The IT Privacy and Security Weekly Update Plumb the Dumb for the week ending November 29th, 2022


This week you might be forgiven for laughing at some of the coverage until you realize how close it hits to home.

We start with an issue reported back in 2020 that got no response, but could be set to beat the third-largest fine issued so far under GDPR (both to the same company), and end with something done in the name of security so curious, you’ll have to decide what to call it.

From there we pull the covers off a TikTok-related scam that gets its hands on something more tangible than an #invisiblefilter and a popular new app that has unseated TikTok as the most downloaded where it is available.

We have an update on Amazon from the most unlikely of sources, a slap in the chops for Microsoft, and the kneecapping that Apple gave the protesters in China recently.


Some of this week’s update is just really dumb and we are not making excuses. Grab a pipe wrench, and some hot water, and let’s try to figure it out.

Global: That WhatsApp data leak: 500 million user records for sale

On November 16, an actor posted an ad on a well-known hacking community forum, claiming they were selling a 2022 database of 487 million WhatsApp user mobile numbers.

The dataset allegedly contains WhatsApp user data from 84 countries. The threat actor claims there are over 32 million US user records included.

Another huge chunk of phone numbers belongs to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).

The dataset for sale also allegedly has nearly 10 million Russian and over 11 million UK citizens’ phone numbers.

The threat actor told Cybernews they were selling the US dataset for $7,000, the UK – $2,500, and Germany – $2,000.

So what’s the upshot for you? Cybernews investigated all the numbers included in the sample and managed to confirm that all of them are, in fact, WhatsApp users.

“But it was not a hack.” Until this came to light, you could simply script a query, run it through Google, and check WhatsApp details externally.

This “privacy lapse” means that phone numbers appeared in Google search results if someone looked via the “”.

This is because the ‘’ URL does not have a robots.txt file in its server root, which means Google and other search-engine bots cannot be prevented from crawling and indexing the links.
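To make the robots.txt point concrete, here is a small added illustration of our own (not code from WhatsApp or from the researchers quoted above). It feeds two constructed robots.txt files into Python’s standard-library parser and asks whether a crawler may fetch a constructed per-user link. The host example.invalid, the path layout and the Googlebot agent string are all assumptions for illustration, not the URL referred to in this item.

```python
"""Added example (not from the newsletter or WhatsApp): what a robots.txt
file does and does not do for a set of public per-user URLs.

Python's standard-library parser is fed two constructed robots.txt files and
asked whether a crawler may fetch a constructed numeric click-to-chat link.
The host example.invalid, the path layout and the Googlebot agent string are
assumptions for illustration; none of them is the URL the newsletter refers to.
"""
from __future__ import annotations

import urllib.robotparser

SITE = "https://example.invalid"        # constructed placeholder host
CHAT_LINK = SITE + "/15551234567"        # constructed per-user link (phone number in the path)
DOWNLOAD_PAGE = SITE + "/download/ios"   # constructed marketing page that may be indexed

# Case 1: no robots.txt. Python treats an empty file the way a crawler treats
# a missing one: nothing is disallowed, so every link is fair game to index.
EMPTY_ROBOTS = ""

# Case 2: a robots.txt that keeps crawlers out of the per-user links while
# still letting the download page be indexed. Python's parser applies the
# first matching rule, so the Allow line must precede the blanket Disallow.
RESTRICTIVE_ROBOTS = """\
User-agent: *
Allow: /download
Disallow: /
"""


def crawler_may_fetch(robots_txt: str, url: str, agent: str = "Googlebot") -> bool:
    """Return True if the given robots.txt permits `agent` to fetch `url`."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, url)


def indexing_report(robots_txt: str) -> dict[str, bool]:
    """Which of the sample URLs a compliant crawler would index under this file."""
    return {url: crawler_may_fetch(robots_txt, url) for url in (CHAT_LINK, DOWNLOAD_PAGE)}


if __name__ == "__main__":
    for label, robots in (("no robots.txt", EMPTY_ROBOTS),
                          ("restrictive robots.txt", RESTRICTIVE_ROBOTS)):
        print(label, indexing_report(robots))
    # Caveat for defenders: robots.txt is a request honoured by well-behaved
    # crawlers, not an access control. Data that must not be enumerated needs
    # authentication or rate limiting on the server, not just a Disallow line.
```

The empty file lets both sample URLs through; the restrictive one blocks the per-user link while still admitting the download page. The comment at the end is the practitioner’s caveat: a Disallow keeps search engines out of the index, but it does nothing against a scraper that ignores it.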

The Google listings didn’t reveal any other personal information. However, there are claims it was possible to view the pictures and names of people who hadn’t made their data private through WhatsApp’s security options.

In 2020 the issue was reported to WhatsApp owner Facebook through its bug-bounty scheme. The company said the disclosure did not qualify for a reward… or a fix.

IR: The Facebook Fine

Meta Platforms was slapped with a $277 million fine for failing to prevent the leak of the personal data of more than half a billion users of its Facebook service.

The Irish Data Protection Commission, the main privacy watchdog for Meta in the European Union, levied the fine following a probe that found the social-media company had failed to apply strict safeguards required under the bloc’s sweeping General Data Protection Regulation.

On top of the fine – the third-biggest under GDPR – the watchdog ordered Meta’s Irish unit to make sure its processing complies with the law, according to an emailed statement on Monday.

The Irish authority is the lead watchdog for some of Silicon Valley’s biggest tech firms that have set up an EU base in the country, including Meta.

It opened its probe following revelations that “a collated dataset of Facebook personal data” had been published on the internet.

Personal information on 533 million Facebook users worldwide reemerged on a hacker website last year, including their phone numbers and email addresses.

So what’s the upshot for you? If Facebook data scraping was as easy as for WhatsApp up until a few weeks ago, we wonder if Meta may soon be breaking its own record for largest fines.

Global: TikTok “Invisible Challenge”

From time to time, there is a new dangerous trending challenge on social media.

If you remember the “Tide Pods Challenge” or the “Milk Crate Challenge” you know exactly what we’re talking about.

This time, the latest trending challenge is called the “Invisible Challenge,” where the person filming poses naked while using a special video effect called “Invisible Body.”

This effect removes the character’s body from the video, making a blurred contour image of it.

This challenge is quite popular on TikTok and currently has over 25 million views for the #invisiblefilter tag.

Then TikTok users @learncyber and @kodibtc posted videos on TikTok (over 1,000,000 views combined) to promote a software app able to “remove filter invisible body“ with an invite link to join a Discord server “” to get it.

Yes… those wanting to see the individual in the video without the “Invisible filter” click on links to fake software called “unfilter” that claims to be able to remove TikTok filters on videos shot while the actor was undressed.

And then… those who follow the instructions to get the “unfilter” software end up with WASP stealer malware, hidden inside malicious Python packages, installed on their computers.

So what’s the upshot for you? “It seems this attack is ongoing, and whenever the security team at Python deletes his PyPI packages, he quickly improvises and creates a new identity or simply uses a different name”.

The crazy component of this story is how he got a million views in the first place. The strategy initially required everyone downloading the software to leave a 5-star review… apparently, that got this particular ball rolling.

US: Gas social media app overtakes TikTok in App Store. But is it safe?

A new Sheriff in town, Gas, has dethroned TikTok by capturing the attention of high schoolers across the US.

…And parents are concerned because it requests the location and school data of their kids.

Gas is the brainchild of former Facebook manager Nikita Bier who previously created a similar app called “TBH” back in 2017, only for it to be acquired by Facebook and shut down the following year.

Once again, users are encouraged to use the platform to raise self-esteem and spread positivity.

Ultimately, the app is used to Gas someone up by sending a compliment and cheering each other on.

The anonymous poll-based social app challenges users to answer questions about their friends, with only positive replies allowed on the platform.

If you have not heard of the Gas app yet, it’s not because you are too old or out of touch.

It’s only currently available in 12 states in the US as it gradually increases server capacity.

The app promises not to allow strangers into the circle of trust.

Instead, it only enables friends, contacts, or classmates to vote on each other.

The polls on the platform can only ever be positive or uplifting, and rule-breakers are immediately removed.

Upon signing up for Gas, the app prompts high schoolers to import the contacts from their smartphone.

This will enable teens to see a variety of users in anonymous polls.

So what’s the upshot for you? A solution with the aim of making social media less toxic and encouraging young users to boost each other up is undoubtedly a step in the right direction. Forgive us if we see clouds on the horizon.

UK: Now the UK bans Chinese cameras on government sites

Agencies have also been advised that no such equipment should be connected to the core networks. They should consider removing and replacing such devices as soon as possible, without waiting for scheduled upgrades.

The House of Commons Foreign Affairs Committee had previously urged a ban on Hikvision-manufactured equipment, since “cameras made by the Chinese firm Hikvision have been deployed throughout Xinjiang, and provide the primary camera technology used in the internment camps.”

Experts shared a common concern that cameras by companies like Hikvision in the UK collect facial recognition data and “can then be used by the Chinese government.”

So what’s the upshot for you? Makes sense.

Global: It’s not your imagination: Shopping on Amazon has gotten worse

The first page of most Amazon search results includes an average of about nine sponsored listings, according to a study of 70 search terms conducted in 2020 and 2021 by data firm Profitero.

That was twice as many ads as Walmart displayed, and four times as many as Target.

Amazon might feel unbeatable for service, fast shipping, and easy returns.

But as a place to find products, it’s becoming a tacky strip mall filled with neon signs pointing you in all the wrong directions.

Amazon has turned shill results into its next big thing.

After selling $31 billion in ads last year, Amazon became the third-largest online ad company in the United States, trailing only Google and Facebook.

Some brands and sellers love Amazon ads because they show up right at the moment you’re making a purchase — though others tell me ads have become an extra Amazon tax they have to pass on to customers.

The Amazon we experience today is pretty much the opposite of how Amazon used to work.

Even as recently as 2015, Amazon’s results pages were filled with actual results, ranked by relevance to your search.

Amazon’s focus has shifted from “trying to find ways to delight consumers with great recommendations, personalization, and discovery to building better advertising technology.”

Amazon also now uses search results to push its own in-house products. An investigation from The Markup exposed how Amazon results list its own brand and exclusive products ahead of others with higher ratings.

Amazon lets advertisers do what’s called brand “conquesting.” Off-brands can pay to advertise under a major brand’s name. When I search for a KitchenAid mixer, my first screen of results is brands called Kuppet and Kuccu.

So what’s the upshot for you? How do you fight back? Start your search on a search engine and let it take you to the products on Amazon.

Also, we loved that this article was featured in the Washington Post, the newspaper and website that Jeff Bezos owns.

DE: Germany Forces a Microsoft 365 Ban Due to Privacy Concerns

The central German state of Hesse’s local Data Protection Authority (DPA) has banned the use of Microsoft 365 in its schools, citing concerns over privacy violations.

According to the authority, the program’s settings gather data from within the users’ programs. This clearly violates the EU’s General Data Protection Regulation (GDPR) policies.

Three major issues now confront Microsoft 365 in the EU:

  • EU authorities are calling for local-only servers
  • Under a newly promulgated act, US agencies can access user data stored on US companies’ servers, even the data of non-US citizens
  • Microsoft fails to guarantee minors’ data protection

Under the GDPR, those under 18 years old can’t consent for their data to be collected.

Even on the platforms that do store such data, customers should be able to request the purging of records.

So what’s the upshot for you? The solution for Germany is local servers/clouds and to comply with GDPR. Done.

CA: Major Canadian Crypto Exchange Coinsquare Says Client Data Breached

Coinsquare, one of Canada’s largest cryptocurrency exchanges, may have been breached, but the company claims customer assets are “secure in cold storage and are not at risk.”

The exchange, which touts itself as “Canada’s trusted platform to securely buy, sell and trade Bitcoin, Ethereum, and more,” emailed customers Friday to report a “data incident” in which an unauthorized third party accessed a customer database containing personal information.

According to the email, the breach exposed “customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances.”

Although the email was sent Friday, Coinsquare discovered the breach last week and notified customers via Twitter. “No passwords were exposed. We have no evidence any of this information was viewed by the bad actor,” the email stated.

Coinsquare suspended activities on its platform after detecting the vulnerability last week, triggering speculation of possible liquidity issues, given the momentous implosion of the multi-billion-dollar crypto exchange, FTX, earlier this month.

So what’s the upshot for you? Full service was restored on Friday, according to a tweet. “We want to reiterate that 100% of client funds are safely held in cold storage and are not used for business activities,” the company tweeted.

CA: No Privacy in the Electronics Repair Industry

Researchers at the University of Guelph in Ontario, Canada, left laptops overnight at 12 computer repair shops — and then recovered logs after receiving their repairs:

The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device…

The amount of snooping may actually have been higher than recorded in the study, which was conducted from October to December 2021.

In all, the researchers took the laptops to 16 shops in the greater Ontario region.

Logs on devices from two of those visits weren’t recoverable.

Two of the repairs were performed on the spot and in the customer’s presence, so the technician had no opportunity to surreptitiously view personal data.

In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks…

The vast majority of repair shops provide no privacy policy and those that do have no means of enforcing them. Even worse, repair technicians required a customer to surrender their login password even when it wasn’t necessary for the repair needed.

These findings came from a separate part of the study, in which the researchers brought an Asus UX330U laptop into 11 shops for a battery replacement.

This repair doesn’t require a technician to log in to the machine, since the removal of the back of the device and access to the device BIOS (for checking battery health) is all that’s needed.

Despite this, all but one of the repair service providers asked for the credentials to the device OS anyway.

When the customer asked if they could get the repair without providing the password, three refused to take the device without it, four agreed to take it but warned they wouldn’t be able to verify their work or be responsible for it, one asked the customer to remove the password, and one said they would reset the device if it was required.

So what’s the upshot for you? Probably we should not be surprised by this.

Global: Apple kneecaps Protesters’ Tool in China Weeks Before the Current Protests

“China’s control of the internet has become so strong that dissidents must cling to any crack in the so-called Great Firewall,” writes Qz.

As anti-government protests sprung up on campuses and cities in China over the weekend, Qz reminds us that “the country’s most widespread show of public dissent in decades will have to manage without a crucial communication tool, because Apple restricted its use in China earlier this month.”

AirDrop, the file-sharing feature on iPhones and other Apple devices, has helped protesters in many authoritarian countries evade censorship.

That’s because AirDrop relies on direct connections between phones, forming a local network of devices that don’t need the internet to communicate.

People can opt into receiving AirDrops from anyone else with an iPhone nearby.

That changed on Nov. 9, when Apple released a new version of its mobile operating system, iOS 16.1.1, to customers worldwide.

Rather than listing new features, as it often does, the company simply said, “This update includes bug fixes and security updates and is recommended for all users.”

Hidden in the update was a change that only applies to iPhones sold in mainland China: AirDrop can only be set to receive messages from everyone for 10 minutes, before switching off.

There’s no longer a way to keep the “everyone” setting on permanently on Chinese iPhones.

The change, first noticed by Chinese readers of 9to5Mac, doesn’t apply anywhere else.

So what’s the upshot for you? Apple plans to make the “Everyone for 10 Minutes” feature a global standard next year, according to Bloomberg.

Global: Dropbox Utilizes Boxcryptor Assets To Bring Zero-Knowledge Encryption To File Storage

Dropbox has announced plans to bring end-to-end encryption to its business users, and it’s doing so through acquiring “key assets” from Germany-based cloud security company Boxcryptor.

The terms of the deal were not disclosed.

Dropbox is well-known for its cloud-based file backup and sharing services, and while it does offer encryption for files moving between its servers and the destination, Dropbox itself has access to the keys and can technically view any content passing through.

What Boxcryptor brings to the table is an extra layer of security via so-called “zero knowledge” encryption on the client side, giving the user full control over who is allowed to decrypt their data.

For many people, such as consumers storing family photos or music files, this level of privacy might not be a major priority.

But for small and medium-sized businesses end-to-end encryption is a big deal as it ensures that no intermediary can access their confidential documents stored in the cloud – it’s encrypted before it even arrives.
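To show what “the vendor has the keys” versus “encrypted before it even arrives” means in practice, here is an added illustration of our own; it is not Dropbox’s or Boxcryptor’s code. Two toy storage services both hold only ciphertext; the difference is where the key lives. The cipher inside (HMAC-SHA256 as a counter-mode keystream with a separate HMAC tag) is a stand-in picked because it needs only Python’s standard library, and the file contents and passphrases are constructed sample values.

```python
"""Added example (not Dropbox's or Boxcryptor's code): provider-held-key
encryption next to client-side ("zero-knowledge") encryption, as two toy
storage services.

Both services hold only ciphertext. The difference is where the key lives:
the provider-held model can decrypt on demand, while in the client-side
model the key is derived on the user's device from a passphrase the
provider never receives, so it can store and serve the blob but not read it.
The cipher (HMAC-SHA256 as a counter-mode keystream, plus a separate HMAC
tag checked before decryption) is a stand-in chosen because it needs only
the standard library; a real product would use a vetted AEAD such as
AES-GCM. File contents and passphrases are constructed sample values.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def derive_keys(passphrase: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a passphrase into independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i of the keystream is HMAC(enc_key, nonce || i)."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


@dataclass(frozen=True)
class Blob:
    """Exactly what lands on the storage server: no key, no plaintext."""
    salt: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def encrypt(plaintext: bytes, passphrase: bytes) -> Blob:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    return Blob(salt, nonce, ciphertext, tag)


def decrypt(blob: Blob, passphrase: bytes) -> bytes:
    enc_key, mac_key = derive_keys(passphrase, blob.salt)
    expected = hmac.new(mac_key, blob.nonce + blob.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob.tag):      # verify before decrypting
        raise ValueError("wrong passphrase or tampered blob")
    stream = _keystream(enc_key, blob.nonce, len(blob.ciphertext))
    return bytes(c ^ k for c, k in zip(blob.ciphertext, stream))


class ProviderHeldKeyStorage:
    """Model 1: encrypted at rest and in transit, but with a key the provider
    generated and keeps, so the provider (or anyone who compels it) can read."""
    def __init__(self) -> None:
        self._provider_secret = os.urandom(32)
        self._store: dict[str, Blob] = {}

    def upload(self, name: str, plaintext: bytes) -> None:
        self._store[name] = encrypt(plaintext, self._provider_secret)

    def provider_reads(self, name: str) -> bytes:
        return decrypt(self._store[name], self._provider_secret)   # no user needed


class ClientSideEncryptedStorage:
    """Model 2: the user encrypts before upload; the provider holds ciphertext only."""
    def __init__(self) -> None:
        self._store: dict[str, Blob] = {}

    def upload(self, name: str, blob: Blob) -> None:
        self._store[name] = blob          # the passphrase never crosses the wire

    def download(self, name: str) -> Blob:
        return self._store[name]

    def provider_view(self, name: str) -> bytes:
        """All the provider can produce on its own is the raw ciphertext."""
        return self._store[name].ciphertext


def demo() -> dict[str, bool]:
    document, passphrase = b"Q3 forecast: revenue 4.2M, churn 3.1%", b"correct horse battery"
    provider = ProviderHeldKeyStorage()
    provider.upload("forecast.txt", document)
    client_side = ClientSideEncryptedStorage()
    client_side.upload("forecast.txt", encrypt(document, passphrase))      # encrypted on the client
    restored = decrypt(client_side.download("forecast.txt"), passphrase)    # decrypted on the client
    return {
        "provider can read model 1": provider.provider_reads("forecast.txt") == document,
        "provider sees plaintext in model 2": b"revenue" in client_side.provider_view("forecast.txt"),
        "user round-trips model 2": restored == document,
    }


if __name__ == "__main__":
    for claim, result in demo().items():
        print(f"{claim}: {result}")
```

Running it prints that the provider can read the document in model 1, sees no plaintext in model 2, and that the user still gets the document back. The tag check before decryption is what stops a tampered or wrong-key blob from yielding garbage silently.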

Moving forward, Dropbox said that it plans to bake Boxcryptor’s features natively into Dropbox for business users.

So what’s the upshot for you? End-to-end encryption where the vendor does not have access certainly is a good differentiator.

Global: Linux Kernel Gets More Infrastructure for Rust

One of the benefits of Rust as a programming language over C, the current language of the Linux kernel, is that it provides security without sacrificing the performance and speed that C provides.

One of the key points of the language that people love is that it is memory safe.

Linux 6.1 (released last month) included what Linus Torvalds described as “initial Rust scaffolding.” But now, “work has already been done since the 6.1 release to add more infrastructure for Rust in the kernel, though still none of the code interacts with any C code.”

And there’s still no actual Rust code in Linux.

“You need to get all those things that can make sure that Rust can compile, and you can do the debugging and all these things,” explained Joel Marcey, director of advocacy and operations for the Rust Foundation, “and make sure that the memory safety is there and all that sort of stuff.

And that has to happen first before you can actually write any real code in Rust for the Linux kernel itself.”

Marcey explained that Linux is going to be doing this inclusion very piecemeal, with lots of little integrations here and there over time so they can see how it is working.

“I would imagine that over the next year, you’re going to see more small incremental changes to the kernel with Rust, but as people are seeing that it’s actually kind of working out, you’ll be able to maybe, for example, write Linux drivers or whatever with Rust,” said Marcey…

According to Bec Rumbul, executive director of the Rust Foundation, Rust being added to the kernel is an “enormous vote of confidence in the Rust programming language.”

She explained that in the past other languages have been planned to make it into the kernel and ended up not getting put in.

“I think having someone with the kind of intellectual gravity of Linus Torvalds saying ‘No, it’s going in there,’ that kind of says an awful lot about how reliable Rust already is and how much potential there is for the future as well,” she said.

So what’s the upshot for you? Apparently, in this year’s Stack Overflow Developer Survey, 86.73% of developers said they loved Rust. Sounds like a wild survey.

US: US Census Bureau Head Fends Off Critics of ‘Differential Privacy’ Tool

The US Census Bureau’s chief Robert Santos has openly highlighted the benefits of a tool called ‘differential privacy’ created to protect participants’ data in the statistical agency’s questionnaires.

The solution essentially anonymizes participants’ survey results data by adding intentional errors to prevent third-party companies from effectively piecing together identities.


Apparently, this is particularly effective in the smallest geographies, such as census blocks.

But it also means that thousands of small jurisdictions throughout the US will not get usable data because of the algorithms applied to the numbers to protect confidentiality.
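Here is an added illustration of our own (not the Census Bureau’s code) of the mechanism this item describes: the Laplace mechanism, the simplest form of the “intentional errors” differential privacy adds to counts, run over constructed block, town and county populations to show why the same noise is a rounding error for a county and a wild swing for a census block. The populations are constructed sample values and epsilon (the privacy budget) is a free parameter; the Bureau’s production system is considerably more elaborate.

```python
"""Added example (not the Census Bureau's code): the Laplace mechanism, the
simplest form of the "intentional errors" differential privacy adds to
published counts, and why the same noise hurts a census block far more
than a county.

The geographies and their populations are constructed sample values and
epsilon (the privacy budget) is a free parameter. The Bureau's production
system is considerably more elaborate (it post-processes whole table
hierarchies so that they add up); this example shows only the core idea.
"""
from __future__ import annotations

import math
import random


def laplace_scale(epsilon: float, sensitivity: float = 1.0) -> float:
    """Noise scale b = sensitivity / epsilon. Adding or removing one person
    changes a count by at most 1, so a counting query has sensitivity 1."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(rng: random.Random, scale: float) -> float:
    """Draw from Laplace(0, scale) by inverting its CDF on a uniform draw."""
    u = rng.random() - 0.5                         # uniform on [-0.5, 0.5)
    tail = max(1.0 - 2.0 * abs(u), 1e-300)         # guard the log at u == -0.5
    return -scale * math.copysign(1.0, u) * math.log(tail)


def release_count(true_count: int, epsilon: float, rng: random.Random) -> int:
    """Publish a noisy count, then post-process: round to a whole number and
    clamp at zero, because a negative population is not a usable statistic."""
    noisy = true_count + sample_laplace(rng, laplace_scale(epsilon))
    return max(0, round(noisy))


def expected_relative_error(true_count: int, epsilon: float) -> float:
    """E|noise| / true_count. The mean absolute deviation of Laplace(0, b) is
    exactly b, so noise that is negligible for a county is large for a
    twelve-person block."""
    return laplace_scale(epsilon) / true_count


def mean_abs_noise(scale: float, draws: int = 20_000, seed: int = 1) -> float:
    """Empirical check of the E|noise| = b claim used above."""
    rng = random.Random(seed)
    return sum(abs(sample_laplace(rng, scale)) for _ in range(draws)) / draws


def compare_geographies(epsilon: float = 0.5, seed: int = 2022) -> dict[str, tuple[int, int, float]]:
    """(true count, released count, expected relative error) per sample geography."""
    rng = random.Random(seed)
    populations = {"census block": 12, "small town": 1_400, "county": 310_000}   # constructed
    return {name: (n, release_count(n, epsilon, rng), expected_relative_error(n, epsilon))
            for name, n in populations.items()}


if __name__ == "__main__":
    for name, (true, released, rel) in compare_geographies().items():
        print(f"{name:13s} true={true:>7d} released={released:>7d} "
              f"expected relative error={rel:.1%}")
```

With epsilon at 0.5 the noise scale is 2 people either way, which is under a thousandth of a percent for the county and around 17 percent of the block’s population; lowering epsilon for stronger privacy makes that gap wider still. The clamp at zero is also the kind of post-processing that makes the small-geography numbers “essentially incorrect” in the sense the critics mean.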

And critics point out that the incomplete identification of this data could lead to delays and inaccuracies, potentially also resulting in incorrect determination of political power.

So what’s the upshot for you? The Bureau replied that, despite leaving the data now essentially incorrect, the operation had served to improve its overall cybersecurity posture.


And our quote of the week - “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” - Albert Einstein

That’s it for this week. Stay safe, stay secure, look smart, and see you in se7en.
