Amazon Sued Over Illegal Retention of Child Recordings Through Alexa



Amazon is being sued by a Massachusetts woman for unlawfully recording and storing the voices of children with its Alexa-enabled devices; the lawsuit filed in Seattle this week, claims that Amazon is contributing to a massive database by harnessing private details of millions of Americans via voice recordings.
Children, as a matter of fact, don’t fully understand the “potentially invasive uses of big data by a company the size of Amazon” and they “use Alexa without any understanding or warning that Amazon is recording and voice-printing them”, according to the lawsuit.
Criticizing Amazon’s methodologies, the two law firms, Quinn Emanuel Urquhart & Sullivan and Keller Lenkner alleged that the company decides to retain the actual voice recordings in spite of having an option to encrypt user voices. According to the complaint filed by these firms on behalf of an anonymous minor, Amazon stores the voices to examine it in the future and deploy the same for commercial profit.
Referencing from the Lawsuit, “It takes no great leap of imagination to be concerned that Amazon is developing voiceprints for millions of children that could allow the company (and potentially governments) to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home,
The company is “allowing workers around the world to listen to the voice recordings and creating voiceprints of the users, which can be used to identify them when they speak to other devices in other locations,” the lawsuit reads.
Referenced from the statements given by a spokeswoman to BBC, “Amazon has a longstanding commitment to preserving the trust of our customers and their families, and we have strict measures and protocols in place to protect their security and privacy.”
Commenting on the matter during his conversation with Yahoo Finance,” Travis Lenkner, one of the plaintiffs’ attorneys, said,
“The legal theory is very straightforward. These kids themselves never consented, if they even could. No one such as a parent ever consented on their behalf,”
“Amazon purports to obtain consent to record individuals who set up an Alexa-enabled device,” the complaint states. “But there is a large group of individuals who do not consent to be recorded when using an Alexa-enabled device and who use Alexa without any understanding or warning that Amazon is recording and voice printing them: children.”
“Every recording that is made of a child, by Amazon through the Alexa software in one of these nine states is ... a per se violation of the privacy laws of those states and carries statutory penalties along with it,”
Delving further into the matter, Lenkar explains “It builds voiceprints of individual users”, “so if a child uses an Alexa device in California, and then uses another one in Washington, Amazon theoretically knows it’s the same person.” The device creates a unique identity for each person based on their voice.”
The fact that Amazon could potentially overwrite the voice recordings and yet chose not to, given that doing so would not hinder the performance of the assistant, further worsens the matter on which the company is expected to provide answers in greater detail very soon.





Matrimonial Sites an Easy and Fast Platform to Dupe Brides-To-Be



Cybercrimes are at a rise once again and this time it's the matrimonial sites turning into a rather easy platform for those out to dupe the brides-to-be.

The recent case of a Hyderabad based software engineer who in the hopes of finding an ideal counterpart for her on a rather well-known and popular matrimonial site wound up giving up Rs 30,000 to somebody impersonating an All India Institute of Medical Sciences (AIIMS) Doctor.

Neha Saxena, the victim, has lodged a complaint at the Cyber-Crimes police station against the individual who hoodwinked her, said that she had given him the cash supposing he was a surgeon at AIIMS. First it was Rs 30,000 on the 7th of March and then it was Rs 20,000 more on the 20th of March.

Alarmingly, this is a not an irregular case as cyber matrimonial fraud is on the quick ascend, much to the worry of the cops, as in the previous six months alone more than 100 such cases have resurfaced.

U Rammohan, SP, Digital Violations, CID, says "There was an instance where an employee of a star hotel, posing as an IIT graduate with a salary of Rs 50 lakh per annum, duped up to 11 women. However, only one woman was ready to lodge a complaint, which is also a reason for the lack of swift action,"

Top cybercrime specialists said that most women neglect to report such cases as they dread harm of their reputation. In many cases though, women are also subjected to physical molestation and in some the victim were contacted over telephone and hoodwinked citing to personal emergency even surgery in some instances.

By and large, as the police say the fraudsters use profile information of actual person to reach the victim to anticipate doubt and shockingly enough women also are into matrimonial fraud.

The cybercrime police of the city thusly caution the many individuals who are already registered on such sites advising them to stay wary and alert.



Canadian Investigation Found Facebook to be Violating Privacy Laws



On Thursday, Canadian officials said that owing to its assailable security algorithms, Facebook exposed sensitive information of millions of its users. It has been counted as a critical failure on the company’s part which it did admit to letting happen but denied to fix.

Facebook has violated local as well as national laws when it gave access to private data of millions of its users to third parties, according to an investigation conducted by the information and privacy commissioner of British Columbia and the privacy commissioner for Canada.

The company CEO, Mark Zuckerberg put forth an apology for the major breach of trust that happened in the political scandal associated with Cambridge Analytica, however, they did not take into consideration the issued recommendations regarding the prevention of further exploitation of user data.

Putting the same into perspective, at a news conference, Daniel Therrien, head at federal privacy watchdog, said, “There’s a significant gap between what they say and what they do,”

As the regulators decided to push Facebook to a Canadian federal court which is likely to impose fines on the company, Mr. Therrien told that, “historically there have been very small penalties — in the tens of thousands of dollars.”

Facebook told the investigators that it does not agree with their findings, in response, Mr. Therrien said, “I find that absolutely untenable that a company can tell a regulator that it does not respect its findings.”

Furthermore, he asserted the need to have more authorities for the inspection of companies and even strict privacy laws in the North American country, Canada.

Reportedly, Facebook has denied audits of its privacy procedures and said that it has taken necessary measures against the problems raised by the investigators.

Referenced from the statements given by Facebook on the account, “there’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information.”

“After many months of good-faith cooperation and lengthy negotiations, we are disappointed” that regulators consider the issues raised in this report unresolved,” the company added.




Facebook 'unintentionally' uploaded the email addresses of 1.5 million users without their knowledge


On Wednesday, Facebook admitted that it happened to upload email addresses of 1.5 million users without their consent. However, the contacts were not distributed to anyone and the company said that all the users whose email addresses were uploaded will be sent a notification stating the same.

While the company is in the process of deleting the imported contacts, it said that it had no intentions of uploading these user contacts and will delete them soon.
In the recent years, Facebook fall prey to various security-related problems, including the major Cambridge Analytica political scandal which revealed that the personal data of millions of users has been harvested from their Facebook profiles by Cambridge Analytica to be used for political purposes; another major hit that the company took was a glitch which put to risk the passwords of millions of people.
Facebook has been battling public relation issues for the management of its users’ personal data which it shared with app developers who paid handsomely for advertisements and those who were friends with the company CEO, Mark Zuckerberg.
This month, sensitive documents dealing with internal deliberations over personal data of users were leaked. The documents, which comprised of presentations, emails, meeting summaries and spreadsheets, were shared by a British journalist to various media outlets, as per by NBC News.
Reportedly, the documents indicated deliberations over the selling of users’ data to third-party app developers and seemingly, Facebook decided against it. However, they opt to share the data with CEO Mark Zuckerberg’s friends who in-turn provided their valuable data or spend a huge amount of money on Facebook advertisements.  
A report indicated that Facebook finalized deals of sharing their user data with developers of Sony, Microsoft, Tinder, and Amazon, whereas access to the same information to others was restricted by Facebook.
Referencing from the statements given by Facebook VP and Deputy General Counsel Paul Grewald, 'The documents were selectively leaked as part of what the court found was evidence of a crime or fraud to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we've never sold people's data,
'The set of documents, by design, tells only one side of the story and omits important context,' he added.  





US Court Authorizes Microsoft to be in Charge of 99 Hacking Sites


Microsoft has been legally given the control of 99 websites which were being operated in association with an Iranian hacking group, Phosphorus. 

In order to prevent the sites from being employed for the execution of cyber attacks, a US court authorized Microsoft's Digital Crimes Unit to be in charge of these websites related to the aforementioned hacking group which is also known as Charming Kitten, Ajax Security Team and APT 35.

The malicious group, Phosphorus is configured to employ spear-phishing to sneak into private accounts of individuals. Cybercriminals at Phosphorus resort to social engineering in order to lure individuals to click on the links, at times sent via fake accounts that appear to be of familiar contacts. The link carries infectious software which allows Phosphorus to sneak into the computer systems.

Basically, it performs malicious activity to acquire access to sensitive data stored onto the computer systems of government agencies and businesses.

Putting the same into context in a blog post, Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft, said, "Its targets also include activists and journalists - especially those involved in advocacy and reporting on issues related to the Middle East,"

"Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013,"

"Phosphorus also uses a technique, whereby it sends people an email that makes it seem as if there's a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems," Burt told in his blog post.


Commenting on the matter, Microsoft said, "The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit's sinkhole."

WhatsApp May Oppose the Demand for Traceability of Messages




The government wants to probe into the sources of inciting and provocative messages and posts which have led to violence across the nation, incidents of lynching and various other controversial issues.

In order to do so, it has proposed certain guidelines that would require Whatsapp to unveil information regarding the origins of messages.

As doing so will contradict the end-to-end encryption WhatsApp provides, the company will oppose the proposed regulations. It will also be violating free speech and privacy rights. 

The intermediary guidelines which are reported to be made public after elections will include jail terms and penalties for heads and officials of various messaging platforms and social media companies for non-compliance.

Reasoning WhatsApp’s failure to act in accordance with the proposed guidelines, a person said, “WhatsApp feels the proposed guidelines are too broad and not in sync with privacy protection norms that are important to people everywhere,”

“What is expected from the rules is just not possible considering the end-to-end encryption the company provides — it would mean a new product.” He added.

The Facebook-owned app, which did not answer all the questions, believes that confidentiality is one of the key aspects of what they have to offer. They feel that gathering private information of users is contradictory to the whole idea of WhatsApp which was primarily designed to keep the conversations private. 

Putting the same into perspective, another person said, “The company will continue to push back against government’s attempts that it feels weaken its end-to-end encryption feature,”

While defending its stance on safety and privacy, WhatsApp previously said, “People rely on WhatsApp for all kinds of sensitive conversations, including with their doctors, banks, and families. The police also use WhatsApp to discuss investigations and report crimes,”  

“Attributing messages on WhatsApp would undermine end-to-end encryption and the private nature of WhatsApp, creating the potential for serious misuse. Our focus is on improving WhatsApp and working closer with others in society to help keep people safe.” 

Reasserting the intention of the government, an official told ET, “They don’t or refuse to understand this — we don’t want you to look into the video or the audio or content, just tell us where (it began) or who started it,”

Understanding the concern of national security and integrity, WhatsApp said that it has made essential changes in the product and has addressed misinformation via public education campaigns. Besides that, the company also made necessary alterations like limiting the times a message can be forwarded and letting people exit groups in one tap.

However, the government did not seem to be satisfied with these alterations and has continued to request for traceability.










Facebook Exposes Passwords of Hundreds of Millions of Its Users



A rather shocking vulnerability was uncovered by security researcher Brian Krebs, who reports that Facebook left the passwords of approximately 200 to 600 million users simply ‘stored’ in plain text.

A huge number of Facebook, Facebook Lite, and Instagram users may have had their passwords exposed as the aftereffect of a disturbing oversight by the social networking company.

Facebook just previously learned of the issue this past January and has since affirmed the shocking security failure, yet persists it has fixed the issue and has not discovered any proof that the data was 'abused.'

Albeit all users whose passwords were exposed will be informed, the 'shocking flaw' comes so far another blow to the already melting away trust of numerous Facebook users in the midst of the two years of consecutive privacy scandals.

The firm is as yet attempting to decide precisely the exact number of passwords which were exposed and to what extent, assures a source at Facebook who cautioned Krebs of the issue in the first place.

 ‘It’s so far unclear what caused some users’ passwords to be left exposed. To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them, we estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.'
            - Facebook released a public statement with Krebs' report and affirms that it revealed the plain text passwords amid a standard security review in January.

In any case while Facebook says no password reset is as such required, it will caution the users if their information has been abused or will be abused in any way, the security experts still recommend the users to change their current passwords.



Hackers Tracking Location History via Google Photos Vulnerability


A vulnerability has been found in the web version of Google photos which lets malicious websites access the sensitive information related to the photos such as date and geographic coordinates.

On the basis of this metadata information of your photos, they will be tagged by Google photos automatically.

The metadata of any photo allows details to be moved along with the photograph file which is readable by end users, hardware and software.

How the Hack Functions

To begin with, the hackers have to befool the user and trick him into accessing the malicious website while he is logged into his Google Photos account.

As soon as the malicious website opens in the web browser, it generates answers to the questions the attacker has by stealthily generating requests to the Google Photos search endpoint.

As stated in a report by Imperva, the hacker can keep a record of the queries which have been already asked and resume the process from there on upon your next visit onto any of his infectious websites.

Reportedly, the vulnerability has been patched by Google after Imperva brought it to their knowledge.





Hacker Puts Up For Sale the Data of Six Companies, Totalling 26.42 Million User Records



Gnosticplayers, a hacker who already is for the most part known for putting up for sale more than 840 million user records in the previous month has yet again made an appearance and has returned with a fourth round of hacked data that he's selling on a dark web marketplace.

Ever since February 11 the hacker has set available for sale, data for 32 companies in three rounds on Dream Market, a dark web marketplace. This time, Gnosticplayers is more focused on the information of six companies, totalling 26.42 million user records, for which he's asking 1.2431 bitcoin which is approximately $4,940.

The difference between this Round 4 and the past three rounds is that five of the six databases Gnosticplayers set available for sale were gained amid hacks that have occurred a month ago, i.e. in February 2019. What's more, it merits referencing that a large number of the companies whose data Gnosticplayers has sold in the past three rounds have already affirmed breaches.

The six new companies targeted this time are , namely game dev. platform GameSalad, Brazilian book store Estante Virtual, online task manager and scheduling applications Coubic and LifeBear, Indonesia e-commerce giant Bukalapak, and Indonesian  student career site YouthManual.


"I got upset because I feel no one is learning,” the hacker said in an online chat "I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry."

He says that he set up the data for sale essentially in light of the fact that these companies had neglected to ensure their passwords with solid encryption algorithms like bcrypt.

Albeit simply the last month the hacker said that he needed to hack and put up for sale more than one billion records and after that retire and vanish with the cash. But in a recent conversation, he says this is not his objective any longer, as he discovered that various other hackers have already just accomplished the similar objective before him.

Gnosticplayers likewise revealed that not every one of the information he acquired from hacked companies had been put on sale. A few companies surrendered to extortion demands and paid expenses so that the breaches would stay private.





Facebook to be reoriented towards user privacy and encryption says Mark Zuckerberg



On Wednesday, Facebook’s CEO, Mark Zuckerberg put forth a reoriented model of privacy for the social media platform which has continued to encourage generation after generation to share what’s up with their life via pictures and status updates.

In an essay Mark posted on his account, he announced his future plans regarding Facebook which are focused on safety, interoperability, private interactions, encryption, secure data storage and reducing permanence.

After consistently being in news for security issues, the company has finally decided to appropriately position itself for an unknown time which is yet to come. Seemingly, the plan of action has been fuelled by the descending trust of the users and ongoing arguments with regulators across the globe.

Explaining the new model, Zuckerberg told that Facebook would be subjected to a change which would remodel the platform after a living room, where people will have complete control over who can communicate with them and a trust that no one else can access what they share, which is in contrast to the initial model which was based into broadcasting information to large sections.

Referencing from Zuckerberg’s Facebook post, “Public social networks will continue to be very important in people's lives -- for connecting with everyone you know, discovering new people, ideas and content, and giving people a voice more broadly. People find these valuable every day, and there are still a lot of useful services to build on top of them. But now, with all the ways people also want to interact privately, there's also an opportunity to build a simpler platform that's focused on privacy first.”

“In a few years, I expect future versions of Messenger and WhatsApp to become the main ways people communicate on the Facebook network. We're focused on making both of these apps faster, simpler, more private and more secure, including with end-to-end encryption. We then plan to add more ways to interact privately with your friends, groups, and businesses. If this evolution is successful, interacting with your friends and family across the Facebook network will become a fundamentally more private experience.”

The subtle and skeptical reactions to Mark’s announcement included privacy advocates questioning about the data that is collected for Facebook’s benefits, they asked if the practice will be minimized. Meanwhile, they asserted on the CEO’s need to talk beyond encryption and prioritize answering the questions on data collection for business purposes.

Referenced from the statements given by Jess Chester, executive director of a nonprofit privacy advocacy group in Washington, “Why does it always sound like we are witnessing a digital version of Groundhog Day when Facebook yet again promises — when it’s in a crisis — that it will do better,”

“Will it actually bring a change to how Facebook continually gathers data on its users in order to drive big profits?" He added.

Commenting on the matter, Jennifer Grygiel, assistant professor of communications at Syracuse University, questioned, “What’s not clear is how they are going to make this transition safely. We have already seen the risks associated with WhatsApp and private encryption in India, for example, where misinformation has led to mobs and the loss of life,”

Studies suggest that consumer trust in Facebook took critical hits due to continuous exploitation of users’ data. In terms of reputation among 100 highly visible public companies, Facebook fell from being 51st to 94th last year. Moreover, certain Facebook user polls implied people entirely getting rid of the app by uninstalling it.

While acknowledging the reduced trust quotient in his post, Zuckerberg wrote, “I understand that many people don’t think Facebook can or would even want to build this kind of privacy-focused platform — because frankly we don’t currently have a strong reputation for building privacy protective services, and we’ve historically focused on tools for more open sharing,” he said. “But we’ve repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories.”


To Zuckerberg’s proposal of a future which would look different, Twitter bore witness to another skeptical remark as Ashkan Soltani, a former Federal Trade Commission official and privacy researcher, said “This move is entirely a strategic play to use privacy as a competitive advantage and further lock in Facebook as the dominant messaging platform.”

Hackers Target Popular Instagram Profiles


Cyber Hackers have now set their sights on the Instagram accounts of high-profile and social media influencers with phishing emails so as to gain access to their accounts before the influencers can even comprehend what's going on.

As indicated by sources it was reported that the hackers have especially targeted those Instagram profiles that have followers somewhere in the range of 15,000 and 70,000. Their targets for the most part go from well-known actors and artists to even proprietors of new companies.

Starting with the phishing emails showing up from Instagram requesting that the user should verify their accounts to get the 'Verified' batch on their respective Instagram profiles; it takes them to the phishing page that requests the following user certain details such as their date of birth, email, and credentials.

Once submitted, a batch notification shows up, yet for just four seconds. This is a trap to give the users the feeling that their profile has been verified thusly.

A visualization of how the hackers are stealing the Instagram profiles
As the user enters the credentials in the phishing page attackers gain access to those credentials and by utilizing them they access the Instagram profiles and change the data that requires recouping the stolen account.

The attackers change the username of the stolen address to show that it is hacked and use it to change the email address, over and over in order to trap the users with security emails making them feel as though the changes made were legitimate indeed.

Screenshot of the phishing email asking the user to verify his Instagram account
That is exactly what happened to a photographer who had approximately 15,000 followers on Instagram, when she had her account stolen.

The hackers nowadays have therefore, without any doubt become experts in areas where they 'lure' the victims into handing out their personal information to get a motivating force, particularly like the blue batch on their profiles and their mimicry of Instagram's messages nearly seems real.

Hence, here are some of the warnings users and organizations can keep an eye out for and eventually protect their accounts from being hacked;

1. Use of domains other than the social network's own
2. Dubious font styles (i.e., utilization of screenshots rather than genuine pictures)
3. Incorrect language and punctuation 
4. Emails that request credentials; social networks never request them outside of their real, secure login pages
5. Spam filters and Antispam portals.



Hackers Targeting Retail Websites and Online Shoppers via Formjacking



With the advent of online shopping, the e-commerce market has skyrocketed and by 2022, the figures are expected to touch a whopping $150 billion. The ever-expanding arena of e-shopping has given cybercriminals even more reasons to exploit user data employing all new ways. The most recent hacking method which affects online shoppers is known as ‘Formjacking’.

What is Formjacking?

It is a virtual ATM skimming method which is employed by cybercriminals to insert malicious codes into retail websites. These codes are programmed to leak payment details of the shoppers along with their card details.

A report from Symantec suggests that every month, over 4,800 different websites fall prey to Formjacking. It has also been observed that the number of Formjacking attacks has been increased over the past year and the data is also being sold on the dark web.
Referencing from the report, “By conservative estimates, cybercriminals may have collected tens of millions of dollars last year, stealing consumers’ financial and personal information through credit card fraud and sales on the dark web, with a single credit card fetching up to $45 in the underground selling forums,”
Expressing concern on the matter, Greg Clark, CEO, Symantec, said “Formjacking represents a serious threat for both businesses and consumers,”
 “Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft. For enterprises, the skyrocketing increase in Formjacking reflects the growing risk of supply chain attacks, not to mention the reputational and liability risks businesses face when compromised,”



Attention Binge-Watchers! A New Netflix Scam Is On the Loose






Netflix users, become the target of yet another cyber-attack, this time as a phishing scam email requesting for the users to update their billing information so as to unlock their accounts.

The email scam says that the user account has been briefly suspended because of a few issues in the "automatic verification process" in this way, to unlock their accounts, the users would need to update their billing information i.e. the details of their payment method and credit/debit cards.

Since the user will have to login to their respective Netflix accounts they will be in danger of having their 'identity' stolen and their bank account will be at risk of being cleared.

This kind of scam isn't new though, particularly for huge brands, such as Netflix.

"Unfortunately, scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information," a Netflix spokesperson said.

The email security service responsible for detecting the Netflix phishing email and releasing an announcement advising users to be alert was MailGuard ,which is known to detect and block the "criminal intent" messages.

Despite the fact that Netflix utilizes various proactive measures to distinguish such fake exercises, a spokesperson from the 'streaming giant'  told media and the users who need to figure out how to guard their Netflix personal data from scams to visit netflix.com/security or contact customer service directly when situations similar to these arise.

What's more, in the event that if the user has already entered their details on the phishing page, he prompted them to change passwords for the account being referred to, be it Netflix or some other service.

Furthermore, on the off chance that they've entered the payment information, then immediately contact their bank to block their cards and along these lines prevent any exchanges.


Apple's Delayed Response On FaceTime Flaw has put their Commitment to Security into Questioning


On 19th of January, an Arizona based teenager, Grant Thompson while using Apple’s FaceTime discovered an unusual bug which allows eavesdropping on the person being called. Thompson deduced the same when he was able to eavesdrop on the friend he called before the call was even answered.

Immediately after, Grant’s mother, Michele Thompson attempted to inform Apple of the hack by sending a video of the flaw which put to risk the privacy of millions of iOS users. When her warning did not fetch any response from the company, she resorted to other channels of communication like emailing, faxing and tweeting. She even tried to connect with Apple’s security department via Facebook.

It was on Friday, Ms. Thompson’s warning was entertained and she was encouraged by the product security team of Apple to create a developer account and then file a formal bug report.

On Monday, acknowledging the presence of the flaw, Apple said, “identified a fix that will be released in a software update later this week.” However, the company left unaddressed the question of how the flaw passed through quality assurance and what took the officials so long to respond to Ms.Thompson’s warnings.

The Group Facetime was disabled by Apple and it was said that the same is running on a fix but the fact to be noticed is that the company hurried to take action when a different developer brought the issue to their knowledge after it was also being addressed in an article which went viral.

As Apple is known for its unassailable security and the continuous advertising of its bug reward program, the delay in the responses and the preventive measures taken by the company has put its commitment to safety and security into questioning.

Insisting on their commitment to safety, the company’s chief executive, Tim Cook tweeted, “we all must insist on action and reform for vital privacy protections.”

How the flaw works?

It is a highly rare security flaw which allows such remote access and is so simple to be executed. After adding a second individual to the group FaceTime call, one can access the audio and video of the initial person called without even requiring him to answer the call.

Referencing from the statements given by Patrick Wardle, the co-founder of Digita Security, “If these kinds of bugs are slipping through, “you have to wonder if there are other problematic bugs that other hackers are exploiting that should have been caught.”




Users Making Themselves Vulnerable To Hackers; Keeping Outdated Versions of Popular Applications on Their Pcs




The users and their own personal information are rapidly becoming to be vulnerable against security risks proves yet another research from the global security company Avast as it discharged its PC Trends Report 2019.

As per the said report the users are making 'themselves' defenseless against hackers by not implementing the security patches and keeping out-dated versions of well-known applications on their PCs, these include Adobe Shockwave, VLC Media Player and Skype.


This is a matter of grave concern as out-dated software's are turning into the greatest dangers of cyber-attack , as they give hackers unapproved access to the framework as well as the known vulnerabilities with which they can easily exploit the user in question.

 “While most of us replace our smartphone regularly, but the same cannot be said for our PCs. With the average age of a PC now reaching six years, we need to be doing more to ensure our devices are not putting us at unnecessary risk, but with the right amount of care, such as cleaning our hardware's insides using cleaners, optimisation and security products, PCs will be safe and reliable for even longer," says Ondrej Vlcek, President, Avast.

The report is said to have accumulated information from approximately 163 million devices over the globe, and has even covered the most popular PCs, software, hardware equipment utilized today in on a worldwide basis. Among the applications installed 55% of them are not their latest versions, those applications utilizing the structures and tools, contain vulnerabilities and for security reasons ought to be updated as soon as possible.

The most installed softwares of 2018 include, Google Chrome, Adobe Reader, WinRAR, Microsoft Office, and Mozilla Firefox.

PayPal Credentials Stolen Through Phishing Attacks




Recently an in-developed ransomware has been found that attempts to take the user's PayPal credentials through a phishing attack notwithstanding encrypting files. The ransomware itself is 'unremarkable', yet the cleverest part is the ransom note as it offers a choice to the user to pay through PayPal just as the typical Bitcoin course.

Found by the MalwareHunterTeam, the trick offers criminals a one-two punch of advantages: Individuals who pay utilizing the internet's payment technique will be coordinated to a persuading looking phishing website which will endeavor to take the unfortunate user's PayPal credentials.

Be that as it may, in case of the PayPal phishing site choice when users tap on the "Buy Now" button, they are thusly directed to the Credit card part of the phish, in this way skirting the login.

What's more, when the victim submits their data, it is sent to http://ppyc-ve0rf.890m.com/s2 [.]php, where personal data of the individual, for example, their address is stolen. The phishing page at that point tells the user that their account unlocked and they are diverted to the PayPal login page and incited to sign in.

Since ransomware is growing to be progressively advanced and for this situation, it's much increasingly deadly joined with yet another attack vector i.e. phishing. Consequently it's not constantly conceivable to abstain from being hit by ransomware, yet in the event that one is, some basic steps can help diminish its effect.

Jake Moore, cyber security expert at ESET says this phishing attempt “inherently uses classic techniques that have been used for years and can usually be overcome by educating users” later adds,  “Targets will always need to be on guard when sent to a link and it’s vital they actively check the URL - especially when the phishing site looks very genuine.”

In this manner the most reasonable activity is not to give away one’s personal details except if one is certain beyond a shadow of a doubt that the site is genuine. Also abstaining from tapping on any link or download or open a document except if the user is certain that it is from a 'reliable source'.


Detection of Suspicious Activity Leads Reddit into Locking Down Its Users Account




The discovery of a suspicious activity has driven Reddit into 'locking down’ a substantial number of its user accounts as a security concern.

Reddit brought up that the main cause of the accounts lockdown is caused by the utilization of straightforward and simple to detect passwords on its site and from the reuse of those passwords on different services. However, the users claim that they were still locked out of their accounts even after utilizing solid passwords and not utilizing the Reddit credentials on different sites.

While a few users reported that their accounts were locked in spite of the fact that the activity page indicates they were the only ones getting to them, others rather revealed that somebody got to their accounts and were accessing them from numerous locations around the world.

The users who were unfortunately locked out from their accounts were requested yet again to reset their passwords to re-establish their respective accounts.

 “Over the next few hours, affected accounts will be allowed to reset their passwords to be unlocked and restored. This will take the form of either a notification to the account (yes, you’ll be able to log in to get it) and/or an email to any support ticket you’ve already sent in.

It may be a little while before you receive your notice, but please be patient. There’s no need to file additional support tickets or send messages to the admins at this time. If you haven’t seen any update by tomorrow, contact us at that time via the Help Centre.

We’re sorry for the unpleasant surprise and are working to get you all back to redditing as usual. I’ll be monitoring this thread for a while to answer questions where I can, but please keep in mind we can’t answer most account-specific inquiries in public,” concluded the Reddit Admin.



Google Wins a Dismissal of a Lawsuit over the Biometric Privacy Act


The world's largest search engine had a lawsuit filed against it by its users, allegedly stating that Google had violated the privacy of its users by utilizing facial recognition software to examine their photos without their consent.

U.S. District Judge Edmond E. Chang in Chicago dismissed it referring to an absence of "concrete injuries" to the offended parties.

The original suit was known to have been documented in March 2016, a user sued Google for supposedly transferring their information to Google Photos by means of using the facial recognition software and further scanning it in order to create a template of their face without their permission, all the while crossing paths with a unique Illinois law.

In spite of the fact that Google is the first among those well-known who violated the law explicitly as Snapchat and Facebook also have had faced lawsuits for the same ,  Google emerges as the first to prevail upon a dismissal of a lawsuit over the biometric security act.

Google's triumph comes in the midst of open public backlash against the U.S. technology goliaths over misusing of user information and expanded the further examination of privacy policies.


Twitter API Bug Enables Third Party Access to User Data



An API bug found earlier this month that could host unapproved third-party developers in order to gain access to the user's information on Twitter was as of late looked for and removed by the said social networking site.

The bug was said to affect the permission dialog while approving and authorizing certain applications to twitter and left direct messages to be exposed to the third party without the user's knowledge. Instead of the OAuth token-based method, bug manifested with applications that require a PIN to finish the authorization procedure.

Terence Eden, who found the issue and thusly reported it to Twitter describes it as one coming directly from the official Twitter API keys and the privileged insights being uninhibitedly accessible, enabling the application developers to get to the Twitter API even without the administration's approval.

In spite of the fact that Twitter upheld a few confinements to anticipate imitating the official applications by utilizing the keys to divert to an alternate application than the one they are related with. They utilized a strategy to limit 'callback URLs', so a developer couldn't utilize the API keys with their application.

Yet, shockingly this assurance was not comprehensive, since some applications don't utilize a URL, or they may not bolster call-backs and for these, Twitter at that point resorts to a secondary, PIN based, approval system. Later on, Eden saw that the applications did not demonstrate the correct OAuth details to the user. For reasons unknown, the discourse wrongly informed the user that the application could not be able to access the direct messages, although the inverse was valid.




The researcher submitted his discoveries through HackerOne on November 6 and the issue was acknowledged around the same time subsequent to giving elucidations and exhibiting the privacy violation problem.

Nonetheless Twitter settled the issue on December 6 subsequently informing the analyst that he could distribute the subtleties of his report.



Telegram's 'secret chat' feature stores conversations in plain text



The desktop variant for Telegram for dispatched a new feature called 'secret chats' for the users who wish for complete privacy for their communication. It occurred in this way, that the Telegram secure messaging app was unsuccessful in protecting the chat content locally and thusly offered access to plain text conversations and media that generally was encrypted.

Since Telegram's attention towards administering secure communication is notable the application utilizes encryption to guarantee that an outsider can't peruse the conversations on their way to the 'destination' and by using end-to-end encryption it ensures that just the sender and the receiver can get to the content.



These safety measures are against altering or breaking privacy in transit; the conversations and media files Telegram Desktop stores locally are genuinely simple to access and read since they are not encoded.

Nathaniel Suchy, a reverse engineer and software developer, was, fortunately, able to peruse the application's database and the messages spared there. Suchy said that  “Telegram uses a somewhat difficult to read, but otherwise, not encrypted, SQLite Database to store messages. By analyzing raw data converted to a simpler viewing format, I also found names and phone numbers that could be correlated to one another. Even so, the information is not easy to read, but custom scripts could help make the details stand out in a more intelligible way and automate the extraction.”


The researchers have proven the 'secret chat' feature as it turned out that every one of the messages goes to a similar database, regardless of whether they gain from end-to-end encryption or not. Even Media documents are not far behind as they have a very comparative destiny.

Telegram Desktop features highlights passport protection to counteract unapproved access to the application, yet this security choice does not include encryption. A technically knowledgeable and excessively inquisitive computer user could still be able to access some other users' chats.


Ensuring the information saved locally is conceivable by empowering full disk encryption from the operating system. This is accessible on Windows through BitLocker, on macOS through FileVault; the feature is available on Linux too.