Your browser and other apps are vulnerable, the ads you see might take control of your system, governments are experimenting with AI, and TikTok is facing fines, again. Discover this week’s privacy and security news in this new post...
- Sources Used in this article: Wired, fbi.gov, nist.gov
🌐 Big Browser Vulnerability Discovered:
If you haven't recently updated your web browser, there's a significant issue you should be aware of. A newly revealed vulnerability has been discovered in a crucial software component called libwebp [1], responsible for handling the popular WebP image format on the internet. This vulnerability, known as a "heap buffer overflow," can be exploited if someone sends you a specially crafted malicious image. Successful exploitation of this flaw could allow an attacker to gain control of your device and execute malicious code. Alarmingly, Google has confirmed that this bug has already been used by malicious actors.
Initially, this problem was identified as a "zero-day vulnerability" [2] in Google's Chrome browser. However, it's not limited to Chrome alone. It affects any web browser built on the Chromium engine, including Microsoft Edge, Opera, Brave, and many others.
Furthermore, it is even present in other apps: several applications like Telegram, 1Password, Thunderbird, and GIMP are also vulnerable.
The good news is that software developers are actively working to address this issue. Patches to fix this vulnerability are currently being released. Therefore, it's crucial to remain on the lookout for these updates and promptly install them to safeguard your device against potential security threats.
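To make the "heap buffer overflow from a crafted image" idea concrete, here is an added illustration in C. It is not libwebp's code and does not reproduce the actual bug described above; it is a toy chunk parser (an assumed 4-byte tag, a 4-byte little-endian length, then the payload) that shows the defect class and the bounds checks that close it. The tag "IMG ", the buffer size MAX_PAYLOAD and the sample inputs are all constructed for this example.

```c
/* Added illustration, not libwebp's code: a toy image-chunk parser
 * showing how trusting a length field taken from the file leads to a
 * heap buffer overflow, and the checks a decoder must make instead. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 16 /* assumed fixed size of the decoder's heap buffer */

enum { CHUNK_OK = 0, CHUNK_TRUNCATED = -1, CHUNK_TOO_LARGE = -2, CHUNK_BAD_HEADER = -3 };

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable form: the declared length is used without comparing it to the
 * bytes actually present or to the size of the destination heap buffer.
 * A crafted file with a huge length field makes memcpy write past 'out'
 * (heap buffer overflow). Shown for comparison only; never called here. */
int parse_chunk_unchecked(const uint8_t *in, size_t in_len, uint8_t *out) {
    (void)in_len;
    uint32_t declared = read_le32(in + 4);
    memcpy(out, in + 8, declared); /* BUG: no bounds check on 'declared' */
    return (int)declared;
}

/* Hardened form: every quantity derived from the file is validated against
 * what is really available before a single byte is copied. */
int parse_chunk_checked(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap, size_t *payload_len) {
    if (in == NULL || out == NULL || payload_len == NULL) return CHUNK_BAD_HEADER;
    if (in_len < 8) return CHUNK_TRUNCATED;                  /* header must be complete */
    if (memcmp(in, "IMG ", 4) != 0) return CHUNK_BAD_HEADER; /* constructed tag */
    uint32_t declared = read_le32(in + 4);
    /* Check 1: the input must really contain 'declared' payload bytes. */
    if (declared > in_len - 8) return CHUNK_TRUNCATED;
    /* Check 2: the payload must fit the heap buffer we write into. */
    if (declared > out_cap) return CHUNK_TOO_LARGE;
    memcpy(out, in + 8, declared);
    *payload_len = declared;
    return CHUNK_OK;
}

/* Builds a constructed chunk in memory and runs the checked parser on it.
 * 'declared' may deliberately disagree with 'payload_len' to model a crafted file. */
static int run_demo(uint32_t declared, const uint8_t *payload, size_t payload_len) {
    uint8_t file[64];
    uint8_t *out = malloc(MAX_PAYLOAD); /* the heap buffer an overflow would corrupt */
    size_t got = 0;
    if (out == NULL) return CHUNK_BAD_HEADER;
    memcpy(file, "IMG ", 4);
    file[4] = (uint8_t)(declared & 0xff);
    file[5] = (uint8_t)((declared >> 8) & 0xff);
    file[6] = (uint8_t)((declared >> 16) & 0xff);
    file[7] = (uint8_t)((declared >> 24) & 0xff);
    memcpy(file + 8, payload, payload_len);
    int rc = parse_chunk_checked(file, 8 + payload_len, out, MAX_PAYLOAD, &got);
    free(out);
    return rc;
}

/* Well-formed chunk: 4 declared bytes, 4 bytes present. Returns CHUNK_OK. */
int demo_valid_chunk(void) { return run_demo(4, (const uint8_t *)"abcd", 4); }

/* Crafted length: claims ~2 GiB but only 4 bytes follow. Returns CHUNK_TRUNCATED. */
int demo_crafted_length(void) { return run_demo(0x7FFFFFFFu, (const uint8_t *)"abcd", 4); }

/* Honest but oversized: 32 bytes declared and present, buffer holds 16. Returns CHUNK_TOO_LARGE. */
int demo_payload_exceeds_buffer(void) {
    uint8_t big[32];
    memset(big, 'x', sizeof big);
    return run_demo(32, big, sizeof big);
}

int main(void) {
    printf("valid chunk: %d\n", demo_valid_chunk());
    printf("crafted length: %d\n", demo_crafted_length());
    printf("payload exceeds buffer: %d\n", demo_payload_exceeds_buffer());
    return 0;
}
```

The two checks in parse_chunk_checked are the whole point: the first stops reads past the end of the input, the second stops writes past the end of the heap allocation. Both must happen before the copy, and both must be measured against sizes the program knows, never against values the file itself supplies.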
☠️ Malvertising is on the rise, again…
Malicious online ads, commonly referred to as "malvertising," have been a persistent issue for a long time. However, the landscape is evolving, and now it's getting even more serious. Several Israeli companies are taking malvertising to a professional level by exploiting weaknesses in the technical mechanisms that deliver online ads, as reported by Haaretz. This elevated level of sophistication enables attackers to not only track users but also compromise their devices.
The exploit takes advantage of the complex online advertising bidding process, where automated bots compete for ad slots on web pages in real time. These companies have managed to exploit a tiny window of opportunity just before an ad slot gets filled, allowing them to display an ad that is reportedly laden with "advanced spyware."
Unfortunately, there's no quick and easy solution to completely halt the spread of this malware. However, there is a simple step you can take to protect yourself: Use an ad blocker. Employing an ad blocker can significantly reduce your exposure to these malicious ads and help safeguard your online security.
💰 TikTok Fined another 360 Million Dollars for Privacy Violations
This week, European data regulators imposed a hefty fine of 368 million dollars on TikTok for violating privacy laws concerning underage users. The Irish Data Protection Commission (DPC) determined that TikTok had breached GDPR (General Data Protection Regulation) by not setting child users' accounts to private by default. Furthermore, the DPC noted that TikTok's "family pairing" feature, which allows adults to manage a child's account, did not effectively ensure that the adult was indeed a parent or guardian.
🎲 MGM Casino Cyberattack:
MGM casinos continue to grapple with a cyberattack that has disrupted their operations for nearly a week. The group behind the breach, known as Alphv, has a history of targeting critical institutions, including schools and hospitals.
😬 Misuse of Facial Recognition in Buenos Aires:
Buenos Aires faces a scandal involving the misuse of facial recognition software. Despite legal restrictions, the system was used to look up individuals without criminal records, leading to wrongful arrests. This incident underscores the risks associated with facial recognition technology, even when regulations are in place.
🤖 Government Use of AI:
Governments in the United States are experimenting with AI-powered systems, such as ChatGPT, but there is no consensus on their appropriate use. Some states have temporarily banned these technologies due to cybersecurity concerns, while others are employing them for various tasks.
⚡ Chinese Hackers Target Power Grids:
Chinese hackers, known as APT41, have expanded their cyber activities from espionage to targeting power grids in an Asian nation. This development is concerning and raises questions about the security of critical infrastructure.
💸 FTC Fines Background Check Firms $5.8 Million Over Data Accuracy
The US Federal Trade Commission (FTC) recently imposed a hefty $5.8 million fine on background check providers TruthFinder and Instant Checkmate for failing to ensure the utmost accuracy of their consumer reports, a violation of the Fair Credit Reporting Act. The FTC alleges that these companies made substantial profits by selling subscriptions that promised to notify individuals if a "criminal record" was found in their background check, when these records often turned out to be minor traffic violations. Additionally, the companies offered "Remove" and "Flag as Inaccurate" buttons which, according to the FTC, did not work as advertised. This regulatory action follows a data breach several months earlier in which hackers exposed the personal data of millions of customers.
[1] Libwebp is a software library used for working with images in a specific format called WebP. WebP is a type of image file format, like JPEG or PNG, that is designed to make images on the internet load faster while still maintaining good image quality.
[2] A zero-day vulnerability is a software security flaw or weakness that is not known to the software developer or the public.