A binfull of data exposure. Online proctoring.

Summary

By the CyberWire staff

At a glance.

Data exposure at Le Figaro.
Indonesian online store breached.
COVID-19 symptom tracker exposed.
Xiaomi user tracking.
Australia's SkillsSelect platform proves leaky.
Facial recognition when masks are widespread.
Privacy issues with online proctoring.

Data exposure at Le Figaro.

An unsecured Elasticsearch database belonging to the Parisian national daily Le Figaro has exposed more than eight terabytes of data containing personally identifiable information on at least 42,000 users. An unspecified number of reporters and employees were also affected, BleepingComputer reported. In addition to personal information, the data that were exposed included admin accounts, communication protocols, SQL query errors, and logs of network traffic among Le Figaro servers. The researchers at Safety Detectives who found the exposed data say that the database was not password protected.

Indonesian online retailer breached.

A hacker has leaked data taken from Tokopedia, the largest online retailer in Indonesia, to an online forum, ZDNet writes. The leak, which is believed to represent only a fraction of the data taken in a March 2020 intrusion, included information on fifteen-million users. The dump included full names, emails, phone numbers, hashed passwords, and dates of birth. It also included information related to their Tokopedia accounts: account creation date, last login, email activation codes, password reset codes, location details, messenger IDs, hobbies, education, about-me fields, and so on. The hacker was not able to extract passwords, and posted the partial take in order to ask for help retrieving them. Tokopedia has advised its customers to change their passwords.

Indian cellular network exposes results of COVID-19 symptom checker.

TechCrunch reports that Jio, India's largest cellular service, inadvertently left a database exposed to the Internet. It contained information about users and the results they reported. Jio introduced a COVID-19 symptom tracker in March, shortly after the Indian government issued a general stay-at-home order. Jio says it immediately took the database down upon notification that it was exposed. “The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms," a company representative told TechCrunch.

Xiaomi reported to be tracking browser and phone usage.

Chinese phone, device, and accessory manufacturer Xiaomi is tracking ostensibly private information collected from users of its phones and of its Mi and Mint browsers, Forbes reports. Researcher Gabi Cirlig told Forbes that the data he observed being collected from his own device included all the websites he visited, search engine queries (and these included queries with either Google or DuckDuckGo), and everything viewed in a Xiaomi news feed. The folders he opened, his movements among screens, and the songs played on the Xiaomi music app were also followed. The data were sent to servers in Singapore and Russia, to domains registered in Beijing. The collection occurred even when the researcher moved to a private, incognito mode.

Xiaomi told BleepingComputer that the data it collects are all properly anonymized and obtained in compliance with applicable laws. “Xiaomi was disappointed to read the recent article from Forbes," the company said. "We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.” But BleepingComputer reports that researchers have evidence that this is not the case, and that the report in Forbes is substantially correct.

Australia's Home Affairs Department exposed migrants' data.

The Guardian reports that Australia's Home Affairs Department has exposed data about 774,000 migrants, including names and outcomes of applications. The problem appears to have arisen within the Department's SkillSelect platform, a system designed to invite "skilled workers and business people to express an interest in migrating to Australia."

Facial recognition through the mask.

Companies producing facial recognition software are considering how well their products might adapt to an indefinitely prolonged future in which people routinely wear masks. It's not clear how well facial recognition systems might be adapted to work under such conditions, WIRED reports, but it's not necessarily an insoluble biometric problem.

Online examination proctoring raises privacy issues.

A turn toward online learning during the COVID-19 pandemic has led students to return, more strongly, to concerns they'd already had about online proctoring. The Verge has an account of one such product, Examity, and how it's being received by students. It makes them feel, for one thing, "creeped out." That in itself isn't necessarily damning; lots of things creep people out, and sometimes that's just part of the donnée. But Examity is designed as a tool for ensuring a reasonable degree of academic honesty, and so it asks for a great deal of information. There are conventional requests for full name, email, and phone number, more intrusive requirements to upload a picture of the student's photo ID to Examity’s website, and then collection of a behavioral biometric template from the student's keystrokes. The proctor, a live natural person, finally asks the student to show a webcam view of the entire desktop and its immediate surroundings.

It's difficult to fault any of these as ways of preventing students from cheating. If it's a closed book test, for example, you want to be able to see that there are no notes or references around the student, and you want to ensure that the student's eyes don't wander to any source of assistance that may be outside the webcam's field of view. And of course you'd want reasonable assurance that the students are in fact who they claim to be, and that they're the ones actually producing the work. But there's also a lot of information being asked for.

Two other issues arose. First, some of the questions a student answered were such that Chrome autofilled credit card information. The student deleted it and moved on, but the numbers were briefly displayed on the page. It was Chrome autofill and not Examity that displayed the card number, but such are the difficulties inherent in stitching together an online service. And second, the proctoring was conducted over Zoom, which has had its own struggles with privacy as it's sought to keep pace with exploding demand.

This is the second case of online proctoring to raise privacy concerns during the pandemic emergency. The CyberWire Pro Privacy Briefing earlier discussed another service, Proctorio, in its April 21st issue.

Selected Reading

()

Cliqz pulls the plug on a European anti-tracking alternative to Google search (TechCrunch) Cliqz, a Munch-based anti-tracking browser with private search baked in that has sought to offer a local alternative to Google powered by its own search index, is shutting down — claiming this arm of its business has been blindsided by the coronavirus crisis. Today was not great. We closed pa…

How Well Can Algorithms Recognize Your Masked Face? (Wired) Makers of facial-recognition technology scramble to adapt to a world where people routinely cover their faces to avoid spreading disease.

Why you should think before you Zoom (ComputerWeekly) Zero-day exploits are big business. As with the sale of guns; the sale of drugs; and hacking, not all sales or use of zero day exploits are malign, although many may be.

Latest growing pains for Zoom: 500,000 logins are being sold on the dark web (Phone Arena) Zoom has seen the number of people participating in a chat daily rise from 10 million to 300 million users. But it has had a number of issues related to user privacy.

Microsoft Teams Impersonation Attacks Flood Inboxes (Threatpost) Two separate attacks have targeted as many as 50,000 different Teams users, with the goal of phishing Office 365 logins.

Beware This New Microsoft Teams Password Hacking Threat To 75 Million Users (Forbes) Security researchers have observed thousands of cloned Microsoft Team login pages being used in an attempt to harvest account credentials.

()

Exclusive: Warning Over Chinese Mobile Giant Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use (Forbes) Xiaomi is collecting users’ browser habits and phone usage, raising red flags for privacy researchers.

Xiaomi tracks private browser and phone usage, defends behavior (BleepingComputer) New research claims that China-based Xiaomi is tracking sensitive information and sending it to their servers if you use the Mi browser, which is bundled with all Redmi and Mi phones.

Hacker leaks 15 million records from Tokopedia, Indonesia's largest online store (ZDNet) The Tokopedia data has been published on a well-known hacking forum.

French daily Le Figaro database exposes users’ personal info (BleepingComputer) French daily newspaper Le Figaro exposed roughly 7.4 billion records containing personally identifiable information (PII) of reporters and employees, as well as of at least 42,000 users.

Cybersecurity Expert Reaction On Fingerprints Exposed By OnePlus Vulnerability (Information Security Buzz) A OnePlus 7 security flaw could have exposed users’ fingerprints to hackers, according to Trusted Reviews. Although the vulnerability has now been fixed, it has not yet been revealed how long it was present for, meaning that bad actors may have been able to gain access to bitmap fingerprint images. This technology has previously proven to be …

Microsoft catches cybercriminals adding malware to "John Wick 3," "Contagion" torrents (TechRepublic) In a Twitter thread, Microsoft warned people in Spain and South America to watch what they torrent.

4 in 5 users removing private information from social media apps globally (ETTelecom.com) The Internet consumers are becoming more aware of their personal data and 82 per cent users have tried to remove private information from websites or ..

Acting Intelligence Chief says he's "increasingly concerned" over handling of sensitive U.S. person information among agencies and orders broad review (CBS News) CBS News has exclusively reviewed the April 29 memo mandating the review.

ODNI’s 2019 Statistical Transparency Report: The FBI Violates FISA…Again (Just Security) Buried in the ODNI's 2019 statistical transparency report—released Thursday—is information about a major instance of non-compliance with the law that ODNI hasn’t previously reported.

Spyware slinger NSO to Facebook: Pretty funny you're suing us in California when we have no US presence and use no American IT services... (Register) Malware maker urges judge to dump lawsuit over WhatsApp phone snooping

NSO Group is disputing claims it used U.S.-based servers to spy on WhatsApp users (CyberScoop) NSO Group is claiming in court that WhatsApp's allegations it used U.S.-based infrastructure to spy on WhatsApp users is false.

WhatsApp warning: How a single phone call hacked phones worldwide (Express) NEWLY published documents have revealed how a single call led to "unauthorised" access of the WhatsApp servers - leaving hundreds of users at risk. Here's what you need to know about this latest WhatsApp hack.