This is a news item roundup of privacy or privacy-related news items for 19 JAN 2025 – 25 JAN 2025. Information and summaries provided here are as-is for warranty purposes.
Note: You may see some traditional “security” content mixed in here due to the close relationship between online privacy and cybersecurity – many things overlap; for example, major vulnerabilities in popular software, which may compromise the security of users’ devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or “popular” stories.
Some traditionally “non-privacy-respecting” services – especially those that try to force account creation – can be used with alternative frontends. These frontends can be beneficial for users wanting to use these services with JavaScript disabled.
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
The Powerful AI Tool That Cops (or Stalkers) Can Use to Geolocate Photos in Seconds
404Media
GeoSpy is an AI tool that can reliably predict the location of photos based on features inside the image itself. This differs from a tool that reads metadata embedded in an image (which can include GPS location and device information); GeoSpy can still accurately predict a photo’s location without reading or using any metadata in the image.
Face Scans to Estimate Our Age: Harmful and Creepy AF
EFF
This is predominantly related to the age verification issue, where users must use identity verification (often furnishing documents and selfies) to prove their age. This is dependent on jurisdiction.
Enter “age estimation” technology, designed to capture images of users’ faces and then use an algorithm to guess their age. This technology is inaccurate as well as privacy invasive, and it may be abused to try to infer other things, such as honesty, emotions, and demographics.
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.
Access Your Bitwarden Vault Without a Password
Bitwarden
Bitwarden adds support for using another device to approve a login to your Bitwarden vault – without typing the master password.
Introducing Rerank: a fast, easy way for users to customize Brave Search rankings
Brave
Brave introduces “Rerank” to Brave Search. Rerank allows users to reorganize results according to their own preferences.
Proton Drive for iOS Adds Burst Photo Support
AlternativeTo
Proton adds support for Burst Photos on iOS.
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
7-Zip fixes bug that bypasses Windows MoTW security warnings, patch now
Bleeping Computer
This vulnerability is tracked as CVE-2024-38213. If a user downloads a crafted archive carrying the Mark of the Web, 7-Zip doesn’t extend the MoTW to the extracted files. This flaw can be exploited to execute arbitrary code.
This was fixed in a 30 NOV 2024 update to 7-Zip. However, 7-Zip doesn’t auto-update, so users should double-check their installed versions and update if needed.
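A quick self-check for the behaviour described above, added here as an example and not taken from the article or from 7-Zip: it builds a small archive, tags it with an Internet-zone Zone.Identifier stream the way a browser download would be tagged, extracts it with the installed 7-Zip, and reports whether the extracted file kept the mark. The 7z.exe path is an assumption; adjust it if 7-Zip is installed elsewhere.

```powershell
# Added example (not from the original post). Requires an NTFS volume, since the
# Mark of the Web lives in the Zone.Identifier alternate data stream.
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId (3 = Internet) from the Zone.Identifier stream, or $null if absent.
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $m = [regex]::Match(($stream -join "`n"), 'ZoneId=(\d+)')
    if ($m.Success) { return [int]$m.Groups[1].Value }
    return $null
}

function Test-SevenZipMotwPropagation {
    param([string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe')   # assumed default install path

    $work    = Join-Path $env:TEMP ("motw-check-" + [guid]::NewGuid())
    $payload = Join-Path $work 'sample.txt'
    $archive = Join-Path $work 'sample.zip'
    $out     = Join-Path $work 'extracted'
    New-Item -ItemType Directory -Path $work | Out-Null

    # Constructed sample content; the file itself is harmless.
    Set-Content -LiteralPath $payload -Value 'constructed sample file'
    & $SevenZip a $archive $payload | Out-Null

    # Tag the archive exactly as a browser download would (ZoneTransfer, ZoneId=3).
    Set-Content -LiteralPath $archive -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
    & $SevenZip x $archive "-o$out" -y | Out-Null

    $version = (Get-Item -LiteralPath $SevenZip).VersionInfo.ProductVersion
    $untagged = Get-ChildItem -LiteralPath $out -Recurse -File |
        Where-Object { $null -eq (Get-MotwZone -Path $_.FullName) }

    if ($untagged) {
        Write-Warning "7-Zip $version did NOT propagate MoTW to $($untagged.Count) extracted file(s); update 7-Zip."
        $propagated = $false
    } else {
        Write-Host "7-Zip $version propagated MoTW (Zone.Identifier present on all extracted files)."
        $propagated = $true
    }
    Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
    return $propagated
}

Test-SevenZipMotwPropagation
```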
Subaru security vulnerability exposed millions of cars to tracking risks
Fast Company
Due to a vulnerability in Subaru Starlink, an attacker who knew the Subaru owner’s last name and ZIP code, email address, phone number, or license plate could remotely start, stop, lock, and/or retrieve the vehicle’s location history for at least the past year. The location data is precise and sometimes recorded several times in one day.
Cloudflare Issue Can Leak Chat App Users’ Broad Location
404media
Technically, this isn’t classified as a vulnerability in Cloudflare’s CDN service; instead, it is feature abuse by threat actors.
By sending an image to a target on a messaging service that uses Cloudflare’s CDN, a threat actor could learn which part of Cloudflare’s infrastructure cached the image. CDNs intentionally serve content from servers close to a user’s approximate location (this is what makes content load faster), so by seeing which data center served the image, and where that data center is, the threat actor could get a general idea of where the user is located.
Hackers use Windows RID hijacking to create hidden admin account
Bleeping Computer
The Andariel threat group, linked to North Korea’s Lazarus APT group, uses Relative Identifier (RID) hijacking to create accounts with administrator privileges. Prior to executing this attack, the threat actor must first have SYSTEM access on the host.
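A detection-side check for this technique, added as an example here and not part of the article: RID hijacking works by rewriting the RID stored inside an account’s SAM “F” value, so an account whose stored RID no longer matches the RID encoded in its registry key name is a strong indicator. The SAM hive is only readable as SYSTEM, so this is assumed to be run in a SYSTEM context (for example from an EDR script runner or a scheduled task running as SYSTEM).

```powershell
# Added example (not from the original article). Reads HKLM\SAM directly, which
# requires SYSTEM; under a normal administrator token Get-ChildItem will fail.
function Get-SamRidMismatch {
    $base = 'HKLM:\SAM\SAM\Domains\Account\Users'
    # Account subkeys are named by the RID as 8 hex digits (e.g. 000001F4 = 500);
    # the "Names" subkey is excluded by the pattern.
    $accountKeys = Get-ChildItem -Path $base -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' }

    foreach ($key in $accountKeys) {
        $keyRid = [Convert]::ToUInt32($key.PSChildName, 16)
        $f = (Get-ItemProperty -Path $key.PSPath -Name F -ErrorAction SilentlyContinue).F
        if (-not $f -or $f.Length -lt 0x34) { continue }

        # The effective RID the account logs on with is a little-endian DWORD at offset 0x30 of F.
        $storedRid = [BitConverter]::ToUInt32($f, 0x30)
        if ($storedRid -eq $keyRid) { continue }

        $note = if ($storedRid -eq 500) { 'stored RID points at the built-in Administrator account' } else { 'stored RID differs from key name' }
        [pscustomobject]@{
            Key       = $key.PSChildName
            KeyRid    = $keyRid
            StoredRid = $storedRid
            Finding   = $note
        }
    }
}

$hits = @(Get-SamRidMismatch)
if ($hits.Count -eq 0) {
    Write-Host 'No RID mismatches found in SAM.'
} else {
    Write-Warning "Possible RID hijacking: $($hits.Count) account(s) with a rewritten RID."
    $hits | Format-Table -AutoSize
}
```

An empty result only says the F values are consistent right now; pair it with monitoring for writes under the SAM Users keys to catch the modification as it happens.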
QNAP fixes six Rsync vulnerabilities in NAS backup, recovery app
Bleeping Computer
QNAP fixes numerous CVEs in its latest update for Hybrid Backup Sync, commonly found on NAS devices. When these vulnerabilities are exploited, attackers could gain remote code execution privileges on unpatched devices.
Employees of failed startups are at special risk of stolen personal data through old Google logins
TechCrunch
Former employees of failed startups could have their information accessed by threat actors re-registering the defunct company’s domains and abusing Google OAuth features.
Malicious extensions circumvent Google’s remote code ban
Almost Secure
Even with Google’s rollout and enforcement of Manifest V3, which tried to curb extensions’ ability to run code downloaded from remote web servers, malicious extensions still circumvent this change.
The malicious extensions uncovered in this research appeared to have different goals, ranging from injecting ads into web pages to spying on users’ browsing. Most of these extensions abuse the permission to access all visited websites and download their configuration from a web server.
Mass Campaign of Murdoc Botnet Mirai: A New Variant of Corona Mirai
Qualys
Murdoc botnet is another Mirai variant. This botnet has been targeting vulnerable…
This is a Security Bloggers Network syndicated blog from Avoid The Hack!, authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/privacy-week4-2025