Security News This Week: The 'Twinning' Site Leaked Selfies
You know what they say, the first hacks of January set the tone for the rest of year. (Wait, no one has ever said that.) But with that in mind, we tried to bring you mostly good news this week.
First up, we explained why Tor, that wondrous anonymizer, is now easier to use than ever. As the world descends further into digital authoritarianism, anonymity networks like Tor become even more important. And thanks to a slew of improvements last year, Tor has become accessible for just about everyone.
We also introduced you to the elite Intel hacking group trying to wrangle two huge internet vulnerabilities known as Spectre and Meltdown. Called STORM, the small team spent most of last year poking at and prototyping all the ways the vulnerabilities could cause real-world harm.
It couldn’t all be fun and games though. Hackers leaked very personal information of German lawmakers, and we explained why 2019 will see a major privacy law showdown in Washington, DC.
In case you’re not emotionally ready for 2019, you can catch up on year-in-review stories from December. We laid out the worst hacks of 2018, and the most dangerous people on the internet last year. 2018 was the year people realized just how powerful, and vulnerable, personal data is. It was also the year of cryptojacking.
But, despite our best wishes, hackers didn’t take the holidays off. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
Viral 'Twinning' Site Leaks Photos
The website PopSugar created a fun site to match your photo with the celebrity you most look like. Called Twinning, it was viral catnip for people over the holidays. If you were online at all at the end of December, you saw people sharing pictures of their face next to the celeb they maybe kinda sorta resemble. It was sort of cute, and harmless—except that is turns out the site was leaking all the selfies people uploaded, leaving them in an Amazon Web Services bucket for anyone to see, TechCrunch reports. The site’s code included the address for said bucket, so TechCrunch was able to watch in real time as people uploaded their faces. After TechCrunch reached out to PopSugar, the media company locked down the AWS bucket.
PewDiePie Fan Hacks Smart TVs Imagine getting a brand new smart TV for Christmas, only for some diehard PewDiePie devotee to hack into it, begin playing videos about PewDiePie, and insist you subscribe to the popular far-right YouTuber’s channel before you can enjoy it. That’s exactly what happened recently to around 4,000 people with Chromecasts and smart TVs exposed to the open internet. The same hacker who broke into printers last year to spread PewDiePie propaganda this time exploited internet-connected TVs. The hackers couched the attacks as a way to “help” the owners of the devices by alerting them to the vulnerabilities in their new gadgets. According to a website the hackers put together, people affected can reset their routers to fix the problem.
That Big Marriott Hack Exposed 5 Million Unencrypted Passport Numbers
In late November of 2018, Marriott revealed than up to 500 million Starwood customers were the victims of a massive hack against the hotel chain. Now the company is reviewing that number down to 383 million customers. It also confirmed that its Starwood hotels hadn’t encrypted the passport information for around five million customers. Those numbers were taken in the breach. Outside experts have pointed at Chinese state hackers as the likely perpetrator here.
The Weather Channel App Is Being Sued for Secretly Mining User Data
Los Angeles Country is suing the IBM-owned company behind one of the most popular weather apps around, alleging that the Weather Channel app surreptitiously “collected, shared, and profited” from the location of Los Angeles residents who were using the app. The New York Times reports that the city attorney for the county filed suit on Thursday. The lawsuit says the company manipulated users into turning on location services without letting them know that the app would use and share that information to turn a profit unrelated to the services of the app. In a statement, IBM said the app had appropriate disclosures.
- Going dumb: my year with a flip phone
- Tor is easier than ever. It's time to give it a try
- The future of crime fighting is family tree forensics
- We're all starting to realize the power of personal data
- This helmet collapses a common bike-sharing problem
- 👀 Looking for the latest gadgets? Check out our picks, gift guides, and best deals all year round
- 📩 Get even more of our inside scoops with our weekly Backchannel newsletter
But between the company's increasingly dismal track record on third-party access limits and a recent incident in which a bug exposed 6.8 million users' photos to third-party developers, it's hard to feel like things are going as well as they could on the user privacy and data management front.Atlanta RansomwareIn March, a ransomware attack locked down the City of Atlanta's digital systems, destabilizing municipal operations.