Weekly News Digest #19

Grindr fined $10m for ‘grave’ GDPR violations by Norwegian privacy watchdog

Grindr, the popular LGBT dating app, has been fined €10 million ($12 million) for GDPR violations by Norway’s data privacy regulator because sensitive user data was apparently shared with third parties without valid consent.

The decision by the Norwegian Data Protection Authority (Datatilsynet) centres on the fact that users had to accept a blanket privacy policy to use the app and were not given a separate opportunity to grant or withhold consent to sharing their data with third parties.

The penalty amounts to around 10% of the company’s worldwide revenues and, if confirmed, will be the highest GDPR fine ever levied by the Datatilsynet.


European Authorities Disrupt Emotet — World’s Most Dangerous Malware

Law enforcement agencies from as many as eight countries dismantled the infrastructure of Emotet, a notorious email-based Windows malware behind several botnet-driven spam campaigns and ransomware attacks.

The coordinated takedown of the botnet on Tuesday — called “Operation Ladybird” — is the result of a joint effort between authorities in the Netherlands, Germany, the U.S., the U.K., France, Lithuania, Canada, and Ukraine to take control of servers used to run and maintain the malware network.

“The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. What made Emotet so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomware, onto a victim’s computer,” Europol said.


Citrix’s $2.3 million settlement offer for employees impacted by data breach approved

Citrix employees whose personal data was stolen in a data breach have secured a $2.275 million settlement.

The class-action lawsuit, involving roughly 24,300 members, will be settled in return for Citrix providing the $2.275 million fund, usable for credit monitoring services, ID theft recovery, and up to $15,000 in reimbursement for expenses and losses per claimant.

Citrix disclosed the data breach in March 2019 after being alerted by the FBI of a possible network intrusion. Cyberattackers had infiltrated the software giant’s internal servers for a period of roughly five months between 2018 and 2019.


Apple fixes another three iOS zero-days exploited in the wild

This week, Apple released security updates for iOS to patch three zero-day vulnerabilities exploited in the wild.

The first zero-day impacts the iOS operating system kernel (CVE-2021-1782), and the other two were discovered in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871).

The iOS kernel bug was described as a race condition that can allow attackers to elevate the privileges of their attack code.

All three zero-days were reported to Apple by an anonymous researcher, and patches are available as part of iOS 14.4.


Potential remote code execution vulnerability uncovered in Node.js apps

A vulnerability in a Node.js web application framework could be exploited to achieve remote code execution (RCE).

Security researcher Shoeb ‘CaptainFreak’ Patel suggests that Express.js may be susceptible to a local file read vulnerability. When combined with an outdated version of the Handlebars templating engine, this flaw could also be exploited to execute malicious code remotely.

In a technical writeup, Patel said that last week, he “stumbled across” a critical local file read security issue which only required a payload of fewer than ten lines of code to turn it into a potential RCE exploit.

