Category Archives: Social Networks

Twitter will allow using the SMS-based two-factor authentication (2FA) only to its Blue subscribers

Twitter has announced that the platform will allow only its Blue subscribers to use SMS-based two-factor authentication (2FA).

To date, Twitter has offered three 2FA methods: text message, authentication app, and security key. However, the company has announced that it will limit SMS-based two-factor authentication (2FA) to its Blue subscribers.

The company presents the move as a response to the abuse of this authentication method by threat actors.

“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors.” reads the post published by the social media and social networking service. “So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.”

Non-Twitter Blue subscribers who are using the text message/SMS method of 2FA will have 30 days to enroll in another authentication method.

“After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method.” continues the statement. “At that time, accounts with text message 2FA still enabled will have it disabled. Disabling text message 2FA does not automatically disassociate your phone number from your Twitter account.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, authentication)

Twitter restricted in Turkey after the earthquake amid disinformation fear

Global internet monitor NetBlocks reported that Twitter has been restricted in Turkey in the aftermath of the earthquake.

Global internet monitor NetBlocks reported that network data confirm that Twitter has been restricted in Turkey in the aftermath of the earthquake.

The data show that multiple internet providers in Turkey blocked the popular platform as of Wednesday 8 February 2023. TurkTelekom and Turkcell completely blocked access to Twitter, while Vodafone still allowed slower access, the Balkaninsight website reported. NetBlocks metrics confirm that Twitter was restricted by “means of SNI filtering on major internet providers.”

The decision of the government to block Twitter followed growing public anger towards the Turkish government’s response to the devastating earthquakes.

Turkish authorities raised concerns that online disinformation could destabilize the political context in the country while it responds to this emergency.

“Network data confirm the restriction of Twitter on multiple internet providers in Turkey as of Wednesday 8 February 2023.” reported Netblocks. “Service was restored the next morning after state media reported that Turkish authorities had held a meeting with Twitter’s head of policy on disinformation and the need for content takedowns.”

However, people in the country can use VPN services to circumvent the censorship measures. Twitter remains a crucial source of information for relatives of victims, survivors, and rescuers.

It is important to highlight that natural disasters usually have a significant impact on internet connectivity. NetBlocks reported similar problems in Turkey after the earthquake, as shown in the following tweet from the organization:

The use of internet filtering in the aftermath of an earthquake is absurd, given its impact on a population facing a tragic situation.

This isn’t the first time that the government restricted access to social media following events like terror attacks and protests.

Pierluigi Paganini

(SecurityAffairs – hacking, Turkey)

Researcher received a $27,000 bounty for 2FA bypass bug in Facebook and Instagram

A researcher disclosed technical details of a two-factor authentication bypass vulnerability affecting Instagram and Facebook.

The researcher Gtm Manoz received a $27,000 bug bounty for having reported a two-factor authentication bypass vulnerability affecting Instagram and Facebook.

The flaw resides in a component used by the parent company Meta to confirm a phone number or email address. The researcher noticed that the component did not implement any rate limiting, which allowed him to bypass two-factor authentication on Facebook by confirming the targeted user’s already-confirmed Facebook mobile number through the Meta Accounts Center.

Manoz reported the flaw to Meta in September 2022, and the IT giant addressed it in October 2022.

“2FA Bypass – We also fixed a bug reported by Gtm Mänôz of Nepal, which could have allowed an attacker to bypass SMS-based 2FA by exploiting a rate-limiting issue to brute force the verification pin required to confirm someone’s phone number. We awarded a $27,200 bounty for this report.” reads the bug bounty program report published by Meta.

The researcher noticed that the personal details section of the Meta Accounts Center allows users to add an email address and phone number to both their Instagram account and the linked Facebook account, and that each contact point is verified with a 6-digit code sent by email or SMS. Mänôz noticed the lack of rate-limit protection, which allowed anyone to confirm an unknown or already-registered email address or phone number on both Instagram and the linked Facebook account.

The issue allowed an attacker who knew the phone number associated with the victim’s Instagram and Facebook accounts to brute force the 6-digit code and then use it to assign the victim’s phone number to an account under the attacker’s control.

“While adding contact points (email/phone), it will make a POST request to the /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.add.async/ endpoint to request the server to send a 6-digit code for verification.” reads the post published by the researcher.

“Now, enter any random 6-digit code and intercept the request using a web proxy such as Burp Suite.”

“Then, send the above request to Intruder and insert the $$ placeholder in the pin_code value in order to brute force the confirmation code.”

“Since there was no rate-limit protection at all in this /api/v1/bloks/apps/com.bloks.www.fx.settings.contact_point.verify.async/ endpoint, anyone could bypass the contact point verification.”

Once the victim’s phone number is unlinked from their Facebook and Instagram accounts, 2FA is disabled for security reasons.

“And, if the phone number was partially confirmed, meaning it was only used for 2FA, it will revoke the 2FA and the phone number will also be removed from the victim’s account.” concludes the report. “Since the endpoint verifying both the contact points (email/phone) in Instagram and linked Facebook accounts was the same, I was able to bypass both unknown and already registered contact point (email/phone) verification in Instagram and Facebook (unable to add an already existing email in FB).”
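The following is an added example, not Meta’s code or the researcher’s: a minimal model of a contact-point verification endpoint that checks the same kind of 6-digit code, with and without a per-code attempt limit, plus a harness that counts how many requests the endpoint accepts before it either confirms the code or burns it. The class and function names, the attempt limit and the sample phone number are assumptions.

```python
import hmac
import secrets
import time

CODE_LEN = 6  # the verification pin is a 6-digit number, as in the report


class ContactVerifier:
    """Verifies the code sent when a user adds an email/phone contact point.

    max_attempts=None models the unprotected endpoint described in the report
    (no rate limit at all); a small integer models the hardened version, where
    the pending code is invalidated after that many wrong guesses.
    """

    def __init__(self, max_attempts=5, code_ttl=600,
                 clock=time.time, randbelow=secrets.randbelow):
        self.max_attempts = max_attempts
        self.code_ttl = code_ttl          # seconds a code stays valid
        self._clock = clock               # injectable for tests
        self._randbelow = randbelow       # injectable for deterministic tests
        self._pending = {}                # contact -> [code, issued_at, failures]

    def issue_code(self, contact):
        """Generate a fresh code for this contact point (replaces any pending one)."""
        code = f"{self._randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self._pending[contact] = [code, self._clock(), 0]
        return code  # a real service sends this by SMS/email, never to the API caller

    def verify(self, contact, candidate):
        """Check a submitted code.

        Returns one of: no_pending_code, expired, locked, invalid, verified.
        """
        entry = self._pending.get(contact)
        if entry is None:
            return "no_pending_code"
        code, issued_at, failures = entry
        if self._clock() - issued_at > self.code_ttl:
            del self._pending[contact]
            return "expired"
        if self.max_attempts is not None and failures >= self.max_attempts:
            # Burn the code: the caller must request a new one, which is the
            # point where per-account and per-source throttling must also apply.
            del self._pending[contact]
            return "locked"
        if hmac.compare_digest(code, candidate):  # constant-time comparison
            del self._pending[contact]
            return "verified"
        entry[2] += 1
        return "invalid"


def exhaustive_guess(verifier, contact):
    """Test harness: submit 000000..999999 in order and report how the endpoint responds.

    Returns (final_result, number_of_requests). The unprotected endpoint eventually
    answers 'verified'; the hardened one answers 'locked' after max_attempts + 1 requests.
    """
    for n in range(10 ** CODE_LEN):
        result = verifier.verify(contact, f"{n:0{CODE_LEN}d}")
        if result != "invalid":
            return result, n + 1
    return "invalid", 10 ** CODE_LEN


if __name__ == "__main__":
    contact = "+15555550100"  # constructed sample phone number
    unprotected = ContactVerifier(max_attempts=None, randbelow=lambda n: 123456)
    unprotected.issue_code(contact)
    print("no rate limit:", exhaustive_guess(unprotected, contact))    # ('verified', 123457)

    hardened = ContactVerifier(max_attempts=5, randbelow=lambda n: 123456)
    hardened.issue_code(contact)
    print("5 attempts per code:", exhaustive_guess(hardened, contact))  # ('locked', 6)
```

A per-code attempt counter is only one layer: the code-issuance endpoint itself needs per-account and per-source throttling, otherwise a client can simply request a fresh code every few guesses.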

Meta awarded $27,000 bounty for this flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

Meta Platforms expands features for E2EE on Messenger App

Meta Platforms announced the implementation of more features in its end-to-end encrypted Messenger app.

Meta Platforms has started gradually expanding its testing of default end-to-end encryption for Messenger.

The company announced that over the next few months, its users will continue to see some of their chats gradually being upgraded with end-to-end encryption.

“We will notify people in these individual chat threads as they are upgraded. We know people will have questions about how we select and upgrade individual threads, so we wanted to make clear that this is a random process.” reads the announcement.

Meta Platforms pointed out that the process of choosing the users and upgrading the conversations to support E2EE is random to prevent a negative impact on company infrastructure and people’s chat experience.

The IT giant also announced that it has brought some Messenger features to end-to-end encrypted chats, including themes, custom emojis and reactions, group profile photos, link previews, active status, and bubbles on Android.

“Building a secure and resilient end-to-end encrypted service for the billions of messages that are sent on Messenger every day requires careful testing. We’ll provide updates as we continue to make progress towards this goal over the course of 2023.” concludes the announcement.

The expansion of features for E2EE on the Messenger app is good news for users; however, it is important to understand how the company manages metadata.

Metadata includes a lot of information that can be used to track users’ habits and more; for this reason it is essential to extend the protection to metadata as well.

Pierluigi Paganini

(SecurityAffairs – hacking, Meta)

The Irish DPC fined WhatsApp €5.5M for violating GDPR

The Irish Data Protection Commission (DPC) fined Meta’s WhatsApp €5.5 million for violating data protection laws.

The popular messaging app WhatsApp has been fined €5.5m by the Irish Data Protection Commission (DPC) for violating the General Data Protection Regulation (GDPR).

The DPC has given the Meta-owned company six months to bring its data processing operations into compliance with the privacy regulation.

“The Data Protection Commission (“DPC”) has today announced the conclusion of an inquiry into the processing carried out by WhatsApp Ireland Limited (“WhatsApp Ireland”) in connection with the delivery of its WhatsApp service, in which it has fined WhatsApp Ireland €5.5 million (for breaches of the GDPR relating to its service).” reads the DPC’s announcement. “WhatsApp Ireland has also been directed to bring its data processing operations into compliance within a period of six months.”

In May 2018, ahead of the adoption of the GDPR, WhatsApp updated its Terms of Service, requiring users to agree to the revised terms in order to continue using the messaging app.

The inquiry concerned a complaint filed by the non-profit organization NOYB – European Center for Digital Rights on 25 May, 2018.

The Irish regulator pointed out that by making access to its services conditional on users accepting the updated Terms of Service, WhatsApp Ireland forced them to consent to the processing of their personal data. The company claimed that the updates aimed at improving the security of the service, but it clearly breached the GDPR.

The company was not transparent about which processing operations were being carried out on users’ personal data. According to the DPC, this lack of transparency contravened Articles 12 and 13(1)(c) of the GDPR.

“The final decision adopted by the DPC on 12 January 2023 reflects the EDPB’s binding determination, as set out above.” continues the announcement. “Accordingly, the DPC’s decision includes findings that WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security (excluding what the EDPB terms as “IT security”) for the WhatsApp service, and that its processing of this data to-date, in purported reliance on the contract legal basis, amounts to a contravention of Article 6(1) of the GDPR.”

WhatsApp announced that it will appeal the fine.

“We strongly believe that the way the service operates is both technically and legally compliant,” a WhatsApp spokesperson said. “We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service.”

In a post published by NOYB, the organization claims that WhatsApp does not encrypt metadata and shares it with Facebook and Instagram, which use this information to customize ads.

The organization pointed out that metadata can be used to learn the communication behaviour of users, including who communicates with whom and when, who uses the app when, for how long and how often.

“While the communication itself is encrypted, the phone numbers and associated Facebook or Instagram accounts of people are collected. Such information can then be used to personalize ads for users on other Meta platforms like Facebook and Instagram. The DPC seems to have refused to investigate this core matter of the complaints.” reads the post published by Noyb.

The bad news is that the DPC does not plan to open an investigation into whether WhatsApp processes user metadata for advertising.

“WhatsApp says it’s encrypted, but this is only true for the content of chats – not the metadata. WhatsApp still knows who you chat with most and at what time. This allows Meta to get a very close understanding of the social fabric around you.” explained NOYB founder, Max Schrems. “Meta uses this information to, for example, target ads that friends were already interested in. It seems the DPC has now simply refused to decide on this matter, despite 4.5 years of investigations.”

Early this year, the Data Protection Commission (DPC) concluded two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) over the delivery of its Facebook and Instagram services.

DPC fined Meta Platforms a total of €390 million (roughly $414 million).

The inquiries were related to Facebook and Instagram services; one complaint was made by an Austrian data subject and was related to the data processing operations of Facebook, and the second one was made by a Belgian data subject in relation to Instagram.

Both complaints were made on the date on which the GDPR came into operation, on 25 May 2018.

In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services.

The DPC has now imposed fines of more than €1.3bn on Meta, Instagram and WhatsApp.

November 2022 – Irish data protection commission (DPC) fined Meta $414 million for not protecting Facebook’s users’ data from scraping.

September 2022 – The Irish Data Protection Commission has fined Instagram €405 million for violations of the General Data Protection Regulation.

September 2021 – The Irish Data Protection Commission has fined WhatsApp €225 million over data sharing transparency for European Union users’ data with Facebook.

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

Twitter: 200M dataset was not obtained through the exploitation of flaws in its systems

Twitter said that its investigation revealed that users’ data offered for sale online was not obtained from its systems.

Twitter provided an update on the investigation it launched after data of 200 million users were offered for sale online. The company found “no evidence” that the data were obtained by hacking into its systems.

Below are the key findings that emerged from the investigation:

  • The 5.4 million user accounts reported in November were the same ones exposed in August 2022.
  • The 400 million records exposed in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident.
  • The 200 million-record dataset could not be correlated with the previously reported incident, and the data were not obtained through the exploitation of flaws in Twitter systems.
  • The 400 million and 200 million datasets were the same; the second was derived from the first by removing duplicate entries.
  • None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.

The company pointed out that the huge trove of data is likely part of a publicly available dataset compiled from different sources.

“Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” reads the update provided by the company. “The data is likely a collection of data already publicly available online through different sources.”

Alon Gal, Co-Founder & CTO at Hudson Rock, doesn’t agree with Twitter’s statement and confirmed the authenticity of the leak.

“Yesterday Twitter posted a statement on the recent 200,000,000 data breach. Having discussed it with other security professionals and conducting my own research around it, I believe that my previous assessment is still valid.” said Gal. “For example, the authenticity of the leak is evident in the lack of false positives between Twitter usernames and emails found in the database, opposite to cases of data enrichments.”

Pierluigi Paganini

(SecurityAffairs – hacking, Twitter)

Irish Data Protection Commission fined Meta $414 Million

The Irish Data Protection Commission (DPC) fined Meta Platforms €390 million over data processing operations for the delivery of its services.

The Data Protection Commission (DPC) concluded two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) over the delivery of its Facebook and Instagram services.

DPC fined Meta Platforms a total of €390 million (roughly $414 million).

“Final decisions have now been made by the DPC in which it has fined Meta Ireland €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service).” reads the announcement published by DPC. “Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months.”

The inquiries were related to Facebook and Instagram services; one complaint was made by an Austrian data subject and was related to the data processing operations of Facebook, and the second one was made by a Belgian data subject in relation to Instagram.

Both complaints were made on the date on which the GDPR came into operation, on 25 May 2018.

In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services.

Meta Ireland considered that, by accepting the updated Terms of Service, users gave the company consent to process their data to deliver its Facebook and Instagram services, including the provision of personalised services and behavioural advertising.

“Following a consultation process, it became clear that a consensus could not be reached. Consistent with its obligations under the GDPR, the DPC next referred the points in dispute to the European Data Protection Board (“the EDPB”).” continues the DPC. “The final decisions adopted by the DPC on 31 December 2022 reflect the EDPB’s binding determinations as set out above. Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.”

The fine will have a severe impact on the ad revenue of the social media giant. Meta believes its approach is compliant with the EU GDPR and announced that it will appeal the DPC’s findings.

“It’s important to note that these decisions do not prevent personalised advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.” states Meta. “The decisions also do not mandate the use of Consent – another available legal basis under GDPR – for this processing.”

“That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision.” Meta added.

Pierluigi Paganini

(SecurityAffairs – hacking, Meta)

Facebook (Meta) to settle Cambridge Analytica data leak for $725M

Facebook (Meta) has agreed to pay $725 million to settle the class-action lawsuit filed in 2018 over the Cambridge Analytica data leak.

Facebook (Meta) has agreed to pay $725 million to settle a class-action lawsuit filed in 2018 over the Cambridge Analytica data leak.

According to Reuters, the lawyers for the plaintiffs defined the proposed settlement as the largest to ever be achieved in a U.S. data privacy class action.

“This historic settlement will provide meaningful relief to the class in this complex and novel privacy case,” the lead lawyers for the plaintiffs, Derek Loeser and Lesley Weaver, said in a joint statement.

The proposed settlement has to be approved by a federal judge in the San Francisco division of the U.S. District Court.

“Over the last three years we revamped our approach to privacy and implemented a comprehensive privacy program,” reads a statement issued by Meta.

In the Cambridge Analytica privacy scandal, the company allowed access to the personal data of around 87 million Facebook users without their explicit consent.

The way Facebook managed user data violated a 2011 privacy settlement with the FTC. At the time, Facebook was accused of deceiving people about how the social network giant handled their data, and the FTC settlement obliged the company to review its privacy practices. In 2019, Facebook agreed to pay a $5 billion fine to settle the investigation conducted by the United States Federal Trade Commission (FTC) over the Cambridge Analytica scandal.

In March 2018, it was publicly revealed that a team of academics had collected a huge amount of user data and shared the information with Cambridge Analytica, which was a commercial data analytics company that allegedly used it to target US voters in the 2016 Presidential election.

The researchers used an app developed by the University of Cambridge psychology lecturer Dr. Aleksandr Kogan to collect user data.

The app, named “thisisyourdigitallife”, had been available to users since 2014; it was provided by Global Science Research (GSR) and asked users to take an online survey for $1 or $2. The app requested access to the user’s profile information, and over 270,000 users gave the app permission to use their personal details for academic research.

The app was a powerful tool for profiling users because it harvested information on their network of contacts; its code allowed it to collect data from over 87 million users.

Back to the $725 million settlement: Reuters reported that the plaintiffs plan to ask the judge to award them up to 25% of the settlement as attorneys’ fees, roughly $181 million.

Pierluigi Paganini

(SecurityAffairs – hacking, Meta)

TikTok parent company ByteDance revealed the use of TikTok data to track journalists

ByteDance admitted that its employees accessed TikTok data to track journalists to identify the source of leaks to the media.

TikTok parent company ByteDance revealed that several employees accessed the TikTok data of two journalists to investigate leaks of company information to the media.

According to an email from ByteDance’s general counsel Erich Andersen which was seen by the AFP news agency, the Chinese company was attempting to discover who shared company information with a Financial Times reporter and a former BuzzFeed journalist.

The company fired an undisclosed number of employees involved in the data leak for violating the company’s Code of Conduct, but it did not reveal their names.

In an attempt to discover the location of the disloyal employees, the company’s personnel analyzed IP addresses, but this method is only approximate.

“Employees had obtained the IP addresses of the journalists in a bid to determine whether they were in the same location as ByteDance colleagues suspected of disclosing confidential information, a company review of the scheme led by its compliance team and an external law firm found, according to Andersen.” reported the AFP.

Source: Messagero

TikTok is going to be banned from most U.S. government devices under a spending bill Congress unveiled early Tuesday, the latest push by American lawmakers against the Chinese-owned social media app.

TikTok would be banned from most U.S. government devices under a spending bill that Congress announced this week.

CIA Director William Burns said that the Chinese government can “insist upon extracting the private data of a lot of TikTok users in this country and also to shape the content of what goes on to TikTok as well to suit the interests of the Chinese leadership.”

Brooke Oberwetter, a spokesperson for TikTok, said that the ban is a political gesture that will do nothing to advance national security interests.

Pierluigi Paganini

(SecurityAffairs – hacking, intelligence)
