Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

No match.

Moodle official production repository

RSS Atom

CVE-2023-5549: Official Moodle git projects - moodle.git/search

Cross-Site Request Forgery (CSRF) vulnerability in SAKURA Internet Inc. TS Webfonts for ??????????? plugin <= 3.1.2 versions.

**Solution**

 Fixed

Update the WordPress TS Webfonts for さくらのレンタルサーバ plugin to the latest available version (at least 3.1.3).

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Broken Access Control vulnerability in WordPress TS Webfonts for さくらのレンタルサーバ Plugin. A broken access control issue refers to a missing authorization, authentication or nonce token check in a function that could lead to an unprivileged user to executing a certain higher privileged action. This vulnerability has been fixed in version 3.1.3.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-34169: WordPress TS Webfonts for さくらのレンタルサーバ plugin <= 3.1.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

CVE-2023-5550: Official Moodle git projects - moodle.git/search

It can be easy to get caught up in the “big” questions in cybersecurity, like how to stop ransomware globally or keep hospitals up and running when they’re targeted by data theft extortion.

Thursday, November 9, 2023 14:11

I found the juxtaposition of stories on the Talos blog over the past week-plus kind of funny. 

On one hand, we had a massive story about Arid Viper, a Middle Eastern threat actor spreading spyware, one of the most dangerous types of malware out there right now, operating out of Gaza no less. 

Then, we had “Roblox,” a children’s video game (which I’ve written about multiple times and I maintain was the OG metaverse).  

The scale of these attacks is obviously vastly different. Spyware is being used across the globe to monitor some of the most vulnerable activists, journalists and government officials to track their physical movement.  

Meanwhile, “Roblox” players are losing money in a game where the characters look like vague LEGO minifigure knockoffs.  

And the blog homepage is just a perfect encapsulation of how cybersecurity means more than just blocking malware. It can mean teaching your children how to stay safe when they go online, how to properly lock down your login credentials and just being smart at spotting scams. 

But it can also have global implications in areas where there is a global military conflict, just like we’ve written about countless times in Ukraine. 

I would never call one security researcher’s work more “important” than another's — everyone in the security community works extremely hard to keep the internet safe, no matter what company you work for or what your area of expertise is. Tiago from our Outreach team who wrote about the “Roblox” scams has certainly done way more malware research beyond this. But it’s clear that the real-world implications of both these threats are very different. 

For me, the takeaway is just to leave room for all of this. It can be easy to get caught up in the “big” questions in cybersecurity, like how to stop ransomware globally or keep hospitals up and running when they’re targeted by data theft extortion. But that doesn’t mean we can ignore the “small stuff” either because those problems are more likely to end up on our virtual front door. 

If I may continue to plug Talos’ work, we have a new video series launching today, too, under our Threat Spotlight banner. Each month, Decipher reporters and Talos researchers will team up to recap the top stories, malware and threats in the headlines. We’re excited about this new partnership with Decipher.

 **The one big thing **

Attackers are using a new tactic to get spam through their email inbox filters via Google Forms. Google Forms has a “quiz” option for their fields, and adversaries have found a workaround to send the “answers” to a quiz to targets, which are actually spam messages that appear to the user like they’re legitimate messages coming from Google. In one case, we found a deep cryptocurrency-related scam using this method, and other actors are just hoping to get the user to click on a malicious link that could lead to other scams or malware.  

**Why do I care? **

The average user is going to see a message from Google Forms, especially after they just filled out a Form, and assume it’s legitimate, so attackers are more likely to be successful using this method of delivering their spam compared to traditional email methods. Google Forms abuse has been present in spam attacks for several years, though our investigation showed that this particular feature of Google Forms quizzes was not very heavily abused to send spam until relatively recently. 

**So now what? **

As with all types of spam, follow the basic rule, “If it seems too good to be true, it probably is.” While there is no concrete method of blocking these comments and quiz results from coming through, if you’re using Google Forms, be weary of illegitimate messages making their way through. Look for things like misspellings, typos, or URLs that you don’t recognize.  

**Top security headlines of the week **

**A coalition of more than 40 international governments, including the European Union and Interpol, have agreed to not pay ransomware attackers’ extortion payments.** The commitment came from last week's U.S.-led Counter Ransomware Initiative meeting and applies to those countries’ government agencies. Private companies who operate in these nations are most often the targets of ransomware, however, but leaders hope the pledge will influence them to take the same stance. Whether to pay the ransom is often a tough decision for the private sector, which needs to balance the cost of keeping their network operations offline during recovery versus having their files returned as quickly as possible. However, there is never a guarantee that the ransomware actor will provide a decryption key as promised. Government officials hope that cutting off the flow of income to the threat actors will dry up their resources and discourage future attacks. (Axios, Reuters) 

**Atlassian elevated a recently disclosed vulnerability to the maximum severity rating after threat actors started exploiting it to deliver the Cerber ransomware.** CVE-2023-22518 is an improper authorization vulnerability in Confluence Data Center and Server, which first received a patch on Oct. 31. Adversaries can exploit this vulnerability on internet-facing Confluence servers by sending specially devised requests to setup-restore endpoints. Confluence accounts hosted in Atlassian’s cloud environment are not affected, according to the company. In its initial disclosure of CVE-2023-22518, Atlassian warned of “significant data loss if exploited” and said, “customers must take immediate action to protect their instances.” (SC Media, Ars Technica) 

**The Mozi botnet mysteriously has gone offline, and experts are unsure if the original creators are responsible.** Mozi was once a massive network that attackers used to carry out distributed denial-of-service (DDoS) attacks, data exfiltration and payload execution against internet-of-things (IoT) devices. Once one of the largest botnets in the world, it’s now essentially offline, according to security researchers. A kill switch seems to be the root cause, though it’s unclear if the operators did this on their own volition if they had their hand forced by law enforcement, or if another third party was involved. The kill switch code shares some code snippets with the original botnet, and whoever deployed it used the correct private keys to sign the payload. Botnets tend to still come back to life after reported takedowns, so there is no guarantee that Mozi is gone forever. (Dark Reading, The Register) 

**Can’t get enough Talos? **

*   Threat Roundup for Oct. 27 - Nov. 3 
*   Talos Takes Ep. #161 (XL Edition): The top incident response trends of Q3 
*   Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers 
*   Cyber attackers are increasingly targeting web applications 

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

_Riyadh, Saudi Arabia_ 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

_Virtual (Please note: This presentation will only be given in German)_ 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256: 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf**   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

A new video series, Google Forms spam and the various gray areas of cyber attacks

By Waqas
Hive Ransomware had its infrastructure seized by the FBI and Europol back in January 2023.
This is a post from HackRead.com Read the original post: Hive Ransomware Resurfaces as Hunters International, Bitdefender Claim

Bitdefender researchers and the cybersecurity community speculate that Hunters International might be a revival or successor to the Hive Ransomware, especially in the absence of any reported arrests by the authorities.

Hive, one of the most notorious global ransomware operators, targeted over 1,300 companies and amassed $100 million in ransom payments. However, it was **dismantled** in January 2023 through a joint operation by the FBI and law enforcement agencies in the Netherlands and Germany.”

However, no arrests were made at the time due to the group’s covert, transnational operations. According to Bitdefender’s research, the group appears to have recommenced its activities under a new name, Hunters International.

Bitdefender’s **blog post** revealed that Hive’s leadership strategically ceased operations and transferred their remaining assets to Hunters International. This information was initially reported by security researcher @rivitna2 in a **post** on X (formerly Twitter) on October 20, 2023.

“#Hive is back! Now they are #Hunters International!”

Security researcher Will Thomas @BushidoToken also found startling similarities and code overlaps between both groups’ codes. Thomas **reportedly** found a 60% match between both sets.

“Ever since the takedown of Hive ransomware by the FBI, it seems the operators have been busy developing their next project: Hunters International. Multiple code overlaps and similarities link Hive and Hunters together, at least +60% match from my research 🔍 h/t @rivitna2.”

While these discoveries seem to confirm that Hunters International is a rebranded version of Hive, the group has refuted these assumptions in a surprising turn. Hunters International maintains that they are an independent entity formed after acquiring and rectifying Hive’s infrastructure and source code.

Their preference lies in data exfiltration rather than data encryption, and the dismantling of Hive provided them with the ideal opportunity to pursue this avenue.

“All of the Hive source codes were sold including the website and old Golang and C versions and we are those who purchased them,” the group stated.

Here’s what Hunters International had to say in response to claims made by researchers

This opportunistic group doesn’t focus on specific regions or industries. Primarily, they target victims in the United States, the UK, Germany, and Namibia including hospitals. The group employs a simplistic approach because it uses fewer command line parameters, has streamlined the process of encryption key storage, and their **preferred malware** is less verbose. 

The gang offer Ransomware-as-a-Service, using Rust language ransomware. Their approaches are rather unique as they don’t embed the encryption key in each file. Instead, they generate two key sets in memory for file encryption and store both as the encrypted drive’s root with a .key extension.

Their ransomware family, identified by Bitdefender’s flagship security platform GravityZone, was Trojan.Ransom.Hunters**.** Regarding their payment method, the victims have to access a chat portal using the credentials provided in the ransom note.

Ransom note from Hunters International 

Whether Hive has resurfaced as Hunters International or not, there’s no doubt that ransomware groups are constantly evolving and developing new techniques. Therefore, extended international cooperation and implementing strong cybersecurity measures are essential to mitigate the threats timely.

**_**RELATED ARTICLES**_**

1.  **FIN8 Resurfaces with New Sardonic Backdoor**
2.  **Mamba ransomware that encrypts entire hard drives resurfaces**
3.  **BBTok Malware Returns, Targeting Over 40 Banks in Brazil and Mexico**
4.  **US-Led Alliance of 40 Countries Unites to Combat Ransomware Threat**
5.  **RansomedVC Ransomware Quitting and Selling its Entire Infrastructure**

Hive Ransomware Resurfaces as Hunters International, Bitdefender Claim

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 3 and Nov. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for November 3 to November 10

Cross Site Scripting (XSS) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to run arbitrary code via the new component feature in the flexibleLayout plugin.

_Written by:_ **Andy Olchawa**_,_ **Milenko Starcik**

We continued our review of **NASA’s Open MCT** software (v3.1.0) and discovered a stored Cross-Site Scripting (XSS) vulnerability. Its impact can be significant since the examined version lacks CSP flags and CSRF protection.

Two new CVEs have been assigned and are discussed in this report:

\-        XSS: **CVE-2023-45885**

\-        CSRF: **CVE-2023-45884**

**Stored XSS**

The _flexibleLayout_ plugin of Open MCT is vulnerable to an XSS. Depending on the system's configuration (i.e., whether the persistence is enabled), the vulnerability is either Stored Client XSS or Stored Server XSS. The vulnerability is currently in the frame.vue:162, see Figure 1.

Figure 1: XSS vulnerability is shown in the code of flexibleLayout.

As the screenshot above shows, the domainObject.name is assigned to another component's innerHTML property. Given that the domainObject.name is controlled by the user input (i.e., it is set by the user by creating a widget or component), exploiting this functionality to trigger a Cross-Side Scripting vulnerability is possible. The affected component (element id: js-fl-drag-ghost) is dynamically updated when the _flexibleLayout_ component is in edit mode, and the user drags its element between the columns.

**Steps to reproduce:**

a)     Create a _flexibleLayout_

Figure 2: flexibleLayout contains a couple of columns.

b)     Create a new component and inject the XSS payload.

In our case, we create a new clock within the _flexibleLayout_ and set its Title to a simple XSS payload (as shown in Figure 3):

XSS Payload:

Figure 3: Creation of a new Clock and set its Title to an XSS payload.

c)      Edit the _flexibleLayout_

Figure 4 shows the _flexibleLayout_ in edit mode with one component included (the previously created clock).

Figure 4: flexibleLayout in edit mode.

d)     Drag and drop the clock component between the columns.

Drag-and-drop action will trigger the XSS, as shown in Figure 5.

Figure 5: Trigged XSS.

**Recommendations:**

Consider using a sanitisation method, such as the one already used in the Notebook plugin (NotebookEntry.vue:246).

**Missing CSP**

Open MCT doesn't set the CSP, leading to much more severe exploitation of XSS vulnerabilities. To demonstrate this, we've used the earlier described XSS vulnerability to call the attacker's server, fetch a malicious JavaScript code and execute it on the user's Web Browser.

**Steps to reproduce:**

a)     Create a remote payload XSS payload. This code will be hosted on an attacker's server:

b)     Create the XSS payload that exploits the lack of CSP.

An on-error event triggers this code if the browser fails to load an image from the specified source. It then creates an HTML script tag, loads the script from the source (hosted on the attacker's server), and appends it to the DOM.

c)      Create a new clock and set its title to the XSS payload, as shown in Figure 6.

Figure 6: New Clock with XSS payload set as its Title.

d)     Edit the _flexibleLayout_ and drag and drop the clock component.

Figure 7: Triggered XSS.

The console log presented in Figure 7 shows how the XSS payload first fetches from the attacker's server and then executes the malicious payload.

Figure 8: Python HTTP server hosting the malicious payload.

Figure 8 displays the incoming connection from the Open MCT to retrieve the malicious JavaScript file. We recommend including CSP based on the **OWASP cheat sheet**.

**CSRF**

Open MCT doesn't have any protection against CSRF. Combined with XSS and the lack of CSP described earlier, it creates more opportunities for system exploitation. Below, we demonstrate how chaining these vulnerabilities can lead to a CSRF, such as calling the backend database.

**Steps to reproduce:**

a)     Create a CSRF Remote Payload.

The payload above will call the backend database, which will then be followed by another call to the attacker's server to exfiltrate the returned data.

b)     Create CSRF Payload and set it as Title in the Clock component.

As before, the CSRF payload will call the attacker's server to retrieve and execute a malicious JavaScript file.

c)      Edit the _flexibleLayout_ and drag and drop the component.

Figure 9: Triggered XSS

As shown in Figure 9, once the XSS is triggered, the browser fetches and executes the malicious script. The script calls the database to retrieve all entries and sends it back to the attacker's server.

This can be observed on the attacker's console hosting the malicious script, as shown in Figure 10.

Figure 10: Exfiltrated data shown on the attacker's console.

Further, decoding the exfiltrated data (URL-encoded to avoid any transmission issues) can be seen as the actual content of the database (see Figure 11).

Figure 11: Decoded data exfiltrated from the database.

We recommended implementing the CSP to minimise the flexibility of the payload that can be executed and to consider implementing the **CSRF countermeasures** recommended by OWASP.

**Further readings**

Our previous report on a Prototype Pollution vulnerability in Open MCT is **here**. If you like this work, check our **review of YAMCS** or pass by our **blog**, where we have more space-related content.

CVE-2023-45885: XSS in NASAs Open MCT v3.1.0

The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft.
Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers.
The issue, tracked as CVE-2023-47246, concerns a path traversal

The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft.

Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers.

The issue, tracked as **CVE-2023-47246**, concerns a path traversal flaw that could result in code execution within on-premise installations. It has been patched by SysAid in version 23.3.36 of the software.

"After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware," Microsoft said.

"This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment."

According to SysAid, the threat actor has been observed uploading a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service.

The web shell, besides providing the threat actor with backdoor access to the compromised host, is used to deliver a PowerShell script that's designed to execute a loader that, in turn, loads Gracewire.

Also deployed by the attackers is a second PowerShell script that's used to erase evidence of the exploitation after the malicious payloads had been deployed.

Furthermore, the attack chains are characterized by the use of the MeshCentral Agent as well as PowerShell to download and run Cobalt Strike, a legitimate post-exploitation framework.

Organizations that use SysAid are highly recommended to apply the patches as soon as possible to thwart potential ransomware attacks as well as scan their environments for signs of exploitation prior to patching.

The development comes as the U.S. Federal Bureau of Investigation (FBI) warned that ransomware attackers are targeting third-party vendors and legitimate system tools to compromise businesses.

"As of June 2023, the Silent Ransom Group (SRG), also called Luna Moth, conducted callback phishing data theft and extortion attacks by sending victims a phone number in a phishing attempt, usually relating to pending charges on the victims' account," FBI said.

Should a victim fall for the ruse and call the provided phone number, the malicious actors directed them to install a legitimate system management tool via a link provided in a follow-up email."

The attackers then used the management tool to install other authentic software that can be repurposed for malicious activity, the agency noted, adding the actors compromised local files and network shared drives, exfiltrated victim data, and extorted the companies.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability

A judge has refused to bring back a class action lawsuit against four car manufacturers because the privacy violation did not meet the WPA standard.

A federal judge has refused to bring back a class action lawsuit that alleged four car manufacturers had violated Washington state’s privacy laws by using vehicles’ on-board infotainment systems to record customers’ text messages and mobile phone call logs.

The judge ruled that the practice doesn’t meet the threshold for an illegal privacy violation under state law. The plaintiffs had appealed a prior judge’s dismissal.

Car manufacturers Honda, Toyota, Volkswagen, and General Motors were facing five related privacy class action suits. One of those cases, against Ford, had been dismissed on appeal previously.

Infotainment systems in the company’s vehicles began downloading and storing a copy of all text messages on smartphones when they were connected to the system. Once messages have been downloaded, the software makes it impossible for vehicle owners to access their communications and call logs but does provide law enforcement with access, the lawsuit said.

The Seattle-based appellate judge ruled that the interception and recording of mobile phone activity did not meet the Washington Privacy Act’s (WPA) standard that a plaintiff must prove that “his or her business, his or her person, or his or her reputation” has been threatened.

In a recent Lock and Code podcast, we heard from Mozilla researchers that the data points that car companies say they can collect on you include social security number, information about your religion, your marital status, genetic information, disability status, immigration status, and race. And they can sell that data to marketers.

This is alarming. Given the increasing number of sensors being placed in cars every year, this is becoming an increasingly grave problem.

In the same podcast, we also explored the booming revenue stream that car manufacturers are tapping into by not only collecting people’s data, but also packaging it together for targeted advertising.

According to the Mozilla research, popular global brands including BMW, Ford, Toyota, Tesla, Kia, and Subaru:

> “Can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where you drive. Researchers found data is being gathered by sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics.”

In fact, the seasoned Mozilla team said “cars are the worst product category we have ever reviewed for privacy” after finding that all 25 car brands they researched earned the “Privacy Not Included” warning label.

Since that doesn’t give us much of a choice to go for a brand that respects our privacy, I suggest we turn of our phones before we start the car. It’s both safer and better for your privacy.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 Judge rules it&#8217;s fine for car makers to intercept your text messages 

Meta now offers users an ad-free option, but it’s only available in Europe for those who can afford the €10-a-month subscription.

Meta just launched its first ad-free option for Facebook and Instagram. The update is in response to the European Union’s General Data Protection Regulation, passed in 2018. Subscriptions for the ad-free experience are only available to users located in the EU as well as Iceland, Liechtenstein, Norway, and Switzerland.

In these locations, anyone 18 and older on Facebook or Instagram now gets to decide whether they want to use the social media platforms for free or pay €10 every month for ad-free access. Meta provides the ad-free option without charge to users who are younger than 18.

What happens if you sign up? “We don't use any data for ad purposes at all. That turns off first-party data as well as stopping any third parties, like Nike, sending us information about you,” says Alex Dziedzan, a policy communication spokesperson at Meta. While it won’t be used for targeted advertising, Meta confirms that first-party data about you will still be used for functions not related to advertising.

Users who choose the free option allow Meta to perform targeted advertising by tracking their information. The company previously argued that consent was not required to target adults in the EU with hyper-specific advertising—before changing course and rolling out this new subscription tier for Facebook and Instagram. Earlier in 2023, Meta received a billion dollar fine for transferring data on European users to the United States.

When will this option roll out in the US? It’s unlikely Meta will ever offer an ad-free experience for users in the US, unless American lawmakers pass more aggressive legislation to regulate data privacy.

How to Get Ad-Free Facebook

If it’s an option that’s available in your region, you can expect to see a pop-up the next time you log in to Facebook or Instagram with a sign-up option for the ad-free social media. “This is part of our process for getting consent under the GDPR,” says Dziedzan. “It's a requirement for us to make sure that everyone sees the choice that they can make.” He emphasizes that Meta is not hiding this new option from users.

A subscription to ad-free Facebook or Instagram costs €10 per month if you sign up on your desktop. Anyone who signs up through the smartphone app pays €3 more a month for the subscription. No matter where your subscription starts, the ad-free plan includes both in-app and web browsing.

Want to sign up later? You can find the option in the Settings of your Facebook or Instagram account. Return to the same place if you ever want to get rid of your Meta subscription.

Your subscription can cover multiple profiles in your accounts center, for now. Meta plans to increase the price for users with more than one Facebook or Instagram in March of next year. After the company’s introductory pricing ends, each additional account will cost €6 a month if you sign up in your browser or €8 if you sign up in-app.

“If you have, let's say, a Facebook account and an Instagram account you would have to pay for both,” he says. “The reason for that is they’re two separate services.” So a person who signs up in a browser for ad-free access in their Facebook and Instagram accounts can soon expect to pay around €192 a year.

Why Is This Change Controversial?

It’s common for services, like Netflix, to offer ad-free versions of their products at a higher price. So why are privacy experts critical of Meta’s subscription plan?

“When you’re buying Netflix, you’re buying the convenience of not seeing ads,” says Thorin Klosowski, a security and privacy activist at the Electronic Frontier Foundation. “Buying into not being tracked is more about a pay-for-privacy scheme.” If Meta tracks the browsing habits of every adult user, except those who cough up €10 or more a month, then aspects of online privacy are out of reach for people without disposable income.

Dziedzan disagrees with the characterization of Meta’s ad-free subscription as a pay-for-privacy plan. He points out the privacy options that are available to all Facebook and Instagram users, like the ability to turn off aspects of third-party advertising. “The GDPR still applies to everybody who chooses to use the free version of our service, as do all the other privacy laws,” says Dziedzan.

Privacy advocates continue to push back against Meta’s advertising. “We already disagree with behavioral advertising to begin with,” says Klosowski. “Paying to get out of that just adds a second layer of confusion for users and grossness from the company.”

Tag

#web