In this week’s Cyber Blurbs Roundup, we take a look at some loopholes in Apple’s App Tracking Transparency and a security problem with Microsoft Outlook.
The Loopholes in Apple’s App Tracking Transparency
Midway through 2020, Apple promised to revolutionize the mobile advertising industry by announcing plans for greater transparency into the sort of user data companies were collecting. The company colored itself a champion of privacy, arming its users with the ability to deny an app’s request to track their habits across their Apple device.
Now just several months after the company rolled out its controversial, yet celebrated feature, we’re getting a better idea on just how well it works. The verdict? In spite of users requesting not to be tracked, App Tracking Transparency won’t stop apps from collecting your data — it’ll just stop them from using the more traditional methods.
An investigation conducted by The Washington Post and privacy software company Lockdown revealed that some apps are still gathering valuable user data in spite of Apple’s attempt to prevent them from doing so. WaPo reports that apps are still capable of harvesting key user details, such as IP addresses, a device’s available storage, a device’s current volume level, and a device’s battery life. Those data points, according to the report, are capable of providing third-party with the sort of insight necessary to identify a user’s iPhone… which, in turn, could allow them to provide targeted advertisements.
Privacy experts refer to this technique as “fingerprinting” — a concept that Apple says has been banned from its developers policy.
The report notes that only the app makers can determine what the data is being used for. When contacting Vungle, a third-party ad company receiving user data, a company representative told WaPo that the data cannot be used to identify users. According to Vungle, the data is merely used for “practical purpose[s]” of providing ads compatible with “the right device in the right language for the right country and app.”
WaPo says it contacted Apple about its findings, to which the iPhone maker responded by claiming it would look into the sort of information that companies are still collecting. The publication says Apple has yet to make any changes to its policy.
“When it comes to stopping third-party trackers, App Tracking Transparency is a dud,” former Apple iCloud engineer turned Lockdown co-founder Johnny Lin told WaPo. “Worse, giving users the option to tap an ‘Ask App Not To Track’ button may even give users a false sense of privacy.”
You can read the WaPo report in its entirety here.
Outlook Vulnerability Exposes 100,000 Email Passwords
Microsoft’s Autodiscover, a service designed to reduce user burden when configuring accounts, has been found capable of exposing email passwords. A study conducted by security researcher Amit Serper of Guardicore, and originally reported by ArsTechnica, highlights the security flaw which allows hackers to purchase domains named “autodiscover” to intercept login credentials in clear text.
ArsTechnica reports that Guardicore developed a proof-of-concept for the vulnerability, purchasing several domains and monitoring the activity over four months from April 16 – Aug. 25, resulting in more than 100,000 exposed email credentials. Guardicore says the credentials belonged to users working for publicly traded companies, manufacturers, banks, and power companies, among other industries.
Worse yet, users who are impacted by the flaw have no way of knowing anything is off.
The flaw has been presented to Microsoft, but has yet to be patched. According to ArsTechnica, there appears to be no way for companies to mitigate the issue. Not unless companies suddenly decide to task their employees with the sometimes intricate procedures involved in properly configuring an account’s details. But there’s a reason a service like Autodiscover exists — the average user panics at the sight of acronyms like POP, IMAP, TLS, SSL, and TCP.
You can read Guardicore’s original write-up here.