Data Stolen From Thousands of Popular Mobile Apps: Cyber Security Today for January 13th, 2025

Share post:

Massive location data harvesting steals data using thousands of popular mobile apps, hackers find new ways of breaching Apple’s defenses, and Facebook caught with a critical vulnerability. These are today’s top cybersecurity stories.

This is Cyber Security Today, I’m your host, Jim Love.

Massive Data Leakage On Thousands of Mobile Apps

A massive breach has exposed how thousands of popular mobile apps on Android and iOS were used to track users’ precise locations without their knowledge. 

Files from Gravy Analytics, a major location data broker, and its subsidiary Venntel were leaked, revealing that real-time bidding systems are a key weak spot in the digital advertising world. 

Here’s how it works: Companies bid to place ads inside mobile apps, and during that process, data brokers can intercept and harvest user location information without users or app developers knowing. 

The hacked data includes tens of millions of phone coordinates from users worldwide. Among the affected apps are social networks, fitness trackers, and even religious apps, like Muslim Pro. 

Privacy experts warn that the data collected includes sensitive locations such as health clinics and places of worship. 

Gravy Analytics reportedly has sold this data to U.S. government agencies, including the FBI, ICE, and the IRS.

This breach raises critical privacy concerns and exposes a significant flaw in how digital advertising systems handle user data. Zach Edwards, a cybersecurity researcher, called it a “nightmare scenario for privacy” and warned that other data brokers may be using similar methods. 

The Federal Trade Commission has taken action against similar practices in the past, but this breach shows that the problem persists, highlighting the urgent need for stricter controls in the ad tech industry.

Hacker increasingly Attacking Apple Devices

Hackers are increasingly targeting Apple devices, signaling the end of Mac’s long-standing “security by obscurity” reputation. 

For years, Apple products were seen as safer than Windows PCs and Android devices due to their smaller market share and closed ecosystem. 

But that perception is changing as Apple’s popularity grows, making its ecosystem a prime target for cybercriminals. We’ve done stories last week about how North Korean hackers were going after MacOS. 

Now a recent breakthrough hack of the iPhone 15’s custom ACE3 USB-C controller shows another new attack vector, this time aimed at the iOS devices. It turns out that the new USB C connections are not blindly transporting data and power – they are sophisticated systems and, it turns out, vulnerable to attacks.

At the 38th Chaos Communication Congress in Hamburg, Germany, security researcher Thomas Roth, also known as “stacksmashing,” demonstrated how he exploited the controller to achieve code execution. 

The ACE3 controller manages power delivery and internal communication in Apple devices, and Roth used techniques like reverse engineering and electromagnetic fault injection to unlock the firmware. 

While Apple’s hardware remains more secure than many alternatives, Roth’s hack shows that even custom components can be vulnerable. 

He warned that this discovery could pave the way for future attacks, with bad actors potentially finding more exploits in Apple’s ecosystem. 

Roth reported his findings to Apple, but the company’s response was cautious. In a similar case involving the ACE2 controller, Apple initially pledged to fix the issue but later decided it was a hardware problem they wouldn’t address. As Apple’s presence in personal and enterprise computing grows, security experts say the company will need to prioritize more proactive security measures.

Facebook’s Ad Platform Vulnerability May Affect Other Platforms

A security researcher recently discovered a critical vulnerability in Meta’s Facebook ad platform, raising alarms about the security of online ad systems. 

Ben Sadeghipour found that a server used for creating and delivering Facebook ads was vulnerable to a previously patched Chrome browser flaw. 

Here’s what happened: Facebook’s infrastructure still relied on a headless version of Chrome that hadn’t been updated. By exploiting this flaw, Sadeghipour was able to run commands on an internal server, effectively giving him control of it. 

The flaw, known as remote code execution, could have been used to access sensitive data or other servers within Facebook’s network. 

After reporting the issue to Meta in October 2024, the company fixed it within an hour and awarded him a $100,000 bug bounty. Sadeghipour said the vulnerability highlights a broader risk in online ad platforms, which process vast amounts of user data through server-side operations. He warned that other companies might be at risk if they’re using similar technologies without proper patching. 

“There’s so much that happens in the background of making ads — whether video, text, or images — and these processes open the door to vulnerabilities,” he explained. The takeaway? Ad tech companies need to ensure their systems are up-to-date to prevent cybercriminals from exploiting server-side flaws.

 

That’s our show for today. You can reach me with tips, comments, and even some constructive criticism.

 

I’m your host Jim Love. Thanks for listening.

 

SUBSCRIBE NOW

Related articles

North Korean Hackers Trick Employees With New Social Engineering

North Korean Hackers Trick Employees With New Social Engineering, New Prompt Injection Attack Compromises Gemini's Long-Term Memorym Canada's...

Canada’s Tech Sector Faces Continuing Talent Crunch: Hashtag Trending

Report Says Canada's Tech Sector Faces Continuing Talent Crunch Amid Rapid AI Advancements, Study Reveals reCAPTCHA's Lousy At...

homson Reuters Wins Landmark AI Copyright Case: Hashtag Trending for Thursday, February 13, 2025

Thomson Reuters Wins Landmark AI Copyright Case, Tumblr joins the fediverse and converts to WordPress, The US and...

Scammers Exploit DeepSeek Hype: Cyber Security Today

Scammers Exploit DeepSeek Hype with Fake Websites and Crypto Schemes, A Researcher Jailbreaks OpenAI’s o3-mini Model, Bypassing Safety...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways