Feedback & Followups
- Mozilla says Claude’s Mythos AI helped uncover 271 flaws in Firefox — cyberinsider.com/…
- 🇺🇸 FCC Hands Netgear an Effective Monopoly on Router Sale in the US — appleinsider.com/… (no cybersecurity justification)
- As expected: Microsoft rolls out fast-track to reinstate Windows hardware dev accounts — www.bleepingcomputer.com/… (WireGuard, VeraCrypt, etc.)
- 🇺🇸 A preliminary court ruling has enjoined Apple & Google from obeying government orders to remove ICE blocking apps, but it’s not clear if this will have any real-world effect — appleinsider.com/…
- 🇮🇳 India has backed down from its plan to force cellphone manufacturers to preinstall a government app with significant privacy concerns — appleinsider.com/… (initial announcement a few months ago, pulled back for ‘review’, now killed)
❗ Action Alerts
- Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days — www.bleepingcomputer.com/… & krebsonsecurity.com/…
  - Don’t forget to patch Office, very important for Word & Excel this time!
- Bug Fix Updates for iOS 26.4.2 iPadOS 26.4.2 Are Out Now — appleinsider.com/… (including security fixes)
- New ‘Pack2TheRoot’ flaw gives hackers root Linux access — www.bleepingcomputer.com/… (Affects Ubuntu & Fedora among others)
- Be sure to patch Firefox: Firefox flaw enables cross-site tracking, undermines Tor Browser defenses — cyberinsider.com/… (patched)
Worthy Warnings
- A timely reminder to responsibly recycle obsolete routers: New Mirai campaign exploits RCE flaw in EoL D-Link routers — www.bleepingcomputer.com/…
- ⚠️ Apple Users: Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com/…
  - “To conduct the attack, the threat actor creates an Apple ID and inserts the phishing message into the account’s personal information fields, splitting the text across the first and last name fields.”
  - This means the emails will be weirdly formatted!
  - Apple should limit the length of these fields to stop entire phishing messages from fitting into them.
- ⚠️ AppStore Users: timely reminders that none of the app stores are free from abuse:
- Something to consider before using X’s new messaging app: XChat launches standalone iOS app as security concerns remain — cyberinsider.com/…
- ⚠️ Hallmark, McGraw Hill, & Amtrak Users: three corporations have suffered data breaches that contain physical addresses and have not been transparent with their users, but the data sets have been uploaded to Have-I-Been-Pwned:
  - Hallmark data breach exposed information of 1.7 million accounts — cyberinsider.com/…
    - Breach details — Have-I-Been-Pwned
  - Data breach at edtech giant McGraw Hill affects 13.5 million accounts — www.bleepingcomputer.com/…
    - Breach details — haveibeenpwned.com/…
  - Amtrak data breach exposed information of 2.1 million accounts — cyberinsider.com/…
    - Breach details — haveibeenpwned.com/…
  - The biggest risk is targeted phishing, made extra potent because the leaked physical addresses match the digital details
- ⚠️ Notion Users with Public Pages: Notion pages have leaked user data via an unauthenticated API since 2022 — cyberinsider.com/… (related to just one feature that I’m not sure is used by many NosillaCastaways?) Allison and Jill both use this!
- ⚠️ Obsidian Users: don’t open vaults shared by people you don’t know you can trust – Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks — thehackernews.com/… (social engineering, not a vulnerability)
- ⚠️ Carnival Cruise Customers: unconfirmed reports of a data breach that could be especially dangerous for customers with upcoming cruises booked — cyberinsider.com/…
- ⚠️ Fiverr Users: Fiverr exposes sensitive data via public URLs indexed by Google — cyberinsider.com/… (no response from the company 🙁)
- Bitwarden CLI Users: Bitwarden CLI backdoored in Checkmarx supply chain attack — cyberinsider.com/… (only relevant if you installed the optional extra CLI app)
  - No patch yet, so stop using the CLI for now!
Notable News
- 🇪🇺 The EU have started public testing of the privacy-preserving age verification service
  - Conceptually sound, based on solid cryptographic concepts that ensure the site gets a verifiable assertion that the user is over the required age, but no other information about them
  - The technical implementation is off to a rough start — lots more work to be done!
  - This was a beta release designed to open the app to testing before a real release, so this is the process working as it should, but, perhaps foolishly, EU President Ursula von der Leyen overhyped the release in a big press briefing!
- 🧯 Hackers Trick Apple AirTags Into Showing Completely Fake Locations — www.macobserver.com/…
  - Does not impact the AirTag’s only supported use case — lost item finding!
  - Requires physical proximity to the tag for a long time — it simply relays the tag’s rotating Bluetooth beacons to a remote device so they can be rebroadcast there and then registered by other passing iPhones at that wrong location
  - Interesting research, but appears to have no practical use — a thief who would be motivated to do this would need to know the tag was there, and decide this was a better solution to the item they stole having a tracker than simply taking the battery out of the tracker!
- 🇬🇧 UK probes Telegram, teen chat sites over CSAM sharing concerns — www.bleepingcomputer.com/… (by independent communications regulator Ofcom)
- Tor VPN for Android security audit confirms robust design — cyberinsider.com/…
- Some nice upcoming cybersecurity enhancements:
  - Microsoft adds Windows protections for malicious Remote Desktop files — www.bleepingcomputer.com/… (interrupts automatic sharing of local folders to remote computers with a confirmation dialogue — a very useful feature now commonly abused in scams, so a good response)
  - Windows Update gets new controls to reduce forced restarts — www.bleepingcomputer.com/… (in beta on the Windows Insiders program now)
    - Related: Microsoft rolls out revamped Windows Insider Program — www.bleepingcomputer.com/…
  - An important Google Search update: Introducing a new spam policy for “back button hijacking” — developers.google.com/… (About time!)
  - Google expands Gemini AI use to fight malicious ads on its platform — www.bleepingcomputer.com/…
- An important Google Search update: Introducing a new spam policy for “back button hijacking” — developers.google.com/… (About time!)
- Google expands Gemini AI use to fight malicious ads on its platform — www.bleepingcomputer.com/…
- Apple Plans Stricter Network Security Rules for OS 27 Updates — www.macobserver.com/…
  - Only relevant if you manage Macs with Mobile Device Management (MDM) using a service like Jamf, Apple Business, or Microsoft Intune
  - Apple are simply enforcing recent versions of TLS/SSL. Given how critical MDM security is, this should affect no one, but alas, it will probably break some working (and irresponsibly insecure) setups, likely in smaller organisations.
Top Tips
- Save your iPhone by unlocking with an old passcode — www.cultofmac.com/…
  - By default, you can use your old passcode for 72 hours to recover your account if you forget your new one!
  - There is a corollary to this useful feature reminder — if you need to reset your passcode to lock someone unwanted out of your phone, you must invalidate the old passcode immediately!
Excellent Explainers
Interesting Insights
- Agentic AI that actually make sense to me: Here’s What Agentic AI Can Do With Have I Been Pwned’s APIs — www.troyhunt.com/…
Palate Cleansers
- From Bart:
  - 🎦 NASA Astronomy Picture of the Day for 22 April 2026: Earthset with an iPhone — apod.nasa.gov/…
  - 🖥️ VidBITS: Matt Sephton’s Wall of Tiny Apps — tidbits.com/…
    - A suite of little Tim Verpoorten-style apps from a developer who scratched his own itches for years, and has finally released all his little “does one thing” apps to the Mac/iOS App Stores
    - No one is likely to want all of them, but everyone is likely to find something useful in there! (for me it was the USB device debugger that shows the physical layout of your USB hubs and devices)
- From Allison:
  - Want another chance to tear up over how important it was that we sent humans to the moon? A dramatic reading of a writing called “Copy, Moon Joy” by Anna Lisa: podfeet.slack.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
