Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’

 

source: threatpost.com  | image:  pixabay.com

 

Researcher shows how Instagram and Facebook’s use of an in-app browser within both its iOS apps can track interactions with external websites.

Users of Apple’s Instagram and Facebook iOS apps are being warned that both use an in-app browser that allows parent company Meta to track ‘every single tap’ users make with external websites accessed via the software.

Researcher Felix Krause, who outlined how Meta tracks users in a blog posted Wednesday, claims that this type of tracking puts users at “various risks”. He warns both iOS versions of the apps can “track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap” via their in-app browsers.

iOS users’ concerns over tracking were addressed by Apple’s 2021 release of iOS 14.5 and a feature called App Tracking Transparency (ATT). The added control was intended to require app-developers to get the user’s consent before tracking data generated by third-party apps not owned by the developer.

Krause said that both iOS apps Facebook and Instagram are using a loophole to bypassed ATT rules and track website activity within their in-app browsers via the use of a custom JavaScript code used in both in-app browsers. That means, when an iOS user of Facebook and Instagram click on a link within a Facebook and Instagram post (or an ad), Meta launches its own in-app browser which can then track what you do on external sites you visit.

Meta’s Use of a JavaScript Injection 

“The Instagram [and Facebook] app injects their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause wrote.

Continue reading “Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’”

Fingerprint Theft Just a Shutter Click Away

source: technewsworld.com  |  image: pixabay.com

 

Ever since smartphone makers started incorporating fingerprint scanners as a means of unlocking mobile phones, the Chaos Computer Club has attacked the technology with vigor. 

Not long after Apple added Touch ID to its iPhones, the German hackers demonstrated how to lift prints from a surface and create a flexible pad containing the print that could be used to break into a phone.

Now the CCC hacker known as “Starbug” has used digital photography to perform the same trick without lifting any prints at all. At a recent cybersecurity conference, Starbug demonstrated how he created the thumb print of German Minister of Defense Ursula von der Leyen from several news photos.

“After this talk, politicians will presumably wear gloves when talking in public,” Starbug said.

Continue reading “Fingerprint Theft Just a Shutter Click Away”

A Powerful Tool US Spies Misused to Stalk Women Faces Its Potential Demise

 

source: wired.com  |  image: pixabay.com

 

Though often viewed as the “crown jewel” of the US intelligence community, fresh reports of abuse by NSA employees and chaos in the US Congress put the tool’s future in jeopardy.

The federal law authorizing a vast amount of the United States government’s foreign intelligence collection is set to expire in two months, a deadline that threatens to mothball a notoriously extensive surveillance program currently eavesdropping on the phone calls, text messages, and emails of no fewer than a quarter million people overseas.

The US National Security Agency (NSA) relies heavily on the program, known as Section 702, to compel the cooperation of communications giants that oversee huge swaths of the internet’s traffic. The total number of communications intercepted under the 702 program each year, while likely beyond tally, ostensibly reaches into the high hundreds of millions, according to scraps of reportage declassified by the intelligence community over the past decade, and the secret surveillance court whose macroscopic oversight—even when brought to full bear against the program—scarcely takes issue with any quotidian abuses of its power.

Continue reading “A Powerful Tool US Spies Misused to Stalk Women Faces Its Potential Demise”

Social engineering for espionage

and for profit

 

source: thecyberwire.com  |  image: pixabay.com

 

At a glance.

  • Okta discloses a data exposure incident.
  • Cisco works to fix zero-day.
  • DPRK threat actors pose as IT workers.
  • Five Eyes warn of AI-enabled Chinese espionage.
  • Job posting as phishbait.
  • The risk of first-party fraud.
  • The Quasar RAT and DLL side-loading.
  • Hacktivists trouble humanitarian organizations with nuisance attacks.
  • Content moderation during wartime.
  • Not content-moderation, but fact-checking.
  • Cyberespionage at the ICC.

Okta discloses a data breach.

Identity and access management company Okta has disclosed a data breach affecting some of the company’s customers. The company stated, “The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.”

Continue reading “Social engineering for espionage and for profit”

The Best Password Managers to Secure Your Digital Life

 

source: wired.com  |  image: pexels.com

 

PASSWORD MANAGERS ARE the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the password equivalent of junk food. For nearly a decade, that’s been “123456” and “password”—the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and aren’t able to remember hundreds of them anyway.

The safest (if craziest) way to store your passwords is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding. That might work for Memory Grand Master Ed Cooke, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our memory.

A password manager offers convenience and, more importantly, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks. Read our guide to VPN providers for more ideas on how you can upgrade your security, as well as our guide to backing up your data to make sure you don’t lose anything if the unexpected happens.

Scammers Impersonate Companies to Steal Cryptocurrency from Job Seekers

 

source: infosecurity-magazine.com  |  image: pexels.com

 

Security researchers have discovered a major new scam operation designed to trick job seekers into parting with cryptocurrency, by getting them to complete meaningless tasks they believe will earn them money.

Dubbed “WebWyrm” by CloudSEK, the operation has already targeted more than 100,000 individuals across over 50 countries by impersonating over 1000 companies across 10 industries. It has already potentially netted the scammers over $100m.

The scammers approach victims primarily on WhatsApp, potentially using data from recruitment portals to target their schemes to those most likely to respond.

Promising a weekly salary of $1200-1500, they request the victim to complete 2-3 “packets” or “resets” per day, with each containing 40 tasks.

Continue reading “Scammers Impersonate Companies to Steal Cryptocurrency from Job Seekers”

The surprising threat is lurking even in your ‘secure’ work environment

 

source: fast company.com  |  image: pexels.com

 

When Netflix released The Most Hated Man on the Internet, we got an up-close glimpse of the harm that nefarious people can do by exposing the personal information of others online. The series illustrated how Hunter Moore used stolen or hacked images to populate a pornographic website, targeting women who did not consent for their images to be used—and introducing many people to the concept of “doxing.” 

Derived from 1990s hacker culture, doxing is a play on the word document or dossier, referring to compiling data on a person or company. It gained greater visibility in 2014 when a group released the private information of women who they perceived as receiving favoritism in the gaming journalism industry. The incident, titled GamerGate, exposed the dangers of being targeted by bad actors and the potential for negative psychological outcomes.

Continue reading “The surprising threat is lurking even in your ‘secure’ work environment”

Cyberattacks on hospitals are growing threats to patient safety, experts say

source: abcnews.go.com  | image: pexels.com

 

The number of attacks on U.S. hospitals each year doubled between 2016 and 2021

Jes Kraus was supposed to be going to the University of Vermont Medical Center every day for aggressive radiation and chemotherapy treatments to fight stage three colorectal cancer, for which he was diagnosed in September 2020.

But at the end of October 2022, the hospital called to tell him not to come in for his appointments until further notice. The medical center had just been hit by a cyberattack, which infected computer systems across the state and locked out health care workers from his treatment plan and other critical tools.

“Radiation was canceled for a week,” Kara Kraus, Jes’s wife, told ABC News. “We were afraid. We weren’t sure if that would affect the outcome. Again, the tumor, would it start growing back within that week? What was going to happen?”

Continue reading “Cyberattacks on hospitals are growing threats to patient safety, experts say”