WebProNews

Tag: Zach Edwards

  • TikTok Under Fire for Potential Keylogging, Some Say Concern Is Overblown

    A security researcher has called out TikTok for inserting code in its in-app browser that could be used to log keystrokes, but not everyone is convinced.

    TikTok is frequently in the news over concerns with its handling of user data and how much influence — and access to that data — Beijing has. In the latest round of concerns, security researcher Felix Krause has highlighted the dangers of apps that have their own in-app web browsers, including TikTok.

    According to Krause, TikTok’s in-app browser injects JavaScript into third-party websites when a user opens them from within the app. Injected code runs with the same access to the page as the site’s own scripts, so it can be used for a variety of purposes, including logging keystrokes and collecting sensitive information the user types.

    Krause acknowledges that he cannot say for sure what TikTok does with the JavaScript it inserts:

    We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.
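    The “subscription” Krause refers to is an event listener. The following is an added illustration, not TikTok’s or Krause’s code: it models what a keystroke subscription injected into a third-party page looks like, and an audit hook a page can install to record which event types later-running code subscribes to. It runs under Node 15 or later, whose built-in EventTarget and Event stand in for `document` and KeyboardEvent; the function names and the typed input are constructed for the example.

```javascript
// Added illustration, not TikTok's or Krause's code. It models two things
// from the article: (1) a script injected into a third-party page that
// subscribes to keyboard events, which is all that is technically needed to
// observe what a user types; (2) an audit hook a page can install to record
// which event types later-running code subscribes to. Runs under Node 15+,
// whose EventTarget/Event stand in for `document` and KeyboardEvent.

const KEYBOARD_EVENT_TYPES = new Set(["keydown", "keypress", "keyup", "input", "beforeinput"]);

// (2) Audit hook: shadow addEventListener on the target so that every later
// registration through it is logged. This only sees registrations made via
// this method after the hook is installed; code that runs earlier, or that
// calls EventTarget.prototype.addEventListener.call(target, ...) directly,
// bypasses it. The hook is a check, not a guarantee.
function installListenerAudit(target) {
  const native = EventTarget.prototype.addEventListener;
  const log = [];
  target.addEventListener = function (type, listener, options) {
    log.push({ type, keyboard: KEYBOARD_EVENT_TYPES.has(type) });
    return native.call(this, type, listener, options);
  };
  return log;
}

// (1) What an injected keystroke subscription looks like. The hypothetical
// collector keeps the keys in a buffer; a real one would post them to a
// server. Nothing here requires access to the page's own scripts or DOM.
function injectKeystrokeSubscription(page) {
  const buffer = [];
  page.addEventListener("keypress", (ev) => {
    buffer.push(ev.key);
  });
  return buffer;
}

// Minimal stand-in for KeyboardEvent, which Node does not provide.
class KeyEvent extends Event {
  constructor(type, key) {
    super(type);
    this.key = key;
  }
}

// Simulation: the page installs its audit, the in-app browser injects its
// script, the user types into a field. Returns what each side ends up with.
function simulate(typed) {
  const page = new EventTarget(); // stands in for `document`
  const auditLog = installListenerAudit(page);
  const captured = injectKeystrokeSubscription(page);
  // The page's own, benign listener: should not be flagged as keyboard-related.
  page.addEventListener("click", () => {});
  for (const ch of typed) page.dispatchEvent(new KeyEvent("keypress", ch));
  return {
    captured: captured.join(""),
    keyboardSubscriptions: auditLog.filter((e) => e.keyboard).map((e) => e.type),
    totalSubscriptions: auditLog.length,
  };
}

console.log(simulate("hunter2")); // constructed input, not a real capture
```

    The audit log shows exactly what Krause could show: that a keyboard subscription exists. It cannot show where the captured keys go, which is the gap TikTok’s statement relies on. A page also cannot guarantee that its hook runs before an in-app browser’s injected script, so treat such an audit as evidence-gathering rather than protection.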


    Zach Edwards, the security researcher who discovered that DuckDuckGo was not blocking some Microsoft trackers before the company fixed the issue, pointed out the danger of conflating what the injected code could do with what it is actually doing.

    TikTok sent the following statement to Motherboard, strongly denying Krause’s implication:

    The report’s conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.

    Whether TikTok actually collects what people type in its in-app browser cannot be settled from outside the company: the injected event subscription is visible to anyone who inspects the page, but what the app does with the events it receives is not. Collecting that data would likely be the smoking gun regulators would need to crack down on the service. Given how high the stakes are and the lack of any evidence, it seems unlikely that TikTok is guilty of this particular offense.

    At the same time, TikTok remains one of the most controversial apps or services available, with more than its fair share of privacy issues. That alone will make it hard for some people to believe the company isn’t guilty.

  • Researcher Discovers DuckDuckGo Allows Some Microsoft Trackers

    DuckDuckGo is receiving criticism for the terms of a deal with Microsoft that has resulted in some Microsoft trackers being whitelisted.

    DDG has made a name for itself as a privacy-first company, building a search engine, browser extensions, and web browsers around the premise of protecting user privacy. The company is one of the few that truly makes an effort to protect user privacy and data. Unfortunately, its terms with Microsoft have caused some concern.

    Unlike Google, Bing, or Brave, DDG gets its search results from other engines, with the bulk of them coming from Bing. The company has long claimed to strip out trackers from the search results it provides, although clicking an ad from Microsoft in the search results is handled differently. DDG has never made a secret of the fact that clicking on those ads sends a user’s IP address to Microsoft, since the user is leaving DDG and entering Microsoft’s space.

    Unfortunately, DDG had not been able to disclose the terms of the deal that whitelisted some Microsoft trackers, due to a confidentiality clause in the agreement between the two companies. Security researcher Zach Edwards first made the discovery and tweeted about it:

    Sometimes you find something so disturbing during an audit, you’ve gotta check/recheck because you assume that *something* must be broken in the test. But I’m confident now. The new @DuckDuckGo browsers for iOS/Android don’t block Microsoft data flows, for LinkedIn or Bing.

    — Zach Edwards (@thezedwards), May 23, 2022

    Ironically, DDG does not block Microsoft’s trackers even on Workplace.com, a Facebook-owned domain on which it advertises blocking Facebook’s own trackers.

    Needless to say, DDG CEO Gabriel Weinberg is doing his best to put out the fire:

    We’ve been working tirelessly behind the scenes to change these requirements, though our syndication agreement also has a confidentiality provision that prevents disclosing details. Again, we expect to have an update soon that will include more third-party Microsoft protection.

    — Gabriel Weinberg (@yegg), May 23, 2022

    Of course, Weinberg might not have to put out so big a fire if his company had disclosed this issue first, rather than waiting until it was uncovered by a security researcher.

    In the meantime, Shivan Kaul Sahib, a privacy engineer at Brave, highlighted the inherent conflict of interest for a privacy company that depends on the good graces of another company that makes its money from ad tracking.

    This is shocking. DuckDuckGo has a search deal with Microsoft which prevents them from blocking MS trackers. And they can’t talk about it! This is why privacy products that are beholden to giant corporations can never deliver true privacy; the business model just doesn’t work.

    — Shivan Kaul Sahib (@shivan_kaul), May 23, 2022

    Speaking of Brave, the company is one of the few on the market providing a truly independent alternative to Google and Bing. It bought Tailcat, which allowed it to build its own search engine on an independent web index, so it is not beholden to Microsoft, Google, or any other company for its results.

    With a privacy-focused browser and a truly independent search engine, Brave is quickly establishing itself as a much better privacy solution than DDG.

    In the meantime, here is a statement from Weinberg that was provided to WPN:

    “We have always been extremely careful to never promise anonymity when browsing, because that frankly isn’t possible given how quickly trackers change how they work to evade protections and the tools we currently offer. When most other browsers on the market talk about tracking protection they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft. 

    What we’re talking about here is an above-and-beyond protection that most browsers don’t even attempt to do — that is, blocking third-party tracking scripts before they load on 3rd party websites. Because we’re doing this where we can, users are still getting significantly more privacy protection with DuckDuckGo than they would using Safari, Firefox and other browsers. This blog post we published gets into the real benefits users enjoy from this approach, like faster load times (46% average decrease) and less data transferred (34% average decrease). Our goal has always been to provide the most privacy we can in one download, by default without any complicated settings.” 

    “I understand this is all rather confusing because it is a search syndication contract that is preventing us from doing a non-search thing. That’s because our product is a bundle of multiple privacy protections, and this is a distribution requirement imposed on us as part of the search syndication agreement that helps us privately use some Bing results to provide you with better private search results overall. While a lot of what you see on our results page privately incorporates content from other sources, including our own indexes (e.g., Wikipedia, Local listings, Sports, etc.), we source most of our traditional links and images privately from Bing (though because of other search technology our link and image results still may look different). Really only two companies (Google and Microsoft) have a high-quality global web link index (because I believe it costs upwards of a billion dollars a year to do), and so literally every other global search engine needs to bootstrap with one or both of them to provide a mainstream search product. The same is true for maps btw — only the biggest companies can similarly afford to put satellites up and send ground cars to take streetview pictures of every neighborhood.

    Anyway, I hope this provides some helpful context. Taking a step back, I know our product is not perfect and will never be. Nothing can provide 100% protection. And we face many constraints: platform constraints (we can’t offer all protections on every platform due to limited APIs or other restrictions), limited contractual constraints (like in this case), breakage constraints (blocking some things totally breaks web experiences), and of course the evolving tracking arms race that we constantly work to keep ahead of. That’s why we have always been extremely careful to never promise anonymity when browsing outside our search engine, because that frankly isn’t possible. We’re also working on updates to our app store descriptions to make this more clear. Holistically though I believe what we offer is the best thing out there for mainstream users who want simple privacy protection without breaking things, and that is our product vision.”

    Updated 5/25/22: Edited for clarity and to add Gabriel Weinberg’s statement.
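    The protection Weinberg describes above, blocking third-party tracking scripts before they load, and the exemption Edwards’s audit surfaced, come down to one decision per request. The following is an added model of that decision, not DuckDuckGo’s code: the tracker list, the contractual exemption list, the public-suffix sample and the request log are all constructed for the example, and the function names are hypothetical. It runs under Node with no dependencies.

```javascript
// Added model, not DuckDuckGo's code, of the decision behind "blocking
// third-party tracking scripts before they load", with a contractual
// exemption list of the kind the article reports. The tracker list, the
// exemption list and the public-suffix sample are all constructed here.

// Constructed subset of the Public Suffix List. A real blocker ships the
// full list; without "co.uk" here, a.co.uk and b.co.uk would be treated as
// one site, "co.uk".
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk"]);

// Registrable domain (eTLD+1): the label in front of the longest matching
// public suffix. First- vs third-party is decided on this, not on the full
// hostname, so static.workplace.com is first-party on www.workplace.com.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return labels.join(".");
}

// Constructed lists. bing.com and linkedin.com are Microsoft-owned; the
// tweet above names both as data flows the browsers did not block.
const TRACKER_DOMAINS = new Set(["facebook.net", "doubleclick.net", "bing.com", "linkedin.com"]);
const CONTRACTUAL_EXEMPTIONS = new Set(["bing.com", "linkedin.com"]); // hypothetical

// Decide whether a request made from pageUrl should be blocked before it
// loads. `exemptions` lets the caller model the contract being renegotiated.
function decide(pageUrl, requestUrl, exemptions = CONTRACTUAL_EXEMPTIONS) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const reqSite = registrableDomain(new URL(requestUrl).hostname);
  if (pageSite === reqSite) return { action: "allow", reason: "first-party", site: reqSite };
  if (!TRACKER_DOMAINS.has(reqSite)) return { action: "allow", reason: "third-party, not a known tracker", site: reqSite };
  if (exemptions.has(reqSite)) return { action: "allow", reason: "known tracker, exempted by contract", site: reqSite };
  return { action: "block", reason: "known third-party tracker", site: reqSite };
}

// Audit of the kind the tweet describes: given the requests a page makes,
// list which known trackers were blocked and which got through on exemption.
function auditPage(pageUrl, requestUrls, exemptions = CONTRACTUAL_EXEMPTIONS) {
  const blocked = new Set();
  const leaked = new Set();
  for (const u of requestUrls) {
    const d = decide(pageUrl, u, exemptions);
    if (d.action === "block") blocked.add(d.site);
    else if (d.reason.startsWith("known tracker")) leaked.add(d.site);
  }
  return { blocked: [...blocked].sort(), leaked: [...leaked].sort() };
}

// Constructed request log for a page on the Facebook-owned workplace.com.
const SAMPLE_REQUESTS = [
  "https://static.workplace.com/app.js",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://bat.bing.com/bat.js",
  "https://px.ads.linkedin.com/collect",
  "https://cdn.example.org/lib.js",
];
console.log(auditPage("https://www.workplace.com/", SAMPLE_REQUESTS));
console.log(auditPage("https://www.workplace.com/", SAMPLE_REQUESTS, new Set())); // exemption removed
```

    Two points the model makes concrete. The exemption check sits after the tracker match, so an exempted domain is still recognised as a tracker and simply let through, which is why an audit like Edwards’s can see the leak even though the browser reports blocking. And first-party status is decided on the registrable domain, so a tracker served from the visited site’s own subdomain is never a candidate for blocking in this scheme at all, which is the “first-party cookie” limit Weinberg’s statement gestures at.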

  • Walgreens Exposed COVID Testing Data, Refused to Fix Issue

    In a shocking display of negligence and incompetence, Walgreens left COVID testing data exposed and refused to fix the issue when notified.

    Walgreens quickly emerged as one of the most popular places for individuals to get tested for COVID-19, even touting itself as “a vital partner in testing and community education.” Individuals could register online, take the test through the company’s drive-thru and receive the results via email.

    Unfortunately, according to Recode, Walgreens left the data on the open web, where virtually anyone could gain access to it. The data included name, address, email address, gender, date of birth and phone number of those who were tested. In some cases, it was even possible to access test results.

    According to Recode, Alejandro Ruiz, a consultant with Interstitial Technology PBC, found the security issues in March. Ruiz informed Walgreens of the issues, using multiple channels, but the company was not responsive.

    To make matters worse, security experts told Recode the issues were so basic that any company with as large a web presence as Walgreens should have known how to avoid them. Ruiz believes it’s further evidence of Walgreens’ lack of concern.

    “Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” Ruiz said. 

    Recode contacted Walgreens directly and gave them time to fix the vulnerabilities before publication. Shockingly, Walgreens refused to do so.

    “We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate,” the company told Recode.

    As if the lack of security were not worrying enough, researchers found a number of ad trackers attached to the company’s testing confirmation webpages, including trackers from Adobe, Akamai, Dotomi, Facebook, Google, InMoment and Monetate, in addition to data-sharing partners. A tracker loaded on such a page can receive whatever the page exposes to it, such as the URL and its parameters, so its presence on a health appointment flow is a privacy issue in its own right, separate from the access flaw.

    “Just the sheer number of third-party trackers attached to the appointment system is a problem, before you consider the sloppy setup,” Sean O’Brien, founder of Yale’s Privacy Lab, told Recode.

    The other security experts were even more damning in their evaluation of the situation.

    “This is a clear-cut example [of this type of vulnerability], but with Covid data and tons of personally identifiable information,” said Zach Edwards, privacy researcher and founder of the analytics firm Victory Medium. “I’m shocked they are refuting this clear breach.”

    “It’s just another example of a large company that prioritizes its profits over our privacy,” Ruiz said.