Facebook, Instagram now mine web links you visit to fuel targeted ads

Also: Twitter hijackings, BEC arrest, and critical vulnerabilities


Infosec in brief We gather everyone's still easing themselves into the New Year. Deleting screens of unread emails, putting on a brave face in meetings, and slowly getting up to speed. While you're recovering from the Christmas break, Meta has been busy introducing fresh ways to monetize your web surfing habits while dressing it up as a user experience improvement.

The latest attempt to extract more sellable data comes in the form of link history, which lists the webpages you've visited using the browser built into Meta's apps. Link history stores records for 30 days, can be used to recall pages previously read, and excludes links sent in messages. This could be convenient, to be sure.

Less prominently mentioned on help pages describing the feature on Facebook and Instagram is, of course, perhaps the real reason for the capability: "We may use link history information from our browser to improve your ads across Meta technologies." 

And there we have it: A new feature that's actually a way to boost targeted advertising after changes by Apple and others hobbled Meta's ability to collect info on its users. If you don't want to be hit with adverts tailored to your browsing habits, the help pages for the feature on Facebook and Instagram explain how to turn link history off.

Critical vulnerabilities: A very patchy new year

There's no rest for security teams heading into 2024, with the past week bringing us several security fixes for critical vulnerabilities, including several newly-reported issues in Chrome.

The latest stable channel release for Chrome Desktop includes six security fixes, four of which Google singled out for recognition in the release notes. Two issues in ANGLE were addressed, as were use after free issues in WebAudio and WebGPU. Patch ASAP!

Elsewhere:

  • CVSS 9.8 - Multiple CVEs: Rockwell Automation FactoryTalk Activation Manager software v4.00 contains a couple of out-of-bounds write bugs that could give an attacker full system control.
  • CVSS 9.8 - CVE-2023-6448: Unitronics Vision Series PLCs and HMIs are being shipped with default administrative passwords that need changing and CISA warns it's under active exploitation.
  • CVSS 9.6 - CVE-2023-39336: Ivanti Endpoint Manager 2022 SU4 and all prior versions are vulnerable to SQL injection by anyone with access to the same network as a vulnerable machine.

A couple of new exploits have been detected being used in the wild this week, too:

  • CVSS 8.8 - CVE-2023-7024: We reported on this Chrome heap buffer overflow at the end of last year.
  • CVE-2023-7101: There's no CVSS score available for this newly-discovered vulnerability in Spreadsheet::ParseExcel, a Perl module used to parse Excel files. Input isn't being validated properly, opening up an RCE window. 

Watch out for Twitter hijackings

If you missed it, Google-owned security firm Mandiant embarrassingly had its Twitter account hijacked this past week for a short while and turned into a pitch machine for cryptocurrency scams. 

Another victim, web3 firm CertiK, was hit by a similar group of miscreants as well. As in Mandiant's case, CertiK's hijackers tried to trick the firm's crypto-conscious followers into falling for scams. 

It's not entirely clear how either incident happened. Mandiant noted: "As you likely noticed ... Mandiant lost control of this X account which had 2FA enabled. Currently, there are no indications of malicious activity beyond the impacted X account, which is back under our control. We'll share our investigation findings once concluded."

Consider the hijacks a reminder: Don't just check that 2FA is still enabled on your X account; make sure the second factor itself can't be phished or relayed along with your login credentials. SMS and authenticator-app codes can be captured by a lookalike login page and replayed in real time, whereas a hardware security key is bound to the site's origin and can't be passed through that way.

Apropos of nothing, we couldn't help but notice the chief exec of a collapsed crypto fund seemingly never existed in the first place...

Nigerian not-a-prince cuffed over BEC

A Nigerian national has been arrested and is awaiting extradition to the US on charges he defrauded two American charities out of more than $7.5 million via a business email compromise scheme. 

According to the US Justice Department, Olusegun Samson Adejorin allegedly purchased a credential-stealing tool and used it to harvest details for the two charities, one in Maryland and the other in New York. 

Using the stolen credentials, Adejorin allegedly asked the Maryland charity's bank to release large sums of cash to the New York charity. This isn't immediately suspicious, as the New York charity used the Maryland one for investment services. Withdrawals over $10,000 required approval from the Maryland charity, which Adejorin, allegedly having a foothold in both firms, was happy to provide. The bank details, of course, weren't for the New York charity, but controlled by Adejorin, it is claimed.

It's not clear how Adejorin was caught, but if convicted, his sentence could be considerable. Facing eight counts, the Nigerian could do up to 20 years for each of five wire fraud charges, five years for unauthorized access to a protected computer, and two years each for two counts of identity theft. ®
