
Behind the lock lies a flaw.
Zero-day clickjacking flaws affect major password managers. The FBI warns that Russian state-backed hackers are exploiting a long-known Cisco flaw. Apple releases emergency patches for a zero-day flaw in the Image I/O framework. Home Depot faces a proposed class action lawsuit accusing it of secretly using facial recognition at self-checkout kiosks. A VPN browser extension has been exposed for secretly spying on users. Browser fingerprinting overtakes cookies as the dominant method of online tracking. Agentic AI browsers prove easily scammed. A Scattered Spider member earns 10 years in federal prison. Ron Zayas, CEO of Ironwall by Incogni, discusses the massive data sharing and privacy risks in the leading Buy Now Pay Later apps. An Australian bank’s AI cutbacks are put on permanent hold.
Today is Thursday, August 21st, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Zero-day clickjacking flaws affect major password managers.
At DEF CON 33, Czech researcher Marek Tóth revealed zero-day clickjacking flaws affecting major password managers, including 1Password, Bitwarden, LastPass, iCloud Passwords, and others. These vulnerabilities allow attackers to trick users into leaking sensitive data—like passwords, 2FA codes, credit card details, and personal info—by overlaying malicious elements on legitimate sites. Despite disclosure, several vendors remain unpatched, with 1Password and LastPass dismissing the issue as “informative,” and LogMeOnce not responding at all. While Bitwarden has since released a fix, other managers are still vulnerable as of August 2025. Attendees at DEF CON expressed concern, given how easily trusted tools could be subverted. Security experts urge password manager vendors to implement stronger defenses, such as confirmation prompts, though this adds usability tradeoffs.
The FBI warns that Russian state-backed hackers are exploiting a long-known Cisco flaw.
The FBI has issued a warning that Russian state-backed hackers tied to the FSB, tracked as Berserk Bear, are exploiting a long-known Cisco flaw, CVE-2018-0171, to target critical infrastructure worldwide. The vulnerability, found in Cisco IOS Smart Install, allows attackers to crash devices or execute arbitrary code remotely. The FBI reports that hackers collected configuration files from thousands of devices linked to U.S. critical sectors, modified settings for backdoor access, and conducted reconnaissance into industrial control systems. Cisco first flagged active exploitation in 2021 and has again urged admins to patch immediately. Cisco Talos confirmed the campaign, noting that compromised telecom, education, and manufacturing networks span multiple continents. Attackers are also deploying persistence tools and implants, making urgent patching essential.
Apple releases emergency patches for a zero-day flaw in the Image I/O framework.
Apple has released emergency patches for CVE-2025-43300, a zero-day flaw in the Image I/O framework exploited in a “sophisticated attack” against targeted individuals. The vulnerability, caused by an out-of-bounds write, could enable memory corruption, crashes, or remote code execution when processing malicious image files. Apple fixed the issue with improved bounds checking across iOS, iPadOS, and macOS, affecting a wide range of iPhones, iPads, and Macs. Though likely used in limited attacks, Apple urges all users to update immediately to stay protected.
Home Depot faces a proposed class action lawsuit accusing it of secretly using facial recognition at self-checkout kiosks.
Home Depot is facing a proposed class action lawsuit accusing it of secretly using facial recognition at self-checkout kiosks. Plaintiff Benjamin Jankowski claims cameras scanned and recorded his face during a visit to a Chicago store, where a green box appeared around his face on-screen. He alleges the company introduced “computer vision” in 2024 to reduce theft, but failed to disclose data collection or obtain consent, violating Illinois’ Biometric Information Privacy Act (BIPA). That law requires notice, explanation, and written consent before collecting biometric data. Jankowski seeks to represent customers at 76 Illinois stores, asking for damages of $1,000 per negligent violation and $5,000 per willful violation. The case follows a federal ban on Rite Aid’s use of facial recognition after similar misuse.
A VPN browser extension has been exposed for secretly spying on users.
Researchers at Koi Security report a VPN extension promoted as FREEVPN.ONE with 100,000+ installs and even featured on Google has been exposed for secretly spying on users. Instead of protecting privacy, recent versions silently capture screenshots of every website visited, including banking sessions, work documents, and personal photos, then upload them to external servers. The extension masks this surveillance under an “AI Threat Detection” feature, but hidden scripts trigger constant background captures. Updates in mid-2025 expanded permissions, injected content scripts across all sites, and later added encryption to evade detection. Researchers confirmed it also gathers device data and location details. Despite its verified Chrome Web Store status, Google’s safeguards failed to catch the malicious behavior. The developer denied wrongdoing but stopped responding to inquiries, leaving users at serious privacy risk.
Browser fingerprinting overtakes cookies as the dominant method of online tracking.
In 2025, browser fingerprinting has overtaken cookies as the dominant method of online tracking. Unlike cookies, fingerprints rely on inherent traits—screen size, fonts, GPU quirks—that form a unique identifier nearly impossible to erase. According to a report from the Public Interest Technology Group, advertisers, fraud detection firms, and even governments use these techniques to track users across the web. Fingerprinting is stealthy, persistent, and harder to regulate than cookies. While some browsers like Brave and Safari add randomization or blocklists to disrupt tracking, Chrome lags behind. Users can protect themselves by enabling anti-fingerprinting settings, blocking trackers with tools like uBlock Origin, and masking IP addresses with VPNs, iCloud Private Relay, or Tor. Testing tools like Cover Your Tracks help measure vulnerability. Ultimately, privacy requires active defense, since fingerprinting is now the web’s invisible surveillance layer.
Agentic AI browsers prove easily scammed.
AI-powered browsers are no longer theoretical—Microsoft Edge now embeds Copilot, OpenAI is testing “agent mode,” and Perplexity’s Comet fully automates browsing tasks. These Agentic AI tools don’t just assist—they act on our behalf, searching, shopping, and clicking. But convenience brings new risks. Researchers at Guardio Labs found Comet could be tricked into buying from fake stores or handling phishing emails, bypassing the human’s natural skepticism. Even worse, prompt injection attacks can secretly steer AI into downloading malware or sharing sensitive data. This “Scamlexity” era means scammers only need to fool the AI, not the human, and exploits can scale massively. Without built-in guardrails like phishing detection, URL checks, and anomaly monitoring, AI browsers risk becoming blind, over-trusting intermediaries. Security must be integral, not optional, as AI browsing goes mainstream.
A Scattered Spider member earns 10 years in federal prison.
A 20-year-old Florida man, Noah Michael Urban, was sentenced to 10 years in federal prison and ordered to pay $13 million in restitution for his role in the cybercrime group Scattered Spider (a.k.a. Oktapus). Urban, known online as “King Bob” and “Sosa,” pleaded guilty to conspiracy and wire fraud charges tied to SIM-swapping and SMS phishing campaigns that compromised more than 130 companies, including Twilio, LastPass, and DoorDash. Prosecutors say Urban and co-conspirators stole cryptocurrency, company data, and customer information. Urban was also active in the notorious Star Fraud SIM-swapping group, linked to attacks on MGM Resorts and Caesars Entertainment. Despite his age, the judge imposed the maximum sentence after noting security breaches connected to Urban’s associates even during his prosecution. Urban called the ruling “unjust.”
An Australian bank’s AI cutbacks are put on permanent hold.
The Commonwealth Bank of Australia has performed a neat corporate backflip, reinstating 45 jobs it had proudly declared obsolete thanks to its shiny new AI “voice-bot.” At the time, CBA insisted the bot would lighten workloads and trim calls. In reality, call volumes spiked, managers were yanked onto phones, and overtime became the hottest item on the menu. The Finance Sector Union promptly hauled the bank before the Fair Work Commission, declaring victory after CBA admitted it had made a, shall we say, “miscalculation.” Affected staff can now keep their jobs, redeploy, or leave altogether—though the union dryly noted the damage was done. Critics say CBA tried to rebrand job cuts as innovation, even as the bank reported a record $10.25 billion profit. Meanwhile, CEO Matt Comyn mused on AI’s “long-term potential,” while also acknowledging the bank had recently hired thousands—mostly in India. Evidently, the future is automated, just not evenly distributed.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
