Cybersecurity researchers have disclosed details of a new vulnerability impacting Google's Quick Share data transfer utility for Windows that could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target's device without their approval.
The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the 10 shortcomings that were originally disclosed by

Google Patches Quick Share Vulnerability Enabling Silent File Transfers Without Consent

A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years.

Before the official faculty profiles of renowned Indiana University, Bloomington (IU) data privacy professor Xiaofeng Wang and his wife disappeared and the FBI raided two of the couple’s homes last week, the school is said to have been reviewing for months whether the professor received unreported research funding from China, WIRED has learned.

Indiana University contacted Wang in December to ask about a 2017-2018 grant in China that listed Wang as a researcher, according to an unsigned statement that appears to be written by a Purdue University professor and long-time collaborator of Wang seen by WIRED. The statement says that the author believed IU was concerned that Wang allegedly failed to properly disclose the funding to the university and in applications for US federal research grants.

The statement has been circulating among cybersecurity and privacy scholars at universities around the world in recent days and was sent to WIRED by three separate sources. It claims that Wang had explained the funding situation to IU, then was told in February that the school would continue looking into the matter.

Alex Tanford, a professor emeritus at Indiana University and the IU Bloomington Chapter president of the American Association of University Professors, says Wang reached out to him and said that he had been accused of alleged research misconduct. Tanford says he provided Wang guidance as a member of the faculty board of review. IU did not answer WIRED’s questions regarding any probes into Wang.

“The charge seemed trivial—that he had failed to properly disclose who was principal investigator on a grant application and had not fully listed all his coauthors on an article,” Tanford tells WIRED of the allegations. He says Wang wanted to know if the university had the right to lock him out of his office and computer, as he was in the middle of ongoing research.

Research papers Wang published between 2017 and 2018 list funding from places like the National Science Foundation, National Institutes of Health, the US Defense Advanced Research Projects Agency, the US Army Research Office, Google, and Samsung, according to a WIRED review of his publications from the time period.

Wang regularly collaborated with researchers at the Institute of Information Engineering (IIE) at the Chinese Academy of Sciences, a government-funded cybersecurity research lab. In papers, Wang and his coauthors disclosed that the IIE scholars received funding from sources such as the National Natural Science Foundation of China, but that Wang was being supported by US grants. It’s not uncommon for professors at US institutions to collaborate with researchers in China, and there's no public evidence to suggest that the arrangements were improper.

According to the unsigned statement’s title and metadata, it appears to have been authored by Ninghui Li, a computer science professor at Purdue who has collaborated on research with Wang since at least 2006. The pair also serve together on the board of the ACM Special Interest Group on Security, Audit, and Control (SIGSAC), which aims “to develop the information security profession by sponsoring high quality research conferences and workshops,” according to the Association for Computer Machinery’s website. Li did not respond to emailed requests for comment nor a voicemail left on his office phone.

Jason Covert, one of attorneys representing Xiaofeng Wang and his wife, Nianli Ma, a library systems analyst whose employee profile was also removed by Indiana University, tells WIRED that Wang and Ma are both “safe” and that neither of them have been arrested. Their legal team is not currently aware of any pending criminal charges against them, and while the couple’s attorneys have viewed a search warrant from the Department of Justice, Covert says they have not received a copy of the affidavit establishing probable cause.

Wang is considered among the top researchers in the field of privacy, data security, and biometric privacy, and his sudden disappearance came as a shock to many of his academic peers. Wang joined IU in 2004 and is the lead principal investigator of the multidisciplinary Center for Distributed Confidential Computing, which he established in 2022 with an almost $3 million grant from the National Science Foundation (NSF), according to a since-deleted bio on IU’s website. As part of his application for the NSF funding and other US federal research grants, Wang would have been required to disclose other grants he already received or were currently pending review.

On March 28, the FBI searched two home addresses associated with Wang. The same day, IU also reportedly terminated Wang’s job via an email sent by provost Rahul Shrivastav, which WIRED obtained and was first reported by The Indiana Daily Student. The email also said it was understood that Wang had recently accepted a position with a university in Singapore, a detail also repeated in the statement attributed to Li.

The statement says Wang planned to start at the unnamed Singaporean university on June 1, 2025, and requested a leave of absence from Indiana University in early March. But IU responded by “putting him on administrative leave, removing his IU homepage, and disabling his IU email address,” it claims.

Wang’s new job offer “would be irrelevant in any event because it is for \[the\] next academic year and would not justify firing him,” Tanford says. Terminating his employment via an email was a violation of university policy, Tanford claims, which prohibits firing a tenured professor without cause, and requires a 10-day notice and a hearing before a faculty board of review, if requested by the staff member. “The faculty is deeply concerned. If the administration can fire a tenured professor without due process and in violation of a policy approved by our trustees, none of us is safe,” he says.

Reached for comment, an IU spokesperson declined to answer detailed questions from WIRED about prior communications between the university and Wang and the school’s decision to fire him.

“Indiana University was recently made aware of a federal investigation of an Indiana University faculty member,” university spokesperson Mark Bode tells WIRED in an emailed statement. “At the direction of the FBI, Indiana University will not make any public comments regarding this investigation. In accordance with Indiana University practices, Indiana University will also not make any public comments regarding the status of this individual.”

The FBI has so far not commented on the reason for its activities surrounding Wang’s properties. In a statement sent to WIRED, Indianapolis-based spokesperson Chris Bavender says, “The FBI conducted court authorized law enforcement activity at homes in Carmel and Bloomington, Indiana last Friday. We have no further comment at this time.”

WIRED could not immediately reach Wang or Ma for comment directly, but Covert, their attorney, provided a statement on their behalf.

“Prof. Wang and Ms. Ma are thankful for the outpouring of support they have received from colleagues at Indiana University and their peers across the academic community,” the statement reads. “They look forward to clearing their names and resuming their successful careers at the conclusion of this investigation.”

To many in the academic research community, the events surrounding Wang and another Chinese-born scholar in Florida who was fired recently are reminiscent of the China Initiative, a US Department of Justice campaign launched under the first Trump administration to combat cybercrime and economic espionage. Critics accused the program of unfairly targeting Chinese-born researchers and broader Asian-immigrant and Asian-American academic communities.

The DOJ abandoned the program under the Biden administration in 2022 after it lost or withdrew charges in a number of associated cases. At the time, a top DOJ official said it had “helped give rise to a harmful perception” that there are lower standards for prosecuting conduct related to China, and people with ties to the country are treated differently. But several congressional efforts have since sought to resurrect the program or start similar law enforcement campaigns, including a 2023 bill that passed the House but not the Senate last year.

“We, like many other organizations and individuals, have broad concerns that the end of the \[China Initiative\] is just in name but does not reflect a change in fact and substance,” Jeremy Wu, the coorganizer of APA Justice, a nonprofit organization that advocates against racial profiling, said in a March webinar at the Michigan State University. Wu declined WIRED’s request to comment on the events surrounding Wang.

Matthew Green, a professor at Johns Hopkins University who specializes in cryptography and cryptographic engineering says that, while he doesn’t know Wang personally, he is troubled by how secretive Indiana University has been about the circumstances that led to his alleged firing. “This is not normal behavior by a university,” Green tells WIRED.

Green says he worries that cases like Wang’s could make young engineers from China think twice about studying at American universities, and even motivate talented researchers who have lived in the US for decades to instead consider working abroad. “We may lose a huge amount of expertise,” Green says.

Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say

Cybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed a malicious actor to access container images and even inject malicious code.
"The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact

Google Fixed Cloud Run Vulnerability Allowing Unauthorized Image Access via IAM Misuse

Top Data Anonymization Tools of 2025 to protect sensitive information, ensure compliance, and maintain performance across industries.

Data protection is of the highest importance in 2025. With growing numbers of organizations handling sensitive customer data and stricter data protection regulations emerging around the world, organizations need strong tools for information protection. That’s where data anonymization enters the picture; it covers up or replaces personal data, and even if data leaks, it’s meaningless for hackers.

But not all anonymization software are created equally. Some are fast, some are secure, and some are just user-friendly. Let’s review the best data anonymization software of 2025 below.

****K2view****

If you’re looking for a top-of-the-line anonymization solution, the number one on your list should be K2view. K2view, being one of the best data anonymization tools, doesn’t just scramble data; it restructures data such that it can still be useful for testing and analytics purposes, with total privacy.  

K2view does this by creating “micro-databases” for each record, keeping each customer’s data apart and secure. It doesn’t just encrypt or mask data but also anonymizes it on the fly based on who is viewing it. That leaves developers with realistic test data, analysts with actionable insights, and no one with access to real sensitive data unless they need it.

Speed is also a perk. Unlike other software that slows down systems, K2view is optimized for handling vast databases with no lag. If you’re part of the finance, healthcare, or retail sector, this tool keeps your data secure with no slowing down.

****Privitar****

If your organization is dealing with a number of privacy laws like GDPR, CCPA, or HIPAA, then Privitar is a great choice. Privitar is centered around policy-based anonymization, which is the ability for you to define rules for data anonymization depending on the type of data and the laws involved.

Privitar is special because it can preserve data utility and still make the data private. If, for example, you’re dealing with medical records, it can anonymize the names and addresses of the patients but preserve the important trends for research.

And the best part? It supports the big cloud platforms such as AWS, Azure, and Google Cloud, making it convenient for any size of organization, be it a start-up or a large-scale organization.

****ARX****

Not all companies have a large budget for data privacy software, and that is precisely why ARX fills the gap. ARX is a free, open-source anonymization software that is no less effective when it comes to capabilities.

ARX offers a number of anonymization options, including generalization, suppression, and differential privacy. You can control the quantity of information deleted from the data, making it suitable for data sharing or research purposes without violating the law.

The catch is, it’s not as user-friendly and refined as some of the paid options. But if your team is technologically savvy and can work with a bit of learning curve, ARX is a wonderful free solution for anonymizing data without the cost.

****DataVeil****

If you’re seeking a tool with sole function for anonymization, DataVeil is one that is definitely worth looking at. DataVeil differs from other platforms which integrate anonymization with other data security features because it is specifically intended for masking and obfuscation.

One of its most significant strengths is real-time masking, which can anonymize data as it is being used. This is most suitable for organizations that make use of live databases but still need to protect sensitive information. It supports a number of databases like SQL Server and Oracle, and is thus appropriate for organizations with big data.

The only catch? It’s a bit specialized, and that means if you’re looking for a tool with broader data security features, then you might be required to integrate it with other tools.

****Anonos****

Everything is touched by AI in 2025, data privacy is no exception. Anonos is a game-changing solution that uses AI-driven anonymization for context-dependent protection of data.

For example, if a store would like to analyze customer buying habits without exposing real customer data, Anonos can anonymize the data for each team differently, such that marketing teams can view the patterns and IT teams can view the technical data—without exposing sensitive customer data.

It also possesses the feature of generating synthetic data, i.e., generating fake data sets that behave like real ones, making it suitable for training AI and data science without the fear of data breaches.

****Tonic.ai****

If you’re a software developer, then Tonic.ai is a saviour. The software is meant for creating realistic test data without the use of real personal data.

Developers need test data that mirrors real customer data, but real data is a privacy nightmare. Tonic.ai solves this problem by generating fake, though incredibly accurate, datasets that reflect the structure of real ones. Developers can then test apps without exposing anyone’s personal information.

It is integrated with popular databases and development tools seamlessly, thus being the best solution for software development teams that want to focus on software development rather than being distracted by compliance.

****Which Is the Right Choice for You?****

The anonymization tool of your choice will be determined by what you’re seeking. If a high-performance enterprise solution is what you’re seeking, then choose K2View. If compliance is most important, choose Privitar. If budget is the limiting factor, then ARX is the best free solution. If real-time masking is the answer for you, then DataVeil is the best, with the addition of AI from Anonos. If you’re a developer, then the answer is Tonic.ai.

As data privacy becomes even more critical in 2025, the decision of which anonymization tool is not just a smart one, it’s a necessity.

Image by Stephan Marquardt from Pixabay.

Best Data Anonymization Tools in 2025

On the 21st birthday of Gmail, Google has announced a major update that allows enterprise users to send end-to-end encrypted (E2EE) to any user in any email inbox in a few clicks.
The feature is rolling out starting today in beta, allowing users to send E2EE emails to Gmail users within an organization, with plans to send E2EE emails to any Gmail inbox in the coming weeks and to any email inbox

Enterprise Gmail Users Can Now Send End-to-End Encrypted Emails to Any Platform

A number of specialized dating apps leaked the--not so--secret storage location of 1.5 Million more or less explicit images

A researcher found millions of pictures from specialized dating apps for iOS stored online without any kind of password protection.

The pictures, some of which are explicit, stem from dating apps that all have a specific audience. The five platforms, all developed by M.A.D. Mobile are kink sites BDSM People and Chica, and LGBTQ+ apps Pink, Brish, and Translove.

As we reported not too long ago, many iOS apps leak at least one hard coded secret. We consider hard coded secrets in the source code of the apps as exposed because they are relatively easy to find and abuse by cybercriminals. And those secrets can have serious consequences for the apps’ users

Cybernews’ Aras Nazarovas found the storage location (a Google Cloud Storage bucket) used by the apps by reverse engineering the code. To his surprise, he could access the unencrypted and otherwise unprotected photos without needing any password.

As soon as he saw the first image, he knew this storage should not have been public. Not only did it contain profile pictures, it also included pictures sent in private messages, including some removed by moderators.

In total, nearly 1.5 million user-uploaded images were available to anyone stumbling over the storage bucket. Although the images are not linked to any user accounts or other private information, it is not unthinkable that cybercriminals could figure out some of the identities by using commonly available face search engines.

Many of these search engines use Artificial Intelligence (AI) for facial recognition combined with reverse image search technology to find other photos of a person published online, based on a picture submitted by the user.

Although officially intended only for self-searches, many of them don’t bother to check whether that’s actually the case.

Coupled to the identity of the person in the picture, these images could expose users to extortion, as well as an increased risk of hostility. As if online dating isn’t nervewracking enough, especially for those looking in special categories, the last we need is to see our explicit images exposed.

M.A.D Mobile was warned about the leak in January, but didn’t take any action to protect the storage until the BBC contacted the company on Friday. The issue has now been fixed.

It’s important to stipulate that the apps are exclusive to iOS and do not have Android or web alternatives.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 Intimate images from kink and LGBTQ+ dating apps left exposed online 

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Google Tag allows Cross-Site Scripting (XSS). This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-36vv-q5jv-94cj: Drupal Google Tag Cross-Site Scripting (XSS) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Google Tag allows Cross Site Request Forgery. This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.

GHSA-qchr-8m24-7v66: Drupal Google Tag Cross-Site Request Forgery (CSRF)

A list of topics we covered in the week of March 24 to March 30 of 2025

March 31, 2025 - The internet is so filled with falsehoods that April Fools hits different these days. That's why, as a cybersecurity company, we're out.

March 27, 2025 - A man didn't just have his ID stolen, identity theft ruined his life and robbed him of a promising future.

March 27, 2025 - Is moving from WhatApp to Signal a good idea? We look at the pros and cons, and which settings can make Signal even more private.

March 26, 2025 - Fake Booking.com emails sent to hotels lead to fake CAPTCHA sites that trick the staff into infecting their own systems.

March 26, 2025 - With its growing popularity, sponsored Google search ads have started impersonating DeepSeek AI.

 A week in security (March 24 &#8211; March 30) 

The internet is filled with falsehoods.  We’re forever investigating new scams here at Malwarebytes, and it’s so hard to know what—or...

The internet is filled with falsehoods. 

We’re forever investigating new scams here at Malwarebytes, and it’s so hard to know what—or who—to trust online.  

There’s the scam that takes advantage of grieving people and tricks them into paying for a funeral live stream. 

There’s the fake CAPTCHA that hijacks clipboards and tricks users into installing malware. 

There’s the many, many, many scams that use Google ads to trick people into granting remote access to their machine, handing over money, or installing malware. 

And we’re being tricked constantly by AI, take the Texan restaurant with its dino croissant and photos of Jeff Bezos at the bar. Or the scam that uses an AI replica of a loved one’s voice to trick a family member into handing over money. 

It’s hard to know what to believe any day of the year online and so, while we used to participate in April Fools, it just hits different these days. 

Especially when things go wrong when it comes to April Fools’ pranks. Last year a burger restaurant sent customers into a spin after sending them a fake order confirmation email, which led to customers fearing that their accounts had been hacked. All in good faith, but it no doubt hit a nerve for the affected customers. 

So go ahead and order your Hot Dog Sparkling Water, eat your crust only pizza, or have a snooze in your banana sleeping bag. We love that. But as a cybersecurity brand we want you to feel like you can trust us—every single day of the year. If we say something is fake, then it’s fake. If we say it’s real, then it’s real. No exceptions. 

****How to protect yourself from scams** **

*   **Watch out for a false sense of urgency.** Scammers will often use time pressure to get you to click, fill in your personal data, or hand over money. If you feel like you’re being asked to act quickly, take a pause. 

*   **Is it too good to be true?** Offers of big discounts or free stuff can be really tempting, but they’re often used as lures for scammers. The likelihood is that it is, indeed, **too good to be true** and should be avoided at all costs. 

*   **Have a family code word**. Scammers are known to use an AI-generated voice of a loved one to trick a family member into handing over money. Come up with a code word in person that only you and your loved ones know and keep it a secret so you can ask for it if you receive such a phone call. 

*   **Check via another way**. If your “bank” gives you an unexpected phone call, ring them back on a number you know is theirs. If a Facebook friend DMs you a link, send them a quick text to check it’s really them. Double checking in this way could save you doing something you later regret. 

*   **Use a different password for every account**. If you get your username and password stolen on one account you don’t want scammers to be able to use it on another. Password managers help you create complex passwords, and they remember them for you.  

*   **Set up multi-factor authentication** on every account you can. It’s not foolproof, but it does make it considerably harder for scammers.

Tag

#google