Security bugs in popular phone-tracking app iSharing exposed users' precise locations | TechCrunch


Last week when a security researcher said he could easily obtain the precise location from any one of the millions of users of a widely used phone-tracking app, we had to see it for ourselves.

Eric Daigle, a computer science and economics student at the University of British Columbia in Vancouver, found the vulnerabilities in the tracking app iSharing as part of an investigation into the security of location-tracking apps. iSharing is one of the more popular location-tracking apps, claiming more than 35 million users to date.

Daigle said the bugs allowed anyone using the app to access anyone else’s coordinates, even if the user wasn’t actively sharing their location data with anybody else. The bugs also exposed the user’s name, profile photo and the email address and phone number used to log in to the app.

The bugs meant that iSharing’s servers were not properly checking that app users could access only their own location data, or location data that someone else had chosen to share with them.

Location-tracking apps — including stealthy “stalkerware” apps — have a history of security mishaps that risk leaking or exposing users’ precise location.

In this case, it took Daigle only a few seconds to locate this reporter down to a few feet. Using an Android phone with the iSharing app installed and a new user account, we asked the researcher if he could pull our precise location using the bugs.

“770 Broadway in Manhattan?” Daigle responded, along with the precise coordinates of TechCrunch’s office in New York from where the phone was pinging out its location.

The security researcher pulled our precise location data from iSharing’s servers, even though the app was not sharing our location with anybody else. Image Credits: TechCrunch (screenshot)

Daigle shared details of the vulnerability with iSharing some two weeks earlier but had not heard anything back. That’s when Daigle asked TechCrunch for help in contacting the app makers. iSharing fixed the bugs soon after, during or around the weekend of April 20-21.

“We are grateful to the researcher for discovering this issue so we could get ahead of it,” iSharing co-founder Yongjae Chuh told TechCrunch in an email. “Our team is currently planning on working with security professionals to add any necessary security measures to make sure every user’s data is protected.”

iSharing blamed the vulnerability on a feature it calls groups, which allows users to share their location with other users. Chuh told TechCrunch that the company’s logs showed there was no evidence that the bugs were found prior to Daigle’s discovery. Chuh conceded that there “may have been oversight on our end,” because its servers were failing to check if users were allowed to join a group of other users.
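The missing check described above is a server-side authorization failure: a caller could place another user in a group without that user’s consent and then read their location. The following is an added illustration of that bug class beside its fix, using a hypothetical in-memory location-sharing backend; it is not iSharing’s code, and the users, group ids and coordinates are constructed.

```python
"""Hypothetical location-sharing backend (constructed example, not iSharing's code).

Contrasts a group-join handler that never checks whether the target user agreed
to share, with one that requires an invite to be accepted by the target before
any location can be read through the group.
"""

# Constructed sample data: user -> (lat, lon). Values are made up.
LOCATIONS = {"alice": (40.7308, -73.9919), "bob": (51.5074, -0.1278)}
GROUPS = {}    # group_id -> {"owner": str, "members": set of users}
INVITES = {}   # group_id -> set of users invited but not yet accepted


class Forbidden(Exception):
    """Raised by the hardened handlers when the caller is not authorized."""


# --- Vulnerable pattern: the caller decides who is in the group ---------------
def create_group_vuln(actor, group_id, other_user):
    # No consent check: any caller can add any other user to a group it owns.
    GROUPS[group_id] = {"owner": actor, "members": {actor, other_user}}


def get_location_vuln(actor, group_id, target):
    # Membership is "checked", but the caller controlled the member list.
    g = GROUPS[group_id]
    if actor in g["members"] and target in g["members"]:
        return LOCATIONS[target]
    return None


# --- Hardened pattern: membership requires the target's own acceptance -------
def create_group(actor, group_id):
    GROUPS[group_id] = {"owner": actor, "members": {actor}}
    INVITES[group_id] = set()


def invite(actor, group_id, invitee):
    if actor != GROUPS[group_id]["owner"]:
        raise Forbidden("only the group owner may invite")
    INVITES[group_id].add(invitee)  # invited, but not a member yet


def accept_invite(actor, group_id):
    # Only the invited user can turn the invite into membership.
    if actor not in INVITES.get(group_id, set()):
        raise Forbidden("no pending invite for this user")
    INVITES[group_id].discard(actor)
    GROUPS[group_id]["members"].add(actor)


def get_location(actor, group_id, target):
    g = GROUPS.get(group_id)
    # Server-side check: both caller and target must be consenting members.
    if g is None or actor not in g["members"] or target not in g["members"]:
        raise Forbidden("not authorized to view this location")
    return LOCATIONS[target]
```

The point is that the check in `get_location_vuln` is only as good as the data it reads; the fix moves the authorization decision to the moment membership is granted, where the affected user is the one who must act.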

TechCrunch held the publication of this story until Daigle confirmed the fix.

“Finding the initial flaw in total was probably an hour or so from opening the app, figuring out the form of the requests, and seeing that creating a group on another user and joining it worked,” Daigle told TechCrunch.

From there, he spent a few more hours building a proof-of-concept script to demonstrate the security bug.

Daigle, who described the vulnerabilities in more detail on his blog, said he plans to continue research in the stalkerware and location-tracking area.

Meta (again) denies that Netflix read users' private Facebook messages | TechCrunch


Meta is denying that it gave Netflix access to users’ private messages. The claim recently began circulating on X after X owner Elon Musk amplified multiple posts about the matter by replying “Wow” and “Yup.” The claim references a court filing that emerged as part of the discovery process in a class-action lawsuit over data privacy practices between a group of consumers and Facebook’s parent, Meta.

The document alleges that Netflix and Facebook had a “special relationship” and that Facebook even cut spending on original programming for its Facebook Watch video service so as not to compete with Netflix, a large Facebook advertiser. It also says that Netflix had access to Meta’s “Inbox API” that offered the streamer “programmatic access to Facebook’s user’s private message inboxes.”

This is the part of the claim that Musk responded to in posts on X, leading to a chorus of angry replies about how Facebook user data was for sale, so to speak.

Meta, for its part, is denying the accuracy of the document’s claims.

Meta’s communications director, Andy Stone, reposted the original X post on Tuesday with a statement disputing that Netflix had been given access to users’ private messages.

“Shockingly untrue,” Stone wrote on X. “Meta didn’t share people’s private messages with Netflix. The agreement allowed people to message their friends on Facebook about what they were watching on Netflix, directly from the Netflix app. Such agreements are commonplace in the industry.”

In other words, Meta is claiming that Netflix did have programmatic access to users’ inboxes, but did not use that access to read private messages.

Beyond Stone’s X post, Meta has not provided further comment.

However, The New York Times had previously reported in 2018 that Netflix and Spotify could read users’ private messages, according to documents it had obtained. Meta denied those claims at the time via a blog post titled “Facts About Facebook’s Messaging Partnerships,” where it explained that Netflix and Spotify had access to APIs that allowed consumers to message friends about what they were listening to on Spotify or watching on Netflix directly from those companies’ respective apps. This required the companies to have “write access” to compose messages to friends, “read access” to allow users to read messages back from friends, and “delete access,” which meant if you deleted a message from the third-party app, it would also delete the message from Facebook.

“No third party was reading your private messages, or writing messages to your friends without your permission. Many news stories imply we were shipping over private messages to partners, which is not correct,” the blog post stated.

In any event, Messenger didn’t implement default end-to-end encryption until December 2023, a practice that would have made these sorts of claims a non-starter, as it wouldn’t have left room for doubt. The lack of encrypted communications combined with read/write access to message inboxes means there’s no guarantee that messages were protected, even if that wasn’t the focus of the business arrangement.

While Stone is downplaying Netflix’s ability to snoop on private messages, it’s worth noting that the streamer was provided with a level of access that other companies did not have.

The document claims that Netflix had access to Facebook’s “Titan API,” a private API that had allowed it to integrate with Facebook’s messaging app. In exchange for the Inbox API access, Netflix also agreed to provide the social networking company with a “written report every two weeks” with information about its recommendation sends and recipient clicks and agreed to keep its API agreement confidential.

By 2015, Netflix was spending $40 million on Facebook ads, the document says, and was allowing Netflix user data to be used for Facebook ad targeting and optimization. In 2017, Netflix agreed to spend $150 million on Facebook ads and provide the company with “cross-device intent signals.”

Netflix and Facebook maintained a close relationship, with then-Netflix CEO Reed Hastings (and Facebook board member until April 2019) having direct communications with Facebook (Meta) execs, including CEO Mark Zuckerberg, COO Sheryl Sandberg, Comms VP Elliot Schrage and CTO Andrew Bosworth.

To maintain Netflix’s advertising business, Zuckerberg himself emailed the head of Facebook Watch, Fidji Simo, in May 2018 to tell her that Watch’s budget for originals and sports was being cut by $750 million as the social network exited from competing directly with Netflix. Facebook had been building the Watch business for two years and had only introduced the Watch tab in the U.S. in August 2017.

Elsewhere in the filing, Meta details how it snooped on Snapchat traffic in secret, among other things.
