Cyber Security Headlines: Google Home snooping, 3Commas API leak, Ireland investigating Twitter data sale

Snooping bug found on Google Home speakers

A security researcher discovered a bug in Google Home smart speakers that could allow installation of a backdoor. The researcher found that adding a new user required a device name, certificate, and “cloud ID” from the device’s local API. With this information they could add a new user. Having done so, they created a script to automate local device data exfiltration. The latest Google Home firmware disables this attack approach. The researcher received a $107,500 bug bounty from Google for disclosing the vulnerability.

(Bleeping Computer)

3Commas API database leaked

A leaker on Twitter published over 10,000 API keys belonging to users of the crypto trading service 3Commas. They claim to have obtained roughly 100,000 keys, which will be leaked in the coming days. 3Commas CEO Yuriy Sorokin confirmed the legitimacy of the API keys. The company asked Binance, Kucoin, and other exchanges to revoke all keys. 3Commas previously confirmed that users have lost at least $6 million since October to attackers executing trades through API keys.

(CoinDesk)

Ireland investigating Twitter users’ data for sale

The country’s DPC launched an investigation into “Twitter’s compliance with data-protection law” as it relates to an alleged hack in which threat actors claim to have exfiltrated data on 400 million accounts. The threat actors alleging the attack asked for $200,000 to hand over the data. The data included phone numbers and emails of politicians and celebrities. The threat actors claim they obtained the information through an API bug that Twitter said it fixed earlier this year.

(BBC)

Alibaba CEO takes reins of cloud unit

On December 18th, Alibaba Cloud experienced an extended outage that took service offline for some customers in Hong Kong and Macau for over 24 hours. This resulted in suspended withdrawals at the cryptocurrency exchange OKX and other site outages. The company has now announced that Alibaba Group CEO and chairman Daniel Zhang Yong will serve as the acting president of Alibaba Cloud Intelligence. Alibaba framed this as essential for maintaining customer trust in its cloud operations. The cloud unit’s former chief Jeff Zhang will continue to lead Alibaba’s in-house R&D team Damo Academy.

(South China Morning Post)

Appeals court revives YouTube privacy lawsuit

In October 2019, Google agreed to pay $170 million to settle charges by the US FTC and the New York attorney general that it illegally collected personal data on children without consent. Back in July 2021, U.S. District Judge Beth Labson Freeman in San Francisco dismissed lawsuits filed by private plaintiffs under various state privacy laws against YouTube and content providers. This lawsuit alleged that Google did not comply with the settlement until January 2020. Judge Freeman ruled at the time that the federal Children’s Online Privacy Protection Act, or COPPA, preempted state law.

COPPA only allows the Federal Trade Commission and state attorneys general to file lawsuits regarding data collection on children. Now the 9th U.S. Circuit Court of Appeals in Seattle ruled 3-0 that it was “nonsensical” to suppose Congress intended to bar private plaintiffs from invoking state laws on the subject. The appeals court returned the case to Judge Freeman to consider other grounds that Google and content providers might have to dismiss the case. 

(Reuters)

Mango Markets trader charged with fraud 

The US Department of Justice charged crypto trader Avraham Eisenberg with commodities fraud and commodity manipulation, following a series of trades on the Solana-based exchange Mango Markets. Back in October, the market said a hacker manipulated its price oracle, resulting in $110 million worth of crypto drained from the exchange. Shortly thereafter, Eisenberg admitted to being “involved with a team that operated a highly profitable trading strategy” related to the incident. The DOJ alleges Eisenberg sold the exchange’s governing token MNGO from one account to another under his control, then began buying large amounts to increase the value of his holdings, before borrowing against his holdings and withdrawing the $110 million. Mango’s insurance fund was insufficient to cover the loss, resulting in the platform essentially becoming insolvent.

(Bloomberg)

Hacktivist groups using customized Telegram app

The Record covered the use of the Partisan Telegram, or P-Telegram, app by several hacktivist groups across Belarus, Ukraine, and Iran. P-Telegram builds off the source code of the standard Telegram messaging app, but includes a feature that automatically deletes selected chats when a specific SOS password is entered. It also supports sending notifications to others when an SOS password is used, allows designated accounts to remotely activate an SOS password on the device, and takes a picture with the front camera when the SOS code is used. The app first appeared in 2021, with roughly 10,000 downloads on GitHub.

(The Record)

iOS vulnerability used in iPhone app

Developer Zhuowei Zhang published a “proof-of-concept app” that uses a known iOS exploit to allow users to overwrite the default font on the OS without a jailbreak. The exploit impacts iOS 16.1.2 and earlier versions and effectively allows for arbitrary code execution. Zhang says the app should be safe to use, as all changes are reversed on a reboot, but still recommends backing up devices. The app isn’t available on the App Store for obvious reasons. Instead, users have to compile the Xcode project to install the app, or manually sign the IPA file with a developer certificate.

(9to5Mac)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.