Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mastodon.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
The original server operated by the Mastodon gGmbH non-profit

Administered by:

Server stats:

377K
active users

mastodon.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.4.0-nightly.2025-03-10

The Citizen Lab

🚨🚨WE URGE EVERYONE TO UPDATE THEIR APPLE DEVICES AS SOON AS POSSIBLE.

We have found an actively exploited vulnerability that was used to deliver group’s citizenlab.ca/2023/09/blastpas

The Citizen Lab · BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild - The Citizen LabCitizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware while checking the device of an individual employed by a Washington DC-based civil society organization with international offices. We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.
Sep 08, 2023, 06:51 PM·Public·Web
110boosts·72favorites
Public
Russell Devine :verified:

@citizenlab interested to know if Lockdown Mode on iOS and macOS would have prevented the exploit?

Public
ApplSec

@rjmd @citizenlab "We believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack."

Public
Feilner IT

@citizenlab but ... we were told this cannot happen on , because they are secure? And it cannot happen because it's Google, not a small team of underpaid developers?

Public
Hans-Christoph Steiner

Weeks later, Google posted a proper CVE. A publicly funded civil society org, @citizenlab found this #vuln, while two of world's largest corps, #Google and #Apple, sat on it while making sure that their affected products were patched. That sure makes them look good to non-technical users. They are built on #FreeSoftware, and have more than enough resources to be a responsible steward, but failed to do the standard practice #CVE, screwing everyone else.

arstechnica.com/security/2023/

Ars Technica · Google quietly corrects previously submitted disclosure for critical webp 0-dayPrevious CVE submission failed to mention that thousands of apps were affected.
#BigTech#WebP
ExploreLive feeds
About