
Security Bits — 29 May 2022

Feedback & Followups

🧯 Deep Dive 1 — Duck Duck Go’s Browser Tracking Kerfuffle

A security researcher has found that the Duck Duck Go web browser makes an explicit exception to one of its advanced privacy protections for Microsoft-owned sites.

The context here is very important because the actual scope of this exception is much much smaller than most people realise:

  • This does not affect the Duck Duck Go search engine
  • This does not affect the Duck Duck Go Browser’s 3rd-Party Cookie Blocking
  • This only affects a Duck Duck Go-only advanced feature that stops known tracker JavaScript files from being loaded by the browser

So what does that mean? The Duck Duck Go browser never even loads most tracking scripts, which speeds up page load times and stops your visit from showing up in the logs of the server hosting the script. For the Microsoft properties, the script is loaded, so the fact that your IP address fetched the script will appear in the server logs, just like it would in every other browser! The script will then run and try to set a 3rd-party cookie, which the Duck Duck Go browser will block, as it does all 3rd-party cookies!

So this is a teeny tiny leak of a piece of data that is actually very poor at tracking people that is also leaked by every other browser. In other words, there’s no real there here from a technical POV.
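To make the two layers concrete, here is a small added model (not Duck Duck Go's code) of a browser with a tracker-script blocklist, a per-host exception to that blocklist, and a separate third-party cookie policy; the domain names and IP are constructed placeholders. It shows that an excepted tracker still lands in the third-party server's log, but its cookie is still thrown away.

```javascript
// Constructed example: two independent privacy layers in a toy browser.
// Hypothetical hosts: "tracker.example" is a blocked tracker,
// "excepted-tracker.example" is a tracker carved out of script blocking.
const TRACKER_SCRIPTS = new Set(["tracker.example", "excepted-tracker.example"]);
const SCRIPT_BLOCK_EXCEPTIONS = new Set(["excepted-tracker.example"]);

function createBrowser() {
  const serverLogs = []; // what each script-hosting server records in its access log
  const cookieJar = [];  // cookies the browser actually keeps

  // Simulate a page on firstParty pulling a script from scriptHost.
  function loadScript(firstParty, scriptHost, clientIp) {
    const isTracker = TRACKER_SCRIPTS.has(scriptHost);
    const isThirdParty = scriptHost !== firstParty;

    // Layer 1: known tracker scripts are never fetched, unless excepted.
    if (isTracker && !SCRIPT_BLOCK_EXCEPTIONS.has(scriptHost)) {
      return { loaded: false, cookieStored: false };
    }

    // The fetch happens, so the server sees the client IP and referer.
    serverLogs.push({ host: scriptHost, ip: clientIp, referer: firstParty });

    // Layer 2: the script tries to set a cookie; third-party cookies are dropped.
    const cookieStored = !isThirdParty;
    if (cookieStored) cookieJar.push({ host: scriptHost, name: "uid" });
    return { loaded: true, cookieStored };
  }

  return { loadScript, serverLogs, cookieJar };
}

// Walk through the three cases discussed above with a constructed client IP.
function runScenario() {
  const browser = createBrowser();
  const ip = "203.0.113.5";
  return {
    blockedTracker: browser.loadScript("news.example", "tracker.example", ip),
    exceptedTracker: browser.loadScript("news.example", "excepted-tracker.example", ip),
    firstPartyScript: browser.loadScript("news.example", "news.example", ip),
    serverLogs: browser.serverLogs,
    cookieJar: browser.cookieJar,
  };
}
```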

But, there is a potential problem from the trust POV — Duck Duck Go were not up-front about this pretty meaningless exception to their very robust privacy protections.

You might wonder why this even happened, and the answer is that it’s required by their contract with Microsoft for their anonymous search partnership. It also appears that this contract is at the root of Duck Duck Go’s lack of up-front disclosure. The contract has a privacy clause that prevents disclosure of all kinds of things, including the existence of the privacy clause, and stuff like the tracking exception.

Now that the news is out, Duck Duck Go are free to ignore that bit of the contract, and their CEO has said that they have been working to re-negotiate that part of the contract for some time and will continue that fight.

This looks a lot worse than it is, but for a company that’s built on trust, this is a lot more damaging than it would be for known-privacy abusers like Meta, Twitter, etc. It also makes Microsoft look pretty bad!

What makes all this so stupid is that the most plausible explanation for this whole mess is that the contract pre-dates Duck Duck Go even starting work on their browser, so this was a small irrelevant clause that didn’t have any effect at all when it was included in the presumably massive document.

Microsoft should have dropped the clause when asked, then none of this would have happened — a frustrating missed opportunity to do the right thing 🙁


🧯 Deep Dive 2 — Security Researchers Find a Way to Run Malware on iOS Devices Even When they’re ‘Off’

TL;DR The headline sounds pretty scary, but at least for now, this is an interesting new area for research rather than a practical way of attacking devices.

Since iOS 15, iPhones have had the ability to do certain things even when they’re “off”. This is what makes it possible for an iPhone to be a reliable car key, a reliable transit ticket, and to be reliably findable on the FindMy network. This is achieved by keeping a small number of low-level chips powered on even when the phone itself is off. Those chips have firmware, and if you can inject malware into that firmware then it can run all the time, even when the phone is “off”.

Researchers have found that this firmware is not as well secured as it could (and should) be, and they have demonstrated an actual attack, but it requires either physical access in a lab, or jailbreaking the phone.

Bruce Schneier sums it up well:

“The research is fascinating, but the attack isn’t really feasible. It requires a jailbroken phone, which is hard to pull off in an adversarial setting.” (…)

Apple now have an opportunity to harden the firmware’s defences in future iPhones, hopefully before someone finds a way of injecting malware via some kind of remote attack (which is very non-trivial!).

Read more:…

❗ Action Alerts

Worthy Warnings

Notable News

  • The privacy-focused Brave browser for iOS has been updated with a new privacy hub —…
  • 🇺🇸 The DOJ has announced that it will stop using the problematic Computer Fraud & Abuse Act (CFAA) against good-faith security researchers —…
    • Editorial by Bart: This is literally the bare minimum they could do, and it does little more than spin an acceptance of last year’s Supreme Court decision greatly limiting the law’s vague and hence overly broad scope as some kind of wonderful initiative by the DOJ. This also doesn’t address the core problem — the CFAA is a terrible law that makes the world less safe and has been abused to ruin lives.
  • 🇬🇧 The Information Commissioner's Office (ICO) have announced the final details of their judgment against ClearView AI — the company must stop including UK citizens in its DB, delete any existing data on UK citizens, and pay a £7.5M fine (a lot less than the previously promised £17M!) —…
  • A good news story from Allison: the EFF are retiring their HTTPS-Everywhere browser plugin because it’s not needed anymore, browsers now have this functionality baked in —… (Editorial by Bart: my annual donation at work changing the world for the better 🙂)

Interesting Insights

  • The Irish Council for Civil Liberties has released a detailed report into how Google and others (but not Facebook or Amazon for some reason 🤨) operate their Real-Time Bidding system for selling ads — they are very critical of the way the system is operated, describing it as ‘a massive privacy breach’ …
    • “Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people’s data billions of times per day”

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
