At a glance.
- Facebook fixes Messenger bug.
- COVID-19 contact tracing and GDPR.
- Google goes for end-to-end encryption.
- Pray.com inadvertently exposes user data in misconfigured AWS S3 buckets.
Facebook Messenger bug bugs your phone.
Facebook’s bug bounty program has led to the detection of a security flaw that would have allowed an attacker to turn the victim’s phone into a listening device, reports Wired. Exploitation of the vulnerability, which was uncovered by Natalie Silvanovich of Google's Project Zero bug hunting team, would begin with a seemingly harmless phone call. At the same time as placing the call, the attacker would send a hidden, malicious message that would allow them to listen in from the moment the phone began ringing until the moment the victim answered. Facebook remedied the vulnerability immediately and soon determined that the bug had never been exploited, possibly because crafting the malicious message would require specialized reverse-engineering skills. Still, a discovery like this one can lead to future finds, and it highlights the advantages of collaboration in the tech community. The bug earned Project Zero a $60,000 reward, and in the ten years since its inception, Facebook’s bug bounty program has paid out $11.7 million in awards.
GDPR and COVID-19: privacy during the pandemic.
The COVID-19 pandemic poses distinct challenges for data protection. To help organizations navigate these challenges while still protecting individual privacy rights, the EU’s European Data Protection Board (EDPB) and the UK Information Commissioner’s Office (ICO) have provided special guidelines to supplement the recently established General Data Protection Regulation (GDPR). JD Supra offered a summary of some of the ICO’s recommendations in June and has now followed up with an overview of the remaining guidance and some updates. Areas discussed include work-from-home privacy regulation, contact tracing apps, and the handling of employee data to enforce workplace safety measures. Notably, since June the ICO has modified its advice for complying with regulations during the pandemic, reminding organizations that some adjustments must be made in these extreme circumstances. These include penalizing organizations that misuse personal data to exploit the pandemic, recognizing the economic stresses privacy regulations impose on businesses already struggling because of the pandemic, and relaxing adherence to the 72-hour deadline for breach reporting.
Google optimizes messaging encryption.
Google has announced the launch of end-to-end encrypted messaging on Android devices, reports Security Week. The feature will allow users to send messages that are fully protected from prying eyes as they travel from the sender’s device to the recipient’s. End-to-end encryption has been the cause of some controversy in the crypto wars: while digital rights activists see the increased security as a welcome upgrade, some government officials argue that it might render messaging too secure. If such messages are hidden from everyone, that includes the police, leading to potential issues for law enforcement when the content of those messages could aid in solving a crime.
Popular faith app exposes user data.
Pray.com, a popular Christian prayer app, has exposed user data, vpnMentor reports. The exposure is attributed to misconfigured AWS S3 buckets. Trevor Morgan, product manager at comforte AG, sent us comments on the incident:
“The unintentional but unfortunate exposure of personal data for whose care-taking Pray.com is responsible should remind every organization to rethink their data security for cloud-based applications and storage.
“The assumption that cloud providers take care of every aspect of security for their enterprise customers is a faulty one—each organization bears the responsibility to provide an adequate level of data protection for information they process or store in their cloud repositories. Because data within the cloud is frequently in motion, more traditional perimeter-based mechanisms can fall far short of effective.
“Organizations should consider data-centric protection methods such as tokenization and format-preserving encryption because they protect the data throughout its entire journey and lifecycle, obfuscating the sensitive information instead of depending on the perimeter security around that data. If protected sensitive data falls into the wrong hands, threat actors cannot compromise the tokenized or encrypted information.”
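The two layers this item touches, the bucket misconfiguration itself and the data-centric protection Morgan recommends, are easy to show side by side. The following is an added example, not code from the briefing, from vpnMentor's report, or from comforte AG. The bucket name, the IAM role ARN, the account number and the user record are all constructed placeholders. Part 1 takes an S3 bucket policy document and flags Allow statements that grant access to anonymous principals (the classic "public read" misconfiguration), shown beside a corrected policy scoped to one role; part 2 tokenizes the sensitive fields of a record before it is stored, so that a reader of a leaked object sees only opaque tokens and the real values stay in a vault outside the bucket.

```python
"""Added example (not from the briefing or from comforte AG).
Part 1: flag S3 bucket policy statements that grant anonymous access.
Part 2: tokenize sensitive fields so a leaked object carries no usable data.
All bucket names, ARNs, account ids and records below are constructed."""
import json
import secrets

# Constructed sample: a bucket policy that lets anyone on the internet read every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-prayer-uploads/*",
    }],
})

# Constructed sample: the corrected policy, scoped to a single IAM role in the account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/prayer-app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-prayer-uploads/*",
    }],
})


def _is_anonymous(principal):
    """True if the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements open to anonymous principals with no
    Condition block. Statements that do carry a Condition may still be too broad
    and deserve a manual look, but they are not flagged here."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>")
        for s in statements
        if s.get("Effect") == "Allow"
        and _is_anonymous(s.get("Principal"))
        and "Condition" not in s
    ]


# Part 2: tokenization. The vault lives outside the bucket; the bucket holds only tokens.
SENSITIVE_FIELDS = ("email", "phone")


class TokenVault:
    """Maps random tokens back to the original values. In production this would be a
    separately secured service, never stored alongside the tokenized data."""

    def __init__(self):
        self._tokens = {}  # token -> original value

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)  # random, carries no information about value
        self._tokens[token] = value
        return token

    def detokenize(self, token):
        return self._tokens[token]


def tokenize_record(record, vault):
    """Replace sensitive fields with vault tokens before the record is written to storage."""
    return {k: (vault.tokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def restore_record(stored, vault):
    """Reverse of tokenize_record, for code that legitimately holds the vault."""
    return {k: (vault.detokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in stored.items()}


def leaked_sensitive_values(stored):
    """What a reader of the leaked object gets: sensitive fields that are not tokens."""
    return [v for k, v in stored.items() if k in SENSITIVE_FIELDS and not v.startswith("tok_")]


if __name__ == "__main__":
    print("public statements:", public_statements(PUBLIC_POLICY))   # ['AllowPublicRead']
    print("public statements:", public_statements(PRIVATE_POLICY))  # []
    vault = TokenVault()
    record = {"user_id": 42, "email": "alice@example.com", "phone": "+1-555-0100"}  # constructed
    stored = tokenize_record(record, vault)
    print("in bucket:", stored)
    print("readable without vault:", leaked_sensitive_values(stored))  # []
    print("restored matches:", restore_record(stored, vault) == record)  # True
```

The policy checker is a static review aid for policy documents you already have (for example, exported with the AWS CLI); it does not replace the account-level public access block setting, which should also be on. The tokenization part is deliberately a plain vault lookup rather than format-preserving encryption: the point it makes is the one Morgan makes, that once the sensitive values live outside the bucket, a public bucket leaks tokens that are worthless on their own.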