Comments on WaveSecure Security Vulnerability Report: WaveSecure - Major Security Leak Uncovered
Blog author: Mark (http://www.blogger.com/profile/07420177579407826915)
18 comments, newest first; feed updated 2013-01-01T04:41:41.321-08:00

Anonymous, 2013-01-01T04:41:41.321-08:00
Hi, I have forgotten the PIN code of Wavesecure. I installed the software, opened it and forgot what I did with it.
Now after a week, I wanted to uninstall coz I read its reviews on the internet, and came to know how it works. But I can't uninstall. It keeps asking me for the PIN code. Its trial period has expired. It was asking me for an email. I provided one, but then again, it asked me for the PIN code. I don't even remember whom I included in my buddy list.
Now need help.
How to Uninstall?
I have 5800 Xpressmusic

Anonymous, 2012-08-29T15:26:34.791-07:00
Nice post mark.... any recent same kind of bugs you've found in wavesecure or any other mcafee product.

Jaggi (https://www.blogger.com/profile/12128826625066740161), 2011-06-20T06:13:56.888-07:00
Nice Catch Mark. I saw your post and even I am surprised how it won many acclaimed awards? I believe awards were meant on Sale and revenue generated rather than how secured it is! Management thinks of only promoting rather than securing!

Good stuff!

Anonymous, 2010-09-14T14:27:32.137-07:00
You can also bypass Wavesecure's lock and uninstall protection app by booting any Android phone into safe mode.

Martijn, 2010-09-13T12:41:00.788-07:00
Found out another serious security glitch!
There is a dummy way to stop/reset Wavesecure on the device after it was stolen!
Simply go to Settings > Applications > Manage Apps > Wavesecure > Force stop + Clear Data
Next it is simply a matter of reconfiguring the service with a new, cheap prepaid card to make sure nobody takes control anymore.

Anonymous, 2010-08-23T09:17:00.256-07:00
@Anonymous August 5, 2010 6:30 PM:
A lot of applications at Market are already collecting IMEI as part of the authentication of buying customers. Your IMEI is NOT secret.
The Google license agreement is superseded by local laws, and in most countries you are allowed to reverse engineer applications to look for security faults. That's what the antivirus companies do every day.

Mark, 2010-08-06T07:54:56.890-07:00
But i agree the PDF bug is enough for a big laugh :-)

Mark, 2010-08-06T07:53:58.143-07:00
hi i did not use the APK from market but one from the internet - so i agreed to nothing :-)

regarding IMEI: guessing is enough... also, it is really a shame that such a security hole has been open for such a long time. i could get my girlfriend's IMEI and then locate her all the time without her knowing it. Or i borrow the phone of my boss and get the IMEI...

Critical in my opinion.

Anonymous, 2010-08-05T18:30:04.704-07:00
Good investigative job Mark! But I disagree with you. Probability of intrusion is pretty low considering you need physical access to the device to get the IMEI and that needs to be loaded with wave secure. Compare that to iOS' PDF exploit affecting all iPhones, this is a small case. I sure wouldn't want to be in Apple's shoes. Haa.

Just some advice from a fellow Android dev. Do you know that you are not allowed to reverse engineer or decompile software on Android Market as it violates the terms of service. Check out the terms at http://www.google.com/mobile/android/market-tos.html.

'You agree that you will not, and will not allow any third party to, (i) copy, sell, license, distribute, transfer, modify, adapt, translate, prepare derivative works from, decompile, reverse engineer, disassemble or otherwise attempt to derive source code from the Products, unless otherwise permitted'

Mark, 2010-08-03T03:47:31.518-07:00
PS: as you mentioned that you need to KNOW the IMEI. what about guessing? i am sure i would have been able to get a good amount of secure user data in a short time.

Mark, 2010-08-03T03:24:58.767-07:00
They had to, a lot of people already heard of it - and it was simply by disabling the feature and not by fixing the underlying problems. I think it can again be hacked quite easily (however i do not want to do this).

I now know the security architecture of the software and it is really weak given that user data is stored online on their servers. This leak was open for months!!

I would use a different tool instead that does not use online server storage. There is ALWAYS a leak (as you see in this case where i queried WaveSecure BEFORE my attempts and they said everything is secure... which was not true)!

Anonymous, 2010-08-03T03:22:22.046-07:00
yup, just tried it as well. doesn't seem to work now, definitely disabled from server side. But good one mark, i did wonder how WS magically, after hard reset, returned to lock the phone and know its link to my account.

your explanation makes sense and it was a good one to catch the potential leak. But i think the probability is quite low anyway since u need the IMEI to get the username password. if i can get the IMEI of the phone, i might as well just look at the data on the phone physically.

but you have to give it to these guys for coming up with such a thing in the first place, hope they can fix the security issues and bring back the hard-reset proof ability

Anonymous, 2010-08-03T03:20:35.275-07:00
Pretty cool for them to get this fixed so fast!

I'll miss the hard-reset restore feature. I hope they manage to do it in some other way without any security concerns.

Mark, 2010-08-03T03:08:03.702-07:00
the interface has been disabled at the server side - of course! :-) would really be critical if they left it open. however i think it would not take very long to find another way... also i think that now hard-reset restore of WaveSecure will not work anymore (because the interface is not there anymore)

Anonymous, 2010-08-03T02:42:52.508-07:00
just tried it, doesn't work.

Anonymous, 2010-08-03T02:10:47.593-07:00
the link was posted on a blog on wavesecure.com, now all the comments to that blog are gone!

Anonymous, 2010-08-03T02:09:22.745-07:00
Yes, it works...

Anonymous, 2010-08-03T00:47:57.128-07:00
??? does this work?