Google Pays $5 Billion to End ‘private mode’ Tracking Lawsuit
A landmark settlement has been reached in a class-action lawsuit against Google, accusing the tech giant of breaching user privacy by tracking activity in “private mode” browsing modes.
This decision, announced on Thursday, marks a significant victory for consumers and underscores the intensifying scrutiny of Big Tech’s data collection practices, according to a BBC report.
The lawsuit, filed in 2020, alleged that Google surreptitiously tracked user activity even when browsing in “Incognito” mode on Chrome and similar “private” modes on other browsers.
According to the plaintiffs, this covert data gathering transformed Google into an “unaccountable trove of information” on user preferences and potentially sensitive online behavior.
The lawsuit further argued that Google’s practices constituted an egregious violation of user privacy, demanding immediate cessation.
In its defense, Google maintained that it had been transparent about the data it collected during private browsing, even if many users held different expectations.
The company argued that collecting search history, even in private mode, enabled website owners to “better evaluate the performance of their content, products, marketing and more.”
This rationale, however, failed to convince Judge Yvonne Gonzalez Rogers, who rejected Google’s bid to dismiss the case earlier this year, declaring reasonable doubt regarding user consent for such data collection.
The specific terms of the settlement remain undisclosed, but its mere existence represents a significant concession by Google.
The $700 million settlement announced earlier this month in an antitrust lawsuit regarding the Play Store further amplifies the company’s financial pressure due to growing concerns about its market dominance and data collection practices.
This settlement holds wider implications beyond the financial ramifications for Google.
The post Google Pays $5 Billion to End ‘private mode’ Tracking Lawsuit appeared first on Cyber Security News.
GitLab High-severity Flaw Let Attackers Takeover Account – Update Now
GitLab released security patches 16.11.1, 16.10.4, and 16.9.6 for both Community and Enterprise Editions, and upgrading to these versions is strongly recommended to address vulnerabilities.
Scheduled patch releases occur twice a month, while ad-hoc critical patches are released for high-severity vulnerabilities. Details of the vulnerabilities will be made public 30 days after the corresponding patch release.
If the described vulnerabilities affect the installation, upgrade right away. This applies to all deployment types (omnibus, source code, helm chart, etc.) unless a specific type is mentioned as exempt.
The release identifies several vulnerabilities requiring immediate attention. Under specific circumstances, an attacker could take over a GitLab account when Bitbucket is used for OAuth authentication (High).
Two vulnerabilities (High) expose GitLab to denial-of-service attacks (DoS) and allow unauthorized access to restricted files: path traversal and a Regular Expression Denial-of-Service (ReDoS) in FileFinder triggered by wildcard filters.
GraphQL subscriptions might disregard personal access token limitations (Medium), and malicious actors could bypass domain-based restrictions using a specially crafted email address (Medium).
GitLab versions before 16.9.6, 16.10.4, and 16.11.1 are vulnerable to account takeover when Bitbucket is used as an OAuth provider: under specific circumstances, an attacker with a Bitbucket account could take control of a linked GitLab account.
The critical issue (CVE-2024-4024) has been patched in the latest GitLab releases and was identified internally by the GitLab security team.
GitLab is updating its Bitbucket authentication. Before May 16th, 2024, sign in to GitLab with Bitbucket credentials so the accounts are relinked automatically; otherwise, manual re-linking will be required.
The change may affect users with mismatched email addresses between GitLab and Bitbucket. In such cases, use the GitLab username and password to log in and re-link Bitbucket.
The versions before 16.9.6, 16.10.4, and 16.11.1 are vulnerable to two high-severity attacks, and a path traversal flaw (CVE-2024-2434, CVSS: 8.5) allows unauthenticated attackers to potentially read restricted files and crash the application (DoS).
A separate vulnerability (CVE-2024-2829, CVSS: 7.5) exists in project file search, where a specially crafted wildcard filter can trigger a denial-of-service attack. Upgrading to the latest GitLab version is essential to address these issues.
Versions before 16.9.6 and some later versions contain two vulnerabilities. The first (CVE-2024-4006) is that GraphQL subscriptions didn’t properly enforce Personal Access Token scopes, potentially allowing users to access unauthorized data.
In the second (CVE-2024-1347), a specially crafted email address could bypass domain-based restrictions on groups or instances, which have now been patched in the latest GitLab releases.
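A version triage check for the high-severity fixes above, written here as an added example (not GitLab's own code): it encodes the three fixed releases from the advisory and answers whether a given GitLab version string still needs the upgrade. It assumes only the branch semantics stated in the advisory (each listed branch is fixed from that patch level; anything older than 16.9.6 is vulnerable; anything newer than 16.11.1 shipped with the fix).

```c
#include <stdio.h>

/* Fixed releases from the advisory, one per supported branch. */
typedef struct { int major, minor, patch; } gl_version;
static const gl_version FIXED[] = { {16, 9, 6}, {16, 10, 4}, {16, 11, 1} };
#define N_FIXED (sizeof FIXED / sizeof FIXED[0])

/* Parse "16.10.3" (a suffix such as "-ee" is ignored); returns 0 on malformed input. */
static int parse_version(const char *s, gl_version *v) {
    if (sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) != 3) return 0;
    return v->major >= 0 && v->minor >= 0 && v->patch >= 0;
}

static int cmp_version(const gl_version *a, const gl_version *b) {
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    return a->patch - b->patch;
}

/* 1 = still vulnerable (upgrade now), 0 = carries the fix, -1 = unparseable.
 * A version on a patched branch (16.9, 16.10, 16.11) is fixed from the listed
 * patch level; anything older than 16.9.6 is vulnerable; anything newer than
 * 16.11.1 was released with the fix already in place. */
static int needs_patch(const char *version) {
    gl_version v;
    if (!parse_version(version, &v)) return -1;
    for (size_t i = 0; i < N_FIXED; i++)
        if (v.major == FIXED[i].major && v.minor == FIXED[i].minor)
            return cmp_version(&v, &FIXED[i]) < 0;   /* same branch: compare patch level */
    return cmp_version(&v, &FIXED[0]) < 0;           /* off-branch: older than 16.9.6? */
}

int main(void) {
    /* Constructed sample versions, not taken from any real installation. */
    const char *samples[] = { "16.8.5", "16.9.6", "16.10.3-ee", "16.11.1", "17.0.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               needs_patch(samples[i]) == 1 ? "vulnerable, upgrade" : "fixed");
    return 0;
}
```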
The post GitLab High-severity Flaw Let Attackers Takeover Account – Update Now appeared first on Cyber Security News.
UEFIcanhazbufferoverflow Flaw In Intel Processors Impacts 100s PC And Servers
A new vulnerability has been discovered in Phoenix SecureCore UEFI firmware, which runs on several Intel Core desktop and mobile processors.
This vulnerability has been assigned CVE-2024-0762, and its severity has been given as 7.5 (High).
It was initially identified on the Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen running the latest Lenovo BIOS updates, but Phoenix Technologies later came forward and acknowledged that the same issue exists in multiple versions of its SecureCore firmware.
According to the reports shared with Cyber Security News, this vulnerability affects multiple Intel processor families and multiple generations of Intel Core processors, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake.
These processors are used by a wide range of OEMs (original equipment manufacturers) and ODMs (Original Design Manufacturers).
Further, the same vulnerability also affects several vendors, affecting hundreds of PC products that rely on Phoenix SecureCore UEFI firmware.
This vulnerability allows a local threat actor to elevate their privileges and execute code within the UEFI firmware at runtime.
The vulnerability lies in the UEFI code that handles TPM (Trusted Platform Module) configuration, leading to a buffer overflow and malicious code execution.
The possibility of exploiting this vulnerability depends on the configuration and permission assigned to the TCG2_CONFIGURATION variable, which is different on every platform.
Nevertheless, this vulnerability can be exploited similarly to firmware backdoors, which are widely used by threat actors.
If threat actors could exploit this vulnerability and plant a backdoor on vulnerable devices, it could enable them to evade security measures that run on the operating system and software layers.
Further, manipulating runtime code can also increase the difficulty of detecting these attacks.
The vulnerable module is identified by GUID E6A7A1CE-5881-4B49-80BE-69C91811685C.
It makes two calls to GetVariable with the “TCG2_CONFIGURATION” argument and the same DataSize, without sufficient checks between them.
If a threat actor can manipulate the TCG2_CONFIGURATION variable, they can set it to a value longer than the code expects.
The first call to GetVariable then returns EFI_BUFFER_TOO_SMALL and sets DataSize to the length of the UEFI variable.
The second call, issued with that larger DataSize against the same fixed-size buffer, overflows it, resulting in a stack buffer overflow.
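The double-call pattern described above, reproduced here as an added example (not Phoenix's firmware code) against a host-side stand-in for GetVariable: the unchecked variant is run as a dry run that only reports how far the second call would write past its stack buffer, and the hardened variant re-validates DataSize against the buffer that backs it. The variable store and its tampered length are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the UEFI GetVariable contract: when the caller's buffer is too
 * small, the required size is reported back through *DataSize. */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL 0x8000000000000005ULL
#define EFI_NOT_FOUND        0x800000000000000EULL

/* Constructed NVRAM: one variable, TCG2_CONFIGURATION, whose length can be
 * changed to model a value that was made longer than the firmware expects. */
static uint8_t g_var[512];
static size_t  g_var_len = 16;
static void set_variable_len(size_t n) { if (n <= sizeof g_var) g_var_len = n; }

static EFI_STATUS GetVariable(const char *name, size_t *DataSize, void *Data) {
    if (strcmp(name, "TCG2_CONFIGURATION") != 0) return EFI_NOT_FOUND;
    if (*DataSize < g_var_len) { *DataSize = g_var_len; return EFI_BUFFER_TOO_SMALL; }
    *DataSize = g_var_len;
    memcpy(Data, g_var, g_var_len);
    return EFI_SUCCESS;
}

/* Vulnerable shape, as a dry run: after the first call fails, DataSize holds
 * the variable's length and the original code calls again with the same
 * 16-byte stack buffer. We compute, rather than perform, that second copy and
 * return how many bytes it would write past the end of buf (0 = no overflow). */
static size_t unchecked_second_call_overflow(void) {
    uint8_t buf[16];
    size_t  size = sizeof buf;
    if (GetVariable("TCG2_CONFIGURATION", &size, buf) != EFI_BUFFER_TOO_SMALL)
        return 0;
    /* vulnerable code would now do: GetVariable("TCG2_CONFIGURATION", &size, buf); */
    return size > sizeof buf ? size - sizeof buf : 0;
}

/* Hardened form: DataSize is checked against the backing buffer before any
 * retry, so an over-long variable is rejected instead of copied. */
static EFI_STATUS read_tcg2_config(uint8_t *out, size_t cap, size_t *out_len) {
    size_t size = cap;
    EFI_STATUS st = GetVariable("TCG2_CONFIGURATION", &size, out);
    if (st == EFI_BUFFER_TOO_SMALL && size > cap)
        return EFI_BUFFER_TOO_SMALL;   /* caller must provide a larger buffer */
    if (st == EFI_SUCCESS) *out_len = size;
    return st;
}

int main(void) {
    set_variable_len(200);   /* constructed: variable grown to 200 bytes */
    printf("unchecked second call would overflow by %zu bytes\n", unchecked_second_call_overflow());
    return 0;
}
```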
Users of these firmware versions are advised to apply the vendor-issued updates that patch this vulnerability.
The post UEFIcanhazbufferoverflow Flaw In Intel Processors Impacts 100s PC And Servers appeared first on Cyber Security News.