Zack Whittaker
Security editor @TechCrunch • +1 646.755.8849 • zack.whittaker@techcrunch.com • https://t.co/X6GJDYwaBE
Oct 31, 2022 4 tweets 2 min read
Twitter's ongoing verification chaos is now a cybersecurity problem. It looks like some people (including in our newsroom) are getting crude phishing emails trying to trick people into turning over their Twitter credentials. Phishing emails are sent from a Gmail account and point to a Google Doc with a link to a Google Site. Yes, incredibly crude, but looks like this. Clearly capitalizing on the uncertainty around Twitter verification.

I forwarded details to Google to review/take down.
Feb 22, 2022 5 tweets 3 min read
NEW: A months-long @TechCrunch investigation uncovered a massive spyware operation exposing the call records, messages, photos, browsing history and precise location data of ~400k phones, including Americans.

techcrunch.com/2022/02/22/sta… Last October, we found a security bug that can be abused to access private data from thousands of unknowingly compromised phones. But efforts to disclose the bug went cold, and the bug remains active to this day. tcrn.ch/3jjrsYZ
Aug 24, 2021 4 tweets 3 min read
New: Citizen Lab has discovered a new NSO "zero-click" attack that circumvents Apple’s 'BlastDoor' security defenses in iOS 14. At least one activist's iPhone was hacked with Pegasus spyware. Apple said it's aware, but no word yet on a security fix.

techcrunch.com/2021/08/24/nso… The new exploit, called ForcedEntry, targeted a Bahraini human rights activist living in Bahrain, and likely hacked by the Bahraini government using an iOS 14 exploit to deploy Pegasus, said Citizen Lab. Eight other Bahrainis were also targeted, including @moosaakrawi in London.
Jul 19, 2021 6 tweets 2 min read
NSO issued a statement today, saying two things: 1) Pegasus wasn't involved in Jamal Khashoggi's murder, and 2) it doesn't have visibility into what customers do or who they target with Pegasus.

These two statements seem to be in conflict. Statement here: nsogroup.com/Newses/followi… I asked NSO for clarification (via Mercury, its London-based crisis communications PR firm). Note the key line here: "If we determine misuse." I asked how it determines that without visibility into its customers' data. NSO basically said, "go read our transparency report."
Jul 1, 2021 5 tweets 2 min read
Given how much data Gettr's API spits out, I can't say I would give it long before the entire site is scraped. For example, here's @alexstamos' post that he published earlier — gettr.com/post/peo9 — and what the API spits back.
May 5, 2021 4 tweets 2 min read
New: Peloton's leaky API let anyone pull members' private user account data, even with their profiles set to private. Worse, when the bug was privately reported earlier this year, Peloton ignored researchers past their 90-day deadline.

techcrunch.com/2021/05/05/pel… Great work by @FlyingPhishy, who discovered the leaky API and put up a blog post explaining the issues (now fixed) in more detail: pentestpartners.com/security-blog/…
Feb 21, 2021 10 tweets 4 min read
New: In the latest #JamCOVID development, the Amber Group broke its silence to say absolutely nothing of value, and the Jamaican government continues to point fingers at everyone other than itself.

A thread. (1/) A quick refresher: Amber Group runs Jamaica's JamCOVID website and app, but it left thousands of travelers' private data on an unprotected and exposed cloud server. Then the government lied about when it first knew about the security lapse. (2/)

Feb 18, 2021 7 tweets 3 min read
Some background on our story yesterday. TechCrunch discovered the exposed data as part of an investigation into COVID-19 apps, and worked to identify the source and notify them of the breach — as we've done before when we've found security issues. (1/)

techcrunch.com/2021/02/17/jam… We reached out to Jamaica's Ministry of Health on Saturday (Feb 13) to make contact. We got a response on Sunday from spokesperson Stephen Davidson asking for more information. We sent details of the exposed server that evening. Davidson did not respond. Server remained open. (2/)
Dec 30, 2020 4 tweets 2 min read
New: Spyware maker NSO Group used real phone location data on thousands of unsuspecting people when it demoed its new COVID-19 contact-tracing system, dubbed Fleming, to governments and journalists, researchers say. That data was exposed earlier this year. techcrunch.com/2020/12/30/nso… The Fleming demo had an unprotected back-end database, exposing the location data. Researchers at @ForensicArchi examined that data and concluded that it was not dummy data as NSO claimed, "but rather reflects the movement of actual individuals."

From May: techcrunch.com/2020/05/07/nso…