California signs social media terms of service disclosure law

[…] AB 587 requires social media companies to post their terms of service online, as well as submit a twice-yearly report to the state attorney general. The report must include details about whether the platform defines and moderates several categories of content, including “hate speech or racism,” “extremism or radicalization,” “disinformation or misinformation,” harassment, and “foreign political interference.” It must also offer details about automated content moderation, how many times people viewed content that was flagged for removal, and how the flagged content was handled. It’s one of several recent California plans to regulate social media, also including AB 2273, which is intended to tighten regulations for children’s social media use.

[…]

Courts haven’t necessarily concluded that the First Amendment blocks social media transparency rules. But the rules still raise red flags. Depending on how they’re defined, they could require companies to disclose unpublished rules that help bad actors game the system. And the bill singles out specific categories of “awful but lawful” content — like racism and misinformation — that’s harmful but often constitutionally protected, potentially putting a thumb on the speech scale.

[…]

Source: California Governor Gavin Newsom signs social media transparency law – The Verge

This is important because not only on social media but also on email or marketplace sites, individuals are at the mercy of the system. If you have no idea what the rules of the system are (and notice – this law has no mention of forcing a platform to publish their recourse rules) then you enter a Kafka-esque experience if you are booted. You don’t know the reason, or whether the reason is arbitrary, or whether you are being targeted. This is a start on transparency and fairness. Considering that much of our lives are lived on social media nowadays and a huge amount of trade is done online, you can’t trust a corporation to play fair, especially if you don’t know their rulebook.

S.Korea fines Google, Meta billions of won for privacy violations

[…] In a statement, the Personal Information Protection Commission said it fined Google 69.2 billion won ($50 million) and Meta 30.8 billion won ($22 million).

The privacy panel said the firms did not clearly inform service users and obtain their prior consent when collecting and analysing behavioural information to infer their interests or use them for customised advertisements.

[…]

Source: S.Korea fines Google, Meta billions of won for privacy violations | Reuters

Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs – wait isn’t it 2022?

[…]

The newly discovered security issue impacts versions of the application for Windows, Linux, and Mac and refers to Microsoft Teams storing user authentication tokens in clear text without protecting access to them.

An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log into the victim’s account.

[…]

Microsoft Teams is an Electron app, meaning that it runs in a browser window, complete with all the elements required by a regular web page (cookies, session strings, logs, etc.).

Electron does not support encryption or protected file locations by default, so while the software framework is versatile and easy to use, it is not considered secure enough for developing mission-critical products unless extensive customization and additional work is applied.

Vectra analyzed Microsoft Teams while trying to find a way to remove deactivated accounts from client apps, and found an ldb file with access tokens in clear text.

“Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs.” – Vectra

Additionally, the analysts discovered that the “Cookies” folder also contained valid authentication tokens, along with account information, session data, and marketing tags.
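The two findings above (tokens in an LevelDB .ldb file and in the Cookies database) come down to one question a defender can check directly: does an app's profile directory contain bearer tokens that are readable as plain bytes? The following is an added audit helper, not Vectra's tooling and not Microsoft's code. It scans a byte blob (or every regular file under a directory) for JWT-shaped strings, reports only a redacted preview plus the non-secret claims (issuer, audience, expiry) so an auditor can judge what a leaked token would grant, and never prints the secret itself. The sample blob, the `example.test` issuer/audience and the unsigned fake JWT are constructed for the example.

```python
"""Audit helper: flag JWT-shaped bearer tokens stored in cleartext in an app's
profile directory (LevelDB .ldb files, a Cookies SQLite database, logs).
Added example; not Vectra's tooling or Microsoft Teams code."""
import base64
import json
import os
import re
from dataclasses import dataclass, field

# Three base64url segments, the first two starting with "eyJ" (base64url of '{"'):
# the shape of a JWS compact serialization. A heuristic, good enough for an audit.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{16,}")


@dataclass
class Finding:
    source: str                                  # file path or label of the scanned blob
    offset: int                                  # byte offset where the token starts
    redacted: str                                # recognisable, but never the whole secret
    claims: dict = field(default_factory=dict)   # non-secret JWT metadata (iss/aud/exp/scp)


def _b64url_decode(segment: bytes) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def _safe_claims(payload_segment: bytes) -> dict:
    """Pull audit-relevant, non-secret claims out of the payload; ignore undecodable data."""
    try:
        payload = json.loads(_b64url_decode(payload_segment))
    except (ValueError, UnicodeDecodeError):
        return {}
    if not isinstance(payload, dict):
        return {}
    return {k: payload[k] for k in ("iss", "aud", "exp", "scp") if k in payload}


def redact(token: bytes) -> str:
    """Keep a prefix/suffix so a finding can be matched to a file, without exposing the token."""
    t = token.decode("ascii")
    return f"{t[:10]}...{t[-4:]} ({len(t)} chars)"


def find_cleartext_tokens(data: bytes, source: str = "<blob>") -> list:
    """Return one Finding per JWT-shaped token found in the given bytes."""
    findings = []
    for m in JWT_RE.finditer(data):
        token = m.group(0)
        _header, payload, _sig = token.split(b".")
        findings.append(Finding(source, m.start(), redact(token), _safe_claims(payload)))
    return findings


def scan_directory(root: str, max_bytes: int = 64 * 1024 * 1024) -> list:
    """Walk an app profile directory and scan every regular file up to max_bytes."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    findings.extend(find_cleartext_tokens(fh.read(), path))
            except OSError:
                continue  # unreadable or vanished file: skip, keep auditing
    return findings


def make_sample_blob() -> bytes:
    """Constructed test data: a fake, unsigned JWT embedded in LevelDB-like noise."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=")
    fake_jwt = b".".join([
        seg({"alg": "none", "typ": "JWT"}),
        seg({"iss": "https://login.example.test", "aud": "https://api.example.test",
             "exp": 1700000000, "sub": "user@example.test"}),
        b"x" * 20,  # placeholder signature bytes, not a real signature
    ])
    return b"\x00\x01leveldb-noise\x00key=authtoken\x00value=" + fake_jwt + b"\x00more noise\x00"


if __name__ == "__main__":
    for finding in find_cleartext_tokens(make_sample_blob(), "sample.ldb"):
        print(finding)
```

Pointing `scan_directory` at an app's profile directory (for an Electron app, its user-data folder) gives a quick answer to "are bearer tokens at rest here readable by anything running as this user?", which is the risk the article describes; a non-empty result is the cue to apply a mitigation such as the browser client the article recommends, or an endpoint control that alerts on unexpected processes reading those files.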

[Image] Authentication token in the Cookies directory (Vectra)

Finally, Vectra developed an exploit by abusing an API call that allows sending messages to oneself. Using the SQLite engine to read the Cookies database, the researchers received the authentication tokens as a message in their chat window.

[Image] Token received as text in the attacker’s personal chat (Vectra)

[…]

Using this type of malware, threat actors will be able to steal Microsoft Teams authentication tokens and remotely login as the user, bypassing MFA and gaining full access to the account.

[…]

With a patch unlikely to be released, Vectra’s recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks.

[…]

Source: Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs