Yandex
Auto Added by WPeMatico
Auto Added by WPeMatico
Year after year, phishing remains one of the most popular and effective ways for attackers to steal your passwords. As users, we’re mostly trained to spot the telltale signs of a phishing site, but most of us rely on carefully examining the web address in the browser’s address bar to make sure the site is legitimate.
But even the browser’s anti-phishing features — often the last line of defense for a would-be phishing victim — aren’t perfect.
Security researcher Rafay Baloch found several vulnerabilities in some of the most widely used mobile browsers — including Apple’s Safari, Opera and Yandex — which if exploited would allow an attacker to trick the browser into displaying a different web address than the actual website that the user is on. These address bar spoofing bugs make it far easier for attackers to make their phishing pages look like legitimate websites, creating the perfect conditions for someone trying to steal passwords.
The bugs worked by exploiting a weakness in the time it takes for a vulnerable browser to load a web page. Once a victim is tricked into opening a link from a phishing email or text message, the malicious web page uses code hidden on the page to effectively replace the malicious web address in the browser’s address bar to any other web address that the attacker chooses.
In at least one case, the vulnerable browser retained the green padlock icon, indicating that the malicious web page with a spoofed web address was legitimate — when it wasn’t.
An address bar spoofing bug in Opera Touch for iOS (left) and Bolt Browser (right). These spoofing bugs can make phishing emails look far more convincing. (Image: Rapid7/supplied)
Rapid7’s research director Tod Beardsley, who helped Baloch with disclosing the vulnerabilities to each browser maker, said address bar spoofing attacks put mobile users at particular risk.
“On mobile, space is at an absolute premium, so every fraction of an inch counts. As a result, there’s not a lot of space available for security signals and sigils,” Beardsley told TechCrunch. “While on a desktop browser, you can either look at the link you’re on, mouse over a link to see where you’re going or even click on the lock to get certificate details. These extra sources don’t really exist on mobile, so the location bar not only tells the user what site they’re on, it’s expected to tell the user this unambiguously and with certainty. If you’re on palpay.com instead of the expected paypal.com, you could notice this and know you’re on a fake site before you type in your password.”
“Spoofing attacks like this make the location bar ambiguous, and thus, allow an attacker to generate some credence and trustworthiness to their fake site,” he said.
Baloch and Beardsley said the browser makers responded with mixed results.
So far, only Apple and Yandex pushed out fixes in September and October. Opera spokesperson Julia Szyndzielorz said the fixes for its Opera Touch and Opera Mini browsers are “in gradual rollout.”
But the makers of UC Browser, Bolt Browser and RITS Browser — which collectively have more than 600 million device installs — did not respond to the researchers and left the vulnerabilities unpatched.
TechCrunch reached out to each browser maker but none provided a statement by the time of publication.
Powered by WPeMatico
Even before pitching onstage at Y Combinator, Indian car refueling startup MyPetrolPump has managed to snag $1.6 million in seed financing.
The business, which is similar to startups in the U.S. like Filld, Yoshi and Booster Fuels, took 10 months to design and receive approval for its proprietary refueling trucks that can withstand the unique stresses of providing logistics services in India.
Together with co-founder Nabin Roy, a serial startup entrepreneur, MyPetrolPump co-founder and chief executive Ashish Gupta pooled $150,000 to build the company’s first two refuelers and launch the business.
MyPetrolPump began operating out of Bangalore in 2017 working with a manufacturing partner to make the 20-30 refuelers that the company expects it will need to roll out its initial services. However, demand is far outstripping supply, according to Gupta.
“We would need hundreds of them to fulfill the demand,” Gupta says. In fact the company is already developing a licensing strategy that would see it franchise out the construction of the refueling vehicles and regional management of the business across multiple geographies.
Bootstrapped until this $1.6 million financing, MyPetrolPump already has five refueling vehicles in its fleet and counts 2,000 customers already on its ledger.
These are companies like Amazon and Zoomcar, which both have massive fleets of vehicles that need refueling. Already the company has delivered 5 million liters of fuel with drivers working daily 12-hour shifts, Gupta says.
While services like MyPetrolPump have cropped up in the U.S. as a matter of convenience, in the Indian context, the company’s offering is more of necessity, says Gupta.
“In the Indian context, there’s pilferage of fuel,” says Gupta. Bus drivers collude with gas station operators to skim money off the top of the order, charging for 50 liters of fuel but only getting 40 liters pumped in. Another problem that Gupta says is common is the adulteration of fuel with additives that can degrade the engine of a vehicle.
There’s also the environmental benefit of not having to go all over to refill a vehicle, saving fuel costs by filling up multiple vehicles with a single trip from a refueling vehicle out to a location with a fleet of existing vehicles.
The company estimates it can offset 1 million tons of carbon in a year — and provide more than 300 billion liters of fuel. The model has taken off in other geographies as well. There’s Toplivo v Bak in Russia (which was acquired by Yandex), Gaston in Paris and Indonesia’s everything mobility company, Gojek, whose offerings also include refueling services.
And Gupta is preparing for the future as well. If the world moves to electrification and electric vehicles, the entrepreneur says his company can handle that transition as well.
“We are delivering a last-mile fuel delivery system,” says Gupta. “If tomorrow hydrogen becomes the dominant fuel we will do that… If there is electricity we will do that. What we are building is the convenience of last-mile delivery to energy at the doorstep.”
Powered by WPeMatico
Google has reached a settlement with Russia’s Federal Antimonopoly Service (FAS) agency in the antitrust case the Russian search rival Yandex had originally filed, claiming Google had violated local competition rules. The case revolved around how Google had required handset makers to pre-load their devices with Google apps and services in order to also gain access the Google Play… Read More
Powered by WPeMatico
Google has had another appeal against Android antitrust charges turned down by a Russian court. At issue is how the company requires handset makers using its Android OS to also pre-load Google apps and services onto devices in order to get access to the Play app store. Read More
Powered by WPeMatico
Amid reports that Russia will be one of the first countries to get access to the new music service that Apple is reportedly launching next week, Russian search giant Yandex is enhancing its own. Today it announced Yandex.Radio, an ad-supported streaming music service that provides around 100 ready-made “stations” to users organised around moods and themes, initially available… Read More
Powered by WPeMatico