Feedback & Followups
- Another interesting twist in the NSO Group Saga: Spyware maker NSO Group confirms acquisition by US investors — techcrunch.com/… (via Allison)
❗ Action Alerts
- Apple have already patched all their OS 26s, mostly to fix bugs, but they also patched one critical vulnerability in their font parser — tidbits.com/…
- The font parser bug affected older OSes too, so Apple have back-ported the fix to their older OSes — isc.sans.edu/… (iOS/iPadOS 18, visionOS 2, and macOS 14 Sonoma & 15 Sequoia)
- ⚠️ WD MyCloud NAS Owners: Critical WD My Cloud bug allows remote command injection — www.bleepingcomputer.com/… (Supported models patched, but two older models are now unpatchable: My Cloud DL4100 & My Cloud DL2100!)
Worthy Warnings
- ⚠️ Discord Users: There has definitely been some kind of serious data breach affecting Discord users. At least 70,000 users have had their government-issued IDs stolen, and the hackers claim they have data on 5.5M users — www.bleepingcomputer.com/…
- It seems certain that Discord’s Zendesk support portal was breached, so anyone who ever contacted Discord support is probably affected
- The attackers claim there was a management app connected to Zendesk called ZenBar that let them perform admin actions against all Discord users, including stealing account data and altering MFA settings, but Discord are currently denying that.
- Discord have not been open and transparent about this breach, so it’s reasonable to assume they are not telling us everything, at least not yet.
- ⚠️ Gamers: Steam and Microsoft warn of Unity flaw exposing gamers to attacks — www.bleepingcomputer.com/…
- The Unity engine is used by many major games, and they’re all going to need to be patched
- Microsoft’s recommendation is to uninstall games until they are patched!
- A timely reminder of the importance of not reusing passwords: DraftKings warns of account breaches in credential stuffing attacks — www.bleepingcomputer.com/… (Credential stuffing is trying username/password pairs leaked from one site on other sites)
- A reminder that cheap uncertified knock-offs are genuinely dangerous: X-ray scans reveal the hidden risks of cheap batteries — www.theverge.com/…
Notable News
- The many sides of AI on display again:
- Two timely reminders that the cutting edge of AI tech is still a very dangerous place:
A critical vulnerability in Perplexity’s Comet browser allows attackers to silently exfiltrate emails, calendar data, and other sensitive user information using a single malicious URL.
ASCII smuggling is an attack where special characters from the Tags Unicode block are used to introduce payloads that are invisible to users but can still be detected and processed by large-language models (LLMs). It’s similar to other attacks that researchers presented recently against Google Gemini, which all exploit a gap between what users see and what machines read … Regarding Gemini, its integration with Google Workspace poses a high risk, as attackers could use ASCII smuggling to embed hidden text in Calendar invites or emails … the researcher states that “for users with LLMs connected to their inboxes, a simple email with hidden commands can instruct the LLM to search the inbox for sensitive items or send contact details, turning a standard phishing attempt into an autonomous data extraction tool. … Claude, ChatGPT, and Microsoft CoPilot proved secure against ASCII smuggling, implementing some form of input sanitization
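The quoted research describes the mechanism but not the fix. The following is an added example, not code from the article or from any of the vendors named above: a defender-side check that strips Unicode Tags block characters (U+E0000 to U+E007F) from text before it reaches an LLM and records what the invisible characters spelled out, so an inbox-connected assistant only ever sees what the human saw. The sample calendar invite, the `inspectForTagSmuggling` and `safeForLLM` function names and the sanitisation policy are all assumptions made for this example.

```javascript
// Added example (not from the article quoted above): a defender-side check for
// "ASCII smuggling". Characters in the Unicode Tags block (U+E0000..U+E007F)
// are invisible in most UIs, but each U+E00xx mirrors the ASCII character xx,
// so an LLM reading the raw text still "sees" them. Before a message, calendar
// invite or email body reaches an LLM, strip the block and log what was hidden.

const TAGS_BLOCK_START = 0xE0000;
const TAGS_BLOCK_END = 0xE007F;

function isTagCodePoint(cp) {
  return cp >= TAGS_BLOCK_START && cp <= TAGS_BLOCK_END;
}

// Returns the visible text with all Tag characters removed, plus what the
// hidden characters spell out so it can be written to a security log.
function inspectForTagSmuggling(text) {
  let clean = '';
  const hidden = [];
  for (const ch of text) { // string iteration yields whole code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    if (!isTagCodePoint(cp)) {
      clean += ch;
      continue;
    }
    const ascii = cp - TAGS_BLOCK_START;
    // Printable ASCII mirrors (0x20..0x7E) are decoded; the block's control
    // entries (U+E0001 LANGUAGE TAG, U+E007F CANCEL TAG) are shown as '?'.
    hidden.push(ascii >= 0x20 && ascii <= 0x7E ? String.fromCharCode(ascii) : '?');
  }
  return { clean, hiddenCount: hidden.length, hiddenText: hidden.join('') };
}

// Gate: only let text through to the model if nothing was hidden in it.
function safeForLLM(text) {
  return inspectForTagSmuggling(text).hiddenCount === 0;
}

// Constructed sample (hypothetical): a calendar invite with the word "hidden"
// smuggled in as U+E0068 U+E0069 U+E0064 U+E0064 U+E0065 U+E006E (h i d d e n).
const SAMPLE_INVITE =
  'Team sync at 10:00 ' +
  String.fromCodePoint(0xE0068, 0xE0069, 0xE0064, 0xE0064, 0xE0065, 0xE006E) +
  ' in room 4';

const report = inspectForTagSmuggling(SAMPLE_INVITE);
console.log(`visible text: "${report.clean}"`);
console.log(`hidden characters: ${report.hiddenCount}, decoded: "${report.hiddenText}"`);
console.log(`safe to forward to an LLM: ${safeForLLM(SAMPLE_INVITE)}`);
```

The design choice worth noting is that the check removes the whole block rather than only the printable mirrors: a CANCEL TAG or LANGUAGE TAG has no business in an email body either, and a model-facing sanitiser should fail closed on anything from the block.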
- A reminder that AI helps the defenders too: Google Drive for desktop gets AI-powered ransomware detection — www.bleepingcomputer.com/…
- A reminder that the industry is evolving to secure AI: Google’s new AI bug bounty program pays up to $30,000 for flaws — www.bleepingcomputer.com/…
- Apple now offers $2 million for zero-click RCE vulnerabilities — www.bleepingcomputer.com/…
Apple is announcing a major expansion and redesign of its bug bounty program, doubling maximum payouts, adding new research categories, and introducing a more transparent reward structure.
- 🇺🇸 Apple and Google reluctantly comply with Texas age verification law — arstechnica.com/… & Apple Warns of Privacy Risks as Texas Age Verification Law Takes Effect — cyberinsider.com/…
- The fundamental problem with this law is that it applies to all apps, not just apps with adult content, making it impossible to install any app without having the documentation to prove your age, and entrusting app stores with that very sensitive information. This is a critical difference to the also controversial UK law that came into force a few months ago, which only applies to apps presenting adult content.
- How Apple is complying: Apple sets new Rules for Texas under State’s Age Verification Law — www.macobserver.com/…
If you create a new Apple account in Texas next year, you’ll have to confirm whether you’re 18 or older. Anyone under 18 must join a Family Sharing group, and parents will need to approve every app download, purchase, and in-app transaction.
- 🇺🇸 FTC Sues Anonymous Messaging App Sendit For Collecting Children Data — cyberinsider.com/…
- Based on this suit it sounds like Sendit is the kind of app parents should banish from their children’s phones ASAP
- 🇪🇺 There’s an important EU vote coming up on a controversial proposed law that would force chat clients to implement client-side scanning similar to the proposals Apple was forced to abandon a few years ago – the Netherlands will be voting against the proposal — cyberinsider.com/…
- Editorial by Bart: to my fellow EU citizens, please reach out to your relevant ministers and ask them to follow the Dutch lead and also vote this thing down!
- Some nice new security enhancements:
Recipients who are not using Gmail receive an email notification with a secure link to access the encrypted message. This link opens a restricted, web-based version of Gmail where they can read and respond securely using a temporary guest Workspace account.
- Note that this is only for emails sent from Google Workspace (enterprise) accounts
- Microsoft Outlook stops displaying inline SVG images used in attacks — www.bleepingcomputer.com/… (Attackers recently started abusing the rarely used JavaScript features supported in the SVG spec to sneak malicious code into emails)
- Signal Adds Post-Quantum “Triple Ratchet” Protocol for Stronger Security — cyberinsider.com/…
- Firefox to Roll Out Streamlined Profile Management with Data Isolation — cyberinsider.com/… (Profiles have existed in Firefox for decades, but they were extremely difficult to use, requiring custom key combinations or obscure terminal commands, so this really is a meaningful improvement)
- In 2018, California passed the California Consumer Privacy Act (CCPA), which required web services to allow users to opt out of tracking cookies. This is great, but every single web service has a different method, and it’s tedious to do it on every single site. On October 8th, the California governor signed into law AB 566, which requires web browsers to allow users to opt out of all third-party tracking with a single setting. Two additional bills were also signed into law: SB 361, which gives consumers more information about what information is collected by data brokers, and AB 656, which requires social media companies to make cancelling an account straightforward and clear and to fully delete personal data.
- Editorial by Allison: Yay!
- California just passed three bills to boost internet privacy
Top Tips
- 🎧 From Allison: 🇺🇸 Random But Memorable: How to protect yourself from digital identity theft with Eva Velasquez — randombutmemorable.simplecast.com/…
- 1Password has an excellent podcast called Random But Memorable. Episode 15.6 included an interview with Eva Velasquez, CEO of the Identity Theft Resource Center. This is a non-profit organization people can turn to if their identity has been stolen, and they’ll be assigned a case manager to help them navigate untangling the situation. People can also call just to ask questions before something bad happens. The interview is very interesting, and knowing this resource is out there is important.
- The Identity Theft Resource Center — www.idtheftcenter.org/…
Excellent Explainers
- An excellent overview of the current state of the built-in protections on macOS and where AV products can still play a potentially useful role: Can Macs Really Get Viruses in 2025? What Every Mac User Needs to Know — www.intego.com/… (given the source, this could easily have just been an ad, but it’s surprisingly dispassionate and avoids scaremongering)
- 🎧 An excellent discussion of how NodeJS users can stay safe as attackers poison the NPM package ecosystem: The Changelog: Software Development, Open Source: npm under siege, and what to do about it — overcast.fm/…
- Bart’s long-standing advice to avoid automatically updating all packages all the time by committing `package-lock.json` to Git and always using `npm ci` rather than `npm install` to initialise fresh Git clones is backed up by the expert guest.
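The reason `npm ci` is the safer command is that it refuses to run when `package-lock.json` has drifted from `package.json`, whereas `npm install` quietly resolves the difference and rewrites the lockfile. The following is an added example, not code from npm or from the podcast: a simplified approximation of that sync check, run over constructed fixtures. It assumes the lockfileVersion 3 layout (a `packages[""]` entry holding the root manifest’s dependency specs and `node_modules/<name>` entries holding the resolved version and integrity hash); the `lockfileProblems` function, the `example-logger` package and the placeholder hash are all inventions for this example, and the check is deliberately stricter and simpler than npm’s own.

```javascript
// Added example (not npm's own code, not from the podcast): a simplified
// approximation of the "is package-lock.json in sync with package.json?"
// check that makes `npm ci` refuse to install, so a fresh clone can only get
// exactly the versions that were committed. Assumes lockfileVersion 3 layout:
// packages[""] records the root manifest's dependency specs, and
// "node_modules/<name>" entries record the resolved version and integrity hash.

function lockfileProblems(manifest, lockfile) {
  const problems = [];
  const packages = lockfile.packages || {};
  const root = packages[''] || {};
  const wanted = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const locked = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };

  for (const [name, spec] of Object.entries(wanted)) {
    if (!(name in locked)) {
      problems.push(`${name}: in package.json but not recorded in the lockfile root`);
      continue;
    }
    if (locked[name] !== spec) {
      problems.push(`${name}: package.json wants ${spec} but the lockfile was generated for ${locked[name]}`);
    }
    const entry = packages[`node_modules/${name}`];
    if (!entry || !entry.version) {
      problems.push(`${name}: no resolved version in the lockfile`);
    } else if (!entry.integrity) {
      // Without a hash, a tarball swapped on the registry would install unnoticed.
      problems.push(`${name}: resolved entry has no integrity hash`);
    }
  }
  for (const name of Object.keys(locked)) {
    if (!(name in wanted)) problems.push(`${name}: in the lockfile root but no longer in package.json`);
  }
  return problems;
}

// Constructed fixtures: hypothetical package name, placeholder registry and hash.
const MANIFEST = { name: 'demo-app', version: '1.0.0', dependencies: { 'example-logger': '^1.3.0' } };
const LOCKFILE = {
  name: 'demo-app',
  version: '1.0.0',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { 'example-logger': '^1.3.0' } },
    'node_modules/example-logger': {
      version: '1.3.2',
      resolved: 'https://registry.example.invalid/example-logger/-/example-logger-1.3.2.tgz',
      integrity: 'sha512-PLACEHOLDER-constructed-for-this-example',
    },
  },
};
// Someone bumped the spec in package.json but did not regenerate the lockfile.
const DRIFTED_MANIFEST = { ...MANIFEST, dependencies: { 'example-logger': '^2.0.0' } };

for (const [label, m] of [['committed pair', MANIFEST], ['drifted pair', DRIFTED_MANIFEST]]) {
  const problems = lockfileProblems(m, LOCKFILE);
  console.log(`${label}: ${problems.length === 0 ? 'in sync, npm ci would proceed' : problems.join('; ')}`);
}
```

Run against the drifted pair the check reports exactly the situation `npm ci` protects you from: the committed lockfile no longer describes what `package.json` asks for, and the right response is to regenerate and review the lockfile deliberately rather than let an install silently pick whatever is newest on the registry that day.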
Palate Cleansers
- From Allison: 502 Bad Gateway — brozu on mastodon.uno
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
