Security week-in-review: Millions of U.S. voter profiles left accessible


It’s hard to keep up with the hundreds of security-specific headlines published every week.

So, we’re rounding up the top news that affects you, your business, and the security and technology industry overall. This week we explore unprotected voting records, unencrypted iOS components, and Google’s new two-factor authentication option. Check back every Friday to learn about the latest in security news.

154M U.S. voter profiles breached

Information for 154 million United States voters was left exposed in a database “configured for public access,” according to security researcher Chris Vickery. The information included fields for name, phone number, address, estimated income, voting frequency, and data on whether the voter is a gun owner. The database has since been taken offline.

Learn more about the database.

The Department of Defense warns of potentially risky app

This week, Lookout released research into an app called “CAC Scan,” which could be considered a risky app by any government agency or “Common Access Card” user. The app allows anyone to scan these cards, which hold sensitive information such as Social Security numbers. The Department of Defense recently warned its employees about the app and its capabilities.

Check out what the app can do here.

Apple releases iOS developer version with elements unencrypted

Apple released a developer version of its mobile operating system iOS, but left some pieces of the code uncharacteristically unencrypted. Security experts, according to MIT Technology Review, discovered the change and pondered whether the move was a mistake or purposefully executed to encourage bug-finding in the software. Apple responded, saying the company did intend to leave these parts of the software unencrypted, and that it did so not for security reasons but to improve performance without compromising security.

Read more about the move here.

PayPal plugs malicious images vulnerability

Online payments company PayPal released a patch this week for a serious vulnerability that could have allowed criminals to remotely inject malicious images into “the PayPal components used for transactions by the customers,” according to researcher Aditya K Sood. Sood discovered that the URL associated with PayPal’s payments page included a parameter in which someone could insert an image URL. Simply by manipulating the URL, a criminal could have served up an image embedded with an exploit to unsuspecting visitors.

Get more information about the patch here.

Google introduces new two-factor authentication prompt

If you use some form of two-factor authentication, you’re probably used to entering a PIN or code — often sent to a mobile device via text or through an app — into the login page of the account you’re attempting to access. This week, Google introduced a new way to prove your identity: by tapping “yes.” The new feature, called “Google prompt,” connects to your phone and presents you with a screen that asks, “Trying to sign in? Are you trying to sign in from another computer?” whenever you want to access your account. You simply click yes and it grants you access.

Learn more about the feature here.

Image via justgrimes/Flickr