
Twitter fined $150M for selling user data

According to a court complaint filed by the U.S. Department of Justice (DoJ), “While Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences.” The document lists the offenses as occurring between May 2013 and September 2019. In addition to imposing the $150 million penalty, the settlement requires the company to improve its compliance practices. Avast Security Evangelist Luis Corrons commented that this was a well-deserved fine. “Violating users’ privacy in such a way is outrageous,” he said. “If Twitter has behaved the same way with all its users, it could be facing fines way higher for violating Europe’s GDPR.” Twitter’s annual revenue is $5 billion, with 90% of the money coming from advertisers. For more on this story, see The Guardian.

No end in sight for chip shortage

A computer chip shortage caused by a supply chain disruption is driving manufacturers to come up with creative solutions to keep their businesses afloat. Computer chips have been hard to come by since the pandemic slowed down supply chains. Then the situation was exacerbated by trade tensions between the U.S. and China and the Russian invasion of Ukraine. Car makers are especially limited by the lack of chips, and some have taken to harvesting semiconductors from washing machines as a temporary source. For more, see WIRED.

New WhatsApp account hijacking method discovered

Researchers have found a call forwarding trick that can lead to WhatsApp account takeovers. The ruse depends on social engineering and on several settings already being in place. First, the attacker must use social engineering to convince the victim to make a call to a certain number with a special code, marked with a hash sign or an asterisk, in front of it. That code triggers the victim’s mobile carrier to apply call forwarding to the number that follows. Then the attacker registers WhatsApp using the victim’s information, choosing to receive the one-time passcode via voice call. After getting the passcode, the attacker completes registration of the victim’s account on their own device and sets up two-factor authentication to lock the victim out. For more, see Bleeping Computer.

Amazon moves to web-only purchases for Kindle e-books

Because of Google’s required cut of 15% on all in-app purchases of digital content for apps sold on the Play Store, Amazon has shifted to only selling its Kindle books online and not in-app. In an email, the company explained that users will have to purchase digital content through their web browser and then access the books in their app’s digital library. The email noted that the change was necessary “to remain in compliance with updated Google Play Store policies.” Google said it will remove non-compliant apps from the Play Store starting this week. To learn more, see CNET.

Windows zero-day exploit active for 7 weeks

A critical code vulnerability in all supported versions of Windows has been under active exploit for seven weeks, allowing attackers to install malware on victims’ machines without triggering the systems’ defenses. The flaw stems from the Microsoft Support Diagnostic Tool (MSDT), which is called using the URL protocol from a calling application such as Word. Attackers exploiting the flaw can run arbitrary code that lets them install programs; view, change, or delete data; and create new accounts. Microsoft has not yet issued a patch. In the meantime, it advises users to disable the MSDT URL protocol. To learn how, see Ars Technica.

This week’s must-read on the Avast blog 

It’s time for us to review the annual Verizon Data Breach Investigation Report, a compendium of cybersecurity trends that offers some of the best analyses in our field. Read up to find out more.

*** This is a Security Bloggers Network syndicated blog from blog.avast.com EN authored by Avast Blog. Read the original post at: https://blog.avast.com/twitter-fined-user-data