Patching every device affected by the LeftoverLocals vulnerability—which includes some iPhones, iPads, and Macs—may prove difficult.

As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run large language models (LLMs) and to crunch data quickly at massive scale. Between video game processing and AI, demand for GPUs has never been higher, and chipmakers are rushing to bolster supply. In new findings released today, though, researchers are highlighting a vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could allow an attacker to steal large quantities of data from a GPU’s memory.

The silicon industry has spent years refining the security of central processing units, or CPUs, so they don’t leak data in memory even when they are built to optimize for speed. However, since GPUs were designed for raw graphics processing power, they haven’t been architected to the same degree with data privacy as a priority. As generative AI and other machine learning applications expand the uses of these chips, though, researchers from New York–based security firm Trail of Bits say that vulnerabilities in GPUs are an increasingly urgent concern.

“There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, tells WIRED. “We’re looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal.”

To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target’s device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each others’ data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn’t be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries and responses generated by LLMs as well as the weights driving the response.

In their proof of concept, as seen in the GIF below, the researchers demonstrate an attack where a target—shown on the left—asks the open source LLM Llama.cpp to provide details about WIRED magazine. Within seconds, the attacker’s device—shown on the right—collects the majority of the response provided by the LLM by carrying out a LeftoverLocals attack on vulnerable GPU memory. The attack program the researchers created uses less than 10 lines of code.

An attacker (right) exploits the LeftoverLocals vulnerability to listen to LLM conversationsVideo: Trail of Bits

Last summer, the researchers tested 11 chips from seven GPU makers and multiple corresponding programming frameworks. They found the LeftoverLocals vulnerability in GPUs from Apple, AMD, and Qualcomm, and launched a far-reaching coordinated disclosure of the vulnerability in September in collaboration with the US-CERT Coordination Center and the Khronos Group, a standards body focused on 3D graphics, machine learning, and virtual and augmented reality.

The researchers did not find evidence that Nvidia, Intel, or Arm GPUs contain the LeftoverLocals vulnerability, but Apple, Qualcomm, and AMD all confirmed to WIRED that they are impacted. This means that well-known chips like the AMD Radeon RX 7900 XT and devices like Apple’s iPhone 12 Pro and M2 MacBook Air are vulnerable. The researchers did not find the flaw in the Imagination GPUs they tested, but others may be vulnerable.

An Apple spokesperson acknowledged LeftoverLocals and noted that the company shipped fixes with its latest M3 and A17 processors, which it unveiled at the end of 2023. This means that the vulnerability is seemingly still present in millions of existing iPhones, iPads, and MacBooks that depend on previous generations of Apple silicon. On January 10, the Trail of Bits researchers retested the vulnerability on a number of Apple devices. They found that Apple’s M2 MacBook Air was still vulnerable, but the iPad Air 3rd generation A12 appeared to have been patched.

A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data

Almost seven years after alleged FruitFly author Phillip Durachinsky’s arrest, judge Solomon Oliver has ruled he's incompetent to stand trial.

On January 4, 2017, Case Western Reserve University (CWRU), located in Cleveland, Ohio, became aware of an infection on more than 100 of its computers. The university was notified by an undisclosed third party, who provided information to help the team find and identify the malware.

CWRU began working with the FBI, who determined that the systems had been infected for several years. Together, CWRU and the FBI were able to identify that an IP address with which the malware was communicating had also been used to access the alumni email account of a man called Phillip Durachinsky.

On January 10 2017, and unaware of this ongoing investigation, Malwarebytes became aware of the Mac version of the malware that would become known as FruitFly. We shared our investigation with Apple, and learned that it was working with the FBI and calling the malware “FruitFly” internally.

On January 25, 2017, Durachinsky was arrested for involvement with the FruitFly malware. On December 7, 2023 – nearly 7 years later – a judge ruled that Durachinsky is incompetent to stand trial.

****Who is Phillip Durachinsky?****

Durachinsky, a resident of northeast Ohio, was seen by his peers as “awkward and eccentric” throughout grade school and college. Despite this, he was active in extracurricular activities. In high school, he participated in a computer club. As a member of the club, he competed in a local programming competition, helping the team to win in both 2005 and 2006. Interviewed by a local newspaper reporter following one of these wins, Durachinsky said, “It’s about teamwork, knowing your strengths and weaknesses to help the team.”

In college at CWRU, he participated in a philosophy club, where he was “interested in the philosophy behind mathematics.” In 2012, as a senior soon to graduate with a physics degree, he worked on a project with faculty member Robert W. Brown regarding nanoparticle behavior, assisting with software to visualize the behavior in 3D.

However, Durachinsky was frequently in trouble for his other computing activities. He was rumored to have hacked into his high school’s computer system, although those rumors were never confirmed. While at CWRU, he was accused of “cracking passwords” on a CWRU network. In an interview following his 2017 arrest, a local law enforcement representative said that Durachinsky was “not unknown to the authorities.”

Initial investigation of the FruitFly malware showed something very interesting: some of the code in the malware was extremely old. There were many references to functions that dated back to the early days of the Macintosh, and that had been deprecated in macOS for years. (This led to Malwarebytes initially using the name “Quimitchin” for the malware, after the name for ancient Aztec spies that infiltrated enemy tribes. This name did not catch on.)

FruitFly included a number of very powerful capabilities, including file exfiltration, screen capture, execution of arbitrary commands, and remote access to the webcam and microphone. The FBI found more than 20 million files collected from victim machines on hardware confiscated from Durachinsky’s home.

According to an FBI Flash document released to affected organizations on March 27, 2017, machines were infected with FruitFly via brute force attacks, using weak passwords or passwords from breaches of other systems. (The latter is referred to as “credential stuffing.”)

> “The attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches.”
> 
> FBI Flash

In this manner, thousands of computers were infected over more than a decade.

****Arrest and arraignment****

Apple had been acting as an intermediary, coordinating with both the FBI and Malwarebytes. On January 18, 2017, all three organizations took simultaneous actions. Apple released a security update to protect users against FruitFly, Malwarebytes published a blog post with technical details about the malware, and the FBI knocked on the door of the house linked to the IP address used by the malware. (The IP address was linked to the malware using data collected by CWRU, Malwarebytes, and AT&T.)

The house, as it turned out, was the home of Durachinsky’s parents, who allowed the agents to enter and mentioned that Durachinsky had been in trouble in high school for breaking into his high school’s website and hacking into teachers’ email.

The FBI found a laptop in Durachinsky’s room. When they entered the room, the laptop lid was slightly ajar, and agents were able to see that the cursor was moving – indicating that it was being remotely accessed – and that the control panel for the malware was visible on the screen. Agents disconnected the network router to prevent further remote access, which could have resulted in deletion of evidence. Also found were numerous hard drives.

On January 19, a judge signed a warrant allowing the FBI to examine the contents of the laptop and hard drives. As a result of the evidence found, Durachinsky was arrested on January 25. Following numerous requests by the defense and changes in Durachinsky’s legal representation, he was finally arraigned nearly a year later, on January 19, 2018.

Durachinsky was charged with 16 counts, including accessing and damaging computers without authorization, accessing a non-public government computer without authorization, production of child pornography, three counts of wire fraud, four counts of aggravated identity theft, and five counts of illegal wiretapping.

During the lengthy trial, it was the child pornography charge that seemed to be of most concern to the defense. Repeated attempts were made to evade it, including an attempt to suppress evidence due to claims of improper seizure, an attempt to suppress a confession made by Durachinsky, and an attempt to separate that charge from all the others and try it separately.

****Ruling****

Almost seven years after Durachinsky’s arrest, judge Solomon Oliver ruled that Durachinsky was incompetent to stand trial, by reason of being unable to assist in his own defense due to autism spectrum disorder (ASD). If psychologists determine that his “condition” can be treated to restore his competency, the trial will continue. Otherwise, he will be civilly committed.

Interestingly, although both prosecuting and defense attorneys agree on the competency ruling, Durachinsky himself does not. He has been cited as saying, “I don’t challenge the autism disorder diagnosis, but I disagree with the way this has been prosecuted.”

This ruling has caused some concerns in the information security community. ASD is not something that can be “cured,” though therapy can help to teach people on the spectrum how to improve social and communication skills. This can take years, however.

Some have expressed skepticism about the ruling, arguing that Durachinsky’s activities and public statements suggest that, like many affected by high-functioning ASD, he appears to be fully capable of understanding his situation and knowing the difference between right and wrong.

Others have expressed concerns about how this case has proceeded. Seven years of jail time without ever having been found guilty in a court of law is concerning. Although the evidence seems pretty damning, and it has been fully expected that Durachinsky would be found guilty, the US justice system is supposed to presume a defendant to be innocent until proven guilty.

****What next?****

It’s unclear what’s next for Mr. Durachinsky, but it would seem the saga is not yet over. Presumably he will be – or has been – released from jail, but there’s still the question of civil commitment. It’s unclear exactly what that will mean – whether this would require time in an institution and, if so, for how long. It’s also unclear whether there will be any kind of treatment that the court deems successful at restoring his competency, in which case the trial could resume.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Alleged FruitFly malware creator ruled incompetent to stand trial 

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.
The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it

Vulnerability / Browser Security

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

"This is achieved through a controlled browser extension, effectively bypassing the browser's sandbox and the entire browser process," the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser's security boundaries.

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called "Opera Touch Background," which is responsible for communicating with its mobile counterpart.

This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property known as externally\_connectable that declares which other web pages and extensions can connect to it.

In the case of Opera, the domains that can talk to the extension should match the patterns "\*.flow.opera.com" and ".flow.op-test.net" – both controlled by the browser vendor itself.

"This exposes the messaging API to any page that matches the URL patterns you specify," Google notes in its documentation. "The URL pattern must contain at least a second-level domain."

Guardio Labs said it was able to unearth a "long-forgotten" version of the My Flow landing page hosted on the domain "web.flow.opera.com" using the urlscan.io website scanner tool.

"The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the \[content security policy\] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check," the company said.

"This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API."

The attack chain then hinges, creating a specially crafted extension that masquerades as a mobile device to pair with the victim's computer and transmit an encrypted malicious payload via the modified JavaScript file to the host for subsequent execution by prompting the user to click anywhere on the screen.

The findings highlight the increasing complexity of browser-based attacks and the different vectors that can be exploited by threat actors to their advantage.

"Despite operating in sandboxed environments, extensions can be powerful tools for hackers, enabling them to steal information and breach browser security boundaries," the company told The Hacker News.

"This underscores the need for internal design changes at Opera and improvements in Chromium's infrastructure. For instance, disabling third-party extension permissions on dedicated production domains, similar to Chrome's web store, is recommended but has not yet been implemented by Opera."

When reached for comment, Opera said it moved quickly to close the security hole and implement a fix on the server side and that it's taking steps to prevent such issues from happening again.

"Our current structure uses an HTML standard, and is the safest option that does not break key functionality," the company said. "After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future."

"We would like to thank Guardio Labs for their work on uncovering and immediately alerting us to this vulnerability. This collaboration demonstrates how we work together with security experts and researchers around the world to complement our own efforts at maintaining and improving the security of our products and ensuring our users have a safe online experience."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows

By Waqas
If you’re a HelloFresh customer, you’ll likely receive fewer marketing emails and texts due to the fine imposed…
This is a post from HackRead.com Read the original post: HelloFresh Fined £140,000 for 80 Million Spam Messages

If you’re a HelloFresh customer, you’ll likely receive fewer marketing emails and texts due to the fine imposed by the UK’s Information Commissioner’s Office (ICO).

****_Key Points_****

*   **Customers were bombarded with unwanted emails and texts.**
*   **HelloFresh fined £140,000 for sending 80 million spam messages.**
*   **ICO found HelloFresh’s opt-in processes were misleading and confusing.**
*   **Case highlights the importance of data protection and obtaining informed consent.**

Recipe kit delivery service HelloFresh has been slapped with a hefty £140,000 fine by the UK’s Information Commissioner’s Office (ICO) for bombarding customers with a staggering 80 million spam messages.

The fine follows a year-long investigation triggered by a flood of complaints from customers who were fed up with the constant barrage of unwanted marketing emails and texts.

The ICO found that HelloFresh’s marketing practices were a clear violation of UK data protection regulations. Between August 2022 and February 2023, the company sent out a mind-boggling 79 million emails and 1 million text messages without obtaining proper consent from its customers. This included bombarding customers who had signed up for the service solely to receive recipe kits, with irrelevant offers and promotions.

“This was a clear case of a company putting its own commercial interests ahead of the privacy and rights of its customers,” said Andy Curry, Head of Investigations at the ICO. “Customers were not given a clear choice about receiving marketing messages, and many were left feeling harassed and frustrated by the constant bombardment.”

The ICO’s investigation revealed that HelloFresh’s opt-in processes were designed to be confusing and misleading. Customers were often pre-checked into marketing lists without their knowledge, and the wording of opt-in boxes was unclear, making it difficult for customers to understand what they were agreeing to.

“We take our data protection obligations very seriously and have made changes to our email and text marketing policy in response to the ICO’s findings,” said a spokesperson for HelloFresh. However, the company’s apology and belated changes to its marketing practices may not be enough to appease customers who feel they have been taken advantage of.

The HelloFresh case highlights the importance of data protection and the need for businesses to obtain clear and informed consent from customers before sending them marketing messages. Companies that fail to comply with data protection regulations face not only hefty fines but also reputational damage and the potential loss of customer trust.

****_RELATED ARTICLES_****

1.  **Unreleased Music Stolen and Sold on Dark Web: Hacker Fined**
2.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
3.  **Sephora Fined $1.2 Million for Breaching CCPA and Selling User Data**
4.  **Apple, Samsung fined for intentionally slowing down old smartphones**
5.  **Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps**

HelloFresh Fined £140,000 for 80 Million Spam Messages

Plus: Chinese officials tracked people using AirDrop, Stuxnet mole’s identity revealed, AI chatbot hacking, and more.

“EBay's actions against us had a damaging and permanent impact on us—emotionally, psychologically, physically, reputationally, and financially—and we strongly pushed federal prosecutors for further indictments to deter corporate executives and board members from creating a culture where stalking and harassment is tolerated or encouraged,” Ina and David Steiner say in a victim statement published online. The couple also highlighted that EcommerceBytes has filed a civil lawsuit against eBay and its former employees that is set to be heard in 2025.

China’s Judicial Bureau has claimed a privately run research institution, the Beijing Wangshendongjian Judicial Appraisal Institute, has created a way to identify people using Apple’s AirDrop tool, including determining phone numbers, email addresses, and device names. Police have been able to identify suspects using the technique, according to reports and a post from the Institute. Apple’s wireless AirDrop communication and file-sharing method has previously been used in China to protest the leadership of President Xi Jinping, and Apple introduced a 10-minute time limit sharing period in China, before later rolling it out globally.

In a blog post analyzing the incident, Johns Hopkins University cryptographer Matthew Green says the attack was initially discovered by researchers at Germany’s Technical University of Darmstadt in 2019. In short, Green says, Apple doesn’t use a secure private set intersection that can help mask people’s identity when communicating with other phones using AirDrop. It’s unclear if Apple plans to make any changes to stop AirDrop being abused in the future.

It’s been more than 15 years since the Stuxnet malware was smuggled into Iran’s Natanz uranium enrichment plant and destroyed hundreds of centrifuges. Despite the incident happening over a decade ago, there are still plenty of details that remain unknown about the attack, which is believed to have been coordinated by the US and Israel. That includes who may have delivered the Stuxnet virus to the nuclear facility—a USB thumb drive was used to install the worm into the nuclear plant’s air-gapped networks. In 2019, it was reported that Dutch intelligence services had recruited an insider to help with the attack. This week, the Dutch publication _Volkskrant_ claimed to identify the mole as Erik van Sabben. According to the report, van Sabben was recruited by Dutch intelligence service AIVD in 2005, and politicians in the Netherlands did not know about the operation. Van Sabben is said to have left Iran shortly after the sabotage began. However, he died two weeks later, on January 16, 2009, after being involved in a motorcycle accident in Dubai.

The rapid advances in generative AI systems, which use machine learning to create text and produce images, has seen companies scrambling to incorporate chatbots or similar technologies into their products. Despite the progress, traditional cybersecurity practices of locking down systems from unauthorized access and making sure apps can’t access too much data still apply. This week, 404 Media reported that Chattr, a company creating an “AI digital assistant” to help with hiring, exposed data through an incorrect Firebase configuration and also revealed how its systems work. This includes the AI appearing to have the ability to “accept or deny job applicants.” The pseudonymous security researcher behind the finding, MrBruh, shared a video with 404 Media showing the chatbot appearing to automatically make decisions about job applications. Chattr secured the exposed systems after being contacted by the researchers but did not comment on the incident.

A Bloody Pig Mask Is Just Part of a Wild New Criminal Charge Against eBay

The FCC wants car makers and wireless providers to make it harder for stalkers to use your car against you.

Most new model cars are not just cars anymore. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. Some of them are basically smartphones on wheels.

Even if we assume these new features were all created with your convenience in mind, some of them can have some adverse effects on your privacy, and sometimes even your safety.

Addressing the use of connected cars to stalk, intimidate, and harass survivors of domestic violence, the Federal communications Commission (FCC) has issued a press release calling on carmakers and wireless companies to help ensure the independence and safety of domestic violence survivors.

Chairwoman Jessica Rosenworcel of the FCC said:

> “No survivor of domestic violence and abuse should have to choose between giving up their car and allowing themselves to be stalked and harmed by those who can access its data and connectivity.”

We have previously talked about cars spying on you, and the poor privacy policies that allow manufacturers to sell the data they gather for targeted advertising. We have also written about a federal judge that ruled it’s fine for car makers to intercept your text messages. But those are privacy concerns. Valid and serious, but on a different level from running the risk of being harassed by a jealous ex.

For readers focused on the privacy issues of connected cars, we can recommend the Mozilla report It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. And when you are parting with a car in the US, you may want to look at the Privacy4Cars app that can provide a Vehicle Privacy Report and claims to be able to delete your data. You will need your Vehicle Identification Number (VIN).

The FCC also asked wireless service providers (AT&T, T-Mobile and Verizon) to describe their partnerships with car manufacturers, seeking information on how the wireless providers work with them and what their policies are for handling geolocation data provided by car manufacturers.

The FCC press release includes statistics showing that more than 12 million people each year are the victims of rape, physical violence, and stalking.

**Tips to keep a stalker from tracking your car**

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:

*   Use the navigation app on your phone, rather than the one built into your car.
*   Do not store places you visit regularly in the car’s navigation.
*   Consider using a VPN when you connect to your car’s hotspot.
*   Find out which devices can access the car or its location data by using any “remote access” apps for the car and remove the devices that are not under your control.
*   Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
*   Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
*   If the suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
*   Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
*   If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 FCC wants cars to make life harder for stalkers 

macOS suffers from an out-of-bounds write vulnerability in AppleVADriver when decoding mpeg2 videos.

macOS AppleVADriver Out-Of-Bounds Write

On Intel macOS, HEVC video decoding is performed in the AppleGVA module. Using fuzzing, researchers identified multiple issues in this decoder. The issues range from out-of-bounds writes, out-of-bounds reads and, in one case, free() on an invalid address. All of the issues were reproduced on macOS Ventura 13.6 running on a 2018 Mac mini (Intel based).

macOS AppleGVA Memory Handling

The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker Outlogic, which was previously known as X-Mode Social, from sharing or selling any sensitive location data with third-parties.
The ban is part of a settlement over allegations that the company "sold precise location data that could be used to track people's visits to sensitive locations such as medical and

Privacy / Regulatory Compliance

The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker **Outlogic**, which was previously known as **X-Mode Social**, from sharing or selling any sensitive location data with third-parties.

The ban is part of a settlement over allegations that the company "sold precise location data that could be used to track people's visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters."

The proposed order also requires it to destroy all the location data it previously gathered unless it obtains consumer consent or ensures the data has been de-identified or rendered non-sensitive as well as maintain a comprehensive list of sensitive locations and develop a comprehensive privacy program with a data retention schedule to prevent abuse.

The FTC accused X-Mode Social and Outlogic of failing to establish adequate safeguards to prevent the misuse of such data by downstream customers. The development marks the first-ever ban on the use and sale of sensitive location data.

X-Mode, which first attracted attention in 2020 for selling location data to the U.S. military, works by offering precise location data that it collects from proprietary apps and third-party apps that incorporate its software development kit (SDK) into its apps. It's also said to have procured location data from other data brokers and aggregators.

Following the revelations in 2020, both Apple and Google urged app developers to remove the SDK from their apps or face a ban from their respective app stores.

"The raw location data that X-Mode/Outlogic has sold is associated with mobile advertising IDs, which are unique identifiers associated with each mobile device," the FTC said. "This raw location data is not anonymized, and is capable of matching an individual consumer's mobile device with the locations they visited."

The agency further said that the company, until May 2023, did not have any policies in place to remove sensitive locations from the location data it sold, not only putting users' privacy at risk, but also exposing them to potential discrimination, physical violence, emotional distress, and other harms.

The FTC also called out X-Mode for not being transparent about which entities would receive the data when a customer used a third-party app with its SDK and that it failed to ensure that these apps sought informed consumer consent to grant it permission to access their location information in the first place.

Lastly, X-Mode was alleged to have been negligent in honoring requests made by some Android users to opt out of tracking and personalized ads.

In a statement provided to news agency Reuters, Outlogic said it disagreed with the "implications" of the FTC announcement, and there was no finding it misused location data.

"I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans' location data," U.S. Senator Ron Wyden said in a statement shared with The Hacker News.

"In 2020, I discovered that the company had sold Americans' location data to U.S. military customers through defense contractors. While the FTC's action is encouraging, the agency should not have to play data broker whack-a-mole. Congress needs to pass tough privacy legislation to protect Americans' personal information and prevent government agencies from going around the courts by buying our data from data brokers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FTC Bans Outlogic (X-Mode) From Selling Sensitive Location Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.

Patch Management / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1.

Details of the issue first came to light in April 2023, with Horizon3.ai's Naveen Sunkavally describing it as a "dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data."

It's currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws -

*   **CVE-2023-38203** (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
*   **CVE-2023-29300** (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
*   **CVE-2023-41990** (CVSS score: 7.8) - Apple Multiple Products Code Execution Vulnerability
*   **CVE-2016-20017** (CVSS score: 9.8) - D-Link DSL-2750B Devices Command Injection Vulnerability
*   **CVE-2023-23752** (CVSS score: 5.3) - Joomla! Improper Access Control Vulnerability

It's worth noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was used by unknown actors as part of Operation Triangulation spyware attacks to achieve remote code execution when processing a specially crafted iMessage PDF attachment.

Federal Civilian Executive Branch (FCEB) agencies have been recommended to apply fixes for the aforementioned bugs by January 29, 2024, to secure their networks against active threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple