Welcome to the “This Month in Cybersecurity - March 2024” edition.
As we navigate through the evolving digital landscape, March has unveiled crucial insights and developments that underline the critical role of vigilance in cybersecurity and data privacy. From groundbreaking regulatory compliance to emerging vulnerabilities and sophisticated cyber threats, this month’s news underscores the dynamic nature of our digital ecosystem and the constant need for proactive security measures. Let’s dive in!
1. Meta details WhatsApp and Messenger Interoperability to comply with EU’s DMA regulations
Meta plans to allow interoperability between WhatsApp, Messenger, and third-party messaging services in response to the EU’s Digital Markets Act. This integration requires third-party services to adopt Signal Protocol for encryption and XML for messaging, aiming for secure and open communication. A “plug-and-play” model is proposed for easy connection to Meta’s infrastructure. However, there are concerns about losing direct connection signals important for security, such as preventing spam and scams, and the potential exposure of chat metadata through proxy servers.
| Date: | Mar 8, 2024 |
|---|---|
| Source: | The Hacker News |
| Author: | Newsroom |
2. Third-Party ChatGPT Plugins could lead to account takeovers
Cybersecurity researchers have identified vulnerabilities in ChatGPT plugins that could serve as a new attack surface for unauthorized access to sensitive data. These flaws allow for the installation of malicious plugins and account hijackings on platforms like GitHub. Salt Labs highlighted issues like OAuth workflow exploitation and PluginLab vulnerabilities that could enable zero-click account takeovers. Furthermore, new research has demonstrated a side-channel attack on AI assistants that leverages token length to extract encrypted responses, posing significant security risks.

| Date: | Mar 15, 2024 |
|---|---|
| Source: | The Hacker News |
| Author: | Newsroom |
3. “Pay or Okay”: 1,500 € a year for your online privacy?
The European Data Protection Board (EDPB) is reviewing Meta’s “Pay or Okay” system, which charges users to avoid personalized ad tracking, potentially setting a precedent affecting free consent online. This model, already impacting privacy costs in countries like Germany, Spain, and France, threatens the fundamental right to privacy, with costs to avoid tracking potentially exceeding €1,500 annually. The GDPR mandates freely given consent, but the “Pay or Okay” system effectively forces user agreement to tracking, challenging the essence of free consent and privacy rights.
| Date: | Mar 19, 2024 |
|---|---|
| Source: | NOYB |
| Author: | NOYB |
4. Recent ‘MFA Bombing’ attacks targeting Apple users
Apple users have reported sophisticated phishing attacks that exploit what seems to be a flaw in Apple’s password reset feature. Victims face a barrage of system-level prompts on their devices, making them unusable until they respond. The attackers also spoof Apple support calls to obtain a one-time code for resetting the Apple ID password, locking the user out. A significant aspect of the attacks is the exploitation of the phone number associated with the Apple account, indicating that changing this number might mitigate the risk.

| Date: | Mar 26, 2024 |
|---|---|
| Source: | Krebs on Security |
| Author: | Brian Krebs |
5. Thousands of servers hacked in ongoing attack targeting Ray AI framework
Thousands of servers have been compromised in an ongoing attack targeting a vulnerability in Ray, a computing framework used by companies like OpenAI, Uber, and Amazon. The attackers have tampered with AI models, stolen network credentials, installed cryptocurrency miners, and set up reverse shells for remote server control. Ray is an open-source framework intended for scaling AI applications, but its default configuration lacks authentication, making it susceptible to these attacks. Anyscale, Ray’s maintainer, has faced criticism for not addressing this vulnerability adequately, although plans to introduce authentication features are underway.

| Date: | Mar 27, 2024 |
|---|---|
| Source: | Ars Technica |
| Author: | Dan Goodin |
Conclusion
And that wraps up our March 2024 edition of “This Month in Cybersecurity.” We’ve navigated through a landscape brimming with both challenges and advancements in cybersecurity and data privacy, each story shedding light on the critical importance of staying ahead in our digital defense strategies.
We encourage you to share any valuable insights or news articles you come across in the “In the News” section of the passbolt community forum: In the news - Passbolt community forum
Stay safe! Stay secure!