Security News

How scammers abuse Google Search’s open redirect feature
2020-05-15 13:04

It reminded me of a very similar Skype message I'd received a few years ago, one that abused an open redirect in Google Maps, and I wondered if there was another. One answer is to find an open redirect on a legitimate website - a redirection facility that can be abused to bounce users from a trustworthy website to another, less trustworthy one.

Utah Says No to Apple/Google COVID-19 Tracing; Debuts Startup App
2020-05-14 13:55

"Healthy Together" app uses a raft of location data, including GPS, cell tower triangulation and Bluetooth, to pinpoint users and ID coronavirus hotspots. The state of Utah has settled on a contact-tracing mobile app that collects detailed user location information to track the spread of COVID-19 among citizens - eschewing the API model proposed by Apple and Google in April.

Multi-part Android spyware lurked on Google Play Store for 4 years, posing as a bunch of legit-looking apps
2020-05-14 12:01

A newly uncovered strain of Android spyware lurked on the Google Play Store disguised as cryptocurrency wallet Coinbase, among other things, for up to four years, according to a new report by Bitdefender. Beginning with an innocuous-looking dropper hosted on the Google Play store, masquerading as one of a number of legitimate apps, Mandrake allowed its Russian operators to snoop on virtually everything unsuspecting targets did on their mobile phone.

Flaw in WordPress Plugin Grants Access to Google Search Console
2020-05-14 11:00

A vulnerability that Google has addressed in one of its official WordPress plugins could be abused by attackers to gain access to the Google Search Console of an impacted website. During the initial connection with Google Search Console, the plugin generates a proxySetupURL through which the site admin is redirected to Google OAuth, and leverages a proxy to run the verification process.

Stop tracking me, Google: Austrian citizen files GDPR legal complaint over Android Advertising ID
2020-05-13 18:15

Privacy pressure group Noyb has filed a legal complaint against Google on behalf of an Austrian citizen, claiming the Android Advertising ID on every Android device is "personal data" as defined by the EU's GDPR and that this data is illegally processed. The complaint against Google, which was filed with the Austrian Data Protection Authority, is based on the claim that Google's Android operating system generates the advertising ID without user choice as required by GDPR. "In essence, you buy a new Android phone, but by adding a tracking ID they ship you a tracking device," said Noyb lawyer Stefano Rossetti.

MariaDB announces immediate availability of MariaDB SkySQL through Google Cloud Marketplace
2020-05-11 23:30

MariaDB announced the immediate availability of MariaDB SkySQL through the Google Cloud Marketplace. "The addition of SkySQL in the Google Cloud Marketplace allows joint customers to build predictability into their cloud modernization budgets while ensuring mission-critical workloads are built and run on a best-of-breed integrated platform. This ultimately brings more choice and value for our customers."

Google Authenticator Users Can Now Transfer 2SV Secrets Between Devices
2020-05-08 13:52

Google this week announced that Google Authenticator users can now transfer 2-Step Verification secrets between devices. The new feature is meant to make it easier for users to manage their Google Authenticator 2SV codes across multiple devices.

More crypto-stealing Chrome extensions swatted by Google
2020-05-08 10:15

Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after Harry Denley, director of security at MyCrypto, found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users' private keys and other secrets used to access digital wallets so that their authors can steal victims' funds.

'Hackers Google people': Millions still using sports team, hometown, band, or child names as passwords
2020-05-06 14:03

Lancaster found that millions of people are still using their favorite song, sports team, or superhero as their password, all of which are easily discoverable by cybercriminals doing routine searches of a person's social media profiles. Lancaster said the explosion of digital platforms that billions of people have to use for work, education and pleasure has forced people into an untenable situation where they feel they have no choice but to reuse passwords for dozens of accounts.

Apple and Google to prevent contact tracing apps from tracking your location
2020-05-06 12:43

Developers who create contact tracing apps using a joint technology from Apple and Google will not be able to track the location of users. The guidelines specifically state: "A Contact Tracing App may not use location-based APIs, may not use Bluetooth functionality, and may not collect any device information to identify the precise location of users. In addition, Contact Tracing Apps are prohibited from using frameworks or APIs in the Apple Software that enable access to personally identifiable information, unless otherwise agreed by Apple."