The new attack class is reminiscent of GPU.zip, a 2023 attack that allowed malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites. It worked by exploiting side channels found in GPUs from all major suppliers. The vulnerabilities that GPU.zip exploited have never been fixed. Instead, the attack was… Read More »
Discord says that hackers made off with images of 70,000 users’ government IDs that they were required to provide in order to use the site. Like an increasing number of sites, Discord requires certain users to provide a photo or scan of their driver’s license or other government ID that shows they meet the minimum… Read More »
The letter outlined not only the improper access engineers had to WhatsApp user data, but a variety of other shortcomings, including a “failure to inventory user data,” as required under privacy laws in California, the European Union, and the FTC settlement, failure to locate data storage, an absence of systems for monitoring user data access,… Read More »
In May 2020, Sacramento, California, resident Alfonso Nguyen was alarmed to find two Sacramento County Sheriff’s deputies at his door, accusing him of illegally growing cannabis and demanding entry into his home. When Nguyen refused the search and denied the allegation, one deputy allegedly called him a liar and threatened to arrest him. That same… Read More »
MellowTel is also problematic because the sites it opens are unknown to end users. That means they must trust MellowTel to vet the security and trustworthiness of each site being accessed. And, of course, that security and trustworthiness can change with a single compromise of a site. MellowTel also poses a risk to enterprise networks… Read More »
The maker of a phone app that is advertised as providing a stealthy means for monitoring all activities on an Android device spilled email addresses, plain-text passwords, and other sensitive data belonging to 62,000 users, a researcher discovered recently. A security flaw in the app, branded Catwatchful, allowed researcher Eric Daigle to download a trove… Read More »
An overview of Yandex identifier sharing An overview of Yandex identifier sharing A timeline of web history tracking by Meta and Yandex A timeline of web history tracking by Meta and Yandex Some browsers for Android have blocked the abusive JavaScript in trackers. DuckDuckGo, for instance, was already blocking domains and IP addresses associated with… Read More »
But the changes go only so far in limiting the risks Recall poses. As I pointed out, when Recall is turned on, it indexes Zoom meetings, emails, photos, medical conditions, and—yes—Signal conversations, not just with the user, but anyone interacting with that user, without their knowledge or consent. Researcher Kevin Beaumont performed his own deep-dive… Read More »
The flow of adding new members to a WhatsApp group message is: A group member sends an unsigned message to the WhatsApp server that designates which users are group members, for instance, Alice, Bob, and Charlie The server informs all existing group members that Alice, Bob, and Charlie have been added The existing members have… Read More »
Security and privacy advocates are girding themselves for another uphill battle against Recall, the AI tool rolling out in Windows 11 that will screenshot, index, and store everything a user does every three seconds. When Recall was first introduced in May 2024, security practitioners roundly castigated it for creating a gold mine for malicious insiders,… Read More »