A Twitter Bug Left Android Users’ Private Tweets Exposed For 4 Years

Twitter just admitted that the social network accidentally revealed some Android users’ protected tweets to the public for more than 4 years — a kind of privacy blunder that you’d typically expect from Facebook.

When you sign up for Twitter, all your Tweets are public by default, allowing anyone to view and interact with your Tweets. Fortunately, Twitter also gives you control of your information, allowing you to choose if you want to keep your Tweets protected.

Enabling the “Protect your Tweets” setting makes your tweets private, and you’ll receive a request whenever new people want to follow you, which you can approve or deny. It’s similar to private Facebook updates that limit your information to your friends only.

In a post on its Help Centre on Thursday, Twitter disclosed a privacy bug dating back to November 3, 2014, that potentially caused the Twitter for Android app to disable the “Protect your Tweets” setting for users without their knowledge, making their private tweets visible to the public.

The bug was only triggered for Android users who changed their Twitter account settings, such as the email address or phone number associated with their account, using the Android app between November 3, 2014, and January 14, 2019.

images from Hacker News

New Android Malware Apps Use Motion Sensor to Evade Detection

Despite Google’s many efforts to keep malware out of its Play Store, shady apps still manage to fool its anti-malware protections and get into the store to infect Android users with malware.

Two such Android apps, recently spotted on the Google Play Store by security researchers with the Trend Micro malware research team, have infected thousands of Android users who downloaded them with banking malware.

The apps in question masquerade as a currency exchange app called Currency Converter and a battery saver app called BatterySaverMobi, and use the motion-sensor inputs of infected Android devices to check for movement before installing a dangerous banking Trojan called Anubis.

The malicious Android apps, which carry a large number of fake five-star reviews, use this trick rather than traditional evasion techniques to avoid detection when researchers analyse apps in emulators, which are less likely to produce sensor data.

images from Hacker News

New malware found using Google Drive as its command-and-control server

Since most security tools also monitor network traffic to detect malicious IP addresses, attackers are increasingly abusing the infrastructure of legitimate services in their attacks to hide their malicious activity.

Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control (C2) server.

DarkHydrus first came to light in August last year, when the APT group was leveraging the open-source Phishery tool to carry out a credential-harvesting campaign against government entities and educational institutions in the Middle East.

The latest malicious campaign conducted by the DarkHydrus APT group was also observed against targets in the Middle East, according to reports published by the 360 Threat Intelligence Centre (360TIC) and Palo Alto Networks.

This time the attackers are using a new variant of their backdoor Trojan, called RogueRobin, which infects victims’ computers by tricking them into opening a Microsoft Excel document containing embedded VBA macros, rather than by exploiting any Windows zero-day vulnerability.

Enabling the macro drops a malicious text (.txt) file in the temporary directory and then leverages the legitimate ‘regsvr32.exe’ application to run it, eventually installing the RogueRobin backdoor, written in C#, on the compromised system.

images from Hacker News

Google fined $57 million by France for lack of transparency and consent

The French data protection watchdog CNIL has issued its first fine of €50 million (around $57 million) under the European Union’s new General Data Protection Regulation (GDPR) law that came into force in May last year.

The fine has been levied on Google for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation,” the CNIL (National Data Protection Commission) said in a press release issued today.

The fine was imposed following the latest CNIL investigation into Google, opened after the watchdog received complaints against the company in May 2018 from two non-profit organisations—None Of Your Business (NOYB) and La Quadrature du Net (LQDN).

Why Has Google Been Fined?

According to the CNIL, Google has been found violating two core privacy rules of the GDPR—Transparency, and Consent.

First, the search engine giant makes it too difficult for users to find essential information, like the “data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation,” by spreading it across several documents with buttons and links and requiring up to 6 separate actions to reach the information.

And even when the users find the information they are looking for, the CNIL says that information is “not always clear nor comprehensive.”

“Users are not able to fully understand the extent of the processing operations carried out by Google,” the Commission says. “Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalisation is the consent and not the legitimate interest of the company.”

Secondly, Google does not obtain its users’ valid consent to process data for ads personalisation purposes.

images from Hacker News

Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems

Just in time…

Some cybersecurity experts this week were arguing on Twitter against using HTTPS, suggesting that software developers rely only on signature-based package verification because that is what APT on Linux does.

Ironically, a security researcher just today revealed details of a new critical remote code execution flaw in the apt-get utility that can be exploited by a remote, man-in-the-middle attacker to compromise Linux machines.

The flaw once again demonstrates that if the software download ecosystem communicated over HTTPS, such attacks could easily be mitigated in the first place.

Discovered by Max Justicz, the vulnerability (CVE-2019-3462) resides in the APT package manager, a widely used utility that handles installation, update and removal of software on Debian, Ubuntu, and other Linux distributions.

images from Hacker News