Palo Alto, USA, 18th March 2025, CyberNewsWire

**Palo Alto, USA, March 18th, 2025, CyberNewsWire**

**Groundbreaking initiative reveals browser vulnerabilities in understudied yet critical attack surface**

SquareX, a pioneer in Browser Detection and Response (BDR) space, announced the launch of the “Year of Browser Bugs” (YOBB) project today, a year-long initiative to draw attention to the lack of security research and rigor in what remains one of the most understudied attack vectors – the browser.

The browser has evolved from a simple web rendering engine to be the new “endpoint” — the primary gateway through which users interact with the Internet, for work, leisure, and transactions. Yet, traditional security solutions continue to focus on endpoints and networks despite the exponential growth of browser-native attacks.

The YOBB project was inspired by Month of Bugs (MOB), an iconic cybersecurity initiative where security researchers would publish one major vulnerability found in major software providers every day of the month. MOB projects played a huge role in improving the gravity at which security and responsible disclosure are taken in these companies. Notable projects included the Month of Browser Bugs (July 2006), Month of Kernel Bugs (November 2006), and Month of Apple Bugs (January 2007). SquareX is bringing back this tradition with the YOBB to raise awareness of cyberthreats that the browser is vulnerable to. However, unlike H. D. Moore’s original Month of Browser Bugs which focused on software bugs in the browser itself, SquareX will be disclosing application layer attacks that can be delivered through any website, app, or cloud data storage accessed through the browser. 

Throughout 2025, SquareX’s research team will disclose at least one critical web attack per month as part of the YOBB project, focusing on vulnerabilities that exploit architectural limitations of the browser and incumbent solutions. The research will reveal never-seen-before attack vectors that remain unknown even to the cybersecurity community. Each disclosure will include attack video demonstrations, technical breakdowns, and mitigation strategies. These disclosures will be wholly SquareX-researched and discovered, rather than an aggregation of existing security research. 

Under the YOBB initiative, SquareX has already made major releases since 2024 and into the first two months of 2025:

**2025**

*   **January:** **SquareX Discloses “Browser Syncjacking”, a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk** 
*   **February:** **SquareX Unveils Polymorphic Extensions that Morph Infostealers into Any Browser Extension – Password Managers, Wallets at Risk** 

**2024**

*   **August:** **SquareX Uncovers Critical Flaw in Secure Web Gateways**
*   **December:** **Cyberhaven’s OAuth Identity Attack — Are your Extensions Affected?**

> Quoting Vivek Ramachandran, the Founder and CEO of SquareX, “As browsers become the new endpoint, attackers are increasingly targeting employees to break into organizations and exfiltrate data, just like the Cyberhaven incident. Unfortunately, beyond mainstream media attention, there is little done by vendors from a security perspective to prevent similar exploits from happening in the future. The YOBB is our attempt to draw attention to an attack surface that is exponentially growing. We hope that this will serve as a call to action for browser and security vendors to solve these vulnerabilities that give rise to application layer attacks that simply cannot be solved through browser patches.”

As the year progresses, security teams can expect monthly disclosures to be documented at https://sqrx.com/research.

**About SquareX**

SquareX’s industry-first Browser Detection and Response (BDR) helps organizations detect, mitigate and threat-hunt client-side web attacks targeting employees in real time. This includes defending against identity attacks, malicious extensions, spearphishing, browser data loss, and insider threats. 

SquareX takes a research and attack-focused approach to browser security. SquareX’s dedicated research team was the first to discover and disclose multiple pivotal attacks, including Last Mile Reassembly Attacks, Polymorphic Extension,s, and Browser Syncjacking. As part of the Year of Browser Bugs (YOBB) project, SquareX commits to continue disclosing at least one major architectural browser vulnerability every month.  

To learn more about SquareX’s BDR, users can contact \[email protected\]. For press inquiries on this disclosure on the Year of Browser Bugs, users can contact \[email protected\].

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Launches “Year of Browser Bugs” (YOBB) to Expose Critical Security Blind Spots

Do you need to permanently and securely delete photos from an iPhone to prevent unauthorized access? Simply deleting…

Do you need to permanently and securely delete photos from an iPhone to prevent unauthorized access? Simply deleting them isn’t always enough, as they can sometimes be recovered or stored in the cloud. Fortunately, there’s a straightforward way to erase them for good. This guide will show you how to securely delete photos from an iPhone and protect your privacy.

In this section, we’ll show you how to securely delete photos from your iPhone. Just tapping the trash icon in the Photos app isn’t enough; we’ll explain why later. We’ll also share tips to speed up the deletion process and point out other albums where images might still be hiding. 

****1\. Delete Photos from the Photo Library****

The Photos app on your iPhone stores not just the pictures you take but also images received through chats and other apps. To delete pictures from your iPhone, you first need to remove them from the album where they’re stored. Here’s how:

1.  Tap on the Photos app icon on your home screen to start.
2.  Browse through your photos and tap ‘Select’ in the top right corner. Then, tap on each photo you wish to delete or swipe your finger across multiple photos to select them quickly.
3.  After you select the photos, tap the trash can icon at the bottom right corner.
4.  Confirm your decision to delete the photos when prompted.

**Tip:** If you organize your photos into folders for structured photo storage within the Photos app, you can delete all photos from an album with a few taps. Open the album, tap ‘Select,’ then ‘Select All,’ and finally, tap the trash can icon to remove all the photos at once.

However, this action doesn’t permanently and safely delete your photos; it just moves them to the Recently Deleted album, where they’ll remain for 30 days.

****2\. Delete Photos Using Third-Party Apps****

There are third-party iPhone apps that can help you manage and delete photos, often offering advantages over native methods. These apps display your photo gallery differently and use unique algorithms to group your images. Below, we’ll briefly discuss three examples of these apps and their key features for deleting photos from your iPhone.

*   Clever Cleaner: AI Duplicate Remover is a free app that helps you quickly find and delete duplicate and similar photos. It automatically groups them, allowing you to remove all copies at once or choose which ones to keep. You can also delete all screenshots from your iPhone with a single tap. After using any feature, the app reminds you to clear the Recently Deleted album to guarantee the photos are permanently removed.

*   Hyper Cleaner also lets you delete similar photos, but it offers another standout feature; you can swipe through your photos grouped by the month they were added. This makes deleting photos much faster since you can simply swipe to remove them, rather than manually selecting each one and tapping the trash icon like in the Photos app.

*   Photo Cleaner does more than just delete duplicates and similar photos; it also categorizes your images differently. It can identify low-resolution photos and ones where your eyes are closed, which can be useful for you. Plus, the app allows you to select all your photos at once and delete them in a single action.

Keep in mind that while these apps make deleting photos faster and more convenient, they don’t permanently remove them from your iPhone. Instead, they move them to the Recently Deleted album.

****3\. Check the Hidden Photos****

You should also check the Hidden album in your Photos app if you want to confirm your photos are fully removed. This album lets you hide images from your main gallery without actually deleting them, which makes it useful for keeping personal photos private. However, you may have added pictures there and forgotten about them, or even done so by accident, so it’s worth reviewing and removing any unnecessary images.

**Tip:** If you’ve used a third-party cleaning app on your iPhone, check if it includes a hidden photo feature, often called “Secret Folder,” “Safe Space,” or something similar. If you don’t manually delete photos from these hidden areas, they’ll stay stored within the app, even if they no longer appear in your main photo gallery.

1.  Tap the Photos icon on your iPhone to open the app.
2.  Scroll down until you find the Hidden album under the ‘Utilities’ section.
3.  Tap the Hidden album to open it and view the photos.
4.  Tap ‘Select’ in the top right corner, then choose the photos you want to delete and tap the trash can icon to delete the selected photos.

Even after following these steps, your photos aren’t permanently deleted yet. To completely remove them from your device, you need to empty the photo trash on your iPhone. We’ll walk you through how to do that in the next section.

****4\. Delete Photos from Trash on iPhone****

After you delete photos, they do not immediately disappear from your iPhone; instead, they move to the Recently Deleted album, where they are stored for another 30 days. During this period, you still have access to these photos and can restore them if you discover that you need some of them or if they were deleted by mistake. In order to permanently and securely delete iPhone photos, you must manually empty this album.

**Note:** If you use iCloud sync, clearing the Recently Deleted album will also remove the photos from your iCloud storage. However, if you use other cloud services like Google Photos, you’ll also need to empty the trash within that app separately to make sure the photos are fully deleted.

1.  Tap on the Photos icon on your iPhone to open the app.
2.  Scroll down to the bottom of the Utilities tab until you find the Recently Deleted album.
3.  Tap on the Recently Deleted album to view all the photos and videos it contains.
4.  Tap ‘Select’ in the top right corner of the screen, then choose either ‘Delete All’ to remove all items or select individual photos that you wish to delete.
5.  Tap ‘Delete from this iPhone’ and confirm that you want to permanently remove the selected photos from your iPhone. This action cannot be undone.

**Note:** If you deleted a photo from the Photos app but forgot to clear the Recently Deleted album, don’t worry. In the latest iOS versions, accessing this album requires authentication with your Apple ID or password. This added security provides that even if someone gets hold of your iPhone, they won’t be able to retrieve your deleted photos.

If you regularly back up your iPhone using iTunes/Finder or have automatic iCloud backups enabled, it’s important to create a new backup after emptying the trash. This prevents deleted photos from reappearing if you ever restore your iPhone.

****5\. Perform a Factory Reset to Erase All iPhone Data****

The last option to safely and permanently delete photos on your iPhone is to perform a factory reset. However, use this method with caution; it erases not just photos but all personal data, apps, and settings. This is the best way to guarantee no trace of your data remains, which makes it ideal if you’re selling or giving away your device rather than just clearing a few photos.

**Note:** If you have already emptied your Recently Deleted album and plan to perform a factory reset to confirm no one else can access your deleted photos, make sure to back up your data first. This will preserve your important files and settings before you reset your phone, effectively wiping all content from your device.

1.  On your iPhone, go to the Settings app, scroll down, and tap on ‘General.’
2.  At the bottom of the General settings, tap on ‘Transfer or Reset iPhone.’
3.  Select ‘Erase All Content and Settings.’ You may be asked to enter your Apple ID password to confirm the action.
4.  Confirm that you want to erase everything after entering your credentials. Your iPhone will begin the reset process, which can take a few minutes to complete.
5.  After these steps, your iPhone will return to its original factory state, free from any of your personal data and ready for a new owner without any remnants of your information.

****Conclusion****

Confirming a photo is fully removed means either clearing it from the Recently Deleted album (or waiting 30 days for it to disappear automatically) or performing a factory reset.

While a factory reset is the fastest way to wipe your iPhone clean, we recommend deleting photos manually first. This gives you a chance to recover any images you may have accidentally removed. If you do choose a factory reset, remember that you can only restore your photos if you have a backup that includes them.

However, restoring from a backup will bring back all deleted photos, not just the ones you want. In our opinion, the best time to reset an iPhone is when you give it to someone else, which guarantees that none of your personal data remains.

How to Permanently and Securely Delete Photos from an iPhone

A list of topics we covered in the week of March 10 to March 16 of 2025

March 14, 2025 - A shocking amount of iOS apps in Apple's App Store contained hard-coded secrets. Secrets that could lead criminals to user data.

March 13, 2025 - To parents worried about their children's presence on Roblox, the CEO said don't let your kids be on Roblox.

March 12, 2025 - Apple has patched a vulnerability in iOS and iPadOS that was under active exploitation in extremely sophisticated attacks.

March 12, 2025 - Sports betting is a multi-billion-dollar industry, but behind the flashing lights and promises of easy money lies a hidden underworld of deception.

March 12, 2025 - Google spies on Android device users, starting from even before they have logged in to their Google account.

 A week in security (March 10 &#8211; March 16) 

Plus: A nominee to lead CISA emerges, Elon Musk visits the NSA, a renowned crypto cracking firm’s secret (and problematic) cofounder is revealed, and more.

Knifings, firebombings, shootings, and murder-for-hire plots—all linked to a splinter group of the 764 crime network called “No Lives Matter.” According to its own manifesto, the group seeks to “purify mankind through endless attacks” and has released at least two “kill guides” tied to violent plots in the US and Europe. Intelligence documents reviewed by WIRED reveal growing concern among analysts, but experts remain unsure how to stop the group’s spread.

On Monday, X experienced intermittent outages after a botnet flooded the social network with junk traffic in an attempt to take down its system. Elon Musk stated that the distributed denial-of-service attack originated from Ukrainian IP addresses, implying that the country—already under siege by a Russian invasion and frequently mocked by the centibillionaire—may have been responsible. Security experts tell WIRED that this is not how DDoS attacks work.

Meanwhile, inside the Cybersecurity and Infrastructure Security Agency, mass layoffs are hurting US cyberdefense, weakening protections against foreign adversaries. Vital staff cuts have left employees overworked and strained international partnerships, according to interviews with staff at the agency that helps safeguard cities, businesses, and nonprofits from cyberattacks. “A lot of people are scared,” says one employee. “We’re waiting for that other shoe to drop. We don't know what's coming.” As WIRED takes you inside the agencies at the center of the uncertainty and chaos of the second Trump administration, we've updated our quick and easy guide to using Signal to help you get the most out of the messaging app’s end-to-end encryption.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Those “green bubbles,” the cross-platform text messages that annoy iPhone owners and keep Android users relegated to a group-chat underclass, aren’t just a cultural disconnect. They’re also a security issue: Text messages sent between Android and iOS devices—unlike blue-bubble iMessage texts or Android-to-Android messages—aren’t end-to-end encrypted, leaving them open to surveillance or interception. Now, that may finally be changing.

The GSM Association, responsible for many widely used telecom standards, this week announced that its Rich Communication Services (or RCS) protocol will now support end-to-end encryption for cross-platform texting, and Apple revealed that it will now integrate that feature of RCS into its iOS devices. Until now, Apple and Google had both supported RCS’s other features in texts sent between iOS and Android, but not end-to-end encryption, which ensures that only the devices sending and receiving messages can decrypt them and not any server or snoop that sees them in transit.

Neither Apple nor the GSMA has said exactly when the new privacy features are launching. Until then, anyone sending cross-platform messages would be wise to stick with apps like WhatsApp or Signal that have long provided end-to-end encryption—and have also helped Android and iPhone users avoid personal disputes over bubble colors.

**Sean Plankey Nominated as Head of CISA, America’s Top Cybersecurity Agency**

The White House has tapped Sean Plankey to run CISA, the agency within the Department of Homeland Security primarily responsible for American digital defense. Plankey, long considered the leading contender for the role, served in multiple cybersecurity positions in the first Trump administration and previously held senior roles in US Cyber Command. In that DOD agency focused on cyber offense, he served as a weapons and tactics branch chief and earned a Bronze Star for hacking operations in Afghanistan. CISA, like many federal agencies, has faced hundreds of personnel cuts in recent weeks, and its previous director, Chris Krebs, came under harsh criticism under the previous Trump administration for the agency’s work to counter disinformation and secure elections. Krebs was fired in a Trump tweet near the end of his term after CISA described the 2020 election, whose results Trump baselessly contested, as the “most secure in American history.”

**Elon Musk Visits the National Security Agency**

Not even the National Security Agency has been spared from Elon Musk’s scorched-earth campaign to gut the federal government. On Wednesday, The Wall Street Journal reported that Musk had visited the intelligence agency in Fort Meade, meeting with leadership to discuss staff reductions and operational changes, according to current and former US officials who spoke to the Journal.

Despite being one of the most insulated branches of US intelligence, the NSA has still found itself pulled into Musk’s orbit. The visit to Fort Meade is another sign of the sweeping nature of his influence and the extraordinary access the world’s richest man has been granted over even the most secretive federal operations.

Last month, staff at the intelligence agency received emails offering deferred resignations, signaling impending changes. Then, a week ahead of his visit, Musk publicly called for an overhaul of the intelligence and cybersecurity agency. Posting to his social media site X, Musk wrote, “The NSA needs an overhaul,” alongside an apparent agency recruitment graphic featuring a group of college-aged people of color and a list of universities where the NSA was conducting outreach—seemingly mocking the agency’s recruitment efforts.

**A Buzzy Crypto Cracking Firm Had a Hidden CoFounder Accused of Sexual Assault**

The cryptocurrency recovery firm Unciphered has made headlines with its feats of whitehat wallet cracking on behalf of customers who have lost access to their cryptocurrency fortunes. In the fall of 2023, for instance, the company cracked a model of encrypted IronKey USB drive believed to hold 7,000-plus bitcoins now worth well over half a billion dollars. Now, The Washington Post reports that one of the cofounders of that company was Morgan Marquis-Boire, a once-lauded hacker and security researcher for Google and Citizen Lab who was later accused of sexually assaulting multiple women. The reported involvement of Marquis-Boire, who has largely disappeared from the cybersecurity world after facing the sex crime accusations in 2017, was kept secret from even many of the startup’s staff, and the revelations of his role have left the company in “disarray,” according to the Post.

**A Reporter Behind an Indian Hacker-for-Hire Story Is Fighting to Regain His Citizenship**

In November of 2023, Raphael Satter was one of a team of Reuters reporters who published an in-depth feature on Appin Technology, a startup that allegedly hacked numerous celebrity and civil society targets on behalf of clients. A group with a similar name responded by suing, and obtained a court ruling that for a time successfully censored Reuters’ story—a remarkable case of an Indian judge restricting free speech internationally. Satter is now fighting a different battle following publication of that story. In late 2023, his Overseas Citizen of India (OCI) card—a kind of international citizenship extended to foreign citizens of Indian origin and those married to Indians—was revoked around the same time as the judge filed the injunction. A letter sent to Satter in December of that year accused him of “maliciously creating adverse and biased opinion against Indian institutions in the international arena.” Satter is now petitioning a Delhi court to reverse that revocation, which has prevented him from entering India to visit family there.

End-to-End Encrypted Texts Between Android and iPhone Are Coming

A shocking amount of iOS apps in Apple's App Store contained hard-coded secrets. Secrets that could lead criminals to user data.

Researchers found that most of the apps available on Apple’s App Store leak at least one hard-coded secret.

The researchers looked at 156,000 iOS apps and discovered more than 815,000 hardcoded secrets, including very sensitive secrets like keys to cloud storage, various Application Programming Interfaces (APIs), and even payment processors.

The researchers noted how:

“The average app’s code exposes 5.2 secrets, and 71% of apps leak at least one secret.”

Secrets hard-coded in the source code of the apps are considered exposed because they are relatively easy to find and abuse by cybercriminals.

While you may think that’s the publisher’s problem, these hard-coded secrets can have serious consequences for the an app’s users, particularly when these are credentials which provide access to cloud storage services like AWS S3 buckets or Azure Blob Storage. The researchers found 78,000 apps which exposed cloud storage buckets.

We have posted plenty of examples of exposed AWS S3 buckets over the years, often leading to millions of exposed customer records. Depending on the type of app these records can contain financial data, location data, and other personal information.

Unless you’re able to reverse engineer an app, there is not a lot you can do after the fact. But you can keep this information in mind before you install an app. Do you trust the developers to follow best practices and do you really need it? Also keep a tight rein on the permissions you allow an app.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 Research on iOS apps shows widespread exposure of secrets 

The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say.

Over the past decade, encrypted communication has become the norm for billions of people. Every day, Signal, iMessage, and WhatsApp keep billions of messages, photos, videos, and calls private by using end-to-end encryption by default—while Zoom, Discord, and various other services all have options to enable the protection. But despite the technology’s mainstream rise, long-standing threats to weaken encryption keep piling up.

Over the past few months, there has been a surge in government and law enforcement efforts that would effectively undermine encryption, privacy advocates and experts say, with some of the emerging threats being the most “blunt” and aggressive of those in recent memory. Officials in the UK, France, and Sweden have all made moves since the start of 2025 that could undermine or eliminate the protections of end-to-end encryption, adding to a multiyear European Union plan to scan private chats and Indian efforts that could damage encryption.

These latest assaults on encryption come as intelligence agencies and law enforcement officials in the United States have recently backtracked on years of anti-encryption attitudes and now recommend that people use encrypted communication platforms whenever they can. The drastic shift in attitude followed the China-backed Salt Typhoon hacker group’s widespread breach of major US telecoms, and it comes as the second Trump administration ramps up potential surveillance of millions of undocumented migrants living in the US. Simultaneously, the administration has been straining longtime, crucial international intelligence-sharing agreements and partnerships.

“The trend is bleak,” says Carmela Troncoso, a longtime privacy and cryptography researcher and the scientific director at the Max-Planck Institute for Security and Privacy in Germany. “We see these new policies coming up as mushrooms trying to undermine encryption.”

End-to-end encryption is designed so only the sender and receiver of messages have access to their contents—governments, tech companies, and telecom providers can’t snoop on what people are saying. Those privacy and security guarantees have made encryption a target for law enforcement and governments for decades, because officials claim that the protection makes it prohibitively difficult to investigate urgent threats such as child sexual abuse material and terrorism.

As a result, governments around the world have frequently proposed technical mechanisms to bypass encryption and allow access to messages for investigations. Cryptographers and technologists have repeatedly and definitively warned, though, that any backdoor created to access end-to-end encrypted communications could be exploited by hackers or authoritarian governments, compromising everyone’s safety. Additionally, it is likely that criminals would find ways to continue to use self-made encryption tools to conceal their messages, meaning that backdoors in mainstream products would succeed at undermining protections for the public without eliminating its use by bad actors.

Broadly, the recent threats to encryption have come in three forms, says Namrata Maheshwari, the encryption policy lead at international nonprofit Access Now. First, there are those where governments or law enforcement agencies are asking for backdoors to be built into encrypted platforms to gain “lawful access” to content. At the end of February, for example, Apple pulled its encrypted iCloud backup system, called Advanced Data Protection, from use in the UK after the country’s lawmakers reportedly hit the Cupertino company with a secret order demanding Apple provide access to encrypted files. To do so, Apple would have had to create a backdoor. The order, which has been criticized by the Trump administration, is set to be challenged in a secret court hearing on March 14.

Meanwhile, lawmakers in Sweden are also considering legislation that would require encrypted messaging companies, such as Signal and WhatsApp, to keep copies of messages that people send on their platforms so they could allow law enforcement to access suspects’ histories. Signal has said it would pull out of Sweden if the potential law goes ahead. While in France earlier this year, a proposed amendment to a drug trafficking law outlined plans to require encrypted messaging services to hand over decrypted chat messages within 72 hours of a request or face fines of up to 2 percent of annual global revenue. This week, the proposal was reportedly scrapped, while some politicians said they supported the idea.

“We’re seeing some democracies revert back to very crude approaches to circumventing encryption that we maybe thought were something of the past,” Callum Voge, the director of governmental affairs and advocacy at nonprofit Internet Society, says of efforts that could require a backdoor to be created.

In January, the head of EU law enforcement agency Europol told the Financial Times that tech companies have a “social responsibility” to provide access to encrypted messages. “Anonymity is not a fundamental right,” Catherine De Bolle told the publication. The comments expanded upon a previous statement from European police chiefs saying “we do not accept that there need be a binary choice between cybersecurity or privacy on the one hand and public safety on the other.”

The second threat, Maheshwari says, relates to an increase in proposals related to a technology known as “client-side scanning.” The process, which is sometimes called “on-device scanning,” involves scanning messages locally on a person’s device before they are encrypted, and comparing them against a database of prohibited content that is held elsewhere. Client-side scanning is an effort to contort encryption backdoors into something more palatable to privacy proponents by keeping people’s personal data on their own devices.

Ultimately, though, cryptographers and digital rights advocates have repeatedly warned that client-side scanning does not sidestep the fundamental dangers posed by creating a way for a third party to access encrypted data. The Internet Society’s Voge describes such efforts as a more “sophisticated” way that democracies have been trying to circumvent encryption in recent years.

For instance, politicians in the EU have been fiercely debating plans to scan billions of messages for potential child sexual abuse material using client-side scanning for more than three years. The unresolved debates have proved highly controversial, with multiple countries pushing to weaken encryption. “Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types,” Apple officials said in a letter first reported by WIRED in August 2023, after the company ditched its own, separate plans to introduce a form of client-side scanning on iPhones.

“It’s very divided in Europe, \[there are\] countries strongly in favor of scanning and countries strongly against it as well,” Voge says of the EU’s long-running chat monitoring plans. In May 2023, WIRED obtained leaked documents that stated many European countries’ positions on encryption. At the time, Spanish officials said they would like to prevent end-to-end encryption entirely in the EU, while many others were in favor of scanning people’s messages. Other countries, such as Germany, were against weakening encryption. Dutch political documentation says the country’s intelligence agency, AIVD, considers client-side scanning to be “too great a security risk for the digital resilience of the Netherlands.”

Finally, Maheshwari says, there is always the looming threat of potential bans or blocks for encrypted services. Toward the end of 2024, Russian officials blocked access to Signal amid the country’s ongoing full-scale war against Ukraine and widescale efforts to censor and control information environments. India has an ongoing lawsuit against WhatsApp, which could threaten its ability to operate in the country or necessitate that the platform retreat from end-to-end encryption in that market. Maheshwari also points out that while all virtual private networks do not specifically use end-to-end encryption, India has already banned multiple VPN services.

While each potential proposal that could undermine encryption is slightly different, the Internet Society’s Voge says that they’ve been met with some “stronger” pro-encryption voices coming from government or law enforcement services around the world, particularly when it comes to protecting national security.

In December, two officials from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, encouraged more people to use encrypted communications systems after China’s Salt Typhoon hackers gained deep access to US telecoms providers, exposing unencrypted calls and texts. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” one of the officials said.

Voge points out that as well as CISA and the FBI’s calls to use encrypted messaging, the Swedish armed forces has specifically cleared Signal for use with unclassified material, saying it can stop messages and calls from being intercepted by third parties.

Ahead of the UK’s March 14 legal hearing about the backdoor order reportedly made to Apple, US senators and privacy groups urged there to be more transparency about the demands and the risks to global encryption it presents. A bipartisan group of five members of Congress said the “cloak of secrecy” should be removed.

UK civil liberties groups Privacy International and Liberty also filed legal challenges over the secrecy of the proceedings. “While the UK Government seems to have come for Apple today, tomorrow it may be any other big tech companies, such as Google and Microsoft, and the day after it could be Signal, your VPN Provider, Proton and others,” Privacy International said in a statement.

Ultimately, Access Now’s Maheshwari says, efforts to defend encryption will almost certainly continue, as they have for decades, to protect people’s human rights.

“Encryption right now is exceptionally important because it's a crucial enabler of the full spectrum of human rights,” Maheshwari says. “It’s not just privacy. It is what enables you to speak freely, to exercise your freedom of expression, to organize, to assemble, to associate.”

A New Era of Attacks on Encryption Is Starting to Heat Up

Apple has patched a vulnerability in iOS and iPadOS that was under active exploitation in extremely sophisticated attacks.

Apple has patched a vulnerability in iPhone and iPad that was under active exploitation by cybercriminals.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** > **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

Update Now

Overall, security updates were issued for:

If you use Malwarebytes for iOS, you can use the app to check if you need to update, and be guided through the update process.

Malwarebytes for iOS Trusted Advisor

**Technical details**

WebKit is the browser engine developed by Apple that helps display web content in applications. It allows apps to show web pages without the need for a full web browser. WebKit is used in many Apple products, such as Safari, Mail, and the App Store, as well as in other devices like PlayStation consoles and Amazon Kindle e-readers.

The actively exploited vulnerability is tracked as CVE-2025-24201.

> “An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).”

Simply put, that means an attacker could send or lure a target to open a web page which would cause an overflow in the allocated memory for WebKit. The overflow would then enable the attacker to escape from the Web Content Sandbox, which is a security feature used in web browsers to isolate web content, such as web pages and scripts, from the rest of the system. It’s designed to stop malicious code from accessing sensitive system resources or user data outside of the browser.

About a month ago, we reported how Apple fixed another extremely sophisticated attack, that was used against targeted individuals. This one is much more likely to be used against more users so should you prioritise updating your phone as soon as you can.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Update your iPhone now: Apple patches vulnerability used in “extremely sophisticated attacks” 

Apple on Tuesday released a security update to address a zero-day flaw that it said has been exploited in "extremely sophisticated" attacks.
The vulnerability has been assigned the CVE identifier CVE-2025-24201 and is rooted in the WebKit web browser engine component.
It has been described as an out-of-bounds write issue that could allow an attacker to craft malicious web content such that it

Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks

Cybersecurity researchers are alerting of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules that are designed to deploy loader malware on Linux and Apple macOS systems.
"The threat actor has published at least seven packages impersonating widely used Go libraries, including one (github[.]com/shallowmulti/hypert) that appears to target financial-sector developers

Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems

While countries and companies are fighting over access to encrypted files and chats, our data privacy may get crushed.

Data privacy issues are a hot topic in a world where we apparently don’t know who to trust anymore.

A few weeks ago, we reported how the UK had secretly ordered Apple to provide blanket access to protected cloud backups around the world. This week, Apple decided to pull the plug on Advanced Data Protection (ADP) for UK users.

ADP is an opt-in data security tool designed to provide Apple users a more secure way to protect data stored in their iCloud accounts. Enabling ADP would ensure that even Apple could not access the data, which would mean that Apple was unable to hand over any information to law enforcement.

Something similar happened when Sweden’s law enforcement and security agencies started to push legislation which would force Signal and WhatsApp to create technical backdoors, allowing them to access communications sent over the encrypted messaging apps. The proposed bill prescribes that companies like Signal and WhatsApp need to store all messages sent using the apps.

President of the Signal Foundation, Meredith Whittaker, told Swedish SVT News that the company will leave Sweden if the bill becomes a reality.

So basically, by seeking to obtain encryption backdoors, which are not likely to remain exclusive, these governments are undermining the data privacy options of their citizens. A backdoor can and will eventually be found by those that we absolutely didn’t want to snoop around in our backups and chat logs.

It doesn’t just affect the countries at the heart of the request. The US director of national intelligence is reportedly going to investigate whether the UK broke a bilateral agreement by issuing the order that would allow the British to access backups of data in the company’s encrypted cloud storage systems,

The bilateral agreement in question is the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) Agreement, which—among other things—bars the UK from issuing demands for the data of US citizens and vice versa. The CLOUD Act primarily allows federal law enforcement to compel US-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data is stored in the US or on foreign soil. Provisions in the act state that the United Kingdom may not issue demands for data of US citizens, nationals, or lawful permanent residents, nor is it authorized to demand the data of persons located inside the US.

Globally, governments and law enforcement agencies continue to seek more control over data through new legislations and rules. States regulate data to protect national security and provide domestic firms access to user (and anonymous) data to boost competitiveness, ease law enforcement’s qualms when accessing data, and ward off foreign surveillance.

But at the end of the day, the criminals that law enforcement agencies are after, will end up using expensive private phone networks, and the general population will be left with tools that have been broken on purpose. Backdoors that have been created will be waiting for cybercriminals to find the cracks and access our “encrypted” data.

Meanwhile, privacy is recognized as a universal human right while data protection is not. And it should be. Even if we think we “have nothing to hide” cybercriminals will find a way to use that data against us, if only to make their phishing attempts more credible. Let alone, trade and economic secrets that could fall into the hands of competitors or “unfriendly” nations.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#apple