{"id":31016,"date":"2024-05-12T12:06:55","date_gmt":"2024-05-12T19:06:55","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=31016"},"modified":"2024-05-12T12:12:23","modified_gmt":"2024-05-12T19:12:23","slug":"sb-2024-05-12","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2024\/05\/sb-2024-05-12\/","title":{"rendered":"Security Bits \u2014 12 May 2024"},"content":{"rendered":"<h1>Feedback &amp; Followups<\/h1>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>\ud83c\uddea\ud83c\uddfa Quick Digital Markets Act update:\n<ul>\n<li>The first 3rd-party iOS app store in the EU has gone live \u2013 AltStore PAL by Riley Testut \u2014 <a href=\"http:\/\/rileytestut.com\/blog\/2024\/04\/17\/introducing-altstore-pal\/\">rileytestut.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/ipados\/eu-deems-ipados-a-gatekeeper-despite-not-meeting-user-threshold\/\">EU Labels iPadOS as a Gatekeeper and Orders to Comply With DMA Within Six Months \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>Proving Apple&#8217;s point that DMA compliance is going to have tradeoffs and that every new API is a new opportunity for problems, a security researcher has found a way to abuse the initial beta version of Apple&#8217;s API for delivering apps directly from websites to track users across sites \u2014 <a href=\"https:\/\/www.mysk.blog\/2024\/04\/28\/safari-tracking\/\">www.mysk.blog\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.cultofmac.com\/855180\/apple-exempts-freeware-from-controversial-core-technology-fee\/\">Apple exempts freeware from controversial Core Technology Fee \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>TikTok Discussion Followup:\n<ul>\n<li>\ud83c\udde8\ud83c\uddf3 In a move that seems unlikely to be coincidental, China has ordered Apple to remove WhatsApp 
&amp; Threads from their app stores in the country \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/apple-forced-to-pull-whatsapp-and-threads-from-china-app-store\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>An excellent analysis piece: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/is-tiktok-safe-or-not-why-u-s-eu-and-app-store-bans-could-be-imminent\/\">Is TikTok safe, or not? Why U.S., EU, and App Store bans could be imminent \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li>\ud83c\udfa7 <strong>Related fun Podcast Episode Recommendation:<\/strong> <a href=\"https:\/\/overcast.fm\/+MLcaysoiY\">Twenty Thousand Hertz: TikTok\u2019s Boom-Bling \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Attackers are continuing to target developers: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/millions-of-docker-repos-found-pushing-malware-phishing-sites\/\">Millions of Docker repos found pushing malware, phishing sites \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>Passkeys are continuing to roll out:\n<ul>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/05\/google-announces-passkeys-adopted-by.html\">Google Announces Passkeys Adopted by Over 400 Million Accounts \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-rolls-out-passkey-auth-for-personal-microsoft-accounts\/\">Microsoft rolls out passkey auth for personal Microsoft accounts \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Deep Dive \u2014 Two VPN Problems, one Minor, one Major<\/h1>\n<p>Two unrelated VPN stories have broken recently, leading to a real danger of confusion \u2014 one is a minor short-term problem affecting only Android that\u2019s easy for Google to fix, and the other is a fundamental problem that changes how we need to think about the problems VPNs can and can\u2019t solve.<\/p>\n<h2>The Android-only DNS Leak (Minor Problem with Easy 
Fix)<\/h2>\n<p>Let\u2019s start with the easy one.<\/p>\n<p>Until Google fix one of Android\u2019s two DNS APIs, that API ignores the system-wide setting to route all traffic through the VPN connection, allowing some DNS queries from some VPN clients to briefly bypass the VPN and go directly to the internet.<\/p>\n<p>Since DNS is an old pre-encryption protocol, DNS queries leak information about what domains you\u2019re interacting with to any adversaries-in-the-middle, be they attackers or ISPs. For domains that don\u2019t implement digital signatures on their records, i.e. domains without DNSSEC enabled (still the case for most non-government domains \ud83d\ude41), an AiTM could also manipulate the leaked DNS responses, tricking your VPN client into connecting to a malicious server. Assuming your VPN client actually checks the validity of the TLS cert sent by the server, that kind of attack would fail though.<\/p>\n<p>In reality, the risk is small, and the fix for Google is trivial: add one <code>if<\/code> statement to one C function. Even before Google fix Android itself, VPN developers can fix their own apps by using the DNS API call that\u2019s working just fine rather than the one missing the check.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/android-bug-leaks-dns-queries-even-when-vpn-kill-switch-is-enabled\/\">Android bug leaks DNS queries even when VPN kill switch is enabled \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2><em>TunnelVision<\/em> \u2014 Why No VPN Can Keep You Safe on an Untrusted Network<\/h2>\n<p>Now, let\u2019s dig into the big news \u2014 many of us have been using VPNs to solve a problem they cannot solve, never could, and never should have been marketed as solving.<\/p>\n<p><em>TL;DR: VPNs enable you to safely connect <strong>through<\/strong> untrusted networks, not <strong>from<\/strong> untrusted networks.<\/em><\/p>\n<p>I have been guilty of saying that <em>one of the many problems VPNs can solve is safely connecting to the internet from an untrusted network<\/em>, but I was wrong. In my defence, many consumer VPNs are marketed in that way, and with the benefit of hindsight, it should always have been obvious that was not true.<\/p>\n<p>The three most common use cases in VPN marketing aimed at consumers are:<\/p>\n<ol>\n<li>Securely connecting to the internet from untrusted networks like public WiFi, coffee shops, and hotels (WiFi or Ethernet!) 
\u2014 <strong>was never true, will never be true<\/strong><\/li>\n<li>Connecting to the internet without your ISP spying on you \u2014 <strong>has always been true, still is<\/strong><\/li>\n<li>Accessing geo-restricted sites and services from anywhere \u2014 <strong>not security related but still true<\/strong><\/li>\n<\/ol>\n<p>One of the biggest of those promises has always been false and always will be, though workarounds are possible, even if they might amount to a new game of cat-and-mouse.<\/p>\n<p>Note that the typical corporate use cases are also partially affected:<\/p>\n<ol>\n<li>Securely connect to the corporate network from anywhere \u2014 <strong>was only ever partly true, remains partly true<\/strong> \u2014 the remote network needs to be trusted, so home networks are fine, but public WiFi, coffee shops, hotels, etc. are not<\/li>\n<li>Securely connect multiple corporate locations into a single apparent LAN \u2014 <strong>has always been true, remains true<\/strong><\/li>\n<li>Securely project the corporate LAN into the cloud \u2014 <strong>has always been true, remains true<\/strong><\/li>\n<\/ol>\n<p>Before I go on to explain why we need to rethink the problems VPNs solve, it\u2019s important to note that there is a simple workaround for the public network problem \u2014 <strong>use your VPN over a cellular network connection<\/strong> rather than an untrusted WiFi\/ethernet connection!<\/p>\n<p>One final point before we dive into the currently known attack vector, and the possible workarounds \u2014 <strong>the currently known attack is just one of an infinity of possible attacks<\/strong>, because the fundamental problem is that conceptually, VPN technology does not, and cannot, control the low-level setup of a computer\u2019s connections to local networks. 
VPNs sit on top of the TCP\/IP protocol, so everything lower down the network stack \u2014 including the Ethernet protocol (MAC addresses etc.), DHCP, and even IP routing \u2014 is out of their control!<\/p>\n<p>This <strong>current attack abuses an important DHCP feature to configure user devices to route some traffic around the VPN<\/strong> and through a malicious device before continuing, unencrypted, to its destination.<\/p>\n<p>Because this attack doesn\u2019t even attempt to break the VPN encryption, <strong>no certificate warnings will be generated to alert the user of the problem<\/strong>. Also, to succeed, <strong>the attack must be fine-grained, routing only traffic to specific IP addresses around the VPN<\/strong>.<\/p>\n<p>To understand the attack you need to know the following:<\/p>\n<ol>\n<li>Every computer connected to a network over the IP protocol must have a local routing table that the OS uses to route packets appropriately.<\/li>\n<li>The IP protocol uses a <em>most specific match<\/em> rule to determine which routing table entry to apply to a given packet<\/li>\n<li>The reason regular users never need to enter IP settings into our devices is the ubiquitous use of the Dynamic Host Configuration Protocol (DHCP) \u2014 we in effect trust the network we\u2019re connecting to to tell our devices how to configure themselves on the network<\/li>\n<li>DHCP is another one of those old pre-encryption protocols, so anyone on a LAN can answer DHCP queries, and the first reply wins \u2014 if an attacker is faster than the legitimate router, their settings will get applied!<\/li>\n<li>As well as telling devices what IP address they should use, DHCP can also send routing table entries to clients when they ask for their network settings.<\/li>\n<li>Internally, within a device, a VPN connection is a virtual network device, a kind of pretend Ethernet port, so traffic is sent through the VPN connection using the IP routing table<\/li>\n<li>It is completely legitimate for devices to be configured to send some, but not all, traffic through a VPN connection (within VPN apps this feature is often labeled as a <em>split tunnel<\/em>)<\/li>\n<\/ol>\n<p>With all that out of the way, how does the <em>TunnelVision<\/em> attack work?<\/p>\n<p>A malicious actor joins a public network and enables their device to do two things:<\/p>\n<ol>\n<li>Act as a DHCP server<\/li>\n<li>Act as a router<\/li>\n<\/ol>\n<p>Before launching the attack the attacker sends out a DHCP query for their own device to learn the network\u2019s legitimate settings.<\/p>\n<p>When a victim broadcasts a DHCP request, the attacker answers very quickly with a malicious reply that has the legitimate network settings, plus a number of malicious routing table entries with very specific rules to send traffic to specific IP addresses through the attacker&#8217;s device instead of the VPN\u2019s virtual network device. If the attacker beats the legitimate DHCP server in getting their reply out, the attack succeeds; if not, it fails!<\/p>\n<p>Key points:<\/p>\n<ol>\n<li>Because the attack depends on a race, it can never be 100% successful<\/li>\n<li>Because the attack relies on having a routing table entry that is more specific than the entry to route the desired traffic through the VPN, it can only ever be used for very targeted attacks<\/li>\n<li>The attack does not break any encryption, be that VPN encryption, or application-layer encryption like HTTPS, SSH, etc.<\/li>\n<li>The attack depends on the victim device supporting the DHCP option for adding routes<\/li>\n<\/ol>\n<p>By pure accident, <strong>Android is immune to this specific attack<\/strong>, because it does not support the DHCP option for setting routes. This has the side effect of causing no end of problems on corporate networks, but it\u2019s convenient for home users \ud83d\ude42<\/p>\n<p>So, possible mitigations? 
Again, these cannot change the fundamental reality that VPN protocols can\u2019t control the LAN configuration, but this specific attack, which is the only one we know of at the moment, can be mitigated in at least the following ways:<\/p>\n<ol>\n<li>At the OS level, the DHCP option for routing table entries could be disabled. This is fine for home users, but will break many corporate networks because that feature exists for good reason!<\/li>\n<li>VPN apps could augment their use of VPN protocols with the use of virtualisation features available in many modern OSes to effectively convert the entire host OS from the VPN\u2019s endpoint to just another untrusted network it securely tunnels through<\/li>\n<li>The routing table is visible to all processes on a computer, so VPN apps could provide a visualisation of the computer\u2019s routing setup showing which destination IP ranges are going through the VPN, and which are not. This would provide transparency to power users, who might well be happy using the <code>netstat<\/code> terminal command to check the routes themselves, but is unlikely to help regular users.<\/li>\n<\/ol>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-tunnelvision-attack-leaks-vpn-traffic-using-rogue-dhcp-servers\/\">New attack leaks VPN traffic using rogue DHCP servers \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2024\/05\/why-your-vpn-may-not-be-as-secure-as-it-claims\/\">Why Your VPN May Not Be As Secure As It Claims \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>The nerdy detail: <a href=\"https:\/\/thehackernews.com\/2024\/05\/new-tunnelvision-attack-allows.html\">New TunnelVision Attack Allows Hijacking of VPN Traffic via DHCP Manipulation \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>\u2757 Action Alerts<\/h1>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you there is some action you should 
take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-fixes-fifth-chrome-zero-day-vulnerability-exploited-in-attacks-in-2024\/\">Google fixes fifth Chrome zero-day exploited in attacks this year \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Worthy Warnings<\/h1>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-warns-of-fake-verification-schemes-targeting-dating-app-users\/\">FBI warns of fake verification schemes targeting dating app users \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Warning is from US authorities but is <strong>relevant everywhere<\/strong><\/li>\n<li>The scammers pretend to offer safety via a supposed identity verification service that is actually an identity theft portal<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 \ud83c\uddf0\ud83c\uddf5 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/nsa-warns-of-north-korean-hackers-exploiting-weak-dmarc-email-policies\/\">NSA warns of North Korean hackers exploiting weak DMARC email policies \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Warning is from US authorities but is <strong>relevant everywhere<\/strong><\/li>\n<li>Most relevant in a work context, where abuse of poorly configured DMARC settings on legitimate domains can result in very convincing spear-phishing attacks against low-level workers in organisations of interest to NK, or against important people with access to money or resources in any organisation<\/li>\n<\/ul>\n<\/li>\n<li>Dropbox announced that their <em>Dropbox Sign<\/em> service was compromised, and that account details (but not documents) leaked, including lots of PII as well as hashed passwords, 2FA\/MFA tokens, and API keys \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/dropbox-says-hackers-stole-customer-data-auth-secrets-from-esignature-service\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Excellent response from Dropbox\n<ul>\n<li>All affected passwords reset<\/li>\n<li>All affected users will be forced to reregister for 2FA\/MFA<\/li>\n<li>All affected API keys have been limited until the users generate new ones and re-configure their integrations\/apps to use them<\/li>\n<\/ul>\n<\/li>\n<li>For small businesses without full-time IT staff, rotating API keys may prove challenging<\/li>\n<li>An interesting detail in Dropbox&#8217;s notification \u2014 they are explicitly warning users <strong>not to click any links in emails purporting to be from Dropbox about this breach<\/strong>, because legitimate emails actually from Dropbox won&#8217;t ask you to click anything, but rather to go directly to Dropbox yourself in your browser<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/dell-api-abused-to-steal-49-million-customer-records-in-data-breach\/\">Dell API abused to steal 49 million customer records in data breach \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Notable News<\/h1>\n<ul>\n<li>Google has released their 2023 annual report on Play Store security \u2014 <a href=\"https:\/\/security.googleblog.com\/2024\/04\/how-we-fought-bad-apps-and-bad-actors-in-2023.html\">security.googleblog.com\/\u2026<\/a>\n<ul>\n<li><strong>Highlights:<\/strong>\u00a0\n<ul>\n<li>Prevented 2.3M policy-violating apps from being published<\/li>\n<li>Banned 333K bad accounts for violations like confirmed malware and repeated severe policy violations<\/li>\n<li>Almost 200K app submissions were rejected or remediated to ensure proper use of sensitive permissions such as background location or SMS access<\/li>\n<li>Worked with SDK authors to improve the privacy posture of 31 commonly used APIs, improving over 790K apps in the 
process<\/li>\n<\/ul>\n<\/li>\n<li><strong>Related News:<\/strong>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-now-pays-up-to-450-000-for-rce-bugs-in-some-android-apps\/\">Google now pays up to $450,000 for RCE bugs in some Android apps \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddec\ud83c\udde7 The UK has passed a strong law banning the importation and sale of internet-connected devices, including routers, that have inherently insecure design features like default passwords \u2013 if this law is strongly enforced, it is likely to have a significant positive impact on router &amp; IoT security \u2014 <a href=\"https:\/\/thehackernews.com\/2024\/04\/new-uk-law-bans-default-passwords-on.html\">thehackernews.com\/\u2026<\/a>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/technology\/fcc-fines-carriers-200-million-for-illegally-sharing-user-location\/\">FCC fines carriers $200 million for illegally sharing user location \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/betterhelp-to-pay-78-million-to-800-000-in-health-data-sharing-settlement\/\">BetterHelp to pay $7.8 million to 800,000 in health data sharing settlement \u2014 www.bleepingcomputer.com\/\u2026<\/a> (with US Federal Trade Commission)<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 The state of Pennsylvania in the US has passed a bill to criminalise unauthorised tracking with devices like AirTags &amp; Tiles \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/pennsylvania-to-crack-whip-on-airtag-secret-tracking-under-anti-stalking-laws\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>A timely reminder that fake web stores that simply steal your money are still a thing: <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/massive-webshop-fraud-ring-steals-credit-cards-from-850-000-people\/\">Massive webshop fraud ring steals credit cards from 850,000 people \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>A timely reminder of the importance of 2FA\/MFA: \ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa\/\">Change Healthcare hacked using stolen Citrix account with no MFA \u2014 www.bleepingcomputer.com\/\u2026<\/a><br \/>\n> <em>&#8221; \u2026 impacted a wide range of critical services used by healthcare providers across the U.S., including payment processing, prescription writing, and insurance claims, and caused financial damages estimated at\u00a0$872 million \u2026&#8221;<\/em><\/li>\n<li>\ud83e\uddef <a href=\"https:\/\/thehackernews.com\/2024\/05\/new-spectre-style-pathfinder-attack.html\">New Spectre-Style &#8216;Pathfinder&#8217; Attack Targets Intel CPU, Leak Encryption Keys and Data \u2014 thehackernews.com\/\u2026<\/a> (Excellent research, but existing mitigations are completely effective, so no need to panic)<\/li>\n<\/ul>\n<h1>Palate Cleansers<\/h1>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong>\n<ul>\n<li>\ud83c\udfa7 A new mini-series on the excellent <a href=\"https:\/\/www.wondery.com\/shows\/business-wars\/\">Business Wars podcast<\/a> telling the story of what happened when Open AI briefly fired Sam Altman last recently: <a href=\"https:\/\/wondery.com\/shows\/business-wars\/episode\/5296-sam-altman-amp-the-battle-for-openai-misalignment\/\">Business Wars: Sam Altman &amp; the Battle for OpenAI, Part 1: Misalignment \u2014 wondery.com\/\u2026<\/a><\/li>\n<li>Long Read: <a href=\"https:\/\/arstechnica.com\/gadgets\/2024\/04\/first-post-a-history-of-online-public-messaging\/\">First post: A history of 
online public messaging \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Legend<\/h1>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. \ud83c\uddea\ud83c\uddfa Quick Digital Markets Act update: The first 3rd-party iOS app store in the EU has gone live \u2013 AltStore PAL by Riley Testut \u2014 rileytestut.com\/\u2026 EU Labels iPadOS as a Gatekeeper and Orders [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[170,50,569,142,2003,4586],"class_list":["post-31016","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-hack","tag-security","tag-security-bits","tag-vpn","tag-vulnerabilities","tag-vulnerability"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"
embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=31016"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31016\/revisions"}],"predecessor-version":[{"id":31020,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31016\/revisions\/31020"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=31016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=31016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=31016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}