For anybody concerned that my previous article on Amazon Assistant only discussed potential threats: here is the actual data being collected for “analytics” purposes. Lots of it and linked to the user’s Amazon account. #amazon #privacy
Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server. #DuckDuckGo #privacy #infosec
The Amazon Assistant extension turned out to be designed in a very “special” way: all of its logic is located on Amazon web servers. This gives Amazon access to a very wide range of information in the browsers of the extension’s users. #privacy #infosec #Amazon
It deeply satisfies me to see search requests like “is miui spyware” in my logs. So people actually want to know, and they find my article. I hope that quite a few choose not to buy #Xiaomi hardware then. #privacy
Older research by @email@example.com: so Canvas Defender was adding constant noise to the canvas data, and that noise vector could be easily extracted. Not only did this allow removing the noise, it was also an additional #fingerprinting attribute! #privacy
Those browser extensions with anti-fingerprinting functionality? The sad truth is, they usually make matters worse. Not only do they fail to remove fingerprinting data reliably, they give websites additional data to work with. #privacy #fingerprinting
Hey #Feedly, don’t you want to start using Referrer Policy on your website? Currently, when your users click a link you will typically leak their user ID and some info about how they organize their feeds via the Referer header. #privacy
The data collected by the Microsoft Bing mobile app was apparently exposed to anybody looking. And while this is bad enough by itself, the question to ask is always: why was it necessary to collect such detailed data? #privacy #Microsoft #Bing #infosec
I've published an update on the #Xiaomi #privacy situation (no technical details this time). Yes, a change has been implemented. The default behavior is nothing short of horrifying, however. If you use a Xiaomi browser, you should ditch it ASAP.
I investigated the inner workings of #Xiaomi's Mint Browser and summarized it in a blog article. In short: it's as bad as the Forbes article suggests, and even worse. That browser is spyware, exfiltrating an enormous amount of data.
Whisper app: yet another company which had no qualms about collecting as much data of their presumably anonymous users as possible. And then they carelessly exposed the dirty secrets to the public, along with identifying metadata. #privacy
I got my hands on a sample of Jumpshot data. My analysis confirms what everybody already suspected: Avast failed to anonymize the data they sold, leaving plenty of personal data untouched. #Avast #Jumpshot #privacy
I'm rather late to the party but the Avast story took a not quite unexpected turn. I wonder whether this investigation will really conclude that Avast's practices were all GDPR-compliant. #Avast #privacy
#Avast keeps stating that any data shared with #Jumpshot was "de-identified." Experts have been skeptical (in fact, I found a four-year-old quote from @gcluley on the matter) and I now found quite a bit of info suggesting that they were right. #privacy
I finished analyzing updates to the Avast Online Security extension. It is indeed far more privacy-friendly now and properly respects the user's choices. Quite a surprising development given how they denied anything being wrong with it. #avast #privacy #spyware
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant