Privacy Roundup #0154 • May 2019
May 2019 paired a wave of careless data exposures with a hardening political mood against face surveillance, as cities, shareholders and Congress all weighed limits on the technology.
1. WhatsApp flaw let attackers plant spyware with a single call
WhatsApp confirmed a vulnerability in its calling feature that let attackers install spyware on a phone without the target answering. The exploit, tied to the NSO Group, allowed Pegasus to take over devices with no interaction from the victim.
2. First American Financial leaked hundreds of millions of title insurance records
The website of mortgage title insurance giant First American Financial exposed around 885 million records going back to 2003, with no password required. The files included bank account numbers, Social Security numbers, wire transaction receipts and driving licence images.
3. San Francisco became the first major US city to ban government face recognition
San Francisco's Board of Supervisors voted 8 to 1 to bar city agencies, including the police, from using facial recognition technology. The ordinance also forces departments to disclose and seek approval for other surveillance tools they buy or run.
4. Supreme Court let iPhone owners sue Apple over App Store pricing
In Apple v. Pepper, the Supreme Court ruled 5 to 4 that consumers who buy apps from the App Store are direct purchasers and may pursue antitrust claims. The decision allowed a lawsuit over Apple's 30 percent commission to proceed.
5. Google admitted it stored some G Suite passwords in plaintext for 14 years
Google disclosed that a flaw in an enterprise password tool from 2005 stored some G Suite passwords unhashed on its internal systems. A second lapse had also kept a subset of passwords unhashed for up to two weeks earlier in the year.
6. Canva breach exposed data on roughly 139 million users
The Australian design platform Canva suffered a breach that exposed usernames, real names, email addresses and bcrypt password hashes for tens of millions of accounts. The attacker, who went by GnosticPlayers, contacted reporters to brag about the haul.
7. Snapchat staff abused an internal tool to spy on users
A report revealed that Snap employees had misused an internal tool called SnapLion to access user location data, phone numbers and email addresses. The tool was meant for valid law enforcement requests but was turned on users for illegitimate reasons.
8. Amazon shareholders rejected curbs on Rekognition sales
Amazon shareholders voted down two proposals that would have restricted sales of its Rekognition face recognition software to governments. Both measures failed by wide margins, though the second drew enough support to keep the issue alive.
9. Stack Overflow disclosed a breach that exposed some user data
Stack Overflow said an intruder gained access to its production systems after a build introduced a flaw in early May. The company confirmed that requests by the attacker could have returned the IP addresses, names or emails of around 250 users.
10. DHS warned that Chinese-made drones could steal data
The Department of Homeland Security issued an alert warning that Chinese-made drones might send sensitive flight data back to manufacturers in China. The notice did not name companies, though DJI dominated the North American market at the time.
11. Microsoft warned of the wormable BlueKeep flaw in Windows
Microsoft patched CVE-2019-0708, a critical Remote Desktop flaw dubbed BlueKeep that needed no authentication or user interaction. Researchers and the company itself warned that the bug was wormable and urged immediate patching, even for end-of-life systems.
12. RobbinHood ransomware knocked Baltimore's city services offline
Ransomware called RobbinHood crippled most of Baltimore's government computer systems, taking email, payment systems and other services offline. The attackers demanded roughly 13 bitcoin, and the city refused to pay, facing a recovery that stretched for months.
13. Unsecured database exposed 275 million records of Indian citizens
A researcher found a MongoDB database left open on the internet that exposed more than 275 million records of Indian citizens. The data included names, dates of birth, phone numbers, email addresses, employment history and salaries scraped from job sites.
14. Salesforce outage handed users access to records they should not have seen
A faulty database script tied to Pardot gave Salesforce users far broader access than intended, letting them read and write records across their organisations. Salesforce shut down Marketing Cloud services for hours and told customers to reset non-admin permissions.
15. Open database exposed contact details for millions of Instagram influencers
A database left online without a password exposed records on millions of Instagram influencers, celebrities and brands. Alongside scraped public profile data, the records held private email addresses and phone numbers, and the trove was traced to a Mumbai marketing firm.
16. Consumer Reports asked the FTC to investigate Facebook's face recognition setting
Consumer Reports filed a complaint asking the FTC to investigate Facebook over its face recognition privacy control. The group found that some users lacked the promised ability to stop Facebook from scanning their photos and building face templates.
→ advocacy.consumerreports.org
17. TeamViewer confirmed a 2016 breach by Chinese hackers
TeamViewer confirmed that Chinese hackers had compromised its systems in 2016 using the Winnti backdoor, an attack it had never publicly disclosed. The company said it detected the intrusion in time and found no evidence that customer data or source code was stolen.
18. Flipboard reset passwords after attackers lingered for months
Flipboard disclosed a breach in which intruders had access to databases holding names, usernames, email addresses and password hashes over several months. The company reset passwords for all users and replaced or deleted third-party access tokens as a precaution.
19. Congress held a bipartisan hearing on face recognition and civil liberties
The House Oversight Committee held a hearing on the impact of facial recognition on civil rights, drawing rare bipartisan concern. Witnesses described biased accuracy, opaque deployment by police and the risk of a near constant surveillance state.
20. Unsecured database exposed credit card data on Freedom Mobile customers
Researchers found an open database that exposed sensitive data on Freedom Mobile customers, including unencrypted credit card numbers and CVV codes. The firm disputed the scale, but the records also held names, addresses, dates of birth and credit information.