
Privacy Roundup: Week 4 of Year 2025
This is a news item roundup of privacy or privacy-related news items for 19 JAN 2025 - 25 JAN 2025. Information and summaries provided here are as-is for warranty purposes.
Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity - many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
Privacy Tip of the Week
Some traditionally "non-privacy-respecting" services - especially those that try to force account creation - can be used with alternative frontends. These frontends can be beneficial for users wanting to use these services with JavaScript disabled.
Surveillance Tech in the News
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
The Powerful AI Tool That Cops (or Stalkers) Can Use to Geolocate Photos in Seconds
404Media
GeoSpy is an AI tool that can reliably predict the location of photos based on features inside the image itself. This is different from a tool reading metadata inside an image (which can include GPS location and device information); GeoSpy can still accurately predict a photo's location without reading or using any metadata in the image.
Face Scans to Estimate Our Age: Harmful and Creepy AF
EFF
This is predominantly related to the age verification issue, where users must use identity verification (often furnishing documents and selfies) to prove their age. This is dependent on jurisdiction.
Enter "age estimation" technology, designed to capture images of users' faces and then use an algorithm to guess their age. This technology is inaccurate and privacy invasive, and it may be abused to try to infer other things, such as honesty, emotions, and demographics.
Privacy Tools and Services
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.
Privacy Tools
Access Your Bitwarden Vault Without a Password
Bitwarden
Bitwarden adds support for using another device to approve a login to your Bitwarden vault - without typing the master password.
Privacy Services
Introducing Rerank: a fast, easy way for users to customize Brave Search rankings
Brave
Brave introduces "Rerank" to Brave search. Rerank allows users to reorganize results according to their own preferences.
Proton Drive for iOS Adds Burst Photo Support
AlternativeTo
Proton adds support for Burst Photos on iOS.
Vulnerabilities and Malware
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
Vulnerabilities
7-Zip fixes bug that bypasses Windows MoTW security warnings, patch now
Bleeping Computer
This vulnerability is tracked as CVE-2024-38213. If a user downloads a crafted archive carrying the Mark of the Web (MoTW), 7-Zip doesn't extend the MoTW to the extracted files, so Windows does not show its usual security warnings for them. This flaw can be exploited to execute arbitrary code.
This was fixed in a 30 NOV 2024 update to 7-Zip. However, 7-Zip doesn't auto-update, so users should double-check their installed versions and update if needed.
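As an added defender-side check (example code, not from the article or from the 7-Zip project), this PowerShell snippet reports the installed 7-Zip version so it can be compared against the vendor's fixed release, and lists extracted files that carry no Zone.Identifier stream, which is where Windows stores the Mark of the Web. The 7-Zip install path and the extraction folder are assumptions.

```powershell
# Added example: verify 7-Zip version and MoTW propagation after extraction.
# Install path is an assumption; adjust if 7-Zip lives elsewhere.
function Get-SevenZipVersion {
    param([string]$ExePath = "$env:ProgramFiles\7-Zip\7z.exe")
    if (-not (Test-Path -Path $ExePath)) { return $null }
    # Compare this against the fixed version published by 7-Zip.
    return (Get-Item -Path $ExePath).VersionInfo.ProductVersion
}

# Zone.Identifier is an INI-style alternate data stream; ZoneId=3 means "Internet".
function Get-MotwZoneId {
    param([Parameter(Mandatory)][string]$Path)
    $content = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $content) { return $null }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

# Report every file under the extracted folder that has no Zone.Identifier stream,
# i.e. files for which the Mark of the Web was not propagated by the archiver.
function Get-FilesMissingMotw {
    param([Parameter(Mandatory)][string]$ExtractedPath)
    Get-ChildItem -Path $ExtractedPath -File -Recurse | ForEach-Object {
        if ($null -eq (Get-MotwZoneId -Path $_.FullName)) {
            [pscustomobject]@{ Path = $_.FullName; MotwPresent = $false }
        }
    }
}

# Usage (extraction folder is an assumption):
Write-Output "Installed 7-Zip version: $(Get-SevenZipVersion)"
Get-FilesMissingMotw -ExtractedPath "$env:USERPROFILE\Downloads\extracted" | Format-Table -AutoSize
```

If the extracted files come from an archive downloaded with MoTW and the list is non-empty, the installed 7-Zip build is not propagating the mark and should be updated.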
Subaru security vulnerability exposed millions of cars to tracking risks
Fast Company
Due to a vulnerability in Subaru Starlink, an attacker who knew the Subaru owner's last name and ZIP code, email address, phone number, or license plate could remotely start, stop, lock, and/or retrieve the vehicle's location history for at least the past year. The location data is precise and sometimes recorded several times in one day.
Cloudflare Issue Can Leak Chat App Users' Broad Location
404media
Technically, this isn't classified as a vulnerability in Cloudflare's CDN service; instead, it is feature abuse by threat actors.
By sending an image to a target on a messaging service that uses Cloudflare's CDN, a threat actor could learn which part of Cloudflare's infrastructure cached the image. Because CDNs intentionally serve content from servers close to a user's approximate location (this makes content load faster), seeing which data center served the image, and where it is, gives the threat actor a general idea of where the user is located.
Hackers use Windows RID hijacking to create hidden admin account
Bleeping Computer
The Andariel threat group, linked to North Korea's Lazarus APT group, uses Relative Identifier (RID) hijacking to create accounts with administrator privileges. Prior to executing this attack, the threat actor must first have SYSTEM access on the host.
QNAP fixes six Rsync vulnerabilities in NAS backup, recovery app
Bleeping Computer
QNAP fixes numerous CVEs in its latest update for Hybrid Backup Sync, commonly found on NAS devices. When these vulnerabilities are exploited, attackers could gain remote code execution privileges on unpatched devices.
Employees of failed startups are at special risk of stolen personal data through old Google logins
TechCrunch
Former employees of failed startups could have their information accessed by threat actors re-registering the defunct company's domains and abusing Google OAuth features.
Malware
Malicious extensions circumvent Google’s remote code ban
Almost Secure
Even with Google's rollout and enforcement of Manifest V3, which tried to curb extensions' ability to run code downloaded from remote web servers, malicious extensions circumvent this change.
The malicious extensions uncovered in this research appeared to have different goals, ranging from injecting ads into web pages to spying on users' browsing. Most of these extensions abuse the permission to access all visited websites and download their configuration from a web server.
Mass Campaign of Murdoc Botnet Mirai: A New Variant of Corona Mirai
Qualys
Murdoc botnet is another Mirai variant. This botnet has been targeting vulnerable Huawei Routers and AVTECH cameras, using existing exploits such as CVE-2024-7029 (unauthenticated remote command injection) and CVE-2017-17215 (arbitrary command execution in some Huawei Router models) to download and execute shell scripts.
Hundreds of fake Reddit sites push Lumma Stealer malware
Bleeping Computer
Threat actors are using fake pages mimicking Reddit discussion threads and the WeTransfer file sharing service to drop Lumma Stealer malware onto user devices. On the fake Reddit page, a user asks a question, another user comments a "solution" with a WeTransfer link, and a third user thanks the second for posting the link. The link leads to a fake WeTransfer page, from which Lumma Stealer is downloaded to the system.
Telegram captcha tricks you into running malicious PowerShell scripts
Bleeping Computer
Piggybacking off of Ross Ulbricht's recent pardon, threat actors are using this event as a lure to trick people into joining malicious Telegram channels. On Telegram, users are requested to undergo an identity verification request, which is fake. A mini app in the malicious Telegram channel automatically copies a PowerShell command to the device's clipboard and prompts the user to run it.
The PowerShell script is naturally malicious, downloading various files. Among these files is a suspected Cobalt Strike loader, which often precedes data theft and extortion attacks.
Fake Homebrew Google ads target Mac users with malware
Bleeping Computer
A malvertisement campaign abusing the Google Ads ecosystem directs users to fake Homebrew sites. Unsuspecting users are prompted to paste a command in the terminal to install Homebrew; however, this command will fetch and execute malware on the host. The malware in question is Amos, an information stealer that steals credentials, browser data, and crypto wallets.
Phishing and Scams
Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap some with malware, but focuses more on the phishing tactics than details on a malware delivery/campaign information.
Phishing
Phishing Risks Rise as Zendesk Subdomains Facilitate Attacks
Infosecurity Magazine
Zendesk's platform can be exploited to facilitate phishing attacks and investment scams targeting users. Specifically, the free subdomains Zendesk allows free trial users to create can be abused to resemble legitimate companies. Emails from Zendesk also tend to be "trusted," bypassing email filters and landing in user inboxes.
Tycoon 2FA Phishing Kit Upgraded to Bypass Security Measures
Infosecurity Magazine
The Tycoon 2FA phishing-as-a-service kit has evolved: it attempts to steal Microsoft 365 session cookies to bypass 2FA and implements various obfuscation techniques that thwart analysis of its phishing web pages.
Scams
Warning: Don’t sell or buy a second hand iPhone with TikTok already installed
MalwareBytes
Without properly resetting the device, iPhones with TikTok installed likely still retain a wealth of personal information on the device... so, when sold, the new owner could potentially access this information.
Additionally, threat actors may try to leverage this frenzy to sell iPhones with malware or spyware installed on them.
Legislation/Regulations/Lawsuits
Predominantly focused on legal/regulatory privacy practices outlined in US law (ex: FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.
Lawsuits
PayPal to pay $2 million settlement over 2022 data breach
Bleeping Computer
This is a settlement. In December 2022, PayPal was the target of a large-scale credential stuffing attack. Approximately 35,000 accounts were breached, exposing sensitive information.
The New York Department of Financial Services alleged that PayPal's security defenses weren't adequate, citing shortcomings such as failing to mask sensitive data on IRS forms and a lack of rate limiting for failed account logins.
New York DFS reached a settlement with PayPal, with the company ordered to pay $2 million.
Legislation and Regulation
VICTORY! Federal Court (Finally) Rules Backdoor Searches of 702 Data Unconstitutional
EFF
A federal district court ruled that backdoor searches of databases containing details of Americans' private communications collected under Section 702 require a warrant.
Data Breaches and Leaks
Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.
Will not cover every data breach, naturally, due to frequency and scale.
Data breaches
What PowerSchool isn’t saying about its ‘massive’ student data breach
TechCrunch
Update to the PowerSchool breach saga. Many school districts are coming forward - after doing their own review - to say pretty much all their data in PowerSchool was accessed by the threat actors. Supposedly, PowerSchool "negotiated" with the threat actors, likely paying the ransom; it's unknown whether PowerSchool received any meaningful receipts indicating the stolen data was truly deleted. The threat group responsible for this data breach is still unknown at time of writing.
UnitedHealth confirms 190 million Americans affected by Change Healthcare data breach
TechCrunch
The Change Healthcare data breach - the largest health-related breach in US history - originally occurred in Feb 2024 and resulted in the theft of personal health information (PHI) and health insurance information. While UnitedHealth has been notifying those affected, its updated numbers indicate approximately 190 million US citizens are affected.