Microsoft Fined €60 Million Over Advertising Cookies
Read also: Okta’s source code stolen after GitHub hack, Android apps are leaking API keys, and more.
Thursday, December 22, 2022
Microsoft fined €60 million over advertising cookies
France’s National Commission for Technology and Freedoms (CNIL) has fined Microsoft Ireland €60 million for failing to implement a mechanism to allow people refuse cookies as easily as accepting them.
According to the CNIL, when users visited the website bing[.]com, “cookies were deposited on their terminal without their consent, while these cookies were used, among others, for advertising purposes.”
While Microsoft’s search engine offered a button to accept cookies immediately, it did not provide an option to refuse the cookies in the same way, instead, more complex refusal mechanism was present, which “actually discourages users from refusing cookies,” the watchdog said.
Hundreds of Android apps are leaking API keys, putting at risk millions of users
Hundreds of Android apps available on Google Play Store have been found leaking Application Programming Interface (API) keys, putting data of millions of users at risk. Out of 600 apps analyzed, 50% were leaking API keys of three popular transaction and email marketing service providers -Mailgun, MailChimp and SendGrid.
Using these keys threat actors could potentially perform a variety of malicious actions like sending emails, deleting the API keys, and modifying multi-factor authentication (MFA).
The affected apps have been downloaded by 54 million people, mostly in the US, UK, Spain, Russia, and India. All apps’ developers have been notified of the issue.
Ransomware actors devise a new method to bypass MS Exchange ProxyNotShell mitigations
Cybercriminals behind the Play ransomware have been observed using a new exploit chain to bypass ProxyNotShell mitigations and achieve remote code execution on vulnerable Microsoft Exchange servers.
The new exploit chain, dubbed “OWASSRF,” makes use of the CVE-2022-41082 vulnerability (one of the two bugs collectively referred to as “ProxyNotShell”) together with a privilege escalation bug, tracked as CVE-2022-41080 to bypass URL rewrite mitigations that Microsoft provided for ProxyNotShell.
It appears that only Exchange servers using Microsoft’s mitigations are vulnerable, patched servers are not impacted.
Epic Games fined $275 million for violating children’s privacy law
Epic Games, a company behind the popular Fortnite video game, will pay a total of $520 million for privacy violations and engaging in deceptive practices.
Specifically, the US Federal Trade Commission (FTC) has fined the Fortnite maker $275 million for collecting personal data of children under the age of 13 without their parents’ consent, as it is required by the Children’s Online Privacy Protection Act (COPPA). The company has been ordered to adopt strong privacy default settings for children and teens, ensure that voice and text communications are turned off by default, and delete the unlawfully obtained data.
In addition, Epic Games will pay $245 million for tricking millions of players into making unwanted in-game purchases by using a deceptive practice known as “dark patterns.”
Okta source code stolen after its private GitHub repositories were hacked
Hackers compromised private GitHub repository belonging to US-based identity and access management firm Okta and stole the company’s source code.
According to a press release, the incident took place earlier this month and affected Okta Workforce Identity Cloud (WIC) code repositories. The breach was limited only to the source code theft, and did not impact the Okta service or customer data.
What’s next:
- Follow ImmuniWeb on Twitter and LinkedIn
- Explore 20 use cases how ImmuniWeb can help
- Browse open positions to join our great Team
- See the benefits of our partner program
- Request a demo, quote or special price
- Subscribe to our newsletter
Application Security Weekly is a weekly review of the most important news and events in cybersecurity, privacy and compliance. We cover innovative cyber defense technologies, new hacking techniques, data breaches and evolving cyber law. 
