Hey , don’t you want to start using Referrer Policy on your website? Currently, when your users click a link you will typically leak their user ID and some info about how they organize their feeds via the Referer header.


“So is this some outdated functionality that is no longer in use and that nobody bothered removing yet? Very likely. Yet it could jump to life any time to collect more detailed information about your browsing habits.”

Show thread

“So that’s where this Honey privacy statement is clearly wrong: while the data collected doesn’t contain your email address, Honey makes sure to associate it with your account among other things. And the account is tied to your email address.”

Show thread

So when I order something in a -based shop, and they show the shipping address on the map in the order confirmation – they implicitly tell Maps which shops I buy at and when, and there is no opt out? How convenient…

The data collected by the Microsoft Bing mobile app was apparently exposed to anybody looking. And while this is bad enough by itself, the question to ask is always: why was it necessary to collect such detailed data?


I've published an update on the situation (no technical details this time). Yes, a change has been implemented. The default behavior is nothing short of horrifying however. If you use a Xiaomi browser, you should ditch it ASAP.


I investigated the inner workings of 's Mint Browser and summarized it in a blog article. In short: it's as bad as the Forbes article suggests, and even worse. That browser is spyware, exfiltrating an enormous amount of data.


Whisper app: yet another company which had no qualms about collecting as much data of their presumably anonymous users as possible. And then they carelessly exposed the dirty secrets to the public, along with identifying metadata.


While Avast is planning to shut down Jumpshot, there is an ongoing investigation into their practices. I wonder how this will go, according to Avast they are fully compliant...


Show thread

Even this limited sample contains lots of names, email addresses and even home addresses of Avast users. Jumpshot customers could have easily deanonymized the users the data belongs to, and some probably did.

Show thread

I got my hands on a sample of Jumpshot data. My analysis confirms what everybody already suspected: Avast failed anonymizing the data they sold, leaving plenty of personal data untouched.


I'm rather late to the party but the Avast story took the not quite unexpected turn. I wonder whether this investigation will really conclude that Avast's practices were all GDPR-compliant.


keeps stating that any data shared with was "de-identified." Experts have been skeptical (in fact, I found a four years old quote from @gcluley on the matter) and I now found quite a bit of info suggesting that they were right.


I finished analyzing updates to Avast Online Security extension. It is indeed far more privacy friendly now and properly respecting user's choices. Quite surprising development given how they denied anything being wrong with it.


Did you expect "Avira Browser Safety" to offer you shopping deals? Me neither, and I also didn't expect this to be implemented by running remote code in the context of the extension or any website. @Avira


Apparently, extensions have been removed from both and add-on stores now. Not sure who made it happen on Google's side but big thanks!


My blog posts on security vulnerabilities are only due in January. However, when doing my research I noticed a massive issue in their products. I've written about it now, and if you are an Avast user you should definitely read this. palant.de/2019/10/28/avast-onl

Not the conclusion I expected: "The point should no longer be that we want the right to use the web anonymously to remain. We should rather fight to get this right back, because at some point somewhere along the way we lost it and nobody noticed." This post is the more explicit version of my thread here yesterday.


I wish I could say that these revelations about Amazon Echo privacy were surprising but they are not. Two weeks ago I looked into how Echo works and apparently this device has neither speech recognition nor a voice synthesizer. heise.de/newsticker/meldung/Am

Show more
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.