Introduction
This Month in Cybersecurity - October news roundup is here. October has been busy, with new vulnerabilities, privacy violations, and encryption weaknesses coming to light. As always, our aim is to keep you up-to-date on the latest risks and trends affecting your privacy and security. So let’s dive in!
1. Hackers targeted Android users by exploiting zero-day bug in Qualcomm chips
Hackers exploited a zero-day vulnerability in Qualcomm chipsets used in many Android devices, potentially affecting millions of users. The vulnerability, designated CVE-2024-43047, was under limited, targeted exploitation, as confirmed by Google’s Threat Analysis Group and Amnesty International. While details on who was targeted remain unclear, Qualcomm has issued fixes to affected customers as of September 2024, but it’s up to Android device manufacturers to release the patch to users. The flaw impacts 64 Qualcomm chipsets, including the Snapdragon 8 (Gen 1) platform used in popular Android phones.
| Date | Oct 9, 2024 |
|---|---|
| Source | Tech Crunch |
| Author | Lorenzo Franceschi-Bicchierai |
2. Microsoft reveals macOS vulnerability that bypasses privacy controls in Safari Browser
Microsoft disclosed a now-patched vulnerability in Apple’s macOS Transparency, Consent, and Control (TCC) framework, tracked as CVE-2024-44133 and codenamed HM Surf. The flaw allowed attackers to bypass user privacy preferences and access sensitive data like camera, microphone, and location through Safari by modifying configuration files. While Apple fixed the issue in macOS Sequoia 15, Microsoft noted that the exploit was likely tied to known macOS adware activity. The vulnerability impacted Safari, but other third-party browsers remain unaffected due to different entitlements.
| Date | Oct 18, 2024 |
|---|---|
| Source | The Hacker News |
| Author | Ravie Lakshmanan |
3. Researchers discover severe security flaws in major E2EE cloud storage providers
Researchers from ETH Zurich discovered critical cryptographic vulnerabilities in multiple end-to-end encrypted (E2EE) cloud storage platforms, including Sync, pCloud, Icedrive, Seafile, and Tresorit. These flaws, which allow for data tampering, file injection, and plaintext access, could be exploited by a malicious server controlled by an adversary. While some attacks, such as password brute-forcing and metadata tampering, were found across different providers, not all issues have been resolved. Icedrive has opted not to address the flaws, while other providers, including Sync and Tresorit, have taken action to mitigate the vulnerabilities.
| Date | Oct 21, 2024 |
|---|---|
| Source | The Hacker News |
| Author | Ravie Lakshmanan |
4. Here’s an idea, Pinterest: Ask users for their consent before tracking them
noyb has filed a complaint against Pinterest for unlawfully tracking European users for personalized advertising without their consent, in violation of GDPR. Pinterest falsely claims a “legitimate interest” as the legal basis for processing user data, despite a CJEU ruling that prohibits this practice. The platform tracks users by default, requiring an opt-out rather than obtaining explicit opt-in consent. Additionally, Pinterest failed to provide adequate responses to a user’s data access requests, violating GDPR. noyb is calling for Pinterest to erase the data and face fines from France’s data protection authority, CNIL.
| Date | Oct 22, 2024 |
|---|---|
| Source | noyb |
| Author | noyb |
5. AWS, Azure auth keys found in Android and iOS apps used by millions
Symantec has discovered that numerous popular iOS and Android apps contain hardcoded, unencrypted credentials for cloud services like AWS and Microsoft Azure, putting sensitive user data at risk. These security flaws stem from poor development practices, allowing unauthorized access to storage buckets and databases. Popular apps like Pic Stitch, Meru Cabs, and Crumbl are among those affected. The hardcoded keys could allow attackers to manipulate or steal data. Symantec advises developers to follow best practices such as using secrets management tools and conducting regular code audits to avoid such vulnerabilities.
| Date | Oct 22, 2024 |
|---|---|
| Source | Bleeping Computer |
| Author | Bill Toulas |
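As an added illustration of the code-audit practice Symantec recommends (this is example code written for this roundup, not code from the article or from Symantec), the following Python scanner flags hardcoded AWS and Azure storage credentials in app sources or decompiled resources by their well-known shapes. The sample config and its key values are constructed, and the secret-key regex is an assumption about how such values usually appear next to their variable name.

```python
import re
from typing import Dict, List, Tuple

# Credential shapes to look for. AWS long-term access key IDs are 20 characters
# starting with "AKIA"; Azure storage connection strings carry a base64 "AccountKey=".
# The secret-key pattern is an assumption: it looks for the usual variable name
# followed by a 40-character value.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
}

def redact(secret: str) -> str:
    """Keep only the first four characters so a finding can be triaged without re-leaking it."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, redacted_match) for each hit in a text blob."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, redact(match.group(1))))
    return findings

def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan one file on disk, ignoring undecodable bytes in binary resources."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read())

# Constructed sample resembling a decompiled app config; all key values are fake
# (the AWS ones are the documented placeholder keys from AWS's own examples).
SAMPLE = """\
api_base = "https://example.invalid"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
STORAGE = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODkwYWJjZA==;EndpointSuffix=core.windows.net"
"""

if __name__ == "__main__":
    for lineno, name, value in scan_text(SAMPLE):
        print(f"line {lineno}: {name} -> {value}")
```

Run it over an unpacked APK or IPA tree (for example by calling scan_file on each text-like resource) and treat every hit as a credential to rotate, not just to delete.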
6. Fortinet FortiManager flaw exploited in zero-day attacks (CVE-2024-47575)
Fortinet has disclosed CVE-2024-47575, a critical vulnerability in FortiManager exploited as a zero-day. The flaw allows remote attackers to execute commands via unauthenticated requests, affecting multiple FortiManager and FortiAnalyzer versions. Attackers have used it to exfiltrate sensitive data, including IPs and credentials. Fortinet advises updating to patched versions and provides mitigations. The vulnerability has been linked to a threat actor, UNC5820, active since June 2024. While no malware installations were detected, further compromises are possible.
| Date | Oct 24, 2024 |
|---|---|
| Source | Helpnet Security |
| Author | Zeljka Zorz |
7. Apple offers $1 Million bug bounty to anyone who can hack its AI Servers
Apple is offering up to $1 million for security researchers to hack its AI-focused Private Cloud Compute servers, which process complex AI tasks off-device. The servers are designed with privacy in mind, using end-to-end encryption and deleting user data after processing. Researchers are invited to test these claims, with Apple providing access to key code and tools. Rewards include $250,000 for exposing user data and $1 million for executing rogue code. Apple aims to build trust in its system through this initiative.
| Date | Oct 24, 2024 |
|---|---|
| Source | PC Mag |
| Author | Michael Kan |
Conclusion
That concludes ‘This Month in Cybersecurity - October 2024.’
Thanks for tuning in! We hope these short stories help you stay up to date with some of the important developments of the month.
If any story stood out to you or sparked ideas, feel free to jump into the conversation in the Passbolt community forum (In the news - Passbolt community forum).