
Infosec Decoded Season 5 #49: Meta Spying

With sambowne@infosec.exchange

Recorded Tue, June 24, 2025

Politics

California directed to remove 'disturbing gender ideology content' from sex ed program
California has 60 days to remove the content. Among the specific examples cited by the federal agency are explanations of gender identity and transgender people.
US Army Appoints Palantir, Meta, OpenAI Execs As Lt. Colonels
Four ultra-wealthy executives from top tech companies were sworn in as lieutenant colonels in the new unit ahead of President Trump’s heavily promoted military parade, which was itself sponsored by Palantir:
  • Mumbai-born Palantir CTO Shyam Sankar
  • Kevin Weil, the chief product officer of OpenAI
  • Andrew “Boz” Bosworth, the chief technology officer of Meta
  • Bob McGrew, formerly the chief research officer of OpenAI and engineering director of Palantir Technologies
Texas governor signs bill requiring Ten Commandments to be displayed in classrooms
Texas will require all public school classrooms to display the Ten Commandments under a new law that will make the state the nation’s largest to attempt to impose such a mandate. A similar law in Louisiana was blocked when a federal appeals court ruled Friday that it was unconstitutional. Arkansas also has a similar law that has been challenged in federal court.
Outside groups organize to form unbiased, independent vaccine panel
Teens used encrypted chats to recruit for 'violence as a service' murder ring, Europol says
Teenagers being paid to pull the trigger — this is what organized crime looks like in 2025.
Telegram founder Pavel Durov says all his 100-plus children will receive share of his estate
His estate will be split between his six children from relationships and the scores of others whom he fathered through sperm donation.
Harvard hired a researcher to uncover its ties to slavery. He says the results cost him his job: ‘We found too many slaves’
Who is 'Jose Padilla'? Vice President calls Sen. Alex Padilla wrong name
There is a historically significant Jose Padilla. In 2002, Padilla, a U.S. citizen, was arrested for plotting to set off a radiological "dirty bomb" somewhere in the United States.

Infosec

Publishers facing existential threat from AI, Cloudflare CEO says
Ten years ago, Google crawled two pages for every visitor it sent a publisher. Now the ratio is 18:1. For AI companies, it's thousands to one and rapidly increasing. Publishers need to take action to make sure they are fairly compensated for their content. Cloudflare is working on a new tool that will stop content scraping.
Protect Yourself From Meta’s Latest Attack on Privacy
Researchers recently caught Meta using an egregious new tracking technique to spy on Android users: the Facebook and Instagram apps listened on a port on the loopback address (127.0.0.1), and Meta's tracking script embedded in web pages sent the browser's tracking cookie to that port, so the app could tie the user's web browsing to their logged-in identity and circumvent the separation the Android application sandbox is supposed to enforce (see next article). Using web bugs, Meta records how visitors use a website and respond to ads, siphoning potentially sensitive information such as financial details from tax-filing websites and medical information from hospital websites, all in service of the company’s creepy system of surveillance-based advertising. Even users who blocked or cleared cookies, hid their IP address with a VPN, or browsed in incognito mode could be identified.

Recommended defense measures include using a privacy-focused browser, avoiding in-app browsers, and deleting unneeded apps.

Disclosure: Covert Web-to-App Tracking via Localhost on Android
We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes. They also expose users' browsing histories. Both Facebook and Yandex removed this code after being notified that these practices were going to be published.
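The pattern in both articles above is an app-owned socket listening on the loopback interface. As an added example (not the researchers' code, and nothing from Meta or Yandex), here is one way to check a device for that pattern: parse /proc/net/tcp and /proc/net/tcp6, which `adb shell cat` can read on devices where the shell user has access, decode the kernel's hex address format, and report listeners owned by app UIDs (Android assigns those from 10000 upward). The sample rows and port numbers are constructed, and the script assumes a little-endian device, which covers ARM and x86 Android hardware. A hit is a lead, not proof of tracking: local proxies, debug servers and sync features legitimately listen on loopback, so map the UID to a package (`adb shell pm list packages -U`) and look at what the port answers before drawing conclusions.

```python
"""Find Android apps listening on the loopback interface, from /proc/net/tcp{,6}.

Added example for this page; not code from the disclosure or from Meta/Yandex.
Assumes the text came from `adb shell cat /proc/net/tcp /proc/net/tcp6` on a
little-endian device. The sample rows, UIDs and ports below are constructed.
"""
import ipaddress
import struct

LISTEN = "0A"          # value of the 'st' column for a listening TCP socket
FIRST_APP_UID = 10000  # Android assigns third-party app UIDs from 10000 upward


def decode_addr(hexaddr: str) -> tuple[str, int]:
    """Turn '0100007F:3039' (IPv4) or the 32-hex-digit IPv6 form into (ip, port).

    The kernel prints each 32-bit word of the address in host byte order, so on a
    little-endian device every 8-hex-digit word has to be unpacked with '<I'.
    The port is plain big-endian hex.
    """
    hexip, hexport = hexaddr.split(":")
    words = [int(hexip[i:i + 8], 16) for i in range(0, len(hexip), 8)]
    raw = b"".join(struct.pack("<I", w) for w in words)   # 4 bytes (v4) or 16 (v6)
    return str(ipaddress.ip_address(raw)), int(hexport, 16)


def parse_sockets(text: str) -> list[dict]:
    """Parse the rows of /proc/net/tcp and /proc/net/tcp6 (both may be concatenated)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].endswith(":"):
            continue  # column header or blank line
        ip, port = decode_addr(parts[1])                    # local_address column
        rows.append({"ip": ip, "port": port, "state": parts[3], "uid": int(parts[7])})
    return rows


def loopback_listeners(text: str, min_uid: int = FIRST_APP_UID) -> list[dict]:
    """Listening sockets bound to a loopback address and owned by an app UID.

    System services (uid below 10000) are skipped by default; they are not the
    web-to-app bridge the disclosure describes.
    """
    return [s for s in parse_sockets(text)
            if s["state"] == LISTEN
            and s["uid"] >= min_uid
            and ipaddress.ip_address(s["ip"]).is_loopback]


# Constructed sample: a system daemon on loopback (uid 1000), an app (uid 10123)
# listening on 127.0.0.1 and on ::1, another app bound to all interfaces, and one
# established connection. None of these ports are the real ones from the disclosure.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 4001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 4002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10200        0 4003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:C350 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10123        0 4004 1 0000000000000000 100 0 0 10 0
  sl  local_address                         rem_address                         st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:303A 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 4005 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for s in loopback_listeners(SAMPLE):
        print(f"uid {s['uid']} listens on {s['ip']}:{s['port']}  "
              f"(map it with: adb shell pm list packages -U | grep {s['uid']})")
```

The same parser works on a live capture; only the sample text is made up. Listeners bound to 0.0.0.0 (like the uid 10200 row) are deliberately not flagged here, since the point is the loopback bridge, but they deserve a separate look because they are reachable from the network as well.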
CoinMarketCap suffered a front-end breach involving malicious JavaScript
The breach involved the injection of malicious JavaScript into the site’s rotating “Doodles” feature; the injected code showed a pop-up asking users to “verify wallet,” a phishing prompt meant to drain their funds. The attackers appear to have had back-end access and set an expiration time on the injected code, which suggests the operation was planned in advance.
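An injected inline script only works because nothing checked the page's scripts against what the build actually shipped. As an added example (not CoinMarketCap's code or anything from the article), here is an offline audit that computes Subresource Integrity (SRI) tokens the way a browser does and compares every `<script>` in a fetched page against an allowlist: inline bodies must hash to a recorded token, and external scripts must come from a listed source with the expected `integrity` value. The HTML, hostnames, script bodies and the `promptVerifyWallet` name are constructed for illustration. The same hashes belong in `integrity=` attributes and in a Content-Security-Policy `script-src` with hashes or nonces, which is what blocks the injection in the browser; the audit is the monitoring side, and note that content a back end generates dynamically (as the doodle feature apparently was) has to be covered by the allowlist too.

```python
"""Audit a page's <script> tags against an allowlist of SRI hashes.

Added example for this page; not code from CoinMarketCap or the article. The HTML,
hostnames, script bodies and function names below are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """SRI token as a browser computes it: '<alg>-' + base64(digest of the exact bytes)."""
    return f"{alg}-" + base64.b64encode(hashlib.new(alg, content).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collect every <script> with its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "text": ""}

    def handle_data(self, data):
        if self._current is not None:   # script bodies arrive here as raw, unescaped text
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(html: str, allowed_inline: set, allowed_srcs: dict) -> list:
    """Return findings for scripts that are not on the allowlist.

    Inline scripts must hash to an allowlisted token; external scripts must use an
    allowlisted src and carry exactly the expected integrity attribute.
    """
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for s in p.scripts:
        if s["src"] is None:
            if sri_hash(s["text"].encode()) not in allowed_inline:
                findings.append(f"unexpected inline script: {s['text'].strip()[:60]!r}")
        elif s["src"] not in allowed_srcs:
            findings.append(f"script from unlisted source: {s['src']}")
        elif s["integrity"] != allowed_srcs[s["src"]]:
            findings.append(f"integrity missing or mismatched for {s['src']}")
    return findings


# Constructed fixtures: what a build step would record for the known-good bundle
# and the one inline config snippet the page is supposed to carry.
APP_SRC = "https://static.example.test/app.js"
APP_JS = b"window.renderDoodle=function(){};"
CONFIG_JS = "window.__cfg={theme:'dark'};"
ALLOWED_SRCS = {APP_SRC: sri_hash(APP_JS)}
ALLOWED_INLINE = {sri_hash(CONFIG_JS.encode())}

# Constructed page: two legitimate scripts, then a time-gated injected inline script
# (mirroring the expiry the article describes) and a script from an unlisted host.
SAMPLE_HTML = f"""<html><head>
<script src="{APP_SRC}" integrity="{ALLOWED_SRCS[APP_SRC]}"></script>
<script>{CONFIG_JS}</script>
</head><body>
<script>if(1750000000000>Date.now()){{promptVerifyWallet();}}</script>
<script src="https://cdn.attacker.test/drainer.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML, ALLOWED_INLINE, ALLOWED_SRCS):
        print(finding)
```

Whitespace matters: the SRI token covers the exact bytes of the script body, so the allowlist must be generated from the same build output that is served, and any template that re-indents inline scripts will produce false positives.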
Seven Things to Know About ProPublica’s Investigation of the FDA’s Secret Gamble on Generic Drugs
In 2022, the FDA placed an Indian factory on an import ban — prohibiting the company from shipping drugs to the United States. The agency, however, quietly gave the global manufacturer a special pass to continue sending more than a dozen drugs to Americans even though they were made at the same substandard factory that was officially banned from the U.S. market. All told, the FDA allowed into the United States at least 150 drugs or their ingredients from banned factories found to have mold, foul water, dirty labs or fraudulent testing protocols. Nearly all came from factories in India.

And a ProPublica analysis identified more than 600 complaints in the FDA’s files about the exempted drugs at three factories alone, each flagging concerns in the months or years after the medications were excluded from import bans. The reports cite about 70 hospitalizations and nine deaths.

Scoop: WhatsApp banned on House staffers' devices
The Office of Cybersecurity has deemed WhatsApp a high risk to users because of the lack of transparency in how it protects user data, the absence of encryption for stored data, and the potential security risks involved in its use.

The chief administrative officer has in recent years set at least partial bans on DeepSeek, ByteDance apps and Microsoft Copilot. It has also heavily restricted staffers' use of ChatGPT, instructing offices to only use the paid version, ChatGPT Plus.

Cluely, a startup that helps ‘cheat on everything,’ raises $15M from a16z
Cluely helps users “cheat” on job interviews, exams, and sales calls. The startup was co-founded earlier this year by 21-year-old Roy Lee and Neel Shanmugam, who were suspended from Columbia University for developing an undetectable AI-powered tool called “Interview Coder” to help engineers cheat on technical interviews.
Russian hackers bypass Gmail MFA using stolen app passwords
Russian hackers bypassed multi-factor authentication and accessed Gmail accounts by using app-specific passwords obtained through elaborate social-engineering campaigns that impersonated U.S. Department of State officials. An app password is a per-application credential that authenticates to Google without the second factor, so a victim talked into generating one and sharing it hands over persistent mailbox access that MFA does not protect; reviewing and revoking app passwords in the account's security settings is the practical check.
Study: Meta AI model can reproduce almost half of Harry Potter book
The research could have big implications for generative AI copyright lawsuits.