May 15, 2019

Twitter bug leaks iOS users’ location data to partner

By Lisa Vaas

On Monday, Twitter said that it goofed: it mistakenly collected and shared some accounts’ location data with one of its partners, even if a user hadn’t opted in to sharing the data.

The bug, which only affected some Twitter users, has already been fixed.

It involved inadvertently collecting and sharing location data at the postal code or city level. The bug specifically affected some people who were using more than one Twitter account on iOS and who had opted into using the precise location feature in one of those Twitter accounts. On the affected devices, the location data sharing accidentally spilled from one opted-in account to other, non-opted-in accounts on the same device, Twitter said.

Twitter told Engadget that employees discovered the glitch.

Separately, Twitter says it intended to remove location data from fields sent to a trusted partner during an advertising process known as real-time bidding. That didn’t go as planned. The partner couldn’t see precise locations, as in, it didn’t get more precise than a postal code or city – an area equivalent to 5km squared, Twitter said.

Read more at https://nakedsecurity.sophos.com/2019/05/15/twitter-bug-leaks-to-ios-users-location-data-to-partner/

Update iOS and Mojave now! Apple patches are out

By John E Dunn

Apple has released its May 2019 security updates, taking iOS to version 12.3 and macOS Mojave to version 10.14.5.

There are three elements to this month’s new software – new capabilities (which tend to get the most attention, and which we’ll ignore), a sizable pile of important security fixes, and a smattering of minor security tweaks.

One of the interesting things about Apple’s advisories is the large number of third-party researchers the company name checks.

That’s a positive – the more researchers combing for flaws, the fewer will be exploited and hurt people. What’s less clear without reading deeper into the CVEs (which aren’t always explanatory until user updating has occurred) is which ones are more serious.

iOS 12.3

This month iOS generated 42 CVEs, bulked by the number affecting WebKit, which amount to 20 in all.

The ones that jump out usually involve a vulnerability that might allow a remote attacker or local app to take control of the device at some level – like most of the WebKit flaws.

For example, CVE-2019-8585 in CoreAudio could give malware a route to compromise using a malicious movie file. That’s serious because it doesn’t appear it would necessarily require the victim to do anything.

Read more at https://nakedsecurity.sophos.com/2019/05/15/update-ios-and-mojave-now-apple-patches-are-out/

Facebook sues app developer Rankwave over data misuse

By Lisa Vaas

It sounds a lot like Facebook has gotten itself into (or encouraged and is now pretending it’s aghast about it all) another Cambridge Analytica-ish data privacy fiasco.

Facebook announced on Friday that it’s filed a lawsuit against a South Korean social media analytics firm called Rankwave, alleging that the company abused Facebook’s developer platform’s data and that Rankwave has refused to cooperate with the platform’s mandatory compliance audit and Facebook’s request that it delete data.

Facebook already suspended Rankwave’s apps and any accounts associated with the company. Now it’s looking for the court to get it to comply with a data audit and to delete whatever Facebook data it has, as well as to cough up the $9.8m USD it made off selling data it never should have, as Facebook tells it.

From its announcement:

By filing the lawsuit, we are sending a message to developers that Facebook is serious about enforcing our policies, including requiring developers to cooperate with us during an investigation.

The suit, filed in California Superior Court for the County of San Mateo, says that beginning around 2010, Rankwave started developing apps on Facebook’s platform in order to sell advertising and marketing analytics and models, in violation of Facebook’s policies and terms. It operated at least 30 apps on the Facebook platform, according to the complaint.

Read more at https://nakedsecurity.sophos.com/2019/05/15/facebook-sues-app-developer-rankwave-over-data-misuse/

Update WhatsApp now! One call could give spies access to your phone

By Mark Stockley

On Monday 13 May, Facebook revealed that an “advanced cyber actor” has been spying on some users of its ridiculously popular WhatsApp messaging app, thanks to a zero-day vulnerability that allowed hackers to install spyware, silently, just by calling a victim’s phone.

The vulnerability is now fixed, which means that if you’re one of WhatsApp’s 1,500,000,000 users you need to go to the well and drink up the latest version.

There’s a good chance your app’s already updated itself, but this is a serious vulnerability so we advise you to check all the same.

WhatsApp isn’t exactly shouting about this. The Facebook Security page, WhatsApp’s company website and WhatsApp’s Twitter feed are bereft of information.

The What’s New sections of the app’s Google Play and Apple App Store listings would love you to know that with the latest version of the app you can now see stickers in full size when you long press a notification, but couldn’t find room to say that this is the only version that doesn’t allow remote spying.

Instead, Facebook has done the digital equivalent of pinning a security advisory for CVE-2019-3568 to the back of the toilet door in an unlit basement while nobody was looking. It reads as follows:

Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

What the description is trying to tell you is that some people who knew about this vulnerability used phone calls to vulnerable devices to install spyware that could listen in on calls, read messages and switch on the camera.

Read more at https://nakedsecurity.sophos.com/2019/05/14/update-whatsapp-now-one-call-could-give-spies-access-to-your-phone/
