Security Bits Logo no alpha channel

Security Bits — 30 May 2021

Feedback & Followups

Deep Dive 1 — Facebook’s Next Sneaky Trick – Location Data by the Back Door

Some nice sleuthing by Forbes has exposed yet another way Facebook chooses to get around the spirit of the law while sticking to the letter of it. When you use either the OS setting to deny Facebook GPS location data, or even when you use the Facebook settings to indicate that you don’t want your location tracked, Facebook still infer and store your location based on the EXIF metadata embedded in photos and videos you upload to any of their services.

The EXIF metadata standard provides fields for storing coordinates, and most cameras with built-in GPS receivers will populate these fields in the photos they take. This includes smartphones. This is how apps like Apple Photos can group your photos by place, and display them on a map.

For privacy reasons, all the social networks have been stripping the location fields from the EXIF data on all uploaded images and videos before they’re shared with other users. Because the EXIF data is gone when people see the images, the assumption has always been that Facebook deletes the data — NOPE! Facebook store the stripped data and use it to target ads!

The writers at Forbes suggest two possible defences — you can install share-sheet apps that strip metadata and use those to filter your images before Facebook can get their hands on them, or, they suggest not uploading images or videos to any Facebook apps. I have a third suggestion — delete your account 🙂


Deep Dive 2 — 🧯 That Un-patched Safari Bug

There’s been a lot of breathless reporting about Apple not patching a bug in Safari they were told about three weeks ago, but there’s absolutely no need to panic, we’re in no immediate danger!

A bug does exist, Apple have not yet patched it, but it doesn’t actually pose an imminent danger because it only breaks through one of the layers of defence Apple puts around Safari, not all of them, so it can’t be used to execute arbitrary code, at least not yet.

The biggest danger here is a hypothetical future discovery of another vulnerability that can be combined with this one to and perhaps multiple others to form a so-called exploit chain that does break through all the protections. If that happens, then it becomes important Apple rush a patch out, but until that happens, it’s OK for Apple to take their time and get this out some time relatively soon.

What’s more interesting here than the bug itself is its story. The bug was found in the open source WebKit engineer that powers Safari. The open source community released a patch to WebKit that fixed this bug, and that was how the world learned about it. Apple have not yet taken that fix from the upstream WebKit project and merged it into Safari. This is a great example of one of the potential metaphorical open source roundabouts that slightly counteracts all those metaphorical open source swings. It’s such a common problem it even has a name — the patching gap, and the act of exploiting a bug in the window between it being fixed in an upstream open source project, and another derived product is called patch-gapping in the malware community.


Deep Dive 3 — 🧯 The M1racle M1 unpatchable Vulnerability

Yes, it’s true, there is something that is technically a bug baked into Apple’s new M1 chips, but there’s absolutely nothing to worry about.

There are two bits inside an apparently unused CPU register that have overly broad permissions. This doesn’t provide a way in for malware, nor does it allow malware to read data from other processes or parts of the filesystem it shouldn’t have access to. All it does is allow two pieces of malware already installed on an M1 Mac to share two bits of data behind the OS’s back.

In other words, if you’ve already been hacked twice or more, the malwares can very very slowly chat among themselves without the OS overhearing their conversation.


❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Excellent Explainers

Interesting Insights

Just Because it’s Cool 😎

  • Security researcher Brian Krebs has a very simple suggestion for protecting yourself from Russian-adjacent malware — set your default keyboard to one for a country in Russia’s sphere of influence. Much of this malware uses keyboard settings to avoid friendly fire on targets the Russian government would not take kindly to them exploiting —…

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top