Apple started scanning for CSAM in 2019
Earlier this month, Apple announced it would start client-side scanning of devices for matches against hashes of known child sexual abuse material (CSAM). The scans would apply only to photos being uploaded to iCloud Photos. The announcement triggered concerns about privacy and about the same mechanism being repurposed for state censorship. Apple has now confirmed that it has been scanning outgoing and incoming iCloud Mail for CSAM since 2019, although it says it has never scanned iCloud Photos or iCloud backups. Apple's child safety policy pages and interviews with its executives had previously alluded to some form of existing CSAM scanning. Sources tell 9to5Mac that the total number of CSAM reports Apple files each year is measured in the hundreds.
(9to5Mac)
Power Apps had leaky APIs
Researchers at the security firm UpGuard discovered that data stored behind Microsoft's Power Apps portals was publicly accessible. This included over 38 million records across a variety of web apps, affecting organizations including American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, and the New York City MTA. Exposed data ranged from job applications containing Social Security numbers to Covid-19 contact tracing records. None of the data is known to have been misused, and the exposed data has since been made private. The researchers found that when a portal enabled the OData API for its lists, the platform did not enforce table permissions by default, so the backing tables could be read anonymously. Microsoft changed the default so that table permissions are enforced at the start of August.
(Wired)
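The check a portal owner would want to run, as an added example (not UpGuard's or Microsoft's code): fetch the portal's OData service document, then request one row from each entity set without credentials and record which tables answer. It assumes the service document lives at /_odata, the path Power Apps portals use for list OData feeds; the portal hostname and every response below are constructed so the audit runs offline, and the `fetch` callable is injected so a real HTTP client can be dropped in.

```python
"""Probe a Power Apps portal's OData feed for anonymously readable tables.

Added example, not UpGuard's or Microsoft's code. Assumes the service
document is served at /_odata and that an entity set which returns rows
to an unauthenticated request is exposed. Hostname and responses are
constructed stand-ins, not real portal data.
"""
import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin

# fetch(url) -> (status_code, body_text). Injected so the audit runs offline;
# swap in requests.get(...) for a live check.
Fetcher = Callable[[str], Tuple[int, str]]


def list_entity_sets(portal: str, fetch: Fetcher) -> List[str]:
    """Entity set names from the OData service document, [] if unavailable."""
    status, body = fetch(urljoin(portal, "/_odata"))
    if status != 200:
        return []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    return [e["name"] for e in doc.get("value", []) if "name" in e]


def classify_entity_set(portal: str, name: str, fetch: Fetcher) -> str:
    """'exposed' if a row comes back unauthenticated, 'protected' on 401/403,
    'empty' if the feed answers with no rows, 'unknown' otherwise."""
    status, body = fetch(urljoin(portal, f"/_odata/{name}?$top=1"))
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "unknown"
    try:
        rows = json.loads(body).get("value", [])
    except (json.JSONDecodeError, AttributeError):
        return "unknown"
    return "exposed" if rows else "empty"


def audit_portal(portal: str, fetch: Fetcher) -> Dict[str, str]:
    """Map every advertised entity set to its exposure verdict."""
    return {name: classify_entity_set(portal, name, fetch)
            for name in list_entity_sets(portal, fetch)}


# Constructed responses standing in for a misconfigured portal (hypothetical host).
_FAKE_PORTAL = "https://example-portal.powerappsportals.com/"
_FAKE_RESPONSES = {
    "/_odata": (200, json.dumps({"value": [
        {"name": "contacts", "url": "contacts"},
        {"name": "applications", "url": "applications"},
        {"name": "cases", "url": "cases"},
    ]})),
    # table permissions off: anonymous caller gets a record back
    "/_odata/contacts?$top=1": (200, json.dumps({"value": [
        {"fullname": "A. Example", "emailaddress1": "a@example.invalid"}]})),
    # table permissions on: portal refuses
    "/_odata/applications?$top=1": (403, "Forbidden"),
    # readable but holds nothing (still worth fixing before it fills up)
    "/_odata/cases?$top=1": (200, json.dumps({"value": []})),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    path = url[len(_FAKE_PORTAL.rstrip("/")):]
    return _FAKE_RESPONSES.get(path, (404, ""))


if __name__ == "__main__":
    for table, verdict in audit_portal(_FAKE_PORTAL, fake_fetch).items():
        print(f"{table:14s} {verdict}")
```

An "empty" verdict is still a finding: the table is readable, it just has no rows yet.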
Razer mice squeak past user privileges
Security researcher Jon Hat found a vulnerability in Razer's device setup: plugging in a Razer mouse prompts Windows Update to download and run the Razer installer with SYSTEM privileges. The installer lets the user open a Windows File Explorer window, and from that window the user can launch PowerShell, which inherits the installer's SYSTEM privileges. In effect, anyone with physical access to a machine can plug in the mouse and install whatever software they like. Razer's team is currently working on a fix. It is unclear whether all or only some Razer mice trigger the vulnerability.
(Engadget)
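The tell this leaves in endpoint telemetry, and how to look for it, as an added example (not from the Razer report): an interactive shell running as SYSTEM inside a logged-on user's desktop session, launched by something other than the service hosts that normally spawn SYSTEM processes. Field names follow Sysmon event 1 (ProcessCreate); the event records, the installer image path and the account names are constructed, and the rule is deliberately vendor-agnostic so it also catches the same pattern from any other installer.

```python
r"""Flag interactive shells running as SYSTEM inside a user's desktop session.

Added example, not code from the Razer report. The signal: powershell.exe
(or cmd.exe) with User = NT AUTHORITY\SYSTEM, a non-zero TerminalSessionId
(a user desktop, not session 0 where services live), and a parent that is
not one of the hosts that legitimately launch SYSTEM processes. Field names
follow Sysmon event 1; the records and the installer path are constructed.
"""
from typing import Dict, Iterable, List

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Parents that legitimately launch SYSTEM processes; extend for your estate.
BENIGN_SYSTEM_PARENTS = {"services.exe", "wininit.exe", "svchost.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def basename(path: str) -> str:
    """Last path component, lower-cased, so the rule ignores install directories."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: Dict[str, str]) -> bool:
    """Shell + SYSTEM + interactive session + unexpected parent."""
    if basename(ev["Image"]) not in SHELLS:
        return False
    if ev["User"].upper() != SYSTEM_USER:
        return False
    # Session 0 is where services run; a SYSTEM shell there is routine automation.
    if int(ev.get("TerminalSessionId", "0")) == 0:
        return False
    return basename(ev["ParentImage"]) not in BENIGN_SYSTEM_PARENTS


def triage(events: Iterable[Dict[str, str]]) -> List[int]:
    """EventRecordIDs of events matching the rule, in input order."""
    return [int(ev["EventRecordID"]) for ev in events if is_suspicious(ev)]


# Constructed ProcessCreate events (not real telemetry).
EVENTS = [
    {   # user opened PowerShell from the installer's Explorer dialog; path is hypothetical
        "EventRecordID": "101",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "User": "NT AUTHORITY\\SYSTEM",
        "TerminalSessionId": "1",
        "ParentImage": "C:\\Windows\\Installer\\Razer\\RazerInstaller.exe",
    },
    {   # scheduled task in session 0: expected
        "EventRecordID": "102",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "User": "NT AUTHORITY\\SYSTEM",
        "TerminalSessionId": "0",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
    },
    {   # ordinary user shell: expected
        "EventRecordID": "103",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "User": "CONTOSO\\alice",
        "TerminalSessionId": "1",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {   # same pattern from some other installer: also caught
        "EventRecordID": "104",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "User": "NT AUTHORITY\\SYSTEM",
        "TerminalSessionId": "2",
        "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
    },
]

if __name__ == "__main__":
    print("suspicious records:", triage(EVENTS))
```

Tune `BENIGN_SYSTEM_PARENTS` against a baseline of your own fleet before alerting on it; management agents that run as SYSTEM in the user session will otherwise show up.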
Facebook delayed release of Q1 content report
The New York Times reports that Facebook held back a Q1 report on its most widely viewed content, having published its Q2 report last week. The Times characterized the delay as avoiding bad optics for the company, while Facebook said the report was held back to make "key fixes." The most viewed link in the Q1 report was a story about a doctor who died two weeks after receiving a Covid-19 vaccine, seen by some 54 million accounts. The story was later updated with a statement from the medical examiner that there was insufficient evidence the vaccine was in any way tied to his death. According to Facebook Policy Communications Director Andy Stone, "We're guilty of cleaning up our house a bit before we invited company. We've been criticized for that; and again, that's not unfair."
(BBC)
Thanks to our episode sponsor, Privacy.com

Poly Network hacker returns all stolen funds
Poly Network confirms that all of the $610 million in crypto assets stolen in a recent attack have been returned, dubbing the attacker Mr. White Hat. $33 million in the Tether (USDT) stablecoin remains frozen by its issuer, although Poly Network is working to recover it; those frozen assets are reportedly why refunding users has taken longer. Mr. White Hat said the attack was made to demonstrate "crucial facts about this crazy DeFi world," and indicated he may accept a security role with the company.
(Insider)
Ethiopia building its own social platform
Ethiopia's government is developing its own social media platform to rival Facebook, Twitter, WhatsApp and Zoom, according to the director general of the Information Network Security Agency, Shumete Gizaw. Shumete told Reuters that "the rationale behind developing technology with local capacity is clear… why do you think China is using WeChat?" Regulators do not plan to block the other social networks in the country once the rival service launches. Shumete said the platform will be built with local expertise and will not rely on a foreign contractor or company.
Firefox to block insecure downloads
Mozilla developers are finalizing a new Firefox feature called mixed content download blocking, which blocks downloads that are initiated from an HTTPS page but actually served over an unencrypted HTTP connection. Firefox will display a message explaining why the download was blocked and allow users to click through to proceed with the risky download anyway. File downloads over HTTP from pages that are themselves served over HTTP will not be blocked. The feature is now live in the Firefox beta channel. Chromium-based browsers received a similar feature in late 2020.
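The blocking rule reduced to a classifier, as an added example (not Mozilla's or Chromium's code): a download is "mixed" when the page is https: and any hop of the download is plain http:; downloads from http: pages are ignored because the page is already insecure. Following the redirect chain and resolving relative or scheme-relative links against the page is my reading of how the browsers behave, not something the story states; all URLs are constructed.

```python
"""Classify a download the way a mixed-content download blocker does.

Added example, not Mozilla's or Chromium's code. Rule from the story: an
https: page may not deliver a download over http:, while http: pages are
left alone. Walking redirects and resolving relative links is an assumed
detail of browser behaviour, not one the story describes. URLs constructed.
"""
from typing import NamedTuple, Optional, Sequence
from urllib.parse import urljoin, urlsplit


class Verdict(NamedTuple):
    action: str                  # 'blocked', 'allowed' or 'ignored'
    insecure_hop: Optional[str]  # first http: URL in the chain, if any


def classify_download(page_url: str, download_chain: Sequence[str]) -> Verdict:
    """download_chain is the link as written, followed by each redirect target."""
    if urlsplit(page_url).scheme.lower() != "https":
        return Verdict("ignored", None)       # http: page: nothing left to protect
    previous = page_url
    for hop in download_chain:
        absolute = urljoin(previous, hop)     # '//cdn/...' and '/path' inherit the scheme
        if urlsplit(absolute).scheme.lower() == "http":
            return Verdict("blocked", absolute)
        previous = absolute
    return Verdict("allowed", None)


# Constructed cases: (page URL, download chain).
CASES = {
    "https page, https file": ("https://site.example/dl", ["https://cdn.example/tool.zip"]),
    "https page, http file": ("https://site.example/dl", ["http://cdn.example/tool.zip"]),
    "https page, scheme-relative link": ("https://site.example/dl", ["//cdn.example/tool.zip"]),
    "https page, https redirect to http mirror": (
        "https://site.example/dl",
        ["https://go.example/latest", "http://mirror.example/tool.zip"],
    ),
    "http page, http file": ("http://site.example/dl", ["http://cdn.example/tool.zip"]),
}

if __name__ == "__main__":
    for name, (page, chain) in CASES.items():
        verdict = classify_download(page, chain)
        print(f"{name:42s} {verdict.action:8s} {verdict.insecure_hop or ''}")
```

The redirect case is the one site owners trip over: the link on the page is https:, but a download service bounces to an http: mirror, and the browser blocks the final hop.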
3D printers left exposed online
The Spaghetti Detective (TSD) is an open-source toolkit for 3D printer owners that uses automated image recognition to monitor in-progress print jobs for signs of failure, which would otherwise produce "spaghetti monsters" of ruined plastic filament. TSD can run on a local server or as a cloud service offered by TSD creator Kenneth Jiang. However, a recent change to the TSD cloud code inadvertently exposed printers on private networks to every other user of the service. The hole was open for about eight hours before it was closed; in that window one user attempted to start a print job on another person's printer. The underlying design issue that caused the problem, using the client's IP address to identify and authenticate users, remains unresolved.
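Why an IP address cannot stand in for an identity, as an added example (not The Spaghetti Detective's code): two households behind one carrier-grade NAT present the same source address, so a service that associates a printer with the address it connected from hands that printer to the neighbour too. The hardened variant binds each printer to an owner account and authenticates requests with a per-user bearer token. Printer ids, account names, tokens and the NAT address are constructed.

```python
"""A client's IP address is not an identity: the shared-NAT failure mode.

Added example, not The Spaghetti Detective's code. IpKeyedService ties a
printer to whichever address it connected from (vulnerable); TokenKeyedService
ties a printer to an owner and checks a bearer token (hardened). Printer ids,
accounts, tokens and the NAT address are constructed.
"""
import hmac
import secrets
from typing import Dict, Optional, Set

# Who owns which printer, as the service should know it (constructed).
OWNER_OF = {"prusa-01": "alice", "ender-02": "bob"}

# Two households behind one carrier-grade NAT share this source address.
SHARED_NAT_IP = "203.0.113.7"


class IpKeyedService:
    """Vulnerable: a printer is reachable by anyone behind the address it came from."""

    def __init__(self) -> None:
        self.printers_by_ip: Dict[str, Set[str]] = {}

    def printer_connected(self, printer: str, src_ip: str) -> None:
        self.printers_by_ip.setdefault(src_ip, set()).add(printer)

    def start_print(self, printer: str, src_ip: str) -> bool:
        # No account is consulted; the source address is the whole credential.
        return printer in self.printers_by_ip.get(src_ip, set())


class TokenKeyedService:
    """Hardened: the caller is identified by a bearer token, the printer by its owner."""

    def __init__(self) -> None:
        self.token_owner: Dict[str, str] = {}

    def issue_token(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.token_owner[token] = user
        return token

    def _user_for(self, presented: str) -> Optional[str]:
        # Constant-time comparison against each stored token so timing does not
        # leak how much of a guess matched; for a large store, look up a keyed hash.
        for token, user in self.token_owner.items():
            if hmac.compare_digest(token, presented):
                return user
        return None

    def start_print(self, printer: str, token: str) -> bool:
        user = self._user_for(token)
        return user is not None and OWNER_OF.get(printer) == user


def demo() -> Dict[str, bool]:
    """Run the same request against both designs; True means the print starts."""
    weak = IpKeyedService()
    weak.printer_connected("prusa-01", SHARED_NAT_IP)   # alice's printer checks in

    strong = TokenKeyedService()
    alice_token, bob_token = strong.issue_token("alice"), strong.issue_token("bob")

    return {
        # bob, behind the same NAT as alice, drives her printer
        "ip_keyed_neighbour_can_print": weak.start_print("prusa-01", SHARED_NAT_IP),
        "token_keyed_owner_can_print": strong.start_print("prusa-01", alice_token),
        "token_keyed_neighbour_can_print": strong.start_print("prusa-01", bob_token),
        "token_keyed_forged_token": strong.start_print("prusa-01", "not-a-token"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:34s} {result}")
```

The same failure appears with any address-based trust: office networks, mobile carriers and VPN exits all put unrelated users behind one IP.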