Message-ID: <CAH8yC8kbeBMVDygbVKkOdqn=i_GBgc039_DX1Qhxohkf=EhWUA@mail.gmail.com>
Date: Fri, 8 Dec 2017 05:48:11 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
Cc: Full Disclosure List <fulldisclosure@...lists.org>
Subject: Re: [FD] Follow-up on CVE-2017-8769 - WhatsApp Issues with Media Files

On Tue, Dec 5, 2017 at 5:27 PM, Nightwatch Cybersecurity Research
<research@...htwatchcybersecurity.com> wrote:
> [https://wwws.nightwatchcybersecurity.com/2017/05/17/advisory-whatsapp-for-android-privacy-issues-with-handling-of-media-files-cve-2017-8769/]
>
> We reported an issue earlier this year to WhatsApp / Facebook, where
> after deleting chats the media files would be retained on the device.
> The vendor fixed the issue by adding an option of deleting these
> files. HOWEVER, our testing now shows that the fix doesn't always work
> and the vendor doesn't acknowledge the issue as a security problem. We
> have updated the advisory accordingly and are recommending that users
> delete the media files from the SD card manually.

Deleting files from the SDcard likely won't fix the problem. The
vendor has to fix the problem by avoiding plain text on the disk.

Also see "Reliably Erasing Data From Flash-Based Solid State Drives,"
https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf .

Jeff
