15-year-old Python bug causing problems
Back in 2007, a researcher submitted a path traversal bug in Python’s tarfile package that lets an attacker overwrite arbitrary files. The bug has remained open since then; the only response was a documentation update warning developers about the risk. The bug does not appear to be exploited in the wild, but it could impact the software supply chain. A security researcher at Trellix, Charles McFarland, rediscovered the bug. With help from GitHub, he determined that 588,840 unique repositories include “import tarfile” in their code, spanning a wide range of industries. McFarland estimates that around 60% of those contain the bug. Trellix released a patch in a forked version of the impacted repository.
LinkedIn Smart Links used for phishing
LinkedIn provides Smart Links for Sales Navigator and Enterprise users, letting them pack up to 15 documents into a single trackable link. These provide analytics about how the documents were viewed and shared. Analysts at Cofense observed threat actors using them in phishing campaigns against Slovakian users. The emails allegedly came from the country’s postal service. Using Smart Links helps these emails get through the usual spam filters and gives the attackers analytics on how users interact with the messages. Clicking through leads to a phishing page that accepts a “payment” and gathers further information on the victim. There is no word from LinkedIn on whether it has begun investigating the practice.
US military buys Augury network monitoring tool
According to documents seen by Motherboard, multiple branches of the US military bought access to the Augury monitoring tool developed by the cybersecurity firm Team Cymru. US Senator Ron Wyden also said a whistleblower contacted his office, alleging that the Navy’s civilian law enforcement agency used the tool without a warrant. Augury claims to cover over 90% of global internet traffic, letting analysts follow a cyber actor’s activity and attribute attacks using petabytes of packet capture data. The Department of Defense Office of the Inspector General said it is investigating the whistleblower report.
Meta tests letting people make policy
In his Platformer newsletter, Casey Newton reports that Meta hired the consultancy Behavioural Insights Team to bring Facebook users into its policy development process, with a test focused on climate speech. This involved finding 250 people broadly representative of Facebook’s user base. Over a two-week period the group received virtual education, including learning about climate issues and platform policies. Meta also provided access to experts and Facebook staff. Facebook offered a variety of possible solutions for problematic climate information, which the group voted on. It’s not clear what specific policy recommendations the group made. BIT said participants reported high levels of satisfaction with the process and outcome. Meta plans to run further experiments with this approach.
Thanks to today’s episode sponsor, 6clicks
Google starts rolling out search result takedown tool
At Google I/O earlier this year, Google announced it would introduce a tool to let users request takedowns of search results about themselves. As part of this, Google began rolling out a new “Results About You” option in the Android Google app in the US and Europe. This provides a page that explains how users can request the removal of search results that contain a phone number, home address, or other personally identifiable information. The tool also shows a dashboard for monitoring submitted removal requests while they are in process.
Windows 11 update adds security features
Microsoft began rolling out Windows 11 version 22H2, its first major update since releasing the OS in October. This includes a new Smart App Control feature, which uses artificial intelligence and a database of security signals to prevent scripting attacks. The update now enables hypervisor-protected code integrity and the vulnerable driver block list by default on new Windows 11 devices. Microsoft Defender SmartScreen will now detect when users enter passwords into known compromised sites.
TikTok shuts down political monetization
Ahead of the US midterm elections, TikTok turned off all advertising and monetization features for politicians and parties on its platform. Over the coming weeks, the platform will ban all campaign fundraising, including prohibiting politicians from directing viewers to websites to make donations. TikTok said it will use a combination of human review and automated systems to remove calls for political donations. Accounts for governments, politicians, and parties will also need to apply for verification. This doesn’t appear to be a temporary shift ahead of the elections, but a new permanent policy for the platform.
Developer sells “I Don’t Care About Cookies”
Croatian developer Daniel Kladnik sold the popular browser extension “I Don’t Care About Cookies”, which helped users avoid nagging cookie pop-ups by automatically accepting the minimal cookies needed for a site to work. He sold it to the antivirus company Avast, which appears to be on the verge of being acquired by Broadcom subsidiary NortonLifeLock. Kladnik had already released the extension’s code as open source, and Dutch developer Guus van der Meer created a fork for those interested.