Cybersecurity researchers in Germany published findings this week that mailto links can be abused to covertly steal local files from victims and email them to the attacker. “Mailto” links use a special protocol that opens up a new email “compose” window when clicked. The researchers learned that attackers can use mailto links to command their victims’ systems to fill the new “compose” window with predetermined content, including the addition of attachments, as long as attackers know the file path to their targeted documents. 

Not all email clients are vulnerable to the attack. Testing 20 clients, the researchers found only 4 that were susceptible – Evolution, KMail, IBM/HCL Notes, and older versions of Thunderbird. Each email provider was notified of the vulnerability, and all four have been patched.

“This is not a threat that most users should be concerned about,” commented Avast Security Evangelist Luis Corrons. “In general, people tend to use cloud email providers such as Google or Microsoft. However, this could be used in a targeted attack, where cybercriminals research the victim to take advantage of the software they use in their computers. In any case, having your programs updated will do the trick.” Read more on this story at ZDNet. 

Carnival Cruises reports ransomware attack

In a filing with the U.S. Securities and Exchange Commission (SEC) this week, the CFO for Carnival Corp reported that on August 15, the company was hit with a ransomware attack that involved files being stolen. The filing states that upon discovery of the attack, the company called the police, started an investigation, and implemented measures to mitigate further infection. The attack included unauthorized access to the personal data of guests and employees, which Carnival expects will result in forthcoming claims from guests, employees, shareholders, and regulatory agencies. More at TechRepublic. 

Instagram integrates Facebook Messenger

Parent company Facebook is combining the Instagram direct message function to Facebook Messenger, as some Instagram users learned over the weekend from an alert that popped up on the app. Forbes reported that Facebook has talked for over a year about unifying Messenger, WhatsApp, and Instagram in a way so that users can message each other across the various apps. One major complication with the plan is figuring out the security, as the three platforms currently hold different levels of encryption. Facebook told Forbes the company is committed to encrypting all its messaging functions end-to-end eventually. 

Trump spreads disinformation about mail-in voting

While U.S. President Donald Trump continues to insist that mail-in voting will lead to substantial voter fraud this November, election officials and security experts maintain that it is nearly impossible to commit voter fraud by mail. According to CNET, Trump’s attempts to plant doubt in Americans’ minds about the efficiency of mail-in voting may be working on some voters, but the information he is providing is so misleading and false that it should be classified as “disinformation.” Critics of Trump believe the incumbent candidate is trying to discredit and dismantle the mail-in voting procedure because he fears losing the presidential election this November if most of the country votes. 

Apple grants third-party repair shops proprietary access

This week, Apple announced that it would begin providing certain third-party Mac repair shops with parts, tools, and training to repair Mac computers. Apple launched the program last year, but only in relation to iPhone repair and iPhone parts. This week’s announcement expands the program to cover Mac computers, with Apple stating that it has updated its materials and training based on feedback from independent repair shops and other interested parties. Read more on this story at Reuters. 

This week’s ‘must-read’ on The Avast Blog

For families and educators preparing for the upcoming school year, we've put together a batch of useful tips to support online and/or distance learning.