Notices by Avoid the Hack! :donor: (avoidthehack@infosec.exchange)

  1. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Tuesday, 18-Mar-2025 17:12:25 JST

    AI #search engines cite incorrect sources at an alarming 60% rate, study says

    Misinformation has always been present on the internet, but #AI certainly isn't helping here.

    Additionally, many AI tools ignored Robot Exclusion Protocol settings. AKA they said that robots.txt doesn't apply to them.

    (Grok 3's error rate is 94%, lol.)

    #misinformation

    https://arstechnica.com/ai/2025/03/ai-search-engines-give-incorrect-answers-at-an-alarming-60-rate-study-says/

    In conversation about a year ago from infosec.exchange permalink
  2. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Tuesday, 14-Jan-2025 02:42:09 JST
    in reply to
    • j@mastodon

    @jcast You can block ads beyond the browser. Ads can also be blocked on the device and network levels.

    There is no universal protection against fingerprinting, but you can certainly resist it. There's a nuance to it and part of it is reliant on user threat model.

    In conversation Tuesday, 14-Jan-2025 02:42:09 JST from gnusocial.jp permalink
  3. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Tuesday, 14-Jan-2025 02:38:13 JST
    in reply to
    • j@mastodon
    • Hyde 📷 🖋 :debian:

    @jcast @hyde This is actually beyond browser fingerprinting. The change "permits" fingerprinting devices, which would presumably extend to apps using Google's advertising ecosystem in particular. So, you'll see devices like Smart TVs, gaming consoles, etc far more susceptible.

    Additionally, Tor is not a viable daily driver primarily because logging into personal accounts while using Tor is bad opsec. If that level of fingerprinting protection is needed, I recommend the Mullvad browser (it is a Tor fork configured to run off the Tor network.)

    In conversation Tuesday, 14-Jan-2025 02:38:13 JST from gnusocial.jp permalink
  4. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Tuesday, 14-Jan-2025 00:21:54 JST

    #Google Starts Tracking All Your Devices In 6 Weeks—Forget Chrome And #Android

    Long story short is that Google has made updates to its advertising ecosystem essentially _permitting_ the fingerprinting of devices for use in targeted advertising. In their words they are going to be “less prescriptive with partners in how they target and measure ads.”

    Doesn’t mean fingerprinting wasn’t happening before, just that Google is giving the green signal to the rest of the ecosystem to do so… and will likely use this to maybe replace third-party cookies.

    Use an adblocker. Seriously.

    #privacy #ads #privacymatters #useadblockers

    https://www.forbes.com/sites/zakdoffman/2025/01/11/google-starts-tracking-all-your-devices-in-6-weeks-forget-chrome-and-android/

    In conversation Tuesday, 14-Jan-2025 00:21:54 JST from infosec.exchange permalink
  5. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Saturday, 11-Jan-2025 03:43:45 JST

    :beber:

    #useadblockers #privacy #meme

    In conversation Saturday, 11-Jan-2025 03:43:45 JST from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/804/520/609/757/821/original/84a3f11dd73c3da9.png
  6. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Friday, 15-Nov-2024 01:51:27 JST

    Pregnancy Tracking #App ‘What to Expect’ Refuses to Fix Issue that Allows Full Account Takeover

    What to Expect is a popular pregnancy tracking app available for #ios and #android.

    An exposed API endpoint handling password reset requests for the app does not require authentication or enforce rate limits and is vulnerable to brute force attacks.

    #privacy #security #cybersecurity

    https://www.404media.co/pregnancy-tracking-app-what-to-expect-refuses-to-fix-issue-that-allows-full-account-takeover-2/

    In conversation Friday, 15-Nov-2024 01:51:27 JST from infosec.exchange permalink

    Attachments

    1. www.404media.co
      Pregnancy Tracking App ‘What to Expect’ Refuses to Fix Issue that Allows Full Account Takeover
      from @josephfcox
      Vulnerabilities in the popular What to Expect app include one that allows a full account take over, and another that exposes that email address of forum admins.
  7. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Monday, 23-Sep-2024 23:41:53 JST

    Researcher reveals ‘catastrophic’ #security flaw in the Arc browser

    (CVE-2024-45489)

    The Arc Browser is a fork of #chromium with a lot of built-in features and integrations... and requires an account to use.

    Arc Browser uses Firebase to store user information for features like Arc Boosts. Arc Boosts can contain arbitrary JavaScript... by knowing the CreatorID, an attacker could inject code into other users' browsing sessions.

    Crazy to me because this implementation appeared to rely solely on user-provided identities (the CreatorID) without implementing any checks.

    This has been patched in the newest version of the Arc browser.

    #browsers #cybersecurity #cve

    https://www.theverge.com/2024/9/20/24249919/arc-browser-boost-firebase-vulnerability-patched

    In conversation Monday, 23-Sep-2024 23:41:53 JST from infosec.exchange permalink
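
The authorization gap described in the notice above, as an added example that is not part of the original post and not Arc's or Firebase's code: a constructed in-memory store compares a write policy that trusts the client-supplied `creatorID` with one that binds it to the server-verified user. The `Store` class, the document layout, the user names, and the assumption that a client runs every script stored under its own ID are hypothetical.

```javascript
// Constructed model, not Arc or Firebase code. Only "creatorID" comes from the
// post; Store, the document layout and the user names are hypothetical.

// Flawed policy: accepts whatever creatorID the client wrote into the document.
function allowWriteTrusting(authUid, existing, incoming) {
  return typeof incoming.creatorID === 'string';
}

// Hardened policy: the server-verified uid must own the stored document (if
// any) and the incoming one, so ownership cannot be forged or reassigned.
function allowWriteBound(authUid, existing, incoming) {
  if (!authUid) return false;
  if (existing && existing.creatorID !== authUid) return false;
  return incoming.creatorID === authUid;
}

class Store {
  constructor(policy) {
    this.policy = policy;
    this.docs = new Map();
  }
  // authUid is taken from the verified session, never from the request body.
  write(authUid, docId, incoming) {
    const existing = this.docs.get(docId) || null;
    if (!this.policy(authUid, existing, incoming)) return false;
    this.docs.set(docId, { ...incoming });
    return true;
  }
  // Assumption: a client loads every script stored under its own uid.
  scriptsFor(uid) {
    return [...this.docs.values()]
      .filter((d) => d.creatorID === uid)
      .map((d) => d.script);
  }
}

// Constructed scenario: "mallory" tries to label her documents with alice's ID,
// first on creation (b2), then by editing a document she legitimately owns (b3).
function scenario(policy) {
  const store = new Store(policy);
  store.write('alice', 'b1', { creatorID: 'alice', script: 'alice-own' });
  const forged = store.write('mallory', 'b2', { creatorID: 'alice', script: 'mallory-js' });
  store.write('mallory', 'b3', { creatorID: 'mallory', script: 'mallory-own' });
  const reassigned = store.write('mallory', 'b3', { creatorID: 'alice', script: 'mallory-js' });
  return { forged, reassigned, aliceRuns: store.scriptsFor('alice') };
}
```

In Firebase security rules the hardened policy corresponds to comparing `request.auth.uid` with both `resource.data` (the stored document) and `request.resource.data` (the incoming one).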
  8. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Saturday, 10-Feb-2024 20:41:20 JST
    • It's FOSS
    • BleepingComputer
    • Ars Technica
    • AlternativeTo
    • Skiff

    Skiff Privacy has been acquired, will be shutting down

    Skiff @skiff has “joined” (read: been acquired) by Notion.

    Skiff privacy is (was?) an #opensource and #privacy friendly product suite, featuring email, pages, drive and calendar.

    According to their blog post and an email mirroring that blog post, Skiff will be “sunsetting” in the next 6 months. In plainspeak, in about 6 months (no definitive date as of writing this post) Skiff’s services will no longer work. Users will not be automatically migrated to Notion.

    Users must migrate/download their data, including migrating skiff domains and redirecting emails. From what I currently understand, email aliases must be handled by hand - so the redirect only works for the primary address.

    @alternativeto @BleepingComputer @arstechnica @itsfoss

    I will be pulling the recommendation for Skiff on Avoidthehack.com ASAP.

    #privacy #privacymatters #skiff #skiffprivaacy

    https://skiff.com/data-migration

    In conversation Saturday, 10-Feb-2024 20:41:20 JST from infosec.exchange permalink

    Attachments


    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/111/904/747/076/025/862/original/14dff26b5aa6e466.jpeg

    2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/111/904/751/390/998/335/original/3668c94eda80db59.jpeg

    3. https://media.infosec.exchange/infosec.exchange/media_attachments/files/111/905/035/437/780/424/original/2036f9e1d8b0b1f3.jpeg
    4. Avoidthehack.com
      Avoid the Hack | The intersection of cybersecurity and privacy
      from avoidthehack!
      Avoid the Hack (avoidthehack) promotes online privacy and cybersecurity awareness for all users.
  9. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Wednesday, 10-Jan-2024 04:50:31 JST
    in reply to
    • carl marks

    @tillshadeisgone

    Sure do. I am really enjoying 2FAS, but there’s also Aegis (which is Android only).

    If you need/want desktop+mobile compatibility, Bitwarden Premium is great.

    More recs (all #opensource):

    https://avoidthehack.com/best-mfa-2fa

    In conversation Wednesday, 10-Jan-2024 04:50:31 JST from infosec.exchange permalink
  10. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Wednesday, 10-Jan-2024 02:41:17 JST

    #Authy is shutting down its #desktop app

    Authy is a #2fa / #MFA authentication app, though one that is not recommended in the #privacy space primarily because it does not offer easy export of codes (making it difficult to switch apps) and is closed source.

    However, many people used it because it was one of the only apps not integrated into a password manager that allowed easy syncing across different devices.

    I am urging any Authy users/holdouts to switch to an #opensource alternative that allows exporting 2FA secrets.

    https://www.theverge.com/2024/1/8/24030477/authy-desktop-app-shutting-down

    In conversation Wednesday, 10-Jan-2024 02:41:17 JST from infosec.exchange permalink
  11. Avoid the Hack! :donor: (avoidthehack@infosec.exchange)'s status on Thursday, 19-Oct-2023 00:12:18 JST

    Malicious Notepad++ #Google ads evade detection for months

    Otherwise known as the "Sponsored" results section, which is conveniently right at the top of Google SERPs.

    The domains in this particular campaign drop malicious scripts when users download the "Notepad++" files on these deceptive sites.

    Use an adblocker.

    #cybersecurity #infosec #adblock

    https://www.bleepingcomputer.com/news/security/malicious-notepad-plus-plus-google-ads-evade-detection-for-months/

    In conversation Thursday, 19-Oct-2023 00:12:18 JST from infosec.exchange permalink

    Avoid the Hack! :donor:

    An initiative promoting the intersection of internet #privacy and #cybersecurity for all users.
    Based in the USA. You are more than just a data point.
    Operated by: @ashwrites
    Established in 2020.
    #fedi22 #infosec #opsec

    Statistics

    User ID: 202278
    Member since: 18 Oct 2023
    Notices: 11
    Daily average: 0


          GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

          Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.