Cheers to a new year!

We saw many cybersecurity issues in 2019, and we simply can't allow them to happen again. Even though organizations have learned the importance of cybersecurity, they still find it difficult to take appropriate security measures. In the current environment, keeping your technology safe may take more than antivirus software or password protection. Wishing everybody a 'secure' year ahead :)

Let's move on to some vulnerabilities found in the first week of January:

Mozilla has released an update to patch a critical vulnerability that affects Firefox’s IonMonkey JavaScript Just-in-Time (JIT) compiler. A JIT compiler in Firefox converts JavaScript source code to an executable format so that the JavaScript runs directly inside Firefox as if it were a built-in part of the app.

Modern apps implement Data Execution Prevention (DEP), which means the data consumed by a program while it is running can't be turned into executable code, especially if it comes from an untrusted source. But JIT compilers exempt themselves from DEP controls because converting data into executable code is their job. Therefore, any flaw in a JIT compiler is a golden chance for attackers.
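To make the DEP point concrete, here is an added example (not from the original post and not Mozilla's code) that audits a Linux process memory map for the regions where DEP gives no protection: pages that are both writable and executable, and executable pages with no backing file, which is what JIT output looks like. The `/proc/<pid>/maps` format is Linux-specific, and the sample map, `dep_audit` and `audit_maps` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in Linux /proc/<pid>/maps format; not from a real process. */
static const char *SAMPLE_MAPS =
    "55d0c0a00000-55d0c0a21000 r-xp 00000000 08:01 131 /usr/lib/firefox/firefox\n"
    "55d0c0c21000-55d0c0c23000 rw-p 00021000 08:01 131 /usr/lib/firefox/firefox\n"
    "7f2a10000000-7f2a10010000 r-xp 00000000 00:00 0 \n"
    "7f2a10010000-7f2a10020000 rwxp 00000000 00:00 0 \n"
    "7ffd5a1e0000-7ffd5a201000 rw-p 00000000 00:00 0 [stack]\n";

struct dep_audit {
    int total;     /* regions parsed */
    int wx;        /* writable AND executable: DEP is effectively off here */
    int anon_exec; /* executable with no backing file: typical of JIT output */
};

/* Parse maps-format text line by line and classify each region. */
struct dep_audit audit_maps(const char *text) {
    struct dep_audit a = {0, 0, 0};
    while (*text) {
        char line[512], perms[5] = "", path[256] = "";
        unsigned long long start, end, inode;
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += len + (text[len] == '\n');
        /* fields: start-end perms offset dev inode [path] */
        int got = sscanf(line, "%llx-%llx %4s %*s %*s %llu %255s",
                         &start, &end, perms, &inode, path);
        if (got < 4) continue;               /* skip malformed lines */
        int w = perms[1] == 'w', x = perms[2] == 'x';
        a.total++;
        if (w && x) a.wx++;
        if (x && inode == 0 && path[0] == '\0') a.anon_exec++;
    }
    return a;
}

int main(void) {
    struct dep_audit a = audit_maps(SAMPLE_MAPS);
    printf("regions=%d writable+executable=%d anonymous-executable=%d\n",
           a.total, a.wx, a.anon_exec);
    return 0;
}
```

In the sample, the third region is the pattern a JIT uses when it keeps generated code executable but not writable, while the fourth is writable and executable at once, the case an audit should flag first.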

You need to update Firefox to version 72.0.1. Go to Help → About Firefox (or Firefox → About Firefox on a Mac), where you will see the current version number.

Video-sharing apps have been the trend of the past few years, and TikTok is the most popular of them. This short-form video app was the third most downloaded in 2019. The latest research found critical vulnerabilities in TikTok that affect users' privacy.

One of the vulnerabilities allows attackers to hijack a TikTok account just by sending an SMS to the user's phone number. It stems from an insecure SMS system that TikTok offers on its website to let users send a message to their phone number with a link to download the video-sharing application. When a user with the TikTok app on their phone clicks this URL, JavaScript is executed that allows the hacker to modify the user's TikTok account.

Once they get access, attackers can upload unwanted videos to the user's profile, delete current videos, leak private videos in TikTok, etc. All users need to update TikTok to the latest version, which will patch this vulnerability.

Google Assistant is an artificial intelligence-powered virtual assistant developed by Google that is primarily available on mobile and smart home devices. Users primarily interact with the Google Assistant through natural voice, though keyboard input is also supported.

The Assistant activates for English speakers when it hears the commands “Hey Google” or “Ok Google”. The problem is that the Assistant may also start recording when it hears similar sounds or words, and the user may not know what it is recording. This affects the user's privacy.

Soon, users can tell Google to erase recordings by saying “Hey Google, that wasn’t for you.” Manual deletion is already there, but now it's also possible by using the command “Hey Google, delete everything I said to you this week.”

Other commands include, “Hey Google, are you saving my audio data?” (which brings up a privacy FAQ on a screen) and “How do you keep my information private?”

These commands are useful for a user who happens to know about Google Assistant's unwanted recording. But this is not the best solution to the privacy issue, because users need to tell Google Assistant not to do it, and many people don't realize it could be done in the first place!