
Privacy Roundup: Week 5 of Year 2025

This is a news item roundup of privacy or privacy-related news items for 26 JAN 2025 – 1 FEB 2025. Information and summaries provided here are offered as-is, without warranty.

Note: You may see some traditional “security” content mixed in here due to the close relationship between online privacy and cybersecurity – many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of users’ devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or “popular” stories.

Privacy Tip of the Week

Buying something online? Double check you’re not automatically opted in to marketing emails before finalizing your order. Consider using a masked email for your purchase.

Surveillance Tech in the News


This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.

California Law Enforcement Misused State Databases More Than 7,000 Times in 2023

EFF

Of the 7,275 records of violations across California reported to the state’s Department of Justice, 6,789 of the abuse cases were committed by the Los Angeles County Sheriff’s Department (LACSD). These violations specifically concern a rule against searching databases to run background checks for concealed carry firearm permits.

Privacy Tools and Services

Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.

Privacy Tools


Adding more security to Bitwarden user accounts

Bitwarden

Starting in February 2025, for accounts that do not have 2FA enabled, Bitwarden will start sending OTP codes to user emails in the event an unrecognized device logs into the vault.

Privacy Services


A Synchronized Start for Linked Devices

Signal

Signal introduces the ability to sync/transfer messages to other linked devices. The process is end-to-end encrypted.

For privacy: Change of our refund policy from 30 to 14 days

Mullvad

To reduce the retention of user data, Mullvad has changed its refund policy from 30 to 14 days.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.

This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Vulnerabilities


Apple’s latest patch closes zero-day affecting wide swath of products

Cyberscoop

Apple has released iOS 18.3, which comes with numerous security fixes. This includes a fix for a zero-day, tracked as CVE-2025-24085; it is a use-after-free memory vulnerability in CoreMedia. When exploited, it could allow installed malicious applications to elevate their privileges.

iOS 18.3 also enables Apple Intelligence for users by default.

OAuth Flaw Exposed Millions of Airline Users to Account Takeovers

darkreading

A major provider of online travel services, including hotels, car rentals, and flight bookings, had misconfigured its OAuth authentication flow.

This flaw, which allowed attackers to redirect entered credentials to a server under their control, could lead to account takeovers, giving the attacker full access to a victim’s stored information – which for airlines would include personal information alongside rewards and mileage data. It could be exploited by sending users a malicious link that appears to be genuine.

The vulnerability is now fixed as of writing.
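The article does not say which part of the flow was misconfigured, so as an added, defender-side illustration (not code from the article or from the affected provider), the example below assumes the weak spot is validation of the redirect target: a loose check that accepts any URI mentioning the trusted domain, beside a strict exact-match check against the registered callback allowlist. All hostnames, paths and sample requests are constructed for the example.

```python
"""Weak vs strict validation of an OAuth redirect target (constructed example)."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the callback URIs a hypothetical client registered
# with the authorization server. Real servers load this from the client record.
REGISTERED_REDIRECTS = {
    "https://app.example-travel.test/oauth/callback",
    "https://app.example-travel.test/login/complete",
}


def weak_is_allowed(redirect_uri: str) -> bool:
    """Plausible-looking but unsafe: accepts any URI that merely contains
    the trusted domain somewhere in the string."""
    return "example-travel.test" in redirect_uri


def normalize(redirect_uri: str) -> Optional[str]:
    """Reduce a URI to https://host[:port]/path, or return None if it carries
    any feature a registered callback should never need."""
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() != "https":
        return None  # only TLS callbacks are registered
    if parts.username is not None or parts.password is not None:
        return None  # rejects the "trusted-host@attacker-host" form
    if parts.query or parts.fragment:
        return None  # registered entries have neither; treat extras as mismatch
    if not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is not None and port != 443:
        host = f"{host}:{port}"
    return f"https://{host}{parts.path or '/'}"


def strict_is_allowed(redirect_uri: str) -> bool:
    """Exact match of the normalized URI against the registered allowlist."""
    normalized = normalize(redirect_uri)
    return normalized is not None and normalized in REGISTERED_REDIRECTS


def compare(candidates):
    """Map each candidate URI to (weak_verdict, strict_verdict)."""
    return {uri: (weak_is_allowed(uri), strict_is_allowed(uri)) for uri in candidates}


# Constructed sample requests: one legitimate callback followed by lookalikes
# of the kind a deceptive link could carry.
SAMPLE_REDIRECTS = [
    "https://app.example-travel.test/oauth/callback",
    "https://app.example-travel.test.attacker.test/oauth/callback",
    "https://attacker.test/collect?ref=example-travel.test",
    "https://app.example-travel.test@attacker.test/oauth/callback",
    "http://app.example-travel.test/oauth/callback",
]

if __name__ == "__main__":
    for uri, (weak, strict) in compare(SAMPLE_REDIRECTS).items():
        print(f"weak={weak!s:5} strict={strict!s:5} {uri}")
```

Only the first sample passes the strict check; every lookalike passes the weak one. The normalization deliberately lowercases scheme and host but leaves the path case-sensitive, so `HTTPS://APP.EXAMPLE-TRAVEL.TEST/oauth/callback` still matches while `/OAuth/Callback` does not.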

Apple chips can be hacked to leak secrets from Gmail, iCloud, and more

ArsTechnica

Newer Apple chips, which power the latest releases of iPhones and Macs, are vulnerable to side channel attacks. In most cases (including this one), the side channel attacks “attack” a chip’s use of speculative execution. The attack relies on certain conditions being met, such as the user using the precise combination of device/chip/browser to be affected.

Infrastructure Laundering: Blending in with the Cloud

Krebs on Security

This isn’t a vulnerability, but rather an interesting look at how threat actors abuse cloud service providers such as AWS and Microsoft to host their infrastructure – which can include phishing pages, illegal gambling sites, scams, and pages used to serve malware.

Threat Actors Target Public-Facing Apps for Initial Access

Infosecurity Magazine

May be especially relevant for app developers/maintainers and those who self-host on the public cloud. In Q4 of 2024, Cisco Talos observed threat actors increasingly exploiting public-facing web apps and services to gain initial access to a network.

Malware


New Syncjacking attack hijacks devices using Chrome extensions

Bleeping Computer

Syncjacking is a multi-phase attack that originates with the threat actor creating a malicious Google Workspace domain; the threat actor then publishes a seemingly useful (but actually malicious) extension to the Chrome Web Store.

Upon opening a legitimate Google support page, the extension injects content into the page, abusing its read/write permissions. It encourages the user to enter their credentials, and when they do so, all the stored data is accessible to the attacker.

Subsequently, with the profile hijacked, the attackers could then take over the browser using another legitimate link, which turns malicious because of the read/write capability (and thus, content injection) of the installed extension. With the browser compromised, attackers could then abuse Chrome’s Native Messaging API to communicate with the operating system.

WhatsApp says it disrupted a hacking campaign targeting journalists with Paragon spyware

TechCrunch

Meta (who owns WhatsApp) disrupted a hacking campaign targeting approximately 90 users – most of them being journalists. The hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets with Paragon spyware.

While this campaign was extremely targeted, I included it because it highlights the importance of vigilance when using messaging platforms; users should exercise caution when sent unsolicited links or attachments.

North Koreans clone open source projects to plant backdoors, steal credentials

The Register

A large-scale supply chain attack by North Korean APT group “Lazarus” involved cloning legitimate…

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/privacy-week5-2025