Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.

**MLFlow unsafe deserialization**

High severity GitHub Reviewed Published Jun 4, 2024 to the GitHub Advisory Database • Updated Jun 5, 2024

GHSA-x38x-g6gr-jqff: MLFlow unsafe deserialization

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.

GHSA-76cg-cfhx-373f: MLFlow unsafe deserialization

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.

GHSA-ghv6-9r9j-wh4j: MLFlow unsafe deserialization

Financial Business and Consumer Solutions has filed a notification of a data breach which affects over 3 million US citizens.

The US debt collection agency Financial Business and Consumer Solutions (FBCS) has filed a data breach notification, listing the the total number of people affected as 3,226,631.

FBCS is a nationally licensed, third-party collection agency that collects commercial and consumer debts, with most of its activity involving the recovery of consumer debts on behalf of creditors. According to the official statement provided by FBCS, the exposed data includes:

*   Full names
*   Social security numbers
*   Birth dates
*   Account information
*   Drivers license or other state ID numbers

In some cases, it also includes medical claims information, provider information, and clinical information (including diagnosis/conditions, medications, and other treatment information), and/or health insurance information.

FBCS has sent data breach notifications to those affected, detailing what data was compromised and offering 12 months of free credit monitoring.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Scan for your exposed personal data**

You can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Debt collection agency FBCS leaks information of 3 million US citizens 

Generative AI tools such as OpenAI’s ChatGPT and Microsoft’s Copilot are becoming part of everyday business life. But they come with privacy and security considerations you should know about.

Generative AI tools such as OpenAI’s ChatGPT and Microsoft’s Copilot are rapidly evolving, fueling concerns that the technology could open the door to multiple privacy and security issues, particularly in the workplace.

In May, privacy campaigners dubbed Microsoft’s new Recall tool a potential “privacy nightmare” due to its ability to take screenshots of your laptop every few seconds. The feature has caught the attention of UK regulator the Information Commissioner’s Office, which is asking Microsoft to reveal more about the safety of the product launching soon in its Copilot+ PCs.

Concerns are also mounting over OpenAI’s ChatGPT, which has demonstrated screenshotting abilities in its soon-to-launch macOS app that privacy experts say could result in the capture of sensitive data.

The US House of Representatives has banned the use of Microsoft’s Copilot among staff members after it was deemed by the Office of Cybersecurity to be a risk to users due to “the threat of leaking House data to non-House approved cloud services.”

Meanwhile, market analyst Gartner has cautioned that “using Copilot for Microsoft 365 exposes the risks of sensitive data and content exposure internally and externally.” And last month, Google was forced to make adjustments to its new search feature, AI Overviews, after screenshots of bizarre and misleading answers to queries went viral.

**Overexposed**

For those using generative AI at work, one of the biggest challenges is the risk of inadvertently exposing sensitive data. Most generative AI systems are “essentially big sponges,” says Camden Woollven, group head of AI at risk management firm GRC International Group. “They soak up huge amounts of information from the internet to train their language models.”

AI companies are “hungry for data to train their models,” and are “seemingly making it behaviorally attractive” to do so, says Steve Elcock, CEO and founder at software firm Elementsuite. This vast amount of data collection means there’s the potential for sensitive information to be put “into somebody else’s ecosystem,” says Jeff Watkins, chief product and technology officer at digital consultancy xDesign. “It could also later be extracted through clever prompting.”

At the same time, there’s the threat of AI systems themselves being targeted by hackers. “Theoretically, if an attacker managed to gain access to the large language model (LLM) that powers a company's AI tools, they could siphon off sensitive data, plant false or misleading outputs, or use the AI to spread malware,” says Woollven.

Consumer-grade AI tools can create obvious risks. However, an increasing number of potential issues are arising with “proprietary” AI offerings broadly deemed safe for work such as Microsoft Copilot, says Phil Robinson, principal consultant at security consultancy Prism Infosec.

“This could theoretically be used to look at sensitive data if access privileges have not been locked down. We could see employees asking to see pay scales, M&A activity, or documents containing credentials, which could then be leaked or sold.”

Another concern centers around AI tools that could be used to monitor staff, potentially infringing their privacy. Microsoft’s Recall feature states that “your snapshots are yours; they stay locally on your PC” and “you are always in control with privacy you can trust.”

Yet “it doesn’t seem very long before this technology could be used for monitoring employees,” says Elcock.

**Self-Censorship**

Generative AI does pose several potential risks, but there are steps businesses and individual employees can take to improve privacy and security. First, do not put confidential information into a prompt for a publicly available tool such as ChatGPT or Google’s Gemini, says Lisa Avvocato, vice president of marketing and community at data firm Sama.

When crafting a prompt, be generic to avoid sharing too much. “Ask, ‘Write a proposal template for budget expenditure,’ not ‘Here is my budget, write a proposal for expenditure on a sensitive project,’” she says. “Use AI as your first draft, then layer in the sensitive information you need to include.”

If you use it for research, avoid issues such as those seen with Google’s AI Overviews by validating what it provides, says Avvocato. “Ask it to provide references and links to its sources. If you ask AI to write code, you still need to review it, rather than assuming it’s good to go.”

Microsoft has itself stated that Copilot needs to be configured correctly and the “least privilege”—the concept that users should only have access to the information they need—should be applied. This is “a crucial point,” says Prism Infosec’s Robinson. “Organizations must lay the groundwork for these systems and not just trust the technology and assume everything will be OK.”

It’s also worth noting that ChatGPT uses the data you share to train its models, unless you turn it off in the settings or use the enterprise version.

**List of Assurances**

The firms integrating generative AI into their products say they’re doing everything they can to protect security and privacy. Microsoft is keen to outline security and privacy considerations in its Recall product and the ability to control the feature in **Settings > Privacy & security > Recall & snapshots**.

Google says generative AI in Workspace “does not change our foundational privacy protections for giving users choice and control over their data,” and stipulates that information is not used for advertising.

OpenAI reiterates how it maintains security and privacy in its products, while enterprise versions are available with extra controls. “We want our AI models to learn about the world, not private individuals—and we take steps to protect people’s data and privacy,” an OpenAI spokesperson tells WIRED.

OpenAI says it offers ways to control how data is used, including self-service tools to access, export, and delete personal information, as well as the ability to opt out of use of content to improve its models. ChatGPT Team, ChatGPT Enterprise, and its API are not trained on data or conversations, and its models don’t learn from usage by default, according to the company.

Either way, it looks like your AI coworker is here to stay. As these systems become more sophisticated and omnipresent in the workplace, the risks are only going to intensify, says Woollven. “We're already seeing the emergence of multimodal AI such as GPT-4o that can analyze and generate images, audio, and video. So now it's not just text-based data that companies need to worry about safeguarding.”

With this in mind, people—and businesses—need to get in the mindset of treating AI like any other third-party service, says Woollven. “Don't share anything you wouldn't want publicly broadcasted.”

AI Is Your Coworker Now. Can You Trust It?

When a drug kingpin named Microsoft tried to seize control of an encrypted phone company for criminals, he was playing right into its real owners’ hands.

Inside the Biggest FBI Sting Operation in History

YouTube remains the only major US-based social media platform available in Russia. It’s become "indispensable" to everyday people, making a ban tricky. Journalists and dissidents are taking advantage.

In December 2020, Vladimir Putin held his end-of-the-year press conference as normal. Despite the Covid-19 pandemic still raging in Russia and worldwide, the president insisted that things would be OK. He had set aside 350 billion rubles ($4.8 billion) “to give social benefits to people, families, both children, doctors, and students.”

Two weeks later and nearly 1,000 miles away, the opposition Anti-Corruption Foundation uploaded a video to its YouTube channel. In it, Alexei Navalny introduces the world to “Putin’s palace,” which he dubbed “the world’s largest bribe.”

Over nearly two hours, Navalny walks viewers through the trappings of the palatial datcha, on the Black Sea coast. A 2-million-ruble sofa, a 2-million-ruble vanity, a dining table worth nearly 4 million rubles. The ubiquitous gold leafing on the walls, a private theater, a velvet-lined hookah bar, a casino, even a _Dance Dance Revolution_ room. The construction of such a lavish abode would have cost Putin and his oligarchic backers over 100 billion rubles ($1 billion) of money pilfered from the Russian state, Navalny tells the viewer. Money that could have gone to people, families, children, doctors, and students.

The Russian-language video exploded, far surpassing anything Navalany and the Foundation had ever produced. Within weeks, it blew past 100 million views, and it has added another 32 million views since then—nearing the population of Russia itself.

The Foundation’s popularity on the world’s largest video-sharing platform had been growing massively over the preceding year—particularly as Russians were stuck indoors, and as the Kremlin intensified its crackdown on the independent press.

“Twenty years of total government control have turned television into an incessant marathon of disgraceful propaganda, lies, and censorship,” as Navalny told his viewers in a 2020 video. Behind him, a stack of TVs broadcast different clips of Russian TV presenter Vladimir Solovyov, a ubiquitous face on the Russia1 channel.

In December of that year, Navalny began his regular video dispatches with a startling introduction: “Hi, it’s Navalny. I know who wanted to kill me. I know where they live. I know where they work. I know their real names.”

Working with investigative journalism outfit Bellingcat, Navalny had posed as a Kremlin official in order to coax a confession out of one of his would-be assassins. The alleged agent recounted how the team of Russian operatives applied the nerve agent Novichok to Navalny’s underwear. Navalny recorded the whole thing and posted it directly to his YouTube channel.

In a follow-up video, Navalny continues to break down the failed murder plot in front of a wall featuring each of the men’s photos, maps of the operation, and red twine connecting everything.

In the West, Navalny’s appeal was often shortened to that of simply an opposition figure—a divisive one, for some, who became the de facto alternative to Putin after the other alternatives were killed or jailed.

But in the years leading up to his 2021 imprisonment and death in February 2024, Navalny became much more than just a politician—and the media apparatus he became the face of became bigger than him.

While Russia has grown considerably more autocratic in recent years, with its elections even more tightly scripted and its media ever more controlled by the Kremlin, YouTube remains one of the few US-based social media sites still available in the country and a reliable and effective conduit to the Russian public. It could be key to determining what happens next in Moscow—if YouTubers can stay ahead of Kremlin censorship.

“With minimal resources, we were essentially able to establish a direct competitor of Putin’s propaganda television,” says Vladimir Milov. “We are still behind them, but we are breathing down their back.”

Milov is a former deputy minister with the Russian government, a longtime Navalny associate, and a YouTube creator in his own right. I caught up with him in Vilnius, where he’s been exiled since Moscow began criminal proceedings against him. Last year, Milov was convicted by the Russian courts of disseminating “war fakes” and sentenced to eight years in prison in absentia.

Milov’s regular updates, which tend to focus on economics and finance, go out to his 500,000-plus subscribers, and often rack up around a million views. Leonid Volkov, another Navalny associate who helps run the Anti-Corruption Foundation, boasts another 165,000 followers. Dasha Navalnaya, Alexei Navalny’s daughter, has her own channel where she interviews GenZ Russians about the state of their country.

Above that, independent media have found a second home on YouTube as well. Meduza, an independent media organization that had to decamp to Latvia after being declared a “foreign agent” under Russian law, has nearly 800,000 subscribers. The BBC’s Russian service, which left the country amid a 2022 media crackdown, broadcasts regularly to its 2.5 million subscribers.

Cobbling together the analytics across these various channels, Milov says these opposition YouTubers have about 10 million to 15 million dedicated viewers inside Russia—while another 20 million viewers may stumble across their content from time to time.

​”Our message gets through to the Russian people,” Milov says. “We are serving as a very effective alternative broadcasting tool that really competes with Putin's propaganda.”

VCIOM, a pollster loyal to the Kremlin, has found that a plurality of Russians still prefer to get their news from heavily censored Russian television, but their trust in the format has plummeted, from nearly 50 percent in 2016 to just 25 percent today. Meanwhile, trust in online news has jumped by roughly the same degree.

Meanwhile, as Western programming becomes rarer and rarer, many Russians are turning to YouTube for their primary source of entertainment—especially for kids’ programming. Eight of the 10 most-subscribed Russian YouTube channels, according to rankings compiled by analytics firm Socialblade, are targeted at young children.

So Russians are losing faith in the state-approved TV news, increasingly trusting of online media, and are looking to YouTube for entertainment. It has delivered tens of millions of people right at the opposition’s doorstep.

Even if most Russian YouTube users are looking for content to pacify their children, bringing them on the platform has enormous benefits, Milov says. “There's this magical black box which is called YouTube recommendations.” He says plenty of his followers don’t even watch his videos—they listen. If Russians are letting the algorithm choose their next video while they cook dinner or fold laundry, it increases the chances his voice will reach a Russian who has never heard him before.

Milov stresses that YouTube isn’t just a one-way service: Because it allows users to comment and chat anonymously, it provides an extraordinary chance for regular Russians to express themselves without fear of censorship.

“The amount of our feedback is enormous,” he says. “Just myself, alone, I literally get messages, every day, from at least hundreds of people from across the country. When something serious happens? Thousands.” Sometimes, Milov says, his first indication that something terrible has happened in Russia is seeing just how many unread messages he has in his YouTube inbox.

Milov says this feedback reinforces the idea, supported even by Kremlin-approved pollsters, that opposition to the war in Ukraine is growing. But it also provides some important details and nuance. “So this is like, I would say, an enormous focus group, with which you can also communicate. You can ask them questions back.” He chuckles, thinking of the notorious Russian security and intelligence agency: “You know, the FSB would kill for this kind of information.”

“Obviously, the question is, why didn’t Putin shut down YouTube?” Milov says. “It’s easier said than done.”

In recent years, Moscow has deployed an array of strategies to cow and kill independent media and the open internet in Russia. Platforms like Facebook, Twitter, and TikTok have been blocked altogether. Independent media like Meduza, TV Rain, and The Insider have been declared “undesirable” or labeled “foreign agents.”

Through it all, YouTube has survived.

Milov says the Kremlin was too slow to move on YouTube. By the time Moscow was banning other popular Western platforms, the Google-owned video platform had become indispensable to everyday Russians. “They kind of let the genie out of the bottle,” Milov says.

“YouTube is mommies showing cartoons to kids, teenagers are watching music videos, people are watching comedians, elderly folks watching old Soviet movies, which are widely available there, and so on,” he says. “And you shut it all down? So you have these empty evenings now, from this point on.”

Unable to disrupt YouTube, the Kremlin tried desperately to compete with it.

Moscow had high hopes for Rutube, a long-suffering YouTube clone which was relaunched in 2020 after a merger with the media arm of state-controlled energy giant Gazprom. If the site’s “top videos” section is to be believed, it hasn’t worked—some had racked up view counts in the mid-thousands.

VK, Russia’s answer to Facebook, has fared slightly better with its video-sharing platform, and it is rife with pro-Kremlin broadcasters. But even its most popular channels have just a tiny fraction of the biggest Russian-language YouTube accounts.

“It's like a big room, but it's empty,” Milov says of these Kremlin-backed alternatives.

Having failed to compete with his online critics, Milov believes Putin opted for a more direct strategy. Just days before I arrived in Vilnius, thugs appeared outside the home of Leonid Volkov, former chair of the Anti-Corruption Foundation and Nalvany chief of staff. Armed with hammers, they savagely beat him. Lithuanian intelligence believe the men arrested were operating on orders from Russia. A week after the attack, Volkov was back on YouTube, his arm in a sling, “I am not going to stop—although I will gesticulate less in the coming weeks,” he said.

Milov emailed me the day I arrived to apologize that, due to his new security protocols, he wouldn’t be able to show me around his home broadcast studio.

Last November, the YouTube channel Volgograd Watch uploaded a new video trying to answer a difficult question: “When will the mobilized be returned?”

Subscribers of the channel were asking when Russia’s conscripts on the front line might return home. Evgeny Kochegin, host of the channel, responded by providing a litany of links recommending anti-war groups and resources on how to dodge the draft. Kochegin himself fled conscription and was convicted in absentia for disseminating “fake news.”

In exile, Kochegin has tried to help others avoid being pressed into military service, and took to YouTube to do it, racking up a modest 30,000 subscribers. In May, however, Kochegin found YouTube to be an unreliable partner. His video was blocked for Russian viewers.

Agents Media, an independent Russian news outlet, reviewed four different removal notices targeting human rights and anti-war YouTube channels. The news outlet obtained emails from YouTube’s legal team, threatening to take offline an entire channel. In the email to the OVD-Info channel, YouTube wrote that the channel had violated Russian Law #149-FZ and that “if you do not remove the content, Google may be required to block it.”

According to a company transparency report, Google has received hundreds of thousands of removal requests from the Russian government since 2022, including nearly 67,000 on the grounds of “national security,” over 200 for “government criticism,” and one for violating the electoral law.

More than 1,000 applications from Moscow specifically cited Law #149-FZ, asking for the removal of nearly 1 million pieces of content—which could include channels, videos, or comments. Google reports that it approved more than 80 percent of those removal requests.

An open letter published in May, signed by major Russian NGOs and Reporters Without Borders, called on Google to stop adhering to these requests from Moscow. “We are very concerned that the company appears to be helping the Russian censor to silence human rights and anti-war voices,” they wrote.

In a statement, a spokesperson for YouTube insisted that if the company has concerns that legal requests are being used to silence dissidents, “we will push back”—noting that Russian courts have fined Google in the past for refusing to comply with its orders.

YouTube says it has removed more than 12,000 channels and over 140,000 videos relating to the war in Ukraine for violating the platform’s policies—including pro-Putin propagandists, Kremlin-controlled media outlets, and content from the Russian Ministry of Foreign Affairs.

The YouTube spokesperson, however, ignored questions as to why it has been so willing to respond to requests under Law #149-FX.

Whether their channels are at risk from legal requests from Moscow, or whether Moscow blocks their channels entirely—the Russian dissidents are always making contingency plans. “They will not kill us by just shutting down one thing and making the other cooperate with the regime,” Milov says. “We'll navigate through.”

One such plan is to wind up right where the problem began: on TV.

Not long after Russia invaded Ukraine in February 2022, a group calling itself the Denis Diderot Committee began calling on major satellite television providers to stop beaming Kremlin propaganda into Russia and Europe — and replace it with real news.

“That's the ultimate goal of our effort—to actually provide alternative media channels into the Russian television space that are not controlled by the Russian government,” Jim Phillipoff, one half of the committee, told WIRED at the time.

Two years on, the committee scored a huge win. Satellite provider Eutelsat took up the committee’s challenge and inked a deal with Reporters Without Borders to broadcast 11 channels of independent Russian news and content into the region, with the option to add 14 more. They call it the Svoboda Satellite Package—using the Russian word for “freedom.”

Phillipoff told WIRED this week that they have begun broadcasting into 4.5 million households in Russia, and another 61 million households in the broader region—and they hope to grow that number by securing space on other regional satellites.

While the satellite is simply rebroadcasting some existing channels, Philipoff says they’ve also created some channels from scratch—in some cases made up of dissident Russians’ YouTube content. They’ve been in talks with Volkov to help rebroadcast some of the work from the Anti-Corruption Foundation and other opposition groups. (They have also explored how to cooperate with eQsat, a like-minded effort to broadcast digital news files using satellites, which WIRED revealed last September.)

While Russian television remains under the thumb of the Kremlin, and Google remains willing to block content at its behest, Svoboda exists to reject the censorship altogether, Phillipoff says.

“The goal of our project is to circumvent this control.”

Russians Love YouTube. That’s a Problem for the Kremlin

A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter.

**Reflected Cross-Site Scripting (XSS) in Dolibarr**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 4, 2024

GHSA-hv2j-6654-x74q: Reflected Cross-Site Scripting (XSS) in Dolibarr

Failing to sanitize content from unauthenticated  website visitors, the form component is susceptible to Cross-Site Scripting.

**TYPO3 Cross-Site Scripting (XSS) in form component**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024

GHSA-5j86-5xvg-7q93: TYPO3 Cross-Site Scripting (XSS) in form component

Failing to sanitize content from editors, the legacy form component is susceptible to Cross-Site Scripting. A valid editor account with access to a form content element is required to exploit this vulnerability.

**TYPO3 Cross-Site Scripting in legacy form component**

Moderate severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024

Tag

#git