Not the point, but I don't feel particularly solid about the security of a site with no discernible password policy or options for two-factor authentication. I just created a Gettr account with the password "password".
New: Peloton's leaky API let anyone pull members' private user account data, even with their profiles set to private. Worse, when the bug was privately reported earlier this year, Peloton ignored researchers past their 90-day deadline.
Leaky APIs have been the source of recent scraping attacks on Facebook, LinkedIn, and Clubhouse. But Peloton declined to say if it had logs to confirm or rule out any malicious exploitation. That's a question regulators will want to ask though.
New: In the latest #JamCOVID development, the Amber Group broke its silence to say absolutely nothing of value, and the Jamaican government continues to point fingers at everyone other than itself.
A quick refresher: Amber Group runs Jamaica's JamCOVID website and app, but it left thousands of travelers' private data on an unprotected and exposed cloud server. Then the government lied about when it first knew about the security lapse. (2/)
Some background on our story yesterday. TechCrunch discovered the exposed data as part of an investigation into COVID-19 apps, and worked to identify the source and notify them of the breach — as we've done before when we've found security issues. (1/)
We reached out Jamaica's Ministry of Health on Saturday (Feb 13) to make contact. We got a response on Sunday from spokesperson Stephen Davidson asking for more information. We sent details of the exposed server that evening. Davidson did not respond. Server remained open. (2/)
During this time we continued to investigate the breach, and on Tuesday (Feb 16) spoke to two Americans whose data was exposed on the server. They helped to narrow down the source of the breach and the owner of the server — a Jamaican government contractor, Amber Group. (3/)
New: Spyware maker NSO Group used real phone location data on thousands of unsuspecting people when it demoed its new COVID-19 contact-tracing system, dubbed Fleming, to governments and journalists, researchers say. That data was exposed earlier this year. techcrunch.com/2020/12/30/nso…
The Fleming demo had an unprotected back-end database, exposing the location data. Researchers at @ForensicArchi examined that data and concluded that it was not dummy data as NSO claimed, "but rather reflects the movement of actual individuals.
You can read (and watch) @ForensicArchi's full technical report here, including the maps, graphs, and visualizations which explain their findings (while preserving the anonymity of the individuals whose location data was fed into NSO’s Fleming demo.)