Last week, I turned on my PC, installed a Windows update, and rebooted to find Microsoft Edge automatically open with the Chrome tabs I was working on before the update. I don’t use Microsoft Edge regularly, and I have Google Chrome set as my default browser. Bleary-eyed at 9AM, it took me a moment to realize that Microsoft Edge had simply taken over where I’d left off in Chrome. I couldn’t believe my eyes. I never imported my data into Microsoft Edge, nor did I confirm whether I wanted to import my tabs. But here was Edge automatically opening after a Windows update with all the Chrome tabs I’d been working on. I didn’t even realize I was using Edge at first, and I was confused why all my tabs were suddenly logged out.
ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users, screenshots submitted by an Ars reader on Monday indicated. Two of the seven screenshots the reader submitted stood out in particular. Both contained multiple pairs of usernames and passwords that appeared to be connected to a support system used by employees of a pharmacy prescription drug portal. An employee using the AI chatbot seemed to be troubleshooting problems they encountered while using the portal.
New York Attorney General Letitia James sued Citibank over its failure to defend customers against hacks and scams and refusing to reimburse victims after allowing fraudsters to steal millions from their accounts. The NY Attorney General’s lawsuit against Citibank alleges that the financial institution also unlawfully denied reimbursement to victims of fraud, a violation of the Electronic Fund Transfer Act (EFTA). The complaint claims that because it’s providing online and mobile banking options for wire transfers, Citibank should also compensate fraud victims, akin to the protections afforded to victims of electronic credit or debit card fraud under the same legislation.
A Microsoft manager claims OpenAI’s DALL-E 3 has security vulnerabilities that could allow users to generate violent or explicit images (similar to those that recently targeted Taylor Swift). GeekWire reported Tuesday the company’s legal team blocked Microsoft engineering leader Shane Jones’ attempts to alert the public about the exploit. The self-described whistleblower is now taking his message to Capitol Hill. “I reached the conclusion that DALL·E 3 posed a public safety risk and should be removed from public use until OpenAI could address the risks associated with this model,” Jones wrote to US Senators Patty Murray (D-WA) and Maria Cantwell (D-WA), Rep. Adam Smith (D-WA 9th District), and Washington state Attorney General Bob Ferguson (D). GeekWire published Jones’ full letter.
Unprivileged attackers can get root access on multiple major Linux distributions in default configurations by exploiting a newly disclosed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc). Tracked as CVE-2023-6246, this security flaw was found in glibc’s __vsyslog_internal() function, called by the widely-used syslog and vsyslog functions for writing messages to the system message logger. The bug is due to a heap-based buffer overflow weakness accidentally introduced in glibc 2.37 in August 2022 and later backported to glibc 2.36 when addressing a less severe vulnerability tracked as CVE-2022-39046.
Proofpoint researchers recently identified the return of TA576, a cybercriminal threat actor that uses tax-themed lures specifically targeting accounting and finance organizations. This actor is typically only active the first few months of the year during U.S. tax season, generally targeting organizations in North America with low-volume email campaigns. In all campaigns, the actor will email requests for tax preparation assistance and will attempt to deliver remote access trojans (RATs). In the first two observed campaigns in January 2024, the actor used a compromised account to send benign emails purporting to request tax assistance. While the sender account was compromised, the emails featured a reply-to address with a recently registered domain that is likely owned by the threat actor. The threat actor provided a backstory and asked for pricing and availability. If the target replied, the threat actor responded with a malicious Google Firebase (web.app) URL.