iSharing app accidentally makes users’ precise locations public

Apr 25 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that’s all bark and no byte 😬

Today’s hottest cybersecurity news stories:

  • 📱 iSharing app accidentally makes users’ precise locations public 📍

  • 🛒 Google Ads for Facebook was redirecting people to a scam site ⚠️

  • 🐪 Iran tricks US military, govt agencies in years-long cyber campaign

iShArinG Is cArinG 🙃

🚨 Security Bugs in phone-tracking app iSharing exposed users’ precise locations 🌐

🕵️‍♂️ When security researcher Eric Daigle revealed the ease with which he could pinpoint the precise location of users on the popular phone-tracking app iSharing, we knew we had to delve deeper.

🔍 The Discovery: Daigle, a student at the University of British Columbia, uncovered vulnerabilities in iSharing as part of his investigation into location-tracking app security. These flaws exposed users' coordinates, names, profile photos, email addresses, and phone numbers, even if they weren't actively sharing their location data.

🔒 The Bugs: The bugs stemmed from iSharing's servers failing to properly authenticate users' access to location data. This allowed anyone using the app to access the precise location of any other user, irrespective of whether the location was being actively shared.
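The failure described above is a missing server-side authorisation check on a location lookup. The block below is an added illustration, not iSharing’s code: a hypothetical handler that hands back any user’s coordinates on request, beside a hardened version that only answers when the target has actively shared their location with that specific requester. All users, coordinates and sharing grants are constructed sample data.

```python
# Added illustration of the access-control failure described in the story: a
# hypothetical location-lookup handler with no authorisation check, beside a
# hardened one. Names and data are constructed; this is not iSharing's code.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    name: str
    location: tuple           # (lat, lon), constructed sample values
    sharing_enabled: bool     # has the user switched location sharing on at all?
    # user_ids this user has explicitly chosen to share their location with
    shares_with: set = field(default_factory=set)


# Constructed sample directory. Sharing is opt-in and directional.
USERS = {
    1: User(1, "alice", (49.2606, -123.2460), True, shares_with={2}),
    2: User(2, "bob", (49.2827, -123.1207), False),
    3: User(3, "carol", (43.6532, -79.3832), False, shares_with={1}),  # paused
}


class Forbidden(Exception):
    """Raised when the requester may not view the target's location."""


def get_location_vulnerable(requester_id: int, target_id: int) -> tuple:
    """Broken object-level authorisation: any logged-in user can fetch any other
    user's coordinates just by supplying their ID. The requester is ignored, and
    whether the target is sharing at all is never checked."""
    return USERS[target_id].location


def get_location_hardened(requester_id: int, target_id: int) -> tuple:
    """Server-side check: the target must exist, must have sharing switched on,
    and must have granted this particular requester access (or be the requester)."""
    target = USERS.get(target_id)
    # One generic error for every refusal so the endpoint does not reveal
    # which IDs exist or who is sharing with whom.
    if target is None:
        raise Forbidden("location not available")
    if requester_id != target_id:
        if not target.sharing_enabled or requester_id not in target.shares_with:
            raise Forbidden("location not available")
    return target.location


def can_view(requester_id: int, target_id: int) -> bool:
    """True only when the hardened check would release the location."""
    try:
        get_location_hardened(requester_id, target_id)
        return True
    except Forbidden:
        return False
```

The vulnerable handler releases alice’s coordinates to carol, who was never granted access; the hardened one refuses, and also refuses bob’s and carol’s positions because neither has sharing switched on.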

🗺️ The Impact: Daigle's findings underscore the broader security risks associated with location-tracking apps, including the potential for exploitation by malicious actors, particularly in the case of stealthy "stalkerware" apps.

🛠️ Mitigation Measures: After notifying iSharing about the vulnerabilities, the company swiftly addressed the issues. Co-founder Yongjae Chuh expressed gratitude to Daigle for his discovery and outlined plans to collaborate with security professionals to enhance data protection measures.

🔧 Technical Details: Daigle detailed the vulnerabilities on his blog, highlighting the ease with which he identified the flaws and built a proof-of-concept script to demonstrate the security risks.

👁️ Looking Ahead: Daigle intends to continue his research in the realm of stalkerware and location-tracking, underscoring the ongoing importance of robust security measures in safeguarding user privacy.

🔒 Protecting User Data: As location-tracking apps become increasingly ubiquitous, it's imperative for developers to prioritise rigorous security protocols to prevent unauthorised access to sensitive user information. By addressing vulnerabilities promptly and collaborating with security experts, app makers can uphold user trust and privacy in an evolving digital landscape.

Google loses Face 😏

🚨 Malicious fake Google Ad for Facebook Redirects to Scam 🔍

The Issue: A recent discovery sheds light on a malicious ad campaign targeting Facebook users via Google search. Tech support scammers are leveraging ads for specific keywords to lure unsuspecting victims, raising questions about the authenticity of online advertising practices.

🤔 The How and Why: While it's widely known that tech support scammers use ads to attract victims, the intricacies of impersonating top brands and evading detection are lesser-known. Understanding the methods behind these attacks and questioning Google's oversight are crucial steps in combating online fraud and malware.

💼 Growing Threat: Malvertising attacks continue to pose a significant threat to consumers, with their prevalence on the rise. Public awareness and reporting are essential in addressing these threats and holding platforms accountable for their security measures.

🔍 Cloaking Technique: One particular technique at the heart of these attacks is cloaking, which enables scammers to display different content to users and ad platforms. Despite its potential for legitimate use, cloaking remains a favoured tool for malicious actors seeking to conceal their fraudulent activities.

🔒 Challenges for Platforms: Differentiating between legitimate affiliates and malicious actors presents a significant challenge for platforms like Google. While various data points about advertisers can aid in fraud detection, loopholes in ad verification processes, such as URL redirection, remain exploitable by threat actors.

🛡️ Safeguarding Measures: As malvertising threats persist, users can take proactive steps to protect themselves, including being cautious of sponsored results, considering ad-blocking tools, and recognising scam pages for what they are.

👥 Collective Action: Addressing malvertising requires collaboration among platform providers, security vendors, and vigilant users. By raising awareness, reporting incidents, and implementing robust security measures, we can collectively mitigate the risks posed by malicious ad campaigns.

🔍 Continued Vigilance: As technology evolves, so too do the tactics employed by cybercriminals. Staying informed and remaining vigilant are essential in safeguarding against emerging threats in the digital landscape.

U.S: We tried to catch him but Iran 💀

🚨 Iranian Hackers Conduct Elaborate Cyber Espionage 🕵️‍♂️

In a brazen cyber espionage campaign, Iranian state-sponsored hackers infiltrated US government departments and private sector organisations over five years. 💼🔓

🎭 Sophisticated Tactics: The hackers, allegedly linked to Iran's IRGC, posed as a cybersecurity firm to launch spear phishing attacks. They targeted hundreds of thousands of employee accounts, compromising entities like the US Departments of Treasury and State. 💂‍♂️🔗

💬 Social Engineering Mastery: Utilising social media, the hackers posed as women to lure victims. Once clicked, malicious links deployed custom malware, enabling account takeovers and data theft. 💌🔥

📈 Tech-Enabled Espionage: A proprietary application named "Dandelion" allowed the hackers to manage their activities, tracking victims' IP addresses and browsing behaviour. 🌼🕵️‍♂️

🚨 Ongoing Threat: Despite indictments, the hackers remain at large, prompting a $10 million reward from the US State Department for their capture. Vigilance and collaboration are crucial in defending against such threats. 💪🤝🔒

🗞️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think!

So long and thanks for reading all the phish!
