Feedback & Followups
- 🇺🇸 Un-redactions in an ongoing antitrust case against Google led by the state of Texas have revealed more details on how Google abuse their position of power in the ad world — in effect, they represent both parties in an auction they run and profit from and use that to inflate their earnings: www.wired.com/…
- Apple have patched the HomeKit bug we talked about last time: Apple Releases iOS 15.2.1 Update That Fixes HomeKit Bug — www.macobserver.com/…
- 🇷🇺 Russian authorities claim to have arrested key members of the REvil ransomware gang, and reportedly at least one person connected to the Colonial Pipeline attack in the US — nakedsecurity.sophos.com/… & krebsonsecurity.com/…
- 🇺🇸 The bill that would force mobile platforms to allow side-loading continues to make its way through the legislative process, and Apple continue to be deeply unhappy about it — www.imore.com/…
Deep Dive 1 — 🧯 The Safari 15 Data Leak Bug Reported by FingerprintJS
The folks at FingerprintJS (a grey-hat company that sells browser fingerprinting services) have released details of a subtle privacy leak in Safari 15 on iOS & macOS.
TL;DR — there is a leak, but it’s extremely limited, and nowhere near as bad as most of the headlines would make you believe.
Cookies are an age-old mechanism for storing small snippets of unstructured data in our browsers. Websites hand browsers cookies, and the browsers store them until the next time they visit the same website, at which point they hand them back. The information they store is literally a string of text.
Modern web apps (including so-called progressive web apps) have valid reasons for storing more data in a more structured way within the browser, so the IndexedDB API was developed to allow JavaScript to store structured data in the browser.
Like cookies and JavaScript in general, IndexedDB databases should be protected by the browsers’ same-origin policy. In Safari 15 that’s almost completely true, but not quite. Safari doesn’t leak the contents of one website’s database to JavaScript running on another website (that would be a catastrophic failure), but it does leak the names of the databases: when a site creates a database, Safari 15 also creates an empty database with the same name in every other tab, window and frame open in the same browsing session, so a malicious page that calls the indexedDB.databases() API sees names it should never see. Database names are chosen by the site’s own code and are usually named for the service that created them, so one website can know you use another website simply by seeing an appropriately named database. Worse, some sites embed unique identifiers in their database names (FingerprintJS demonstrated this with Google services, which name a database after the user’s Google User ID), so the database names also leak those identifiers. It would be a catastrophic security blunder to embed secrets in a database name, so these leaked IDs are not going to be things like keys or passwords, but more generic tokens like user or account IDs.
Apple are aware of the bug and working on a fix.
Until Apple patch this bug, it’s possible for a malicious website to know you use any other IndexedDB-using website that is open in the same browsing session, and depending on the site, also the user you log in as. No actual data is leaked.
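As an added example (this is not code from FingerprintJS, Apple, or the original post), the snippet below shows the two halves of the problem from a web developer’s point of view: indexedDB.databases() is the real browser API that lists the database names visible to the calling origin (the names a malicious page could read in Safari 15), and the audit helpers flag names that carry an identifier. The sample names, the identifier heuristics and their thresholds are constructed assumptions for illustration; outside a browser the script falls back to the constructed list so it runs stand-alone.

```javascript
// Added example, not from FingerprintJS, Apple, or the original post.
// Audits IndexedDB database names for what they would reveal if another
// origin could read them, as Safari 15 allowed.

// Heuristics (assumed thresholds) for names that carry an identifier:
// a long run of digits, a UUID, or a long hex token.
const IDENTIFIER_PATTERNS = [
  /\d{8,}/,                                                        // numeric user/account ID
  /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i,  // UUID
  /[0-9a-f]{32,}/i,                                                // long hex token
];

// True when a database name looks like it embeds an identifier.
function nameLeaksIdentifier(name) {
  return IDENTIFIER_PATTERNS.some((re) => re.test(name));
}

// For each visible name, record whether it reveals only "this site was used"
// or also an identifier tied to the user.
function auditDatabaseNames(names) {
  return names.map((name) => ({
    name,
    revealsIdentifier: nameLeaksIdentifier(name),
  }));
}

// Real browser API: lists the names visible to the calling origin. On a
// vulnerable Safari 15 that included names created by other origins in the
// same session. Returns null outside a browser so the audit can run in Node.
async function visibleDatabaseNames() {
  if (typeof indexedDB === 'undefined' || typeof indexedDB.databases !== 'function') {
    return null;
  }
  const dbs = await indexedDB.databases();
  return dbs.map((db) => db.name);
}

// Constructed sample input (not captured from any real site): the first and
// third names reveal only that a service was used; the other two also carry
// an identifier, the pattern FingerprintJS reported for Google services.
const SAMPLE_NAMES = [
  'video-site-cache',
  'LogsDatabase-123456789012345678',
  'shopping-cart',
  'calendar-f47ac10b-58cc-4372-a567-0e02b2c3d479',
];

async function main() {
  const names = (await visibleDatabaseNames()) ?? SAMPLE_NAMES;
  for (const result of auditDatabaseNames(names)) {
    console.log(
      `${result.name}: ${result.revealsIdentifier ? 'LEAKS IDENTIFIER' : 'reveals only that the site was used'}`
    );
  }
}

main().catch((err) => console.error(err));
```

Paste it into Safari’s Web Inspector on a page you control to see which names that origin can enumerate, or run it with node to exercise the audit on the constructed list. The site-side fix is the obvious one: keep identifiers out of database names, and if per-user storage is needed, key it by an opaque value that means nothing outside the origin.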
Links
- Safari and iOS users: Your browsing activity is being leaked in real-time — arstechnica.com
- Apple’s working to fix a Safari bug that opens your browsing history up to websites — www.imore.com/…
Deep Dive 2 — iCloud Private Relay Teething Troubles
It’s been a very confusing few weeks in terms of Apple’s iCloud Private Relay.
First and foremost, remember this is still a beta feature!
The first development was news that EU carriers are asking the European Commission to ban iCloud Private Relay over ‘digital sovereignty’ and because it hides data from them. I’ve tried to read their reasoning, but it just looks like technobabble to me. My honest opinion is that it’s intended to sound technical and intimidating without actually saying anything, because they’re basically cranky about it preventing them spying on their customers to monetise them as a second income stream.
This was followed a few days later with reports that some American users were unable to use Private Relay, and that it was being blocked by carriers. Initially many in the tech press jumped to the conclusion that it must be American carriers being evil, but it turns out to be more complicated than that.
There is still a lot of confusion, but some or all of the following three things are going on:
- Some carriers are intentionally disabling the feature for some customers, but for a really good reason: those customers have chosen to enable parental controls on their internet connection, and that’s literally impossible with Private Relay enabled. (How could the carrier filter web connections it can’t see?)
- There is an obscure per-cellular-network toggle (‘Limit IP Address Tracking’, under the cellular data options) that overrides the Private Relay toggle in the iCloud preferences. Some American users found that toggle disabled, and it’s not at all clear why. It could be a setting pushed down by carriers.
- American carriers are claiming the latest version of iOS introduced a bug that’s disabling the feature. Apple has denied this, saying they didn’t change the Private Relay code at all in that update.
The situation in Europe is clear as glass: the carriers want permission to prevent users protecting themselves from being spied on. The situation in America is clear as mud; the carriers could be up to no good, or it could be a bug.
Links
- 🇪🇺 EU carriers want to kill iCloud Private Relay over ‘digital sovereignty’ worries — www.imore.com/…
- 🇺🇸 Some of the initial, then updated reporting from the US: T-Mobile begins blocking iPhone users from enabling iCloud Private Relay in the US — 9to5mac.com/…
- 🇺🇸 T-Mobile says it isn’t widely blocking iCloud Private Relay — arstechnica.com
- 🇺🇸 T-Mobile says Apple is to blame for iCloud Private Relay being turned off — www.imore.com/…
- Related: a nice translation of Apple’s recent white paper on how iCloud Private Relay works from nerd-speak to human-speak: How Apple’s iCloud Private Relay Can Keep You Safe — www.wired.com/…
❗ Action Alerts
- It was an important Patch Tuesday for Windows users: ‘Wormable’ Flaw Leads January 2022 Patch Tuesday — krebsonsecurity.com/… & Wormable Windows HTTP hole – what you need to know — nakedsecurity.sophos.com/…
- Serious Security: Linux full-disk encryption bug fixed – patch now! — nakedsecurity.sophos.com/…
Worthy Warnings
- Home routers with NetUSB support could have critical kernel hole — nakedsecurity.sophos.com/…
- Red Cross Data Breach Affects 515,000 Vulnerable People — www.macobserver.com/…
- A timely reminder on the dangers of plugging in random USB devices: FBI: Hackers use BadUSB to target defense firms with ransomware — www.bleepingcomputer.com/…
- QR-code-based scams are on the rise, so remember that scanning a QR code is the equivalent of clicking a link, and check the URL when you arrive: Beware of Fake QR Codes on Parking Meters That Steal Your Money — www.macobserver.com/…
- If you use TeslaMate to monitor your Tesla’s stats, be sure to update, because a German teen found a nasty vulnerability which has now been patched — www.macobserver.com/…
Notable News
- I was curious how long Apple would allow people to stay on iOS 14, and now we know: Apple is no longer letting people stay on iOS 14, prompts iOS 15 update instead — www.imore.com/…
- Apple says it was never going to let people ignore iOS 15 forever — www.imore.com/…
- Related: Apple have updated earlier security bulletins to add more detail about the vulnerabilities iOS 15 fixes — www.imore.com/…
- 🇬🇧 The UK government has paid over half a million pounds for an ad campaign designed to turn the public against end-to-end encryption. The released documents reveal government officials asserting that the public are ignorant of the facts, so they are vulnerable to manipulation. The agency was also instructed to be careful not to trigger a debate on the law enforcement vs. privacy and security tradeoffs — www.rollingstone.com/… (Editorial by Bart: hopefully all the publicity this story is getting will make UK residents less vulnerable to this government disinformation campaign. And yes, I do mean disinformation rather than misinformation; I consider this malicious propaganda because the intention is explicitly to avoid debate and hinder public understanding of the issues)
- 🇺🇸 After years of fraud powered by identity theft, the US IRS is moving to tighten security for online filing by outsourcing identity verification to a private company, ID.me: IRS Will Soon Require Selfies for Online Access — krebsonsecurity.com/…
- 🇺🇸 A US court has found that cyber insurance companies can’t simply declare a cyber-attack an act of war so as to get out of paying up: Merck Wins Court Dispute Over ‘NotPetya’ Attack — www.macobserver.com/…
- 🇪🇺 A court in Austria has found that, as it’s currently deployed, Google Analytics breaches the GDPR, and is hence not legally usable within the EU. There are similar cases pending in other European courts; if they go the same way, enforcement is likely, and Google may finally be forced to allow customers to choose where their data is stored — tutanota.com/…
- Mozilla is partnering with journalists at The Markup to run the Facebook Pixel Hunt, a study to track Facebook’s tracking — rally.mozilla.org/…
- 🇩🇪 Adblocking Does Not Constitute Copyright Infringement, Court Rules — torrentfreak.com/…
- 🇺🇸 Congress Introduces ‘TLDR’ Bill to Combat Confusing Terms of Service — www.macobserver.com/… (Editorial by Bart: it would be really nice if this became law, and was adopted in other countries too. Also, top-marks for a world-class backronym: ‘Terms Of Service Labeling, Design, and Readability Act’)
- Mac Security Tools Company ‘Objective-See’ Goes Non-Profit — www.macobserver.com/… (This is Patrick Wardle’s company)
Excellent Explainers
- A nice breakdown of what Apple’s Legacy Contacts feature does and doesn’t allow access to — www.imore.com/…
- 🎧 A good explanation of why many period trackers violate user privacy for profit: Short Wave: When Tracking Your Period Lets Companies Track You — overcast.fm/… (Also, Shortwave is an excellent short daily science podcast I highly recommend)
- An actively maintained list of known Pegasus spyware victims — www.haaretz.com/…
Interesting Insights
- Some worthy reads on the current AirTags panic
- Blockchain-based systems are not what they say they are — blog.mollywhite.net/…
Palate Cleansers
- 🎦 A physicist on TikTok explains how gravity is the weakest of the forces. Shared by Allison, and worth following @evanthorizon: www.tiktok.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |