Monthly archive: October 2020

Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable

Year after year, phishing remains one of the most popular and effective ways for attackers to steal your passwords. As users, we’re mostly trained to spot the telltale signs of a phishing site, but most of us rely on carefully examining the web address in the browser’s address bar to make sure the site is legitimate.
But even the browser’s anti-phishing features — often the last line of defense for a would-be phishing victim — aren’t perfect.
Security researcher Rafay Baloch found several vulnerabilities in some of the most widely used mobile browsers — including Apple’s Safari, Opera and Yandex — which if exploited would allow an attacker to trick the browser into displaying a different web address than the actual website that the user is on. These address bar spoofing bugs make it far easier for attackers to make their phishing pages look like legitimate websites, creating the perfect conditions for someone trying to steal passwords.


The bugs worked by exploiting a weakness in the time it takes for a vulnerable browser to load a web page. Once a victim is tricked into opening a link from a phishing email or text message, the malicious web page uses code hidden on the page to effectively replace the malicious web address in the browser’s address bar with any other web address that the attacker chooses.
In at least one case, the vulnerable browser retained the green padlock icon, indicating that the malicious web page with a spoofed web address was legitimate — when it wasn’t.

An address bar spoofing bug in Opera Touch for iOS (left) and Bolt Browser (right). These spoofing bugs can make phishing emails look far more convincing. (Image: Rapid7/supplied)

Rapid7’s research director Tod Beardsley, who helped Baloch with disclosing the vulnerabilities to each browser maker, said address bar spoofing attacks put mobile users at particular risk.
“On mobile, space is at an absolute premium, so every fraction of an inch counts. As a result, there’s not a lot of space available for security signals and sigils,” Beardsley told TechCrunch. “While on a desktop browser, you can either look at the link you’re on, mouse over a link to see where you’re going or even click on the lock to get certificate details. These extra sources don’t really exist on mobile, so the location bar not only tells the user what site they’re on, it’s expected to tell the user this unambiguously and with certainty. If you’re on palpay.com instead of the expected paypal.com, you could notice this and know you’re on a fake site before you type in your password.”
“Spoofing attacks like this make the location bar ambiguous, and thus, allow an attacker to generate some credence and trustworthiness to their fake site,” he said.
Baloch and Beardsley said the browser makers responded with mixed results.
So far, only Apple and Yandex pushed out fixes in September and October. Opera spokesperson Julia Szyndzielorz said the fixes for its Opera Touch and Opera Mini browsers are “in gradual rollout.”
But the makers of UC Browser, Bolt Browser and RITS Browser — which collectively have more than 600 million device installs — did not respond to the researchers and left the vulnerabilities unpatched.
TechCrunch reached out to each browser maker but none provided a statement by the time of publication.


Daily Crunch: Pakistan un-bans TikTok

TikTok returns to Pakistan, Apple launches a music-focused streaming station and SpaceX launches more Starlink satellites. This is your Daily Crunch for October 19, 2020.
The big story: Pakistan un-bans TikTok
The Pakistan Telecommunication Authority blocked the video app 11 days ago, over what it described as “immoral,” “obscene” and “vulgar” videos. The authority said today that it’s lifting the ban after negotiating with TikTok management.

“The restoration of TikTok is strictly subject to the condition that the platform will not be used for the spread of vulgarity/indecent content & societal values will not be abused,” it continued.
This isn’t the first time this year the country tried to crack down on digital content. Pakistan announced new internet censorship rules this year, but rescinded them after Facebook, Google and Twitter threatened to leave the country.
The tech giants
Apple launches a US-only music video station, Apple Music TV — The new music video station offers a free, 24-hour live stream of popular music videos and other music content.
Google Cloud launches Lending DocAI, its first dedicated mortgage industry tool — The tool is meant to help mortgage companies speed up the process of evaluating a borrower’s income and asset documents.
Facebook introduces a new Messenger API with support for Instagram — The update means businesses will be able to integrate Instagram messaging into the applications and workflows they’re already using in-house to manage their Facebook conversations.
Startups, funding and venture capital
SpaceX successfully launches 60 more Starlink satellites, bringing total delivered to orbit to more than 800 — That makes 835 Starlink satellites launched thus far, though not all of those are operational.
Singapore tech-based real estate agency Propseller raises $1.2M seed round — Propseller combines a tech platform with in-house agents to close transactions more quickly.
Ready Set Raise, an accelerator for women built by women, announces third class — Ready Set Raise has changed its programming to be more focused on a “realistic fundraising process” vetted by hundreds of women.
Advice and analysis for Extra Crunch
Are VCs cutting checks in the closing days of the 2020 election? — Several investors told TechCrunch they were split about how they’re making these decisions.
Disney+ UX teardown: Wins, fails and fixes — With the help of Built for Mars founder and UX expert Peter Ramsey, we highlight some of the things Disney+ gets right and things that should be fixed.
Late-stage deals made Q3 2020 a standout VC quarter for US-based startups — Investors backed a record 88 megarounds of $100 million or more.
(Reminder: Extra Crunch is our subscription membership program, which aims to democratize information about startups. You can sign up here.)
Everything else
US charges Russian hackers blamed for Ukraine power outages and the NotPetya ransomware attack — Prosecutors said the group of hackers, who work for the Russian GRU, are behind the “most disruptive and destructive series of computer attacks ever attributed to a single group.”
Stitcher’s podcasts arrive on Pandora with acquisition’s completion — SiriusXM today completed its previously announced $325 million acquisition of podcast platform Stitcher from E.W. Scripps, and has now launched Stitcher’s podcasts on Pandora.
Original Content podcast: It’s hard to resist the silliness of ‘Emily in Paris’ — The show’s Paris is a fantasy, but it’s a fantasy that we’re happy to visit.
The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.


Google Pixel 5 review: Keeping it simple

I’m going to be totally honest with you. I don’t really understand Google’s phone strategy right now. And for what it’s worth, I’m not really sure Google does either. I wrote about it here, but I’ll save you from having to read an additional 800 words on top of all these. The short version is that Google has three phones on the market, and there isn’t a whole heck of a lot of distinction between them.
The Pixel is a portrait of a hardware division in transition. That applies to a number of aspects, from strategy to the fact that the company recently saw a minor executive exodus. It’s pretty clear the future of Google’s mobile hardware division is going to look quite different from its present — but 2020’s three phones are most likely a holdover from the old guard.


What you’re looking at here is the Pixel 5. It’s Google’s flagship. A device that sports — among other things — more or less the same mid-range Qualcomm processor as the 4a announced earlier this year. It distinguishes itself from that budget handset, however, with the inclusion of 5G. But then here comes the 4a 5G to further muddy the waters.
There are some key distinctions that separate the 5 and 4a 5G, which were announced at the same event. The 5’s got a more solid body, crafted from 100% recycled aluminum to the cheaper unit’s polycarbonate. It also has waterproofing and reverse wireless charging, a fun feature we’ve seen on Samsung devices for a few generations now. Beyond that, however, we run into something that’s been a defining issue since the line’s inception. If you choose not to use hardware to define your devices, it becomes difficult to differentiate your devices’ hardware.

Image Credits: Brian Heater

Since the very beginning of the Pixel line, the company has insisted that it will rely on software advances to push the products forward. It’s a nice sentiment after years of feature arms races between the likes of Apple and Samsung. But that means when it comes time to introduce new devices, the results can be fairly lackluster. That certainly applies to the Pixel 5.
From a hardware perspective, it’s not a particularly exciting phone. That’s probably fine for many. Smartphones have, after all, become more commodity than luxury item, and plenty of users are simply looking for one that will just get the job done. That said, Google’s got some pretty stiff competition at the Pixel 5’s price point — and there are plenty of Android devices that can do even more.
There are certainly some upgrades in addition to the above worth pointing out, however. Fittingly, the biggest and most important of all is probably the least exciting. The Pixel 4 was actually a pretty solid device hampered by one really big issue: an abysmal battery life. The 2,800mAh capacity was a pretty massive millstone around the device’s neck. That, thankfully, has been addressed here in a big way.


Google’s bumped things up to 4,080mAh. That’s also a pretty sizable bump over the 4a and 4a 5G, which sport 3,885mAh and 2,130mAh, respectively. That extra life is extra important, given the addition of both Battery Share and 5G. For the sake of disclosure, I should mention that I still live in an area with basically no 5G (three cheers for working from home), so your mileage will vary based on coverage. But using LTE, I was able to get about a day and a half of use out of the handset, besting the stated “all-day battery.”
This is helped along by a (relatively) compact display. Gone are the days of the XL (though, confusingly, the 4a 5G does have a larger screen with a bit lower pixel density). The flagship is only available in a six-inch, 2,340 x 1,080 size. It’s larger than the Pixel 4’s 5.7 inches, but at a lower pixel density (432 versus 444 ppi). The 90Hz refresh rate remains. Compared to all of the phones I’ve been testing lately, the Pixel 5 feels downright compact. It’s a refreshing change to be able to use the device with one hand.

Image Credits: Brian Heater

The camera is probably the aspect of the handset where the opposing hardware-first and software-first approaches are the most at conflict with one another. Google was fairly convinced it could do everything it wanted with a single lens early on, but eventually begrudgingly gave in to a two-camera setup. The hardware is pretty similar to last year’s model, but the 16-megapixel 2x optical telephoto has been replaced by a 16-megapixel ultra-wide. Whether that represents progress is largely up to your own personal preference. Frankly, I’d prefer a little more non-distorted zooming.
Google, of course, is building on a solid foundation. I really loved the Pixel 4’s photos. The things Google’s imaging team has been able to do with relative hardware constraints is really impressive, and while you’re lacking the scope of a premium Samsung device or high-end iPhone, casual photo snappers are going to be really happy with the shots they get on the Pixel 5.

Night Sight has been improved and now turns on when the phone’s light sensor detects a dark scene. My morning walks have gotten decidedly darker in recent weeks as the season has changed, and the phone automatically enters the mode for those pre-dawn shots (COVID-19 has made me an early riser, I don’t know what to tell you). The feature has also been added to portrait mode for better focused shots.
The Pixel’s Portrait Mode remains one of the favorites — though it’s still imperfect, running into issues with things like hair or complex geometries. It really doesn’t know what to do with a fence much of the time, for instance. The good news is that Google’s packed a lot of editing options into the software here — particularly for Portrait Mode.


You can really go crazy in terms of bokeh levels and placement and portrait lighting, a relatively subtle effect that lends the appearance of changing a light source. Changing the effects can sometimes be a bit laggy, likely owing to the lower-end processing power. All said, it’s a good and well-rounded photo experience, but as usual, I would really love to see what Google’s imaging team would be able to do if the company ever gives it some real high-end photography hardware to play around with. Wishful thinking for whatever the Pixel 6 becomes, I suppose.
In the end, the two biggest reasons to recommend upgrading from the Pixel 4 are 5G and bigger battery. The latter is certainly a big selling point this time out. The former really depends on what coverage is like in your area. The 5G has improved quite a bit of late, but there are still swaths of the U.S. — and the world — that will be defaulting to LTE on this device. Also note that the $200 cheaper 4a 5G also offers improvements in both respects over last year’s model.
Still, $700 is a pretty reasonable price point for a well-rounded — if unexciting — phone like the Pixel 5. And Google’s got other things working in its favor, as well — pure Android and the promise of guaranteed updates. If you’re looking for something with a bit more flash, however, there are plenty of options in the Android world.


Daily Crunch: Apple introduces the iPhone 12

Apple embraces 5G, Facebook Messenger gets better integrated with Instagram and Kahoot raises $215 million. This is your Daily Crunch for October 13, 2020.
The big story: Apple introduces the iPhone 12
Apple’s big event today kicked off with the announcement of the HomePod Mini, but the real focus was on the iPhone — specifically, the iPhone 12.

Pricing for the new iPhone starts at $799. New features include 5G, a magnetic adapter for various accessories (including wireless chargers) and a more durable Corning glass display.
There are four models, so if you’re trying to decide which one you want, we’ve even created a handy chart to keep them all straight.
The tech giants
Alphabet’s latest moonshot is a field-roving, plant-inspecting robo-buggy — Announced with little fanfare in a blog post and site, the Mineral project is still very much in the experimental phase.
Messenger’s latest update brings new features, cross-app communication with Instagram – The changes are a part of Facebook’s overhauled messaging platform, announced in late September, which introduced the ability for Instagram users to communicate with people on Facebook.
Startups, funding and venture capital
Kahoot picks up $215M from SoftBank for its user-generated, gamified e-learning platform — After announcing a modest $28 million raise earlier this year, the user-generated gamified e-learning platform revealed a much bigger round today.
Astroscale raises $51M in Series E funding to fuel its orbital sustainability ambitions — The Japan-based company has been focused on delivering new solutions for orbital end-of-life.
Caliber, with $2.2M in seed funding, launches a fitness coaching platform — The company says it brings on about five of every 100 applications for coaches on the platform, accepting only the very best trainers.
Advice and analysis from Extra Crunch
Is the Twilio-Segment deal expensive? — A quick look at the deal’s historical analogs and what we can tell from the numbers.
Should you replace your developer portal with a hybrid integration platform? — Changing your integration approach can reduce time to market and boost revenue.
Everything else
Walt Disney announces reorganization to focus on streaming — Disney’s media businesses, ads and distribution and Disney+ will now operate under the same business unit.
Original Content podcast: Netflix’s ‘Enola Holmes’ is thoroughly mediocre — I did not enjoy this movie.

What to expect from Apple’s ‘Hi Speed’ iPhone event

For starters, iPhones, of course. That one was easy. The company skipped out on new mobile devices during its recent Apple Watch event, owing to COVID-19-related delays. And, of course, the fact that the events are all pre-taped and virtual now means companies can more easily split them up in ways that were harder to justify when people were expected to fly in from all over the world.
That doesn’t mean we won’t be getting more than just a phone (or, more like multiple phones). While Apple’s been more inclined to host more, smaller events, there’s a decent chance this is going to be the last major event the company hosts before the holidays. That means it’s going to want to get a lot of bang for its buck this time out.
The iPhone 12 is expected to be the centerpiece, of course. The headline feature will almost certainly be 5G. Apple’s been a little behind the curve on that front versus its Android competitors (Samsung, for instance, has several devices with next-gen wireless), though another knock-on effect from the pandemic has been a slower than expected adoption of the tech. So in some ways, Apple’s really right on time here. In the U.S., the company is said to offer both the mmWave and sub-6Ghz 5G technologies. Availability may vary depending on the needs of a given market.


Rumors point to a bunch of different models. After all, gone are the days a company like Apple could just offer up a big premium device and be done with it. Sales for high-end devices were already drying up well before the virus came along to bring smartphone sales to a screeching halt there for a bit. People were already tired of paying in excess of $1,000 for new phones when the ones they already had still did the job perfectly fine.
There are supposedly four sizes arriving. There will be higher-end devices at 6.1 and 6.7 inches, and more budget-minded devices at 6.1 and 5.4 inches. It’s a pretty broad price range, from $699 for the “mini” to $1,099 and up for the Pro Max (sandwiched between are the $799 iPhone 12 and $999 Pro). Along with its recently expanded Watch line, Apple’s all about choice this time out.
Reportedly, however, the company will be bringing OLED tech to all of the models, marking a pretty big change from the days of LCD-sporting budget models. The new models are expected to get a welcome redesign, reportedly returning to something more in line with the iPhone 5. The rounded edges are expected to be dropped in favor of a flatter design, akin to what you get on the iPad Pro.
Other interesting potential additions include the return of the company’s dearly departed MagSafe life for a pair of wireless charging pads that will hopefully finally lay to rest any memory of the failed AirPower experiment. Available for one or two devices, the new pads will reportedly leverage magnets built into the phones to snap them in place.
Music has always been a cornerstone for the company, and it’s long overdue for some updates to audio products. This time out, we may finally get the long-awaited AirPods Studio, an over-ear addition to its line of headphones. The models are set to come in two variations, the largest variation being build materials. A smaller version of its smart speaker could be on the way, as well. The HomePod has long been cost-prohibitive for many, so a mini version could finally make it a bit more accessible.


Another long-rumored addition — AirTags — could finally arrive, as well. Apple’s product-tracking Tile competitor has been in the cards for some time now, but has repeatedly been delayed. That may still be the case — and same goes for a refresh to Apple TV. With the company’s subscription service about to celebrate its year anniversary, it could really use some updated hardware. New Macs with Apple-built chips could be on the table, as well, though the company is reportedly planning one more 2020 event for that big launch.
The event kicks off tomorrow at 10AM PT/1PM ET. We’ll be watching along with you, bringing you the news as it breaks.
