Daily Archives: September 21, 2025

LaLiga’s Anti-Piracy Tactics Disrupt Major Sites in Spain. Again. Allowing company dragnets with no recourse, warning or anything is insanely stupid.

Posted on by

LaLiga, Spain’s top football league, is facing a firestorm of criticism after boasting about a staggering 142% increase in anti-piracy takedown notices in early 2025 while simultaneously causing extensive collateral damage across the internet.

As the 2025/2026 season began on August 15, LaLiga ramped up its enforcement strategy, triggering widespread outages for entirely lawful websites, services, and platforms.

These disruptions are tied to a controversial anti-piracy scheme operated in partnership with telecom giant Telefónica.

The initiative, which enjoys judicial backing in Spain, allows LaLiga to instruct major internet service providers, including Movistar, Vodafone, Orange, and DIGI, to block IP addresses suspected of hosting unauthorized streams.

The fallout is that entire chunks of the internet go dark for Spanish users, often during match broadcasts.

LaLiga doesn’t target specific infringing content. Instead, it flags entire IP ranges, many of which are shared by thousands of unrelated domains.

When one site is accused of hosting pirated material, everyone else sharing that IP address gets swept up in the block.

The result is a digital dragnet that has ensnared companies as diverse as Amazon, Cloudflare, GitHub, Twitch, and even Google Fonts.

TorrentFreak has documented repeated weekly blocks of platforms like Vercel since early 2025, while Catalonia’s own .cat domain registry has also reported service disruptions.

The issue became so disruptive that iXsystems, the team behind TrueNAS, a widely used open-source NAS operating system, was forced to shift its distribution model entirely. After its CDN IPs were repeatedly blocked in Spain, making critical security updates inaccessible to users, the developers resorted to distributing their software via BitTorrent.

[…]

LaLiga, meanwhile, continues to tout its enforcement record. A self-published report revealed that over 26 million takedown notices were sent in the first half of 2025 alone, more than doubling the total from all of 2024.

Source: LaLiga’s Anti-Piracy Tactics Disrupt Major Sites in Spain

Related: Massive expansion of Italy’s Piracy Shield underway despite growing criticism of its flaws and EU illegality

As site blocks pile up, European Commission issues subtle slapdown to Italy’s Piracy Shield

Why Italy’s Piracy Shield destroys huge internet companies and small businesses with no recourse (unless you are rich) and can lay out the entire internet in Italy to… protect against football streaming?!

Italy is losing its mind because of copyright: it just made its awful Piracy Shield even worse

Italy’s Piracy Shield Blocks Innocent Web Sites, Makes It Hard For Them To Appeal so ISPs are ignoring the law because it’s stupid

EU prepares to give new rights to live streaming sites, to the detriment of the Internet and its users

LaLiga Piracy Blocks Randomly Take Down huge innocent segments of internet with no recourse or warning, slammed as “Unaccountable Internet Censorship”

Now the copyright industry wants to apply deep, automated blocking to the Internet’s core routers

OpenAI plugs ShadowLeak bug in ChatGPT which allowed anybody access to everybodys gmail emails and any other integrations

Posted on by

ChatGPT’s research assistant sprung a leak – since patched – that let attackers steal Gmail secrets with just a single carefully crafted email.

Deep Research, a tool unveiled by OpenAI in February, enables users to ask ChatGPT to browse the internet or their personal email inbox and generate a detailed report on its findings. The tool can be integrated with apps like Gmail and GitHub, allowing people to do deep dives into their own documents and messages without ever leaving the chat window.

Cybersecurity outfit Radware this week disclosed a critical flaw in the feature, dubbed “ShadowLeak,” warning that it could allow attackers to siphon data from inboxes with no user interaction whatsoever. Researchers showed that simply sending a maliciously crafted email to a Deep Research user was enough to get the agent to exfiltrate sensitive data when it later summarized that inbox.

The attack relies on hiding instructions inside the HTML of an email using white-on-white text, CSS tricks, or metadata, which a human recipient would never notice. When Deep Research later crawls the mailbox, it dutifully follows the attacker’s hidden orders and sends the contents of messages, or other requested data, to a server controlled by the attacker.

Radware stressed that this isn’t just a prompt injection on the user’s machine. The malicious request is executed from OpenAI’s own infrastructure, making it effectively invisible to corporate security tooling.

That server-side element is what makes ShadowLeak particularly nasty. There’s no dodgy link for a user to click, and no suspicious outbound connection from the victim’s laptop. The entire operation happens in the cloud, and the only trace is a benign-looking query from the user to ChatGPT asking it to “summarize today’s emails”. […] The researchers argue that the risk isn’t limited to Gmail either. Any integration that lets ChatGPT hoover up private documents could be vulnerable to the same trick if input sanitization isn’t watertight.

[…]

Radware said it reported the ShadowLeak bug to OpenAI on June 18 and the company released a fix on September 3. The Register asked OpenAI what specific changes were made to mitigate this vulnerability and whether it had seen any evidence that the vulnerability had been exploited in the wild before disclosure, but did not receive a response.

Radware is urging organizations to treat AI agents as privileged users and to lock down what they can access. HTML sanitization, stricter control over which tools agents can use, and better logging of every action taken in the cloud are all on its list of recommendations. ®

Source: OpenAI plugs ShadowLeak bug in ChatGPT • The Register

Entra ID bug granted easy access to every tenant

Posted on by

A security researcher claims to have found a flaw that could have handed him the keys to almost every Entra ID tenant worldwide.

Dirk-jan Mollema reported the finding to the Microsoft Security Research Center (MSRC) in July. The issue was fixed and confirmed as mitigated, and a CVE was raised on September 4.

It is, however, an alarming vulnerability involving flawed token validation that can result in cross-tenant access. “If you are an Entra ID admin,” wrote Mollema, “that means complete access to your tenant.”

There are two main elements in the vulnerability. The first, according to Mollema, is undocumented impersonation tokens called “Actor tokens” that Microsoft uses for service-to-service communication. There was a flaw in the legacy Azure Active Directory Graph API that did not properly validate the originating tenant, allowing the tokens to be used for cross-tenant access.

“Effectively,” wrote Mollema, “this means that with a token I requested in my lab tenant I could authenticate as any user, including Global Admins, in any other tenant.”

The tokens allowed full access to the Azure AD Graph API in any tenant. Any hope that a log might save the day was also dashed – “requesting Actor tokens does not generate logs.”

“Even if it did, they would be generated in my tenant instead of in the victim tenant, which means there is no record of the existence of these tokens.”

The upshot of the flaw was a possible compromise for any service that uses Entra ID for authentication, such as SharePoint Online or Exchange Online. Mollema noted that access to resources hosted in Azure was also possible.

[…]

Source: Entra ID bug could have granted access to every tenant • The Register

Samsung confirms its $1,800+ fridges will start showing you ads

Posted on by

Samsung started rolling out an update to its refrigerators that brought ads to the display, whether you like it or not. The whole situation is rather surreal but not entirely unsurprising. There were some doubts that the changelog wasn’t real or that it belonged to a different product. Now, Samsung has confirmed to us that ads are indeed coming to its refrigerators.

We had reached out to Samsung for a statement, and this is what a Samsung spokesperson said:

Samsung is committed to innovation and enhancing every day value for our home appliance customers. As part of our ongoing efforts to strengthen that value, we are conducting a pilot program to offer promotions and curated advertisements on certain Samsung Family Hub refrigerator models in the U.S. market.
As a part of this pilot program, Family Hub refrigerators in the U.S. will receive an over-the-network (OTN) software update with Terms of Service (T&C) and Privacy Notice (PN). Advertising will appear on certain Family Hub refrigerator Cover Screens. The Cover Screen appears when a Family Hub screen is idle. Ad design format may change depending on Family Hub personalization options for the Cover Screen, and advertising will not appear when Cover Screen displays Art Mode or picture albums.
Advertisements can be dismissed on the Cover Screens where ads are shown, meaning that specific ads will not appear again during the campaign period.

As the statement notes, this is a pilot program for certain Samsung Family Hub refrigerator models sold in the US. As part of the program, these refrigerators will display “promotions and curated advertisements” on certain Cover Screens when the Family Hub screen (i.e., the door display) is idle.

The company notes that ads can be dismissed, and dismissed ads will not appear again. The ad design format will also change depending on the Cover Screen’s personalization options. Ads will not appear when the Cover Screen displays photos or art.

From the changelog, we know that ads will be displayed on the Cover Screen for the Weather, Color, and Daily Board themes, whereas the Cover Screen for the Art and Gallery themes will not display advertisements, in line with the company’s statement.

It’s still unclear which exact refrigerators are getting the ad infestation, but Samsung’s current Family Hub-equipped lineup in the US starts at $1,800 and goes all the way up to $3,500. It doesn’t seem like users can entirely turn off ads

Source: Samsung confirms its $1,800+ fridges will start showing you ads

Yay the good old US where this is legal. I am not sure this would go in the EU but then again, I am not sure what EU law would stop this either. Apparently you don’t own what you bought and you can’t stop “new features” if you don’t want them.