Category: Security & Privacy

0-click attack promises to narrow down a user’s location geographically

Posted on by Martin Brinkmann

Internet users have a few weapons in their arsenal when it comes to disguising their location. Some have good reasons for wanting to do that, from making sure that activity cannot be traced back to them to watching streaming content that is available only in other regions, or paying less for certain goods and services.

Deanonymization attacks try to locate a user through various means. A simple one uses a device’s IP address to find out information about a user.

Deanonymization using Cloudflare

A security research has discovered a new method, one that does not require any user interaction at all. It relies on Cloudflare, which operates one of the largest content distribution networks and certain services, that use Cloudflare for caching.

The main idea behind the attack is this: Cloudflare caches content and there is a way to check cached content on Cloudflare. All you have to do is send a unique file to a user before checking Cloudflare caches for hits. Cloudflare does not cache the unique file in all datacenters, if it is accessed only by a single user.

As a result, you get a hit in a datacenter that is close to the user. Usually, it is the nearest datacenter. Cloudflare operates hundreds of data centers in the world. While that still means that you get a radius of a few hundred kilometers or more, you can still narrow down a user’s location, provided that no other means of disguising the location are used.

The researcher describes the attack using Signal and Discord. In Signal, there are two options. The first sends an image to a user, which requires that the target opens the conversation. If the target has push notifications enabled, this one-click attack turns into a 0-click attack, as the attachment is shown already as part of the notification. All it takes afterwards is to check CloudFlare datacenters to find the one that has cached it (first).

On Discord, users can use custom emojis if they have a Nitro subscription. They can show the custom emoji in their status, which means that anyone opening the profile of the user may have their approximate location checked using Cloudflare.

Combined with GeoGuesser, which is a private Discord bot, it could be used to narrow down a user’s location.

Closing Words

While the attack still means that a radius of several hundred kilometers is returned, it may be possible to combine this attack with others, or use it regularly.. The attack may provide important information on its own, but if done regularly, it could help identify a user who is moving around a lot (e.g. for work).

There is little that users can do to prevent this kind of attack. One option is to disable the auto-accepting of attachments and media, another the use of VPN servers or other means of disguise.

Google Search

Google Search: mobile results get simplified URL views

Posted on by Martin Brinkmann

The URL, which is the site address of webpages, offers essential information to Internet users. It allows Internet users to verify that they are on the right website or verify links before they are visited.

The details: Google announced that it is stripping the address of results on Google Search on mobile so that only the domain name is shown.

Here is how this looks like on mobile now:

Google Search on mobile shows the domain name only.

Google Search displays the domain name only from now on. Google reasons that the full URL is not that useful on mobile devices anyway, as it is cut off usually because of limited space on the screen.

The change applies to mobile search only. Desktop users continue to see the full address using breadcrumbs.

Notably, this comes just a week after security researchers uncovered a malvertising campaign on Google Search that allowed threat actors to display fake source domains in Google ads.

Can you still check the address in Google Search on mobile?

Google Search on mobile: display address

Google has not implemented a straightforward option to display the address of a linked resource before visiting it.

A tap on the menu icon next to a result displays various information about the source that Google collected, but not the full address. It is only displayed when you activate the “more about this page” link.

The page that is loaded then displayed the linked URL, but often cut off.

Two workarounds remain at this point:

  • Long-press on a result to display to display various options. These differ from browser to browser, but they may display the address fully or at least partially.
  • Use share functionality by long pressing on a link in the search results. You can then share the link or use other options, such as copying the link.

The better option, if you want full addresses shown on mobile, is to switch to another search engine. Most display the full address.

Closing Words

It is true that the full address is usually not displayed on mobiles. While the new results page looks more pleasing to the eye, it strips users of a way to verify the target of a link displayed on Google Search.

Google could at least have added the full address to the summary page that users can open when they tap on the three dots next to a result. It would even be possible to display it on multiple lines, so that it is visible in full.

Alas, no such option has been implemented.

What is your take on this? Do you mind the removal off the information on Google Search? Feel free to leave a comment down below.

European Consumer Organization renews criticism of Meta’s “pay-or-consent” policy

Posted on by Martin Brinkmann

Meta’s attempt to appease consumer rights organizations in Europe continues to draw sharp criticism from consumer protection groups.

The company introduced a pay-or-consent policy on its main platforms as a response to the European Union’s Digital Markets Act.

The policy gives users of its platforms two options: give Meta consent for advertising and tracking, or pay a monthly subscription fee to avoid that.

The European Data Protection Board rejected Meta’s initial model. Meta launched a second version of its policy in late 2024. While Meta made some adjustments, the underlying principle remained the same. Users still had to choose between ads and being tracked, or a paid subscription.

According to the European Consumer Organization, the second version of Meta’s pay-or-consent model falls short again.

Key Criticisms:

  • The subscription model appears to be a superficial compliance attempt
  • Users are not provided a genuine choice about data usage
  • Meta continues to collect excessive user data
  • Alternative service options remain fundamentally unequal

The new version of Meta’s pay-or-consent policy fails to address the fundamental problems consumer groups identified in the tech giant’s pay-or-consent initial approach.

Agustín Reyna, Director General of the European Consumer Organisation (BEUC), describes the changes as cosmetic only and that the revised version is not giving users “a fair choice” either.

The new policy breaches EU law in “numerous counts” according to the BEUC.

  • Using misleading practices and unclear terms and confusing interface design to steer users towards Meta’s preferred option;
  • Not giving to users the possibility to consent fully freely to their data being processed, while the tech giant does not minimise the data it collects from users;
  • Meta degrades the service to users who do not consent to the use of their personal data.

BEUC calls on several European Institutions and organizations, including the Irish Data Protection Commission, the PCC-Network and the European Commission, to take action against Meta.

The full report is available here.

Google Needs to Strengthen Ad Security After Latest Malvertising Incident

Posted on by Martin Brinkmann

A recent incident has shown another security vulnerability in Google’s advertising platform: advertisers can display URLs of legitimate websites in their ads while redirecting clicks to malicious destinations.

This deceptive practice has recently been exploited in a concerning incident. Here is what happened.

The popular macOS package manager Homebrew became the target of cybercriminals in a sophisticated phishing campaign. Developer Ryan Chenkie discovered a fraudulent website being promoted through Google Ads that impersonated the official Homebrew platform.

The attackers employed a classic typosquatting technique, registering the domain “brewe.sh” to mimic Homebrew’s legitimate domain “brew.sh.”.

The cybercriminals booked ads on Google’s advertising platform to lure unsuspecting users into their trap. While the target URL was different, the ad on Google Search showed the address of the legitimate website to searches.

In other words: A glance at the address would show the correct address to searchers. A click on the ad, however, would load the malicious website instead.

The fraudulent site was professionally designed to appear identical to Homebrew’s official website. However, instead of providing legitimate software, it distributed malware through compromised cURL downloads. According to reports, the malware specifically targeted user passwords.

The main takeaway for users: do not trust the address, title, or ad text that Google displays on Google Search. Better yet, use a content blocker to get rid of these ads entirely.

Google has apparently reacted to this particular ad and plans to “stop similar patterns in the future”.

Closing Words

One of the main problems of advertisement on the Internet is that it is regularly abused by cybercriminals. Even Google, with all its money that it earns from advertising, seems uncapable of putting an end to this abuse.

It is a trust issue and the only way of protection is to use content blockers. The added benefit of this is that users save potentially gigabytes of data each month,, speed up browsing on the Internet and improve your privacy.

This is why my website does not have any ads. You can still support me though, for instance by subscribing to my newsletter here.

Mullvad

Mullvad VPN: quantum-resistant tunnels enabled by default

Posted on by Martin Brinkmann

Mullvad announced this week that it has enabled quantum-resistant tunnels in the VPN’s Windows client. The company plans to enable the feature on its mobile clients for Android and iOS in the future as well.

This comes just a few months after Mullvad added protections against AI traffic analysis to its VPN.

What are quantum-resistant tunnels? Put simply, it is hardening the connection to the VPN with stronger protections against attacks.

Mullvad notes that the previously used system has no weaknesses, but that more powerful computer systems could attack it successfully. The company mentions quantum computers specifically.

The updated security protects the connections against potential future attacks that could utilize computer systems that are more powerful than those available today.

Here is the paragraph that describes the improvement in technical terms:

The feature prevents such a future attack using post-quantum secure key encapsulation mechanisms for exchanging a pre-shared key for WireGuard. The algorithms currently used are Classic McEliece and ML-KEM.

With this new app release we switched to the NIST standard ML-KEM from the earlier Kyber standard, but this is essentially a minor revision of that standard.

Windows users can check Settings > VPN settings > WireGuard settings > Quantum-resistant tunnel to configure the feature. It should be enabled on Windows by default, provided that the latest VPN client update has been installed already.

Mullvad VPN should highlight the use of the feature with a quantum-resistance feature indicator.

Closing Words

Mullvad continues to improve the security of its VPN. The latest addition should future-proof connections of customers against potential quantum-computer-based attacks.

Now it is your turn. Do you use a VPN? If so, which and why that one? Feel free to leave a comment down below.

Mozilla removes Do Not Track from Firefox and suggests alternative, but there is a better one

Posted on by Martin Brinkmann

Mozilla plans to remove the Do Not Track feature from Firefox. The idea behind it was simple: inform websites that the user of the browser does not want to be tracked.

What looked good on paper did not work well in the real world. Many sites ignored the header, which made it ineffective as a privacy tool.

Related:

Mozilla removes Adjust marketing integration from Firefox Mobile

Mozilla confirmed the removal of Do Not Track on its bug tracking website.

Global Privacy Control is the alternative

Global Privacy Control was created by several companies in 2020 as a successor to Do Not Track. The core difference to Do Not Track is that it is designed to be mandatory instead of optional, at least in some regions where consumer laws are in place.

Firefox users may enable the feature in the following way:

  1. Select the Menu button and then Settings.
  2. Switch to Privacy & Security.
  3. Check “Tell websites not to sell or share my data” under Website Privacy Preferences.

Is there a better alternative?

Whether advertisers, Internet sites, marketing companies, or other companies and services that track users honor the new Global Privacy Control feature is not in the control of the individual user.

Yes, some companies may get sued if they do not, but there is a good chance that this won’t reach mass adoption in the coming years and that tracking continues to take place.

That leaves taking care of tracking as good as you can by yourself. In fact, installing a content blocker and disabling third-party cookies are two of the best options in that regard.

While you could do more, these methods alone will block the bulk of tracking that you would otherwise be subject to on today’s Internet.

So, pick uBlock Origin and install it in a browser that is not operated by a multi-billion Dollar company. Then, open the Settings of the browser and disable third-party cookies.

Note: in some rare, very rare, instances, third-party cookies may prevent functionality on a low number of websites. If that is the case, you may still set exceptions for these sites while keeping third-party cookies blocked for every other site.

Now it is your turn. Do you enable privacy features such as Do Not Track or Global Privacy Control? What do you to block tracking on the Internet?

Patch

New 0-Day Windows vulnerability steals credentials in the simplest way possible

Posted on by Martin Brinkmann

Micro-patching service 0Patch have disclosed a new 0-day vulnerability that affects all recent client and server versions of the Windows operating system.

A successful exploit gives the attacker access to a user’s credentials. All that is required for that is that the user opens a folder on Windows that contains a malicious file.

0Patch releases micro-patches for security issues. It supports various Windows and Office clients, even after Microsoft ended support for them officially.

The company released a patch in February for a vulnerability that Microsoft did not consider worthy of a patch.

0Patch reveals in a blog post that the issue affects Windows 7 to Windows 11 version 24H2, and Windows Server 2008 R2 to Server 2022. Windows Server 2025 is likely also affected, but it is still under testing since its release in November 2024.

The company writes:

Our researchers discovered a vulnerability on all Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022. The vulnerability allows an attacker to obtain user’s NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page.

Good to know: NTML, which stands for New Technology Lan Manager, is a set of security protocols used by Microsoft in all recent versions of Windows.

0Patch says that it has reported the vulnerability to Microsoft and that it is withholding information about the issue until it is fixed by Microsoft.

It is the third 0-day vulnerability that 0Patch reported to Microsoft recently. The previous two, a Windows theme file issue and a Mark of the Web issue, have not been fixed by Microsoft according to 0Patch.

Micro-patches are available for all three 0-Day vulnerability. 0Patch subscribers should get these automatically, provided that they run the 0Patch application on their Windows devices.

As per the usual terms, the company is providing free users with the micro-patches as well, as Microsoft has not yet created an official patch to protect devices against potential attacks.

Additional information about the issue is available on the linked website.

5 Takeaways from NSA’s Best Practices for Mobile Devices

Posted on by Martin Brinkmann

Mobile devices are seemingly everywhere. Many people carry them around all day. This makes them a valuable target for attacks.

The NSA published a document earlier this year in which it highlights best practices for mobile devices. It is a simple document, that divides suggestions into the labels avoid, disable, do, and don’t.

Some suggestions appear very basic for experienced users. Like, making sure that the operating system and apps are up to date, not opening attachments or links from untrusted sources, or not having sensitive conversations on personal devices..

Related content:

Nord Security launches File Checker online tool

A few of the suggestions may be new advice, even for experienced users. Or, it may be known but not practiced.

Here are five takeaways that I found interesting

  • You should reboot the device at least once a week.
  • Do not have sensitive conversations in the vicinity of the mobile device.
  • Use a protective case that “drowns the microphone” and block the camera when it is not used.
  • Disable Bluetooth, Location, and Wi-Fi when it is not used. Never connect to public Wi-Fi networks.
  • Use a protective case that “drowns the microphone”. Also block the camera when it is not in use.

Some of these make using mobile devices cumbersome and that is likely one of the main reasons why most mobile users are probably not restarting their device once a week or turning of Wi-Fi.

You can check out the full list of suggestions here.

What is your take on this? Do you restart your device regularly or follow some or all of the other suggestions? Feel free to leave a comment down below.

Mullvad

Mullvad VPN adds protections against AI traffic analysis

Posted on by Martin Brinkmann

One of the best things you can do to protect your data and privacy while online is to use a good VPN. Not all VPNs offer equally good protections; some even collect and sell user data.

Mullvad VPN is already offering some of the strongest privacy protections in the industry. This begins with options to buy access anonymously, but does not end there. You may also run Mullvad Browser, a hardened fork of the Firefox web browser.

Also great:

DNS Forge Review: privacy-friendly censorship-free DNS with ad-blocking

Mullvad announced a new protective feature against AI-based traffic analysis in May of this year. Defense against AI-guided Traffic Analysis (DAITA) is designed to protect user data against the growing thread of the use of AI to analyze traffic to identify patterns and users, even when VPNs are used.

This form of traffic analysis works in the following way according to Mullvad:

  • Whenever you visit a website or use a service on the Internet, network packets are transferred.
  • While ISPs and network listeners do not know the content of these packages, they do know a) the size of the packets, b) when and how often they are sent.
  • AI may identify websites, services, and even people you message based on network packages.

DAITA

DAITA is designed to protect against any form of network packet analysis to determine visited websites, services, or communication.

This is achieved in the following way (again according to Mullvad):

  • DAITA changes the size of all packets send over the VPN to be the same size.
  • Random background traffic is added to the communication.
  • Data pattern distortion by sending cover traffic between the client and the VPN server.

DAITA is available in Mullvad VPN for Android already. You need to enable ti manually under Settings > VPN Settings > DAITA.

Note that DAITA works with select servers, Mullvad lists Amsterdam, London, Los Angeles, and New York, at the time.

Do you use a VPN service? If so, which and why this one? What is your take on Mullvad’s new privacy feature? Feel free to leave a comment down below.

KeePass 2.57.1

KeePass 2.57.1 Security Update is now available after a code analysis

Posted on by Martin Brinkmann

Good news for everyone who is using the password manager KeePass. A new update is now available that fixes two minor security issues in the client. These have come to light during a code analysis that was sponsored and run by the German Federal Office for Information Security and MGM Security Partners.

The new is good, because no medium, high, or critical issues were discovered during the audit. Note that the audit focused on the actual KeePass application and not third-party forks or plugins.

Also good to know:

Should you save passwords in a browser?

The full report will be published on this (German) website later on. Previous reports have been in German, and it is likely that the KeePass report will also be available in German only.

KeePass users may want to upgrade the password manager to the new version as soon as possible. The two discovered security issues have a low severity rating.

The official release notes go through the findings and provide notes on the discovered issues. It is unfortunately difficult to understand at this point as the report is not quoted.

Closing Words

The results of the code audit should instill confidence in the password manager. I’m keeping an eye on the download page of the report to read it once it is published.

Which password manager do you use? Is it KeePass or something else? Leave a comment down below to let us all know!