Plus, Google unveils a new bug bounty platform and the Pegasus Project discovers spyware in widespread use
Social media app Clubhouse, for which member invitations were highly coveted throughout the pandemic, has ditched its invite-only exclusivity with a general release last week that makes the platform available to all users. After launching in the spring, invitations to the free, audio-only app were so in-demand that some sold for hundreds of dollars on eBay. But without the cloak of mystery, the platform seems to have lost its luster in the eyes of users.
In the five days following its release, Clubhouse installs increased only about 17%, with most of the new membership coming from outside the United States. According to Wired, a spokesperson for Clubhouse pointed to its international growth as proof that users still enjoy the app. “Globally, we’ve seen the number of rooms created daily rise from 300K in May to 400K in June to 500K+ in July, which indicates a growing number of engaged users,” the spokesperson wrote.
Avast Security Evangelist Luis Corrons reminds users that we pay for free social media sites with our privacy. “At the same time this has been happening,” he said, “a database containing 3.8 billion phone numbers of Clubhouse users went up for sale on the dark web. Remember, when you register for Clubhouse, it asks you to grant access to your phone book, and it uploads all your contact info. This was a bad idea, and now we see the consequences.” Clubhouse also faces more competition than it did before, with Facebook and Twitter releasing similar features and Discord widening its user base beyond gamers.
Google unveils new “bughunters” platform
To celebrate the 10th anniversary of its Vulnerability Rewards Program (VRP), Google has launched Google Bug Hunters, a new bug bounty platform that brings together Google’s various VRPs (Google, Android, Abuse, Chrome, and Play) and provides a single intake form for bug hunters, making the process simpler than it was before. The new site has a sleeker look and offers more features, including gamification, which encourages interaction and competition with per-country leaderboards. Since its inception, the program has led to 11,055 bugs found, 2,022 researchers rewarded, and nearly $30 million paid out. For more on this story, see ZDNet.
Pegasus Project finds widespread use of spyware
Amnesty International claims that the Pegasus Project, a collaborative investigation into Pegasus spyware, found evidence of “widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.” In the introduction to the Forensic Methodology Report prepared by Amnesty International’s Security Lab, the researcher states, “NSO Group claims that its Pegasus spyware is only used to ‘investigate terrorism and crime’ and ‘leaves no traces whatsoever.’ This Forensic Methodology Report shows that neither of these statements are true. For more, see Wired.
Attackers increase use of exotic programming languages
Blackberry researchers have identified a growing trend in 2021 to be the use of uncommon programming languages by malware authors “to evade detection and hinder analysis.” In a new Blackberry white paper, the researchers explore the trend and its potential impact by looking closer at 4 uncommon languages of interest: Go, D, Nim, and Rust, all of which have been observed being increasingly used with malicious intent. “Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies,” said VP of Threat Research at Blackberry Eric Milam. “It is critical that industry and customers understand and keep tabs on these trends, as they are only going to increase.”
Only 2.3% of Twitter users enabled 2FA
According to Twitter’s transparency report released this month, only 2.3% of the social media platform’s user base enabled 2-factor authentication (2FA), the security measure that requires a second verification step before letting someone into their account. Twitter offers 3 types of 2FA – sending a unique code to the phone number linked to the account (SMS), using a mobile app to generate a unique code (authentication app), and using a security key. Of these, the SMS method is the least secure, since it is susceptible to SIM-hijacking and phishing attacks, yet almost 80% of the Twitter users who employ 2FA use this method. For more, see Security Week.
This week’s ‘must-read’ on The Avast Blog
Crypto exchange scams are a new breed of scam gaining popularity, thanks to the wild swings in the cryptocurrency market. Here's what to look out for and how to keep both your money and personal information secure.