AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 2/25/2020

1 – Developers Hack McDonald’s Reward System to Get Free Hamburgers

A couple of German software developers discovered an oversight in McDonalds’ promotion systems that allowed them to get as many hamburgers as they wanted, without paying anything. While software vulnerabilities or loopholes are sometimes used for nefarious purposes, that’s not always the case. The same can be said of white hackers and software developers who want to make the online world a safer place. McDonald’s has a promotions systems that offers rewards for some orders, which is not out of the ordinary. But, according to a Vice report, a couple of developers found the code behind the promotion system could be exploited in a way that would allow them to get pretty much anything from the fast-food chain.


2 – Venmo did what with my data? My location was shared when I paid with the app

Many of us have ditched cash and, instead, use smartphone apps like Venmo to pay for goods and services. The app is free, it takes just a second to initiate and finish a transaction. I don’t have to write a check or pull out some cash. It’s great. But you know what, there’s no such thing as free. I discovered this week that when I opened PayPal-owned Venmo to pay my personal trainer and made sure to click “private,” yet the app recorded my GPS location (home address) and the trainer’s name, and sent it off to Braze, a third-party data collection firm. Think about that for a minute. You use the app to pay your bill, and, in return, some company you’ve never heard of now has your address and associations. How icky is that? 


3 – Google is cracking down on Android apps that track your location in the background

Google is placing new restrictions on which Android apps can track your location in the background, with a new review process that will check whether an app definitely needs access to the data. The changes were announced in a blog post to Android developers earlier this week. Google says that from August 3rd all new Google Play apps that ask for background access will need to pass review, expanding to all existing apps on November 3rd. Although location tracking is an essential feature for many apps and services, it can be pretty invasive when apps indiscriminately ask for location access. Background tracking is even worse, because it means that you might be completely unaware of which apps on your phone are tracking you at any moment in time. The new review process will force apps to justify why they need to use the feature, and have them limit their tracking when they can’t.


4 – Google addresses Huawei ban and warns customers not to sideload apps like Gmail and YouTube

Google on Friday evening published a support article meant to clarify the ongoing situation with Huawei. Last year, the United States government barred companies in the US from working with the Chinese hardware maker. “Google is prohibited from working with Huawei on new device models or providing Google’s apps including Gmail, Maps, YouTube, the Play Store and others for preload or download on these devices,” Tristan Ostrowski, legal director for Android and Google Play, wrote in the post, which was picked up by 9to5Google. According to Google, there’s still plenty of confusion around what’s going on — and exactly which products are subject to the Google services ban.


5 – Google Is Letting People Find Invites to Some Private WhatsApp Groups

Google is indexing invite links to WhatsApp group chats whose administrators may want to be private. This means with a simple search, random people can discover and join a wide range of WhatsApp group chats. “Your WhatsApp groups may not be as secure as you think they are,” Jordan Wildon, a multimedia journalist for German outlet Deutsche Welle, tweeted on Friday. Using particular Google searches, people can discover links to the chats, Wildon explained. App reverse-engineer Jane Wong added in a tweet that Google has around 470,000 results for a simple search of “chat.whatsapp.com,” part of the URL that makes up invites to WhatsApp groups.


6 – Facebook is considering making it clearer that pro-Bloomberg posts come from paid staffers

Facebook is concerned about a lack of transparency in how Mike Bloomberg’s field organizers are using the platform to advocate for his presidential campaign, without identifying that they work for him, according to a source at the company. The source said Facebook is considering taking steps to make it clearer that the people posting messages of support are paid employees. Facebook has taken a range of steps to improve transparency around political advertising since the Cambridge Analytica scandal in March 2018. A New York Times report revealed that the political consulting firm improperly obtained information about Facebook users, then used that information to target political ads supporting Donald Trump’s 2016 presidential campaign.


7 – Rallyhood exposed a decade of users’ private data

The social network designed to help groups communicate and coordinate left one of its cloud storage buckets containing user data open and exposed. The bucket, hosted on Amazon Web Services (AWS), was not protected with a password, allowing anyone who knew the easily-guessable web address access to a decade’s worth of user files. Rallyhood boasts users from Girl Scout and Boy Scout troops, and Komen, Habitat for Humanities, and YMCA factions. The company also hosts thousands of smaller groups, like local bands, sports teams, art clubs and organizing committees. Many flocked to the site after Rallyhood said it would help migrate users from Yahoo Groups after Verizon (which also owns TechCrunch) said it would shut down the discussion forum site last year. The bucket contained group data as far back to 2011 up to and including last month. In total, the bucket contained 4.1 terabytes of uploaded files, representing millions of users’ files.


8 – Washington state Senate passes bill to rein in facial recognition

The American Civil Liberties Union (ACLU) dubbed 2019 the year that proved that ubiquitous facial recognition surveillance isn’t inevitable. The latest (tentative) win for legislative restrictions on the increasingly pervasive technology: the state of Washington. On Wednesday, the state senate passed a bill – Senate Bill 6280 – that would prohibit state and local government agencies from using facial recognition in most instances, including… Ongoing surveillance – meaning tracking people as they move through public places over time, be it in real-time or through use of a service that relies on historical records. And… Persistent tracking – which refers to the use of facial recognition to persistently track someone without first having identified them or verified their identity. If passed, the law will require law enforcement to first get a search warrant before using those types of faceprint-reliant tracking and surveillance, or else would be limited to emergency situations in which people’s lives are at risk.


9 – U.K.’s top cop calls for government to legislate police use of AI

Britain’s most senior police officer on Monday called on the government to create a legal framework for police use of new technologies such as artificial intelligence. Speaking about live facial recognition, which police in London started using in January, London police chief Cressida Dick said that she welcomed the government’s 2019 manifesto pledge to create a legal framework for the police use of new technology like AI, biometrics and DNA. “The best way to ensure that the police use new and emerging tech in a way that has the country’s support is for the government to bring in an enabling legislative framework that is debated through Parliament, consulted on in public and which will outline the boundaries for how the police should or should not use tech,” Dick said.


10 – New discoveries in neuroscience show what’s right and wrong with AI

Two separate studies, one by UK-based artificial intelligence lab DeepMind and the other by researchers in Germany and Greece, display the fascinating relations between AI and neuroscience. As most scientists will tell you, we are still decades away from building artificial general intelligence, machines that can solve problems as efficiently as humans. On the path to creating general AI, the human brain, arguably the most complex creation of nature, is the best guide we have. Advances in neuroscience, the study of nervous systems, provide interesting insights into how the brain works, a key component for developing better AI systems. Reciprocally, the development of better AI systems can help drive neuroscience forward and further unlock the secrets of the brain.


11 – Cybersecurity alliance launches first open source messaging framework for security tools

A new language framework designed to breach fragmentation gaps between cybersecurity tools has been released to the open source community. Launched by the Open Cybersecurity Alliance (OCA), a consortium of cybersecurity vendors including IBM, Crowdstrike, and McAfee, on Monday, the OCA said that OpenDXL Ontology is the “first open source language for connecting cybersecurity tools through a common messaging framework.” OpenDXL Ontology, now available, aims to create a common language between cybersecurity tools and systems by removing the need for custom integrations between products that can be most effective when communicating with each other — such as endpoint systems, firewalls, and behavior monitors — but suffer from fragmentation and vendor-specific architecture. 

Related Posts