<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/17/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>TamperedChef infostealer delivered through fraudulent PDF Editor</title><link>https://nsaneforums.com/news/security-privacy-news/tamperedchef-infostealer-delivered-through-fraudulent-pdf-editor-r31101/</link><description><![CDATA[<p>
	Threat actors have been using multiple websites promoted through Google ads to distribute a convincing PDF editing app that delivers an info-stealing malware called TamperedChef.
</p>

<p>
	 
</p>

<p>
	The campaign is part of a larger operation with multiple apps that can download each other, some of them tricking users into enrolling their system into residential proxies.
</p>

<p>
	 
</p>

<p>
	More than 50 domains have been identified as hosting deceptive apps signed with fraudulent certificates issued by at least four different companies.
</p>

<p>
	 
</p>

<p>
	The campaign appears to be widespread and well-orchestrated as the operators waited for the ads to run their course before activating the malicious components in the applications, researchers say.
</p>

<h3>
	Full update delivers infostealer
</h3>

<p>
	A technical analysis from cybersecurity services company Truesec describes the process of TamperedChef infostealer being delivered to a user’s system.
</p>

<p>
	 
</p>

<p>
	The researchers discovered that the malware was delivered through multiple websites that promoted a free tool called AppSuite PDF Editor.
</p>

<p>
	 
</p>

<p>
	Based on internet records, the investigators determined that the campaign started on June 26, when many of the websites involved were either registered or started to advertise AppSuite PDF Editor.
</p>

<p>
	 
</p>

<p>
	However, the researchers found that the malicious app had been verified through the <a href="https://www.virustotal.com/gui/file/cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c" rel="external nofollow" target="_blank">VirusTotal</a> malware scanning service on May 15th.
</p>

<p>
	 
</p>

<p>
	It appears that the program behaved normally until August 21st, when it received an update that activated malicious capabilities built to collect sensitive data like credentials and web cookies.
</p>

<p>
	 
</p>

<p>
	According to Truesec, TamperedChef infostealer is delivered with the “-fullupdate” argument for the PDF editor’s executable.
</p>

<p>
	 
</p>

<p>
	The malware checks for various security agents on the host. It also queries the databases of installed web browsers using the DPAPI (Data Protection Application Programming Interface), a component in Windows that encrypts sensitive data.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="TamperedChef infostealer checking for installed security agents" class="ipsImage" height="345" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/TamperedChf_security-agents.png">
		<figcaption>
			<em>TamperedChef infostealer checking for installed security agents<br>
			source: Truesec</em>
		</figcaption>
	</figure>
</div>

<p>
	Digging deeper for the distribution method, Truesec researchers found evidence suggesting that the threat actor spreading TamperedChef within AppSuites PDF Editor relied on Google advertising to promote the malicious program.
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		“Truesec has observed at least 5 different google campaign IDs which suggests a widespread campaign” - Truesec
	</p>

	<p>
		 
	</p>
</div>

<p>
	The threat actor likely had a strategy to maximize the number of downloads before activating the malicious component in AppSuites PDF Editor, as they delivered the infostealer just four days before the typical expiration period of 60 days for a Google ad campaign.
</p>

<p>
	 
</p>

<p>
	Looking further into AppSuites PDF Editor, the researchers found that different versions of the program were signed by certificates “from at least four companies,” among them ECHO Infini SDN BHD, GLINT By J SDN. BHD, and SUMMIT NEXUS Holdings LLC, BHD.
</p>

<h3>
	Joining a residential proxy
</h3>

<p>
	Truesec found that the operator of this campaign has been active since at least August 2024 and promoted other tools, including OneStart and Epibrowser browsers.
</p>

<p>
	 
</p>

<p>
	It is worth noting that OneStart is usually flagged as a <a href="https://www.malwarebytes.com/blog/detections/pup-optional-onestart" rel="external nofollow" target="_blank">potentially unwanted program</a> (PUP), which is typically the term for adware.
</p>

<p>
	 
</p>

<p>
	However, researchers at managed detection and response company Expel also investigated incidents involving AppSuites PDF Editor, ManualFinder, and OneStart, all “dropping highly suspicious files, executing unexpected commands, and turning hosts into residential proxies,” which is closer to malware-like behavior.
</p>

<p>
	 
</p>

<p>
	They found that OneStart can download AppSuite-PDF (signed by an ECHO INFINI SDN. BHD certificate), which can fetch PDF Editor.
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		“The initial downloads for OneStart, AppSuite-PDF, and PDF Editor are being distributed by a large ad campaign advertising PDFs and PDF editors. These ads direct users to one of many websites offering downloads of AppSuite-PDF, PDF Editor, and OneStart,” <a href="https://expel.com/blog/you-dont-find-manualfinder-manualfinder-finds-you/" rel="external nofollow" target="_blank">Expel</a>.
	</p>

	<p>
		 
	</p>
</div>

<p>
	The code-signing certificates used in this campaign have already been revoked, but the risk is still present for current installations.
</p>

<p>
	 
</p>

<p>
	In some instances of PDF Editor, the app would show users a message asking for permission to use their device as a residential proxy in return for using the tool for free.
</p>

<p>
	 
</p>

<p>
	The researchers note that the proxy network provider may be a legitimate entity not involved in the campaign and that the operator of PDF Editor is capitalizing as affiliates.
</p>

<p>
	 
</p>

<p>
	It appears that whoever is behind PDF Editor is trying to maximize their profit at the expense of users worldwide.
</p>

<p>
	 
</p>

<p>
	Even if the programs in this campaign are considered PUPs, their capabilities are typical of malware and should be treated as such.
</p>

<p>
	 
</p>

<p>
	The researchers warn that the operation they uncovered involves more apps, some of them not yet weaponized, capable of distributing malware or suspicious files, or executing commands surreptitiously on the system.
</p>

<p>
	 
</p>

<p>
	Both reports from Truesec and Expel [<a href="https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor" rel="external nofollow" target="_blank">1</a>, <a href="https://expel.com/blog/you-dont-find-manualfinder-manualfinder-finds-you/" rel="external nofollow" target="_blank">2</a>] include a large set of indicators of compromise (IoCs) that could help defenders protect users and assets from getting infected.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/tamperedchef-infostealer-delivered-through-fraudulent-pdf-editor/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Sunday 31 August 2025 at 6:39 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31101</guid><pubDate>Sat, 30 Aug 2025 20:41:12 +0000</pubDate></item><item><title>WhatsApp just fixed a nightmare hack for iPhones and Macs</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-just-fixed-a-nightmare-hack-for-iphones-and-macs-r31086/</link><description><![CDATA[<p>
	WhatsApp is the most used messaging platform out there, with the application being utilized across both personal and professional environments. This is also what makes it a <a automate_uuid="0ce70747-2c03-4897-a2c2-d872ef90bbee" href="https://www.neowin.net/news/israeli-spyware-maker-nso-group-fined-167m-for-whatsapp-spyware-attack/" rel="external nofollow">very lucrative and attractive attack surface for malicious actors</a>. Now, Meta has patched a rather severe flaw in WhatsApp that was allowing hackers to steal data from targeted users.
</p>

<p>
	 
</p>

<p>
	In a brief <a automate_uuid="afa2363d-0bba-4376-b5f4-79936c97dc7a" href="https://www.whatsapp.com/security/advisories/2025/#content-wrapper" rel="external nofollow">security advisory</a>, Meta has announced that it has patched the CVE-2025-55177 vulnerability, which stemmed from incomplete authorization of "linked device synchronization messages". Interestingly, hackers could chain another vulnerability, CVE-2025-43300, to trigger the processing of content from an arbitrary URL without any interaction from the user, making it a zero-click attack.
</p>

<p>
	 
</p>

<p>
	Interestingly, the latter security flaw is actually related to Apple's core image library, according to <a automate_uuid="6dd5f8ca-8bd7-4b5c-b982-5f171bfac0f4" href="https://x.com/DonnchaC/status/1961444710620303653" rel="external nofollow">Amnesty International Security Lab's Donncha Ó Cearbhaill on X (formerly Twitter)</a>. This OS-level flaw was recently patched by Apple but in its previous state, it allowed malicious actors to infiltrate devices through apps other than WhatsApp too.
</p>

<p>
	 
</p>

<p>
	Meta has reportedly reached out to potentially impacted users to let them know that they may have received a message which has compromised their device due to a combination of vulnerabilities. The company is urging users to factory reset their handsets just in case, despite the bug being fixed. This is because an exploit could still be present in the device.
</p>

<p>
	 
</p>

<p>
	The scale of the attack is unclear but we know that it has been happening for at least the past three months. Apparently, the exploitation process was quite sophisticated, so it's possible that it was primarily after high-value targets, but there's no way to know for sure right now. WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 are unprotected so make sure that you upgrade these versions as soon as possible.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/whatsapp-just-fixed-a-nightmare-hack-for-iphones-and-macs/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 30 August 2025 at 12:36 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31086</guid><pubDate>Sat, 30 Aug 2025 02:37:26 +0000</pubDate></item><item><title>Steam rolls out new age verification system for PC gamers in the United Kingdom</title><link>https://nsaneforums.com/news/security-privacy-news/steam-rolls-out-new-age-verification-system-for-pc-gamers-in-the-united-kingdom-r31085/</link><description><![CDATA[<p>
	Valve's PC gaming storefront Steam is the latest platform to roll out new rules for those residing in the United Kingdom. Complying with the recently passed <a automate_uuid="9c6afbae-0e6d-44cc-ac7d-f0b5c3e91bf1" href="https://www.neowin.net/news/uk-enforces-strict-new-online-age-checks-today/" rel="external nofollow">Online Safety Act</a>, UK users of Steam can no longer access any content deemed 'mature' unless they provide verification of their age by presenting a valid credit card.
</p>

<p>
	 
</p>

<p>
	Explained in a new <a automate_uuid="5ff894c8-bedd-49f7-a25e-e946be4e0d2a" href="https://help.steampowered.com/en/faqs/view/292B-3DA3-CFC8-97F6" rel="external nofollow">support document</a> available on Steam, Valve says that UK Steam users must verify their age first to access any game store page or a community hub that has any mature content.
</p>

<p>
	 
</p>

<p>
	While the controversial age verification requirement has made major platforms go for a variety of user checking methods, such as uploading national IDs or selfies, Valve says it went for this credit card method to make sure it "preserves the maximum degree of user privacy."
</p>

<p>
	 
</p>

<p>
	"The data processed in the verification process is identical to that of the millions of other Steam users who make purchases or store their payment details for convenience," says the company. "The verification process therefore provides no information about a user's content preferences to payment providers or other third parties."
</p>

<p>
	 
</p>

<p>
	The support page only mentions credit cards, but some user reports say that valid debit cards also pass the test, though we cannot confirm this.
</p>

<p>
	 
</p>

<p>
	"Ofcom’s guidance on the OSA states that one highly effective age assurance measure is credit card checks," continues Valve, explaining why this sudden change is happening. "This is because, in the UK, an individual must be at least 18 years of age to obtain a credit card, therefore credit card issuers are obliged to verify the age of an applicant before providing them with a credit card."
</p>

<p>
	 
</p>

<p>
	As for other major gaming platforms, both Microsoft and Sony are rolling out similar age verification systems in the United Kingdom for <a automate_uuid="19efa3a8-ffe7-4146-a657-7e2416d517ca" href="https://news.xbox.com/en-us/2025/07/28/xbox-age-verification-uk/" rel="external nofollow">Xbox</a> and <a automate_uuid="5a333cc8-480b-4f15-ad36-915901e86e98" href="https://www.playstation.com/en-gb/support/account/age-verification-faq" rel="external nofollow">PlayStation</a>, respectively.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/steam-rolls-out-new-age-verification-system-for-pc-gamers-in-the-united-kingdom/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 30 August 2025 at 12:35 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31085</guid><pubDate>Sat, 30 Aug 2025 02:36:35 +0000</pubDate></item><item><title>Report: Court documents reveal new details in UK-Apple user data dispute</title><link>https://nsaneforums.com/news/security-privacy-news/report-court-documents-reveal-new-details-in-uk-apple-user-data-dispute-r31084/</link><description><![CDATA[<p>
	Back in February this year, <a automate_uuid="a01ba417-4861-45b9-9e15-aff5a300eda6" href="https://www.neowin.net/news/the-uk-government-wants-to-spy-on-you-via-an-icloud-backdoor-and-is-seeking-apples-help/" rel="external nofollow">news got out</a> that the UK government wanted a backdoor into Apple's encrypted iCloud services. This order demanded access to customer data from the whole world. Apple responded by disabling its "Advanced Data Protection" feature in the UK, issuing a statement saying "we have never built a backdoor or master key to any of our products or services and we never will."
</p>

<p>
	 
</p>

<p>
	Now, more details have emerged from a court filing (<a automate_uuid="143aff67-2e08-44be-bff4-9104451b9793" href="https://www.ft.com/content/fe2c9ae1-d175-4eb9-909e-0b171f6d097c" rel="external nofollow">seen by the Financial Times</a>) that suggest the government's demand was even more expansive than initially thought.
</p>

<p>
	 
</p>

<p>
	According to FT, it is clear that the Home Office's technical capability notice was not limited to that optional, extra-secure Advanced Data Protection feature. The government also sought access to standard iCloud services, which the vast majority of Apple's customers use daily.
</p>

<p>
	 
</p>

<p>
	The filing, published by the Investigatory Powers Tribunal (IPT), states the order included "obligations to provide and maintain a capability to disclose categories of data stored within a cloud-based backup service".
</p>

<p>
	 
</p>

<p>
	Since the dispute kicked off in February, a lot of things have happened behind the scenes. The United States government voiced "grave concerns" that a British law could be used to snoop on Americans' data, a sentiment reportedly shared by both Vice President JD Vance and President Donald Trump.
</p>

<p>
	 
</p>

<p>
	Things got interesting last week when the US Director of National Intelligence, Tulsi Gabbard, <a automate_uuid="5de2ead8-17e5-4c5e-a940-7bde77893f63" href="https://www.reuters.com/sustainability/boards-policy-regulation/us-spy-chief-gabbard-says-uk-agreed-drop-backdoor-mandate-apple-2025-08-19/" rel="external nofollow">announced</a> that the UK had agreed to drop its demand. But this new IPT filing indicates the Home Office has not yet legally modified or rescinded the order, leaving its global reach intact.
</p>

<p>
	 
</p>

<p>
	Because the UK government refuses to confirm or deny the order's existence, the IPT is forced to hear Apple's legal challenge based on "assumed facts" to prevent anyone from violating the Official Secrets Act.
</p>

<p>
	 
</p>

<p>
	The entire case will be argued in open court in early 2026.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/report-court-documents-reveal-new-details-in-uk-apple-user-data-dispute/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 30 August 2025 at 12:34 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31084</guid><pubDate>Sat, 30 Aug 2025 02:35:28 +0000</pubDate></item><item><title>WhatsApp patches vulnerability exploited in zero-day attacks</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-patches-vulnerability-exploited-in-zero-day-attacks-r31077/</link><description><![CDATA[<p>
	WhatsApp has patched a security vulnerability in its iOS and macOS messaging clients that was exploited in targeted zero-day attacks.
</p>

<p>
	 
</p>

<p>
	The company says this <a href="https://x.com/billmarczak/status/1961459546024800260" rel="external nofollow" target="_blank">zero-click flaw</a> (tracked as CVE-2025-55177) affects WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78.
</p>

<p>
	 
</p>

<p>
	"Incomplete authorization of linked device synchronization messages in WhatsApp [..] could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device," WhatsApp said in a <a href="https://www.whatsapp.com/security/advisories/2025/" rel="external nofollow" target="_blank">Friday security advisory</a>.
</p>

<p>
	 
</p>

<p>
	"We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users."
</p>

<p>
	 
</p>

<p>
	When Apple <a href="https://www.bleepingcomputer.com/news/apple/apple-emergency-updates-fix-new-actively-exploited-zero-day/" rel="external nofollow" target="_blank">released emergency updates</a> to patch the CVE-2025-43300 zero-day flaw earlier this month, it also stated that the flaw had been exploited in an "extremely sophisticated attack."
</p>

<p>
	 
</p>

<p>
	While the two companies are yet to publish further information regarding the attacks, Donncha Ó Cearbhaill (the head of the Security Lab at Amnesty International) <a href="https://x.com/DonnchaC/status/1961444710620303653" rel="external nofollow" target="_blank">said</a> that WhatsApp just warned some users that they've been targeted in an advanced spyware campaign over the last 90 days.
</p>

<p>
	 
</p>

<p>
	"We've made changes to prevent this specific attack from occurring through WhatsApp. However, your device's operating system could remain compromised by the malware or be targeted in other ways," the alerts read.
</p>

<p>
	 
</p>

<p>
	In the threat notifications sent to potentially impacted individuals, WhatsApp advises them to perform a device factory reset and to keep their devices' operating system and software up to date.
</p>

<p>
	 
</p>

<p>
	In March, WhatsApp <a href="https://www.bleepingcomputer.com/news/security/whatsapp-patched-zero-day-flaw-used-in-paragon-spyware-attacks/" rel="external nofollow" target="_blank">patched another zero-day flaw</a>—following reports from security researchers at the University of Toronto's Citizen Lab—that was exploited to install Paragon's Graphite spyware.
</p>

<p>
	 
</p>

<p>
	"WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users including journalists and members of civil society. We've reached out directly to people who we believe were affected," a WhatsApp spokesperson told BleepingComputer at the time.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/whatsapp-patches-vulnerability-exploited-in-zero-day-attacks/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 30 August 2025 at 3:07 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31077</guid><pubDate>Fri, 29 Aug 2025 17:08:01 +0000</pubDate></item><item><title>Unpacking Passkeys Pwned: Possibly the most specious research in decades</title><link>https://nsaneforums.com/news/security-privacy-news/unpacking-passkeys-pwned-possibly-the-most-specious-research-in-decades-r31055/</link><description><![CDATA[<h3>
	Researchers take note: When the endpoint is compromised, all bets are off.
</h3>

<p>
	Don’t believe everything you read—especially when it’s part of a marketing pitch designed to sell security services.
</p>

<p>
	 
</p>

<p>
	The latest example of the runaway hype that can come from such pitches is <a href="https://labs.sqrx.com" rel="external nofollow">research</a> published today by <a href="https://sqrx.com" rel="external nofollow">SquareX</a>, a startup selling services for securing browsers and other client-side applications. It claims, without basis, to have found a “major passkey vulnerability” that undermines the lofty security promises made by Apple, Google, Microsoft, and thousands of other companies that have enthusiastically embraced passkeys.
</p>

<h2>
	Ahoy, face-palm ahead
</h2>

<p>
	“Passkeys Pwned,” the attack described in the research, was demonstrated earlier this month in a <a href="https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60384" rel="external nofollow">Defcon presentation</a>. It relies on a malicious browser extension, installed in an earlier social engineering attack, that hijacks the process for creating a passkey for use on Gmail, Microsoft 365, or any of the other thousands of sites that now use the alternative form of authentication.
</p>

<p>
	 
</p>

<p>
	Behind the scenes, the extension allows a keypair to be created and binds it to the legitimate gmail.com domain, but the keypair is created by the malware and controlled by the attacker. With that, the adversary has access to cloud apps that organizations use for their most sensitive operations.
</p>

<p>
	 
</p>

<p>
	“This discovery breaks the myth that passkeys cannot be stolen, demonstrating that ‘passkey stealing’ is not only possible, but as trivial as traditional credential stealing,” SquareX researchers wrote in a draft version of Thursday’s research paper sent to me. “This serves as a wake up call that while passkeys appear more secure, much of this perception stems from a new technology that has not yet gone through decades of security research and trial by fire.”
</p>

<p>
	 
</p>

<p>
	In fact, this claim is the thing that's untested. More on that later. For now, here’s a recap of passkeys.
</p>

<h2>
	FIDO recap
</h2>

<p>
	Passkeys are a core part of the <a href="https://fidoalliance.org/specifications/download/" rel="external nofollow">FIDO specifications</a> drafted by the FIDO (Fast IDentity Online) Alliance, a coalition of hundreds of companies around the world. A passkey is a public-private cryptographic keypair that uses <a href="https://ldapwiki.com/wiki/Wiki.jsp?page=ES256" rel="external nofollow">ES256</a> or one of several other time-tested cryptographic algorithms. During the registration process, a unique key pair is made for—and cryptographically bound to—each website the user enrolls. The website stores the public key. The private key remains solely on the user’s authentication device, which can be a smartphone, dedicated security key, or other device.
</p>

<p>
	 
</p>

<p>
	When the user logs in, the website sends the user a pseudo-random string of data. The authentication device then uses the private key bound to the website domain to cryptographically sign the challenge string. The browser then sends the signed challenge back to the website. The site then uses the user’s public key to verify that the challenge was signed by the private key. If the signature is valid, the user is logged in. The entire process is generally as quick as, if not quicker than, logging in to the site with a password.
</p>

<p>
	 
</p>

<p>
	As I’ve <a href="https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/" rel="external nofollow">noted before</a>, passkeys still have a long way to go before they’re ready for many users. That’s mainly because passkeys don’t always interoperate well between different platforms. What’s more, they’re so new that no service yet provides accounts that can only be logged in to using a passkey and instead require a password to be registered as a fallback. And as long as attackers can still phish or steal a user’s password, much of the benefit of passkeys is undermined.
</p>

<p>
	 
</p>

<p>
	That said, passkeys provide an authentication alternative that’s by far the most resistant to date to the types of account takeovers that have vexed online services and their users for decades. Unlike passwords, passkey keypairs can’t be phished. If a user gets redirected to a fake Gmail page, the passkey won’t work since it’s bound to the real gmail.com domain. Passkeys can’t be divulged in phone calls or text messages sent by attackers masquerading as trusted IT personnel. They can’t be sniffed over the wire. They can’t be leaked in database breaches. To date, there have been no vulnerabilities reported in the FIDO spec.
</p>

<h2>
	A fundamental misunderstanding of security
</h2>

<p>
	SquareX is now claiming all of that has changed because it found a way to hijack the passkey registration process. Those claims are based on a lack of familiarity with the FIDO spec, flawed logic, and a fundamental misunderstanding of security in general.
</p>

<p>
	 
</p>

<p>
	First, the claim that Passkeys Pwned shows that passkeys can be stolen is flat-out wrong. If the targeted user has already registered a passkey for Gmail, that key will remain safely stored on the authenticator device. The attacker never comes close to stealing it. Using malware to hijack the registration process is something altogether different. If a user already has a passkey registered, Passkeys Pwned will block the login and return an error message that prompts the user to register a new passkey. If the user takes the bait, the new key will be controlled by the attacker. At no time are any passkeys stolen.
</p>

<p>
	 
</p>

<p>
	The research also fails to take into account that the FIDO spec makes clear that passkeys provide no defense against attacks that rely on the operating system, or the browser running on it, being compromised; such attacks aren't part of the FIDO threat model.
</p>

<p>
	 
</p>

<p>
	Section 6 of the document lists specific “security assumptions” inherent in the passkeys trust model. SA-3 states that “Applications on the user device are able to establish secure channels that provide trustworthy server authentication, and confidentiality and integrity for messages.” SA-4 holds that “the computing environment on the FIDO user device and the… applications involved in a FIDO operation act as trustworthy agents of the user.” <a href="https://www.w3.org/TR/webauthn-3/#sctn-code-injection" rel="external nofollow">WebAuthn</a>, the predecessor spec to FIDO, hints at the same common-sense limitation.
</p>

<p>
	 
</p>

<p>
	By definition, an attack that relies on a browser infected by malware falls well outside the scope of protections passkeys were designed to provide. If passkeys are weak because they can’t withstand a compromise of the endpoint they run on, so too are protections we take for granted in TLS encryption and end-to-end encryption in messengers such as Signal—not to mention the security of SquareX services themselves. Further discrediting itself, Thursday’s writeup includes a marketing pitch for the SquareX platform.
</p>

<p>
	 
</p>

<p>
	“In my personal view, this seems like a dubious sales pitch for a commercial product,” Kenn White, a security engineer who works for banking, health care, and defense organizations, wrote in an interview. “If you are social engineered into adding a malicious extension, ALL web trust models are broken. I know that on the conference program committees I participate in, a submission like this would be eliminated in the first round.”
</p>

<h2>
	When you’re in a hole, stop digging
</h2>

<p>
	I enumerated these criticisms in an interview with SquareX lead developer Shourya Pratap Singh. He held his ground, saying that since Passkeys Pwned binds an attacker-controlled passkey to a legitimate site, “the passkey is effectively stolen.” He also bristled when I told him his research didn’t appear to be well thought out or when I pointed out that the FIDO spec—just like those for TLS, SSH, and others—explicitly excludes attacks relying on trojan infections.
</p>

<p>
	 
</p>

<p>
	He wrote:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		This research was presented on the DEFCON Main Stage, which means it went through peer review by technical experts before selection. The warnings cited in the FIDO documents read like funny disclaimers, listing numerous conditions and assumptions before concluding that passkeys can be used securely. If we stick with that logic, then no authentication protocol would be considered secure. The purpose of a secure authentication method or protocol is not to remain secure in the face of a fully compromised device, but it should account for realistic client-side risks such as malicious extensions or injected JavaScript.
	</p>

	<p>
		 
	</p>

	<p>
		Passkeys are being heavily promoted today, but the average user is not aware of these hidden conditions. This research aims to highlight that gap and show why client-side risks need to be part of the conversation around passkeys.
	</p>
</blockquote>

<p>
	The Passkeys Pwned research was presented just weeks after a separate security company <a href="https://arstechnica.com/security/2025/07/no-phishers-are-not-bypassing-fido-mfa-at-least-not-yet-heres-why/" rel="external nofollow">made</a>—and promptly withdrew—claims that it devised an attack that bypassed FIDO-based two-factor authentication. In fact, the sites that were attacked offered FIDO as only one means for 2FA, but also allowed other, less secure forms of 2FA. The attacks targeted those other forms, not the one specified by FIDO. Had the sites not allowed fallbacks to the weaker 2FA forms, the attack would have failed.
</p>

<p>
	 
</p>

<p>
	SquareX is right in saying that passkeys haven’t withstood decades of security research the way more traditional forms of authentication have. There very possibly will be vulnerabilities discovered in either the FIDO spec or various implementations of it. For now, though, passkeys remain the best defense against attacks relying on things like credential phishing, password reuse, and database breaches.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/08/new-research-claiming-passkeys-can-be-stolen-is-pure-nonsense/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Friday 29 August 2025 at 5:22 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31055</guid><pubDate>Thu, 28 Aug 2025 19:23:43 +0000</pubDate></item><item><title>London authorities: The whole bus didn't ask for your Spotify playlist</title><link>https://nsaneforums.com/news/security-privacy-news/london-authorities-the-whole-bus-didnt-ask-for-your-spotify-playlist-r31035/</link><description><![CDATA[<p>
	Perhaps one of the most annoying aspects of public transport is when you are sharing the ride with someone who is blasting their calls or music on their phone's speaker as if they own the public transport system. It seems like the Transport for London (TfL) authority agrees with this sentiment, which is why it is encouraging members of the public to wear headsets and earphones while in transit.
</p>

<p>
	 
</p>

<p>
	TfL's survey from June 2025 indicated that around 70% of 1,000 surveyed commuters have experienced disturbance while traveling due to someone playing loud music or taking calls without a headset. Although the city understands that 4G and 5G connectivity have made it easier to stay connected with the rest of the world regardless of where you are, it has noted that these loud disturbances are a nuisance to others, especially those who suffer from autism or heightened sensitivity to sound.
</p>

<p>
	 
</p>

<p>
	This is why the authority has extended its #TravelKind campaign, initially launched in 2017, to also put up posters along the Elizabeth line railway network, reminding the public to use headsets. It has also partnered with JBL to run an Instagram competition, through which it is raffling five pairs of wireless JBL Live 770 NC headphones.
</p>

<p>
	 
</p>

<p>
	Deputy Mayor for Transport, Seb Dance, highlighted that:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The vast majority of Londoners use headphones when traveling on public transport in the capital, but the small minority who play music or videos out loud can be a real nuisance to other passengers and directly disturb their journeys.
	</p>

	<p>
		 
	</p>

	<p>
		TfL's new campaign will remind and encourage Londoners to always be considerate of other passengers. However Londoners spend their journey, whether catching up on their favorite series or listening to music, we want everyone to have a pleasant journey.
	</p>
</blockquote>

<p>
	Starting from October, TfL will also be putting the same posters on buses, Docklands Light Railway, London Overground, London Underground, and London Tram services. It has also encouraged commuters to look up from their phone screens intermittently just to check if someone needs their seat more than they do.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/london-authorities-the-whole-bus-didnt-ask-for-your-spotify-playlist/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 28 August 2025 at 4:37 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31035</guid><pubDate>Wed, 27 Aug 2025 18:38:17 +0000</pubDate></item><item><title>Google will block sideloading of unverified Android apps starting next year</title><link>https://nsaneforums.com/news/security-privacy-news/google-will-block-sideloading-of-unverified-android-apps-starting-next-year-r31007/</link><description><![CDATA[<h3>
	Google says it's no different than checking IDs at the airport.
</h3>

<p>
	Android's open nature set it apart from the iPhone as the era of touchscreen smartphones began nearly two decades ago. Little by little, Google has traded some of that openness for security, and its next security initiative could make the biggest concessions yet in the name of blocking bad apps. Google has announced plans to begin verifying the identities of all Android app developers, and not just those publishing on the Play Store. Google intends to <a href="https://android-developers.googleblog.com/2025/08/elevating-android-security.html?m=1" rel="external nofollow">verify developer identities no matter where they offer their content</a>, and apps without verification won't work on most Android devices in the coming years.
</p>

<p>
	 
</p>

<p>
	Google used to do very little curation of the Play Store (or Android Market, if you go back far enough), but it has long sought to improve the platform's reputation as being less secure than the Apple App Store. Years ago, you could publish actual exploits in the official store to gain root access on phones, but now there are multiple reviews and detection mechanisms to reduce the prevalence of malware and banned content. While the Play Store is <a href="https://arstechnica.com/security/2025/03/researchers-find-north-korean-spy-apps-hosted-in-google-play/" rel="external nofollow">still not perfect</a>, Google claims apps sideloaded from outside its store are 50 times more likely to contain malware.
</p>

<p>
	 
</p>

<p>
	This, we are led to believe, is the impetus for Google's new developer verification system. The company describes it like an "ID check at the airport." Since requiring all Google Play app developers to verify their identities in 2023, it has seen a precipitous drop in malware and fraud. Bad actors in Google Play leveraged anonymity to distribute malicious apps, so it stands to reason that verifying app developers outside of Google Play could also enhance security.
</p>

<p>
	 
</p>

<p>
	However, making that happen outside of its app store will require Google to <a href="https://arstechnica.com/gadgets/2024/01/apple-announces-sweeping-eu-app-store-policy-changes-including-sideloading/" rel="external nofollow">take a page from Apple's playbook</a> and flex its muscle in a way many Android users and developers could find intrusive. Google plans to create a streamlined Android Developer Console, which devs will use if they plan to distribute apps outside of the Play Store. After verifying their identities, developers will have to register the package name and signing keys of their apps. Google won't check the content or functionality of the apps, though.
</p>

<figure class="ars-wp-img-shortcode id-2113713 align-fullwidth">
	<div>
		<img alt="Android Developer Console" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/08/Android-Developer-Console-e1756155913651-1024x458.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>An early look at the streamlined Android Developer Console for sideloaded apps.</em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Google </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	Google says that only apps with verified identities will be installable on certified Android devices, which is virtually every Android-based device—if it has Google services on it, it's a certified device. If you have a non-Google build of Android on your phone, none of this applies. However, that's a vanishingly small fraction of the Android ecosystem outside of China.
</p>

<p>
	 
</p>

<p>
	Google plans to begin testing this system with early access in October of this year. In March 2026, all developers will have access to the new console to get verified. In September 2026, Google plans to launch this feature in Brazil, Indonesia, Singapore, and Thailand. The next step is still hazy, but Google is targeting 2027 to expand the verification requirements globally.
</p>

<h2>
	A seismic shift
</h2>

<p>
	This plan comes at a major crossroads for Android. The ongoing Google Play antitrust case brought by Epic Games may finally force changes to Google Play in the coming months. Google <a href="https://arstechnica.com/gadgets/2025/07/google-loses-app-store-antitrust-appeal-must-make-sweeping-changes-to-play-store/" rel="external nofollow">lost its appeal</a> of the verdict several weeks ago, and while it plans to appeal the case to the US Supreme Court, the company will have to begin altering its app distribution scheme, barring further legal maneuvering.
</p>

<figure class="ars-wp-img-shortcode id-2113694 align-fullwidth">
	<div>
		<a href="https://cdn.arstechnica.net/wp-content/uploads/2025/08/Android_Verification_Banner02-copy.jpg" rel="external nofollow"><img alt="Android_Verification_Banner02-copy.jpg" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/08/Android_Verification_Banner02-copy.jpg"> </a>
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<a href="https://cdn.arstechnica.net/wp-content/uploads/2025/08/Android_Verification_Banner02-copy.jpg" rel="external nofollow"><em><span class="caption-credit mt-2 text-xs"><em>Credit: Google </em></span> </em></a>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	Among other things, the court has ordered that Google must distribute third-party app stores and allow Play Store content to be rehosted in other storefronts. Giving people more ways to get apps could increase choice, which is what Epic and other developers wanted. However, third-party sources won't have the deep system integration of the Play Store, which means users will be sideloading these apps without Google's layers of security.
</p>

<p>
	 
</p>

<p>
	It's hard to say how much of a genuine security problem this is. On one hand, it makes sense Google would be concerned—most of the major malware threats to Android devices spread via third-party app repositories. However, enforcing an installation whitelist across almost all Android devices is heavy-handed. This requires everyone making Android apps to satisfy Google's requirements before virtually anyone will be able to install their apps, which could help Google retain control as the app market opens up. While the requirements may be minimal right now, there's no guarantee they will stay that way.
</p>

<p>
	 
</p>

<p>
	The <a href="https://developer.android.com/developer-verification" rel="external nofollow">documentation currently available</a> doesn't explain what will happen if you try to install a non-verified app, nor how phones will check for verification status. Presumably, Google will distribute this whitelist in Play Services as the implementation date approaches. We've reached out for details on that front and will report if we hear anything.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2025/08/google-will-block-sideloading-of-unverified-android-apps-starting-next-year/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 26 August 2025 at 6:40 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31007</guid><pubDate>Tue, 26 Aug 2025 08:41:16 +0000</pubDate></item><item><title>uBlock Origin is no longer available in Edge Add-ons Store, but you can still install it</title><link>https://nsaneforums.com/news/security-privacy-news/ublock-origin-is-no-longer-available-in-edge-add-ons-store-but-you-can-still-install-it-r30997/</link><description><![CDATA[<p>
	With Google Chrome and other Chromium-based browsers leaving Manifest V2-based extensions behind, uBlock Origin, one of the most popular content blockers, is going away. Google is already not allowing you to install the extension with convenient methods (<a automate_uuid="693a06f1-6b4e-426a-b9b4-a27a502a76e0" href="https://www.neowin.net/guides/you-can-still-enable-ublock-origin-in-chrome-here-is-how/" rel="external nofollow">check out this article to learn how to fix that</a>), and now, Microsoft Edge is ditching uBlock Origin as well.
</p>

<p>
	 
</p>

<p>
	uBlock Origin has been updated in the Microsoft Edge Add-ons store, and now, it is uBlock Origin Lite, a Manifest V3-based extension that complies with Google's latest extension rules. As such, uBlock Origin Lite lacks plenty of features that made the original version so beloved among enthusiasts.
</p>

<p>
	 
</p>

<p>
	Fortunately, like with Google Chrome, there is still a way to bring back the original uBlock Origin to Microsoft Edge. While the process is not as straightforward as one-click installation in the Microsoft Edge Add-ons store, it will only take you a few minutes. Here is what to do:
</p>

<p>
	 
</p>

<ol>
	<li>
		Go to <a automate_uuid="84727efb-9e44-4852-bc7b-00613a30dc83" href="https://github.com/gorhill/uBlock/releases/tag/1.65.0" rel="external nofollow">uBlock Origin's GitHub repository</a> and download the latest release for Chromium.
	</li>
	<li>
		Unpack the archive wherever convenient.
	</li>
	<li>
		Launch Microsoft Edge and go to edge://extensions.
	</li>
	<li>
		Toggle on "Developer mode."
	</li>
	<li>
		Click "Load unpacked."
		<figure class="image image--expandable">
			<img alt="Developer mode for Microsoft Edge Extensions" class="ipsImage" height="486" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/08/1756121367_screenshot_2025-08-25_142829.webp">
		</figure>
	</li>
	<li>
		Find the unpacked folder with the extension files.
	</li>
</ol>

<p>
	 
</p>

<p>
	That's it. Now you have the old uBlock Origin extension with all of its capabilities and features.
</p>

<p>
	 
</p>

<p>
	Interestingly, Microsoft has no detailed plans regarding Manifest V2 extensions. <a automate_uuid="83e0b63b-da1a-4f8d-a1e6-edd3e447b9c5" href="https://learn.microsoft.com/en-us/microsoft-edge/extensions-chromium/developer-guide/manifest-v3" rel="external nofollow">The official documentation</a> still has no exact details on when Microsoft plans to stop accepting updates for existing MV2 extensions (new ones are no longer accepted) or when installed extensions will stop working. While we wait for Microsoft to share more details, you can enjoy uBlock Origin while you can. The same applies to other Manifest V2-based extensions.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/ublock-origin-is-no-longer-available-in-edge-add-ons-store-but-you-can-still-install-it/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 26 August 2025 at 5:39 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30997</guid><pubDate>Mon, 25 Aug 2025 19:40:04 +0000</pubDate></item><item><title>[Update: It was a mistake by the dev] uBlock Origin for Microsoft Edge update changes the extension to uBlock Origin Lite</title><link>https://nsaneforums.com/news/security-privacy-news/update-it-was-a-mistake-by-the-dev-ublock-origin-for-microsoft-edge-update-changes-the-extension-to-ublock-origin-lite-r30996/</link><description><![CDATA[<p>
	[UPDATE] Apparently, this add-on update was not intentional. Gorhill uploaded the extension to the wrong extension ID.
</p>

<p>
	 
</p>

<p>
	Here's a <a data-wpel-link="external" href="https://github.com/uBlockOrigin/uBOL-home/issues/458" rel="external nofollow" target="_blank">comment Gorhill posted on GitHub</a> (thanks to Saampei Nihira for the tip).
</p>

<p>
	 
</p>

<div class="markdown-body" data-team-hovercards-enabled="true" data-testid="markdown-body" data-turbolinks="false">
	<div class="Box-sc-g0xbh4-0 markdown-body NewMarkdownViewer-module__safe-html-box--dKCgP">
		And one more, which says "I sent an email to someone at Extension Dev Support at Microsoft, asking to roll back to original 1.65.0."
	</div>
</div>

<p>
	<strong>The original story follows</strong>....have a laugh at my expense! (and Gorhill's)
</p>

<p>
	 
</p>

<p>
	Did you have uBlock Origin installed in <a data-wpel-link="internal" href="https://www.ghacks.net/2025/08/11/microsoft-edge-for-windows-10-will-receive-updates-until-2028/" rel="external nofollow" target="_blank">Microsoft Edge</a>? Has it been replaced by uBlock Origin Lite?
</p>

<p>
	 
</p>

<p>
	The Microsoft Edge extension has been updated, but the new version doesn't bring new features. Instead, the add-on automatically downgrades itself to uBlock Origin Lite.
</p>

<p>
	 
</p>

<p>
	The update was spotted by multiple users on Reddit, one of whom <a data-wpel-link="external" href="https://old.reddit.com/r/MicrosoftEdge/comments/1mzkdmp/ublock_origin_removed_from_edge/" rel="external nofollow" target="_blank">shared a screenshot</a> of the add-ons result page on Edge's store. The screenshot looked odd, because it showed 2 versions of the add-on. I decided to check it myself, and indeed, there are 2 versions of uBlock Origin Lite on the Edge add-ons store. That's a little weird.
</p>

<p>
	 
</p>

<p>
	<img alt="uBlock Origin for Microsoft Edge update changes the extension to uBlock Origin Lite" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/08/uBlock-Origin-for-Microsoft-Edge-update-changes-the-extension-to-uBlock-Origin-Lite.jpg">
</p>

<p>
	 
</p>

<p>
	If you look closely at their icons, it's easy to tell the difference. The add-on that has a - symbol in its icon is <a data-wpel-link="external" href="https://microsoftedge.microsoft.com/addons/detail/ublock-origin-lite/cimighlppcgcoapaliogpjjdehbnofhn" rel="external nofollow" target="_blank">uBlock Origin Lite</a> (Version 2025.818.1918), whereas the extension that has the uBO icon is the <a data-wpel-link="external" href="https://microsoftedge.microsoft.com/addons/detail/ublock-origin-lite/odfafepnkmbhccpbejgmiehpchacaeak" rel="external nofollow" target="_blank">original add-on</a> (Version 2025.824.1755). But both extensions are now named uBlock Origin Lite.
</p>

<p>
	 
</p>

<p>
	As for why the add-on was downgraded to uBlock Origin Lite, it's fairly obvious. Chrome has deprecated support for Manifest V2 APIs, which in turn spelled the end for many extensions. This included uBlock Origin too, and the only options for users were to use some flags to extend Manifest V2 support (more on this in a bit), or to switch to uBlock Origin Lite.
</p>

<p>
	 
</p>

<p>
	While the Chrome web store "removed" the uBlock Origin extension because it was unsupported, the Microsoft Edge add-ons store still had the extension. Not anymore, apparently. It is being replaced by uBlock Origin Lite.
</p>

<p>
	 
</p>

<p>
	Okay, but why do this now? Up until now, Chrome and Chromium-based browsers have allowed users to extend support for Manifest V2 by enabling some flags in the browser. These flags are being removed from Chrome 140, and the shortcut workaround may not be available for long. There is a way to load an unpacked extension in Chrome, but it will not work after Chrome 142. Its flag expires in Chrome 139. More details about this method are available at the <a data-wpel-link="external" href="https://www.reddit.com/r/uBlockOrigin/comments/1mtowwf/end_of_support_for_ubo_on_chrome_chromium/" rel="external nofollow" target="_blank">official uBlock Origin subreddit</a>.
</p>

<p>
	 
</p>

<p>
	Raymond Hill (aka Gorhill), the developer of uBlock Origin, had <a data-wpel-link="external" href="https://github.com/uBlockOrigin/uBlock-issues/wiki/About-Google-Chrome's-%22This-extension-may-soon-no-longer-be-supported%22" rel="external nofollow" target="_blank">stated in November 2024</a> that,
</p>

<p>
	 
</p>

<p>
	"Manifest v2 uBO will not be automatically replaced by Manifest v3 uBOL. uBOL is too different from uBO for it to silently replace uBO -- you will have to explicitly make a choice as to which extension should replace uBO according to your own prerogatives.
</p>

<p>
	 
</p>

<p>
	Ultimately whether uBOL is an acceptable alternative to uBO is up to you, it's not a choice that will be made for you."
</p>

<p>
	 
</p>

<p>
	But it has now. Perhaps things have changed since? This is pure speculation, but it makes sense to replace the original extension with uBlock Origin Lite, because otherwise users would be left without an ad-blocker, and exposed to trackers, advertisements, etc. By switching to the Lite version via an automatic update, they will be protected without manual intervention. It's a little unusual, but I think this is a good move for the privacy and security of users.
</p>

<p>
	 
</p>

<p>
	Still, an official announcement couldn't have hurt, given the confusion among users. Consider this article a PSA: uBlock Origin for Microsoft Edge didn't disappear or get removed; it's uBlock Origin Lite now. I can confirm that this is the case; my Edge browser had uBlock Origin 1.65.0 installed.
</p>

<p>
	 
</p>

<p>
	<img alt="uBlock Origin for Microsoft Edge add-on" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/08/uBlock-Origin-for-Microsoft-Edge-add-on.jpg">
</p>

<p>
	 
</p>

<p>
	But after forcing an update via Developer mode, it got replaced by uBlock Origin Lite 2025.824.1755, which was released on August 25, 2025. <a data-wpel-link="external" href="https://www.neowin.net/news/ublock-origin-is-no-longer-available-in-edge-add-ons-store-but-you-can-still-install-it/" rel="external nofollow" target="_blank">Neowin also reported</a> this today! It's unclear when Microsoft Edge will stop supporting Manifest V2; the <a data-wpel-link="external" href="https://learn.microsoft.com/en-us/microsoft-edge/extensions/developer-guide/manifest-v3" rel="external nofollow" target="_blank">official support page</a> doesn't mention an EOL date.
</p>

<p>
	 
</p>

<p>
	<img alt="uBlock Origin for Microsoft Edge add-on replaced by uBlock Origin Lite" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/08/uBlock-Origin-for-Microsoft-Edge-add-on-replaced-by-uBlock-Origin-Lite.jpg">
</p>

<p>
	 
</p>

<p>
	uBO Lite is pretty good, and should suffice for most users. It was recently released for <a data-wpel-link="internal" href="https://www.ghacks.net/2025/08/05/ublock-origin-lite-for-safari-released-for-ios-ipados-and-macos/" rel="external nofollow" target="_blank">Safari on iOS, iPadOS, and macOS</a>. On a side note, uBlock Origin is still available on Opera's add-ons store, though I'm not sure how long it would be supported. It should be obvious, but I'll say it anyway, the Firefox version of the ad blocker is not affected by this change. Ironically, <a data-wpel-link="external" href="https://old.reddit.com/r/MicrosoftEdge/comments/1mkxa8o/microsoft_edge_now_suggests_using_ublock_origin/" rel="external nofollow" target="_blank">Microsoft Edge began recommending uBlock Origin</a> a while back. Edge really is the new Internet Explorer!
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2025/08/25/ublock-origin-for-microsoft-edge-update-changes-the-extension-to-ublock-origin-lite/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 26 August 2025 at 5:37 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30996</guid><pubDate>Mon, 25 Aug 2025 19:38:41 +0000</pubDate></item><item><title>Malicious Android apps with 19M installs removed from Google Play</title><link>https://nsaneforums.com/news/security-privacy-news/malicious-android-apps-with-19m-installs-removed-from-google-play-r30995/</link><description><![CDATA[<p>
	Seventy-seven malicious Android apps with more than 19 million installs were delivering multiple malware families to Google Play users.
</p>

<p>
	 
</p>

<p>
	This malware infiltration was discovered by <a href="https://www.zscaler.com/blogs/security-research/android-document-readers-and-deception-tracking-latest-updates-anatsa" rel="external nofollow" target="_blank">Zscaler's ThreatLabz</a> team while investigating a new infection wave with the Anatsa (Tea Bot) banking trojan targeting Android devices.
</p>

<p>
	 
</p>

<p>
	While most of the malicious apps (over 66%) included adware components, the most common Android malware was Joker, which researchers encountered in almost 25% of the analyzed apps.
</p>

<p>
	 
</p>

<p>
	Once Joker malware is installed on a device, it can read and send text messages, take screenshots, make phone calls, steal contact lists, access device information, and subscribe users to premium services.
</p>

<p>
	 
</p>

<p>
	A smaller percentage of the apps included maskware, a term used to define a malicious app that disguises itself as something that would not raise any suspicion.
</p>

<p>
	 
</p>

<p>
	This type of malware may pose as a legitimate app that works as advertised. However, it performs malicious activity in the background, such as stealing credentials, banking info, or other sensitive data (location, SMS). Cybercriminals can also use maskware to deliver other malware.
</p>

<p>
	 
</p>

<p>
	Zscaler researchers also found a variant of the Joker malware called Harly, which comes as a legitimate app that has a malicious payload hidden deeper in the code to avoid detection during the review process.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="anatsa_2025_figure_5_0.png" class="ipsImage" height="491" width="720" src="https://cms.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/anatsa_2025_figure_5_0.png">
	</figure>
</div>

<p>
	In a report in March, Human Security <a href="https://www.humansecurity.com/learn/blog/satori-perpectives-tracking-the-ongoing-evolution-of-harly-trojan-android-fraud/" rel="external nofollow" target="_blank">researchers said</a> that Harly can hide in popular apps, like games, wallpapers, flashlights, and photo editors.
</p>

<h3>
	Anatsa trojan keeps evolving
</h3>

<p>
	According to Zscaler, the latest version of the Anatsa banking trojan has further expanded its targeting scope, increasing the number of banking and cryptocurrency apps it attempts to steal data from to 831, up from 650 previously.
</p>

<p>
	 
</p>

<p>
	The malware operators use an app named 'Document Reader – File Manager' as a decoy, which only downloads the malicious Anatsa payload after installation, to evade Google's code review.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Anatsa trojan app on Google Play" class="ipsImage" height="358" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/play.jpg">
		<figcaption>
			<em>Anatsa trojan app on Google Play<br>
			Source: Zscaler</em>
		</figcaption>
	</figure>
</div>

<p>
	The latest campaign has switched from remote DEX dynamic code loading used in the past to direct payload installation, unpacking it from JSON files, and then deleting them.
</p>

<p>
	 
</p>

<p>
	In terms of evasion, it uses malformed APK archives to break static analysis, runtime DES-based string decryption, and emulation detection. Package names and hashes are also periodically changed.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Detecting emulation (left) and fetching the payload (right)" class="ipsImage" height="584" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/update.jpg">
		<figcaption>
			<em>Detecting emulation (left) and fetching the payload (right)<br>
			Source: Zscaler</em>
		</figcaption>
	</figure>
</div>

<p>
	Capability-wise, Anatsa abuses Accessibility permissions on Android to auto-grant itself extensive privileges.
</p>

<p>
	 
</p>

<p>
	It fetches phishing pages from its server for over 831 apps, now also covering Germany and South Korea, while a keylogger module has also been added for generic data theft.
</p>

<p>
	 
</p>

<p>
	This latest Anatsa campaign follows another recent wave discovered by ThreatFabric in July, where the trojan sneaked into Google Play posing as a PDF viewer, achieving over <a href="https://www.bleepingcomputer.com/news/security/android-malware-anatsa-infiltrates-google-play-to-target-us-banks/" rel="external nofollow" target="_blank">50,000 downloads</a>.
</p>

<p>
	 
</p>

<p>
	Older Anatsa campaigns include a PDF and QR Code Reader attack in May 2024 that achieved <a href="https://www.bleepingcomputer.com/news/security/over-90-malicious-android-apps-with-55m-installs-found-on-google-play/" rel="external nofollow" target="_blank">70,000 infections</a>, a Phone Cleaner and PDF attack in February 2024 that got <a href="https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downloaded-150-000-times-via-google-play/" rel="external nofollow" target="_blank">150,000 downloads</a>, and another PDF Viewer attack in March 2023 that achieved <a href="https://www.bleepingcomputer.com/news/security/anatsa-android-trojan-now-steals-banking-info-from-users-in-us-uk/" rel="external nofollow" target="_blank">30,000 installs</a>.
</p>

<h2>
	Malicious app wave on Google Play
</h2>

<p>
	Besides the apps carrying Anatsa, most of the malicious apps Zscaler discovered this time belonged to adware families, followed by 'Joker,' 'Harly,' and various maskware.
</p>

<p>
	 
</p>

<p>
	"ThreatLabz identified a sharp rise in adware applications on the Google Play Store alongside malware, such as Joker, Harly, and banking trojans like Anatsa," explained Zscaler researcher Himanshu Sharma.
</p>

<p>
	 
</p>

<p>
	"Conversely, there has been a noticeable decline in malware families such as Facestealer and Coper."
</p>

<p>
	 
</p>

<p>
	Tools and personalization apps accounted for over half of the lures used to spread those apps, so these two categories, together with entertainment, photography, and design, should be treated as high-risk.
</p>

<p>
	 
</p>

<p>
	In total, the 77 malicious apps, including those containing Anatsa, were downloaded 19 million times from Google Play.
</p>

<p>
	 
</p>

<p>
	Zscaler reports that Google removed all of the malicious apps they discovered this time from the Play Store following their reporting.
</p>

<p>
	 
</p>

<p>
	Android users must ensure their Play Protect service is active on their device to flag malicious apps for removal.
</p>

<p>
	 
</p>

<p>
	In the case of Anatsa trojan infections, separate steps need to be taken with the bank to protect potentially compromised e-banking accounts or credentials.
</p>

<p>
	 
</p>

<p>
	To minimize the risk from malware loaders on Google Play, only trust reputable publishers, read at least a couple of user reviews, and only grant permissions that are directly related to the app's core functionality.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/malicious-android-apps-with-19m-installs-removed-from-google-play/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 26 August 2025 at 5:35 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">30995</guid><pubDate>Mon, 25 Aug 2025 19:37:20 +0000</pubDate></item><item><title>Forget Windows Recall &#x2014; This Chrome VPN is the real privacy nightmare, secretly screenshotting every site visited by over 100,000 users and sending them to an anonymous developer</title><link>https://nsaneforums.com/news/security-privacy-news/forget-windows-recall-%E2%80%94-this-chrome-vpn-is-the-real-privacy-nightmare-secretly-screenshotting-every-site-visited-by-over-100000-users-and-sending-them-to-an-anonymous-developer-r30994/</link><description><![CDATA[<h3>
	FreeVPN.One's developer insists that the extension is compliant with Google's best practices, seemingly shifting blame to the tool's advanced AI Threat Detection feature.
</h3>

<p id="ed0aec61-0fa8-4f36-aa87-deded53ca6b1">
	Cybersecurity sleuths at Koi Security recently uncovered what might be the worst security and privacy nightmare for most users: a popular <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/tag/google-chrome" href="https://www.windowscentral.com/tag/google-chrome" rel="external nofollow">Google Chrome</a> extension, <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.koi.security/blog/spyvpn-the-vpn-that-secretly-captures-your-screen" href="https://www.koi.security/blog/spyvpn-the-vpn-that-secretly-captures-your-screen" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">FreeVPN.One, with over 100,000 installs, has been secretly grabbing screenshots of every website the user visits</a> and sending them to a domain controlled by the software's anonymous developer.
</p>

<p>
	 
</p>

<p>
	Perhaps more concerning, the extension is touted as <em>"the fastest free VPN for Chrome."</em> The tool also boasts a "Featured" badge, which is an accolade Google awards to software that aligns with its technical best practices while simultaneously maintaining a <em>"high standard"</em> user experience and design.
</p>


<p id="ed0aec61-0fa8-4f36-aa87-deded53ca6b1-2">
	But as it now seems, FreeVPN.One has been going against this rule and breaching users' privacy for months on end.
</p>

<figure id="0ce56ab2-cf41-4d80-a4f9-df44e7a8c79b">
	<blockquote class="QuoteNewsStyle">
		<p>
			FreeVPN.One shows how a privacy branding can be flipped into a trap. They've earned verified status and even featured placement on the Chrome Web Store. And while Chrome claims to perform security checks on new versions of extensions, using automated scans, human reviews, and monitoring for malicious code or behavior changes — the reality is that these safeguards failed. This case shows that even with those protections in place, dangerous extensions can slip through, highlighting serious gaps in security across major browser marketplaces.
		</p>

		<p>
			 
		</p>

		<p>
			<em><cite>Koi Security</cite></em>
		</p>
	</blockquote>
</figure>

<p id="04789a30-114d-4904-bdb8-51a86087aace">
	Per the report by the cybersecurity experts, the extension silently grabs a screenshot a second after each web page you visit loads, then transmits it to a remote server.
</p>

<p>
	 
</p>

<p>
	The security experts acknowledge that VPN extensions require permissions like proxy and storage to function, but FreeVPN.One pushes the envelope further by asking for more permissions that facilitate its deceptive data collection ploy, including tabs and scripting.
</p>

<p>
	 
</p>

<p>
	This then allows the extension to inject a script into every website you visit, allowing it to grab screenshots. <em>"No user action, no UI hint, the screenshots are taken in the background without you ever knowing," </em>Koi Security added. The odd occurrence reportedly started sometime in July via minor updates, which upped the ante by requesting additional permissions.
</p>

<p>
	 
</p>

<p>
	Per FreeVPN.One's privacy policies, the extension can grab screenshots of your activities while using the internet, but this only happens when the <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/artificial-intelligence" data-before-rewrite-redirect="https://www.windowscentral.com/tag/artificial-intelligence" href="https://www.windowscentral.com/artificial-intelligence" rel="external nofollow">AI</a> Threat Detection Feature is enabled. It essentially grabs a screenshot and related page information, including the URL and page content, which are then transmitted from your browser to the platform's servers for vetting by analysts.
</p>

<p>
	 
</p>

<p>
	However, the extension's developer indicated that it may "use anonymized usage data" to build the platform's threat intelligence database, regardless of whether you've enabled the AI-powered feature or not.
</p>

<p>
	 
</p>

<p>
	There are some discrepancies in FreeVPN.One's privacy policies, which were updated on July 20 and are now missing a critical section about anonymized usage data. <em>"This system is in beta and provided 'as is' without warranties or guarantees of any kind, express or implied, including but not limited to accuracy, reliability, or fitness for a particular purpose,"</em> the security firm added.
</p>


<p id="2de62f65-04d9-47c0-b0f3-7bf8b5f8532c">
	The update also scrapped information about who operates FreeVPN.One. The header previously indicated that the platform was operated by a company called CMO Ltd. The only way to get a hint of this information is through the email provided by contacting the developer. However, the domain associated with the provided email address redirects to a page for Phoenix Software Solutions with a suspicious URL, making the situation worse.
</p>

<p>
	 
</p>

<p>
	Speaking to <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.theregister.com/2025/08/21/freevpn_privacy_research/" href="https://www.theregister.com/2025/08/21/freevpn_privacy_research/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">The Register</a>, a FreeVPN.One developer claimed that the extension is <em>"fully compliant with Chrome Web Store policies, and any screenshot functionality is disclosed in our privacy policy."</em>
</p>

<p>
	 
</p>

<p>
	According to the developer:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>"All data collected is encrypted and handled according to standard practices for browser extensions. We are committed to transparency and user privacy and welcome readers to review our documentation for further details."</em>
</p>

<p>
	 
</p>

<p>
	While the developer claims that the extension is compliant with Google Chrome's Web Store policies, Koi researchers aren't convinced by the claims that the tool only grabs screenshots when encountering a suspicious domain.
</p>

<p>
	 
</p>

<p>
	They further shared their findings, highlighting the tool grabbing screenshots of trusted domains, including Google. However, the screenshots aren't being used or stored but are briefly analyzed for potential threats.
</p>

<p>
	 
</p>

<p>
	Despite these concerning findings from Koi Security, FreeVPN.One continues to be available for installation as of the time of publication. It is unclear if Google is looking into the report and whether it intends to scrap the extension from its Chrome Web Store, as it violates its policies.
</p>


<h2 id="sounds-like-windows-recall-all-over-again-3">
	Sounds like Windows Recall all over again
</h2>

<div>
	<div>
		<p>
			<img alt="Microsoft Corporate Vice President, Windows and Devices Pavan Davuluri speaks about Recall during the Microsoft May 20 Briefing event at Microsoft in Redmond, Washington, on May 20, 2024." class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/oFQVT5DMk7zMeo668RtxwQ-1024-80.jpg">
		</p>

		<p>
			<em><span>Windows Recall continues to be a touchy subject for most users despite Microsoft's recent efforts to ramp up its security and privacy features. </span></em>
		</p>

		<p>
			<em><span itemprop="copyrightHolder">(Image credit: Getty Images | Jason Redmond)</span></em>
		</p>

		<p>
			 
		</p>

		<p id="df9fa1cf-31f3-4a4d-8197-91f37750d060">
			Last year, Microsoft unveiled a handful of <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/microsoft-is-bringing-a-wave-of-crazy-next-gen-ai-features-to-windows-11-next-month-heres-who-gets-them" href="https://www.windowscentral.com/software-apps/windows-11/microsoft-is-bringing-a-wave-of-crazy-next-gen-ai-features-to-windows-11-next-month-heres-who-gets-them" rel="external nofollow">crazy next-gen AI features</a> exclusively to its Copilot+ PCs, including <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/windows-recall-faq-everything-you-need-to-know" href="https://www.windowscentral.com/software-apps/windows-11/windows-recall-faq-everything-you-need-to-know" rel="external nofollow">Windows Recall</a>, Live Captions, and more. However, Windows Recall grabbed the most attention, potentially becoming the tech giant's most controversial feature.
		</p>

		<p>
			 
		</p>

		<p>
			For context, Windows Recall is an AI-powered feature that acts like your PC's photographic memory and captures snapshots of everything you see and do. The experience runs on the on-device <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/what-is-npu-vs-gpu" href="https://www.windowscentral.com/hardware/what-is-npu-vs-gpu" rel="external nofollow">NPU (neural processing unit)</a> and doesn't rely on the cloud for any of its functionality, for privacy, security, and performance reasons.
		</p>

		<p>
			 
		</p>

		<p>
			The feature has raised major concerns among security experts and general users, who've branded it as <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/microsofts-new-windows-11-ai-recall-feature-is-causing-privacy-nightmares-for-the-uk-data-watchdog-even-before-it-ships" href="https://www.windowscentral.com/software-apps/windows-11/microsofts-new-windows-11-ai-recall-feature-is-causing-privacy-nightmares-for-the-uk-data-watchdog-even-before-it-ships" rel="external nofollow"><em>"a security nightmare,"</em></a> which has turned the operating system into a hacker's paradise.
		</p>

		<p>
			 
		</p>

		<p>
			While <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/microsoft-unveils-big-windows-recall-update-now-showcases-your-most-used-apps-and-websites" href="https://www.windowscentral.com/software-apps/windows-11/microsoft-unveils-big-windows-recall-update-now-showcases-your-most-used-apps-and-websites" rel="external nofollow">Microsoft has ramped up Windows Recall's security</a> with elaborate measures like making <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/tag/windows-hello" href="https://www.windowscentral.com/tag/windows-hello" rel="external nofollow">Windows Hello</a> a mandatory requirement and isolating it in a "VBS Enclave" (making it unreadable to third-party apps) and filtering out sensitive information like passwords and credit card details, users are seemingly still keeping it at arm's length.
		</p>

		<p>
			 
		</p>

		<p>
			It will be interesting to see how Google handles the critical security and privacy concerns impacting its Chrome Web Store via FreeVPN.One. <em>Let me know what you think in the comments.</em>
		</p>

		<p>
			 
		</p>

		<p>
			<a href="https://www.windowscentral.com/software-apps/forget-windows-recall-this-chrome-vpn-is-the-real-privacy-nightmare-secretly-screenshotting-every-site-visited-by-over-100-000-users-and-sending-them-to-an-anonymous-developer" rel="external nofollow">Source</a>
		</p>

		<hr class="ipsHr">

		<p>
			<span style="font-size:12px;"><em>Posted Tuesday 26 August 2025 at 5:34 am AEST (my time).</em></span>
		</p>

	</div>
</div>
]]></description><guid isPermaLink="false">30994</guid><pubDate>Mon, 25 Aug 2025 19:35:36 +0000</pubDate></item><item><title>"It just looks wrong" &#x2014; YouTube admits it's altering videos without consent, sparking blowback from creators</title><link>https://nsaneforums.com/news/security-privacy-news/it-just-looks-wrong-%E2%80%94-youtube-admits-its-altering-videos-without-consent-sparking-blowback-from-creators-r30993/</link><description><![CDATA[<h3>
	YouTube says it's definitely altering videos, but that it's definitely not using AI to do so. What do you think?
</h3>

<p id="bda1334f-d406-4246-8087-b71901feda90">
	The <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/artificial-intelligence" data-before-rewrite-redirect="https://www.windowscentral.com/tag/artificial-intelligence" href="https://www.windowscentral.com/artificial-intelligence" rel="external nofollow">AI</a> wave, in which <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/tag/google" href="https://www.windowscentral.com/tag/google" target="_blank" rel="external nofollow">Google</a> and its <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/tag/gemini" href="https://www.windowscentral.com/tag/gemini" target="_blank" rel="external nofollow">Gemini</a> LLM are major players, has directly and indirectly caused major changes to the video-sharing monolith YouTube over recent months.
</p>

<p>
	 
</p>

<p>
	Despite recent efforts to <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/youtube-ramps-up-campaign-against-ai-slop-with-stricter-monetization-caveats-on-inauthentic-and-repetitive-videos" href="https://www.windowscentral.com/software-apps/youtube-ramps-up-campaign-against-ai-slop-with-stricter-monetization-caveats-on-inauthentic-and-repetitive-videos" target="_blank" rel="external nofollow">crack down on AI slop through updated monetization policies</a> that target accounts uploading "inauthentic content," YouTube has now been accused of using <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/artificial-intelligence" data-before-rewrite-redirect="https://www.windowscentral.com/tag/artificial-intelligence" href="https://www.windowscentral.com/artificial-intelligence" rel="external nofollow">AI</a> to alter user content without permission from the uploaders.
</p>


<p id="bda1334f-d406-4246-8087-b71901feda90-2">
	Rhett Shull, who runs a popular music-focused YouTube channel with nearly 750,000 subscribers, <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.youtube.com/watch?v=86nhP8tvbLY" href="https://www.youtube.com/watch?v=86nhP8tvbLY" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">uploaded a video</a> on August 15 detailing their findings. In the video, Shull provides visual evidence of the changes to YouTube Shorts uploaded by <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.youtube.com/@RickBeato" href="https://www.youtube.com/@RickBeato" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Rick Beato</a>, another popular influencer.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/86nhP8tvbLY?feature=oembed" title="YouTube Is Using AI to Alter Content (and not telling us)" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p id="f58489d9-f6ae-47bf-9c20-8ccc7906ef6b">
	Convinced YouTube was pulling the same stunts with their content, Shull analyzed a short they'd uploaded to both Instagram and <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/tag/youtube" href="https://www.windowscentral.com/tag/youtube" target="_blank" rel="external nofollow">YouTube</a>. Indeed, there is blatant evidence of alterations to the YouTube content.
</p>

<figure id="13d31ab4-0b9d-4fbb-9bb4-181e7a96a04d">
	<blockquote class="QuoteNewsStyle">
		<p>
			At first, it's a little difficult to tell. But if you start to look at things like the neck pickup on the Gretsch that I'm playing, or the way the strings go over the pickup, or the Sting logo on the shirt that I'm wearing, or the wrinkles on the shirt, or the details of my hair, it just looks wrong. The more you look at it, the more it starts to step out.
		</p>

		<p>
			 
		</p>

		<p>
			<em><cite>Rhett Shull (YouTube)</cite></em>
		</p>
	</blockquote>
</figure>

<p id="f64aacdc-76d7-4b10-940d-e5e83a17a2c6">
	Elsewhere, hair looks unrealistic, like it's attached to a doll. Skin seems too smooth, and ears seem to change shape as videos run.
</p>

<p>
	 
</p>

<p>
	It's something I've personally noticed on several YouTube Shorts, and I know I'm not the only one. A <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.reddit.com/r/youtube/comments/1lllnse/youtube_shorts_are_almost_certainly_being_ai/" href="https://www.reddit.com/r/youtube/comments/1lllnse/youtube_shorts_are_almost_certainly_being_ai/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">thread in the YouTube subreddit</a> from two months ago provides evidence of video tampering, with plenty of users adding replies that back up the OP's claims.
</p>

<p>
	 
</p>

<p>
	It's important to stress that YouTube is changing these videos without permission from the uploaders. That's perhaps the worst part of the entire situation, and Shull makes a prescient point on the matter:
</p>

<div id="slice-container-newsletterForm-articleInbodyContent-y5uyfUFGuShcfz8mK9ZhNY">
	<div data-hydrate="true">
		<div>
			 
		</div>

		<figure id="a0a595e9-0c1b-436d-8313-8265cec274b6">
			<blockquote class="QuoteNewsStyle">
				<p>
					Whether or not you like my content or agree with what I have to say, underneath all of that is this underlying foundation that you trust what I'm making and what I'm saying and what I'm doing is truly me. It is my real opinion. It is my real thought. It is my real work. And replacing or 'enhancing' my work, without my consent or knowledge, with some kind of AI upscaling system, not only I think erodes that trust with the audience, but it also erodes my trust in the platform of YouTube.
				</p>

				<p>
					 
				</p>

				<p>
					<em><cite>Rhett Shull (YouTube)</cite></em>
				</p>
			</blockquote>
		</figure>

		<p id="48bf4941-03c1-451f-979d-d274fd75a281">
			Shull wraps up the video asking for feedback from their audience, and with more than 11,000 replies to the video, it certainly appears to be a hot topic that most agree is a major issue.
		</p>

		<p>
			 
		</p>

		<p>
			One reply with 11,000 likes reads: "'Here's a feature no one asked for and forced on our users in secret. You're welcome.' — YouTube"
		</p>

		<p>
			 
		</p>

		<p>
			Another reply with 8,000 likes reads: "Imagine spending a lot of money and time to get perfect shots and photography. Just so YouTube could put an AI filter on it."
		</p>

		<h2 id="youtube-responds-to-ai-upscaling-claims-3">
			YouTube responds to AI upscaling claims
		</h2>

		<p id="738b59a6-68e8-471f-b125-0572ae3c90ae">
			On August 20, X user <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://x.com/DeanoSauruz/status/1958183709749674247" href="https://x.com/DeanoSauruz/status/1958183709749674247" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">@DeanoSauruz</a> asked YouTube Liaison Rene Ritchie whether or not it's true that YouTube is using AI to upscale Shorts. According to Ritchie, that's not the case at all.
		</p>

		<p>
			 
		</p>

		<div class="ipsEmbeddedOther" contenteditable="false">
			<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed7236679835" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/YouTubeInsider/status/1958199532363317467" style="overflow: hidden; height: 503px;"></iframe>
		</div>

		<div id="1958199532363317467">
			<div>
				<p id="dcd602bb-3d7d-468c-ba1d-6ab02adce8a2">
					Of course, "traditional machine learning technology" seems like a good way to get around saying AI outright, but that's me making assumptions.
				</p>

				<p>
					 
				</p>

				<p>
					The official <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://twitter.com/TeamYouTube/status/1958286550229541158" href="https://twitter.com/TeamYouTube/status/1958286550229541158" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Team YouTube X account</a> then followed up, confirming that the recent outrage is caused by "an experiment to improve video quality with traditional machine learning — not GenAI."
				</p>

				<p>
					 
				</p>

				<p>
					No matter what YouTube wants to call its upscaling experiment, the end result is the same: many YouTube Shorts now appear AI-generated despite the uploaders not using AI.
				</p>

				<p>
					 
				</p>

				<p>
					<a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.bbc.com/future/article/20250822-youtube-is-using-ai-to-edit-videos-without-permission" href="https://www.bbc.com/future/article/20250822-youtube-is-using-ai-to-edit-videos-without-permission" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">BBC</a>, reporting on the same story, posits that what YouTube is doing to videos is completely different from the AI tools available on most modern phones. A quote from Samuel Woolley, Dietrich chair of disinformation studies at the University of Pittsburgh, explains the difference:
				</p>

				<p>
					 
				</p>

				<p style="margin-left: 40px;">
					<em>"You can make decisions about what you want your phone to do, and whether to turn on certain features. What we have here is a company manipulating content from leading users that is then being distributed to a public audience without the consent of the people who produce the videos."</em>
				</p>

				<h2 id="is-youtube-getting-worse-as-ai-becomes-more-prevalent-3">
					Is YouTube getting worse as AI becomes more prevalent?
				</h2>

				<div>
					<div>
						<p>
							<img alt="A person holds a phone in front of the YouTube logo." class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/e66JxD7c6LvCPLDHsny6nj-1024-80.jpg">
						</p>

						<p>
							<em><span>A person holds a phone in front of the YouTube logo. </span></em>
						</p>

						<p>
							<em><span itemprop="copyrightHolder">(Image credit: Getty Images | NurPhoto)</span></em>
						</p>

						<p>
							 
						</p>

						<p id="96137698-81c2-4b30-a56a-6525fbf9fa62">
							YouTube officials claim that generative AI isn't being used to upscale certain videos, but plenty of damage has already been done. This situation arises as YouTube faces backlash from aggravated users regarding several other recent changes to the platform.
						</p>

						<p>
							 
						</p>

						<p>
							<a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/streaming-video/ad-blockers-are-not-allowed-google-escalates-its-battle-against-ad-blockers-to-push-youtube-premiums-usd14-month-subscriptions" href="https://www.windowscentral.com/software-apps/streaming-video/ad-blockers-are-not-allowed-google-escalates-its-battle-against-ad-blockers-to-push-youtube-premiums-usd14-month-subscriptions" target="_blank" rel="external nofollow">Google announced in June that it was escalating the battle against ad-blockers</a>, which many viewed as a way for the company to push YouTube Premium ad-free subscriptions for $14 a month. It was reported soon after that <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/streaming-video/google-throttling-youtube-adblock-users" href="https://www.windowscentral.com/software-apps/streaming-video/google-throttling-youtube-adblock-users" target="_blank" rel="external nofollow">YouTube was throttling playback on devices with ad-blockers installed</a>. Yes, I understand that ad revenue is important, but having to sit through three ads just to watch a short music video is often aggravating.
						</p>

						<p>
							 
						</p>

						<p>
							Google then announced that it was <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/streaming-video/google-ai-overviews-clone-comes-to-youtube" href="https://www.windowscentral.com/software-apps/streaming-video/google-ai-overviews-clone-comes-to-youtube" target="_blank" rel="external nofollow">adding an AI Overview clone to YouTube Premium</a>, emulating the same AI-powered search function you often see when searching for something on the company's main page.
						</p>

						<p>
							 
						</p>

						<p>
							In July, <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/youtube-wants-to-use-ai-to-treat-teens-as-teens-and-adults-as-adults-with-the-most-age-appropriate-experiences-and-protections" href="https://www.windowscentral.com/software-apps/youtube-wants-to-use-ai-to-treat-teens-as-teens-and-adults-as-adults-with-the-most-age-appropriate-experiences-and-protections" target="_blank" rel="external nofollow">YouTube/Google announced that it planned to start using AI to determine user age</a>, all in an effort to better serve users with "the best and most age-appropriate experiences and protections."
						</p>

						<p>
							 
						</p>

						<p>
							If Google's AI determines that a YouTube account's user is under 18 years of age, it automatically adds age-appropriate protections. If it gets it wrong and locks up an account, YouTube allows age verification using government-issued IDs or credit cards.
						</p>

						<p>
							 
						</p>

						<p>
							<a href="https://www.windowscentral.com/artificial-intelligence/youtube-admits-video-tampering-not-ai" rel="external nofollow">Source</a>
						</p>

						<hr class="ipsHr">

						<p>
							<span style="font-size:12px;"><em>Posted Tuesday 26 August 2025 at 5:31 am AEST (my time).</em></span>
						</p>

					</div>
				</div>
			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">30993</guid><pubDate>Mon, 25 Aug 2025 19:33:39 +0000</pubDate></item><item><title>Critical Docker Desktop flaw lets attackers hijack Windows hosts</title><link>https://nsaneforums.com/news/security-privacy-news/critical-docker-desktop-flaw-lets-attackers-hijack-windows-hosts-r30992/</link><description><![CDATA[<p>
	A critical vulnerability in Docker Desktop for Windows and macOS allows compromising the host by running a malicious container, even if the Enhanced Container Isolation (ECI) protection is active.
</p>

<p>
	 
</p>

<p>
	The security issue is a server-side request forgery (SSRF) now identified as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-9074" rel="external nofollow" target="_blank">CVE-2025-9074</a>, and it received a critical severity rating of 9.3.
</p>

<p>
	 
</p>

<p>
	“A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted,” <a href="https://docs.docker.com/desktop/release-notes/#4443" rel="external nofollow" target="_blank">reads Docker’s bulletin</a>.
</p>

<p>
	 
</p>

<p>
	“This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate this vulnerability.”
</p>

<p>
	 
</p>

<p>
	Security researcher and bug bounty hunter <a href="https://www.linkedin.com/in/felix-boulet/" rel="external nofollow" target="_blank">Felix Boulet</a> found that the Docker Engine API could be reached without authentication at ‘http://192.168.65.7:2375/’ from inside any running container.
</p>

<p>
	 
</p>

<p>
	The <a href="http://blog.qwertysecurity.com/Articles/blog3" rel="external nofollow" target="_blank">researcher demonstrated</a> the creation and start-up of a new container that binds the Windows host’s C: drive to the container’s filesystem by using two wget HTTP POST requests.
</p>

<p>
	 
</p>

<p>
	Boulet’s proof-of-concept (PoC) exploit does not require code execution rights inside the container.
</p>

<div class="embed-responsive embed-responsive-16by9" style="">
	<iframe allowfullscreen="" frameborder="0" height="360" mozallowfullscreen="" src="https://player.vimeo.com/video/1112911136" webkitallowfullscreen="" width="640"></iframe>
</div>

<p>
	<a href="https://www.linkedin.com/in/zer0x64/" rel="external nofollow" target="_blank">Philippe Dugre</a>, a DevSecOps engineer at technology company Pvotal Technologies and a challenge designer for the NorthSec cybersecurity conference, confirmed that the vulnerability affected Docker Desktop Windows and macOS but not the Linux version.
</p>

<p>
	 
</p>

<p>
	Dugre says that the vulnerability is less dangerous on macOS due to safeguards in the operating system. While he was able to create a file in the user's home directory on Windows, the same could not be achieved on macOS without the user providing permission.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	"On Windows, since the Docker Engine runs via WSL2, the attacker can mount as an administrator the entire filesystem, read any sensitive file, and ultimately overwrite a system DLL to escalate the attacker to administrator of the host system," - <a href="https://pvotal.tech/breaking-dockers-isolation-using-docker-cve-2025-9074/" rel="external nofollow" target="_blank">Philippe Dugre</a>
</p>

<p>
	 
</p>

<p>
	"On MacOS, however, the Docker Desktop application still has a layer of isolation and trying to mount a user directory prompts the user for permission. By default, the docker application does not have access to the rest of the filesystem and does not run with administrative privileges, so the host is a lot safer than in the Windows case," he says.
</p>

<p>
	 
</p>

<p>
	Nevertheless, the researcher warns that there is room for malicious activity even on macOS because an attacker has complete control over the application and the containers, which creates the risk of backdooring or modifying the configuration without the need for permission.
</p>

<p>
	 
</p>

<p>
	Dugre says that the vulnerability is easy to leverage, and his exploit confirms this as it consists of just three lines of Python code.
</p>

<p>
	 
</p>

<p>
	The vulnerability was reported responsibly to Docker, who responded quickly and addressed it in a new Docker Desktop version, 4.44.3, released last week.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/critical-docker-desktop-flaw-lets-attackers-hijack-windows-hosts/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 26 August 2025 at 5:28 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30992</guid><pubDate>Mon, 25 Aug 2025 19:30:37 +0000</pubDate></item><item><title>Microsoft delays plan to let Copilot see your Teams screen</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-delays-plan-to-let-copilot-see-your-teams-screen-r30944/</link><description><![CDATA[<p>
	Back in November 2024, Microsoft announced an <a automate_uuid="99b6b60d-b161-4997-900f-ca21d1ea0b04" href="https://www.neowin.net/news/microsoft-365-copilot-gets-a-major-upgrade-with-several-new-capabilities/" rel="external nofollow">upcoming Copilot feature that would allow the AI assistant to see what was being shown during a screen-sharing session on Teams</a>. The idea behind this capability was that Copilot would be able to gain more context based on what is visible on the screen, allowing it to give better responses and recommendations. Now, Microsoft has surprisingly decided not to roll out this capability right now.
</p>

<p>
	 
</p>

<p>
	In the recently updated <a automate_uuid="082f085e-fba9-4c5d-8724-3d02bf0dec6c" href="https://www.microsoft.com/en-us/microsoft-365/roadmap?id=325873" rel="external nofollow">Microsoft 365 Roadmap entry ID <strong>325873</strong></a>, the Redmond tech firm has quietly amended the description of the feature, noting that based on "further view" it is not able to continue the rollout of this feature right now. It has just apologized to customers for the inconvenience and pushed the release date back by a year, to August 2026.
</p>

<p>
	 
</p>

<p>
	It is unclear why Microsoft decided to halt release plans at this time, but it may have to do with privacy reasons. It is unlikely that commercial customers would have been okay with giving Copilot unfettered access to screen-share sessions, even if it resulted in the model giving more context-aware answers. Sometimes, people also share sensitive information with other viewers accidentally, and while that data leak can be contained if you have trustworthy colleagues (<a automate_uuid="0b48650a-3caf-4d49-81db-cf1355f9272d" href="https://www.neowin.net/news/no-more-slip-ups-teams-will-now-ask-you-to-hide-sensitive-info-during-screen-sharing/" rel="external nofollow">or guardrails that prevent you from inadvertently exposing confidential data in the first place</a>), having Copilot just accessing that information is probably not ideal.
</p>

<p>
	 
</p>

<p>
	That said, this is all speculation at this point since Microsoft did not disclose the actual reason publicly. Copilot already has access to meeting transcriptions and chats, but this particular feature would have allowed it to analyze the content being shown in a screen-sharing session of a recorded meeting too. This would have allowed customers to achieve more contextual outcomes quickly through prompts like "Rewrite the paragraph shared on the screen incorporating the feedback from the chat".
</p>

<p>
	 
</p>

<p>
	It is interesting to note that a similar feature is <a automate_uuid="c86177b1-03ea-494d-b983-5ef4bc7c5601" href="https://www.neowin.net/news/windows-11-now-lets-you-share-the-entire-desktop-with-copilot/" rel="external nofollow">already present in Insider builds of Windows 11, through Copilot Vision</a>. It enables Copilot to see your entire desktop in real-time, and can be triggered through the Copilot app.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-delays-plan-to-let-copilot-see-your-teams-screen/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 22 August 2025 at 3:25 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30944</guid><pubDate>Thu, 21 Aug 2025 17:25:29 +0000</pubDate></item><item><title>Apple fixes new zero-day flaw exploited in targeted attacks</title><link>https://nsaneforums.com/news/security-privacy-news/apple-fixes-new-zero-day-flaw-exploited-in-targeted-attacks-r30942/</link><description><![CDATA[<p>
	Apple has released emergency updates to patch another zero-day vulnerability that was exploited in an "extremely sophisticated attack."
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2025-43300, this security flaw is caused by an <a href="https://cwe.mitre.org/data/definitions/787.html" rel="external nofollow" target="_blank">out-of-bounds write weakness</a> discovered by Apple security researchers in the Image I/O framework, which enables applications to read and write most image file formats.
</p>

<p>
	 
</p>

<p>
	An out-of-bounds write occurs when attackers successfully exploit such vulnerabilities by supplying input to a program, causing it to write data outside the allocated memory buffer, which can lead to the program crashing, corrupting data, or, in the worst-case scenario, allowing remote code execution.
</p>

<p>
	 
</p>

<p>
	"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company <a href="https://support.apple.com/en-us/124925" rel="external nofollow" target="_blank">revealed</a> in security advisories issued on Wednesday.
</p>

<p>
	 
</p>

<p>
	"An out-of-bounds write issue was addressed with improved bounds checking. Processing a malicious image file may result in memory corruption."
</p>

<p>
	 
</p>

<p>
	Apple has addressed this issue with improved bounds checking to prevent exploitation in <a href="https://support.apple.com/en-us/124925" rel="external nofollow" target="_blank">iOS 18.6.2 and iPadOS 18.6.2</a>, <a href="https://support.apple.com/en-us/124926" rel="external nofollow" target="_blank">iPadOS 17.7.10</a>, <a href="https://support.apple.com/en-us/124927" rel="external nofollow" target="_blank">macOS Sequoia 15.6.1</a>, <a href="https://support.apple.com/en-us/124928" rel="external nofollow" target="_blank">macOS Sonoma 14.7.8</a>, and <a href="https://support.apple.com/en-us/124929" rel="external nofollow" target="_blank">macOS Ventura 13.7.8</a>.
</p>

<p>
	 
</p>

<p>
	The complete list of devices impacted by this zero-day vulnerability is extensive, as the bug impacts both older and newer models, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		iPhone XS and later,
	</li>
	<li>
		iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation,
	</li>
	<li>
		and Macs running macOS Sequoia, Sonoma, and Ventura.
	</li>
</ul>

<p>
	 
</p>

<p>
	The company has yet to attribute the discovery to one of its researchers and has not yet published details regarding the attacks it described as "extremely sophisticated."
</p>

<p>
	 
</p>

<p>
	While this flaw is likely only exploited in highly targeted attacks, it is strongly advised to install today's security updates promptly to prevent any potential ongoing attacks.
</p>

<p>
	 
</p>

<p>
	With this vulnerability, Apple has fixed a total of six zero-days exploited in the wild since the start of the year, the <a href="https://www.bleepingcomputer.com/news/security/apple-fixes-this-years-first-actively-exploited-zero-day-bug/" rel="external nofollow" target="_blank">first in January</a> (CVE-2025-24085), <a href="https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-exploited-in-extremely-sophisticated-attacks/" rel="external nofollow" target="_blank">the second in February</a> (CVE-2025-24200), a <a href="https://www.bleepingcomputer.com/news/apple/apple-fixes-webkit-zero-day-exploited-in-extremely-sophisticated-attacks/" rel="external nofollow" target="_blank">third in March</a> (CVE-2025-24201), and <a href="https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-exploited-in-targeted-iphone-attacks/" rel="external nofollow" target="_blank">two more in April</a> (CVE-2025-31200 and CVE-2025-31201).
</p>

<p>
	 
</p>

<p>
	In 2024, the company patched six other actively exploited zero-days: <a href="https://www.bleepingcomputer.com/news/apple/apple-fixes-first-zero-day-bug-exploited-in-attacks-this-year/" rel="external nofollow" target="_blank">one in January</a>, <a href="https://www.bleepingcomputer.com/news/apple/apple-fixes-two-new-ios-zero-days-exploited-in-attacks-on-iphones/" rel="external nofollow" target="_blank">two in March</a>, a <a href="https://www.bleepingcomputer.com/news/apple/apple-fixes-safari-webkit-zero-day-flaw-exploited-at-pwn2own/" rel="external nofollow" target="_blank">fourth in May</a>, and <a href="https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-used-in-attacks-on-intel-based-macs/" rel="external nofollow" target="_blank">two others in November</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/apple/apple-emergency-updates-fix-new-actively-exploited-zero-day/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 22 August 2025 at 3:21 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30942</guid><pubDate>Thu, 21 Aug 2025 17:22:26 +0000</pubDate></item><item><title>This popular Chrome extension spies on you, delete it immediately</title><link>https://nsaneforums.com/news/security-privacy-news/this-popular-chrome-extension-spies-on-you-delete-it-immediately-r30920/</link><description><![CDATA[<p>
	Extensions in Google Chrome can be quite useful to <em>extend</em> the functionality of the browser, or even <a automate_uuid="643fff6e-a35f-4766-93c0-8d9bb536ff19" href="https://www.neowin.net/news/chrome-extension-blocks-social-media-until-you-scream-im-a-loser/" rel="external nofollow">just have plain fun</a>. VPN extensions have always been popular in the Chrome Web Store, but have seen another surge in usage following the <a automate_uuid="57e8bf04-d5a6-4bb6-a5fd-7a493f75b04e" href="https://www.neowin.net/news/uks-new-age-verification-law-puts-your-privacy-at-risk/" rel="external nofollow">announcement of the UK's age verification laws</a>. While VPNs are generally meant to preserve anonymity while working around geographical boundaries, it can be extremely problematic if such a tool is actually used to spy on you. This is exactly what is happening in a VPN extension for Chrome with hundreds of thousands of users.
</p>

<p>
	 
</p>

<p>
	<a automate_uuid="b3bc7475-e745-4b41-8bb3-e88d0f33f218" href="https://koi-security.webflow.io/blog/spyvpn-the-vpn-that-secretly-captures-your-screen" rel="external nofollow">A blog published by Koi Security</a> explains how the FreeVPN.One extension in Chrome is breaching the trust of its customers. Perhaps the most problematic way it is doing so is that it is secretly capturing screenshots as users move from one web page to the next. These screenshots are taken through a sophisticated mechanism that does not give the user any hints about what is happening.
</p>

<p>
	 
</p>

<p>
	Screen grabs are captured exactly 11 seconds after a page loads, which ensures that content has been fully rendered with potentially sensitive information before it is practically stolen. Although the extension does disclose that it will take a screenshot of your page and upload it to a server for a scan if you utilize the <strong>AI Threat Detection</strong> feature, it periodically takes snapshots even if you don't use this particular capability.
</p>

<p>
	 
</p>

<p>
	Koi Security additionally claims that the extension requires excessive permissions, and that it queries location and device details on startup and sends them to a server too. The security team says that while FreeVPN.One initially started out as a harmless extension, the developer began integrating malicious code in April 2025. Most recently, version 3.1.4, released on July 25, even applies AES-256 encryption to stolen data in transit to make it difficult to identify what's being transmitted.
</p>

<div class="img-center">
	<figure class="image image--expandable">
		<img alt="New badges in the Chrome Web Store" class="ipsImage" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2022/04/1650488212_google-badge.jpg">
		<figcaption>
			<em><a automate_uuid="781764a7-a66f-4978-9d17-1cdf3a576dab" href="https://blog.google/products/chrome/find-great-extensions-new-chrome-web-store-badges/" rel="external nofollow">Image via Google</a></em>
		</figcaption>
	</figure>
</div>

<p>
	When Koi Security reached out to the developer of FreeVPN.One, he said that the automatic screenshots are taken for suspicious domains only as a part of the <strong>Background Scanning</strong> feature. However, it was noticed that snapshots are captured even for mainstream domains like Google Photos and Google Sheets. The developer also emphasized that the feature is enabled by default for now, but will be disabled in a future update. He additionally claimed that screenshots are not retained or sold for monetary benefits, but when asked to provide proof, he stopped responding to emails.
</p>

<p>
	 
</p>

<p>
	This is a particularly worrying incident especially since FreeVPN.One is featured by Google on the web store and even touts a "verified" badge. It seemingly has over a hundred thousand users, which calls into question Google's evaluation practices for extension submissions. It's a major breach of trust that went unnoticed for months by Google, and emphasizes the need for downloading software only from trusted vendors.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/this-popular-chrome-extension-spies-on-you-delete-it-immediately/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 21 August 2025 at 2:40 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30920</guid><pubDate>Wed, 20 Aug 2025 16:41:18 +0000</pubDate></item><item><title>Firefox CRLite boosts security and privacy without compromise</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-crlite-boosts-security-and-privacy-without-compromise-r30919/</link><description><![CDATA[<p>
	Mozilla has introduced a new certificate revocation system in Firefox 142 called CRLite. The browser maker said that CRLite makes browsing faster, more private, and more secure. As a bit of background, certificate revocation is useful for informing browsers that a website’s certificate is no longer trustworthy. In the past, communicating revocation information has been difficult and forced trade-offs between privacy, security, and performance.
</p>

<p>
	 
</p>

<p>
	CRLite operates entirely on-device, which eliminates the need for online checks. This on-device operation also prevents page load slowdowns and the leaking of visited sites to third parties. For those wondering if all this on-device processing leads to any kind of slowdown, the answer is no, it’s efficient enough to store all certificate revocations locally. The only data requirement that the feature has is 300KB per day of continuous updates to stay current - that’s a very small requirement in this day and age.
</p>

<p>
	 
</p>

<p>
	The <a automate_uuid="d52e7d45-ca11-45c8-b2d1-931a9beae858" href="https://blog.mozilla.org/en/firefox/crlite/" rel="external nofollow">development of CRLite</a> is notable because other browsers have deployed similar approaches but could only store a small fraction of the revoked certificates. Clever algorithms and techniques were used to achieve this performance; the technical details are outlined in a <a automate_uuid="84452042-3a38-4ee9-bfb4-e31ef0742ed8" href="https://hacks.mozilla.org/2025/08/crlite-fast-private-and-comprehensive-certificate-revocation-checking-in-firefox/" rel="external nofollow">Hacks post</a>.
</p>

<p>
	 
</p>

<p>
	Mozilla says that CRLite “sets a new standard for revocation security” and that it hopes this level of security will be adopted by other browsers and internet clients. The browser maker has designed it in such a way that makes it easy to adopt or adapt for other browser vendors.
</p>

<p>
	 
</p>

<p>
	If you want to learn more about the technical details of CRLite, you can check out the accompanying Hacks post as well as a <a automate_uuid="a27f69f9-3eca-4c96-b0f4-7be18bc95fb1" href="https://research.mozilla.org/files/2025/04/clubcards_for_the_webpki.pdf" rel="external nofollow">12-page technical paper</a> that goes even more in-depth. The development of CRLite has taken several years and involved individuals residing inside and outside of Mozilla. The first version of Firefox to use CRLite is Firefox 142, which <a automate_uuid="797dba69-73b2-45cf-910f-5567cb990c54" href="https://www.neowin.net/news/firefox-142-is-out-adds-a-useful-productivity-feature-extension-improvements-and-more/" rel="external nofollow">Neowin reported on recently</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/firefox-crlite-boosts-security-and-privacy-without-compromise/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 21 August 2025 at 2:39 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30919</guid><pubDate>Wed, 20 Aug 2025 16:40:17 +0000</pubDate></item><item><title>Major password managers can leak logins in clickjacking attacks</title><link>https://nsaneforums.com/news/security-privacy-news/major-password-managers-can-leak-logins-in-clickjacking-attacks-r30918/</link><description><![CDATA[<p>
	Six major password managers with tens of millions of users are currently vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details.
</p>

<p>
	 
</p>

<p>
	Threat actors could exploit the security issues when victims visit a malicious page or websites vulnerable to cross-site scripting (XSS) or cache poisoning, where attackers overlay invisible HTML elements over the password manager interface.
</p>

<p>
	 
</p>

<p>
	While users believe they are interacting with harmless clickable elements, they trigger autofill actions that leak sensitive information.
</p>

<p>
	 
</p>

<p>
	The flaws were presented during the recent DEF CON 33 hacker conference by independent researcher <a href="https://marektoth.com/blog/dom-based-extension-clickjacking/" rel="external nofollow" target="_blank">Marek Tóth</a>. Researchers at cybersecurity company Socket later <a href="http://socket.dev/blog/password-manager-clickjacking" rel="external nofollow" target="_blank">verified the findings</a> and helped inform impacted vendors and coordinate public disclosure.
</p>

<p>
	 
</p>

<p>
	The researcher tested his attack on certain versions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce, and found that all their browser-based variants could leak sensitive info under certain scenarios.
</p>

<h2>
	Exploitation methods
</h2>

<p>
	The main attack mechanic is to run a script on a malicious or compromised website that uses opacity settings, overlays, or pointer-event tricks to hide the autofill dropdown menu of a browser-based password manager.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Manipulating the password manager's element opacity" class="ipsImage" height="222" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/opacity.jpg">
		<figcaption>
			<strong>Manipulating the password manager's element opacity</strong><br>
			<em>Source: Marek Tóth</em>
		</figcaption>
	</figure>
</div>

<p>
	The attacker then overlays fake intrusive elements (e.g. cookie banners, popups, or CAPTCHA) so that the user’s clicks fall on the hidden password manager controls, which fills the forms with sensitive information.
</p>

<p>
	 
</p>

<p>
	Tóth demonstrated multiple DOM-based subtypes that constitute exploitation variants of the same flaw, including direct DOM element opacity manipulation, root element opacity manipulation, parent element opacity manipulation, and partial or full overlaying.
</p>

<p>
	 
</p>

<p>
	The researcher also demonstrated the possibility of using a method where the UI follows the mouse cursor, so any user click, no matter where it’s positioned, triggers data autofill.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Exposure of sensitive data" class="ipsImage" height="316" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/data-leak.jpg">
		<figcaption>
			<strong>Exposure of sensitive data</strong><br>
			<em>Source: Marek Tóth</em>
		</figcaption>
	</figure>
</div>

<p>
	Tóth says that a universal attack script can be used to identify the password manager active on the target’s browser and then adapt the attack in real-time.
</p>

<h2>
	Vendor impact and responses
</h2>

<p>
	The researcher tested 11 password managers chosen for their popularity and found that all of them were vulnerable to at least one attack method.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Vulnerability to the attack methods" class="ipsImage" height="407" style="height: auto;" width="900" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/vulnerability.jpg">
		<figcaption>
			<strong>Vulnerability to the attack methods</strong><br>
			<em>Source: Marek Tóth</em>
		</figcaption>
	</figure>
</div>

<p>
	With the help of Socket, all vendors were notified of the issues in April 2025. The researcher also alerted them that public disclosure would follow in August at DEF CON 33.
</p>

<p>
	 
</p>

<p>
	1Password rejected the report, categorizing it as “out-of-scope/informative,” arguing that clickjacking is a general web risk users should mitigate.
</p>

<p>
	 
</p>

<p>
	Similarly, LastPass marked the report as “informative,” while Bitwarden acknowledged the issues but downplayed the severity. However, Bitwarden told BleepingComputer that the issues have been fixed in version 2025.8.0, rolling out this week.
</p>

<p>
	 
</p>

<p>
	It is unclear if LastPass and 1Password are planning to address the problem.
</p>

<p>
	 
</p>

<p>
	LogMeOnce did not respond to any communication attempts, either by Tóth or Socket.
</p>

<p>
	 
</p>

<p>
	Currently, the following password managers, which together have around 40 million users, are vulnerable to Tóth's attack methods:
</p>

<p>
	 
</p>

<ul>
	<li>
		1Password 8.11.4.27
	</li>
	<li>
		Bitwarden 2025.7.0
	</li>
	<li>
		Enpass 6.11.6 (partial fix implemented in 6.11.4.2)
	</li>
	<li>
		iCloud Passwords 3.1.25
	</li>
	<li>
		LastPass 4.146.3
	</li>
	<li>
		LogMeOnce 7.12.4
	</li>
</ul>

<p>
	 
</p>

<p>
	The vendors that implemented fixes are Dashlane (v6.2531.1 released on August 1), NordPass, ProtonPass, RoboForm, and Keeper (v17.2.0 released in July). However, users should make sure that they're running the latest available versions of the products.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Current vulnerability status" class="ipsImage" height="395" style="height: auto;" width="900" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/status.jpg">
		<figcaption>
			<strong>Current vulnerability status</strong><br>
			<em>Source: Marek Tóth</em>
		</figcaption>
	</figure>
</div>

<p>
	Until fixes become available, Tóth recommends that users disable the autofill function in their password managers and only use copy/paste.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted all vendors who haven’t pushed fixes onto their products yet, and we will update this post with their responses once they reach us.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 21 August 2025 at 2:38 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30918</guid><pubDate>Wed, 20 Aug 2025 16:39:11 +0000</pubDate></item><item><title>&#x2018;Ad Blocking is Not Piracy&#x2019; Decision Overturned By Top German Court</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%98ad-blocking-is-not-piracy%E2%80%99-decision-overturned-by-top-german-court-r30891/</link><description><![CDATA[<p>
	German publisher Axel Springer, owner of brands including Bild and Die Welt, has been given another opportunity to have ad blocking outlawed on copyright grounds. After a series of defeats in its years-long legal action against the makers of Adblock Plus, the publisher appealed to the Federal Court of Justice. Germany's top court has now overturned a 2023 ruling by the Higher Regional Court of Hamburg, referring the case back for reconsideration of the core issues.
</p>

<p>
	 
</p>

<p>
	<img alt="abp-springer" class="ipsImage" height="266" width="265" src="https://torrentfreak.com/images/abp-springer.png"> 
</p>

<p>
	 
</p>

<p>
	There’s little doubt that online businesses reliant on advertising revenue are negatively affected by increasing use of ad blocking solutions.
</p>

<p>
	 
</p>

<p>
	Yet it’s thanks to abusive and invasive ads, and threats to privacy due to incessant online tracking, that ad blockers became so popular.
</p>

<p>
	 
</p>

<p>
	There’s a good argument today that an effective ad blocking solution is not just a way to keep out an avalanche of mostly unwanted advertising. In many cases ad blockers are seen as an essential tool in the internet user’s security toolbox and as a result, people are reluctant to turn them off.
</p>

<h2>
	Axel Springer Acquires Target, Misses, Switches to New Weapon
</h2>

<p>
	For German publisher Axel Springer, ad blocking solutions are mechanisms that fundamentally undermine the company’s ability to generate revenue. Hoping to force change, over a decade ago the company took legal action against Eyeo GmbH, the company behind <a href="https://adblockplus.org" rel="external nofollow">Adblock Plus</a>, arguing that the software interfered with its business model. In April 2018, Adblock Plus and Eyeo came out on top, when Germany’s Supreme Court found no breach of competition law.
</p>

<p>
	 
</p>

<p>
	Still determined to take ad blocking out of the game, Springer changed tack. In a new lawsuit, the publisher alleged that AdBlock Plus removes ads by interfering with the “programming code of websites” which violates its exclusive rights under copyright law.
</p>

<p>
	 
</p>

<p>
	Eyeo dismissed the claim as “almost absurd” and in January 2022 the Hamburg Regional Court denied Springer’s request for an injunction, ruling that there was no unauthorized copying or reworking of copyrighted computer programs as defined under local law.
</p>

<p>
	 
</p>

<p>
	Springer appealed and in 2023 <a href="https://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&amp;Art=en&amp;az=IV%20ZR%20131/23&amp;nr=137405" rel="external nofollow">lost again</a>, this time at the Higher Regional Court of Hamburg. Refusing to accept defeat, the publisher filed yet another appeal at the <a href="https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2024/2024107.html" rel="external nofollow">Federal Court of Justice</a> (BGH).
</p>

<h2>
	Treatment of Software Under German Copyright Law
</h2>

<p>
	While competition law may have been a dead end, copyright law can offer novel opportunities for the determined.
</p>

<p>
	 
</p>

<p>
	Axel Springer’s argument is built on provisions in German copyright law for the protection of software. According to <a href="https://dejure.org/gesetze/UrhG/69a.html" rel="external nofollow">§ 69a para. 3 UrhG</a>, a piece of software (‘computer program’) is afforded protection under copyright law if it “represents an individual work to the extent that it is the result of the author’s own intellectual creation.”
</p>

<p>
	 
</p>

<p>
	Protection applies to “all forms of expression” in the program but does not extend to “ideas and principles” underlying its elements. This effectively means that people can’t copy or distribute a piece of software verbatim, but they are free to write their own version of the software as long as there’s no direct copying of the original.
</p>

<p>
	 
</p>

<p>
	In more general terms, computer programs are treated as literary works under the Copyright Act and as such enjoy the same protection. This means that the author of a computer program (or their employer) holds exclusive rights to reproduce, distribute and make the program publicly available, just as an author of a book would.
</p>

<h2>
	Springer Argues Websites Are Computer Programs
</h2>

<p>
	Axel Springer argues that the software used to create its online media presence (i.e. its website) qualifies for protection as software under <a href="https://dejure.org/gesetze/UrhG/69a.html" rel="external nofollow">§ 69a (1) and (2)</a> of the Copyright Act.
</p>

<p>
	 
</p>

<p>
	<img alt="DE Copyright Act s69a" class="ipsImage" data-ratio="69.03" height="238" width="670" src="https://torrentfreak.com/images/DE-Copyright-Act-s69a.png">
</p>

<p>
	<em>§ 69a – Definition of software (German Copyright Act)</em>
</p>

<p>
	 
</p>

<p>
	Based on the assumption that its software does indeed qualify for protection under § 69a, Axel Springer notes that further protection is afforded under § 69c, with certain exclusive rights granted to the rightsholder.
</p>

<p>
	 
</p>

<p>
	Under § 69c, third parties must obtain permission for any of the following acts:
</p>

<p>
	 
</p>

<p>
	<img alt="DE Copyright Act s69c" class="ipsImage" data-ratio="75.10" height="298" width="670" src="https://torrentfreak.com/images/DE-Copyright-Act-s69c.png">
</p>

<p>
	<em>§ 69c – Exclusive rights for qualifying software under § 69a (German Copyright Act)</em>
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<em>§ 69c (2) “the translation, adaptation, arrangement and other modifications of a computer program as well as the reproduction of the results obtained.”</em>
	</p>
</blockquote>

<p>
	Axel Springer’s argument is that when Adblock Plus blocks or manipulates its website code (‘computer program’) present in the user’s browser, that amounts to a violation of its exclusive right of modification available under § 69c (2) and its reproduction right under § 69c (1).
</p>

<h2>
	Federal Court of Justice Overturns Decision of Lower Court
</h2>

<p>
	The above matters and others focused on the technical issues are detailed in the ruling handed down by the Federal Court of Justice (BGH). The ruling (<a href="http://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&amp;Art=en&amp;client=12&amp;pos=0&amp;anz=1&amp;Blank=1.pdf&amp;nr=142511" rel="external nofollow">Werbeblocker IV / Ad Blocker IV</a>) is clearly a setback for Eyeo GmbH; the Higher Regional Court of Hamburg previously ruled in favor of the Cologne-based company, a decision the BGH has just overturned.
</p>

<p>
	 
</p>

<p>
	In a nutshell, the BGH states that the Hamburg court arrived at its decision without first establishing important fundamentals. These details may support the decision of the Hamburg court or undermine it, but that can only be determined once the facts are established.
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<em>“When examining whether an infringement of a copyrighted right to a protected object (here: a computer program within the meaning of Section 69a (1) of the Copyright Act) has occurred, it is not always necessary to determine whether this protected object meets the requirements of a copyrighted work, computer program, or related right. Rather, this circumstance can be assumed, provided that there is no unlawful infringement of copyright,” the decision reads.</em>
	</p>

	<p>
		 
	</p>

	<p>
		<em>“It should be noted, however, that the question of an infringement of a property right may depend on a clear definition of the protected object and its features justifying protection. Denying an infringement of a copyright-protected right while simultaneously assuming that the protected object in question is eligible for copyright protection is therefore only possible in such a case if the object itself deemed to be protected by copyright and the features justifying its protection are clearly defined.”</em>
	</p>
</blockquote>

<h2>
	Technical Matters
</h2>

<p>
	Lubberger Lehment, the law firm acting for Axel Springer, highlights a technical aspect mentioned in the BGH decision which it believes warrants much closer attention.
</p>

<p>
	 
</p>

<p>
	“In particular, the Higher Regional Court did not sufficiently consider Axel Springer’s argument that a browser is a virtual machine controlled by a website program as byte code. In its reasoning, the Federal Supreme Court quotes in unusual detail what we presented with the help of external experts,” their statement reads.
</p>

<p>
	 
</p>

<p>
	The decision notes that this is not just about “changing variable data in the memory of a computer, but rather changing code created by the bytecode of the website ‘computer program’ as a form of expression of the website programming itself.”
</p>

<p>
	 
</p>

<p>
	For those interested in the technical argument, full details are available in the decision <em>(<a href="https://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&amp;Art=en&amp;client=12&amp;pos=0&amp;anz=1&amp;Blank=1.pdf&amp;nr=142511" rel="external nofollow">pdf</a>, German)</em>. Which elements will make or break the case, if any, is still unclear.
</p>

<h2>
	Outcome Could Have Far-Reaching Implications
</h2>

<p>
	The scale of the fallout from an Axel Springer win could be significant and, given the background, hard to balance in the bigger picture. Switching to copyright law purely because competition law proved insufficient suggests that copyright may have been viewed as a means to an end. Whether wider disruption will find balance in the benefits claimed by the plaintiffs is another question.
</p>

<p>
	 
</p>

<p>
	Lubberger Lehment state that the case isn’t just about protecting the integrity of online media.
</p>

<p>
	 
</p>

<p>
	“It is about the question of whether at all and in what quality online journalism can be offered and used in the future – it is about freedom of information without paywalls. This is fundamental to democracy,” the company writes.
</p>

<p>
	 
</p>

<p>
	Whether the developer community will come to view the following in a positive light remains to be seen.
</p>

<p>
	 
</p>

<p>
	<em>“[T]he case is of fundamental importance for the entire software industry. This is because all browser applications work with the same technical components, namely HTML5, CSS, PHP, and Java Script. This affects all cloud-based applications such as computer games, standard software, SAP, etc. The ad blocker trial will determine whether this future technology is protected by copyright or can be manipulated at will by third parties.”</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://torrentfreak.com/ad-blocking-is-not-piracy-decision-overturned-by-top-german-court-250819/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 20 August 2025 at 5:00 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30891</guid><pubDate>Tue, 19 Aug 2025 19:01:44 +0000</pubDate></item><item><title>Firefox advances privacy for Chinese, Japanese, and Korean users</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-advances-privacy-for-chinese-japanese-and-korean-users-r30890/</link><description><![CDATA[<p>
	Mozilla has added support for Chinese, Japanese, and Korean (CJK) translation on both desktop and Android following user requests. This update allows millions of users to translate web content without sending their data to the cloud. This is done via an on-device translation model and helps Mozilla achieve its mission of user privacy.
</p>

<p>
	 
</p>

<p>
	The <a automate_uuid="8c326c7b-d593-41a6-9461-eca33eed5990" href="https://blog.mozilla.org/en/firefox/cjk-translation-on-android/" rel="external nofollow">translation models</a> download automatically once and then work entirely offline on the user’s device. Mozilla says that Firefox doesn’t track the content users translate with this tool.
</p>

<p>
	 
</p>

<p>
	The team of developers who worked on this feature had to overcome some technical challenges to make on-device translation for CJK languages work efficiently on mobile devices with limited resources. Mozilla said that earlier algorithms couldn’t handle the character-based scripts of these languages and the lack of open-source data for training CJK models made development even harder. The team upgraded their machine learning models and optimized performance, especially for low-end Android devices. Specifically, the new algorithms prioritize translating only the visible parts of the web page to save memory and processing power.
</p>

<p>
	 
</p>

<p>
	One of the big issues when working with language translations is checking that translations are accurate. Mozilla said that its engineers do not speak every language they support, so have had to rely on community volunteers and internal colleagues to test the new features. Testers provided essential feedback on early versions, helping to refine the models and ensure accurate, real-world translations.
</p>

<p>
	 
</p>

<p>
	One specific example given was a restaurant menu item translating “stuffed mushrooms” as a plush toy, which a tester pointed out. The company also noted that automated tools used for measuring accuracy were no substitute for native speakers’ feedback.
</p>

<p>
	 
</p>

<p>
	Since making these languages available to translate in Firefox for the desktop (it was made available previously), the number of active translation users in Asia has doubled. With the rollout on Android ongoing now, the company hopes to expand this secure, private translation capability to even more people. Users can update Firefox on Android or desktop and tap the translate icon to begin using the new feature.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/firefox-advances-privacy-for-chinese-japanese-and-korean-users/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 20 August 2025 at 4:59 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30890</guid><pubDate>Tue, 19 Aug 2025 19:00:14 +0000</pubDate></item><item><title>Germany could ban ad blockers, but don't panic, the case hasn't even been decided</title><link>https://nsaneforums.com/news/security-privacy-news/germany-could-ban-ad-blockers-but-dont-panic-the-case-hasnt-even-been-decided-r30889/</link><description><![CDATA[<p>
	Over the past few days, the rather controversial topic "Germany could ban ad blockers" has caused outrage among users. These people need to chill; the case is still undecided.
</p>

<p>
	 
</p>

<p>
	Long story short, Axel Springer sued Eyeo GmbH (owners of <a data-wpel-link="internal" href="https://www.ghacks.net/2024/05/30/youtube-is-automatically-skipping-videos-if-you-use-adblock-plus/" rel="external nofollow" target="_blank">Adblock Plus</a>), in a lawsuit that has dragged on for over a decade. It was complaining about lost revenue due to ads being blocked by the extension's users.
</p>

<p>
	 
</p>

<p>
	Springer lost multiple appeals based on competition law. Then the publishers turned to copyright law. It claimed that ad blockers violated copyright law by modifying a website's HTML code in order to block ads, i.e. the browser displayed the website differently. The appeal was rejected by a Hamburg court, which said that changing the way a website is displayed by a browser does not amount to modifying the code, and hence did not violate the copyright law.
</p>

<p>
	 
</p>

<p>
	The German Federal Court of Justice, Bundesgerichtshof (BGH), heard an appeal from Springer, which argued that the DOM node tree and CSS structure used by the website (for formatting) are forms of user expression, and that these are protected by copyright. The BGH decided that the previous ruling by the Hamburg court was not sufficiently substantiated. The lower court has been asked to hear the case again. (via: <a data-wpel-link="external" href="https://www.heise.de/en/news/Copyright-Springer-vs-Adblock-Plus-enters-another-round-10505898.html" rel="external nofollow" target="_blank">Heise.de</a>)
</p>

<p>
	 
</p>

<p>
	<a data-wpel-link="external" href="https://blog.mozilla.org/netpolicy/2025/08/14/is-germany-on-the-brink-of-banning-ad-blockers-user-freedom-privacy-and-security-is-at-risk/" rel="external nofollow" target="_blank">Mozilla published an article</a> about this drama, and its headline resulted in quite the confusion; perhaps that could have been avoided. Its article clearly states that the case has been returned to a lower court for additional fact-finding, and it may take a couple of years before a resolution is reached.
</p>

<p>
	 
</p>

<p>
	Back on topic, should one company's complaint compromise the privacy and security of millions? <a data-wpel-link="external" href="http://www.reddit.com/r/uBlockOrigin/comments/tie7un/ublock_origin_is_blocked_by_mozilla_in_china/" rel="external nofollow" target="_blank">China banned ad-blockers</a> in 2022, so yes it is a possibility, but I doubt such a law would be passed in a democracy, where privacy is a fundamental right.
</p>

<p>
	 
</p>

<p>
	Ad-blockers don't merely block ads, they add a layer of protection that prevents malicious scripts from loading, and they also prevent users from being tracked or fingerprinted, thus protecting their privacy. By removing an ad-blocker, you would be exposing users to serious security and privacy risks.
</p>

<p>
	 
</p>

<p>
	In the unlikely event that ad-blockers are banned in Germany, I'm not quite certain how this would work. Will browser makers have to ban ad-blockers like Adblock Plus, AdGuard, <a data-wpel-link="internal" href="https://www.ghacks.net/2025/08/05/ublock-origin-lite-for-safari-released-for-ios-ipados-and-macos/" rel="external nofollow" target="_blank">uBlock Origin</a>, etc., from their extension stores like China did? Would it be illegal for users to have such add-ons installed, even via side-loading them from a different source? What about the built-in ad filtering in browsers? I suppose advanced users could use system-wide ad blockers, or self-host a Pi-hole.
</p>

<p>
	 
</p>

<p>
	Forget AIs for a minute, the immediate threat to privacy is laws like this. They want backdoors in your phones, want you to verify your age by submitting IDs, they try to strong-arm messaging services to disable encryption. It feels like we are living in some sort of cheap fiction novel.
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/08/19/germany-could-ban-ad-blockers-but-dont-panic-the-case-hasnt-even-been-decided/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 20 August 2025 at 4:58 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30889</guid><pubDate>Tue, 19 Aug 2025 18:59:30 +0000</pubDate></item><item><title>Login credentials for millions of PayPal accounts reportedly being sold online</title><link>https://nsaneforums.com/news/security-privacy-news/login-credentials-for-millions-of-paypal-accounts-reportedly-being-sold-online-r30883/</link><description><![CDATA[<p>
	PayPal is a very lucrative target for malicious actors since the platform is responsible for managing financial transactions for millions of users on a global scale. As such, it is extremely alarming when a malicious actor claims to have access to login credentials of millions of accounts and is selling them online.
</p>

<p>
	 
</p>

<p>
	According to multiple outlets which have seen the massive PayPal data dump, such as <a automate_uuid="76c0228d-ba58-4afd-a89a-e479decdb518" href="https://hackread.com/threat-actor-selling-plain-text-paypal-credentials/" rel="external nofollow">Hackread</a> and <a automate_uuid="69e0d865-649b-4096-b245-c5e65dbf8e21" href="https://cybernews.com/security/paypal-credential-dump-hacker-claims/" rel="external nofollow">Cybernews</a>, the "Global PayPal Credential Dump 2025" repository on the dark web contains email addresses and plaintext password pairs for 15.8 million accounts. The seller also claims to have access to user-specific endpoints which can be leveraged to automate logins and abuse other PayPal services. Altogether, the trove weighs in at about 1.1GB, and the seller is asking for $750 for anyone who wants access to it.
</p>

<p>
	 
</p>

<p>
	PayPal downplayed this issue in a statement to Cybernews, claiming that the data dump is not the result of a new breach but comes from a cybersecurity incident in 2022. In that year, PayPal suffered a credential-stuffing attack, and in January 2025, <a automate_uuid="969e5d1f-a383-4e04-ab7a-29379722debd" href="https://www.neowin.net/news/paypal-hit-with-2-million-fine-by-regulators-after-investigation-revealed-massive-breach/" rel="external nofollow">the company paid a $2 million fine to U.S. regulators</a> after it was deemed that its platform security measures weren't strong enough to govern who gets access to personal user data like phone numbers, emails, addresses, and social security numbers.
</p>

<p>
	 
</p>

<p>
	That said, the seller has denied that this data comes from an older breach, and says that it is actually from an incident in May 2025. Interestingly, PayPal hasn't disclosed any cybersecurity lapse that occurred during this timeframe. This indicates that if the data is indeed valid, it may have been captured through infostealer malware. However, it is impossible to verify the authenticity of the data without getting full access to it. As always, make sure you have a strong password that was recently updated and that you leverage multi-factor authentication (MFA) mechanisms.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/login-credentials-for-millions-of-paypal-accounts-reportedly-being-sold-online/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 19 August 2025 at 5:49 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30883</guid><pubDate>Tue, 19 Aug 2025 07:50:41 +0000</pubDate></item><item><title>Mozilla warns Germany could soon declare ad blockers illegal</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-warns-germany-could-soon-declare-ad-blockers-illegal-r30869/</link><description><![CDATA[<p>
	A recent ruling from Germany’s Federal Supreme Court (BGH) has revived a legal battle over whether browser-based ad blockers infringe copyright, raising fears about a potential ban of the tools in the country.
</p>

<p>
	 
</p>

<p>
	The case stems from online media company Axel Springer’s lawsuit against Eyeo - the maker of the popular Adblock Plus browser extension.
</p>

<p>
	 
</p>

<p>
	Axel Springer says that ad blockers threaten its revenue generation model and frames website execution inside web browsers as a copyright violation.
</p>

<p>
	 
</p>

<p>
	This is grounded in the assertion that a website’s HTML/CSS is a protected computer program and that an ad blocker intervenes in its in-memory execution structures (DOM, CSSOM, rendering tree), thereby constituting unlawful reproduction and modification.
</p>

<p>
	 
</p>

<p>
	Previously, this claim was rejected by a lower-level court in Hamburg, but a new ruling by the BGH found the earlier dismissal flawed and overturned part of the appeal, sending the case back for examination.
</p>

<p>
	 
</p>

<p>
	Mozilla’s Senior IP &amp; Product Counsel, Daniel Nazer, delivered a warning last week, noting that due to the underlying technical background of the legal dispute, the ban could also impact other browser extensions and hinder users' choices.
</p>

<p>
	 
</p>

<p>
	“There are many reasons, in addition to ad blocking, that users might want their browser or a browser extension to alter a webpage,” <a href="https://blog.mozilla.org/netpolicy/2025/08/14/is-germany-on-the-brink-of-banning-ad-blockers-user-freedom-privacy-and-security-is-at-risk/" rel="external nofollow" target="_blank">Nazer says</a>, explaining that some causes could stem from the need "to improve accessibility, to evaluate accessibility, or to protect privacy."
</p>

<p>
	 
</p>

<p>
	As per BGH’s ruling, Springer’s argument needs to be re-examined to determine if DOM, CSS, and bytecode count as a protected computer program and whether the ad blocker's modifications are lawful.
</p>

<p>
	 
</p>

<p>
	“It cannot be excluded that the bytecode, or the code generated from it, is protected as a computer program, and that the ad blocker, through modification or modifying reproduction, infringed the exclusive right thereto,” <a href="https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2025/2025148.html" rel="external nofollow" target="_blank">reads BGH’s statement</a> (automated translation).
</p>

<p>
	 
</p>

<p>
	While ad blockers haven’t been outlawed, Springer’s case has been revived now, and there’s a real possibility that things may take a different turn this time.
</p>

<p>
	 
</p>

<p>
	Mozilla noted that the new proceedings could take up to a couple of years to reach a final conclusion. As the core issue is not settled, there is a future risk of extension developers being held liable for financial losses.
</p>

<p>
	 
</p>

<p>
	Mozilla explains that, in the meantime, the situation could cause a chilling effect on browser users’ freedom, with browser developers locking down their apps further, and extension developers limiting the functionality of their tools to avoid legal troubles.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/legal/mozilla-warns-germany-could-soon-declare-ad-blockers-illegal/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 19 August 2025 at 2:55 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30869</guid><pubDate>Mon, 18 Aug 2025 16:56:16 +0000</pubDate></item><item><title>The Tweens Down Under: Life Without Social Media in Australia</title><link>https://nsaneforums.com/news/security-privacy-news/the-tweens-down-under-life-without-social-media-in-australia-r30868/</link><description><![CDATA[<h3>
	As Australia rolls out a ban on social media for kids under 16, tech companies face steep fines and teens face life without TikTok, Instagram, and other platforms. Will it work?
</h3>

<p>
	<span class="lead-in-text-callout">Starting on December</span> 10, many Australian teenagers will no longer be as online as their peers in other countries. The Social Media Minimum Age Bill, passed in 2024, stipulates that a person must be at least 16 years old to have an account on platforms like <a href="https://www.wired.com/tag/instagram/" rel="external nofollow">Instagram</a>, <a href="https://www.wired.com/tag/tiktok/" rel="external nofollow">TikTok</a>, <a href="https://www.wired.com/tag/snapchat/" rel="external nofollow">Snapchat</a>, and <a href="https://www.wired.com/tag/youtube/" rel="external nofollow">YouTube</a>.
</p>

<p>
	 
</p>

<p>
	Across the world, people young and old are increasingly recognizing the negative impacts that <a href="https://www.wired.com/category/business/social-media/" rel="external nofollow">social media</a> has on adolescents. Nearly half of teenagers in the US claim these platforms <a href="https://www.pewresearch.org/internet/2025/04/22/teens-social-media-and-mental-health/" rel="external nofollow">harm people their age</a>; parents are even more concerned. While several US states have <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.ncsl.org/technology-and-communication/social-media-and-children-2024-legislation" href="https://www.ncsl.org/technology-and-communication/social-media-and-children-2024-legislation" rel="external nofollow" target="_blank">introduced legislation</a> to safeguard kids online, a national ban seems far off.
</p>

<p>
	 
</p>

<p>
	Australia, by contrast, fast-tracked its prohibition: Annabel West, a lawyer and mother in Adelaide, read Jonathan Haidt’s book <em>The Anxious Generation</em>, and told her husband—South Australia premier Peter Malinauskas—that he had to do something. He proposed legislation in his small state, and it rapidly gained support across the country. A few months later, the social media ban was signed into law, making Australia the first country in the world to make such a move.
</p>

<p>
	 
</p>

<p>
	“Parents want their kids off their phones and on the footy field,” Prime Minister Anthony Albanese told the <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.abc.net.au/news/2024-09-09/government-plans-social-media-porn-site-age-limit/104329920" href="https://www.abc.net.au/news/2024-09-09/government-plans-social-media-porn-site-age-limit/104329920" rel="external nofollow" target="_blank">Australian Broadcasting Corporation</a> last fall after the national ban was proposed. “So do I.”
</p>

<p>
	 
</p>

<p>
	The legislation has seen resounding support among Australian parents and legislators. It passed in Parliament with an overwhelming, bipartisan majority; <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://au.yougov.com/politics/articles/51000-support-for-under-16-social-media-ban-soars-to-77-among-australians" href="https://au.yougov.com/politics/articles/51000-support-for-under-16-social-media-ban-soars-to-77-among-australians" rel="external nofollow" target="_blank">77 percent</a> of Australians support the ban. Perhaps unsurprisingly, it’s less popular with tech companies—who may face fines if they can’t keep kids off their platforms—and with teenagers themselves.
</p>

<p>
	 
</p>

<p>
	“At first it seemed like a good idea, but over time, I’ve become more and more against it,” says Elena Mitrevska, an 18-year-old who lives in Melbourne. “I honestly think it is removing spaces for connection and community.”
</p>

<p>
	 
</p>

<p>
	More than most teens, Mitrevska has a say in how the social media bill’s provisions take shape in real life. She’s a member of the eSafety Youth Council, a group of 17 Australians, ages 13 to 24, who advise the country’s eSafety office, which will enforce the new legislation when it goes into effect in December. They didn’t vote on the bill, but now they have input on how it’ll be enacted. (Mitrevska and the other teenagers quoted in this article are expressing their own views, not the views of the eSafety Youth Council or Commissioner.)
</p>

<p>
	 
</p>

<p>
	Like other members of the council, Mitrevska believes that social media can be harmful for young people, especially in terms of addictive design and graphic material shared in online communities. But she worries an outright ban won’t get to the root of the problem. “It seems really disingenuous to me to remove entire online spaces for young people, versus just talking and trying to fix those particular issues,” she says. “It really feels like an attempt to bury young people’s heads in the sand.”
</p>

<p>
	 
</p>

<p>
	Australian regulators disagree. They believe the ban will give adults the chance to teach kids some internet literacy one-on-one before they are fully immersed in social media. The goal is to improve mental health outcomes while putting the onus on tech companies to verify the ages of their users.
</p>

<p>
	 
</p>

<p>
	“We’re aware that delaying children’s access to social media accounts won’t solve everything but it will introduce some friction in a system that has previously had none,” eSafety Commissioner Julie Inman Grant tells WIRED via email. She emphasized that it’s designed to let parents set the ground rules, “giving them valuable time to help their children develop the resilience, critical thinking and digital literacy they need.”
</p>

<p>
	 
</p>

<p>
	Mitrevska stresses that for many teenagers, social media platforms are where they develop beliefs and community. She has used apps like TikTok and Instagram to find other young people who are politically engaged; it’s also been transformative in terms of exploring her own identity. “I grew up believing a lot of homophobic rhetoric, and the thing that got me out of that spiral was YouTube short films from art colleges,” she says. “There’s no phonebook for finding other gay kids like you, and social media is really great for that.”
</p>

<p>
	 
</p>

<p>
	When the ban passed last year, tech companies warned it could <a href="https://www.reuters.com/world/asia-pacific/australian-pm-albanese-says-social-media-firms-now-have-responsibility-protect-2024-11-28/" rel="external nofollow">send teens</a> to darker corners of the internet. Facing fines of nearly 50 million Australian dollars ($32 million), they’re now figuring out how they’ll keep kids under 16 off their platforms. They can ask for government ID, or perhaps use facial scanning technology, but the specific mechanisms each platform will use—and how kids might try to get around them—have yet to be determined.
</p>

<p>
	 
</p>

<p>
	Raghu Vijayan, a 17-year-old from Adelaide on the eSafety Youth Council, believes that the social media bill is a start—although he cautions that a ban alone isn’t enough. He also stresses that turning 16 doesn’t immediately equip someone with the tools to handle social media, that “they’re going to magically learn how to deal with harmful content,” especially if they’ve been shielded from it. He believes the law needs to be paired with comprehensive education about social media, tailored by young people, and a social media trial period, like a learner’s permit before a driver’s license.
</p>

<p>
	 
</p>

<p>
	Vijayan also worries that the ban will discourage young people from reporting dangerous content or experiences online. The bill states that while social media companies will be fined, teenagers won’t be prosecuted for accessing platforms, “but if you’re a young person, you probably won’t remember that,” he says. That’s part of the role of the Youth Council: to help the eSafety Commission structure its regulatory guidance and communicate the law to young people in a way that they’ll trust.
</p>

<p>
	 
</p>

<p>
	Vijayan wishes that social media companies would make the changes themselves. “They’ve allowed cyber bullying, echo chambers, and harmful content, and they’ve created a system where image-based abuse is allowed to fester, so we think the onus should be on them to try and design a system to solve it,” he says. “Then we wouldn’t have to ban social media for young people.”
</p>

<p>
	 
</p>

<p>
	For adults, the idea of doing away with social media for young people is appealing. Work like Haidt’s <em>The Anxious Generation</em> calls for a return to an earlier time, one where kids made friends by playing outside and sustained relationships in-person. But teenagers know that social media is the water they swim in.
</p>

<p>
	 
</p>

<p>
	“There’s such a big focus on bringing back adolescence and protecting childhood, but removing social media for under-16s isn’t going to make being under 16 like it was before social media,” says Mitrevska. “It’s such an integrated part of daily life.” Despite the negative impacts, these platforms are where young people learn and spend their social lives; without investment in alternative spaces, the ban will leave a sizable gap.
</p>

<p>
	 
</p>

<p>
	The members of the Youth Council are focused on how to help 16-year-olds safely navigate social media for the first time. “I feel personal expertise comes from experience, so if young people are not spending that time in digital spaces, they’re going to enter those spaces again much less informed and in a way, much more vulnerable,” says Mitrevska. Like with any pressing issue, the teens are looking for answers on social media and in the group chat.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/kids-social-media-australia-ban/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 19 August 2025 at 2:53 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30868</guid><pubDate>Mon, 18 Aug 2025 16:54:47 +0000</pubDate></item></channel></rss>
