ShinyHunters Claims 350GB Data Breach at European Commission
ShinyHunters claims it breached European Commission systems, leaking 350GB of data. Officials are investigating, with no independent verification yet...
Cyber Attack Hits European Commission Staff Mobile Systems
The European Commission reports a cyber attack on its central mobile infrastructure that may have exposed staff names and phone numbers...
Porn sites probed for allegedly failing to prevent minors from accessing content
Four porn sites are being investigated by the European Commission under its Digital Services Act (DSA) for allegedly failing to verify their users' ages properly. The Commission, which drafts and enforces the European Union's laws, is focusing the lens on Pornhub, Stripchat, XNXX, and XVideos with th...
CVE-2019-18632
European Commission eIDAS-Node Integration Package before 2.3.1 allows Certificate Faking because an attacker can sign a manipulated SAML response with a forged certificate...
E.U. Commission Fined for Transferring User Data to Meta in Violation of Privacy Laws
The European General Court on Wednesday fined the European Commission, the primary executive arm of the European Union responsible for proposing and enforcing laws for member states, for violating the bloc's own data privacy regulations. The development marks the first time the Commission has bee...
Temu must respect consumer protection laws, says EU
Temu has been accused of a number of infringements on its platform against European Union (EU) consumer law. The Consumer Protection Cooperation (CPC) Network of national consumer authorities and the European Commission teamed up for a coordinated ongoing investigation into Temu and its practices. Th...
Meta Given Deadline to Address E.U. Concerns Over 'Pay or Consent' Model
Meta has been given until September 1, 2024, to respond to concerns raised by the European Commission over its "pay or consent" advertising model or risk facing enforcement measures, including sanctions. The European Commission said the Consumer Protection Cooperation (CPC) Network has notified...
JupyterLab vulnerable to potential authentication and CSRF tokens leak
Impact: Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version. Patches: JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched. Workarounds: No workaround has been identified, however users...
JupyterLab vulnerable to SXSS in Markdown Preview
Impact: The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or a Markdown file using the JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user...
GHSA-R726-VMFQ-J9J3 Open Redirect Vulnerability in jupyter-server
Impact: Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause a successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. Patches: Upgrade to Jupyter Server 2.7.2. Workaround...
GHSA-64X5-55RW-9974 cross-site inclusion (XSSI) of files in jupyter-server
Impact: Improper cross-site credential checks on /files/ URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". Patches: Jupyter Server 2.7.2. Workarounds: Use lower performance...
40% of online shops tricking users with “dark patterns”
The European Commission has been looking at retail websites to see if they're misleading consumers with "dark patterns". Spoiler: Yes, they are. The Commission, along with the national consumer protection authorities of 23 EU member states, plus Norway and Iceland, has released the results of...
WhatsApp Hit with €5.5 Million Fine for Violating Data Protection Laws
The Irish Data Protection Commission (DPC) on Thursday imposed fresh fines of €5.5 million against Meta's WhatsApp for violating data protection laws when processing users' personal information. At the heart of the ruling is an update to the messaging platform's Terms of Service that was imposed in...
Europe Agrees to Adopt New NIS2 Directive Aimed at Hardening Cybersecurity
The European Parliament announced a "provisional agreement" aimed at improving cybersecurity and resilience of both public and private sector entities in the European Union. The revised directive, called "NIS2" short for network and information systems, is expected to replace the existing...
State-backed hacking group from China is targeting the Russian military
In an unexpected turn of events, research has surfaced about a Chinese APT (advanced persistent threat) group targeting the Russian military in recent cyberattacks. Tracked as Bronze President, Mustang Panda, RedDelta, and TA416, the group has focused mainly on Southeast Asian targets—and more...
Rapid7 Statement on the New Standard Contractual Clauses for International Transfers of Personal Data
Context: On June 4, 2021, the European Commission published new standard contractual clauses (“New SCCs”). Under the General Data Protection Regulation (“GDPR”), transfers of personal data to countries outside of the European Economic Area (EEA) must meet certain conditions. The New SCCs are an approve...
Artificial Intelligence ban slammed for failing to address “vast abuse potential”
A written proposal to ban several uses of artificial intelligence (AI) and to place new oversight on other “high-risk” AI applications—published by the European Commission this week—met fierce opposition from several digital rights advocates in Europe. Portrayed as a missed opportunity by privacy...
How NOT to fail at PDF redaction
The heated spat between Europe and AstraZeneca over a contract has segued into an unexpected blunder that left many of us chuckling and surprised at the same time. Perhaps even feeling a bit awkward. Recently, the European Commission published a PDF version of the contract it had with AstraZeneca...
A week in security (February 3 – 9)
Last week on Malwarebytes Labs, we looked at Washington state’s latest efforts in providing better data privacy rights for their residents, and we dove into some of the many questions regarding fintech: What is it? How secure is it? And what are some of the problems in the space? We also detailed...