Security News

Popular pharmacy chain Walgreens is warning that a bug in its official mobile app may have exposed sensitive data, including customers' full names and information on prescriptions for medications they are taking. While Walgreens did not detail the technical glitch, it said that the internal application error enabled certain personal messages, stored in a database, to be viewed by other customers who were using the mobile app.

Now an app developer called Mysk has discovered pasteboard's dark side - malicious apps could exploit it to work out a user's location even when that user has locked down app location sharing. In the simplest scenario, an iPhone user would take a photo, copy it between apps using the pasteboard, from which a malicious app could extract location metadata while comparing it with timestamps to determine whether it was current or taken in the past.

A lawsuit seeking class action status filed against UW Medicine in the wake of a data leak incident has been amended to reflect that at least one HIV patient allegedly had their data exposed. The lawsuit alleges UW Medicine, a Seattle-based academic medical system that includes several hospitals and a large physician practice, failed to properly protect PHI when it misconfigured a database, leaving nearly 974,000 patients' information exposed to the internet for several weeks.

KidsGuard comes from a company called ClevGuard that promises that its "Excellent products" will deliver "All the information" from a targeted device, including real-time location, text messages, browser history, photos, videos, recordings of phone calls, keylogger data for every keystroke entered and the app where it came from, and all the data from all the social apps - hopping over the end-to-end encryption of, for example, WhatsApp. ClevGuard says the app can also be used for iPhones without access to the device if you give it the target's iCloud credentials.

Samsung has admitted that what it calls a "Small number" of users could indeed read other people's personal data following last week's unexplained Find my Mobile notification. Several Register readers wrote in to tell us that, after last Thursday's mystery push notification, they found strangers' personal data displayed to them.

US President Donald Trump promised to pardon WikiLeaks founder Julian Assange if he denied Russia leaked emails of his 2016 election rival's campaign, a London court was told on Wednesday. The White House quickly issued a denial that Trump had dangled a pardon in exchange for help in the Russia controversy, which has cast a shadow over his first term in office.

If your computer is running any modern Intel CPU built before October 2018, it's likely vulnerable to a newly discovered hardware issue that could allow attackers to leak sensitive data from the OS kernel, co-resident virtual machines, and even from Intel's secured SGX enclave. Dubbed CacheOut a.k.a. L1 Data Eviction Sampling and assigned CVE-2020-0549, the new microarchitectural attack allows an attacker to choose which data to leak from the CPU's L1 Cache, unlike previously demonstrated MDS attacks where attackers need to wait for the targeted data to be available.

Bad actor obtained passwords for servers, home routers, and smart devices by scanning internet for devices open to the Telnet port. A hacker has published a list of credentials for more than 515,000 servers, home routers and other Internet of Things devices online on a popular hacking forum in what's being touted as the biggest leak of Telnet passwords to date, according to a published report.

Japanese multinational Mitsubishi Electric has admitted that it had suffered a data breach some six months ago, and that "Personal information and corporate confidential information may have been leaked." According to several reports from Japanese daily newspapers, the company discovered the data breach in late June, when they detected suspicious activities on a server at its Information Technology R&D Center in Kamakura, Kanagawa Prefecture, Japan.

An unprotected database was found to have exposed the data of all Wyze users who created an account before December 26, 2019. Following a report last week of an exposed database containing a great deal of information on Wyze users, the company stepped forward and confirmed the leak, while also revealing that it had launched an investigation into the matter.