Security

Microsoft Edge, Google Chrome Enhanced Spellcheck Feature Exposes Passwords (neowin.net)

Recent research from the otto-js Research Team has uncovered that data being checked by both Microsoft Editor and the enhanced spellcheck setting within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything that is typed into a text box that is checked by these features. Neowin reports: As an additional note, even passwords can be sent by these features, but only when a 'Show Password' button is pressed, which converts the password into visible text, which is then checked. The key issue revolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure.

Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update. The issue has already been dubbed 'spell-jacking'. What's most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realising it. The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft. At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved.

Businesses

Adobe-Figma Deal Likely To Attract Antitrust Scrutiny (axios.com)

An anonymous reader quotes a report from Axios: Some users of Figma's design software reacted with dismay on Thursday when they found out the company was going to be acquired by Adobe, the unloved giant in the space. Other observers immediately concluded that the acquisition looks downright illegal under antitrust laws.

Why it matters: The Biden administration is on the record as wanting to beef up antitrust enforcement. The Figma deal, at $20 billion, is certainly large enough to grab the attention of regulators. The big question is whether they'll conclude that suing to block it is a case they can win. Either the Department of Justice or the Federal Trade Commission could review the merger; both have taken a renewed interest in software and digital mergers.

Between the lines: The Clayton Antitrust Act says any acquisition that would reduce competition in an industry is illegal. Figma was founded as an Adobe competitor and has grown impressively by doing exactly that -- implying there's a case to be made that this acquisition is anti-competitive. Insofar as Adobe is already the dominant player in the space, any acquisition, let alone a $20 billion one, will be looked at carefully.

"The fact that Adobe is not typically identified as a Big Tech platform should provide [Adobe and Figma] with little if any comfort," Charles Rule, a partner at the Rule Garza Howley law firm and former DOJ antitrust official, tells Axios. "This deal appears to raise straightforward, traditional antitrust issues," he says.

"There's enough here to get a close look, and maybe a complaint," adds a former FTC antitrust official. Another former FTC attorney tells Axios to expect a thorough initial investigation into possible overlaps.

Crime

Judge Overturns Murder Conviction of Adnan Syed of 'Serial' Podcast (independent.co.uk)

A Maryland judge has overturned the murder conviction of Adnan Syed, in the latest twist to the case at the center of the hit podcast series Serial. From a report: Baltimore City Circuit Judge Melissa Phinn vacated the 41-year-old's conviction and granted him a new trial on Monday, ordering his release after more than 23 years behind bars. The move came after prosecutors made a request for his release on Wednesday saying that "the state no longer has confidence in the integrity of the conviction." Prosecutors said that an almost year-long investigation had cast doubts about the validity of cellphone tower data and uncovered new information about the possible involvement of two alternate unnamed suspects.

Syed was convicted in 2000 of first-degree murder, robbery, kidnapping and imprisonment of his ex-girlfriend Hae Min Lee. Lee, 18, vanished after leaving her high school on 13 January 1999. Her strangled body was found in a shallow grave in a Baltimore park around a month later. Syed has always maintained his innocence.

In a tweet shortly after the ruling was made, Serial tweeted: "Sarah was at the courthouse when Adnan was released, a new episode is coming tomorrow morning."

Privacy

Kiwi Farms Breached; Assume Passwords, Emails, IP Addresses Have Leaked (arstechnica.com)

ArsTechnica reports: The head of Kiwi Farms said the site experienced a breach that allowed hackers to access his administrator account and possibly the accounts of all other users. On the site, creator Joshua Moon wrote: "The forum was hacked. You should assume the following. Assume your password for the Kiwi Farms has been stolen. Assume your email has been leaked. Assume any IP you've used on your Kiwi Farms account in the last month has been leaked."

Moon said that the unknown individual or individuals behind the hack gained access to his admin account by using a technique known as session hijacking, in which an attacker obtains the authentication cookies a site sets after an account holder enters valid credentials and successfully completes any two-factor authentication requirements. The session hijacking was made possible after uploading malicious content to XenForo, a site Kiwi Farms uses to power its user forums.

Privacy

Clearview AI, Used by Police To Find Criminals, Now in Public Defenders' Hands (nytimes.com)

After a Florida man was accused of vehicular homicide, his lawyer used Clearview AI's facial recognition software to prove his innocence. But other defense lawyers say Clearview's offer rings hollow. From a report: It was the scariest night of Andrew Grantt Conlyn's life. He sat in the passenger seat of a two-door 1997 Ford Mustang, clutching his seatbelt, as his friend drove approximately 100 miles per hour down a palm tree-lined avenue in Fort Myers, Fla. His friend, inebriated and distraught, occasionally swerved onto the wrong side of the road to pass cars that were complying with the 35 mile-an-hour speed limit. "Someone is going to die tonight," Mr. Conlyn thought. And then his friend hit a curb and lost control of the car. The Mustang began spinning wildly, hitting a light pole and three palm trees before coming to a stop, the passenger's side against a tree. At some point, Mr. Conlyn blacked out. When he came to, his friend was gone, the car was on fire and his seatbelt buckle was jammed. Luckily, a good Samaritan intervened, prying open the driver's side door and pulling Mr. Conlyn out of the burning vehicle.

Mr. Conlyn didn't learn his savior's name that Wednesday night in March 2017, nor did the police, who came to the scene and found the body of his friend, Colton Hassut, in the bushes near the crash; he'd been ejected from the car and had died. In the years that followed, the inability to track down that good Samaritan derailed Mr. Conlyn's life. If Clearview AI, which is based in New York, hadn't granted his lawyer special access to a facial recognition database of 20 billion faces, Mr. Conlyn might have spent up to 15 years in prison because the police believed he had been the one driving the car. For the last few years, Clearview AI's tool has been largely restricted to law enforcement, but the company now plans to offer access to public defenders. Hoan Ton-That, the chief executive, said this would help "balance the scales of justice," but critics of the company are skeptical given the legal and ethical concerns that swirl around Clearview AI's groundbreaking technology. The company scraped billions of faces from social media sites, such as Facebook, LinkedIn and Instagram, and other parts of the web in order to build an app that seeks to unearth every public photo of a person that exists online.

Crime

South Korean Prosecutors Say Do Kwon 'Obviously on the Run', Ask Interpol To Issue Red Notice (techcrunch.com)

South Korean prosecutors have refuted Do Kwon's claim from over the weekend that he is not on the run and asked Interpol to issue a red notice against the Terraform Labs co-founder, escalating the publicly playing out drama following the $40 billion wipeout of his cryptocurrency startup in May this year. From a report: The Seoul Southern District Prosecutor's Office said that Kwon was not cooperating with the investigation and had told them (through his lawyer last month) that he had no intention to appear for questioning, according to official statements cited by local media Yonhap. The prosecutors have asked Seoul's foreign ministry to revoke Kwon's passport and said they have "circumstantial evidence" that Kwon is attempting to escape. An Interpol red notice, which is a call to law enforcement worldwide, can prevent individuals from being issued visas, restrict their cross-border travel, and "provisionally arrest a person pending extradition, surrender or similar legal action." Over the weekend, Kwon claimed he was not on the run from any government agency that had "shown interest to communication." He added in a tweet: "We are in full cooperation and we don't have anything to hide."

Government

The US Treasury Recommends Exploring Creation of a 'Digital Dollar' (usnews.com)

Some news Friday from the Associated Press. "The Biden administration is moving one step closer to developing a central bank digital currency, known as the digital dollar, saying it would help reinforce the U.S. role as a leader in the world financial system." The White House said on Friday that after President Joe Biden issued an executive order in March calling on a variety of agencies to look at ways to regulate digital assets, the agencies came up with nine reports, covering cryptocurrency impacts on financial markets, the environment, innovation and other elements of the economic system.

Treasury Secretary Janet Yellen said one Treasury recommendation is that the U.S. "advance policy and technical work on a potential central bank digital currency, or CBDC, so that the United States is prepared if CBDC is determined to be in the national interest.... Right now, some aspects of our current payment system are too slow or too expensive," Yellen said on a Thursday call with reporters laying out some of the findings of the reports....

According to the Atlantic Council nonpartisan think tank, 105 countries representing more than 95% of global gross domestic product already are exploring or have created a central bank digital currency. The council found that the U.S. and the U.K. are far behind in creating a digital dollar or its equivalent.... Several [U.S. agency] reports will come out in the next weeks and months.

Eswar Prasad, a trade professor at Cornell who studies the digitization of currencies, said Treasury's report "takes a positive view about how a digital dollar might play a useful role in increasing payment options for individuals and businesses" while acknowledging the risks of its development. He said the report sets the stage for the creation of agency regulations and legislation "that can improve the benefit-risk tradeoff associated with cryptocurrencies and related technologies."

A statement from the U.S. White House cautions that the report does not make any decisions "regarding particular design choices for a potential U.S. CBDC system." Instead, the 58-page document analyzes 18 different choices for technical designs, and according to its introductory paragraph, "makes recommendations on how to prepare the U.S. Government for a U.S. CBDC system."

But "it does not make an assessment or recommendation about whether a U.S. CBDC system should be pursued."

Transportation

GPS Jammers Are Being Used to Hijack Trucks and Down Drones (zdnet.com)

The world's freight-carrying trucks and ships use GPS-based satellite tracking and navigation systems, reports ZDNet. But "Criminals are turning to cheap GPS jamming devices to ransack the cargo on roads and at sea, a problem that's getting worse...." Jammers work by overpowering GPS signals by emitting a signal at the same frequency, just a bit more powerful than the original. The typical jammers used for cargo hijackings are able to jam frequencies from up to 5 miles away rendering GPS tracking and security apparatuses, such as those used by trucking syndicates, totally useless. In Mexico, jammers are used in some 85% of cargo truck thefts. Statistics are harder to come by in the United States, but there can be little doubt the devices are prevalent and widely used. Russia is currently availing itself of the technology to jam commercial planes in Ukraine.

As we've covered, the proliferating commercial drone sector is also prey to attack.... During a light show in Hong Kong in 2018, a jamming device caused 46 drones to fall out of the sky, raising public awareness of the issue.

While the problem is getting worse, the article also notes that companies are developing anti-jamming solutions for drone receivers, "providing protection and increasing the resiliency of GPS devices against jamming attacks.

"By identifying and preventing instances of jamming, fleet operators are able to prevent cargo theft."

Censorship

Do America's Free-Speech Protections Protect Code - and Prevent Cryptocurrency Regulation? (marketplace.org)

The short answers are "yes" and "no." America's Constitution prohibits government intervention into public expression, reports the business-news radio show Marketplace, "protecting free speech and expression through, for example.... writing, protesting and coding languages like JavaScript, HTML, Python and Perl."

Specifically protecting code started with the 1995 case of cryptographer Daniel Bernstein, who challenged America's "export controls" on encryption (which regulated it like a weapon). But they also spoke to technology lawyer Kendra Albert, a clinical instructor at Harvard Law School's Cyberlaw Clinic, about the specific parameters of how America protects code as a form of expression: Albert: I think that the reality was that the position that code was a form of expression is in fact supported by a long history of First Amendment law. And that it, you know, is very consistent with how we see the First Amendment interpreted across a variety of contexts.... [O]ne of the questions courts ask is whether a regulation or legislation or a government action is specifically targeting speech, or whether the restrictions on speech are incidental, but not the overall intention. And that's actually one of the places you see kind of a lot of these difficulties around code as speech. The nature of many kinds of regulation may mean that they restrict code because of the things that particular forms of software code do in the world. But they weren't specifically meant to restrict the expressive conduct. And courts end up then having to sort of go through a test that was originally developed in the context of someone burning a draft card to figure out — OK, is this regulation, is the burden that it has on this form of expressive speech so significant that we can't regulate in this way? Or is this just not the focus, and the fact that there are some restrictions on speech as a result of the government attempting to regulate something else should not be the focus of the analysis?

Q: Congress and federal agencies as well as some states are looking to tighten regulations around cryptocurrencies and blockchain technology. What role do you think the idea of code as speech will play in this environment moving forward?

Albert: The reality is that the First Amendment is not a total bar to regulation of speech. It requires the government meet a higher standard for regulating certain kinds of speech. That runs, to some extent, in conflict with how people imagine what "code is speech" does as sort of a total restriction on the regulation of software, of code, because it has expressive content. It just means that we treat code similarly to how we treat other forms of expression, and that the government can regulate them under certain circumstances.

United Kingdom

Serial Thief Steals Thousands Using Cellphones (and Credit Cards) from Gym Locker Rooms (bbc.com)

Long-time Slashdot reader n3hat writes: The BBC reports that a thief has been emptying gym patrons' accounts by stealing their bank card and mobile phone, registering the account to the thief's own mobile, and emptying the victims' bank accounts. The thief works around 2-factor authentication by taking advantage of the victim's phone having been configured to show notifications on the lock screen, so the thief can view the 2FA credential even though they don't have the unlock code.

The article gives instructions on how to disable notifications on the lock screen, for both iPhone and Android.

Twitter

Elon Musk Amends Twitter Suit to Claim Fraud After Whistleblower's Allegations (nbcnews.com)

Reuters reports: Billionaire Elon Musk accused Twitter of fraud by concealing serious flaws in the social media company's data security, which the entrepreneur said should allow him to end his $44 billion deal for the company, according to a Thursday court filing. Musk, the world's richest person, amended his previously filed lawsuit by adopting allegations by a Twitter whistleblower, who told Congress on Tuesday of meddling on the influential social media platform by foreign agents.

The chief executive of electric vehicle maker Tesla also alleged that Twitter hid from him that it was not complying with a 2011 agreement with the Federal Trade Commission regarding user data.

"Needless to say, the newest revelations make undeniably clear that the Musk Parties have the full right to walk away from the Merger Agreement — for numerous independently sufficient reasons," said the amended countersuit.

Twitter's lawyers countered that the whistleblower claims weren't sufficient grounds for terminating the deal, according to the article. And they added that the whistleblower was in fact fired for poor performance, and that while they've investigated the whistleblower's allegations internally they were found to have no merit.

They also disagree with Musk's characterization of the allegations as proving "fraud" and "breach of contract."

Security

LastPass Says Hackers Had Internal Access For Four Days (bleepingcomputer.com)

LastPass says the attacker behind the August security breach had internal access to the company's systems for four days until they were detected and evicted. BleepingComputer reports: In an update to the security incident notification published last month, Lastpass' CEO Karim Toubba also said that the company's investigation (carried out in partnership with cybersecurity firm Mandiant) found no evidence the threat actor accessed customer data or encrypted password vaults. "Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults," Toubba said.

While the method through which the attacker was able to compromise a LastPass developer's endpoint to access the Development environment remains unknown, the investigation found that the threat actor was able to impersonate the developer after he "had successfully authenticated using multi-factor authentication." After analyzing source code and production builds, the company has also not found evidence that the attacker tried to inject malicious code. This is likely because only the Build Release team can push code from Development into Production, and even then, Toubba said the process involves code review, testing, and validation stages. Additionally, he added that the LastPass Development environment is "physically separated from, and has no direct connectivity to" LastPass' Production environment.

The company says it has since "deployed enhanced security controls including additional endpoint security controls and monitoring," as well as additional threat intelligence capabilities and enhanced detection and prevention technologies in both Development and Production environments.

Piracy

Telecom Giants Sued for Failing To Stop Movie Piracy (hollywoodreporter.com)

Verizon Wireless, AT&T and Comcast were hit with copyright lawsuits accusing them of turning a blind eye to customers who illegally distribute and download pirated films. The production companies seek to force the internet providers to implement policies that provide for the termination of accounts held by repeat offenders and to block certain piracy websites. Hollywood Reporter: The trio of complaints filed throughout September, with the most recent filed Tuesday in Pennsylvania federal court, come from Voltage Pictures, After Productions and Ammo Entertainment, among others. Two law firms, Dovel & Luner and Culpepper IP, are representing the production labels. The internet providers knowingly contributed to copyright infringement by their customers, the lawsuits claim. Plaintiffs say they sent Verizon, AT&T and Comcast hundreds of thousands of notices about specific instances of infringement. They claim, for example, to have sent over 100,000 notices to Comcast concerning the illegal downloading of I Feel Pretty using its services. The lawsuit seeks to hold the internet providers liable for failing to investigate.

"Comcast did not take meaningful action to prevent ongoing infringements by these Comcast users," states the complaint. "Comcast failed to terminate the accounts associated with these IP addresses or otherwise take any meaningful action in response to these Notices. Comcast often failed to even forward the Notices to its internet service customers or otherwise inform them about the Notice or its contents." The internet providers, therefore, vicariously infringed on plaintiffs' movies since they had the right to terminate the accounts of customers who violate copyright law, the suit alleges. The Digital Millennium Copyright Act, passed in 1988, criminalizes services intended to circumvent measures that control access to copyrighted works. It provides protection from liability for services providers. But the production companies argue the internet providers don't have safe harbor under the law since it only shields companies if they've adopted and implemented policies that provide for the termination of accounts held by repeat offenders.

Chrome

Chrome for Android Gets Fingerprint-Protected Incognito Tabs (arstechnica.com)

An anonymous reader shares a report: Here's a fun new feature for Chrome for Android: fingerprint-protected Incognito tabs. 9to5Google discovered the feature in the Chrome 105 stable channel, though you'll have to dig deep into the settings to enable it at the moment. If you want to add a little more protection to your private browsing sessions, type "chrome://flags/#incognito-reauthentication-for-android" into the address bar and hit enter. After enabling the flag and restarting Chrome, you should see an option to "Lock Incognito tabs when you leave Chrome." If you leave your Incognito session and come back, an "unlock Incognito" screen will appear instead of your tabs, and you'll be asked for a fingerprint scan.

Privacy

Record Chinese Cyber Breach Spurs Eruption in Data for Sale (bloomberg.com)

Since the data of roughly 1 billion Chinese citizens appeared for sale on a popular dark web forum in June, researchers have observed a surge in other kinds of personal records from China appearing on cybercriminal marketplaces. From a report: In the aftermath of that record leak, an estimated 290 million records about people in China surfaced on an underground bazaar known as Breach Forums in July, according to Group-IB, a cybersecurity firm based in Singapore. In August, one seller hawked personal information belonging to nearly 50 million users of Shanghai's mandatory health code system, used to enforce quarantine and testing orders. The alleged hoard included names, phone numbers, IDs and their Covid status -- for the price of $4,000.

"The forum has never seen such an influx of Chinese users and interest in Chinese data," said Feixiang He, a researcher at Group-IB. "The number of attacks on Chinese users may grow in the near future." Bloomberg was unable to confirm the authenticity of the datasets for sale on Breach Forums. The website, like other markets where illicit goods are sold, has been home to false advertisements meant to generate attention, as well as legitimate data apparently stolen in security incidents, including an instance where users marketed user information taken from Twitter.

Privacy

Customs Officials Have Copied Americans' Phone Data at Massive Scale (washingtonpost.com)

SpzToid writes: U.S. government officials are adding data from as many as 10,000 electronic devices each year to a massive database they've compiled from cellphones, iPads and computers seized from travelers at the country's airports, seaports and border crossings, leaders of Customs and Border Protection told congressional staff in a briefing this summer. The rapid expansion of the database and the ability of 2,700 CBP officers to access it without a warrant -- two details not previously known about the database -- have raised alarms in Congress about what use the government has made of the information, much of which is captured from people not suspected of any crime. CBP officials told congressional staff the data is maintained for 15 years.

Details of the database were revealed Thursday in a letter to CBP Commissioner Chris Magnus from Sen. Ron Wyden (D-Ore.), who criticized the agency for "allowing indiscriminate rifling through Americans' private records" and called for stronger privacy protections. The revelations add new detail to what's known about the expanding ways that federal investigators use technology that many Americans may not understand or consent to. Agents from the FBI and Immigration and Customs Enforcement, another Department of Homeland Security agency, have run facial recognition searches on millions of Americans' driver's license photos. They have tapped private databases of people's financial and utility records to learn where they live. And they have gleaned location data from license-plate reader databases that can be used to track where people drive.

Social Networks

TikTok Won't Commit To Stopping US Data Flows To China (cnn.com)

TikTok repeatedly declined to commit to US lawmakers on Wednesday that the short-form video app will cut off flows of US user data to China, instead promising that the outcome of its negotiations with the US government "will satisfy all national security concerns." From a report: Testifying before the Senate Homeland Security Committee, TikTok Chief Operating Officer Vanessa Pappas first sparred with Sen. Rob Portman over details of TikTok's corporate structure before being confronted -- twice -- with a specific request. "Will TikTok commit to cutting off all data and data flows to China, China-based TikTok employees, ByteDance employees, or any other party in China that might have the capability to access information on US users?" Portman asked.

The question reflects bipartisan concerns in Washington about the possibility that US user data could find its way to the Chinese government and be used to undermine US interests, thanks to a national security law in that country that compels companies located there to cooperate with data requests. US officials have expressed fears that China could use Americans' personal information to identify useful potential agents or intelligence targets, or to inform future mis- or disinformation campaigns. TikTok does not operate in China, Pappas said, though it does have an office in China. TikTok is owned by ByteDance, whose founder is Chinese and has offices in China. [...] Pappas affirmed in Wednesday's hearing that the company has said, on record, that its Chinese employees do have access to US user data. She also reiterated that TikTok has said it would "under no circumstances ... give that data to China" and denied that TikTok is in any way influenced by China. However, she avoided saying whether ByteDance would keep US user data from the Chinese government or whether ByteDance may be influenced by China.

Censorship

There's No Tiananmen Square In the New Chinese Image-Making AI (technologyreview.com)

An anonymous reader quotes a report from MIT Technology Review: There's a new text-to-image AI in town. With ERNIE-ViLG, a new AI developed by the Chinese tech company Baidu, you can generate images that capture the cultural specificity of China. It also makes better anime art than DALL-E 2 or other Western image-making AIs. But there are many things -- like Tiananmen Square, the country's second-largest city square and a symbolic political center -- that the AI refuses to show you. When a demo of the software was released in late August, users quickly found that certain words -- both explicit mentions of political leaders' names and words that are potentially controversial only in political contexts -- were labeled as "sensitive" and blocked from generating any result. China's sophisticated system of online censorship, it seems, has extended to the latest trend in AI. It's not rare for similar AIs to limit users from generating certain types of content. DALL-E 2 prohibits sexual content, faces of public figures, or medical treatment images. But the case of ERNIE-ViLG underlines the question of where exactly the line between moderation and political censorship lies.

The ERNIE-ViLG model is part of Wenxin, a large-scale project in natural-language processing from China's leading AI company, Baidu. It was trained on a data set of 145 million image-text pairs and contains 10 billion parameters -- the values that a neural network adjusts as it learns, which the AI uses to discern the subtle differences between concepts and art styles. That means ERNIE-ViLG has a smaller training data set than DALL-E 2 (650 million pairs) and Stable Diffusion (2.3 billion pairs) but more parameters than either one (DALL-E 2 has 3.5 billion parameters and Stable Diffusion has 890 million). Baidu released a demo version on its own platform in late August and then later on Hugging Face, the popular international AI community. The main difference between ERNIE-ViLG and Western models is that the Baidu-developed one understands prompts written in Chinese and is less likely to make mistakes when it comes to culturally specific words.

But ERNIE-ViLG will be defined, as the other models are, by what it allows. Unlike DALL-E 2 or Stable Diffusion, ERNIE-ViLG does not have a published explanation of its content moderation policy, and Baidu declined to comment for this story. When the ERNIE-ViLG demo was first released on Hugging Face, users inputting certain words would receive the message "Sensitive words found. Please enter again (...)," which was a surprisingly honest admission about the filtering mechanism. However, since at least September 12, the message has read "The content entered doesn't meet relevant rules. Please try again after adjusting it. (...)" In a test of the demo by MIT Technology Review, a number of Chinese words were blocked: names of high-profile Chinese political leaders like Xi Jinping and Mao Zedong; terms that can be considered politically sensitive, like "revolution" and "climb walls" (a metaphor for using a VPN service in China); and the name of Baidu's founder and CEO, Yanhong (Robin) Li. While words like "democracy" and "government" themselves are allowed, prompts that combine them with other words, like "democracy Middle East" or "British government," are blocked. Tiananmen Square in Beijing also can't be found in ERNIE-ViLG, likely because of its association with the Tiananmen Massacre, references to which are heavily censored in China.

Giada Pistilli, a principal ethicist at Hugging Face, says it could be helpful for the developer of ERNIE-ViLG to release a document explaining the moderation decisions. "Is it censored because it's the law that's telling them to do so? Are they doing that because they believe it's wrong? It always helps to explain our arguments, our choices," says Pistilli.

"Despite the built-in censorship, ERNIE-ViLG will still be an important player in the development of large-scale text-to-image AIs," concludes the report. "The emergence of AI models trained on specific language data sets makes up for some of the limitations of English-based mainstream models. It will particularly help users who need an AI that understands the Chinese language and can generate accurate images accordingly."

"Just as Chinese social media platforms have thrived in spite of rigorous censorship, ERNIE-ViLG and other Chinese AI models may eventually experience the same: they're too useful to give up."

Privacy

Breach of Software Maker Used To Backdoor Ecommerce Servers (arstechnica.com) 9

An anonymous reader quotes a report from Ars Technica: FishPig, a UK-based maker of e-commerce software used by as many as 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security breach of its distribution server that allowed criminals to surreptitiously backdoor customer systems. The unknown threat actors used their control of FishPig's systems to carry out a supply chain attack that infected customer systems using FishPig's fee-based Magento 2 modules with Rekoobe, a sophisticated backdoor discovered in June. Rekoobe masquerades as a benign SMTP server and can be activated by covert commands related to handling the startTLS command from an attacker over the Internet. Once activated, Rekoobe provides a reverse shell that allows the threat actor to remotely issue commands to the infected server.

"We are still investigating how the attacker accessed our systems and are not currently sure whether it was via a server exploit or an application exploit," Ben Tideswell, the lead developer at FishPig, wrote in an email. "As for the attack itself, we are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system. Once inside though, they must have taken a manual approach to select where and how to place their exploit."

FishPig is a seller of Magento-WordPress integrations. Magento is an open source e-commerce platform used for developing online marketplaces. The supply-chain attack only affects paid Magento 2 modules. Tideswell said the last software commit made to its servers that didn't include the malicious code was made on August 6, making that the earliest possible date the breach likely occurred. Sansec, the security firm that discovered the breach and first reported it, said the intrusion began on or before August 19. Tideswell said FishPig has already "sent emails to everyone who has downloaded anything from FishPig.co.uk in the last 12 weeks alerting them to what's happened." Tideswell declined to say how many active installations of its paid software there are. This post indicates that the software has received more than 200,000 downloads, but the number of paid customers is smaller.
In a disclosure published after the Sansec advisory, FishPig describes how the intruders pulled off the intrusion and remained hidden for so long.

Security

Microsoft Teams Stores Auth Tokens As Cleartext In Windows, Linux, Macs (bleepingcomputer.com) 32

Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. BleepingComputer reports: "This attack does not require special permissions or advanced malware to get away with major internal damage," Connor Peoples at cybersecurity company Vectra explains in a report this week. The researcher adds that by taking "control of critical seats -- like a company's Head of Engineering, CEO, or CFO -- attackers can convince users to perform tasks damaging to the organization." Vectra researchers discovered the problem in August 2022 and reported it to Microsoft. However, Microsoft did not agree on the severity of the issue and said that it doesn't meet the criteria for patching.

With a patch unlikely to be released, Vectra's recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks. The researchers advise Linux users to move to a different collaboration suite, especially since Microsoft announced plans to stop supporting the app for the platform by December.
