Weekly Privacy Roundup #11
"Transparency is for those who carry out public duties and exercise public power. Privacy is for everyone else." - Glenn Greenwald
Niche Dating Apps Expose 100,000s of Users in Massive Data Breach
Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach leaking incredibly sensitive images from numerous niche dating and hookup apps.
The apps were built for people with alternative lifestyles and particular tastes, such as ‘Cougars,’ queer dating, fetishes, and group sex. At least one app was dedicated to people with STIs, such as herpes.
Based on our research, the apps share a common developer. As a result, user media from each app had been stored on a single Amazon Web Services (AWS) account.
Aside from exposing potentially millions of users of the apps to danger, the breach also exposed the various apps’ entire AWS infrastructure through unsecured admin credentials and passwords.
Massive Spying On Users Of Google’s Chrome Shows New Security Weakness
A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions.
Mozilla VPN – Firefox private network VPN is finally arriving
Mozilla has announced that it will release its highly anticipated virtual private network (VPN) service in the “next few weeks.” The product’s beta version was launched in the USA in 2019 as Firefox Private Network VPN, and it has now been rebranded as Mozilla VPN to expand its scope to a wider audience.
Also, the company has expanded the product’s scope from a browser extension to a full-device VPN capable of routing traffic for the whole operating system, including other browsers.
Your Login Credentials Are Worth $0.00005
The hacking group Shiny Hunters has gained quite a bit of notoriety in recent months by stealing, and then selling, credentials for a broad range of organizations. In total, the group’s user record haul stands at just over 174,000,000 accounts, all of which have been placed for sale on the dark web. Victim organizations include Tokopedia, Zoosk, HomeChef, Chatbooks, StyleShare, and more.
Facebook Helped the FBI Hack a Child Predator
For years, a California man systematically harassed and terrorized young girls using chat apps, email, and Facebook. He extorted them for their nude pictures and videos, and threatened to kill and rape them. He also sent graphic and specific threats to carry out mass shootings and bombings at the girls' schools if they didn't send him sexually explicit photos and videos.
Buster Hernandez, who was known as “Brian Kil” online, was such a persistent threat and was so adept at hiding his real identity that Facebook took the unprecedented step of helping the FBI hack him to gather evidence that led to his arrest and conviction, Motherboard has learned. Facebook worked with a third-party company to develop the exploit and did not directly hand the exploit to the FBI; it is unclear whether the FBI even knew that Facebook was involved in developing the exploit. According to sources within the company, this is the first and only time Facebook has ever helped law enforcement hack a target.
The FBI used a Philly protester’s Etsy profile, LinkedIn, and other internet history to charge her with setting police cars ablaze
Jeremy Roebuck reports:
As demonstrators shouted, fires burned outside City Hall, and Philadelphia convulsed with outrage over the death of George Floyd, television news helicopters captured footage of a masked woman with a peace sign tattoo and wearing a light blue T-shirt setting a police SUV ablaze.
More than two weeks after that climactic May 30 moment, federal authorities say they’ve identified the arsonist as 33-year-old Philadelphia massage therapist Lore Elisabeth Blumenthal by following the intricate trail of bread crumbs she left through her social media history and online shopping patterns over the years.
230k+ Indonesian COVID-19 patients’ records for sale in the Darkweb
As part of our regular deepweb and darkweb sweeps, we identified a credible actor in one of the darkweb markets who was selling the database of Covid-19 patients of Indonesia, comprising around 230,000 users’ records.
NSO Group spyware used against Moroccan journalist days after company pledged to respect human rights
In October 2019 Amnesty International published a first report on the use of spyware produced by Israeli company NSO Group against Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui. Through our continued investigation, Amnesty International’s Security Lab identified similar evidence of the targeting of Omar Radi, a prominent activist and journalist from Morocco from January 2019 until the end of January 2020.
Evidence gathered through our technical analysis of Omar Radi’s iPhone revealed traces of the same “network injection” attacks we described in our earlier report that were used against Maati Monjib. This provides strong evidence linking these attacks to NSO Group’s tools.
These findings are especially significant because Omar Radi was targeted just three days after NSO Group released its human rights policy. These attacks continued after the company became aware of Amnesty International’s first report that provided evidence of the targeted attacks in Morocco. This investigation thus demonstrates NSO Group’s continued failure to conduct adequate human rights due diligence and the inefficacy of its own human rights policy.