In these cases, Apple should revoke their distribution certificate until the issue is resolved.
Just their push certificate is enough.
Was the app hacked or the developer? If the users are receiving the texts as the article claims, then it sounds like the developer was hacked and the user IDs they got were stolen.

If the app was hacked, I would expect the user’s contacts to be getting the obscene IMs.

Neither (according to the article). When I try to notify your phone, my server sends an encrypted push notification to Apple, which passes it on to your device. These guys didn't use their own server, but paid a third party to send push notifications, and that third party server was hacked.
It doesn't matter. The App is on the App Store, customers got effected[sic] by this situation. If it was on Play Store things would be way worse, am I right? :rolleyes:
On the Play Store, the situation would be exactly the same.
 



An iOS App Store weather app called "UVLens" this morning sent out highly inappropriate pornographic notifications to all of its users, suggesting the app may have been hacked or otherwise compromised in some way.

There are dozens of complaints from users on Twitter who received the notification, which was in no way weather related and was explicit enough to shock users who received it.


UVLens is a simple app designed to provide hourly UV forecasts for those who are concerned about their sun exposure. It is a general use app and it's quite possible that it could have been downloaded by children given its 4+ age rating.

UVLens appears to have sent out the notification to all of its users given the volume of tweets, and one person said that when she tapped the incoming notification, it tried to open a secondary window.

MacRumors was alerted to the issue by editor Mitchel Broussard, who has been using the app for more than a year. Prior to today, the app worked well and sent out no inappropriate content to users. We've never before seen reports of an app sending out notifications like this, so it's rather unusual.

Apple does not appear to have a solid reporting system in place for instances like this, as we discovered after the notifications went out. UVLens has not yet commented on the situation.

There's a "Report a Problem" website for reporting issues with recently purchased iOS apps, but it does not work with older purchased apps that suddenly go rogue. There's no report button in the App Store for individual apps, no option when 3D Touching an app on the Home screen, and no clear support path for alerting Apple about problematic apps.

We have contacted the UVLens developer, and multiple people have been sending complaints on Twitter, so the app may be removed from the App Store or fixed in the near future.

For now, customers who have installed UVLens will likely want to delete the app because it's not clear what's going on and if there has been a breach of some sort.

Update: UVLens sent out another notification, apologizing for the explicit push notification. The company says that it was not from the UVLens team and is being investigated.


Update 2: UVLens tells MacRumors that a third-party push notification service that it uses was compromised, allowing a spammer to send out inappropriate notifications through the network, including to UVLens users. UVLens says that steps were taken to prevent it from happening again and no app software was compromised.

Article Link: iOS App 'UVLens' Apparently Hacked, Sends Out Very Inappropriate Notifications [Updated]
Maybe someone's kitty cat got a bath. Y'all have dirty minds.
 
Is it really necessary to censor that? It's only text... I see worse 10 times a day in crappy jokes on facebook. :p

By the way regarding this quote:
Update 2: UVLens tells MacRumors that a third-party push notification service that it uses was compromised, allowing a spammer to send out inappropriate notifications through the network, including to UVLens users. UVLens says that steps were taken to prevent it from happening again and no app software was compromised.

So where's all the other apps' spam in the news? They can't be the only user of that third-party service? This sounds like a bit of 'spin' on the story.
 
Just their push certificate is enough.

Neither (according to the article). When I try to notify your phone, my server sends an encrypted push notification to Apple, which passes it on to your device. These guys didn't use their own server, but paid a third party to send push notifications, and that third party server was hacked.
On the Play Store, the situation would be exactly the same.
It would. Except many here would say how Play Store has no App Control and their Apps were tr#sh. You probably know how it usually works around here.
Yes but this app is no more vulnerable than any other app in the store that allows for notifications. It’s on the vendor to secure that part of the app.
It means anyone can have any app and then randomly use its servers to harm users' privacy and steal their data.
This is a third-party app, not an Apple app. And notifications are sent by way of a server maintained by the app developer or a notification service that the app employs. Something was compromised at the notification server level, and this had nothing to do with iOS or Apple's own apps. In fact, Apple's side of it (delivering the notification) worked perfectly! But they don't vet every notification that is sent, that would be millions a minute.

But you already knew this, right? :cool:
^ Top quote
 
I actually don't care about the news. I just wanted to know what the censored screenshot said :D
Actually I can fill in the blank with all the right words myself, one of which as mentioned is “wet” or something similar. :D I think I am old enough to view those push notifications harmlessly lol.

Back to topic. Aren’t push notifications sent through Apple's server? Why are there third-party services to do so?
 
It means anyone can have any app and then randomly use its servers to harm users' privacy and steal their data.

I honestly don't think that's how iOS works. They can send notifications. How is that stealing your data?
Back to topic. Aren’t push notifications sent through Apple's server? Why are there third-party services to do so?

I think the third party (at the request of the vendor) sends the request to Apple and they send the notification. But Apple doesn't filter the requests.
 
I assume they used a third party service because they get both Apple and Android notifications handled automatically for them. If not, they should be shamed for using a third party service instead of just using Apple’s API directly.

Perhaps Apple shouldn’t have left this hole in their wall.
 
Wasn't expecting that...

If companies want control to the shocking instant when they find out they can't trust others, they have to the consequences..

It may not have happened ever, but doing it yourself always works best.... That could never be possible all the time, but it's something no one thinks about either
 
I'm more concerned as to what kind of app would send you a push notification to deliver that sort of information.
Fix the US.

I mean, my [noun] is already [adjective] could go a number of ways these days.
 
Judging by the network logs, it looks like it might be a company called OneSignal that's been compromised.
Is it really necessary to censor that? It's only text... I see worse 10 times a day in crappy jokes on facebook. :p

By the way regarding this quote:
Update 2: UVLens tells MacRumors that a third-party push notification service that it uses was compromised, allowing a spammer to send out inappropriate notifications through the network, including to UVLens users. UVLens says that steps were taken to prevent it from happening again and no app software was compromised.

So where's all the other apps' spam in the news? They can't be the only user of that third-party service? This sounds like a bit of 'spin' on the story.

It's possible a hacker was only able to obtain the UVLens push cert that they uploaded to OneSignal (likely the third party service they're using to send out pushes).
 
Google just allows anything onto the Play Store... oh, wait...
Sadly it is true, I personally know of a fake app published on the Play Store that was a simple page stealing account info, with a fake screenshot of a well-known iOS app. They took weeks to remove it. The app was only a few MB since it was a fake one... so this is completely different from a hacked third-party notification plugin.
 