Hey #Feedly, don’t you want to start using Referrer Policy on your website? Currently, when your users click a link you will typically leak their user ID and some info about how they organize their feeds via the Referer header. #privacy
The data collected by the Microsoft Bing mobile app was apparently exposed to anybody looking. And while this is bad enough by itself, the question to ask is always: why was it necessary to collect such detailed data? #privacy #Microsoft #Bing #infosec
I've published an update on the #Xiaomi #privacy situation (no technical details this time). Yes, a change has been implemented. The default behavior is nothing short of horrifying, however. If you use a Xiaomi browser, you should ditch it ASAP.
I investigated the inner workings of #Xiaomi's Mint Browser and summarized it in a blog article. In short: it's as bad as the Forbes article suggests, and even worse. That browser is spyware, exfiltrating an enormous amount of data.
Whisper app: yet another company which had no qualms about collecting as much data of their presumably anonymous users as possible. And then they carelessly exposed the dirty secrets to the public, along with identifying metadata. #privacy
I got my hands on a sample of Jumpshot data. My analysis confirms what everybody already suspected: Avast failed to anonymize the data they sold, leaving plenty of personal data untouched. #Avast #Jumpshot #privacy
I'm rather late to the party but the Avast story took a not quite unexpected turn. I wonder whether this investigation will really conclude that Avast's practices were all GDPR-compliant. #Avast #privacy
#Avast keeps stating that any data shared with #Jumpshot was "de-identified." Experts have been skeptical (in fact, I found a four-year-old quote from @gcluley on the matter) and I now found quite a bit of info suggesting that they were right. #privacy
I finished analyzing updates to the Avast Online Security extension. It is indeed far more privacy-friendly now and properly respects users' choices. Quite a surprising development given how they denied anything being wrong with it. #avast #privacy #spyware
Did you expect "Avira Browser Safety" to offer you shopping deals? Me neither, and I also didn't expect this to be implemented by running remote code in the context of the extension or any website. #Avira #infosec #privacy @Avira
My blog posts on #Avast security vulnerabilities are only due in January. However, when doing my research I noticed a massive #privacy issue in their products. I've written about it now, and if you are an Avast user you should definitely read this. https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/
Not the conclusion I expected: "The point should no longer be that we want the right to use the web anonymously to remain. We should rather fight to get this right back, because at some point somewhere along the way we lost it and nobody noticed." This post is the more explicit version of my thread here yesterday.
I wish I could say that these revelations about Amazon Echo privacy were surprising but they are not. Two weeks ago I looked into how Echo works and apparently this device has neither speech recognition nor a voice synthesizer. https://www.heise.de/newsticker/meldung/Amazon-reveals-private-voice-data-files-4256015.html
Software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant