Security News

Facebook has filed legal action against two Chrome extension developers that the company said was scraping user profile data - including names and profile IDs - as well as other browser-related information. The two unnamed developers under the business name Oink and Stuff, developed Chrome malicious browser extensions, which actually contained hidden code "That functioned like spyware," alleges Facebook.

Facebook has taken legal action against the makers of malicious Chrome extensions used for scraping user-profiles and other information from Facebook's website and from users' systems without authorization. After being installed on the users' computers, these Chrome extensions also installed malicious code in the background which allowed the defendants to scrape user data from Facebook's site.

Any EU country can take legal action against companies like Facebook over cross-border violations of data privacy rules, not just the main regulator in charge of the company, a top court adviser said Wednesday. The preliminary opinion is part of a long-running legal battle between Facebook and Belgium's data protection authority over the company's use of cookies to track the behavior of internet users, even those who weren't members of the social network.

One researcher said he earned $30,000 from Facebook for finding a vulnerability that could have been exploited to create invisible posts on any page. Bug bounty hunter Pouya Darabi discovered in November that an attacker could have created invisible posts on any Facebook page, including verified pages, without having any permissions on the targeted page.

Following a significant security incident that sent shockwaves through the global cybersecurity community, SolarWinds has hired a newly formed cybersecurity consulting firm founded by Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency and Alex Stamos, former security chief at Facebook and Yahoo. Generically named the Krebs Stamos Group, its website currently shows limited information about the firm, saying its goal is to "Help organizations turn their greatest cybersecurity challenges into triumphs."

The mandatory changes allow WhatsApp to share more user data with other Facebook companies, including account registration information, phone numbers, transaction data, service-related information, interactions on the platform, mobile device information, IP address, and other data collected based on users' consent. In its updated policy, the company expands on the "Information You Provide" section with specifics about payment account and transaction information collected during purchases made via the app and has replaced the "Affiliated Companies" section with a new "How We Work With Other Facebook Companies" that goes into detail about how it uses and shares the information gathered from WhatsApp with other Facebook products or third-parties.

This information disclosed to the Facebook Companies already adds up to a fair bit of data, includes users' account registration information, such as phone number; transaction data; service-related information; data on how users interact with others, including businesses; mobile device information,; IP address; as well as other info identified as information users have given the service consent to collect, according to WhatsApp. The expansion in data sharing between the two platforms will now ask users to provide payment account and transaction information to WhatsApp, according to one report.

Despite its focus on users' privacy, WhatsApp is now giving its users a harsh ultimatum, with only three options available: to accept sharing their data with Facebook, to stop using the app altogether, or to delete their accounts. With the new changes to the policy, users will now be forced to accept sharing their data with Facebook to continue using their account or, as an alternative, delete their accounts as WhatsApp says.

The issue was discovered in October by Saugat Pokharel, a researcher based in Nepal, and it was patched within hours by Facebook. Pokharel identified the vulnerability while analyzing the Facebook Business Suite interface that the social media giant introduced in September.

Download numbers from the browser store show that several million people worldwide currently may be using the extensions, researchers said. Avast Threat Intelligence discovered the malware after following up on research by Czech researcher Edvard Rejthar at CZ.NIC, who first identified the threat originating in browser extensions on his system, Avast senior writer Emma McGowan wrote in a blog post published Thursday.