ICT Security-Sécurité PC et Internet

A New York Times investigation has found that apps such as GasBuddy and The Weather Channel are among at least 75 companies getting purportedly “anonymous” but pinpoint-precise location data from about 200 million smartphones across the US.

They’re often sharing it or selling it to advertisers, retailers or even hedge funds that are seeking valuable insights into consumer behavior. One example: Tell All Digital, a Long Island advertising firm, buys location data, then uses it to run ad campaigns for personal injury lawyers that it markets to people who wind up in emergency rooms.

The Times reviewed a database holding location data gathered in 2017 and held by one company, finding that it held “startling detail” about people’s travels, accurate to within a few yards and in some cases updated more than 14,000 times a day. Several of the businesses whose practices were analyzed by the Times claim to track up to 200 million mobile devices in the US.

The data being sold is supposedly anonymous, as in, not tied to a phone number. The Times could still easily figure out who mobile device owners were through their daily routines, including where they live, where they work, or what businesses they frequent.

Learn more / En savoir plus / Mehr erfahren:

https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/

https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Big+Data

The latest Facebook privacy SNAFU (Situation Normal, All Facebooked Up) is a bug that changed settings on some accounts, automatically suggesting that their updates be posted publicly, even though users had previously set their updates as “private”.

On Thursday, Facebook asked 14 million users to review posts made between 18 May and 22 May: that’s when the bug was changing account settings. Not all of the 14 million users affected by the bug necessarily had their information publicly, mistakenly shared, but best to check.

Facebook Chief Privacy Officer Erin Egan said in a post that as of Thursday, the company had started letting those 14 million people know about the situation. She stressed that the bug didn’t affect anything people had posted before that time, and even then, they could still have chosen their audience like they always have.

Normally, the audience selector is supposed to be sticky: every time you share something, you get to choose who sees it, and the suggestion is supposed to be based on who you shared stuff with the last time you posted. Friends only? Fine, that’s what should be automatically suggested for the next post, and the one after that, until you change it… or a weird little glitch like this pops up.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Facebook

Forscher der Princeton University haben kürzlich ein anspruchsvolles Tool entdeckt, dass den Namen „Session-Replay Script“ trägt. Damit sind Berichte über das User-Verhalten selbst bis ins kleinste Detail möglich. Die eingebetteten Code-Schnipsel beobachten und verfolgen jede Interaktion eines Webseitenbesuchers mit der Webseite in Echtzeit. Es ist so, als ob ihm jemand beim Surfen über die Schulter sieht. Anders ausgedrückt ermöglichen diese „Screen Recordings“ das Aufzeichnen jeder Tastatureingabe, jeder Mausbewegung oder jedes Page Scrollings. Alles wird zusammen mit dem Content der Webseite zu einem Paket geschnürt und an Third-Party Server – also an Dritte – zur Analysierung geschickt.

Wir haben die Session-Replay Scipts von sieben der beliebtesten Anbieter solcher Tools untersucht. Das Ergebnis: 482 der weltweit 50.000 meistbesuchten Webseiten benutzen eines der Scripte. Sicherlich ist das nur ein winziger Teil des Internets, wahrscheinlich liegt die tatsächliche Zahl der im Gebrauch befindlichen Scripts weitaus höher.

Was sind die Risiken von Session-Replay Scripts?
Eigentlich sind die Scripts für legitime Anwendungszwecke gedacht. Dazu gehört beispielsweise das Verstehen, wie die User mit der eigenen Webseite zurechtkommen oder das Aufspüren von unverständlichen Abschnitten. Der Einsatz von Session-Replay-Scripts kann aber profunde Auswirkungen auf die Privatsphäre und die Sicherheit haben. Am wichtigsten ist die Tatsache, dass so ein Script nicht zwischen sensiblen und profanen Daten unterscheidet. Ohne angemessene Sicherheitsmaßnahmen können sensible Nutzerdaten preisgegeben werden, wie Login-Daten, Kreditkartendaten oder Informationen zum Gesundheitszustand. Außerdem tracken die Scripts Informationen, die in Echtzeit in ein Feld eingegeben werden, ohne dass sie schon an den Server übermittelt sind – das Aufzeichnen von eigentlich gelöschten Eingaben ist damit möglich.

Weiterhin beabsichtigen die Scripts das Aufzeichnen und Abrufen von individuellen Browser Sessions. Anonymität kann dadurch nicht gewährleistet werden. Aus dem vorangegangenen Whitepaper geht hervor, dass einige Provider sogar echte Namen einzelnen User-Sessions zuordnen.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Session-Replay+Scripts

https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking

Millions of apps leak personal identifiable information such as name, age, income and possibly even phone numbers and email addresses. At fault are app developers who do not protect ad-targeting data transmitted to third-party advertisers.

“The scale of what we first thought was just specific cases of careless application design is overwhelming,” said Roman Unuchek, security researcher, Kaspersky Lab, who introduced his research here at the RSA Conference on Tuesday. “Millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices.”

Data sent unencrypted over HTTP can be collected by cybercriminals that share the same Wi-Fi network, or by an ISP or even by malware installed on a target’s home router, researchers said.

Not only can unprotected data be collected, but it can also be intercepted by a cybercriminal who can modify it to show malicious ads, enticing users to download a trojan application, which turn out to be malware, according to Unuchek.

Learn more / En savoir plus / Mehr erfahren:

https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/

As location-aware advertising goes mainstream—like that Jack in the Box ad that appears whenever you get near one, in whichever app you have open at the time—and as popular apps harvest your lucrative location data, the potential for leaking or exploiting this data has never been higher.

It’s true that your smartphone’s location-tracking capabilities can be helpful, whether it’s alerting you to traffic or inclement weather. That utility is why so many of us are giving away a great deal more location data than we probably realize. Every time you say “yes” to an app that asks to know your location, you are also potentially authorizing that app to sell your data.

Dozens of companies track location and/or serve ads based on this data. They aim to compile a complete record of where everyone in America spends their time, in order to chop those histories into market segments to sell to corporate advertisers.

Marketers spent $16 billion on location-targeted ads served to mobile devices like smartphones and tablets in 2017. That’s 40% of all mobile ad spending, research firm BIA/Kelsey estimates, and it expects spending on these ads to double by 2021.

The data required to serve you any single ad may pass through many companies’ systems in milliseconds—from data broker to ad marketplace to an agency’s custom system. In part, this is just how online advertising works, where massive marketplaces hold ongoing high-speed auctions for ad space.

Learn more / En savoir plus / Mehr erfahren:

 https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking

https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/

https://gustmees.wordpress.com/2014/03/05/often-asked-questions-are-there-cyber-security-dangers-with-apps-and-whats-about-privacy/

Die Internet-Organisation ICANN scheint auch knapp vier Monate vor Inkrafttreten der EU-DSGVO keinen praktikablen Plan zu haben, wie ihre Whois-Datenbank sich mit den neuen Vorschriften vertragen könnte.

Die Datenschutzgrundverordnug der Europäischen Union sorgt nicht nur in Europa, sondern weltweit für verstärkte Aufmerksamkeit für Datenschutzfragen. Die im englischen Sprachraum als "European Union's General Data Protection Regulation" (GDPR) bezeichneten Vorschriften betreffen unter anderem auch das Whois-Sytem, den weltweiten Verzeichnisdienst für Domain-Namen.

Diese Daten sind in der Whois-Datenbank gespeichert und öffentlich abrufbar. Und da nicht nur simple Zuordnungen von Nameserver-Adressen und Domain-Namen in der Datenbank enthalten sind, sondern auch personenbezogene Daten wie die Namen von für den Domain-Betrieb Verantwortlichen (AdminC, TechC oder BillingC), entspricht das Whois-System nicht den Ende Mai 2018 inkrafttretenden EU-Vorschriften.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=GDPR

Have you watched a YouTube video lately in a country where English is widely used?

If so, we’re willing to bet that you’ve seen an advert for Grammarly, an online spelling and grammar checker.

In fact, we’ll suggest you’ve seen the Grammarly ad many times, perhaps even very many times – we certainly have.

The ads seem to be working, with the product currently closing in on 1,000,000 installs in Firefox, and already claiming more than 10,000,000 in Chrome.

As the product pitch in the Firefox add-on store explains:

Once you register your new account, you will start to receive weekly emails with personalized insights and performance stats (one of our most popular new features). Working on a large project, an essay, or a blog post? No sweat. You can create and store all of your documents in your new online editor.

In other words, your Grammarly account ends up knowing a lot about you, and holding copies of a lot of what you’ve written.

A security hole in Grammarly could therefore tell crooks much more about you than you’d like them to know.

Learn more / En savoir plus / Mehr erfahren.

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Grammarly

As Ars Technica reports, YouTube has been spotted pushing ads onto users.

That, in itself, isn't newsworthy of course. But these ads are surreptitiously stealing resources from visiting computers to mine for cryptocurrencies:

On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.

The ads contain JavaScript that mines the digital coin known as Monero. In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that's controversial because it allows subscribers to profit by surreptitiously using other people's computers. The remaining 10 percent of the time, the YouTube ads use private mining JavaScript that saves the attackers the 30 percent cut Coinhive takes. Both scripts are programmed to consume 80 percent of a visitor's CPU, leaving just barely enough resources for it to function.

You should run an ad blocker when you surf the web.

==================================================

Not just because ads are invariably ugly and ruin the user experience. Not just because you don't want ads tracking your online behaviour. Not just because ads slow down your online experience and gobble up your bandwidth. Not just because ads can infect your computer with malware, or be secretly sapping your computer resources by mining for cryptocurrencies in the background.

==================================================

But because even Google, one of the world's largest advertising companies (with its own considerable security prowess), seems to be incapable of guaranteeing a stream of safe ads. What hope for the other advertising networks if Google can't get it right?

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Coinhive

https://www.scoop.it/t/securite-pc-et-internet/?&tag=crypto-currency

https://www.scoop.it/t/securite-pc-et-internet/?&tag=cryptojacking

A secretive special air service base has been inadvertently revealed by a fitness app that has created a heatmap of running routes around the country.

A SAS base in Hereford, along with a nuclear deterrent naval base and the government's spy agency GCHQ has been placed on a heatmap of Strava's customers, including the profiles of several people who regularly run to-and-from the highly sensitive buildings. 

The buildings appear on a global, interactive map created by Strava, which is an app that allows users to track cycling or running speeds and distances and share them with friends. But unbeknown to many of its users, Strava has used their location data to in a worldwide heatmap including three trillion coordinates, titled "Where We Play".

"When sensitive sites, such as the GCHQ, are quite literally highlighted by GPS activity, it raises concern not only for the individual connected to the device, but the institution as a whole. The UK’s security services must be hyper-aware of what they’re sharing – regardless of what may be labelled as ‘excluded’ within the device. If a device or application has the capability to share location in any respect, it signifies a breach in security protocols."

Learn more / En savoir plus / Mehr erfahren:

https://gustmees.wordpress.com/2012/11/05/naivety-in-the-digital-age/

https://www.scoop.it/t/securite-pc-et-internet/?&tag=wearables

Ein internationales Forscherteam hat die Leistungsfähigkeit von Datenschutz-Tools für Internet-Browser untersucht. Während viele Anti-Tracking-Erweiterung einen deutlichen Mehrwert liefern, entpuppen sich andere als Schlangenöl.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy

This website is a resource to educate the public about the main elements of the General Data Protection Regulation (GDPR)
After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. It will enter in force 20 days after its publication in the EU Official Journal and will be directly application in all members states two years after this date. Enforcement date: 25 May 2018 - at which time those organizations in non-compliance will face heavy fines. 

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site. 

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/luxembourg-europe/?&tag=LIST

https://www.scoop.it/t/luxembourg-europe/?&tag=CNPD

https://www.scoop.it/t/luxembourg-europe/?tag=Digital+L%C3%ABtzebuerg

https://www.scoop.it/t/luxembourg-europe/?&tag=GDPR

Jeden Tag hören Mitarbeiter Tausende aufgezeichnete Gespräche ab, die die Kunden mit Amazons Assistenzsoftware Alexa geführt haben. Die Begründung des US-Konzerns für diese bislang verschwiegene Maßnahme klingt abenteuerlich.
30

Nutzer von Amazons Assistenzsoftware Alexa sollten sich zweimal überlegen, worüber sie sprechen: Der US-Internetriese lässt zum Teil Mitarbeiter aufgezeichnete Befehle von Nutzern an Alexa anhören und abtippen, um die Spracherkennung zu verbessern.

Der Konzern bestätigte die Vorgehensweise am Donnerstag dem Finanzdienst Bloomberg. „Wir versehen nur eine sehr geringe Auswahl an Alexa-Sprachaufnahmen mit Kommentaren, um das Kundenerlebnis zu verbessern.“

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Alexa

Das Tracking wird über die US-Firma Laserlike abgewickelt. Damit die Empfehlungen in der Seitenleiste auch passen, ist der umfangreiche Zugriff auf Daten, etwa den Browser-Verlauf und die aktuell geöffneten Seiten, nötig. Außerdem sammelt Laserlike IP-Adresse, Zugriffszeiten und Verweildauer auf Webseiten.

Im Rahmen von Test-Pilot tracken Laserlike und Mozilla noch Daten zur Nutzung von Advance, etwa Verweildauer auf empfohlenen Seiten oder Informationen zum Betriebssystem. Was man Mozilla zugute halten muss: Sie verschweigen das Thema Tracking nicht und bauen einen Schalter ein, um Advance pausieren zu lassen.

Auch im Privatmodus oder mit eingeschaltetem Tracking-Schutz funktioniert die Erweiterung nicht. Wer möchte, kann die übermittelten Daten einsehen und löschen.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking

A company that collects the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent.

US cell carriers are selling access to your real-time phone location data

The company embroiled in a privacy row has "direct connections" to all major US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint -- and Canadian cell networks, too.

Earlier this week, we reported that four of the largest cell giants in the US are selling your real-time location data to a company that you've probably never heard about before.

The company, LocationSmart, is a data aggregator and claims to have "direct connections" to cell carriers to obtain locations from nearby cell towers. The site had its own "try-before-you-buy" page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.

But that website had a bug that allowed anyone to track someone's location silently without their permission.

"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call.

"The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."

The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon.

Xiao said the bug may have exposed nearly every cell phone customer in the US and Canada, some 200 million customers.

Learn more / En savoir plus / Mehr erfahren:

https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/

https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Big+Data

Spätestens seit dem Cambridge-Analytica-Skandal stehen viele Menschen Facebook skeptisch gegenüber. Wie Forscher nun herausgefunden haben können beim "Login mit Facebook" Skripte von Drittfirmen die Facebook-Identität des Besuchers nachverfolgen.

Wenn ein Internet-Nutzer auf einer Webseite die Funktion "Login mit Facebook" verwendet, gibt er der Webseite, auf der er sich befindet, unter Umständen Zugriff auf sein öffentliches Facebook-Konto. Forscher der Princeton-Universität in den USA warnen nun davor, dass auf dieser Webseite eingebettete Skripte von Dritten ebenfalls Zugriff auf diese Daten haben. Laut den Forschern sammeln Tracker so die Informationen der Webseitenbesucher – in den meisten Fällen wohl ohne dass die betroffene Webseite davon Kenntnis hat. Derartige Scripte fanden sie auf 434 der eine Million meistbesuchten Seiten im Netz.

Die meisten der Dritt-Skripte fragen den Facebook-Namen und die E-Mail-Adresse des Besuchers ab, der sich über Facebook auf der Seite anmeldet. Zwar ist die ID, welche die Skripte abgreifen, erst einmal auf die Anmelde-Routine der besuchten Webseite beschränkt; wie die Forscher zeigen, lassen sich darüber allerdings die öffentlichen Facebook-Informationen des Besuchers extrahieren. Dazu gehört dessen Facebook-Name und sein Profilbild.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Facebook

https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/

A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent.

Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.

But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents.

The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.

Learn more / En savoir plus / Mehr erfahren:

https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/

Das Sicherheitsunternehmen Digital Shadows findet auf ungeschützten Servern Milliarden an Datensätzen, auch S3 ist betroffen.

Das Bundesamt für Sicherheit in der Informationstechnik weist auf eine interessante Studie der Sicherheitsforscher von Digital Shadows hin: Viel Medienaufmerksamkeit erhielten zwar in den letzten Jahren Hacker, die in fremde Netze einbrechen, sehr oft sind aber persönliche Daten völlig frei zugänglich und liegen ungeschützt auf diversen Servern. Grund dafür sind wohl oft fehlendes Fachwissen und vielleicht auch Mängel bei den Voreinstellungen von NAS-Speichergeräten.

Die Forscher haben in den letzten drei Monaten mit einem selbst entwickelten Scan-Tool nach per Web zugänglichen Freigaben gesucht: SMB-Freigaben, rsync-Freigabe, FTP-, Amazon S3- oder auch ungeschützten Webseiten und NAS-Servern. Dabei spürten sie insgesamt 1,5 Milliarden an Daten mit einer Dateigröße von 12 TB auf, auf die man problemlos per Web zugreifen kann. Bei einer Analyse der Daten fanden sich darunter unter anderem Steuer-Unterlagen, Patientenlisten und Medizin-Daten. Über eine einzige SMB-Freigabe konnten die Forscher in einem Fall auf über zwei Millionen an Körperscans zugreifen, vielleicht Daten eines italienischen Krankenhauses. Am stärksten betroffen war die USA mit 16,3 Prozent der frei zugänglichen Dateien, Deutschland immerhin mit knapp 8 Prozent.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy

Google has removed 89 malicious extensions from the Chrome Web Store that have been installed on over 420,000 browsers, turning them into Monero-mining slaves and loading a tool to record and replay what their owners do on every website they visit.

Researchers at Trend Micro dubbed the family of malicious extensions Droidclub and discovered they included a software library with so-called "session-replay scripts" used by online analytics firms.

Princeton's Center for Information Technology in November drew attention to the increasing use of session-replay scripts by third-party analytics firms on high-traffic websites.

The study looked at replay services from Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam, which were found on nearly 500 popular sites.

The scripts allow a site owner to essentially shoulder-surf their visitors by recording and replaying your "keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit".

But instead of allowing a site owner to record and play back what users do on one site, Droidclub extensions allow the attacker to see what victims do on every single site they visit.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Cyberespionage

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy

https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Session-Replay+Scripts

A flaw in Hotspot Shield can expose VPN users, locations
The virtual private network says it provides a way to browse the web "anonymously and privately," but a security researcher has released code that could identify users' names and locations.

A security researcher has found a way to identify users of Hotspot Shield, a popular free virtual private network service that promises its users anonymity and privacy.

Hotspot Shield, developed by AnchorFree, has an estimated 500 million users around the world relying on its privacy service. By bouncing a user's internet and browsing traffic through its own encrypted pipes, the service makes it harder for others to identify individual users and eavesdrop on their browsing habits.

But an information disclosure bug in the privacy service results in a leak of user data, such as which country the user is located, and the user's Wi-Fi network name, if connected.

That information leak can be used to narrow down users and their location by correlating Wi-Fi network name with public and readily available data.

"By disclosing information such as Wi-Fi name, an attacker can easily narrow down or pinpoint where the victim is located," said Paulos Yibelo, who found the bug. Combined with knowing the user's country, "you can narrow down a list of places where your victim is located," he said.

ZDNet was able to independently verify Yibelo's findings by using his proof-of-concept code to reveal a user's Wi-Fi network. We tested on several machines and different networks, all with the same result.

VPNs are popular for activists or dissidents in parts of the world where internet access is restricted because of censorship, or heavily monitored by the state, as these services mask a user's IP addresses that can be used to pinpoint a person's real-world location.

Being able to identify a Hotspot Shield user in an authoritarian state could put them at risk!!!

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=VPN

Grammarly has fixed a security bug in its Chrome extension that inadvertently allowed access to a user's account -- including their private documents and data.

Tavis Ormandy, a security researcher at Google's Project Zero who found the "high severity" vulnerability, said the browser extension exposed authentication tokens to all websites.

That means any website can access a user's documents, history, logs, and other data, the bug report said.

"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," said Ormandy, because "users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."

In proof-of-concept code, he explained how to trigger the bug in four lines of code.

More than 22 million users have installed the grammar-checking extension.

Ormandy filed his bug report Friday, subject to a 90-day disclosure deadline -- as is the industry standard. Grammarly issued an automatic update Monday to fix the issue.

Ormandy has in recent months examined several vulnerable web browser extensions. Earlier this year, he found a remote code execution flaw in the Cisco WebEx Chrome extension, and a data-stealing bug in the popular LastPass password manager.

A spokesperson for Grammarly did not immediately return a request for comment.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=DATA-BREACHES