17 matches found
EUVD-2017-8075
Malware in sbrugna...
Google misled users about their privacy and now owes them $425m, says court
A court has ordered Google to pay $425m in a class action lawsuit after it was found to have misled users about their online privacy. In July 2020, Google user Anibal Rodriguez filed a lawsuit against the search giant, arguing that it misled users with its "Web & App Activity" setting. The settin...
A week in security (August 28 - September 3)
Last week on Malwarebytes Labs: 2.6 million DuoLingo users have scraped data released; Google strengthens its Workplace suite protection; Meal delivery service PurFoods announces major data breach; Cisco VPNs without MFA are under attack by ransomware operator; "An influx of Elons," a hospital visit,...
API Abuse – Lessons from the Duolingo Data Scraping Attack
It’s been reported that 2.6 million user records sourced from the Duolingo app are for sale. The attacker apparently obtained them from an open API provided by the company. There’s a more technical explanation available here. While we talk a lot about the vulnerabilities in the OWASP API Top-10 a...
API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names
By Waqas. Duolingo Investigates Data Leak as Hacker Shares Personal User Information on Hacker Forums and Telegram. This is a post from HackRead.com. Read the original post: API Misuse: Hacker Exposes 2.6M Duolingo Users Emails & Names...
A week in security (January 23—29)
Last week on Malwarebytes Labs: T-Mobile reports data theft of 37 million customers in the US; Ransomware revenue significantly down over 2022; Microsoft to end direct sale of Windows 10 licenses at the end of January; TikTok CEO told to "step up efforts to comply" with digital laws; 4 ways to protec...
"2.6 million DuoLingo account entries" up for sale
Not a week goes by where we don't see an example of data scraping causing concern for both business and folks at home. The latest target happens to be popular language platform DuoLingo, who is currently digging into a forum post concerning data related to its customer accounts. Scraping data for...
What Are the Top 10 Android Educational Apps That Collect Most User Data?
By Deeba Ahmed. HelloTalk, GoogleClassroom, ClassDojo, and Duolingo turned out to be the top 3 educational apps that collect the most user data from Android devices. This is a post from HackRead.com. Read the original post: What Are the Top 10 Android Educational Apps That Collect Most User Data?...
DuoLingo TinyCards application for Android Man-in-the-Middle Attack Vulnerability
DuoLingo TinyCards application for Android is a memory workout application based on the Android platform. A security vulnerability exists in versions of the DuoLingo TinyCards application for Android prior to version 1.0, which stems from the program's use of unencrypted HTTP, and can be exploite...
CVE-2017-16905
The DuoLingo TinyCards application before 1.0 for Android has one use of unencrypted HTTP, which allows remote attackers to spoof content, and consequently achieve remote code execution, via a man-in-the-middle attack...
Remote code execution
The DuoLingo TinyCards application before 1.0 for Android has one use of unencrypted HTTP, which allows remote attackers to spoof content, and consequently achieve remote code execution, via a man-in-the-middle attack...
CVE-2017-16905
The DuoLingo TinyCards application before 1.0 for Android has one use of unencrypted HTTP, which allows remote attackers to spoof content, and consequently achieve remote code execution, via a man-in-the-middle attack...
CVE-2017-16905
DuoLingo TinyCards for Android (before 1.0) uses unencrypted HTTP, enabling a man‑in‑the‑middle to spoof content and potentially achieve remote code execution. Root cause: insecure network transport. Impact: content spoofing and possible RCE as stated. Remediation: upgrade to version 1.0 or later...
CVE-2017-16905
The DuoLingo TinyCards application before 1.0 for Android has one use of unencrypted HTTP, which allows remote attackers to spoof content, and consequently achieve remote code execution, via a man-in-the-middle attack...
Duolingo: RCE in TinyCards for Android
We found and confirmed an RCE bug in TinyCards for Android. Is it in scope, and if not how do we report this security issue to DuoLingo...
Duolingo: Learn Languages Free - Customized SSL, Dangerous filesystem permissions, WebView code execution vulnerabilities
HackApp vulnerability scanner discovered that application Duolingo: Learn Languages Free published at the 'play' market has multiple vulnerabilities...
Duolingo Test Center - Customized SSL, Dynamic Code Loading, External URLs vulnerabilities
HackApp vulnerability scanner discovered that application Duolingo Test Center published at the 'play' market has multiple vulnerabilities...