Security News

Telegram app can reveal your exact location

Avast Security News Team, 8 January 2021

Plus, iMessage is more private than WhatsApp and Donald Trump does time in Facebook and Twitter jail

A researcher named Ahmed Hassan has found what could be considered a security problem for users of the messenger app Telegram.

The vulnerability lies in the People Nearby feature, which shows users the proximity of other local users. Hassan first noted that it is common practice for scammers to spoof a location, which fools Telegram servers, in order to join a group of users to peddle fake bitcoin investments and other such scams. He then used readily available hacking tools to spoof three locations in one area. Using all three spoofed locations to triangulate the location of a local user in the People Nearby feature, he was able to find the precise location of that user. “This security problem enables an attacker to locate any Telegram user,” commented Avast Security Evangelist Luis Corrons. “While it is true that the People Nearby option is turned off by default, if Telegram disregards this issue, it shows that privacy is not really a priority for them.” For more on this story, see the article in Ars Technica

Beware of second stimulus check scams

As the United States Internal Revenue Service (IRS) sends out a second wave of financial support to citizens across the country, scammers are already trying to get in on the action. CNET listed the most common scams being launched, which includes scams that promise faster payment deliveries. An easy way to identify a scam is to remember that the IRS will never text, call, or email recipients to get them to verify information. Another way to identify a scam is the nomenclature – the IRS will only refer to these payments as “economic impact payments,” not “stimulus checks.” Some scams also try to trick the user into paying a fee up front in order to receive the check, but the IRS will never require such a thing.

Apple iMessage more private than WhatsApp

Users can now gain insight into how much data an app collects on them by looking at the new privacy labels Apple has added to its App Store, and one surprising revelation is that iMessage collects much less information than WhatsApp does, even though WhatsApp sends encrypted messages and claims “Privacy and security is in our DNA” in its FAQs. The problem stems from all the metadata WhatsApp collects, which is data about a user’s data, such as who is being messaged, when, and how often. According to Apple’s privacy labels, WhatsApp collects 16 categories of metadata while iMessage collects 6. For more information, see the article in Forbes.

Trump suspended from social media 

Twitter, Facebook, Snapchat, and Instagram each suspended President Donald Trump from posting on their sites Wednesday after he supported and encouraged the mob of rioters who stormed the U.S. Capitol. Twitter put Trump on a 12-hour suspension after he refused the site’s demand that he delete three incendiary and lie-filled tweets, including a video in which he professed love for the rioters and insisted he won the 2020 election in a landslide. That same video caused Facebook and Instagram to suspend him, and later Snapchat. YouTube also deleted the video from its site. Read more at Bloomberg.

Singapore police used Covid-19 tracing app data in murder investigation

A clause in the Singapore Criminal Procedure Code allows local police to order anyone to produce any data for the purpose of criminal investigations, and that data can include Singapore’s Covid-19 tracing program TraceTogether. A government official has confirmed that TraceTogether data has already been used in one murder investigation. For more, read the story at ZDNet. Privacy advocates have written about the possible associated risks of Covid-19 tracing apps ever since they were developed, and it was predicted they may be tapped for predatory surveillance at some point. But the Singapore government defends its decision to let police use the data, claiming it is “to protect the safety and security of all Singaporeans.”

This week’s ‘must-read’ on The Avast Blog

It's time for travelers to consider getting a so-called Covid-19 "vaccine passport". These documents could prove to be a solution when crossing borders, but they also come with their own set of challenges.