Tuesday, 20 October 2020

Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable

Year after year, phishing remains one of the most popular and effective ways for attackers to steal your passwords. As users, we’re mostly trained to spot the telltale signs of a phishing site, but most of us rely on carefully examining the web address in the browser’s address bar to make sure the site is legitimate.

But even the browser’s anti-phishing features — often the last line of defense for a would-be phishing victim — aren’t perfect.

Security researcher Rafay Baloch found several vulnerabilities in some of the most widely used mobile browsers — including Apple’s Safari, Opera and Yandex — which if exploited would allow an attacker to trick the browser into displaying a different web address than the actual website that the user is on. These address bar spoofing bugs make it far easier for attackers to make their phishing pages look like legitimate websites, creating the perfect conditions for someone trying to steal passwords.

The bugs worked by exploiting a weakness in the time it takes for a vulnerable browser to load a web page. Once a victim is tricked into opening a link from a phishing email or text message, the malicious web page uses code hidden on the page to effectively replace the malicious web address in the browser’s address bar with any other web address that the attacker chooses.

In at least one case, the vulnerable browser retained the green padlock icon, indicating that the malicious web page with a spoofed web address was legitimate — when it wasn’t.

An address bar spoofing bug in Opera Touch for iOS (left) and Bolt Browser (right). These spoofing bugs can make phishing emails look far more convincing. (Image: Rapid7/supplied)

Rapid7’s research director Tod Beardsley, who helped Baloch with disclosing the vulnerabilities to each browser maker, said address bar spoofing attacks put mobile users at particular risk.

“On mobile, space is at an absolute premium, so every fraction of an inch counts. As a result, there’s not a lot of space available for security signals and sigils,” Beardsley told TechCrunch. “While on a desktop browser, you can either look at the link you’re on, mouse over a link to see where you’re going or even click on the lock to get certificate details. These extra sources don’t really exist on mobile, so the location bar not only tells the user what site they’re on, it’s expected to tell the user this unambiguously and with certainty. If you’re on palpay.com instead of the expected paypal.com, you could notice this and know you’re on a fake site before you type in your password.”

“Spoofing attacks like this make the location bar ambiguous, and thus, allow an attacker to generate some credence and trustworthiness to their fake site,” he said.

Baloch and Beardsley said the browser makers responded with mixed results.

So far, only Apple and Yandex pushed out fixes in September and October. Opera spokesperson Julia Szyndzielorz said the fixes for its Opera Touch and Opera Mini browsers are “in gradual rollout.”

But the makers of UC Browser, Bolt Browser and RITS Browser — which collectively have more than 600 million device installs — did not respond to the researchers and left the vulnerabilities unpatched.

TechCrunch reached out to each browser maker but none provided a statement by the time of publication.



from Apple – TechCrunch https://ift.tt/2HjO0sX

Google calls DOJ’s antitrust lawsuit “deeply flawed” in GIF-laden blog response

Google was clearly anticipating today’s U.S. Department of Justice antitrust complaint filing – the company posted an extensive rebuttal of the lawsuit to its Keyword company blog. The post, penned by SVP of Global Affairs and Google Chief Legal Officer Kent Walker, suggests that the DOJ’s case is “deeply flawed” and “would do nothing to help consumers,” before going into a platform-by-platform description of why it thinks its position in the market isn’t representative of unfair market dominance that would amount to antitrust.

Google’s blog post is even sprinkled with GIFs – something that’s pretty common for the search giant when it comes to its consumer product launches. These GIFs include step-by-step screen recordings of setting search engines other than Google as your default in Chrome on both mobile and desktop. These processes are both described as “trivially easy” by Walker in the post, but they do look like a bit of an own-goal when you notice just how many steps it takes to get the job done on desktop in particular, including what looks like a momentary hesitation in where to click to drill down further for the “Make Default” command.


Google also reportedly makes reference to companies choosing their search engine as default because of the quality of their service, including both Apple and Mozilla (with a link drop for our own Frederic Lardinois). Ultimately, Google is making the argument that its search engine isn’t dominant because of a lack of viable options fostered by anti-competitive practices, but that instead it’s a result of building a quality product that consumers then opt in to using from among a field of choices.

The DOJ’s full suit dropped this morning, and an initial analysis suggests that this scrutiny is perhaps inopportunely timed in terms of its proximity to the election to actually have any significant teeth. There is some indication that a broader, bipartisan investigation with support from state-level attorneys general on both sides of the aisle could follow later, however, so it’s not necessarily all just going to go away regardless of election outcome.



from Apple – TechCrunch https://ift.tt/3jghZif

Gowalla is being resurrected as an augmented reality social app

Gowalla is coming back.

The startup, which longtime TechCrunch readers will likely recall, was an ambitious consumer social app that excited Silicon Valley investors but ultimately floundered in its quest to take on Foursquare before an eventual $3 million acquihire in 2011 brought the company’s talent to Facebook.

The story certainly seemed destined to end there, but founder Josh Williams tells TechCrunch that he has decided to revive the Gowalla name and build on its ultimate vision by leaning on augmented reality tech.

“I really don’t think [Gowalla’s vision] has been fully realized at all, which is why I still want to scratch this itch,” Williams tells TechCrunch. “It was frankly really difficult to see it shut down.”

After a stint at Facebook, another venture-backed startup and a few other gigs, Williams has reacquired the Gowalla name, and is resurrecting the company with the guidance of co-founder Patrick Piemonte, a former Apple interface designer who previously founded an AR startup called Mirage. The new company was incubated inside Form Capital, a small design-centric VC fund operated by Williams and Bobby Goodlatte.

Founders Patrick Piemonte (left) and Josh Williams (right). Image credit: Josh Williams.

Williams hopes that AR can bring the Gowalla brand new life.

Despite significant investment from Facebook, Apple and Google, augmented reality is still seen as a bit of a gamble with many proponents estimating mass adoption to be several years out. Apple’s ARKit developer platform has yielded few wins despite hefty investment and Pokémon Go — the space’s sole consumer smash hit — is growing old.

“The biggest AR experience out there is Pokémon Go, and it’s now over six years old,” Williams says. “It’s moved the space forward a lot but is still very early in terms of what we’re going to see.”

Williams was cryptic when it came to details for what exactly the new augmented reality platform would look like when it launches. He did specify that it will feel more like a gamified social app than a social game, though he also lists the Nintendo franchise Animal Crossing as one of the platform’s foundational inspirations.

A glimpse of the branding for the new Gowalla. Image credit: Josh Williams

“It’s not a game with bosses or missions or levels, but rather something that you can experience,” Williams says. “How do you blend augmented reality and location? How do you see the world through somebody else’s eyes?”

A location-based social platform will likely rely on users actually going places, and the pandemic has largely dictated the app’s launch timing. Today, Gowalla is launching a waitlist; Williams says the app itself will launch in beta “in a number of cities” sometime in the first half of next year. The team is also trying something unique with a smaller paid beta group called the “Street Team,” which will give users paying a flat $49 fee early access to Gowalla as well as “VIP membership,” membership to a private Discord group and some branded swag. A dedicated Street Team app will also launch in December.



from Apple – TechCrunch https://ift.tt/3obUZ7G

Genies updates its software development kit and partners with Gucci, Giphy

Genies has updated its software development kit and added Giphy and Gucci as new partners to enable their users to create personalized Genie avatars.

The company released the first version of its SDK in 2018 when it raised $10 million to directly challenge Snap and Apple for avatar dominance. Now, with the latest update, the company said it has managed to create a new three-dimensional rendering that can be used across platforms — if developers let Genies handle the animation.

Genies has already managed to sign up many of the biggest names in entertainment to act as their official manager through its Genies talent agency. These include celebrities like Shawn Mendes, Justin Bieber, Cardi B, and Rihanna. Genies also locked in deals with the National Football League’s players’ association along with Major League Baseball and the National Basketball Association.

Now, those celebrities and athletes can monetize exclusive digital goods made by Genies on platforms like Gucci and Giphy, and the fashion house and meme generator can now give users their own digital identity to play around with.

“Over the past year, our technology has been sharpened by the exacting creative demands of celebrities. This advanced Genies’ march to be the go-to avatar globally,” said Akash Nigam, Genies CEO and co-founder, in a statement. “What was previously a celebrity exclusive experience, is now broadly available for consumers to use as their virtual portable identities. By opening up to the masses, we’ve now created an opportunity for tastemakers to forge new, unique relationships with their audiences through avatar digital goods.”

The SDK integrations are still highly curated and tailored (there’s a lot of heavy lifting that Genies needs to do with each one). For instance, Gucci users can try on the latest designs and the company will sell digital goods on its platform created by Genies. Giphy users will use their avatars as gifs on its site and through its distribution network.

“Our Avatar Agency has served as the go-to platform for thousands of artists, and with our next-gen, highly expressive and dynamic 3D Genie, we will further solidify our position as the universal digital identity,” said Izzy Pollak, Director of Avatar SDK at Genies. “For celebrities and everyday users alike, it unlocks new arenas and verticals for users to cultivate their avatars in. On top of traditional 2D environments like mobile apps and websites, Genies can now live in AR/VR platforms, games, and in use cases or SDK partner platforms that demand a 360-degree rendering of the digital goods they purchase.”



from Apple – TechCrunch https://ift.tt/3klT7Y0

The Justice Department has filed its antitrust lawsuit against Google

The Justice Department said it has filed its long-awaited antitrust lawsuit against Google, confirming an earlier report from The Wall Street Journal.

In the suit, the Justice Department is expected to argue that Google used anticompetitive practices to safeguard its monopoly position as the dominant force in search and search-advertising, which sit at the foundation of the company’s extensive advertising, data mining, video distribution, and information services conglomerate.

It would be the first significant legal challenge that Google has faced from U.S. regulators despite years of investigations into the company’s practices.

A 2012 attempt to bring the company to the courts to answer for anti-competitive practices was ultimately scuttled because regulators at the time weren’t sure they could make the case stick. Since that time Alphabet’s value has skyrocketed to reach over $1 trillion (as of today’s share price).

Alphabet, Google’s parent company, holds a commanding lead in both search and video. The company dominates the search market — with roughly 90% of the world’s internet searches conducted on its platform — and roughly three quarters of American adults turn to YouTube for video, as the Journal reported.

In the lawsuit, the Department of Justice will say that Alphabet’s Google subsidiary uses a web of exclusionary business agreements to shut out competitors. The billions of dollars that the search giant collects wind up paying mobile phone companies, carriers and browsers to make the Google search engine a preset default. That blocks competitors from being able to access the kinds of queries and traffic they’d need to refine their own search engine.

It will be those relationships — alongside Google’s insistence that its search engine come pre-loaded (and un-deletable) on phones using the Android operating system and that other search engines specifically not be pre-loaded — that form part of the government’s case, according to Justice Department officials cited by the Journal.

The antitrust suit comes on the heels of a number of other regulatory actions involving Google, which is not only the dominant online search provider, but also a leader in online advertising and in mobile technology by way of Android, as well as a strong player in a web of other interconnected services like mapping, online productivity software, cloud computing and more.


A report last Friday in Politico noted that Democrat Attorneys General would not be signing the suit. That report said those AGs have instead been working on a bipartisan, state-led approach covering a wider number of issues beyond search — the idea being also that more suits potentially give the government a stronger bargaining position against the tech giant.

A third suit is being put together by the state of Texas, although that has faced its own issues.

While a number of tech leviathans are facing increasing scrutiny from Washington, with the US now just two weeks from Election Day, it’s unlikely that we are going to see many developments around this and other cases before then. And in the case of this specific Google suit, in the event that Trump doesn’t get re-elected, there will also be a larger personnel shift at the DoJ that could also change the profile and timescale of the case.

In any event, fighting these regulatory cases is always a long, drawn-out process. In Europe, Google has faced a series of fines over antitrust violations stretching back several years, including a $2.7 billion fine over Google shopping; a $5 billion fine over Android dominance; and a $1.7 billion fine over search ad brokering. While Google slowly works through appeals, there are also more cases ongoing against the company in Europe and elsewhere.

Google is not the only one catching the attention of Washington. Earlier in October, the House Judiciary Committee released a report of more than 400 pages in which it outlined how tech giants Apple, Amazon, Alphabet (Google’s parent company) and Facebook were abusing their power, covering everything from the areas in which they dominate, through to suggestions for how to fix the situation (including curtailing their acquisitions strategy).

That seemed mainly to be an exercise in laying out the state of things, which could in turn be used to inform further actions, although in itself, unlike the DoJ suit, the House report lacks teeth in terms of enforcement or remedies.



from Android – TechCrunch https://ift.tt/3dG5hZ9

Adobe Lightroom gets a new color grading tool, auto versions, graphical watermarking and more

At its MAX conference, Adobe today announced the launch of the latest version of Lightroom, its popular photo management and editing tool. The highlights of today’s release are the introduction of a new color grading tool that’s more akin to what you’d find in a video editor like Adobe Premiere or DaVinci Resolve, auto versioning that’s saved in the cloud (and hence not available in Lightroom Classic) and graphical watermarks, in addition to a number of other small feature updates across the application.

Adobe had already teased the launch of the new color grading feature last month, which was probably a good idea given how much of a change this is for photographers who have used Lightroom before. Adjusting color is, after all, one of the main features of Lightroom and this is a major change.


At its core, the new color wheels replace the existing ‘split toning’ controls in Lightroom.

“Color Grading is an extension of Split Toning — it can do everything Split Toning did, plus much more,” Adobe’s Max Wendt explains in today’s announcement. “Your existing images with Split Toning settings will look exactly the same as they did before, your old Split Toning presets will also still look the same when you apply them, and you can still get the same results if you had a familiar starting point when doing Split Toning manually.”

My guess is that it’ll take a while for many Lightroom users to get the hang of these new color wheels. Overall, though, I think this new system is more intuitive than the current split toning feature that a lot of users regularly ignored.

The new color grading feature will be available across platforms and in Lightroom Classic, as well as Camera Raw.

The other new feature Adobe is highlighting with this release is graphical watermarks (available on Windows, Mac, iOS, iPadOS, Android and Chrome OS), which augment the existing text-based watermarking in Lightroom. This does exactly what the name implies, and the watermarks are automatically applied when you share or export an image.


The most important overall quality of life feature the team is adding is auto versions (also available on Windows, Mac, iOS, iPadOS, Android and Chrome OS). This makes it far easier to save different versions of an image — and these versions are synced across platforms. That way, you can easily go back and forth between different edits and revert those as necessary, too.


With its new ‘best photos’ feature, Adobe is now also using its AI smarts to find the best photos you’ve taken, but only on iOS, iPadOS, Android, Chrome OS and the web. It’ll look at the technical aspects of your photo, as well as whether your subjects have their eyes open and face forward, for example, and the overall framing of the image. Users can decide how many of their images make the cut by toggling a threshold slider.

Another nifty new feature for Canon shooters who use Lightroom Classic is the addition of a tethered live view for Canon – with support for other cameras coming soon. With this, you get a real-time feed from your camera, making it easier to collaborate with others in real time.

 



from Android – TechCrunch https://ift.tt/35ehalb
