Social media platform ends private program after paying $250,000 in rewards over eight years

Adam Bannister 26 May 2022 at 15:26 UTC

Social media platform ends private program after paying $250,000 in rewards over eight years

LinkedIn has launched a public bug bounty program to replace the invite-only program that has been running since 2014.

Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000, while high severity issues will command rewards of between $2,500 and $5,000, and medium severity flaws will net bug hunters between $250 and $2,500.

The program, which is hosted by HackerOne, invites hackers to probe the main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API plus Android and iOS mobile apps.

**Going public**

In scope on the Microsoft\-owned platform are “implementation and design issues that substantially impact LinkedIn members’ data or LinkedIn infrastructure” such as cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, authentication, access control, and server-side code execution vulnerabilities.

“Our security team strives to provide a safe and secure experience for our 830 million members and customers by quickly addressing security vulnerabilities, constantly improving our defenses, and safeguarding our product development process,” said LinkedIn in a blog post announcing the news.

Read more of the latest bug bounty news

The private program had since its launch “awarded more than $250,000 across nearly 500 submissions covering the LinkedIn member platform and mobile applications,” it added.

“Because of the program’s success, we have decided to make the program public and expand participation to anyone wanting to report potential security vulnerabilities.”

LinkedIn, which connects business professionals with each other and job opportunities, was the source of two enormous data leaks in 2021, affected 500 million and 700 million users respectively, but these were attributed to scraping of public web pages rather than cyber-attacks.

However, the Silicon Valley company was apportioned blame, both by security experts and members of the US Congress, over a 2012 hack that it initially thought affected 6.4 million user passwords, but in 2016 transpired to comprise emails and passwords belonging to 117 million users.

RELATED Yik Yak fixes information disclosure bug that leaked users’ GPS location

LinkedIn bug bounty program goes public with rewards of up to $18k

ChromeLoader is working its way into Chrome browsers via ISO images claiming to offer cracked games. What are the dangers?
The post ChromeLoader targets Chrome Browser users with malicious ISO files appeared first on Malwarebytes Labs.

If you’re on the hunt for cracked software or games, be warned. Rogue ISO archive files are looking to infect your systems with ChromeLoader. If you think campaigns such as this only target Windows users, you’d sadly be very much mistaken. The attack sucks in several operating systems and even uses mobiles as bait to draw in additional victims.

**Of PowerShells and ISOs**

An optimal disc image (ISO) is a disk image containing everything written to an optical disc. If someone copied a DVD or CD-ROM, they may end up with an ISO. With the right software, these files can be mounted and read as if the device was reading from a physical disc.

If a malware author claims to be offering cracked or pirated versions of games or software, an ISO is frequently what’s on offer. They may be promoted on social media, video sites, game crack portals, or torrents. Sadly for would-be file downloaders, they’re frequently booby trapped with malware.

PowerShell is a way to automate tasks and comes complete with  a command line interface. It can be used by infection files to execute specific commands and get the infection ball rolling. This ChromeLoader attack combines both Powershell and ISOs to compromise systems.

**How does ChromeLoader infect a device?**

The flow is as follows:

1.  Bogus files are promoted on Twitter and other services. Some victims are simply grabbing the infection from rogue sites and/or torrents.
2.  Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites.
3.  Double clicking the ISO file mounts it as a virtual CD-ROM. The executable in the ISO claims to be the content the victim was originally looking for.
4.  ChromeLoader makes use of a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task and the victim is none the wiser that their browser has been compromised. At this point, search results cannot be trusted and bogus entries will be displayed to the user.
5.  As BleepingComputer notes, users of macOS are also at risk from this attack. Instead of ISO, attackers use DMG (Apple Disk Image) files, which is a more common format on that OS.

**Tips to avoid ChromeLoader**

1.  Searching for cracked games and software is a very risky business. Many sites promoting malware masquerading as “genuine” crack portals are hard to spot. If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices. Deep sales on games and products are fairly common. Unless it’s a brand new title, it may be worth waiting for a product-centric sale.
2.  In Chrome, Click the **More** icon, then **More Tools** -> **Extensions**. From there, you can see what’s installed, what is active or disabled, along with additional information about all extensions present. Google also has advice for resetting browser settings and additional clean-up methods.
3.  Keeping your security software up to date and running regular scans helps prevent this kind of attack. You should also always scan a downloaded file before making use of it.
4.  Keep in mind that rogue extensions don’t just come from bad websites or rogue downloads. The Chrome web store itself has been known to play host to bad files. Always check reviews, developer information, extension permissions and anything else of note before installing a new extension to your browser.

ChromeLoader targets Chrome Browser users with malicious ISO files

The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information.
"We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the project said in an

The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information.

"We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the project said in an advisory issued this week.

Tails, short for The Amnesic Incognito Live System, is a security-oriented Debian-based Linux distribution aimed at preserving privacy and anonymity by connecting to the internet through the Tor network.

The alert comes as Mozilla on May 20, 2022 rolled out fixes for two critical zero-day flaws in its Firefox browser, a modified version of which acts as the foundation of the Tor Browser.

Tracked as CVE-2022-1802 and CVE-2022-1529, the two vulnerabilities are what's referred to as prototype pollution that could be weaponized to gain JavaScript code execution on devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.

"For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session," the Tails advisory reads.

The bugs were demonstrated by Manfred Paul at the 15th edition of the Pwn2Own hacking contest held at Vancouver last week, for which the researcher was awarded $100,000.

However, Tor Browsers that have the "Safest" security level enabled as well as the Thunderbird email client in the operating system are immune to the flaws as JavaScript is disabled in both cases.

Also, the weaknesses don't break the anonymity and encryption protections baked into Tor Browser, meaning that Tails users who don't handle sensitive information can continue to use the web browser.

"This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier," the developers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched

By Waqas
The privacy-oriented search engine and browser provider DuckDuckGo has received flak after a researcher identified Microsoft Trackers in…
This is a post from HackRead.com Read the original post: DuckDuckGo Allows Microsoft Trackers Despite No Tracking Policy – Researcher

The privacy-oriented search engine and browser provider DuckDuckGo has received flak after a researcher identified Microsoft Trackers in the company’s “private” web browser.

DuckDuckGo (DDG) has always promoted and marketed itself as a privacy-centric company that refrains from adding trackers to its products. The company boasted about launching a Private browser with default tracker blocking capabilities.

However, now, research revealed that the browser offers restricted tracking protection, and there are certain loopholes left to facilitate advertising data requests from Microsoft.

It is worth noting that Microsoft is a syndication partner of DuckDuckGo. Since the companies agree on syndicated search content, the DDG browser allows Microsoft trackers on 3rd party websites.

**Research Revealed Disturbing Facts**

According to researcher Zach Edwards, who shared his startling findings on the DuckDuckGo browser on Twitter, he discovered that DuckDuckGo’s mobile browsers didn’t block ad requests from Microsoft scripts as well as non-Microsoft web services.

When Edward examined the browser data flow on Workplace.com, he learned that although DDG informed its users about blocking Facebook and Google trackers, it allowed Microsoft trackers to receive data flows linked with the user’s browsing activities on a non-Microsoft site.

For your information, DuckDuckGo is a search engine that claims it never tracks user searches or behavior and never builds users’ profiles to display targeted ads, and only uses contextual ads from its partners, including Ads by Microsoft. Microsoft ads can track users’ IP addresses and other data after clicking on an ad link.

Researcher Zach Edwards on Twitter

**More DuckDuckGo and Search Engine News**

1.  What Are Dark Web Search Engines and How to Find Them?
2.  $4 billion lawsuit claims Google tracked iPhone users’ activities
3.  DuckDuckGo study claims Google Incognito searches are not private
4.  DuckDuckGo collecting user browsing data without consent (Updated)
5.  Camera privacy bug found in Firefox Android in 2019 hasn’t been fixed yet

DuckDuckGo’s privacy and no tracking policy

**DuckDuckGo CEO’s Response**

In response to Edwards’ tweets, DDG’s founder/CEO Gabe Weinberg tried to rubbish the findings by focusing more on the stuff their browser did block, including third-party cookies, even from Microsoft, tracker blocking, and HTTPS-always encryption service.

Moreover, Weinberg noted that the data flow issue was unrelated to DDG’s search engine. However, the DuckDuckGo browser has an exemption from blocking ad data transfers to subsidiaries of Microsoft like LinkedIn or Bing.

The data can be used to conduct cross-site tracking of users to display targeted advertisements. Weinberg, however, confirmed that their browser does allow Microsoft tracker 3rd party websites due to the agreement.

> “For non-search tracker blocking (e.g., in our browser), we block most third-party trackers. Unfortunately, our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.”
> 
> Gabe Weinberg on Twitter

> “We have always been extremely careful to never promise anonymity when browsing because that frankly isn’t possible given how quickly trackers change how they work to evade protections and the tools we currently offer. When most other browsers on the market talk about tracking protection, they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft.
> 
> What we’re talking about here is above-and-beyond protection that most browsers don’t even attempt to do — that is, blocking third-party tracking scripts before they load on 3rd party websites. Because we’re doing this where we can, users are still getting significantly more privacy protection with DuckDuckGo than they would be using Safari, Firefox, and other browsers. (…) Our goal has always been to provide the most privacy we can in one download, by default without any complicated settings.”
> 
> Weinberg to Bleeping Computer

Nevertheless, whatever may be the case, the issue seriously undermines the privacy claims made by DuckDuckGo for so long.

**More Privacy News**

1.  How data collected in gaming can be used to breach user privacy
2.  LinkedIn was copying every keystroke of users until iOS 14 exposed it
3.  Massive privacy risk as hacker sold 2 million MyFreeCams user records
4.  Israeli firm Kape Technologies buys ExpressVPN raising privacy concerns
5.  Hackers used macOS 0-days to bypass privacy features, take screenshots

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

DuckDuckGo Allows Microsoft Trackers Despite No Tracking Policy – Researcher

The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.

The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.

Zoom patched a medium-severity flaw, advising Windows, macOS, iOS and Android users to update their client software to version 5.10.0.

The Google Project Zero security researcher Ivan Fratric noted in a report that an attacker can exploit a victim’s machine over a zoom chat. The bug, tracked as CVE-2022-22787, has a CVSS severity rating of 5.9.

“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Ivan explained.

So called zero-click attacks do not require users take any action and are especially potent given even the most tech-savvy of users can fall prey to them.

XMPP stands for Extensible Messaging Presence Protocol and is used to send XML elements called stanzas over a stream connection to exchange messages and presence information in real-time. This messaging protocol is used by Zoom for its chat functionality.

In a security bulletin published by Zoom, the CVE-2022-22786 (CVSS score 7.5) affects the Windows users, while the other CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impacted Zoom client versions before 5.10.0 running on Android, iOS, Linux, macOS, and Windows systems.

****Working of Bug**  **

The initial vulnerability described by Ivan as  “XMPP stanza smuggling” abuses the parsing inconsistencies between XML parser in Zoom client and server software to “smuggle” arbitrary XMPP stanzas to the victim machine.

An attacker sending a specially crafted control stanza can force the victim client to connect with a malicious server thus leading to a variety of attacks from spoofing messages to sending control messages.

Ivan noted that “the most impactful vector” in XMPP stanza smuggling vulnerability is an exploit of “ClusterSwitch task in the Zoom client, with an attacker-controlled “web domain” as a parameter”.

Zoom Patches ‘Zero-Click’ RCE Bug

Critical vulnerability has been fixed upstream, but Tails dev team ‘doesn’t have the capacity to publish an emergency release earlier’

Critical vulnerability has been fixed upstream, but Tails dev team ‘doesn’t have the capacity to publish an emergency release earlier’

  

Tails is warning users to stop using Tor Browser that comes bundled with the privacy-focused operating system (OS), after the discovery of a prototype pollution vulnerability.

Tor Browser is a modification of the open source Firefox web browser, which is where the critical vulnerability, tracked as CVE-2022-1802, was found.

The bug could enable an attacker to corrupt the methods of an Array object in JavaScript via prototype pollution, potentially achieving the execution of attacker-controlled JavaScript code in a privileged context.

A second bug, tracked as CVE-2022-1529, could allow an attacker to send a message to the parent process where the contents could be used to double-index into a JavaScript object, leading to prototype pollution and ultimately allowing attacker-controlled JavaScript executing in the privileged parent process.

**Knock-on impact**

The developers of Tails, a security-focused Debian-based Linux distribution used for security and anonymity, warned users not to fire up Tor Browser while handling any sensitive information as the vulnerability may break any protections it provides.

This is at least until version 5.1 of Tails, expected on May 31, is released.

A security advisory from Tails reads: “This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.”

DON’T MISS Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

The vulnerability does not break the anonymity and encryption of Tor connections, meaning that it is still safe and anonymous to access websites from Tails if you don’t share sensitive information with them.

Other applications in Tails are not vulnerable because JavaScript is disabled. The Safest security level of Tor Browser is also not affected because JavaScript is disabled at this security level.

**Fixes incoming**

Tails version 5.0 comes bundled with Tor Browser 11.0.11, which contains the prototype pollution bug.

As users await Tails 5.1, which will inherit the Tor Browser 11.0.13 security update, they could use the standalone, and fully updated, version of the browser on Mac, Windows, or Linux.

“This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier,” the Tails team said.

A Mozilla security advisory contains more information about the security issues, which were reported by researcher Manfred Paul.

It also contains details on fixes for Firefox, Firefox ESR, Firefox for Android, Thunderbird to protect against the vulnerabilities.

YOU MAY ALSO LIKE Malicious Python library CTX removed from PyPI repo

Tails users warned not to launch bundled Tor Browser until security fix is released

Researchers found a litany of security flaws that allow simple, quick, and cheap forgeries in Australia.

In late 2019, the government of New South Wales in Australia rolled out digital driver’s licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud, compared to the plastic driver's license” citizens had used for decades.

Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn’t require any special hardware or expensive software, and will generate fake IDs that pass inspection by the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system.

“To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic driver's licence,” Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.

A Better Mousetrap Hacked With Minimal Effort

“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won't know that the fraudster has combined their own identification photo with someone’s stolen driver's licence details,” he continued. As things have stood for the past 30 months, however, DDLs make it “possible for malicious users to generate \[a\] fraudulent Digital Driver's Licence with minimal effort on both jailbroken and non-jailbroken devices without the need to modify or repackage the mobile application itself.”

DDLs require an iOS or Android app that displays each person’s credentials. The same app allows police and venues to verify that the credentials are authentic. Features designed to confirm the ID is authentic and current include:

*   Animated NSW Government logo.
*   Display of the last refreshed date and time.
*   A QR code expires and reloads.
*   A hologram that moves when the phone is tilted.
*   A watermark that matches the license photo.
*   Address details that don’t require scrolling.

Simple Technique

The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it’s only four digits long, there are only 10,000 possible combinations. Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes, as demonstrated in this video showing the process on an iPhone.

Once a fraudster gets access to someone’s encrypted DDL license data—either with permission, by stealing a copy stored in an iPhone backup, or through remote compromise—the brute force gives them the ability to read and modify any of the data stored on the file.

From there, it's a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device. The precise steps on an iPhone are:

*   Use iTunes backup to copy the contents of the iPhone storing the credential the fraudster wants to modify
*   Extract the encrypted file from the backup stored on the computer
*   Use brute-force software to decrypt the file
*   Open the file in a text editor and modify the birth date, address, or other data they want to fake
*   Re-encrypt the file
*   Copy the re-encrypted file to the backup folder and
*   Restore the backup to the iPhone

With that, the ServiceNSW app will display the fake ID and present it as genuine.

The following video shows the entire process from start to finish.

Death by 1,000 Flaws

A variety of design flaws make this simple hack possible.

The first is a lack of adequate encryption. A key based on a four-digit PIN is woefully inadequate. Apple provides a function named SecRandomCopyBytes for producing random bytes that can be used to generate secure keys. “If this was used to encrypt the Digital Driver's Licence rather than the 4 digit PIN, it would make the task of brute-forcing much harder if not completely infeasible for attackers,” Farmer wrote.

The next major flaw is that, astonishingly, DDL data is never validated against the back-end database to make sure that what’s stored on the iPhone matches records maintained by the government department. With no means to natively validate the data, there’s no way to tell when information has been tampered with. As a result, attackers are able to display the falsified data on the Service NSW application without any means to prevent or detect the fraud.

The third shortcoming is that using the “pull-to-refresh” function—a cornerstone of the DDL verification scheme intended to ensure the most current information is showing—fails to refresh any of the data stored in the electronic credential. Instead, it updates only the QR code. A better response would be for the pull-to-refresh function to download the latest copy of the DDL from the ServiceNSW database.

Fourth, the QR code transmits only the DDL holder’s name and status as either over or under the age of 18. The QR code is supposed to allow the person checking the ID to scan it with their own ServiceNSW app to validate that the data presented is authentic. To bypass the check, a fraudster only needs to obtain the driver's license details from a stolen or otherwise-obtained DDL and replace it locally on their phone.

“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won't know that the fraudster has combined their own identification photo with someone's stolen Driver's Licence details,” Farmer explained. Had the system returned the legitimate image data, the scanning party would easily see that the fraudster had forged the DDL, since the face returned by Service NSW wouldn’t match the face displayed on the app.

The last flaw the researcher identified was that the app allows the data it stores to be backed up and restored at all. While all files stored in the Documents and Library/Application Support/ folders are backed up by default, iOS allows developers to easily exclude certain files from backup by calling NSURL setResourceValue:forKey:error: with the NSURLIsExcludedFromBackupKey key.

With a reported 4 million NSW residents using the DDLs, the gaffe could have serious consequences for anyone who relies on DDLs to verify identities, ages, addresses, or other personal information. It's not clear how or even if Service NSW plans to respond. Given time differences between San Francisco and New South Wales, officials with the department weren't immediately available for comment.

Farmer noted this tweet, which called out a hotel bar for refusing service to someone who had only physical ID and instead accepting only DDLs. “I know 10 kids that you let in regularly with fake digital licenses because they are easy to make,” the person claimed.

While the veracity of that claim can’t be verified, it certainly sounds plausible, given the ease and effectiveness of the hack shown here.

_This story originally appeared on_ _Ars Technica__._

‘Tough to Forge’ Digital Driver’s Licenses Are—Yep—Easy to Forge

The encrypted-email company, popular with security-conscious users, has a plan to go mainstream.

Since its founding in 2014, ProtonMail has become synonymous with user-friendly encrypted email. Now the company is trying to be synonymous with a whole lot more. On Wednesday morning, it announced that it’s changing its name to, simply, Proton—a nod at its broader ambitions within the universe of online privacy. The company will now offer an “ecosystem” of linked products, all accessed via one paid subscription. Proton subscribers will have access not just to encrypted email, but also an encrypted calendar, file storage platform, and VPN.

This is all part of CEO Andy Yen’s master plan to give Proton something close to a fighting chance against tech giants like Google. A Taiwanese-born former particle physicist, Yen moved to Geneva, Switzerland, after grad school to work at CERN, the nuclear research facility. Geneva proved a natural place to pivot to a privacy-focused startup, thanks to both Switzerland’s privacy-friendly legal regime and to a steady crop of poachable physicists. Today, Yen presides over a company with more than 400 employees and nearly 70 million users. He recently spoke to WIRED about the enduring need for greater privacy, the dangers of Apple's and Google's dominance, and how today’s attacks on encryption recall the rhetorical tactics of the War on Terror.

This interview has been condensed and lightly edited.

**WIRED: You're in the online privacy business. To start super broadly, how do you define privacy?**

**Andy Yen**: These days, all Google and Apple and Big Tech talk about is privacy, so the best way to give our definition is to give the contrast. The way Google defines privacy is, “Nobody can exploit your data, except for us.” Our definition is cleaner, more simple, and more authentic: Nobody can exploit your data—period. We literally want to build things that give us access to as little data as possible. The use of end-to-end encryption and zero-access encryption allows that. Because fundamentally, we believe the best way to protect user data is to not have it in the first place.

**If you ask someone, “Would you like more privacy or less?” they always say more. But if you watch how people actually behave, for most people, data privacy is not a very high priority. Why do you think that is?**

Privacy is inherent to being human. We have curtains on the windows, we have locks on our doors. But we tend to disconnect the digital world from the physical world. So if you take the analogy of Google, it's someone that's following you around every single day, recording everything that you say and every place you visit. In real life, we would never tolerate that. On the internet, somehow, because it's not visible, we tend to think that it's not there. But the surveillance that you don't notice tends to be far more insidious than the one that you do.

**Your company has come out in support of reforms to strengthen antitrust enforcement. But a lot of people argue that privacy and competition are in conflict. Apple will say, “If you force us to allow more competition on the platform that we run, then that will reduce our control over the security and the privacy of the user. So if you make us increase competition, that will bring privacy down.” And then you see the flip side of the argument, which is when Apple or Google implements some new privacy feature that may hurt competitors. How do you think about these potential conflicts?**

What Apple is basically claiming is, you need to let us continue our use of app store practices because we're the only company in the world that can get privacy right. It’s an attempt to monopolize privacy, which I don’t think makes any sense.

If you look at the FTC lawsuit against Facebook, the theory is that privacy and competition are two sides of the same coin. If you're not happy with Facebook's privacy practices, what is the alternative social media that you can go to other than Facebook and Instagram? You don't really have that many options. We need more players out there. If they had to compete, then competition would force privacy to be a selling point.

The same is true for other services that we offer. Today, Google controls the Android operating system, which is used by the majority of people, and they can preload all their applications as a default on your user devices. So they have a massive advantage already because users don't change the defaults. So even though their privacy practices are quite terrible for most people, there's no real pressure to change it because the alternatives don't really exist. And if they do exist, Google's able to hide them, because they set the defaults on their devices. So if you want to fix the privacy issue, the best way to do it is to have more competition, because then there will be user choice, and users tend to choose what is more private, because, as you said, everybody wants more privacy.

**Europe’s new Digital Market Act has a controversial section requiring the biggest messaging platforms to let competitors interoperate with them, while still preserving end-to-end encryption. But quite a lot of people** **argue** **that you can't actually do both of those things. So here's a place where privacy and competition really do seem to be conflicting with each other technologically.**

I have to say, this has been around since the early '90s. PGP is basically interoperable encryption, based on the email standard. So it may not be technologically the easiest to do. But to say it’s technologically impossible is also not correct.

**Another EU proposal** **would require companies to implement methods of detecting child sex abuse material, or CSAM, on their platforms. People are very alarmed about the implications of that for encryption.**

We're still in the process of analyzing it, so I can’t comment specifically on the details of the proposal. But these proposals are not new. In fact, they've been coming up in various forms over the past decade. What is novel and different this time is that these proposals used to be packaged under “terrorism.” Now, they’re packaged under CSAM. It was very clever to repackage this idea into a topic that is even more toxic, which makes informed debate difficult. Obviously, CSAM is a horrible problem, something that the world is better without. But a wholesale attack on encryption can have unforeseeable consequences that are not always completely understood or considered by the drafters of these proposals.

**Do you think that this** _**is**_ **a wholesale attack on encryption, though? The people making these proposals say, “We're not attacking encryption. You just have to figure out a way to monitor for CSAM.”**

Well, there is really no practical way in today's technology to do that in a way that doesn't weaken encryption.

**The analogy to terrorism is interesting because, during the Bush-era War on Terror, there was a sense of literally anything being justified in the name of stopping terrorism. The US government was secretly spying on its own citizens. It was really hard to argue that we have to accept that some terrorism is going to happen. It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen and people are going to use digital tools to spread it. But at some point, I think you do have to defend the principle that we have to tolerate a certain amount of even the very worst things if we want to have meaningful civil liberties.**

If there was no privacy in the world, that world would be more “secure.” But that world does exist; it's called North Korea. And the people that live there probably don't feel very secure. As a democracy, you have to strike the right balance. The balance is not total mass surveillance of everybody, because we know that there are serious consequences to democracy and freedom as a result of that. It's not easy to find the right balance. But during the Bush years, with terrorism, I think they went to an extreme that really was a backsliding on democracy. And this is something that we need to avoid.

**But then on the flip side,** **you read stories** **about law enforcement catching really bad criminals, and in a lot of those stories, if that person had used a Tor browser and a ProtonMail account and a VPN, and so on, they might not have been caught. Do you ever worry about a future where all the bad guys get smart enough to use the best privacy tools, and it becomes too easy to evade the legal system entirely?**

Well, encryption and privacy technologies are what I would call dual-use. What is law enforcement also concerned about these days? People’s information being stolen, sensitive communications being hacked, emails of political campaigns being stolen by state actors and disseminated to shift the political balance. In order to prevent all of those potential ills, you need privacy, encryption, and good security. So, the same tools that people in law enforcement criticize are actually the same things that are shielding a lot of the internet ecosystem and the economy from a disastrous outcome. If you were to weaken or prohibit all of these security tools and privacy tools, then you would open the floodgate to a massive amount of cybercrime and data breaches.

**Proton has grown a lot over the years, but it’s still basically a rounding error compared to something like Google. We’ve talked about competition from a regulatory perspective, but on a practical level, how do you even try to compete with your massive rivals?**

The current plan is the launch of the Proton ecosystem. It's one account that gives you access to four privacy services: Proton Mail, Proton Calendar, Proton Drive, and Proton VPN. One subscription that gives you access to all those services. It's the first time anybody has taken a series of privacy services and combined them to form a consolidated ecosystem. That doesn't match all of Big Tech’s offerings, of course. But I think it provides, for the first time, a viable alternative that lets people say, “If I really want to get off of Google, I can now do it, because I have enough components to live a lot of my daily life.” For the first time, you’ll have a privacy option that’s not fully competitive with Google, but reasonably competitive, and that will start to break the dam. I don't know how it will go, but I think this is the future of privacy, and that’s why we're doing it.

**This is probably the first time I have ever thought about having an encrypted calendar.**

A calendar is essentially a record of your life: everybody you've met, everywhere you’ve been, everything that you have done. It's extremely sensitive. So you don't intuitively think about protecting that, but actually, it's essential.

**And by making that encrypted, who am I protecting that information from?**

Maybe it's the government requesting information on you. Maybe it's a data leak. Maybe it's a change in business model of your cloud provider at some point in the future that decides that they want to monetize user data in a different way. Your data is just one acquisition away from going across the border to a country that you didn't expect when you signed up for the service.

**Right. Elon Musk is about to own all my Twitter DMs.**

Exactly right. And with end-to-end encryption, no matter what happens, it's your data; you control it. It's just a mathematical guarantee.

**But what if I move all my stuff to the Proton ecosystem, and then like four years from now, you go out of business? What happens to my stuff?**

Proton has been around for eight years now. In the tech space, that's a long time. I think an indicator of what is sustainable in the long term is alignment between the business and the customers. Our business model is simple: Premium users pay us to keep theie data private, and our only incentive is to keep it private. Sometimes the easiest and simplest models are the ones that are the most durable. I strongly believe that Proton will be a company that outlives us.

Proton Is Trying to Become Google—Without Your Data

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.
Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022.

The list of bugs is as follows -

*   **CVE-2022-22784** (CVSS score: 8.1) - Improper XML Parsing in Zoom Client for Meetings
*   **CVE-2022-22785** (CVSS score: 5.9) - Improperly constrained session cookies in Zoom Client for Meetings
*   **CVE-2022-22786** (CVSS score: 7.5) - Update package downgrade in Zoom Client for Meetings for Windows
*   **CVE-2022-22787** (CVSS score: 5.9) - Insufficient hostname validation during server switch in Zoom Client for Meetings

With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.

Fratric dubbed the zero-click attack sequence as a case of "XMPP Stanza Smuggling," adding "one user might be able to spoof messages as if coming from another user" and that "an attacker can send control messages which will be accepted as if coming from the server."

At its core, the issues take advantage of parsing inconsistencies between XML parsers in Zoom's client and server to "smuggle" arbitrary XMPP stanzas — a basic unit of communication in XMPP — to the victim client.

Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.

While the downgrade attack singles out the Windows version of the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact Android, iOS, Linux, macOS, and Windows.

The patches arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory content in its on-premise Meeting services. Also fixed was another instance of a downgrade attack (CVE-2022-22781) in Zoom's macOS app.

Users of the application are recommended to update to the latest version (5.10.0) to mitigate any potential threats arising out of active exploitation of the flaws.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. 
The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

**Google**

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

**Vulnerabilities**

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

**Cytrox**

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

**Government spyware**

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

Tag

#android