New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission

Earlier this month, The Hacker News covered a story on research revealing how over 1,300 Android apps collect sensitive data even when users have explicitly denied the required permissions.

The research focused primarily on how app developers abuse multiple workarounds to collect the location data, phone identifiers, and MAC addresses of their users by exploiting both covert channels and side channels.

Now, a separate team of cybersecurity researchers has successfully demonstrated a new side-channel attack that could allow malicious apps to eavesdrop on the voice coming out of your smartphone’s loudspeakers without requiring any device permission.

Abusing Android Accelerometer to Capture Loudspeaker Data

Dubbed Spearphone, the newly demonstrated attack takes advantage of a hardware-based motion sensor, the accelerometer, which comes built into most Android devices and can be accessed without restriction by any app installed on the device, even one with zero permissions.

An accelerometer is a motion sensor that lets apps monitor the movement of a device, such as tilt, shake, rotation, or swing, by measuring the rate of change of velocity in magnitude or direction.

Since the built-in loudspeaker of a smartphone is placed on the same surface as the embedded motion sensors, it produces surface-borne and aerial speech reverberations in the body of the smartphone when loudspeaker mode is enabled.

Discovered by a team of security researchers—Abhishek Anand, Chen Wang, Jian Liu, Nitesh Saxena, Yingying Chen—the attack can be triggered when the victim either places a phone or video call on the speaker mode, or attempts to listen to a media file, or interacts with the smartphone assistant.

As a proof-of-concept, researchers created an Android app, which mimics the behavior of a malicious attacker, designed to record speech reverberations using the accelerometer and send captured data back to an attacker-controlled server.

Researchers say the remote attacker could then examine the captured readings, in an offline manner, using signal processing along with “off-the-shelf” machine learning techniques to reconstruct spoken words and extract relevant information about the intended victim.

Spearphone Attack: Spy On Calls, Voice Notes, and Multimedia

According to the researchers, the Spearphone attack can be used to learn the contents of audio played by the victim, whether selected from the device gallery or played from the Internet, as well as voice notes received over instant messaging applications like WhatsApp.

“The proposed attack can eavesdrop on voice calls to compromise the speech privacy of a remote end-user in the call,” the researchers explain.

“Personal information such as social security number, birthday, age, credit card details, banking account details, etc. consist mostly of numerical digits. So, we believe that the limitation of our dataset size should not downplay the perceived threat level of our attack.”

The researchers also tested their attack against phones’ smart voice assistants, including Google Assistant and Samsung Bixby, and successfully captured the response (output results) to a user query played over the phone’s loudspeaker.

The researchers believe that by using known techniques and tools, their Spearphone attack has “significant value as it can be created by low-profile attackers.”

Besides this, the Spearphone attack can also be used to determine other characteristics of the speaker, including gender classification, with over 90% accuracy, and speaker identification, with over 80% accuracy.

“For example, an attacker can learn if a particular individual (a person of interest under surveillance by law enforcement) was in contact with the phone owner at a given time,” the researchers say.

Nitesh Saxena also confirmed to The Hacker News that the attack cannot be used to capture the targeted user’s own voice or their surroundings, because “that is not strong enough to affect the phone’s motion sensors, especially given the low sampling rates imposed by the OS,” and so it does not interfere with the accelerometer readings either.

For more details, we encourage our readers to read the full research paper [PDF], titled “Spearphone: A Speech Privacy Exploit via Accelerometer-Sensed Reverberations from Smartphone Loudspeakers.”

The paper also discusses some possible mitigation techniques that may help prevent such attacks, as well as a few limitations, including the low sampling rate and the variation in maximum volume and voice quality across different phones, which could negatively impact the accelerometer readings.

In a previous report, we also explained how malware apps were found using the motion sensors of infected Android devices to avoid detection, by monitoring whether the device is running in an emulator or belongs to a legitimate user who moves it around.

EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users

Security researchers have discovered a rare piece of Linux spyware that is currently undetected by all major antivirus products and includes functionality rarely seen in Linux malware, The Hacker News has learned.

It is well known that very few strains of Linux malware exist in the wild compared with Windows viruses, because of the platform’s core architecture and its low market share, and many of them do not have a wide range of functionality.

In recent years, even after the disclosure of severe vulnerabilities in various flavors of Linux operating systems and software, cybercriminals have failed to leverage most of them in their attacks.

Instead, most malware targeting the Linux ecosystem focuses on cryptocurrency mining for financial gain and on building DDoS botnets by hijacking vulnerable servers.

However, researchers at security firm Intezer Labs recently discovered a new Linux backdoor implant that appears to be in a development and testing phase but already includes several malicious modules to spy on Linux desktop users.

EvilGnome: New Linux Spyware

Dubbed EvilGnome, the malware has been designed to take desktop screenshots, steal files, record audio from the user’s microphone, and download and execute further second-stage malicious modules.

According to a new report Intezer Labs shared with The Hacker News prior to its release, the EvilGnome sample it discovered on VirusTotal also contains unfinished keylogger functionality, which indicates that its developer uploaded it online by mistake.

The EvilGnome malware masquerades as a legitimate GNOME extension, a program that lets Linux users extend the functionality of their desktops.

According to the researchers, the implant is delivered as a self-extracting archive shell script created with ‘makeself,’ a small shell script that generates a self-extractable compressed tar archive from a directory.

The Linux implant also gains persistence on a targeted system using crontab, similar to the Windows Task Scheduler, and sends stolen user data to a remote attacker-controlled server.

“Persistence is achieved by registering gnome-shell-ext.sh to run every minute in crontab. Finally, the script executes gnome-shell-ext.sh, which in turn launches the main executable gnome-shell-ext,” the researchers said.

EvilGnome’s Spyware Modules

The Spy Agent of EvilGnome contains five malicious modules called “Shooters,” explained below:

  • ShooterSound — this module uses PulseAudio to capture audio from the user’s microphone and uploads the data to the operator’s command-and-control server.
  • ShooterImage — this module uses the Cairo open source library to capture screenshots and uploads them to the C&C server. It does so by opening a connection to the XOrg Display Server, which is the backend of the GNOME desktop.
  • ShooterFile — this module uses a filter list to scan the file system for newly created files and uploads them to the C&C server.
  • ShooterPing — this module receives new commands from the C&C server, such as downloading and executing new files, setting new filters for file scanning, downloading and applying a new runtime configuration, exfiltrating stored output to the C&C server, and stopping any shooter module from running.
  • ShooterKey — this module is unimplemented and unused, and is most likely an unfinished keylogging module.

Notably, all the above modules encrypt their output data and decrypt commands received from the C&C server with the RC5 key “sdg62_AS.sa$die3,” using a modified version of a Russian open source library.

Possible Connection Between EvilGnome and Gamaredon Hacking Group

Furthermore, the researchers also found connections between EvilGnome and Gamaredon Group, an alleged Russian threat group that has been active since at least 2013 and has targeted individuals working with the Ukrainian government.

Here are some of the similarities between EvilGnome and the Gamaredon Group:

  • EvilGnome uses a hosting provider that has been used by the Gamaredon Group for years and continues to be used by it.
  • EvilGnome was also found to be operating on an IP address that was controlled by the Gamaredon Group two months ago.
  • The EvilGnome attackers also use the ‘.space’ TLD for their domains, just like the Gamaredon Group.
  • EvilGnome employs techniques and modules—such as the use of SFX archives, persistence via a task scheduler, and the deployment of information-stealing tools—that are reminiscent of the Gamaredon Group’s Windows tools.

How to Detect EvilGnome Malware?

To check whether your Linux system is infected with the EvilGnome spyware, look for the “gnome-shell-ext” executable in the “~/.cache/gnome-software/gnome-shell-extensions” directory.
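The file check above and the crontab persistence described earlier can be scripted. The following Python script is an added example, not Intezer’s code and not part of the original article: it looks under a user’s home directory for the executable and launcher script named in the report, and scans the user’s crontab for entries that run gnome-shell-ext.sh, flagging the every-minute schedule the researchers describe. The directory and file names are the ones quoted in the article; the sample crontab used for the demonstration is constructed.

```python
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

# Indicators quoted in the article (from Intezer's report): the dropped
# executable, its launcher script, and the directory they are placed in.
EVILGNOME_DIR = Path(".cache/gnome-software/gnome-shell-extensions")
EVILGNOME_NAMES = ("gnome-shell-ext", "gnome-shell-ext.sh")

# A crontab entry that runs the launcher; "* * * * *" is the every-minute
# schedule the researchers observed.
CRON_REF = re.compile(r"gnome-shell-ext(\.sh)?(\s|$)")
EVERY_MINUTE = re.compile(r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s+")

# Constructed sample crontab for the demonstration (not a real capture).
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/local/bin/nightly-backup\n"
    "* * * * * /home/user/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh\n"
)


def scan_home(home: Path) -> List[str]:
    """Return paths of EvilGnome artifacts present under the given home directory."""
    target_dir = home / EVILGNOME_DIR
    return [str(target_dir / name) for name in EVILGNOME_NAMES if (target_dir / name).exists()]


def scan_crontab(crontab_text: str) -> List[Dict[str, object]]:
    """Return non-comment crontab lines that reference the EvilGnome launcher."""
    hits = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#") or not CRON_REF.search(line):
            continue
        hits.append({"line": line, "every_minute": bool(EVERY_MINUTE.match(line))})
    return hits


def read_user_crontab() -> str:
    """Fetch the current user's crontab; empty string if none or no crontab binary."""
    try:
        result = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return result.stdout if result.returncode == 0 else ""


def check_host(home: Optional[Path] = None, crontab_text: Optional[str] = None) -> Dict[str, object]:
    """Combine both checks. Arguments default to the live system; tests pass fixtures."""
    home = Path.home() if home is None else home
    text = read_user_crontab() if crontab_text is None else crontab_text
    files = scan_home(home)
    cron = scan_crontab(text)
    return {"files": files, "cron": cron, "suspicious": bool(files or cron)}


if __name__ == "__main__":
    report = check_host()
    print("EvilGnome indicators found" if report["suspicious"] else "No EvilGnome indicators")
    for path in report["files"]:
        print("  file:", path)
    for hit in report["cron"]:
        print("  cron:", hit["line"], "(every minute)" if hit["every_minute"] else "")
```

Run it as the affected desktop user, since both the dropped files and the crontab belong to that user’s account; a hit on either indicator warrants pulling the host for forensic review rather than just deleting the files.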

“We believe this is a premature test version. We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group’s operations,” researchers conclude.

Since security and antivirus products are currently failing to detect the EvilGnome malware, the researchers recommend that concerned Linux administrators block the command-and-control IP addresses listed in the IoC section of Intezer’s blog post.

Breach at Bulgaria’s Tax Agency Exposed Data of Over 70% Citizens

The Eastern European country of Bulgaria has suffered the biggest data breach in its history, compromising the personal and financial information of 5 million adult citizens out of a total population of 7 million.

According to multiple sources in local Bulgarian media, an unknown hacker earlier this week emailed them download links to 11GB of stolen data, which included taxpayers’ personal identification numbers, addresses, and financial data.

In a brief statement released Monday, the National Revenue Agency (NRA) of Bulgaria said the stolen data originates from the country’s tax reporting service.

The NRA also indicated that the Ministry of the Interior and the State Agency for National Security (SANS) have begun assessing the potential vulnerability in the NRA’s systems that attackers might have exploited to breach its databases.

It appears that so far the hacker, who claimed to be a Russian man, has released only 57 of a total of 110 compromised databases, about 21GB in total.

In a follow-up announcement, the NRA said that almost 20 days ago the attacker gained unauthorized access to about 3 percent of the information contained in its databases.

“Currently, e-services for citizens and businesses are functioning normally, with the exception of the VAT refund service paid abroad, as well as by the revenue office. Unregulated access to sensitive information is limited,” the NRA said.

As a consequence of the incident, Bulgaria’s NRA tax agency now faces a fine of up to 20 million euros (nearly £18 million) or 4% of the agency’s annual turnover over the data breach, said Prof. Veselin Tselkov, a member of the Commission for Personal Data Protection.

Bulgarian police said they also arrested a 20-year-old Bulgarian cybersecurity professional on Tuesday after authorities raided his home and office in the capital, Sofia, and seized his computers containing encrypted data, Reuters reports.

According to Yavor Kolev, head of the Bulgarian police’s cybersecurity unit, the arrested man allegedly tested security vulnerabilities in government-owned computer networks. Since the investigation is still ongoing, it is not yet clear whether he is behind the NRA data breach.

Sofia city prosecutors said the arrested Bulgarian hacker had been charged with a computer crime and would be held for another three days.

Zoom RCE Flaw Also Affects Its Rebranded Versions RingCentral and Zhumu

The same security vulnerabilities that were recently reported in Zoom for macOS also affect two other popular video conferencing applications that, under the hood, are just rebranded versions of the Zoom video conferencing software.

Security researchers confirmed to The Hacker News that RingCentral, used by over 350,000 businesses, and Zhumu, a Chinese version of Zoom, also run a hidden local web server on users’ computers, just like Zoom for macOS.

The controversial local web server, designed to offer an automatic click-to-join feature, was found vulnerable to remote command injection attacks through third-party websites.

Security researcher Jonathan Leitschuh initially provided a proof-of-concept demonstrating how the vulnerable web server could allow attackers to turn on a user’s laptop webcam and microphone remotely.

The flaw was later escalated to a remote code execution attack by another security researcher, Karan Lyons, who has now published a new video demonstration confirming the same RCE flaw in RingCentral and Zhumu for macOS users.

RingCentral has already released an updated version (v7.0.151508.0712) of its meeting app for macOS that patches both vulnerabilities by removing the vulnerable web server installed by the video conferencing software.

As explained in our previous article by Mohit Kumar, Apple released a silent update for its macOS users to remove the Zoom local web server (ZoomOpener daemon) for all users.

Therefore, users who are still using the RingCentral video conferencing software are strongly advised to update to the latest patched version of the software.

“All users that have installed RingCentral Meetings on MacOS should accept the update. Please ensure that all RingCentral Meetings MacOS versions prior to v7.0.151508.0712 are removed,” the company says.

“RingCentral is continuing to work on addressing the General Concern related to ‘Video ON Concern’ for additional platforms. We will continue to provide updates.”

However, the software update cannot protect former customers who no longer use the software but unknowingly still have the vulnerable web server running on their systems.

Those users are advised to remove the hidden web server manually by running the commands provided by the researcher on GitHub.

Zhumu, the Chinese app, has not yet released a patch for its software, but users can still remove the server by following the same terminal commands.

Update: Apple Update Removes Vulnerable Server Installed By 10 Zoom-Powered Software

Security researcher Karan Lyons confirmed to The Hacker News that there are a total of 10 rebranded versions of the Zoom software available on the market, listed below, including RingCentral and Zhumu.

All of these video conferencing applications work in the same way and contain the same vulnerabilities, leaving their users at risk of remote hacking as well.

  • RingCentral
  • Zhumu
  • Telus Meetings
  • BT Cloud Phone Meetings
  • Office Suite HD Meeting
  • AT&T Video Meetings
  • BizConf
  • Huihui
  • UMeeting
  • Zoom CN

Karan also confirmed that Apple’s latest silent MRT (Malware Removal Tool) update, version 1.46, removes the vulnerable web server installed on users’ Mac computers by any of the software listed above.

Hackers Can Manipulate Media Files You Receive Via WhatsApp and Telegram

If you think that the media files you receive on your end-to-end encrypted secure messaging apps cannot be tampered with, you need to think again.

Security researchers at Symantec yesterday demonstrated multiple interesting attack scenarios against the WhatsApp and Telegram Android apps, which could allow malicious actors to spread fake news or scam users into sending payments to the wrong accounts.

Dubbed “Media File Jacking,” the attack leverages an already known fact that any app installed on a device can access and rewrite files saved in the external storage, including files saved by other apps installed on the same device.

WhatsApp and Telegram allow users to choose if they want to save all incoming multimedia files on internal or external storage of their device.

However, WhatsApp for Android by default automatically stores media files in external storage, while Telegram for Android uses internal storage, which is not accessible to any other app, to store users’ files.

But many Telegram users manually change this setting to external storage, using the “Save to Gallery” option in the settings, when they want to re-share received media files with friends through other communication apps like Gmail, Facebook Messenger, or WhatsApp.

It should be noted that the attack is not limited to WhatsApp and Telegram; it affects the functionality and privacy of many other Android apps as well.

How Does “Media File Jacking” Attack Work?

Just like man-in-the-disk attacks, a malicious app installed on a recipient’s device can intercept and manipulate media files, such as private photos, documents, or videos, sent between users through the device’s external storage—all without the recipient’s knowledge and in real time.

“The fact that files are stored in, and loaded from, external storage without proper security mechanisms, allows other apps with write-to-external storage permission to risk the integrity of the media files,” researchers said in a blog post.

“Attackers could take advantage of the relations of trust between a sender and a receiver when using these IM apps for personal gain or wreaking havoc.”
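One way an app can detect that a file in shared storage was rewritten after it arrived, added here as an illustration and taken neither from Symantec’s research nor from either messaging app’s code: pin a digest of each received file in app-private storage at receive time, and re-check it before the file is rendered. The Python example below is generic rather than Android code; the directory layout (a world-writable “shared” directory beside a private one), the file name, and the media bytes are all constructed, and the second “app” that rewrites the file is simulated by a plain write to the shared path.

```python
import hashlib
import hmac
import json
from pathlib import Path
from typing import Dict


class IntegrityError(Exception):
    """Raised when a file in shared storage no longer matches its pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MediaStore:
    """Writes received media to a directory other apps can write to (the shared
    external storage of the article), but keeps each file's digest in a
    manifest under an app-private directory that other apps cannot reach."""

    def __init__(self, shared_dir: Path, private_dir: Path):
        self.shared_dir = shared_dir
        self.manifest_path = private_dir / "media_manifest.json"
        shared_dir.mkdir(parents=True, exist_ok=True)
        private_dir.mkdir(parents=True, exist_ok=True)
        self._manifest: Dict[str, str] = (
            json.loads(self.manifest_path.read_text()) if self.manifest_path.exists() else {}
        )

    def _save_manifest(self) -> None:
        self.manifest_path.write_text(json.dumps(self._manifest))

    def receive(self, name: str, data: bytes) -> Path:
        """Called when the message arrives: pin the digest before exposing the bytes."""
        self._manifest[name] = sha256_hex(data)
        self._save_manifest()
        path = self.shared_dir / name
        path.write_bytes(data)
        return path

    def load(self, name: str) -> bytes:
        """Called when the file is about to be displayed or forwarded."""
        expected = self._manifest.get(name)
        if expected is None:
            raise KeyError(f"{name} was never received through this app")
        data = (self.shared_dir / name).read_bytes()
        if not hmac.compare_digest(expected, sha256_hex(data)):
            raise IntegrityError(f"{name} changed on disk after it was received")
        return data


def simulate_media_file_jacking(workdir: Path) -> Dict[str, bool]:
    """Constructed scenario: receive an image, have another process rewrite the
    shared copy, and check that the rewrite is caught before rendering."""
    store = MediaStore(workdir / "shared" / "WhatsApp Images", workdir / "private")
    original = b"\xff\xd8\xff\xe0" + b"invoice: pay account 1111 " + b"\x00" * 64  # constructed JPEG-like bytes
    path = store.receive("IMG-0001.jpg", original)

    intact_before = store.load("IMG-0001.jpg") == original

    # Another app with write access to external storage swaps the content.
    path.write_bytes(b"\xff\xd8\xff\xe0" + b"invoice: pay account 9999 " + b"\x00" * 64)

    try:
        store.load("IMG-0001.jpg")
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    return {"intact_before": intact_before, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    import tempfile
    print(simulate_media_file_jacking(Path(tempfile.mkdtemp())))
```

The check only works because the manifest lives where other apps cannot write; a digest stored next to the file in shared storage could be rewritten along with it. It also closes only the detection gap, not the window between the message being decrypted and the digest being pinned, which is why keeping the file in app-private storage in the first place (as Telegram does by default) remains the stronger option.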

The researchers illustrated and demonstrated four attack scenarios, explained below, in which a malware app can instantly analyze and manipulate incoming files, leading to:

1.) Image manipulation

In this attack scenario, a seemingly innocent-looking, but actually malicious, app downloaded by a user can run in the background to perform a Media File Jacking attack while the victim uses WhatsApp and “manipulate personal photos in near-real-time and without the victim knowing.”

2.) Payment manipulation

In this scenario, which researchers call “one of the most damaging Media File Jacking attacks,” a malicious actor can manipulate an invoice sent by a vendor to customers to trick them into making a payment to an account controlled by the attacker.

3.) Audio message spoofing

In this attack scenario, attackers can exploit the relations of trust between employees in an organization. They can use voice reconstruction via deep learning technology to alter an original audio message for their personal gain or to wreak havoc.

4.) Spread fake news

In Telegram, admins use the concept of “channels” in order to broadcast messages to an unlimited number of subscribers who consume the published content. Using Media File Jacking attacks, an attacker can change the media files that appear in a trusted channel feed in real-time to spread fake news.

How to Prevent Hackers from Hijacking Your Android Files

Symantec has already notified Telegram and Facebook/WhatsApp about the Media File Jacking attacks, but it believes the issue will be addressed by Google in its upcoming Android Q update.

Android Q includes a new privacy feature called Scoped Storage that changes the way apps access files on a device’s external storage.

Scoped Storage gives each app an isolated storage sandbox on the device’s external storage, where no other app can directly access the data it saves.

Until then, users can mitigate the risk of such attacks by disabling the feature that saves media files to the device’s external storage. To do so, Android users can go to:

  • WhatsApp: Settings → Chats → Turn the toggle off for ‘Media Visibility’
  • Telegram: Settings → Chat Settings → Disable the toggle for ‘Save to Gallery’

Engage Your Management with the Definitive ‘Security for Management’ Presentation Template

In every organization, there is a person who’s directly accountable for cybersecurity. The name of the role varies per the organization’s size and maturity – CISO, CIO, and Director of IT are just a few common examples – but the responsibility is similar in all places.

They are the person who understands the risk and exposure, knows how prepared the team is and, most important, knows what the gaps are and how they can best be addressed.

Apart from actually securing the organization – and losing some sleep over it – this individual has another equally important task: to communicate the security risk, needs, and status to the company’s management.

After all, the level of security rises in direct proportion to the resources invested, and management are the people who decide on and allocate them.

Since management people are not typically cybersecurity savvy, engaging them can be challenging – one must find the balance between high-level explanations, a direct connection between cyber risk and operational loss, and an accurate description of current status and challenges.

To address these needs, Cynet introduces the definitive ‘Security for Management’ PPT template, a first-of-its-kind presentation that contains all the key elements required to gain management mindshare and make them active partners.

It provides a concise presentation of the security issues that matter and are also easily understood by a non-technical audience.

The definitive ‘Security for Management’ PPT template uses the NIST Cyber Security Framework as high-level guidelines to frame the discussion and includes open sections which are to be filled out with information speaking to the specific organization’s state.

Overall, the template assists in the following:

  • Turning cybersecurity from abstract risk to business mission – map a vague notion of risk onto something presentable to real people who occupy specific roles, with the goal of securing the organization against a clearly tangible loss.
  • Creating a common language, so security needs are easily understood – knowledge is power. Security knowledgeable management is instrumental in moving in the right direction. The NIST framework pillars – identify, protect, detect, respond, and recover – are easily understood and provide good ground for communication.
  • Taking cybersecurity from a mere budget request to a continuous strategic journey – you cannot underestimate the importance of this. Understanding that being secure is a continuous process is paramount to any long-term planning.
  • Introducing operational metrics to measure stature and progress – at the end of the day, everything has to translate into numbers. Either goals are achieved, or they are not. One way or the other, presenting results of the security products/security team brings transparency that creates trust.

The definitive ‘Security for Management’ presentation template is ideal for anyone who works hard to achieve organizational security and strives to communicate their work’s true value.

Download the definitive ‘Security for Management’ presentation template here.

This Flaw Could Have Allowed Hackers to Hack Any Instagram Account Within 10 Minutes

Watch out! Facebook-owned photo-sharing service Instagram has recently patched a critical vulnerability that could have allowed hackers to compromise any Instagram account without requiring any interaction from the targeted users.

Instagram is growing quickly, and as the most popular social media network in the world after Facebook, the photo-sharing network absolutely dominates when it comes to user engagement and interactions.

Despite having advanced security mechanisms in place, even big platforms like Facebook, Google, LinkedIn, and Instagram are not completely immune to hackers and contain severe vulnerabilities.

Some vulnerabilities have recently been patched, some are still under the process of being fixed, and many others most likely do exist, but haven’t been found just yet.

Details of one such critical vulnerability in Instagram surfaced on the Internet today; it could have allowed a remote attacker to reset the password for any Instagram account and take complete control over it.

Discovered and responsibly reported by Indian bug bounty hunter Laxman Muthiyah, the vulnerability resided in the password recovery mechanism implemented by the mobile version of Instagram.

“Password reset,” or “password recovery,” is a feature that allows users to regain access to their account on a website in case they forget their password.

On Instagram, users have to confirm a six-digit secret passcode (which expires after 10 minutes), sent to their associated mobile number or email account, in order to prove their identity.

That means one of a million combinations can unlock any Instagram account via a brute force attack, but it is not as simple as it sounds, because Instagram has rate limiting enabled to prevent such attacks.

However, Laxman found that this rate limiting can be bypassed by sending brute force requests from different IP addresses and leveraging a race condition, sending concurrent requests so that multiple attempts are processed simultaneously.

“Race hazard (concurrent requests) and IP rotation allowed me to bypass it. Otherwise, it wouldn’t be possible. 10 minutes expiry time is the key to their rate limiting mechanism, that’s why they didn’t enforce permanent blocking of codes,” Laxman told The Hacker News.

As shown in the video demonstration above, Laxman successfully demonstrated the vulnerability by hijacking an Instagram account after quickly attempting 200,000 different passcode combinations (20% of all possible codes) without getting blocked.

“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.”

Laxman has also released a proof-of-concept exploit for the vulnerability, which has now been patched by Instagram, and the company awarded Laxman a $30,000 reward as part of its bug bounty program.
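To make the two weaknesses Laxman names concrete, rate limits keyed on the source address and non-atomic attempt counting, the following Python example is added here; it is neither Instagram’s implementation nor the researcher’s proof of concept. It contrasts a limiter that budgets attempts per source IP with a verifier that budgets attempts per issued code, whoever sends them, and that performs the check and the count as one step under a lock, then burns the code once the budget is spent. The simulation just counts how many requests each design admits when requests arrive from rotating addresses; the account names, codes, and IP addresses (from the 203.0.113.0/24 documentation range) are constructed.

```python
import secrets
import threading
from collections import Counter, defaultdict
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional

CODE_LENGTH = 6


class PerIpLimiter:
    """Budgets attempts per source IP only. Each new address starts with a fresh
    budget, so the limit says nothing about how many guesses one code has taken."""

    def __init__(self, max_per_ip: int):
        self.max_per_ip = max_per_ip
        self.counts: Dict[str, int] = defaultdict(int)
        self.lock = threading.Lock()

    def admit(self, source_ip: str) -> bool:
        with self.lock:
            self.counts[source_ip] += 1
            return self.counts[source_ip] <= self.max_per_ip


class ResetCodeVerifier:
    """Budgets attempts per issued code regardless of source, and does the
    check-and-count atomically so concurrent requests cannot each observe an
    unspent budget. Once the budget is gone the code is invalidated."""

    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts
        self.lock = threading.Lock()
        self._codes: Dict[str, List] = {}  # account -> [code, attempts_used]

    def issue(self, account: str, code: Optional[str] = None) -> str:
        # 'code' may be supplied so that examples and tests can use a known value.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        with self.lock:
            self._codes[account] = [code, 0]
        return code

    def verify(self, account: str, guess: str, source_ip: str) -> str:
        with self.lock:
            entry = self._codes.get(account)
            if entry is None:
                return "no_active_code"
            entry[1] += 1  # counted before comparing, so every guess costs budget
            if secrets.compare_digest(entry[0], guess):
                del self._codes[account]
                return "ok"
            if entry[1] >= self.max_attempts:
                del self._codes[account]  # burn the code; the user must request a new one
                return "locked"
            return "wrong"


def admitted_with_ip_rotation(limiter: PerIpLimiter, n_requests: int, ip_pool: int) -> int:
    """Constructed simulation: n_requests spread evenly over ip_pool addresses."""
    return sum(limiter.admit(f"203.0.113.{i % ip_pool}") for i in range(n_requests))


def concurrent_wrong_guesses(verifier: ResetCodeVerifier, account: str, n: int) -> Counter:
    """Send n wrong guesses at once from n addresses; returns how each was classified."""
    def one(i: int) -> str:
        return verifier.verify(account, f"{i:0{CODE_LENGTH}d}", f"203.0.113.{i}")
    with ThreadPoolExecutor(max_workers=n) as pool:
        return Counter(pool.map(one, range(n)))


if __name__ == "__main__":
    print("per-IP limiter admitted:", admitted_with_ip_rotation(PerIpLimiter(50), 2000, 100), "of 2000")
    v = ResetCodeVerifier(max_attempts=3)
    v.issue("victim", code="999999")
    print("per-code verifier under concurrency:", dict(concurrent_wrong_guesses(v, "victim", 40)))
```

The per-code budget is the property that matters: 200,000 guesses against one code cannot look like 200,000 well-behaved clients. Counting before comparing, inside the lock, is what closes the race; a design that reads the counter, compares, and then writes the counter back lets every in-flight request see the same pre-increment value.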

To protect your accounts against several types of online attacks, as well as to reduce your chances of being compromised when attackers directly target vulnerable applications, users are strongly advised to enable “two-factor authentication,” which can prevent hackers from accessing your accounts even if they somehow manage to steal your passwords.

iOS URL Scheme Could Let App-in-the-Middle Attackers Hijack Your Accounts

Security researchers have illustrated a new app-in-the-middle attack that could allow a malicious app installed on an iOS device to steal sensitive information from other apps by exploiting certain implementations of the Custom URL Scheme.

By default on Apple’s iOS operating system, every app runs inside a sandbox of its own, which prevents apps installed on the same device from accessing each other’s data.

However, Apple offers some methods that facilitate sending and receiving very limited data between applications.

One such mechanism, the URL Scheme, also known as deep linking, allows developers to let users launch their apps through URLs such as facetime://, whatsapp://, or fb-messenger://.

For example, when you click “Sign in with Facebook” within an e-commerce app, it directly launches the Facebook app installed on your device and automatically processes the authentication.

In the background, the e-commerce app actually triggers the URL Scheme for the Facebook app (fb://) and passes some context information required to process your login.

Researchers at Trend Micro noticed that since Apple does not explicitly define which app may use which keywords for its Custom URL Scheme, multiple apps on an iOS device can register the same URL Scheme, which could eventually trigger and pass sensitive data to a completely different app, unexpectedly or maliciously.

“This vulnerability is particularly critical if the login process of app A is associated with app B,” the researchers said.

To demonstrate this, the researchers illustrated an attack scenario, shown in the image above, using the example of the Chinese retailer app “Suning” and its implementation of the “Login with WeChat” feature, explaining how it is susceptible to attack.

In short, when Suning app users choose to access their e-commerce account using WeChat, the app generates a login request and sends it to the WeChat app installed on the same device using the iOS URL Scheme for the messaging app. The WeChat app then requests a secret login token from its server and sends it back to the Suning app for authentication.

The researchers found that since Suning always uses the same login-request query to request the secret token, and WeChat does not authenticate the source of the login request, the implementation is vulnerable to an app-in-the-middle attack via the iOS URL Scheme, eventually allowing attackers to gain unauthorized access to users’ accounts.

“With the legitimate WeChat URL Scheme, a fake-WeChat can be crafted, and Suning will query the fake one for Login-Token. If the Suning app sends the query, then the fake app can capture its Login-Request URL Scheme.

“WeChat recognizes it, but it will not authenticate the source of the Login-Request. Instead, it will directly respond with a Login-Token to the source of the request. Unfortunately, the source could be a malicious app that is abusing the Suning URL scheme.”

That means a malicious app with the same Custom URL Scheme as a targeted application can trick other apps into sharing users’ sensitive data with it, or can perform unauthorized actions, potentially resulting in loss of privacy, billing fraud, or exposure to pop-up ads.

“In our research, plenty of apps that our system audited were found taking advantage of this feature to show ads to victims. Potentially malicious apps would intentionally claim the URL Scheme associated with popular apps: wechat://, line://, fb://, fb-messenger://, etc. We identified some of these malicious apps,” the researchers said.

Since the exploitability of this vulnerability depends entirely on how a URL Scheme has been implemented, app developers and popular platforms are recommended to review their apps and validate their fixes for untrusted requests.

Facebook to Pay $5 Billion Fine to Settle FTC Privacy Investigation

After months of negotiations, the United States Federal Trade Commission (FTC) has approved a record $5 billion settlement with Facebook over its privacy investigation into the Cambridge Analytica scandal.

The settlement will put an end to a wide-ranging probe that began more than a year ago and centers on the violation of a 2011 agreement Facebook made with the FTC, which required Facebook to gain explicit consent from users before sharing their personal data.

The FTC launched an investigation into the social media giant last year after it was revealed that the company allowed Cambridge Analytica access to the personal data of around 87 million Facebook users without their explicit consent.

Now, according to a new report published by the Wall Street Journal, the FTC commissioners this week finally voted to approve a $5 billion settlement, with three Republicans voting to approve the deal and two Democrats against it.

Facebook anticipated the fine to be between $3 billion and $5 billion and had already set aside $3 billion for it this spring, when the company released its first-quarter 2019 financial earnings report.

Despite all the criticism Facebook recently faced over its mishandling of users’ data, the company’s earnings and user base are continually increasing, with Facebook bringing in over $15 billion in revenue for the first quarter of 2019 alone. The social network also added 39 million daily active users to its platform.

Though the $5 billion fine amounts to just one month’s worth of Facebook’s revenue, it is the biggest fine the FTC has imposed to date, far bigger than the $22.5 million fine levied against Google in 2012 for allegedly violating an agreement to improve its privacy practices.

“This fine is a fraction of Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect user data,” Representative David Cicilline, a Democrat and chair of a congressional antitrust panel, said on Twitter, calling the penalty “a Christmas present five months early.”

“This reported $5 billion penalty is barely a tap on the wrist, not even a slap,” Senator Richard Blumenthal (D-Connecticut), a Democrat, said in a statement. “Such a financial punishment for purposeful, blatant illegality is chump change for a company that makes tens of billions of dollars every year.”

The FTC has not announced the settlement deal publicly, as the agreement still needs approval from the U.S. Department of Justice.

Not just the FTC: the UK’s Information Commissioner’s Office (ICO) has also imposed a £500,000 (over $628,000) fine on Facebook over the Cambridge Analytica scandal.

Zoom Video Conferencing for macOS Also Vulnerable to Critical RCE Flaw

The chaos and panic created earlier this week by the disclosure of a privacy vulnerability in the highly popular and widely used Zoom video conferencing software is not over yet.

As suspected, it turns out that the core issue, a local web server installed by the software, was not just allowing any website to turn on your device’s webcam; it could also allow hackers to take complete control of your Apple Mac computer remotely.

Reportedly, the cloud-based Zoom meeting platform for macOS has also been found vulnerable to another severe flaw (CVE-2019-13567) that could allow remote attackers to execute arbitrary code on a targeted system just by convincing users to visit an innocent-looking web page.

As explained in our previous report by Swati Khandelwal, the Zoom conferencing app contained a critical vulnerability (CVE-2019-13450) in the way its click-to-join feature is implemented, which automatically turns on users’ webcam when they visit an invite link.

Both vulnerabilities stem from a controversial local web server, listening on port 19421, that the Zoom client installs on users’ computers to offer the click-to-join feature.

Security researcher Jonathan Leitschuh highlighted two main issues: first, the local server “insecurely” receives commands over HTTP, allowing any website to interact with it, and second, it is not uninstalled when users remove the Zoom client from their systems, leaving them vulnerable forever.

Immediately after receiving heavy criticism from all sides, the company released an emergency update for its software that removes the vulnerable web server (the ZoomOpener daemon) altogether.

However, the software update cannot protect former customers who no longer use the software but unknowingly still have the vulnerable web server running on their systems.

Worryingly, according to an advisory published by the National Vulnerability Database (NVD), the newly discovered RCE flaw also works against users who have already uninstalled the conferencing software but whose web server is still active and listening on port 19421.

Meanwhile, to help its users, Apple surprisingly stepped in yesterday and silently pushed an update to all macOS users that automatically removes the Zoom web server without requiring any user interaction, regardless of whether they are still using the conferencing software.

The technical details of the new remote code execution flaw in the Zoom client for macOS are not yet available, but Jonathan and other researchers have confirmed and demonstrated a working proof-of-concept exploit, as shown in the video above.

We will share more details on this new RCE flaw with our readers through The Hacker News official Twitter account, as soon as they are available.

To protect against both vulnerabilities, Zoom users are strongly recommended to install the latest system updates and immediately upgrade to Zoom client version 4.4.53932.0709, or simply uninstall the software and use only the browser version of the meeting client.
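Because the article's point is that uninstalling the client did not remove the local web server, an administrator or a former user wants a quick way to tell whether anything is still accepting connections on port 19421. The check below is an added example, not code from Zoom, Apple or the researchers; it only opens and closes a TCP connection on the loopback address and sends no commands to whatever answers. The port number comes from the article; the verdict strings and the `self_check` helper (which stands up a throwaway listener to prove the probe works) are constructed for the example.

```python
import socket

# Added detection helper. Port 19421 is the local web server port named in
# the article; everything else here is constructed for the illustration.
ZOOM_LOCAL_PORT = 19421


def port_is_listening(port: int, host: str = "127.0.0.1",
                      timeout: float = 0.5) -> bool:
    """Return True if a TCP listener on host:port accepts a connection.

    Only the TCP handshake is performed; nothing is sent to the service.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def zoom_listener_status(port: int = ZOOM_LOCAL_PORT) -> str:
    """Verdict a support or inventory script could log for this machine."""
    if port_is_listening(port):
        return (f"a local service is listening on port {port}; apply the "
                "system update, upgrade or uninstall the Zoom client, then "
                "re-run this check")
    return f"nothing is listening on port {port}"


def self_check() -> tuple:
    """Prove the probe works: a throwaway listener must read (True, False).

    Binds an ephemeral loopback port, checks it, closes it, checks again.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    probe.listen(1)
    port = probe.getsockname()[1]
    while_open = port_is_listening(port)
    probe.close()
    after_close = port_is_listening(port)
    return while_open, after_close


if __name__ == "__main__":
    print("probe self-check (expect (True, False)):", self_check())
    print(zoom_listener_status())
```

A positive result says only that something is listening on that port, not which program; on macOS the next step is to confirm the owning process (the article names the ZoomOpener daemon) before deciding whether the Zoom updates or Apple's silent update have already taken effect.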