Over the past year, Meta has blanketed TV screens around the world with commercials touting the privacy of WhatsApp, its encrypted messenger with a monthly user base of 3 billion people. "It's private," one ad campaign featuring the former cast of the Modern Family TV show says. "On WhatsApp, no one can see or hear your personal messages … not even us," a different series of ads declares.

"Serious risks to user data"

On Monday, the former head of security for the Meta-owned messaging app filed a federal whistleblower lawsuit that tells a far different narrative. The suit, filed in US District Court for the District of Northern California, recites a litany of purported security and privacy flaws that Meta not only didn't fix after becoming aware of them, but also kept secret, allegedly in violation of a $5 billion settlement that then-WhatsApp parent company Facebook reached with the Federal Trade Commission. The complaint was filed by Attaullah Baig, who became head of WhatsApp security in 2021.
Security & IT News
Real-time news from 13+ trusted sources: BleepingComputer, The Hacker News, Krebs on Security, Dark Reading and more.
The sky is falling, and Gmail has supposedly been hacked to bits by malicious parties unknown. Or has it? Reports circulated last week claiming that Gmail was the subject of a major data breach, citing a series of warnings Google has distributed and increasing reports of phishing attacks. The hysteria was short-lived, though. In a brief post on its official blog, Google says that Gmail's security is "strong and effective," and reports to the contrary are mistaken.

This story seems to have developed due to a random confluence of security events. Google experienced a data breach in June, but the attack was limited to the company's corporate Salesforce server. The hacker was able to access publicly available information like business names and contact details, but no private information was compromised. Over the following weeks, Google alerted Gmail users to an increase in phishing attacks in July and August. It didn't offer many details, but many believed the spike in phishing was related to the corporate server breach. Indeed, more people are talking about hacking attempts on social media right now.

This led to the claim that Gmail's entire user base of 2.5 billion people was about to be hacked at any moment, with some reports advising everyone to change their passwords and enable two-factor authentication. While that's generally good security advice, Google says the truth is much less dramatic.
Hacking is hard. Well, sometimes. Other times, you just call up a company's IT service desk and pretend to be an employee who needs a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset... and it's done. Without even verifying your identity.

So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed.
Extensions installed on almost 1 million devices have been overriding key security protections to turn browsers into engines that scrape websites on behalf of a paid service, a researcher said. The 245 extensions, available for Chrome, Firefox, and Edge, have racked up nearly 909,000 downloads, John Tuckner of SecurityAnnex reported. The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers. The common thread among all of them: they incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions.

Intentional weakening of browsing protections

Tuckner and critics say the monetization works by using the browser extensions to scrape websites on behalf of paying customers, which include AI startups, according to MellowTel founder Arsian Ali. Tuckner reached this conclusion after uncovering close ties between MellowTel and Olostep, a company that bills itself as "the world's most reliable and cost-effective Web scraping API." Olostep says its service "avoids all bot detection and can parallelize up to 100K requests in minutes." Paying customers submit the locations of browsers they want to access specific webpages. Olostep then uses its installed base of extension users to fulfill the request.