Atlassian reveals critical flaws in most of their products

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security.

The company’s July security advisories detail “Servlet Filter dispatcher vulnerabilities.”

One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass: an attacker can send a specially crafted HTTP request that bypasses custom Servlet Filters used by third-party apps to enforce authentication.

The scary part is that the flaw allows a remote, unauthenticated attacker to bypass authentication used by third-party apps. The really scary part is that Atlassian doesn’t have a definitive list of apps that could be impacted.

“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” the company added.

The same CVE can also be exploited in a cross-site scripting attack: a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets. “An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser,” Atlassian explains.

The second flaw – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.

Atlassian explains it as follows: “Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.”

Confluence users have another flaw to worry about: CVE-2022-26138 reveals that one of Atlassian’s Confluence apps ships with a hard-coded password, put in place to help migrations to the cloud. Atlassian explained:

Source: Atlassian reveals critical flaws across its product line • The Register

Google forced to allow some Android apps to use third-party payments in the EU

Android developers who distribute apps on the Google Play store can now use third-party payment systems in many European countries. The measure applies to the European Economic Area (EEA), which comprises European Union states as well as Iceland, Liechtenstein and Norway. However, the policy will not apply to gaming apps, which still need to use Google Play’s own billing system for the time being.

Google is making the move after the EU’s legislative arm, the European Commission, passed the Digital Markets Act (DMA) this month. Along with the Digital Services Act, the law is designed to rein in the power of big tech by, for instance, prohibiting major platform holders from giving their own systems preferable treatment.

The DMA isn’t expected to come into effect until sometime in 2024. However, Google’s director of EU government affairs and public policy, Estelle Werth, wrote in a blog post that the company is “launching this program now to allow us to work closely with our developer partners and ensure our compliance plans serve the needs of our shared users and the broader ecosystem.”

The move partially reverses a policy that required all in-app payments to be processed through the Play Store’s billing system. Developers who opt for a different billing system won’t be able to avoid Google’s fees entirely. However, Google will lower the service fees it charges them by three percentage points.

Google says that 99 percent of developers qualify for a fee of 15 percent or less. The others typically pay 30 percent. The fees Google charges would drop to 12 percent (or lower) or 27 percent, respectively, if they select a third-party billing system.

[…]

Source: Google allows Android apps to use third-party payments in the EU | Engadget

Russia fines Google $374M over Ukraine invasion portrayal

A Russian court fined Google $374 million on Monday for its failure to remove prohibited content, according to the country’s internet watchdog Roskomnadzor.

The Tagansky District Court of Moscow took exception to YouTube content it claimed contained “fakes about the course of a special military operation in Ukraine” and discredited Russia’s armed forces. The court also claimed some material promoted extremism and/or terrorism. Google also stands convicted of an “indifferent attitude to the life and health of minors”, conduct the court feels is worthy of protest by Russian citizens.

The court also alleged Google systemically violated Russian law.

As punishment, Google users will receive warnings of the company’s alleged misdeeds, and won’t be permitted to buy ads tied to Google Search results or on YouTube.

[…]

Source: Russia fines Google $374M over Ukraine invasion portrayal • The Register

Wouldn’t it be nice if they fined Putin for making the videos a possibility

UK court okays $1.1b Play Store lawsuit against Google

A London court on Tuesday allowed a lawsuit to proceed that seeks to have Google pay £920 million ($1.1 billion) for overcharging customers for app store purchases.

Filed as a class action on behalf of 19.5 million UK citizens, the suit alleges Google charged commission fees up to 30 percent on app sales. Consumer rights advocate Liz Coll, who previously served as digital policy manager at consumer rights organization Citizens Advice, brought the lawsuit, alleging Google has violated both EU and UK competition laws.

Representatives for the claimant group told Reuters that a detailed judgment has yet to be published, but the initial filing made in July 2021 specifies that Google violated multiple sections of the Competition Act 1998.

For conduct that took place before the UK left the EU, the suit also alleges violations of Article 102 of the Treaty on the Functioning of the EU, which covers abuse of dominant market positions.

Source: UK court okays $1.1b Play Store gouging suit against Google