The campaign, discovered and documented by Koi Security, impersonates cryptocurrency wallet extensions from well-known platforms such as MetaMask, TronLink, and Rabby.

These extensions are uploaded in a benign form initially, to be accepted by Firefox, and accumulate fake positive reviews.

At a later phase, the publishers strip out the original branding and replace it with new names and logos while also injecting malicious code to steal users' wallet credentials and IP addresses.

The malicious code acts as a keylogger, capturing input from form fields or within displayed popups, which are then sent to the attacker's server.

"The weaponized extensions captures wallet credentials directly from user input fields within the extension’s own popup interface, and exfiltrate them to a remote server controlled by the group," explains Koi Security's Tuval Admoni.

"During initialization, they also transmit the victim’s external IP address, likely for tracking or targeting purposes."

The crypto-draining operation is complemented by dozens of Russian-speaking pirated software websites that facilitate the distribution of 500 distinct malware executables, and also a network of websites impersonating Trezor, Jupiter Wallet, and fake wallet repair services.

In the cases of malware, the payloads include generic trojans, info-stealers (LummaStealer), or even ransomware.

All of these sites are linked to the same IP address, 185.208.156.66, which serves as a command-and-control (C2) hub for the GreedyBear operation

Koi Security reported its findings to Mozilla, and the offending extensions have been removed from Firefox's add-ons store.

However, its wide scale and apparent ease in execution are a demonstration of how AI can help cybercriminals create large-scale schemes and quickly recover from total takedowns.

"Our analysis of the campaign's code shows clear signs of AI-generated artifacts," explains the report.

"This makes it faster and easier than ever for attackers to scale operations, diversify payloads, and evade detection."

The previous large-scale attack on the Firefox store occurred last month, involving over 40 fake extensions pretending to be wallets from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero.

It's notable that these fraudulent extensions still find their way into the Firefox store despite Mozilla having deployed a system in June 2025 to detect crypto-drainer add-ons.

Koi Security also reports seeing signs that the operators of GreedyBear are exploring expansion to the Chrome Web Store, as they already spotted a malicious Chrome extension named "Filecoin Wallet" that uses the same data-theft logic and communicates with the same IP address.

To minimize the risk from these threats, always read multiple user reviews and check extension and publisher details before installing add-ons on your browser.

You can find the official wallet extensions on the websites of the projects themselves, either hosted directly or linking to the legitimate add-on on online stores.

BleepingComputer contacted Mozilla and Google about this campaign and their efforts to protect users, and will update this article with any responses.

Source

Hope you enjoyed this news post.

Posted Friday 8 August 2025 at 2:31 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

The new feature is rolling out more widely to beta testers as part of the WhatsApp beta for Android 2.25.22.22 update but is only rolling out for some users right now. The About section lets you set a short profile note that is separate to your 24-hour Status update. While this boosts WhatsApp’s status as an ephemeral platform where information disappears, it does add a layer of complexity which some people might find confusing.

When you set an About status, it will be displayed in the conversation header and will alternate with your last seen information. You can also set an emoji character if you want to tell people your mood or current activity. When the timer expires, nobody else will be able to see your status, but it will be saved in your private history, accessible only by you.

While the move will be portrayed by Meta as a privacy feature, it could also be seen as an aggressive move to keep users engaged and informed of their contacts’ activities and could see users oversharing, rather than maintaining privacy.

While the timer will remove the status, users will still be able to update or remove the status at any time before it expires. People also need to remember that the About status is different to the traditional 24-hour Status.

Users on the stable version of WhatsApp will not yet see the feature, as it’s only coming to a limited number of beta testers. Meta has also not disclosed a full rollout timeline, so while the expanded rollout indicates that it’s getting closer, we don’t know for sure when it will arrive.

Source and image via WABetaInfo

Source

Hope you enjoyed this news post.

Posted Friday 8 August 2025 at 2:30 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

Microsoft has announced the general availability of sensitive content detection in Teams. As the name suggests, this capability automatically prevents customers from sharing sensitive content during screensharing sessions in Teams. This includes confidential data like credit card numbers, bank account numbers, social security numbers, passport numbers, taxpayer IDs, and similar identification details.

Teams will automatically scan a shared screen and alert the user when they are sharing any of the aforementioned content types. This alerting mechanism will be twofold; it will notify the presenter and the organizer, and it will prompt the presenter to stop sharing their screen. Attendees will not be made aware of this process in any way.

Sensitive content detection works on web, mobile, and desktop versions of Teams, but keep in mind that it requires a Teams Premium license. Those with access to it can enable it from meeting options, under Advanced protection > Detect sensitive content during screen sharing. This mechanism will work automatically in the background, but it won't proactively block your screensharing session, as it could cause unnecessary disruptions in case of a false positive. Microsoft wants the user to remain in control while this particular feature just acts as a "guardian angel" for your screen. This is arguably a very handy capability to have in your arsenal as it decreases the chances of customers accidentally sharing private information.

This isn't Microsoft's only recent feature in the domain of screensharing. Just last week, it announced that Teams admins will be able to see telemetry data for screensharing in order to ensure compliance and detect if confidential information is being leaked to external personnel.

Source

Hope you enjoyed this news post.

Posted Thursday 7 August 2025 at 2:10 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

Dell has issued an advisory indicating that lots of its PCs have a critical flaw due to a vulnerability present in the Broadcom series BCM5820X chip. This hardware is typically used in Dell Precision and Latitude laptops, which are primarily leveraged in business settings but may be used in personal environments too.

The advisory has been tagged as DSA-2025-053, and it lists five vulnerabilities, namely:

• CVE-2025-24311
• CVE-2025-25215
• CVE-2025-24922
• CVE-2025-25050
• CVE-2025-24919

All of these security holes deal with issues in the built-in ControlVault3 feature, which is a hardware-based mechanism used to store sensitive information such as passwords, biometrics, and more in the firmware.

A quick view of the vulnerabilities on the National Vulnerability Database (NVD) indicates that specially crafted ControlVault3 APIs can be used by malicious actors to leak information, arbitrarily free memory, execute code remotely, and write to out-of-bounds memory locations. All of these have CVSS scores of greater than 8.0, tagging them as "high", which is probably why Dell has classified its updates as "Critical" in its own advisory.

A Dell spokesperson informed The Register that customers were privately informed of this vulnerability on June 13. It appears that details have only recently been made public in light of generally available fixes. The spokesperson noted that

Working with our firmware provider, we addressed the issues quickly and transparently disclosed the reported vulnerabilities in accordance with our Vulnerability Response Policy. Customers can review the Dell Security Advisory DSA-2025-053 for information on affected products, versions, and more.

 

[...] As always, it is important that customers promptly apply security updates that we make available and move to supported versions of our products to ensure their systems remain secure.

Patches for ControlVault3 driver and firmware are accessible through the dedicated links in Dell's advisory here. There has not been any evidence of the security flaw being exploited in the wild. The scope of the issue is currently unclear too, but it's expected to impact tens of millions of PCs given how common Dell Precision and Latitude laptops are in business environments.

Source

Hope you enjoyed this news post.

Posted Wednesday 6 August 2025 at 4:09 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

Most of the banned accounts were a part of an organized scam group based out of Southeast Asia. These scam centers lure innocent people by offering attractive crypto investment opportunities and pyramid schemes. WhatsApp also joined hands with its parent company, Meta, to crack down on a criminal scam center in Cambodia.

In addition to doing things at the backend, WhatsApp is also introducing some new anti-scam tools that will help people protect themselves from scams. For group messaging, WhatsApp will show you a safety overview when someone, not in your contacts, adds you to a group. You will be able to exit the group without ever needing to look at the chats. Moreover, notifications from such groups will remain silenced unless you choose otherwise.

For individual messages, the social media platform is testing a new alerts feature that will provide more context, such as who you are chatting with, to users when they initiate a conversation with an unknown contact.

WhatsApp also encourages people to stay vigilant and self-aware and pause before replying to an unknown contact. They can question their urgency and verify who is at the other end. If things look too good to be true, and something you weren't expecting, chances are high that it is a legit scam. You can also cross-check by calling their number or putting them up on a video call to see who's on the other side.

Source

Hope you enjoyed this news post.

Posted Wednesday 6 August 2025 at 4:08 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

The two security bugs, tracked as CVE-2025-21479 and CVE-2025-27038, were reported through the Google Android Security team in late January 2025.

The first is a Graphics framework incorrect authorization weakness that can lead to memory corruption due to unauthorized command execution in the GPU micronode while executing a specific sequence of commands. CVE-2025-27038, on the other hand, is a use-after-free vulnerability that causes memory corruption while rendering graphics using Adreno GPU drivers in Chrome.

Google has now integrated the patches announced by Qualcomm in June, when the wireless tech giant warned that "There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation."

"Patches for the issues affecting the Adreno Graphics Processing Unit (GPU) driver have been made available to OEMs in May together with a strong recommendation to deploy the update on affected devices as soon as possible," Qualcomm said.

CISA has also added the two security bugs to its catalog of actively exploited vulnerabilities on June 3rd, ordering federal agencies to secure their devices against ongoing attacks by June 24.

With this month's Android security updates, Google has also fixed a critical security vulnerability in the System component that attackers with no privileges can exploit to gain remote code execution when chained with other flaws in attacks that don't require user interaction.

Google has issued two sets of security patches: the 2025-08-01 and 2025-08-05 security patch levels. The latter bundles all fixes from the first batch and patches for closed-source third-party and kernel subcomponents, which may not apply to all Android devices.

While Google Pixel devices receive security updates immediately, other vendors will often take longer to test andtweak them for their specific hardware configurations.

In March, Google also patched two zero-day vulnerabilities exploited in targeted attacks by Serbian authorities to unlock confiscated Android devices.

Last November, the company addressed a second Android zero-day (CVE-2024-43047) used by the Serbian government in NoviSpy spyware attacks, which was first tagged as exploited by Google Project Zero in October.

Source

Hope you enjoyed this news post.

Posted Wednesday 6 August 2025 at 2:17 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

The add-on was previously only available for Windows and Linux browsers such as Chrome, Brave, Edge, Vivaldi, etc.

Download uBlock Origin Lite for Safari from the App Store. It is compatible with iOS 18.0, iPadOS 18.0, macOS 15.0, Apple visionOS 2.0 or above.

Note: You need to be on Safari 18.6 or above for it to work. I tried it on Safari 18.5, and the add-on wasn't compatible with the old version of the browser.

Once you have installed uBlock Origin Lite for Safari, go to your iPhone's Settings > Safari > Extensions, and enable some permissions for the add-on.

According to the app's description, uBlock Origin Lite uses its own built-in filter lists, and also supports EasyList, EasyPrivacy and Peter Lowe’s Ad and tracking server list. All of these lists are enabled by default. But there are more lists that you can optionally enable from the settings page.

Open any web page in Safari, and tap on the extensions button, and you'll be able to manage uBlock Origin Lite. It works right out of the box, and should block most if not all ads. The add-on's pop-up panel has a slider that lets you control the filtering level: No filtering, Basic, Optimal (default), and Complete.

uBlock Origin Lite for Safari has the element zapper for those pesky banners, and other elements that might annoy you. Keep in mind that things that are zapped are only gone temporarily, they'll be back when you reload the web page. Ads on the other hand are blocked properly without user intervention.

And now to the big question, does it work on YouTube? Yes, uBlock Origin Lite for Safari blocked ads on YouTube perfectly. I tested the extension on iOS 18.6 and macOS 26.0 Beta.

The Lite version may not have all the capabilities that uBlock Origin does, but it's still pretty darn good.

If you're already using an ad blocker, disable it and enable uBlock Origin Lite. It is not advisable to use multiple content blockers at the same time.

Have you tried the add-on on your iPhone, iPad or Mac?

Source

Hope you enjoyed this news post.

Posted Wednesday 6 August 2025 at 2:15 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

Proton fixed a bug in its new Authenticator app for iOS that logged users' sensitive TOTP secrets in plaintext, potentially exposing multi-factor authentication codes if the logs were shared.

Last week, Proton released a new Proton Authenticator app, which is a free standalone two-factor authentication (2FA) application for Windows, macOS, Linux, Android, and iOS.

The app is used to store multi-factor authentication TOTP secrets that can be used to generate one-time passcodes for authentication on websites and applications.

Over the weekend, a user posted in a now-deleted Reddit post that the iOS version was exposing TOTP secrets in the app's debug logs found under Settings > Logs.

"Imported my 2FA accounts, enabled backup and sync, everything looked good at first. At some point, after I changed the label on one of my entries and switched apps briefly," reads an archive of the post.

"I came back to find that about half of my 2FA entries were gone. I think it might've happened after the label edit, but I'm not 100% sure. Could've been something else. Either way, they disappeared without any error or warning."

"I wanted to do the right thing and submit a bug report. While preparing it, I opened the log file the app generates, and that's when it went from mildly annoying to deeply concerning. Turns out, the log contains full TOTP secrets in plaintext. Yes, including the one for my Bitwarden account."

Another commenter noted that the leak stems from code on the iOS app [1, 2] that adds a lot of data about a TOTP entry to a params variable, which is then passed to two functions used for adding or updating a TOTP secret on the app.

When this is done, the functions will also add this data to a log entry, which exposes the TOTP secret.

Proton confirmed the bug in the iOS version, stating that it is now fixed in version 1.1.1, released to the App Store approximately 7 hours ago.

"Secrets are never transmitted to the server in plaintext, and all sync of secrets is done with end-to-end encryption. Logs are local only (never sent to the server), and these secrets can also be exported on your device to meet GDPR data portability requirements," Proton told BleepingComputer.

"In other words, even if this was not in the logs, somebody who has access to your device to get these logs, would still be able to obtain the secrets. Proton's encryption cannot protect against device side compromise, so you must always secure your device as that is outside of our threat model."

"We have updated the iOS app to change the logging behavior, but this isn't a vulnerability that can be exploited by an attacker, and if the attacker has access to your device to access the local logs, they will anyways be able to obtain the secrets, and there is nothing Proton (or any 2FA app) can do to prevent that."

While this log data can't be exploited remotely, the concern was that if the logs were shared or posted anywhere to help diagnose an issue or bug, it would also expose the sensitive TOTP secret to a third party.

These secrets could then be imported to another Authenticator to generate one-time passcodes for that account.

Source

Hope you enjoyed this news post.

Posted Tuesday 5 August 2025 at 12:21 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

Mozilla's add-on platform hosts over 60,000 browser extensions and more than 500,000 themes used by tens of millions of users worldwide.

According to Mozilla's advisory, these phishing emails are impersonating the AMO team and claim that the targeted developer accounts require updates to maintain access to development features.

"The developer community should be aware we've detected a phishing campaign targeting AMO (addons.mozilla.org) accounts. Add-on developers should exercise extreme caution and scrutiny when receiving emails claiming to be from Mozilla/AMO," Mozilla cautioned on Friday.

"Phishing emails typically state some variation of the message' Your Mozilla Add-ons account requires an update to continue accessing developer features.'"

To secure their accounts, developers are advised to always verify if emails they receive are sent from a Mozilla domain (firefox.com, mozilla.org, mozilla.com, or their subdomains), that they pass standard email authentication checks (including SPF, DKIM, and DMARC), and not to click on links embedded in suspicious emails.

Mozilla also urged developers to navigate directly to its websites rather than following email links, and only enter their login credentials on official Mozilla or Firefox domains.

While Mozilla has yet to disclose the scale of this phishing campaign, the end goal of the attacks, or whether any developer accounts had already been successfully compromised, at least one developer claims to have fallen victim.

Mozilla said it would provide updates if additional details about this campaign become available.

The warning comes after last month's announcement that Mozilla's Add-ons Operations team has launched a new security feature to help block malicious Firefox extensions designed to drain cryptocurrency wallets.

Andreas Wagner, the Add-ons Operations Manager who oversees the content security and review efforts for addons.mozilla.org (AMO), stated that Mozilla has identified and removed hundreds of extensions, including fraudulent cryptocurrency wallets, over the past few years.

While not all of these extensions were directly linked to malicious activities, cybercriminals stole $494 million worth of cryptocurrency last year through wallet-draining attacks affecting over 300,000 wallet addresses.

Source

Hope you enjoyed this news post.

Posted Tuesday 5 August 2025 at 3:47 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

The attacker exploited the URL security feature from cybersecurity company Proofpoint and cloud communications firm Intermedia in campaigns from June through July.

Some email security services include a link wrapping feature that rewrites the URLs in the message to a trusted domain and passes them through a scanning server designed to block malicious destinations.

Legitimizing phishing URLs

Cloudflare’s Email Security team discovered that the adversary legitimized the malicious URLs after compromising Proofpoint and Intermedia-protected email accounts, and likely used their unauthorized access to distribute the “laundered” links.

“Attackers abused Proofpoint link wrapping in a variety of ways, including multi-tiered redirect abuse with URL shorteners via compromised accounts,” the researchers said.

"The Intermedia link wrapping abuse we observed also focused on gaining unauthorized access to email accounts protected by link wrapping“ - Cloudflare Email Security

The threat actor added an obfuscation layer by first shortening the malicious link before sending it from a protected account, which automatically wrapped the link.

The researchers say that the attacker lured victims with fake notifications for voicemail or shared Microsoft Teams documents. At the end of the redirect chain was a Microsoft Office 365 phishing page that collected credentials.

In the campaign that abused Intermedia’s service, the threat actor delivered emails pretending to be a “Zix” secure message notification for a viewing a secure document, or impersonated a communication from Microsoft Teams informing of a newly received message.

The link allegedly leading to the document was a URL wrapped by Intermedia’s service and redirected to a fake page from digital and email marketing platform Constant Contact hosting the phishing page.

Clicking on the reply button in the fake Teams notification led to a Microsoft phishing page that would collect login credentials.

By disguising the malicious destinations with legitimate email protection URLs, the threat actor increased the chances of a successful attack, the Cloudflare researchers said.

It should be noted that abusing legitimate services to deliver malicious payloads is not new but exploiting the link-wrapping security feature is a recent development on the phishing scene.

Source

Hope you enjoyed this news post.

Posted Monday 4 August 2025 at 12:13 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

While the idea behind the change was to make the user data more secure, the problem arises as a result of the lack of knowledge among people who may be blissfully unaware that their system is encrypted and that they will need to ensure their BitLocker recovery key is stored securely. On failure to do so, rampant data loss is quite possible and is apparently happening out there, per reports.

This is also why Microsoft often insists on signing in with a Microsoft Account, as it automatically backs up the Auto DE recovery key, and this is probably the best way forward for most novice users, unless you get locked out.

Meanwhile, Canonical is finally adding TPM-based Full Device Encryption (FDE) with Ubuntu 25.10. The feature has been on the roadmap for a while, and last year, some progress was announced as part of release 24.10. It is still under testing, though, and is being added as an "experimental" option that is only available to users whose systems are "ok to run with it."

If you are wondering what that means, if a user chooses to opt for "hardware-based encryption" and Ubuntu detects some issue, then the dialog box would clearly display the problem. As in the example images Canonical provided, PCR7 and PC4 errors were noted.

Thus, the approach appears to be friendly and easy to follow, and unlike in the case of Windows 11, the user gets clear choices on whether they wish to opt for hardware TPM encryption or not.

Additionally, there is also an option to regenerate a key for admins, similar to how something like a "forgot password" option works on various authentication portals, as Canonical notes that "the security center offers you to regenerate a new one if you are an administrator on your system."

Aside from that, the new implementation will also warn users about the recovery key backup when someone tries to perform a firmware update. Canonical writes:

... we want to protect our users to not end up in a situation where they update some firmware without knowing their recovery key. This would mean otherwise that they can’t reboot their machine as it will prompt for the recovery key they don’t have handy. So, we double check by asking for it before applying any update in the firmware updater!

To be fair, Windows also warns users about BitLocker recovery key backups in such situations and sometimes also suspends BitLocker during a firmware update; though these also depend on the OEM and how a vendor has decided to implement it.

Not only that, Canonical also adds that Ubuntu will warn users about other encrypted installs, like that of Windows, even in the case their Ubuntu installation is not encrypted. The firm writes:

Another use case is firmware upgrade impacting other TPM-related installation even if your Ubuntu installation is not TPM/FDE enabled. For instance, if you have another operating system like Windows with BitLocker installed on your machine, and you update some firmware or DBX from your Ubuntu system, Windows will prompt you for your BitLocker recovery key on next boot. We display a warning before letting the user upgrade their firmware if we detect such a situation.

Thus, it looks like Canonical here is really trying to look out for the user such that data encryption and a misplaced key do not lead to important data loss of a user's entire library. You can find the full details here in the announcement blog post.

Source

Hope you enjoyed this news post.

Posted Saturday 2 August 2025 at 12:35 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

In the week’s least surprising news, Amazon CEO Andy Jassy revealed that the company is exploring ways to bring ads to Alexa Plus, its new generative-AI-powered voice assistant. During a conference call following the company’s second-quarter earnings report, Jassy said that “there will be opportunities, as people are engaging in more multiturn conversations [with Alexa Plus], to have advertising play a role to help people find discovery, and also as a lever to drive revenue.”

Basically, people will talk more to Alexa, so there will be more ways to push ads at them. He also hinted that Alexa Plus, which is currently free for Prime members but will cost $19.99 a month without Prime, could one day cost more. “As we keep adding functionality [there] could be some sort of subscription element beyond what there is today,” he said.

Considering Amazon’s Devices & Services division, which includes Alexa and Echo, has reportedly struggled to make money, Jassy is looking for ways to make its hot new thing, Alexa Plus, more profitable. Charging non-Prime members $20 a month may sound like one way. But who’s going to pay $20 when you can spend $15 for Prime and get Alexa Plus, plus all the Prime benefits?

Advertising is the obvious path, as ads already exist on Amazon Echo devices with regular Alexa on board. These include full-screen ones on Echo Show smart displays that appear randomly and can’t be opted out of.

Another way Alexa pushes ads is with its “By the way” feature, which tacks on suggestions to a response after you’ve asked something. These often involve encouraging you to buy something from Amazon.

When Amazon announced Alexa Plus back in February, I asked head of Devices & Services Panos Panay if “By the way” and full-screen ads would stick around. “I don’t think a lot of that changes,” he said, adding that advertising models on devices like Echos are designed to keep the costs down for customers.

I’ve been testing Alexa Plus for a few weeks now and haven’t seen any ads or received any “By the ways.” But the assistant is still in an Early Access beta phase, and it sounds like the plan is that this new Alexa will come with new ways to push ads. But I really wish it wasn’t.

The new Alexa Plus had burgeoning agentic abilities, including being able to navigate websites like Thumbtack to find an electrician.

Photo by Jennifer Pattison Tuohy / The Verge

In terms of what that might look like, back in 2022, Amazon said it had developed a Customers Ask Alexa feature that would allow brands to submit their own answers to questions people asked Alexa, such as “How can I remove pet hair from my carpet?” Alexa Plus, with its chattier, more helpful persona, would be an ideal platform to deliver this type of sponsored result. But that won’t cut it if Amazon is going to succeed in making Alexa Plus the “World’s best personal assistant,” which is Jassy’s stated goal. Why would anyone choose to use an assistant that is getting paid to push specific products?

One of those higher tiers for Alexa Plus Jassy hinted at could be an ad-free version, as TechCrunch first speculated. Amazon did exactly this with Prime Video, creating a higher price, ad-free tier and booting everyone else to ads. But either way, Alexa will really have to prove its worth if we’re going to pay for its new capabilities.

Based on my initial testing of Alexa Plus, it’s not at a point where I can delegate my daily tasks and chores to it, as I would do if I could ever afford to hire a real personal assistant. But the potential is there.

There’s no doubt that generative AI is going to transform how we use digital voice assistants, and Amazon has a head start. It has actually launched its revamped assistant with more conversational natural language abilities, something neither Apple nor Google seems close to doing. Alexa Plus is also one of the few generative AI-powered services that can take actions in real life.

Whether people will be willing to pay for AI features is still being tested. OpenAI, Google, Anthropic, and others currently charge for different tiers of access to their more advanced AI-chatbot tools. As an Alexa user for many years, I’d consider paying for a really good Alexa that does what I ask without fail, has all the features Amazon has promised are coming, and never shows me an ad. However, what I know for sure that I don’t want, is a chattier AI pushing products at me in my home.

Source

Hope you enjoyed this news post.

Posted Saturday 2 August 2025 at 12:33 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

Delta spent July dealing with backlash over what the airline company claims is widespread public confusion over its AI pricing system.

Now, Delta has finally come forward to break down precisely how the AI pricing works to dispute what it claims are "incorrect" characterizations by consumer watchdogs, lawmakers, and media outlets.

In a letter to lawmakers who accused Delta of using AI to spy on customers' personal data in order to "jack up" prices, Delta insisted that "there is no fare product Delta has ever used, is testing, or plans to use that targets customers with individualized prices based on personal data."

Confusion arose after Delta Air Lines President Glen William Hauenstein discussed the AI pricing on a summer earnings call. Hauenstein hyped the AI pricing as working to propel revenue, confirming that about 3 percent of domestic flights were sold using the AI pricing system over the past six months and that Delta planned to expand that to 20 percent of tickets by the end of the year.

Critics demanded transparency, raising concerns that Delta's AI pricing could lead to discriminatory pricing based on a customer's search history or prior purchases. But Delta did not rush to clarify how its AI pricing actually works until lawmakers sent a letter probing Delta's AI practices. Those lawmakers had just announced the Stop AI Price Gouging and Wage Fixing Act, with a press release that called out Delta among companies whose AI pricing models needed to be banned to prevent surveillance pricing that lawmakers fear will disproportionately disrupt fair pricing for the least wealthy.

Responding, Delta's chief external affairs officer, Peter Carter, thanked lawmakers for their "thoughtful questions regarding Delta’s use of AI," then cautioned them against making assumptions about Delta's AI pricing.

"Your letter presupposes that we are using, and intend to use, AI for 'individualized' pricing or 'surveillance' pricing, leveraging consumer-specific personal data, such as sensitive personal circumstances or prior purchasing activity to set individualized prices," Carter said. "To clarify, this is incorrect and this assumption, unfortunately, has created confusion and misinformation in the public discourse."

Delta scandal highlights value of transparency

According to Delta, the company has "zero tolerance for discriminatory or predatory pricing" and only feeds its AI system aggregated data "to enhance our existing fare pricing processes."

Rather than basing fare prices on customers' personal information, Carter clarified that "all customers have access to the same fares and offers based on objective criteria provided by the customer such as origin and destination, advance purchase, length of stay, refundability, and travel experience selected."

The AI use can result in higher or lower prices, but not personalized fares for different customers, Carter said. Instead, Delta plans to use AI pricing to "enhance market competitiveness and drive sales, benefiting both our customers and our business."

Factors weighed by the AI system, Carter explained, include "customer demand for seats and purchasing data at an aggregated level, competitive offers and schedules, route performance, and cost of providing the service inclusive of jet fuel." That could potentially mean a rival's promotion or schedule change could trigger the AI system to lower prices to stay competitive, or it might increase prices based on rising fuel costs to help increase revenue or meet business goals.

"Given the tens of millions of fares and hundreds of thousands of routes for sale at any given time, the use of new technology like AI promises to streamline the process by which we analyze existing data and the speed and scale at which we can respond to changing market dynamics," Carter wrote.

He explained the AI system helps Delta aggregate purchasing data for specific routes and flights, adapt to new market conditions, and factor in "thousands of variables simultaneously." AI could also eventually be used to assist with crew scheduling, improve flight availability, or help reservation specialists answer complex questions or resolve disputes.

But "to reiterate, prices are not targeted to individual consumers," Carter emphasized.

Delta further pointed out that the company does not require customers to log in to search for tickets, which means customers can search for flights without sharing any personal information.

For AI companies paying attention to the Delta backlash, there may be a lesson about the value of transparency in Delta's scandal. Critics noted Delta was among the first to admit it was using AI to influence pricing, but the vague explanation on the earnings call stoked confusion over how, as Delta seemed to drag its feet amid calls by groups like Consumer Watchdog for more transparency.

Source

Hope you enjoyed this news post.

Posted Saturday 2 August 2025 at 12:31 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

The latest Edge update fixes a memory-related security issue when the browser still uses memory after releasing it. In this case, the problem occurs in Media Stream, a Chromium component responsible for audio and video streaming. The vulnerability allows for corrupting a memory allocation area and using it to execute malicious code or crash the browser.

From the CVE records:

• CVE-2025-8292: Use after free in Media Stream in Google Chrome prior to 138.0.7204.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Version 138.0.3351.121 is one of the final updates for Edge 138. Next week, Microsoft plans to ship Edge 139, which is currently available in the Beta Channel. The upcoming feature update will introduce some important changes and upgrades, including more WebUI 2 components for even faster performance, real-time notifications for compromised passwords, changes to Edge Wallet, and more.

Despite the improvements and new features, such as the recently announced Copilot Mode, Microsoft Edge still lags behind Chrome pretty far. The latest data from Statcounter shows that Edge has lost quite a chunk of users. Meanwhile, Google Chrome is increasing its dominance over the competition.

You can update Microsoft Edge by heading to edge://setting/help. The browser can also apply updates automatically next time you restart it.

Source

Hope you enjoyed this news post.

Posted Saturday 2 August 2025 at 4:16 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

Reddit is pausing its plans to let people make subreddits with content behind a paywall, CEO Steve Huffman said as part of Thursday’s earnings. The company is making the change as part of a shift in how it’s prioritizing its resources.

Huffman said last year that the company was looking into a way for users to make subreddits with “exclusive content or private areas,” and he hinted at the possibility of those subreddits having a paywall. Earlier this year, he said the feature was set to arrive in 2025.

But now, “to stay focused on what matters most, we’re shifting resources away from a few areas, such as work on the user economy,” Huffman (who goes by spez on Reddit) said on in a post. “This includes what some have referred to as paid subreddits. It’s still an opportunity we believe in, but right now, we’re all-in on strengthening our core product, making Reddit the go-to place for search, and accelerating international growth.”

In another post, he added that the team working on the user economy will join “our efforts” to improve Reddit’s core app, including working on things like onboarding and personalization. “That gets at our most important need today, which is logged-in core user growth.”

Source

Hope you enjoyed this news post.

Posted Saturday 2 August 2025 at 4:07 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

Faced with mounting backlash, OpenAI removed a controversial ChatGPT feature that caused some users to unintentionally allow their private—and highly personal—chats to appear in search results.

Fast Company exposed the privacy issue on Wednesday, reporting that thousands of ChatGPT conversations were found in Google search results and likely only represented a sample of chats "visible to millions." While the indexing did not include identifying information about the ChatGPT users, some of their chats did share personal details—like highly specific descriptions of interpersonal relationships with friends and family members—perhaps making it possible to identify them, Fast Company found.

OpenAI's chief information security officer, Dane Stuckey, explained on X that all users whose chats were exposed opted in to indexing their chats by clicking a box after choosing to share a chat.

Fast Company noted that users often share chats on WhatsApp or select the option to save a link to visit the chat later. But as Fast Company explained, users may have been misled into sharing chats due to how the text was formatted:

"When users clicked 'Share,' they were presented with an option to tick a box labeled 'Make this chat discoverable.' Beneath that, in smaller, lighter text, was a caveat explaining that the chat could then appear in search engine results."

At first, OpenAI defended the labeling as "sufficiently clear," Fast Company reported Thursday. But Stuckey confirmed that "ultimately," the AI company decided that the feature "introduced too many opportunities for folks to accidentally share things they didn't intend to." According to Fast Company, that included chats about their drug use, sex lives, mental health, and traumatic experiences.

Carissa Veliz, an AI ethicist at the University of Oxford, told Fast Company she was "shocked" that Google was logging "these extremely sensitive conversations."

OpenAI promises to remove Google search results

Stuckey called the feature a "short-lived experiment" that OpenAI launched "to help people discover useful conversations." He confirmed that the decision to remove the feature also included an effort to "remove indexed content from the relevant search engine" through Friday morning.

Google did not respond to Ars' request to comment and declined to comment on Fast Company's reporting—leaving it unclear if all indexed chats have been removed yet and what role the search giant may have played in how private chats were displayed.

Véliz told Fast Company that even a "short-lived" experiment like this is "troubling," noting that "tech companies use the general population as guinea pigs," attracting swarms of users with new AI products and waiting to see what consequences they may face for invasive design choices.

"They do something, they try it out on the population, and see if somebody complains," Véliz said.

To check if private chats are still being indexed, a Fast Company explanation suggests that users who still have access to their shared links can try inputting the "part of the link created when someone proactively clicks 'Share' on ChatGPT [to] uncover conversations" that may still be discoverable on Google.

OpenAI declined Ars' request to comment, but Stuckey's statement suggested that the company knows it has to earn back trust after the misstep.

"Security and privacy are paramount for us, and we'll keep working to maximally reflect that in our products and features," Stuckey said.

The scandal notably comes after OpenAI vowed to fight a court order that requires it to preserve all deleted chats "indefinitely," which worries ChatGPT users who previously felt assured their temporary and deleted chats were not being saved. OpenAI has so far lost that fight, and those chats will likely be searchable soon in that lawsuit. But while OpenAI CEO Sam Altman considered the possibility that users' most private chats could be searched to be "screwed up," Fast Company noted that Altman did not seem to be as transparently critical about the potential for OpenAI's own practices to expose private user chats on Google and other search engines.

Source

Hope you enjoyed this news post.

Posted Saturday 2 August 2025 at 4:05 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

The record bounty targets zero-click security flaws that allow code execution without user interaction on the messaging platform used by more than three billion people worldwide.

Meta, alongside Synology and QNAP, is co-sponsoring the Pwn2Own Ireland 2025 competition, which will take place from October 21 to October 24 in Cork, Ireland.

"As you might have guessed from the title, we're excited to announce that Meta is co-sponsoring this year's event, and they are hoping to see some great WhatsApp exploits. They are so excited for it, we're putting up $1,000,000 for a 0-click WhatsApp bug that leads to code execution," the Zero Day Initiative announced Thursday.

"We also will have lesser cash awards for other WhatsApp exploits, so be sure to check out the Messaging section for full details. We introduced this category last year, but no one attempted it. Perhaps a number with two commas will provide the needed motivation."

The contest features eight categories targeting mobile phones, messaging apps, home networking equipment, smart home devices, printers, network storage systems, surveillance equipment, and wearable technology, including Meta's Ray-Ban Smart Glasses and Quest 3/3S headsets, as well as Samsung Galaxy S25, Google Pixel 9, and Apple iPhone 16 flagship smartphones.

The ZDI has also expanded the attack vectors for the mobile category to include USB port exploitation for mobile devices, requiring contestants to compromise locked phones through physical connections. Traditional wireless protocols, such as Wi-Fi, Bluetooth, and near-field communication, remain valid attack methods.

Registration closes on October 16 at 5 p.m. Irish Standard Time, with the contest order determined by a random drawing. The Zero Day Initiative operates the event to identify vulnerabilities before malicious actors can exploit them, coordinating responsible disclosure with affected vendors.

After the flaws are exploited during Pwn2Own events, vendors have 90 days to release security updates before Trend Micro's Zero Day Initiative publicly discloses them.

Last year's Pwn2Own Ireland event awarded $1,078,750 for over 70 unique zero-day vulnerabilities, with Viettel Cyber Security collecting $205,000 for flaws demonstrated in QNAP NAS, Sonos speakers, and Lexmark printers.

Source

Hope you enjoyed this news post.

Posted Saturday 2 August 2025 at 4:04 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

Privacy experts are demanding transparency after YouTube announced it would test using AI to estimate user ages in the US ahead of a wider rollout of the age check system.

Throughout the first half of August, YouTube will begin interpreting "a variety of signals" to determine if certain users are under 18. No new user data will be collected, but those signals could include things like "the types of videos a user is searching for, the categories of videos they have watched, or the longevity of the account," YouTube said.

Anyone determined to be too young will automatically be hit with protections, with YouTube disabling their personalized advertising, "turning on digital wellbeing tools," and "limiting repetitive views of some kinds of content" determined to be harmful or too mature.

YouTube claims it has been estimating age in other markets "for some time, where it is working well." But it's clearly not a perfect system, as the company has set up an appeals process for any adults accidentally flagged as teens by AI.

That appeals process seems problematic, privacy experts told Ars,  as it requires users to submit a government ID, credit card, or selfie to verify their actual age. YouTube does not specify in its blog what will happen with this data. Asked for comment, YouTube would only confirm to Ars that the company "does not retain data from" a user's "ID or Payment Card for the purposes of advertising."

"I think we can assume that means it will be retained for other purposes," David Greene, senior staff attorney and civil liberties director for the Electronic Frontier Foundation (EFF), told Ars. But the lack of transparency leaves users guessing about those other purposes, as risks of leaks or breaches seemingly risk exposing vulnerable users who rely on anonymity to use YouTube.

Greene told Ars that YouTube's statement on data retention is even weaker and stands in "stark contrast" to "hollow statements" sometimes made by companies, such as "we'll do our best to protect your data" or "we've been assured that the third-party vendor we use will not retain the data."

Suzanne Bernstein, who serves as counsel for the Electronic Privacy Information Center (EPIC), said it's "tough" to rely on any company's promises when it comes to using data for other purposes, like enhancing its user profiles or selling data to third parties. She suggested that users would be better informed if YouTube shared more information about how data collected for reverse age checks is stored, whether it's ever sold, and, perhaps most importantly, how soon it's deleted.

Until then, "discomfort with certain appeals processes which require providing really sensitive personal information is totally understandable," Bernstein said.

"I think the increased surveillance of user behavior is not privacy protective," Bernstein said. "The most privacy protective option involves retaining the least amount of information and certainly not sharing it with third parties, which is not something that YouTube here has promised to do."

What’s worse, sharing a selfie or a credit card?

In addition to a lack of transparency around the data retention practices, Bernstein noted that YouTube is not being very transparent about how effective its AI age checks are—which is a recurring AI industry pattern that's often repeated as the tech is hyped across many sectors. Greene noted that YouTube does not seem to have conducted any external audits on the AI system or provided any "academic way of looking at it."

Neither expert felt comfortable quantifying a potential error rate, but it's likely that AI could guess users' ages wrong. Even the best age-estimation tech has about a two-year error window on each side, experts pointed out. That could mean users between 16 and 20 are especially susceptible to incorrect age estimations—with potential errors going both ways, perhaps labeling teens as adults or adults as teens—in addition to perhaps anyone whose viewing habits strike the system as immature.

Companies launching AI tools that heighten data privacy risks—especially on platforms as big and irreplaceable for many as YouTube—is part of the reason why groups like the EFF and EPIC push for state or federal legislation to minimize consumer data collection and provide other protections to help put personal data back under users' control, no matter how tech evolves. Bernstein suggested that users alarmed by the AI age checks should "encourage legislators to require significant privacy and data security safeguards for any kind of age assurance" systems.

Bernstein and Greene agreed that due to the lack of comprehensive data privacy legislation, YouTubers who want to appeal AI mistakes do not have great options.

"They're all bad," Greene said. But in particular, sharing selfies or any "kind of biometric age estimation tools without significant privacy and data security safeguards" is risky, Bernstein said.

As Greene explained, any biometric data collection "is really bad and creepy and inhibiting to users who are sensitive" about "identifying themselves while online line," such as political dissidents or victims of abuse. Suddenly, it could be their "burden" to "submit biometric information or government ID in order to use the service," Greene said. That's a huge change for people used to being on YouTube without using their real name or without allowing their information to be traced across the Internet.

"A breach of biometric information is far more significant than a breach of some other information," Greene said. "So we should be concerned about them collecting selfies."

But that doesn't mean the selfie option is the worst choice for everyone who can't abandon YouTube, Greene noted. Each user will have to assess their own risks, with some likely more vulnerable to having their identity exposed and others likely more vulnerable to having financial data exposed.

Greene expects that the more pressure platforms and websites face to age-gate services, the more radically it could change people's relationships with the Internet. On a platform where creators reliably generate the highest earnings, YouTube's AI age checks could possibly serve as a harbinger of a future Internet where every popular account can be unmasked and linked to a known entity.

"Once you get into this bad situation where it's impossible to use these services anonymously, then it really depends on someone's own threat model about what's going to be the least harmful way for them to use the site," Greene said.

Source

Hope you enjoyed this news post.

Posted Friday 1 August 2025 at 11:35 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

On the same day Microsoft is cutting off autofill with its Authenticator app, Proton has announced a potential alternative. Proton Authenticator is a free two-factor authentication (2FA) app available on Windows, iOS, Android, macOS, and Linux.

To be clear, Proton already had a password manager called Proton Pass that has been around for a couple of years. Proton Authenticator is a dedicated 2FA app that adds an additional layer of security to your accounts.

But considering the change to Microsoft Authenticator, some people are likely on the hunt for a new authentication app. Proton Authenticator is not a one-to-one replacement for Microsoft Authenticator, but it could be an option for people searching for a new app to secure logins.

Several 2FA apps are available, but Proton has made an effort to make its app stand out. Proton Authenticator is open source, uses encrypted sync, and lacks ads or tracking. It also supports exporting and importing 2FA data.

Google Authenticator, Microsoft Authenticator, and Duo support some of those features, but none of them support all of the features highlighted by Proton.

The company also emphasizes that "Proton Authenticator will always be free to use on desktop and mobile apps."

You can download Proton Authenticator for free through the company's website, which will direct you to the appropriate app store for your device.

Proton Authenticator is now available for free on iOS, Android, Windows, macOS, and Linux. It syncs your one-time passwords across all devices and even generates the code that will follow after the current one. The app also supports automatic backups, offline mode, import/export, and biometric authentication for extra security. Finally, Proton Authenticator is open-source, end-to-end encrypted, ad-free, and it lets you use it with or without a Proton account.

In the announcement post, Proton throws shade at big corporations, such as Google and Microsoft, for their data-harvesting practices. The latter recently crippled its Authenticator app and removed its password-storing capabilities in an attempt to make the Edge browser more popular. In addition, Proton offers the new app as a reliable alternative to "bad authenticator apps that may disappear from the market."

Here is what Eamonn Maguire, Head of Account Security at Proton, said about the launch of Proton Authenticator:

Two-factor authentication is essential for everyone – not just those who care about their privacy. Proton Authenticator is built for anyone who wants a secure, transparent and convenient way to protect their accounts.

 

We believe strong security should never come at the cost of your convenience or privacy. That's why we've developed Proton Authenticator: to give users peace of mind that their 2FA codes are available wherever they need them, without relying on Google or Microsoft. We're putting users firmly in control not only over their data, but the way they access their online accounts."

You can download Proton Authenticator for all your devices using the links on the official website.

Source

Hope you enjoyed this news post.

Posted Friday 1 August 2025 at 4:13 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

RIP Matrix | Farewell my friend  

Hackers planted a Raspberry Pi equipped with a 4G modem in the network of an unnamed bank in an attempt to siphon money out of the financial institution's ATM system, researchers reported Wednesday.

The researchers with security firm Group-IB said the “unprecedented tactic allowed the attackers to bypass perimeter defenses entirely.” The hackers combined the physical intrusion with remote access malware that used another novel technique to conceal itself, even from sophisticated forensic tools. The technique, known as a Linux bind mount, is used in IT administration but had never been seen used by threat actors. The trick allowed the malware to operate similarly to a rootkit, which uses advanced techniques to hide itself from the operating system it runs on.

End goal: Backdooring the ATM switching network

The Raspberry Pi was connected to the same network switch used by the bank’s ATM system, a position that effectively put it inside the bank’s internal network. The goal was to compromise the ATM switching server and use that control to manipulate the bank’s hardware security module, a tamper-resistant physical device used to store secrets such as credentials and digital signatures and run encryption and decryption functions.

The group behind the attack is tracked in the industry under the name UNC2891. The financially motivated threat group has been active since at least 2017 in targeting the infrastructures of banks. It has earned a well-deserved reputation for proficiency in its use of custom malware in attacks targeting Linux, Unix, and Oracle Solaris systems.

In 2022, Google’s Mandiant division said it had observed UNC2891 spending years inside a targeted network, during which time the intrusion went largely unnoticed. Mandiant researchers went on to identify CakeTap, a custom rootkit for Solaris systems. Among other things, CakeTap manipulated messages passing through an infected ATM switching network, most likely for use in unauthorized cash withdrawals using fraudulent bank cards. Mandiant documented two other custom pieces of malware, which the company named SlapStick and TinyShell.

Group-IB’s report on Wednesday shows that UNC2891 is still active and finding new and advanced ways to burrow into bank networks without detection.

“One of the most unusual elements of this case was the attacker’s use of physical access to install a Raspberry Pi device,” Group-IB Senior Digital Forensics and Incident Response Specialist Nam Le Phuong wrote. “This device was connected directly to the same network switch as the ATM, effectively placing it inside the bank’s internal network. The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data.”

To maintain persistence, UNC2891 also compromised a mail server because it had constant Internet connectivity. The Raspberry Pi and the mail server backdoor would then communicate by using the bank’s monitoring server as an intermediary. The monitoring server was chosen because it had access to almost every server within the data center.

The Network Monitoring Server as an intermediary between the Raspberry Pi and the Mail Server.

Credit: Group-IB

As Group-IB was initially investigating the bank’s network, researchers noticed some unusual behaviors on the monitoring server, including an outbound beaconing signal every 10 minutes and repeated connection attempts to an unknown device. The researchers then used a forensic tool to analyze the communications. The tool identified the endpoints as a Raspberry Pi and the mail server but was unable to identify the process names responsible for the beaconing.

The forensic triage tool is unable to collect the relevant process name or ID associated with the socket.

Credit: Group-IB

The researchers then captured the system memory as the beacons were sent. The review identified the process as lightdm, a process associated with an open source LightDM display manager. The process appeared to be legitimate, but the researchers found it suspicious because the LightDM binary was installed in an unusual location. After further investigation, the researchers discovered that the processes of the custom backdoor had been deliberately disguised in an attempt to throw researchers off the scent.

Phuong explained:

The backdoor process is deliberately obfuscated by the threat actor through the use of process masquerading. Specifically, the binary is named “lightdm”, mimicking the legitimate LightDM display manager commonly found on Linux systems. To enhance the deception, the process is executed with command-line arguments resembling legitimate parameters – for example,

 

lightdm –session child 11 19 — in an effort to evade detection and mislead forensic analysts during post-compromise investigations.

 

These backdoors were actively establishing connections to both the Raspberry Pi and the internal Mail Server.

As noted earlier, the processes were disguised using the Linux bind mount. Following that discovery, Group-IB added the technique to the MITRE ATT&CK framework as “T1564.013 – Hide Artifacts: Bind Mounts.”

Group-IB didn’t say where the compromised switching equipment was located or how attackers managed to plant the Raspberry Pi. The attack was detected and shut down before UNC2891 was able to achieve its final goal of infecting the ATM switching network with the CakeTap backdoor.

Source

Hope you enjoyed this news post.

Posted Thursday 31 July 2025 at 12:19 pm AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

Source

Hope you enjoyed this news post.

Posted Thursday 31 July 2025 at 3:41 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend

On July 25th, the UK became one of the first countries to widely implement age verification. Its Online Safety Act requires sites hosting porn and other content deemed “harmful” — including Reddit, Discord, Grindr, X, and Bluesky — to verify that users are over the age of 18. The early results have been chaotic. While many services have complied, some have pulled out of the country rather than face the risk and expense. Users have tricked the verification tools or bypassed them with VPNs. It’s just a taste of the issues that many other countries might face as they launch their own systems, and it’s a situation that privacy and security experts have long warned about — to little avail.

Following a yearslong political push to make the internet safer for kids, age verification has started seeping into online spaces across the globe. Lawmakers in the US, Europe, Australia, and elsewhere have all passed age-gating rules, and platforms have begun to comply. The likely methods for verification are similar to those in the UK. Platforms typically ask users to either enter a payment card, upload a government-issued ID, take a selfie, or allow a platform to use their data (like account creation dates and user connections) to “estimate” their age. Most rely on third-party services: Bluesky uses the Epic Games-owned Kids Web Services; Reddit is working with Persona; and Discord has partnered with k-ID.

The outcome so far is an assortment of online services handling sensitive user information — a “privacy nightmare,” says Cody Venzke, senior policy counsel at the American Civil Liberties Union. “There is no standardization of how age verification is supposed to take place.”

Some age verification platforms promise to erase your data after a certain period of time, like the seven days that Persona says it will keep the information used to verify your age on Reddit. But there’s no guarantee every service will do this, and there are still massive security risks given how common data breaches have become. Last year, a security researcher found that AU10TIX — an identity verification solution used by TikTok, Uber, and X — left user information and driver’s license photos exposed for months, 404 Media reported.

“When uploading your ID ... you are handing it over to a third party,” Venzke says. “You’re going to take their word that they’re going to delete it or remove it after they’re done using it.”

Despite these potential pitfalls, governments are plowing toward the future of an age-gated internet anyway. In addition to a crackdown in the UK, the European Union is hurdling toward a broad rollout of digital IDs, Australia is age-gating search engines, and users in many US states need IDs to access porn sites.

Age verification was long viewed as unconstitutional in the US, but the Supreme Court overturned that precedent earlier in 2025, concluding “adults have no First Amendment right to avoid age verification” if it’s meant to protect underage users from “obscene” content. Several states, including Alabama, Idaho, Indiana, Kentucky, North Carolina, and Texas, have implemented laws requiring verification measures on adult websites. Some have tried to extend this to social media or app stores as a whole, but so far, they’ve failed — lawsuits filed by NetChoice, a technology trade group backed by Google, Meta, X, Amazon, Discord, and other tech giants, have successfully blocked bills in California, Arkansas, Georgia, Ohio, and Florida.

As in the UK, there’s no guarantee against privacy and security breaches for states with age verification laws, and there’s little standardization in this bevy of rules. Efforts in the US also coincide with escalating government digital surveillance and attempts to declare expressions of LGBTQ sexuality, like drag shows, as obscene, raising the risks of handing over personal data even further.

Not all age verification efforts entrust users’ privacy to third-party services with a host of different methods. The EU is trialing not only age-gating requirements, but also government-managed digital IDs. It has started testing an age verification system prototype designed to “bridge the gap” before digital IDs arrive by the end of next year. The solution will allow users to upload their passport or government ID card to a government-built system, which then generates a “proof of age attestation” that is passed to sites. Sites can also use the customer identification methods employed by banks and mobile carriers. The goal is that users can upload sensitive information to a single system that can be held to a high privacy standard and is simple for sites to use.

Though having a centralized age verification solution may prevent users from having to pass their information through multiple verification services, plenty of questions remain regarding surveillance and accessibility. Aside from the ever-present possibility of data breaches, digital IDs may also restrict undocumented individuals from accessing content online. And, without the proper safeguards, digital identity systems may still “phone home” to the ID’s issuer when a user’s age is verified, potentially allowing providers to track online activity.

“If I pull up my ID at the liquor store, the DMV doesn’t know that, but with digital identification, there’s a potential for that,” says Alexis Hancock, the director of engineering at the Electronic Frontier Foundation (EFF).

Down the line, the EU says it plans to enhance the framework with technology called zero-knowledge proof (ZKP). This is a cryptographic verification method that allows a service to prove something is true or false without revealing any additional information, as outlined by the EFF. That means an app could verify that a user is over the age of 18 without disclosing their exact birthdate. Google has already built a ZKP system into Google Wallet and has since open-sourced the technology, which it’s encouraging EU members to adopt.

Even with ZKP in place, Hancock says that there are still concerns about what sites and apps can ask for information about a user’s age. “I haven’t seen anything remotely promising at the moment that actually reels in verifiers in particular,” Hancock says. “There’s not a lot of scope restriction on who can actually ask for this and if it’s even needed in some cases.”

Lawmakers and regulators have argued that there are overwhelming benefits to protecting children from harmful content or exploitative social media platforms. Melanie Dawes, the chief executive of Ofcom, the UK’s communications regulator, boasted that “prioritizing clicks and engagement over children’s online safety will no longer be tolerated in the UK,” and US lawmakers and regulators have declared porn and social media a public health crisis. “Putting in place commonsense guardrails that protect our kids from the dangers of social media is critical for their future and America’s future,” Sen. Katie Britt said in an announcement about the Kids Off Social Media Act.

While keeping kids safe online is important, this messaging downplays or ignores the ripple effects. Right now, there just isn’t any clear-cut way to verify someone’s age online without risking a leak of personal information or hampering access to the internet. Until lawmakers stop and think about the bigger picture, everyone’s privacy is going to be at risk.

Source

Hope you enjoyed this news post.

Posted Thursday 31 July 2025 at 2:59 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

Tracked as CVE-2025-6558, the security bug is due to the incorrect validation of untrusted input in the ANGLE (Almost Native Graphics Layer Engine) open-source graphics abstraction layer, which processes GPU commands and translates OpenGL ES API calls to Direct3D, Metal, Vulkan, and OpenGL.

The vulnerability enables remote attackers to execute arbitrary code within the browser's GPU process via specially crafted HTML pages, potentially allowing them to escape the sandbox that isolates browser processes from the underlying operating system.

Vlad Stolyarov and Clément Lecigne of Google's Threat Analysis Group (TAG), a team of security experts dedicated to defending Google customers against state-sponsored attacks, discovered CVE-2025-6558 in June and reported it to the Google Chrome team, who patched it on July 15 and tagged it as actively exploited in attacks.

While Google has yet to provide further information on these attacks, Google TAG frequently discovers zero-day flaws exploited by government-sponsored threat actors in targeted campaigns aimed at deploying spyware on devices of high-risk individuals, including dissidents, opposition politicians, and journalists.

On Tuesday, Apple released WebKit security updates to address the CVE-2025-6558 vulnerability for the following software and devices:

• iOS 18.6 and iPadOS 18.6: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
• macOS Sequoia 15.6: Macs running macOS Sequoia
• iPadOS 17.7.9: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
• tvOS 18.6: Apple TV HD and Apple TV 4K (all models)
• visionOS 2.6: Apple Vision Pro
• watchOS 11.6: Apple Watch Series 6 and later

"Processing maliciously crafted web content may lead to an unexpected Safari crash," Apple explained when describing the impact of CVE-2025-6558 successful exploitation. "This is a vulnerability in open source code and Apple Software is among the affected projects."

On July 22, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. cyber defense agency, also added this security bug to its catalog of vulnerabilities known to be exploited in attacks, requiring federal agencies to patch their software by August 12.

While the Binding Operational Directive (BOD) 22-01, which mandates federal agencies to secure their systems, only applies to federal agencies, CISA advised all network defenders to prioritize patching the CVE-2025-6558 vulnerability as soon as possible.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the cybersecurity agency warned last week.

Apple has also patched five zero-day flaws exploited in targeted attacks since the start of the year, including one zero-day in January (CVE-2025-24085), one in February (CVE-2025-24200), a third in March (CVE-2025-24201), and two more in April (CVE-2025-31200 and CVE-2025-31201).

Source

Hope you enjoyed this news post.

Posted Thursday 31 July 2025 at 2:58 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend  

Devices confirmed to be impacted are IdeaCentre AIO 3 24ARR9 and 27ARR9, and the Yoga AIO 27IAH10, 32ILL10, and 32IRH8.

UEFI is the modern replacement for the traditional PC BIOS, acting as a firmware interface between the computer's hardware and the OS, controlling early initialization and booting.

The flaws, discovered by Binarly, mirror those the researchers uncovered earlier this month, which impacted dozens of Gigabyte motherboard models, enabling local attackers to execute arbitrary code in System Management Mode (SMM).

The SMM is a CPU mode that is separate from the operating system (OS) and hypervisor, running with higher privileges at a lower level (Ring-2). Exploiting flaws in SMM could help attackers plant 'undetectable' malware, bypassing OS-level security defenses, such as SecureBoot.

InsydeH2O is one of the most widely deployed commercial UEFI BIOS frameworks used in OEM laptops and desktops.

Insyde also published a bulletin explaining that the flaws arise from OEM-specific customizations made by Lenovo in InsydeH2O UEFI firmware images, and do not apply to all systems using InsydeH2O UEFI.

"The newly identified Lenovo vulnerabilities arise from the same recurring challenges tied to inconsistencies within the software supply chain," commented Binarly's Alex Matrosov to BleepingComputer.

"All six vulnerabilities were found in System Management Mode (SMM)‑level code, the invisible layer of firmware that loads before your operating system and persists after every re‑image, making them perfect launch pads for stealthy implants and Secure Boot bypasses."

The six flaws are summarized as follows:

• CVE-2025-4421: bug in an SMI handler (Callback7 via EfiSmiServices) allows an attacker to write to an attacker-controlled SMRAM address using an unvalidated RSI register, leading to SMM privilege escalation and persistent firmware compromise (CVSS score: 8.2)
• CVE-2025-4422: bug in an SMI handler (EfiSmiServices, via gEfiSmmCpuProtocol and EfiPcdProtocol) can lead to SMM memory corruption and privilege escalation. (CVSS score: 8.2)
• CVE-2025-4423: bug in an SMI handler (SetupAutomationSmm) allows arbitrary memory writes in SMM, leading to SMM privilege escalation and code execution. (CVSS score: 8.2)
• CVE-2025-4424: improper input validation in an SMI handler (SetupAutomationSmm) allows unsanitized calls to SmmSetVariable, leading to firmware settings manipulation. (CVSS score: 6)
• CVE-2025-4425: stack buffer overflow in an SMI handler (SetupAutomationSmm) can lead to SMM privilege escalation and arbitrary code execution. (CVSS score: 8.2)
• CVE-2025-4426: bug in an SMI handler (SetupAutomationSmm) leaks SMRAM contents, enabling sensitive information disclosure. (CVSS score: 6)

Binarly reported the vulnerabilities to Lenovo on April 8, 2025, and received confirmation from the company on June 16. The coordinated disclosure was published yesterday, following the expiration of the 90-day disclosure window.

Lenovo has released firmware security updates for IdeaCenter AIO 3 models, urging users to upgrade to version O6BKT1AA.

Yoga AIO updates aren't currently available, but the computer vendor plans to release fixes between September 30 and November 30, 2025.

Source

Hope you enjoyed this news post.

Posted Thursday 31 July 2025 at 2:57 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of June): 2,864

RIP Matrix | Farewell my friend