At a glance.
- Researchers discover covert user tracking technique used by Meta and Yandex.
- Vanta discloses customer data exposure.
- Extortion group uses vishing to target Salesforce instances.
Researchers discover covert user tracking technique used by Meta and Yandex.
Ars Technica reports that Meta and Yandex abused legitimate Internet protocols to covertly track and deanonymize potentially billions of Android users across websites. The companies sent identifiers from Firefox and Chromium-based browsers to apps installed on the user's device, linking the user's browsing history to accounts logged into Android apps for Facebook, Instagram, and various Yandex apps. Yandex has been using this technique since 2017, while Meta began using it last September. Meta's script appears to have been disabled early this morning.
The researchers who discovered the technique explained, "These native Android apps receive browsers' metadata, cookies, and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts."
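The detectable signal in the pattern described above is a page script on an ordinary web origin opening a connection to the device's loopback interface. The following is an added detection example, not code from the researchers, Ars Technica, or either company; it assumes a constructed one-JSON-object-per-line log format with the issuing page and the request URL, which real proxy or browser logs would need to be mapped onto.

```python
"""Flag page-script requests that cross from a web origin to the device's
loopback interface, the localhost-socket pattern described above.

Added example with an assumed, constructed log format: one JSON object
per line carrying the page that issued the request and the request URL."""
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample records (not real traffic).
SAMPLE_LOG = """
{"page": "https://news.example/article", "url": "https://cdn.example/pixel.js"}
{"page": "https://news.example/article", "url": "http://localhost:12387/?cookie=abc"}
{"page": "https://shop.example/cart", "url": "http://127.0.0.1:29009/track"}
{"page": "https://shop.example/cart", "url": "ws://[::1]:8080/bridge"}
{"page": "http://localhost:3000/dev", "url": "http://localhost:3000/api"}
{"page": "https://blog.example/", "url": "https://api.blog.example/v1"}
"""


def is_loopback_host(host: str) -> bool:
    """True for 'localhost', any '*.localhost' name, or a loopback IP literal."""
    host = host.lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # ordinary hostname, not an IP literal


def find_loopback_bridges(log_text: str) -> list:
    """Return (page_origin, request_url) pairs where a page served from a
    non-local origin contacted the loopback interface: a likely web-to-app
    bridge worth reviewing."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        page, req = urlsplit(rec["page"]), urlsplit(rec["url"])
        # A locally served dev page talking to localhost is expected; skip it.
        if is_loopback_host(page.hostname or ""):
            continue
        if is_loopback_host(req.hostname or ""):
            hits.append((f"{page.scheme}://{page.netloc}", rec["url"]))
    return hits


if __name__ == "__main__":
    for origin, url in find_loopback_bridges(SAMPLE_LOG):
        print(f"{origin} -> {url}")
```

The check only covers literal loopback addresses and localhost names; a hostname that merely resolves to 127.0.0.1 would need a DNS-resolution step on top.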
Vanta discloses customer data exposure.
Compliance automation company Vanta has disclosed a bug that exposed customer data to other customers, TechCrunch reports. The company says the exposure was a mistake resulting from a product code change. Vanta says the incident resulted in "a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers," affecting fewer than 4% of the company's customers. (TechCrunch notes that Vanta has more than 10,000 customers.)
A Vanta customer told TechCrunch that the exposed data may have included employee names, roles, and information about configurations of some security tools.
Extortion group uses vishing to target Salesforce instances.
Google has published a report on a financially motivated threat actor tracked as "UNC6040" that uses voice phishing (vishing) to compromise organizations’ Salesforce instances for data theft extortion. Google states, "A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal. This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce. During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments."
Google says the attackers have had repeated success using this technique over the past few months. The attacks rely on pure social engineering, and don't involve any vulnerabilities affecting Salesforce. Salesforce has published guidance to help users avoid falling for these attacks.