk_co
Mysk 🇨🇦🇩🇪
9 months
Nice! @brave for iOS just got updated to support the new "marketplace-kit" scheme. Brave only calls the scheme when trackers blocking is disabled. As we reported earlier, Apple implemented the new scheme in a way that allows tracking across websites based on the unique client_id.
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
BREAKING: The App Store has taken down the scam #2FA app that steals secrets. We warned about this app four months ago. This wouldn't have happened without your support to spread the word. Thank you! 🙏🙏✌️
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
🎬 So this scam #2FA app is using custom product pages of Apple Search Ads to trick users. It has different campaigns per search keywords. When searching for "Microsoft Authenticator", it shows screenshots highlighting "Microsoft", and when searching for "Google Authenticator",
@mysk_co
Mysk 🇨🇦🇩🇪
6 months
The title should be clearer. Apple didn't do this willingly. This is a more accurate title: "EU Regulators finally force Apple to allow Spotify to show pricing info to EU users on iOS"
@TechCrunch
TechCrunch
6 months
Apple finally allows Spotify to show pricing info to EU users on iOS
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
More context:
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
This video shows that @signalapp (7.15.0) on macOS stores photos and docs sent through the app locally without encryption. Worse, the files are stored in a location accessible by any app or script. However, text messages are stored locally in an encrypted DB. #privacy #security
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
🧵 1/7
During our research on link previews, we discovered that Instagram servers execute #JS code in links sent in DM. We contacted Facebook security team. They said it was expected behavior, no issue. We published the work. @TeamYouTube took down the video and sent us a warning
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
This old thread by @signalapp's president addresses a report by johnjhacking about the same desktop app vulnerability we highlighted. The response downplays the risks on the basis that the level of access required to hijack a session is "only available if the device is already
@mer__edith
Meredith Whittaker
2 years
The report by johnjhacking is confused. What they propose requires a level of access that's only available if the device is already completely compromised: “First and foremost, you need access to the device.” TLDR someone compromising your device is not a problem with Signal. 1/
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
Just got the "ad free" subscription of Prime Video in the iOS app and paid with my credit card directly to Amazon. I didn't see an option to pay with the App Store's in-app purchase, neither did I see a "scare screen." Digital content? Yes. Can other apps do this? 🫠
@mysk_co
Mysk 🇨🇦🇩🇪
11 months
Google Authenticator still syncs two-factor authentication secrets without E2EE. If you enable cloud syncing, this means:
1️⃣ Google can read the secrets and generate one-time passwords for your accounts.
2️⃣ Google knows the services you use.
3️⃣ #Google knows your usernames.
#Privacy
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don't turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
@mysk_co
Mysk 🇨🇦🇩🇪
6 months
Apple "pressures" ByteDance and Tencent, but immediately suspended Epic Games' Apple Developer account and removed their apps from the App Store.
@MacRumors
MacRumors.com
6 months
Apple Pressures ByteDance and Tencent Over App Fee Loopholes in China
@mysk_co
Mysk 🇨🇦🇩🇪
1 month
We’ve been a little quiet recently, and not just because it’s the holiday season 🎄❄️. Over the last several months we’ve been working on a brand new privacy-focused app for iOS. We plan on launching this app soon and we can’t wait to share more details with you.
@mysk_co
Mysk 🇨🇦🇩🇪
1 month
It still doesn't sound right that a password manager app communicates with 130 different websites (for downloading icons). That's more than X on my device 🤯. Thanks to our report, all these connections now use HTTPS, but 130. 😩
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
Thank you @Apple! We were rewarded a bounty of $5,000 for reporting this bug. 🙏 CVE-2023-42846
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
🚨 NEW: Private Wi-Fi addresses had been useless ever since they were introduced in iOS 14. When an iPhone joins a network, it sends multicast requests to discover AirPlay devices in the network. In these requests, iOS sends the device's real Wi-Fi MAC address. 🎬 Watch the
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
6/6
It is worth noting that the DSID is also sent by other Apple apps for analytics purposes. You just need to know three things:
1- The App Store sends detailed analytics about you to Apple.
2- There's no way to stop it.
3- Analytics data are directly linked to you.
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
This statement is from a court document submitted by Apple's lawyers regarding the App Store data privacy class action lawsuit: "Given Apple’s extensive privacy disclosures, no reasonable user would expect that their actions in Apple’s apps would be private from Apple."
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
The "Advanced Tracking and Fingerprinting Protection" introduced in Safari in iOS 17 leaks DNS queries to Apple DNS server. Users who rely on custom DNS to block malware domains will be unprotected. We reported this bug to Apple, but Apple says it is not an issue. In our
@mysk_co
Mysk 🇨🇦🇩🇪
3 years
We prepared this video to illustrate why access to the accelerometer should get a permission in iOS. Unrestricted access to accelerometer data can breach user privacy. We used Facebook as an example in the video. #Cybersecurity #Privacy #iOS
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
2/6
Apple states in their Device Analytics & Privacy statement that the collected data does not identify you personally. This is inaccurate. We also showed earlier that the #AppStore keeps sending detailed analytics to Apple even when sharing analytics is switched off.
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
So does @WhatsApp and @Apple iMessage, and likely many other apps. Open a terminal on a Mac and check:
strings ~/Library/Group\ Containers/group.net.whatsapp.WhatsApp.shared/ChatStorage.sqlite
strings ~/Library/Messages/chat.db
@MacRumors
MacRumors.com
7 months
ChatGPT Mac App Stored User Chats in Plain Text Prior to Latest Update
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
@PrivacyMatters @signalapp It's a known issue:
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
Many comments suggest that if you don't want Apple to collect this private data about you, don't buy an iPhone. Well, many users already bought iPhones based on Apple's privacy promises. What should they do? Moreover, Apple has its own definition of the term "tracking" 👇
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
🎬 The App Store will continue to be the only place to install apps on the iPhone, even in the EU. Users should be aware that the App Store collects exhaustive usage data and sends it to #Apple. This can't be turned off. We made this video to show how tapping an app link gets
@mysk_co
Mysk 🇨🇦🇩🇪
3 months
Microsoft Defender marks emails from Microsoft as spam. Good job!
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
Many iOS users report losing their 2FA codes after updating their Google Authenticator app. Meanwhile, Android users took to Google Play reviews to complain about the lack of end-to-end encryption. #Google #2FA #Security #cybersecurity #InfoSec #iOS #Android
@mysk_co
Mysk 🇨🇦🇩🇪
8 months
YES!! iOS 18 will let users decide which contacts an app can access. This is sad news for data harvesting apps such as LinkedIn. #iOS18 #WWDC #Privacy
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
#iOS17 should stop apps from harvesting contact details when they have access to contacts and calendars. This video shows the data that LinkedIn syncs when it has access to contacts and calendars. 🤯 #WWDC23 #privacy #cybersecurity #cybersecuritytips
@mysk_co
Mysk 🇨🇦🇩🇪
6 months
First thoughts on having the opportunity to install apps from various app stores on the iPhone: it feels right, fair, and independent. Every iPhone user, not just those in the EU, should have that option.
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
When you view the tweet below by @signalapp on an iPhone, you'll see a card showing the Signal app with a button to install the app. If you tap on the button, a sheet is presented within the Twitter app showing more details about Signal. Even though the sheet is presented inside
@signalapp
Signal
2 years
Announcement! Signal is refreshing our board as we grow. We’re delighted to welcome @krmaher, @ambaonadventure, and @jaysullivan as Signal’s new Directors. Learn more here:
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
Signal now addresses vulnerabilities that have been known since 2018. Two CVEs were filed in this regard in 2023: CVE-2023-24068 & CVE-2023-24069. This proves the community note on @elonmusk' post wrong. Now do the right thing and vote against it. Thank you 🙏✌️ More links below:
@elonmusk
Elon Musk
9 months
@realchrisrufo There are known vulnerabilities with Signal that are not being addressed. Seems odd …
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
Again, iOS 17.0.3 changed my privacy settings and turned these settings on:
Significant Locations
iPhone Analytics
HomeKit and more 🤬
Check your iPhones before and after the upgrade and let us know 🙏
Settings -> Privacy & Security -> Location Services -> System Services
29
29
152
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
Update: The Lockdown Mode leaks more traffic outside the VPN tunnel than the "normal" mode. It also sends push notification traffic outside the VPN tunnel. This is weird for an extreme protection mode. Here is a screenshot of the traffic (VPN and Kill Switch enabled) #iOS
6
32
145
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
Many iPhone users are asking us to recommend safe authenticator apps. Well, the @AppStore is making it useless to recommend any app. No matter what you search for, the top hit is almost always an ad for a scam app. #Apple #AppStore #2FA
12
31
147
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
The definition of app sideloading: #Apple v #Google
2
20
149
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
🚨🎬
Here is what happens when you insert an unlocked SIM card into a locked iPhone:
- The #iPhone accepts the SIM card and connects to the internet 😳
- Apple immediately adds the phone number of the SIM card to the Apple ID of the iPhone owner 😲
- Apple accepts the new phone
12
33
149
@mysk_co
Mysk 🇨🇦🇩🇪
6 months
As we reported earlier, if a bad actor inserts a SIM card into a locked iPhone, the phone number of the SIM card will immediately be associated with the iPhone's Apple ID and iMessage while the iPhone is locked. Although we couldn't find a scenario to exploit this, we just find.
4
34
149
@mysk_co
Mysk 🇨🇦🇩🇪
10 days
A new mysterious location permission option has been added in iOS 18.2:
Privacy & Security ➡️ Location Services ➡️ System Services ➡️ "In-App Web Browsing"
It's on by default. Still figuring out what it's for 🤔
#Apple #Privacy
11
17
174
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
@hugelgupf @Apple Order an iPhone or iPad. Sign in to your iCloud account, accept the new terms, reset the device, and then send the device back to Apple. You can always return items purchased from Apple within 2 weeks. It's not good for the environment, but it should work.
11
4
142
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
✌️.
@9to5mac
9to5Mac
7 months
Signal encryption key vulnerability being fixed on Mac (and less fully on Windows) by @benlovejoy.
9
10
138
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
A few remarks about the #CrowdStrike outage:
➡️ A broken update rolled out to customers without sufficient testing. The bug is clearly so easily reproducible.
➡️ The update was released on Friday. Not a great sign.
➡️ A staged rollout would’ve avoided most of the damage.
5
16
143
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
🎬 Finally, iOS treats all browsers equally when it comes to PWAs. Previously, only Safari was able to install and run PWA apps. With iOS 17.4 beta in the EU, no browser can install PWA apps, even Safari. It seems PWAs have been disabled entirely. Oh yes, when you set a
22
29
134
@mysk_co
Mysk 🇨🇦🇩🇪
7 months
Back in the day, the rules to obtain the blue checks were absolutely arbitrary. Those who had "friends" at Twitter got it easily. Also Twitter employees allegedly sold the blue checks. Verified accounts used to have a clear advantage over unverified accounts. There was no clear.
@ThierryBreton
Thierry Breton
7 months
Back in the day, #BlueChecks used to mean trustworthy sources of information ✔️🐦. Now with X, our preliminary view is that:
❌ They deceive users.
❌ They infringe #DSA.
X has now the right of defence — but if our view is confirmed we will impose fines & require significant changes.
8
15
145
@mysk_co
Mysk 🇨🇦🇩🇪
11 months
If you leave the EU for "too long," you won't be able to update apps installed from alternative app marketplaces. This is not the case for the App Store. A German account can install apps and purchase content from the German App Store even if you're gone for "too long"
13
24
134
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
@narenkram @ProtonVPN 🤣🤣 You caught me. I'm doing it right now 😂
1
2
130
@mysk_co
Mysk 🇨🇦🇩🇪
2 years
3/6 Apple uses DSID to uniquely identify Apple ID accounts. DSID is associated with your name, email, and any data in your iCloud account. This is a screenshot of an API call to iCloud, and the DSID can be clearly seen alongside a user's personal data:
1
22
133