At a glance.
- LinkedIn is working on a privacy bug.
- DuckDuckGo reviews its handling of favicons.
- Alleged University of Michigan breach was really a minor wave of credential stuffing.
- Dating apps leak personal information through exposed, unsecured databases.
- BMW owners database for sale in criminal markets.
Privacy bug found in LinkedIn.
ZDNet reports that a beta version of iOS 14, which notifies the user whenever an app reads the clipboard, has revealed unintended behavior in LinkedIn's app: it reads the clipboard contents after each keystroke. Asked about the issue, LinkedIn said the behavior was inadvertent, that they "don't store or transmit the clipboard contents," and that the company is working to eliminate the bug as soon as possible.
DuckDuckGo questioned over favicon handling.
DuckDuckGo users, a touchy lot with respect to privacy as one would expect, are complaining to the privacy-focused search engine about the way it handles favicons, the small icons displayed beside site URLs. Because the icons were being fetched through DuckDuckGo's own service rather than directly from each site, every lookup told DuckDuckGo which site the user was visiting; HackRead reports that the problem therefore amounts to collection of a user's browsing history. The Daily Swig has an account of DuckDuckGo's response: this is, the company says, a bug, not a policy, and the search engine intends to address the issue promptly.
In an apparently unrelated matter, users in India report that many of that country's ISPs are blocking access to DuckDuckGo. Why they're doing so isn't clear, and according to TechRadar several of the ISPs are restoring access. There's some speculation that the search engine was inadvertently swept up in New Delhi's ban of fifty-nine apps on the grounds that they're potentially susceptible to Chinese control and hence represent an unacceptable security risk.
Third-party data breaches affect University of Michigan students and alumni.
Rumor and alarum circulated Friday, the Detroit Free Press reports, among University of Michigan alumni and students to the effect that the university had sustained a massive data breach that compromised their university email credentials. (One representative tweet read, "If you’re a Umich student or even if you just recently graduated, change your password!! Database got hacked and thousands of email and passwords have been released.") The university investigated, however, and found that there was no breach. Some accounts had been compromised, but through credential stuffing: username and password pairs exposed in older breaches at third-party sites like Chegg, Zynga, and LinkedIn were tried against university accounts, and worked wherever the owner had reused the same password. Michigan has reset passwords of affected accounts and is notifying the users; the university would also like people to please stop reusing passwords and, while they're at it, start using two-factor authentication.
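What the university describes is what a credential-stuffing wave looks like in an authentication log: one source replaying leaked username/password pairs, each roughly once, against many different accounts. The script below is an added example written for this page, not code from the university or the Free Press report; it runs over a constructed sample log in a hypothetical line format, separates that pattern from a brute-force attempt (one account, many tries) and from a user mistyping a password, and lists the accounts that authenticated successfully from the flagged source, which are the ones whose passwords need resetting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log in a hypothetical format.
# 203.0.113.5 walks a leaked list: eight accounts, one attempt each, two succeed.
# 198.51.100.7 is a single user who mistypes a password twice, then gets in.
SAMPLE_LOG = """\
2020-07-03T14:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-07-03T14:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-07-03T14:00:03Z ip=203.0.113.5 user=carol result=OK
2020-07-03T14:00:04Z ip=203.0.113.5 user=dave result=FAIL
2020-07-03T14:00:05Z ip=203.0.113.5 user=erin result=FAIL
2020-07-03T14:00:06Z ip=203.0.113.5 user=frank result=FAIL
2020-07-03T14:00:07Z ip=203.0.113.5 user=grace result=OK
2020-07-03T14:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2020-07-03T14:01:00Z ip=198.51.100.7 user=ivan result=FAIL
2020-07-03T14:01:05Z ip=198.51.100.7 user=ivan result=FAIL
2020-07-03T14:01:09Z ip=198.51.100.7 user=ivan result=OK
2020-07-03T14:02:00Z ip=192.0.2.9 user=judy result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "ip": m["ip"],
                "user": m["user"],
                "ok": m["result"] == "OK",
            })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=15),
                               min_accounts=5, max_attempts_per_account=2.0):
    """Return {ip: stats} for sources whose activity looks like credential stuffing.

    Stuffing replays (user, password) pairs from third-party dumps, so within a
    short window one source touches many distinct accounts with only one or two
    attempts each.  Brute force inverts that (one account, many attempts) and a
    legitimate user with a typo fails a few times on one account; neither trips
    the distinct-account threshold, so neither is flagged.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window over this source's events and flag on the first one that qualifies.
        for start in range(len(evs)):
            end = start
            while end + 1 < len(evs) and evs[end + 1]["ts"] - evs[start]["ts"] <= window:
                end += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            if len(users) < min_accounts:
                continue
            if len(chunk) / len(users) > max_attempts_per_account:
                continue
            flagged[ip] = {
                "distinct_users": len(users),
                "attempts": len(chunk),
                "compromised": sorted({e["user"] for e in chunk if e["ok"]}),
            }
            break
    return flagged


def accounts_to_reset(flagged):
    """Accounts that authenticated successfully from a flagged source: reset these first."""
    return sorted({u for stats in flagged.values() for u in stats["compromised"]})


if __name__ == "__main__":
    hits = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, stats in hits.items():
        print(f"{ip}: {stats['distinct_users']} accounts in {stats['attempts']} attempts; "
              f"successful logins: {stats['compromised']}")
    print("accounts to reset:", accounts_to_reset(hits))
```

The thresholds are assumptions to tune per environment; a real deployment would also key on the ratio of distinct accounts to attempts across a pool of source addresses, since stuffing tools rotate through proxies to stay under per-IP limits. The point the university made still holds: only accounts whose owners reused a password from a breached site show up in the "successful logins" set, and two-factor authentication would have turned those successes into failures.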
Dating apps leaked personal information in exposed, unsecured databases.
Researchers at WizCase report that five dating apps based in three different countries (the US, South Korea, and Japan) have inadvertently left user data exposed in unsecured databases. The five services affected are:
- "Catholic Singles — Leaked email addresses and phone numbers put users at risk of phishing emails and phone scams."
- "SPYKX — Exposed cleartext passwords and email addresses could let hackers access personal data kept on the account, leading to identity theft and fraud."
- "YESTIKI — GPS data, venue addresses, and match dates and times make users vulnerable to stalkers."
- "Blurry — Exposed messages may contain identifiable private data that could be used to blackmail users."
- "Charin and Kyuun — Leaked data includes user search preferences and message content that can be used to blackmail victims who want to keep information private."
WizCase's blog does not indicate whether they disclosed their discovery to the five affected sites, nor does it say what if any action the sites took to secure the data.
WizCase says it also found six other databases whose ownership was unclear, but that appear to contain information scraped from other dating sites.
BMW owners database offered for sale in the underground.
Cybercriminals of the KelvinSecurityTeam are selling a database holding personally identifiable information from 384,319 British owners of BMWs. SC Magazine reports that the offer was discovered by Tel Aviv-based dark web intelligence shop KELA. The information includes initials and last names, emails, addresses, vehicle numbers, dealer names, and other material. KELA says the KelvinSecurityTeam represents the data as having been obtained from "a call center."
We heard from ImmuniWeb, whose founder and CEO Ilia Kolochenko sees the incident as one deriving from poorly managed IT, and he observes with regret that some of the intrusions that result from such carelessness may never be discovered, still less disclosed:
“At ImmuniWeb, we're observing a rapid and uncontrolled proliferation of shadow and abandoned IT assets, spanning from unprotected cloud to vulnerable web applications with business-critical data. The situation is dramatically exacerbated by third-parties with privileged access to organizations’ data - exactly what has reportedly happened with BMW, when a supplier is to blame for the incident.
“Even though stolen credit card data is now becoming cheaper amid the pandemic, many methods of credit card use require physical activities and human presence, so are in fact costlier and riskier to implement amid COVID-19. The situation is, however, rather a temporary fluctuation than a long-term trend.
“Against this background attackers are shifting their malicious efforts to target other goods such as PII. We should also expect skilled cybercriminals to attack organizations for their trade secrets and other types of intellectual property. Worse, some of such intrusions are never discovered or reported.”