A bug was recently fix in Signal that allowed a caller to force a call connection without any user interaction on the receiving side. We’ve seen this sort of problem in other chat applications, most recently the Zoom debacle.
The Signal client uses the same function to connect an outgoing call as an incoming call. This bit of code re-use allows a malicious client to initiate a call, and then send the “Accept Call” message. Because of the code re-use, this message triggers the same code as the accept call button on the receiving side. It’s as if the attacker uses reverse psychology to trick the other client into connecting.
It seems this bug only affected the Android client, and didn’t trigger a video call. It’s unclear whether the bug was discovered and exploited before it was fixed, but now that it has been announced, be sure to get Signal up to date. Continue reading “This Week In Security: Signal, WhatsApp, Oauth Fishing, And More State-Sponsored Attacks”
One of the tasks I dread is configuring a web server to send email correctly via Gmail. The simplest way of sending emails is SMTP, and there are a number of scripts out there that provide a simple method to send mail that way with a minimum of configuration. There’s even PHP
mail(), although it’s less than reliable.
Out of the box, Gmail requires OAUTH2 for authentication and to share user data, which has the major advantage of not requiring that you store your username and password in the application that requires access to your account. While they have an ‘allow less secure apps’ option that allows SMTP access for legacy products like Microsoft Outlook, it just doesn’t seem like the right way forward. Google documents how to interact with their API with OAUTH2, so why not just use that instead of putting my username and password in plaintext in a bunch of prototypes and test scripts?
Those are the thoughts that run through my head every time this comes up for a project, and each time I’ve somehow forgotten the steps to do it, also forgotten to write it down, and end up wasting quite a bit of time due to my own foolishness. As penance, I’ve decided to document the process and share it with all of you, and then also make it work on an ESP8266 board running the Arduino development environment.
Continue reading “Using Gmail With OAUTH2 In Linux And On An ESP8266”
[ZPriddy] was looking for a way to control his Nest thermostats with Amazon Echo. He didn’t want to settle for using AWS or some other hosted service. [ZPriddy] wanted something that he could host and manage completely on his own. The end result is what he calls EchoNestPy.
[ZPriddy] started by learning how to use the Alexa Skills Kit (ASK). ASK is the official SDK that allows enthusiasts to add functionality to their Amazon Echo. Unfortunately for [ZPriddy], most of the example code he found was designed to be used on Amazon Lambda, but that didn’t stop him. After finding a few examples of Amazon Echo requests and responses, he was on his way.
[ZPriddy] chose to implement a simple web server using Flask. The web server listens for the Amazon requests and responds appropriately. It also Oauth2 authentication to ensure some level of security. The server is capable of synchronizing the temperature of multiple Nest devices in the same home, but it can also increment or increment the temperature across the board. This is accomplished with some simple voice commands such as “Tell Nest that I’m a little bit chilly”. If you like Amazon Echo hacks, be sure to check out this other one for controlling WeMo devices. Continue reading “Control Nest Devices With Amazon Echo”
[Santiago] recently completed this project which he calls Tuitwall. It will display your Twitter feed on an LED matrix. The method he used to put it together will come in handy for any project where you need to scrape information from the Internet.
The project does require a server in addition to the Arduino hardware seen above. On the Arduino side [Santiago] uses an Ethernet shield and an LED matrix which is addressed via SPI. The server is running a PHP script which takes advantage of the twitteroauth library to handle authentication.
There’s a little bit of configuration to be done, most of it having to do with how Twitter handles 3rd party applications. But once everything is set up you can take the hardware with you and plug it into any network (as long as it offers DHCP). With this framework as a guide it’s a snap to bend it to your will. It could be used as an RSS reader, time and temperature, server farm status, a prank ticket displaying fake headlines, etc.