Google launches open-source bug bounty
Google launched the Open Source Software Vulnerability Rewards Program. This will pay up to $31,337 for bugs in open-source projects used by Google like Angular, GoLang, and Fuchsia. That’s not too surprising given Google’s use of that software. However, the bug bounty will also apply to third-party dependencies included in their codebases, in an effort to improve the overall software supply chain, at least for Google. Researchers finding bugs in third-party code must inform the maintainer of that project before reaching out to Google. The bug in the third-party dependency must be directly related to Google’s use of that code to receive the bounty.
Ragnar Locker claims attack on airline
The carrier TAP Air Portugal disclosed that its systems were the target of a cyberattack this week. It claimed it maintained operational integrity and found no evidence attackers accessed customer information. Its app and website were unavailable earlier this week. The Ragnar Locker ransomware group took credit for the attack. It posted a new entry on its leak site, claiming it will provide evidence that it obtained hundreds of gigabytes of data. It also posted a screenshot of a spreadsheet with what appeared to be customer information.
Cloudflare won’t terminate services for controversial customers
CEO and co-founder Matthew Prince said that the company should not have the power to terminate security services to sites with “despicable” content. He compared his company to a telephone provider not terminating service, calling such actions a “dangerous precedent.” Cloudflare previously cut off services to sites on two occasions: in 2017 it cut off the neo-Nazi site Daily Stormer, and in 2019 it cut off 8chan. Prince said just because it cut off services in the past doesn’t mean “we were right when we did.” This comes after some called on Cloudflare to cut off services to the site Kiwi Farms after users on the site organized a swatting campaign against a transgender activist.
(Protocol)
Microsoft details TikTok account hijacking bug
Microsoft discovered the flaw in TikTok’s Android app, which opened the door to a one-click account takeover using a malicious link. The vulnerability allowed for bypassing TikTok’s deeplink verification, forcing the app to load a URL in WebView. This would provide access to WebView’s attached JavaScript bridges and grant app functionality to the attackers. This could give attackers access to private data or the ability to modify profiles. The company notified TikTok of the issue in February 2022, and TikTok subsequently patched the issue. Microsoft does not believe attackers exploited the flaw in the wild.
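The class of fix described above, as an added illustration that is not TikTok’s or Microsoft’s code: an Android Activity that only hands a deep-link URL to a WebView after checking its scheme and exact host against an allow list, re-checks every navigation, and attaches the JavaScript bridge only for those hosts. The host names and the `AppBridge` class are hypothetical placeholders.

```java
// Added illustration (not TikTok's or Microsoft's code): validate a deep link
// before it reaches a WebView that exposes a JavaScript bridge.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkActivity extends Activity {
    // Exact host match against hypothetical app domains; an endsWith()-style
    // check would also accept unrelated domains that merely share a suffix.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example-app.com", "m.example-app.com"));

    static boolean isTrustedDeepLink(Uri uri) {
        if (uri == null) return false;
        if (!"https".equals(uri.getScheme())) return false;   // no http:, javascript:, file:
        if (uri.getUserInfo() != null) return false;           // reject user@host forms outright
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri target = getIntent().getData();
        if (!isTrustedDeepLink(target)) {
            finish();                 // unknown destination: load nothing at all
            return;
        }
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        // The bridge is only ever attached to a WebView whose URL passed the check.
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Re-validate on every navigation so a redirect cannot carry the
                // bridge to an origin that was never allow-listed.
                return !isTrustedDeepLink(Uri.parse(url));
            }
        });
        setContentView(webView);
        webView.loadUrl(target.toString());
    }

    private static class AppBridge { /* @JavascriptInterface methods go here */ }
}
```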
Thanks to today’s episode sponsor, Code42

Twitter unable to deal with CSAM problem
Internal documents seen by the Verge show that Twitter considered launching an OnlyFans-style paid subscription feature for adult content earlier this year. However, when the company assembled a Red Team to investigate its potential, they reported in April that it couldn’t safely operate such a service because “Twitter cannot accurately detect child sexual exploitation and non-consensual nudity at scale.” This isn’t the first time Twitter knew of its CSAM problem. Internal documents also show that Twitter’s Health team issued a report in February 2021 saying its investment in technology to detect this material had not kept up with its exponential growth on the platform. Twitter’s moderation tools reportedly cannot verify the age of content creators or consumers, and have known gaps that would let illegal content through.
Federal privacy law could force a low bar
Over at Protocol, Hirsh Chitkara wrote up a potential problem with the current draft of the American Data Privacy and Protection Act, which aims to set a national standard for privacy in the US. The latest draft of the legislation makes it clear that no state law can preempt anything covered under the proposed federal law. There are some explicit exemptions for state laws, like the Biometric Information Privacy Act and California’s negligent privacy breach law. But the bill voids any non-exempted state laws. More importantly, it prevents future state laws from shoring up privacy. This comes as California will strengthen its existing privacy laws with the Privacy Rights Act set to go into effect in 2023. This means that any technological innovations challenging privacy would depend on new federal legislation going forward.
(Protocol)
Chrome introduces a clipboard flaw
Chrome version 104 introduced a bug that removes the standard requirement for user approval before websites write to the clipboard. Normally sites can only do so in response to a so-called user gesture, such as pressing Control+C. The bug potentially lets sites send text to the clipboard without that gesture. Chrome developers know of the issue, but it remains unpatched at the time of this writing. While this potentially opens the door to malicious actors putting arbitrary content in the clipboard, developer Jeff Johnson notes that most browsers implement poor and inadequate safeguards for the clipboard, which can often be written to with common interactions on a page.
UK sets out new cybersecurity rules for telcos
The UK government set out changes to the draft of its new security framework for the telecommunications industry. These rules will go into effect in October 2022, with compliance required by March 2024. Up until now, telcos in the country set their own security standards. Under the new framework, these organizations must identify risks to any “edge” equipment exposed to attacks, keep controls in place for who can make network-wide changes, and make sure business processes support security. The UK’s Ofcom regulator can issue fines of up to 10% of annual turnover for noncompliance.