IT News

Security researcher Evan Connelly discovered an enormous flaw affecting one of the largest telecommunications companies in the world that could allow any single person to view the recent incoming call log for potentially any Verizon phone number.

“In short, anyone could lookup data for anyone,” Connelly said.

A vulnerability in the Verizon Call Filter iOS app allowed anyone to request the call logs of millions of US Verizon customers. The Verizon Call Filter app for iOS allows customers to view a log of their recent calls. This log will show them the phone numbers and an associated timestamp.

To request such a log the app sends a request to a server to fetch the data belonging to the phone number in question.  The network request to the server contains various details such as your phone number and the requested time period for call records. The server then responds with a list of calls and timestamps.

But, as it turns out, there were no checks to make sure that the number the information was requested about and the number that sent the request matched.

So, the researcher was able to craft requests for any given phone number and get the call logs for that number, without the ownership of that number. The consequence: anyone could look up data for any Verizon Wireless customer.

The researcher did not check whether every Verizon Wireless customer was affected by this flaw.

“The issue I discovered impacted at least those who have the Verizon Call Filter service enabled (I did not test a number which had it disabled; I can’t rule out whether or not all Verizon numbers could have been impacted).”

But it looks as if the Verizon Call Filter is enabled by default, so at least a great many Verizon Wireless customers would be impacted.

This is not just a privacy concern. For some people this could be a security hazard. For people in a domestic abuse situation, public figures, or those of interest to resourceful cyberattackers, a history of calls and frequent callers falling in the wrong hands can put people at physical risk or even compromise national security.

An attacker with access to someone’s call history could figure out their daily habits, see who they talk to most often, and guess their personal relationships. There is no available information whether this flaw was ever actively abused.

Thankfully, Verizon took the issue seriously and fixed it promptly.

Timeline:

• 2/22/2025 – Issue discovered and reported to Verizon
• 2/24/2025 – Acknowledgment from Verizon of the report
• 3/23/2025 – Researcher requested an update as the issue appeared fixed
• 3/25/2025 – Confirmation from Verizon that the issue is resolved

Verizon call filter

The Verizon Call Filter is a useful tool against robocalls, since it’s a screening and filtering tool that helps you manage nuisance calls. Verizon uses a Know Your Customer (KYC) scoring system to identify spam call networks and block their calls before they reach your phone. Based on your settings, blocked calls will either go to voicemail or stopped altogether.

If you no longer want to use Call Filter, it’s easy to turn it off. Here’s how:

On iPhone:

1. Open the Call Filter app.
2. Go to Settings.
3. Tap Manage Plan and select Turn Off Call Filter.

Alternatively, you can disable it from your iPhone’s settings by going to Settings > Phone > Call Blocking & Identification and toggling off the Call Filter option.

On Android:

1. Open the Call Filter app (it might already be installed on your device).
2. Tap Account, then Manage Plan.
3. Follow the steps to disable Call Filter.

As an alternative you can use Malwarebytes Mobile Security for iOS or Malwarebytes Mobile Security for Android to block scam calls.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Up to one in five of the most popular mobile VPNs for iOS last year are owned by Chinese companies that do their best to hide the fact. In at least one case, the owner is on a US blacklist.

That’s according to a report from the non-profit Tech Transparency Project (TTP), who investigated the top 100 mobile VPN apps downloaded from Apple’s App Store as documented by mobile intelligence company AppMagic.

Mobile VPNs are apps that connect your smartphone to the internet via different computers around the world. People use them to make it look as though they’re connecting from elsewhere, often to dodge local censorship or to access commercial content not available in their region, or just because they’re concerned about privacy.

The downside is that you must be able to trust the company that operates those computers. After all, they get to see all of your traffic as it passes through those channels.

The TTP warns that a large proportion of the most popular mobile VPN apps in the Apple App Store are owned by Chinese companies. These include Qihoo 360, which is classified as a Chinese military company by the US Department of Defense.

Several mobile VPNs linked to Chinese military

According to the TTP report, Qihoo acquired an app development company called Guangzhou Quanyong. The company developed several mobile apps for Innovative Connecting Pte. Ltd, a Singapore-registered company owned by another company called Lemon Seed, registered in the Cayman Islands.

Innovative Connecting developed an app called Turbo VPN, which was marketed to Spanish-speaking people in the US as a way to circumvent proposed restrictions when accessing Chinese-owned social network TikTok. The company developed several other VPNs in the top 100, including VPN Proxy Master and Thunder VPN. It is also responsible for others that didn’t make it into the top 100: Snap VPN, and Signal Secure VPN.

Chinese company 360 Security Technology, also known as Qihoo 360, purchased Lemon Seed, according to its 2019 annual report.

Not only is Qihoo 360 classified as a Chinese military company in the US, in June 2025 the US government also placed Qihoo 360 on its Entity List, which is a list of companies maintained under the US government’s Export Administration Regulations (EAR).

The Entity List identifies entities that the US believes pose a risk to its national security. It added Qihoo 360 and others to the list citing “reasonable cause to believe that these entities pose a significant risk of becoming involved in activities — the procurement of commodities and technologies for military end-use in China—that are contrary to the national security interests of the United States.”

Three months later, Qihoo 360 sold a package of assets under the banner ‘Project L’, which the TTP investigation believes contained Lemon Seed based on the description of its acquisition date in the public filing.

In spite of the sale, TTP suggests an ongoing link between the two companies after the sale, based on March 2025 filings that list its sole director as Chen Ningyi, who shows up on a Qihoo 360 patent in 2017 and who appears to be a general manager for Qihoo’s mobile security app 360 Mobile Guard.

Shell companies and proxy ownership

Apps developed by Innovative Connecting aren’t the only with possible links to China, according to the report. It traced several back to companies in Hong Kong. The island city has come under increasingly strict Chinese control lately with the passage a year ago of Article 23, a bill applying strict penalties for a broad array of activities deemed anti-Chinese.

The report found several VPN apps registered to Hong Kong companies, often owned by people or entities on the mainland. These included X-VPN, VPNIFY, VPN Bucks, LinkWorldVPN, VPN Proxy OvpnSpider, and Best VPN Proxy AppVPN.

It also found some registered in other parts of the world that appeared to be Chinese products operating through proxies. One, WireVPN – Fast VPN & Proxy, was registered in the UK but is controlled by a single Chinese national via a shell company. It shares a privacy policy with another similarly-named product registered in Belize called Wirevpn – Secure & Fast VPN. Both use language lifted directly from Chinese privacy regulations.

While VPNs are a useful way to achieve some privacy online, this report highlights the importance of due diligence when choosing a technology provider. Not all VPNs are created equal – and just because they’re in Apple’s App Store doesn’t mean that they’re automatically above board.

How to find a VPN you can trust

Consider the jurisdiction:

• As evidenced by the TTP report, the VPN provider’s location matters. Be wary of VPNs based in countries that require intelligence-sharing with their governments

Look for these security features:

• Strong encryption protocols (like 256-bit ChaCha20) are vital.
• A “kill switch” is important; it disconnects your internet connection if the VPN drops, preventing data leaks.
• Look for VPNs that support secure protocols like WireGuard

Read the privacy policy:

• A “no-log” policy is essential. This means the VPN provider should not track, store, or share your browsing history, IP address, or any of your network data
• Carefully read the privacy policy to understand what data is collected and how it’s used.

Consider Malwarebytes Privacy VPN:

Of course we’d say that. But with a 256-bit ChaCha20 encryption, lightning-fast Wireguard protocols, and a strict no-log policy, you can be sure that Malwarebytes Privacy VPN will never track, store, or share any network data.

Recently we’ve been seeing quite a few phishing campaigns using QR codes in email attachments.

The lure and the targets are varied, but the use of a QR code to get someone to visit the phishing site is fast becoming a preferred method for cybercriminals.

There are several reasons why cybercriminals might want to use QR codes:

• The QR code is likely to be scanned with a phone, which are often less well protected against malicious websites or even completely unprotected.
• Phones are also likely personal devices which provide attackers with a direct path to sensitive personal accounts. For example, banking apps will be often be installed on the same device.
• QR codes are impossible for humans to identify as malicious at first glance.
• Links in emails are usually analyzed by email filters, whereas QR codes can be embedded as an image which many email filters will ignore.
• The use of QR codes in other applications like banking apps, may invoke a certain level of trust.

Combined with other known phishing techniques, QR codes provide criminals with a potent tool for collecting usernames and passwords, distributing malware, and other malicious activities.

Since any QR code scanner should show you the URL before following the link, the phishers often combine the use of QR codes with that of URL shorteners to further hide the real destination.

The attackers can even embed the QR codes in professionally designed documents mimicking HR portals, payroll updates, tax reviews, or e-signature services (e.g. DocuSign, Adobe), which increases the perceived legitimacy of the phish. Here’s one example we’ve seen:

“To conveniently access and navigate the contents of the updated Employee Handbook, please scan the QR code provided below. This will direct you to the digital version of the handbook for easy reference and exploration.

{QR code}

Should you have any questions, Please do not hesitate to contact the HR department.”

The employee handbook example above comes from a four-page document showing a handbook which has been allegedly changed, and ends with specific instructions to open the QR code with the camera app of the smartphone:

“Step-by-step guide

1. Open your camera app:

Launch the camera app on your smartphone

2. Point at the QR code:

Align your camera lens with the QR code, ensuring it is fully visible within the frame.

3. Wait for recognition:

Your phone will automatically detect the QR code and display a notification or link on the screen.

4. Access the content:

Tap on the notification or link to open the information associated with the QR code.”

The QR code in this example took anyone that followed the link to a website that redirected based on the email address. Personal email addresses would see generic advertising, but corporate email addresses would be prompted to log in with their Microsoft account.

So, this one was clearly looking to compromise a corporate account, but you can easily imagine how a phisher with another goal in mind could use a list of email addresses obtained in a breach, and with such a list run a targeted campaign.

Malwarebytes customers were protected against this phishing site.

What can you do to avoid QR code phishing?

Keep your device up to date

Many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app.

You’ll get notifications when updates are available for you, but you can also check for them yourself. For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Scan a QR code with the same security mindset as clicking a link

If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link, and look for another way to get the information or download you want.

Modern Android devices (version 8 and above) have a native QR code scanning capability built into the camera app. Some QR code scanner apps may have a feature that automatically executes actions like opening a website or downloading a file. Disable features like these.

Use anti-malware protection on your devices

Your mobile devices are in need of protection just as much as your computer. Malwarebytes protects devices with Malwarebytes for Android and Malwarebytes for iOS.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Not one but several worried parents that tracked their children by using T-Mobile tracking devices suddenly found that they were looking at the location of random other children. And could not locate their own.

T-Mobile sells a small GPS tracker called SyncUP, which can be used to track, among others, the locations of young children who don’t have cell phones yet. SyncUP uses a combination of GPS technology, Wi-Fi, and T-Mobile’s LTE nationwide network to locate registered devices and comes in the form of a small tag, a car tracker or a kids watch.

According to our friends at 404 Media, several users reported receiving information that came from another tracker, not their own. And from some of the statements it’s very clear that the disclosed locations belonged to other children because of the names and pictures associated with the accounts.

One woman who spoke to 404 Media could see the location address where the random children were, as well as their name and the last time the location was updated. In many cases, the time said “just now” or “one minute ago.”

“I was probably shown more than eight children. I would log in and I couldn’t see my children but I could see a kid in California. I refreshed and then I had no trackers, and then I refreshed again and would see a different child.” 

Car owners using SyncUP Drive, the car tracking device, reported similar problems.

Here are some of the potential issues that this mix up could bring up:

• A big concern about tracking devices is their vulnerability to hacking, potentially exposing personal data. No hacking was needed here. Every time some of the users tried they would get the location of a different tracker.
• Without consent, tracking devices can infringe on individuals’ privacy rights. While you may say this is mainly about tracking without consent, nobody consented to strangers tracking their children.
• GPS tracking must comply with privacy laws like the Electronic Communications Privacy Act (ECPA) and the Driver’s Privacy Protection Act (DPPA) to prevent unauthorized surveillance. Did T-Mobile fail to comply, even if only for a short time?
• Inaccurate tracking, or not being able to track, can compromise personal safety if devices are used for emergency services or monitoring vulnerable individuals.
• Repeated problems can erode the trust in the underlying GPS tracking technology.

This raises the question for parents to ask themselves: What’s worse, not knowing where your child is exactly or running the risk of exposing their location to other people?

Privacy concerns surrounding tracking devices are multifaceted. On one hand, these devices are designed to give users a sense of safety and security by providing accurate location information. However, they also pose risks if not properly secured.

We have reported multiple times about stalkerware users getting exposed by security flaws in the apps they used. While SyncUP may be more secure than some of the stalkerware apps we wrote about, this incident shows it’s not watertight either.

T-Mobile did not disclose the exact problem, but told 404 Media the incident is now resolved:

“Yesterday we fully resolved a temporary system issue with our SyncUP products that resulted from a planned technology update. We are in the process of understanding potential impacts to a small number of customers and will reach out to any as needed. We apologize for any inconvenience.”

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Yesterday, we told you about how millions of pictures from specialized dating apps had been stored online without any kind of password protection.

Now it’s the turn of an AI “nudify” service.

A researcher, famous for finding unprotected cloud storage buckets, has uncovered an unprotected AWS bucket belonging to the nudify service.

The rising popularity of these nudify services apparently has caused a selection of companies without any security awareness to hop on the money train. Millions of people use these services to turn normal pictures into nude images, and it only takes a few minutes.

South Korean AI company GenNomis by AI-NOMIS or somebody acting at their behalf stored 93,485 images and json files with a total size of 47.8 GB in a non-password-protected nor encrypted, but publicly exposed database.

Looking at the service, GenNomis is an AI-powered image generation platform that allows users to transform text descriptions into images, create AI personas, turn images to videos, face-swap images, remove backgrounds, etc., and all that without restrictions. It also provides a marketplace, where users can buy and sell these images as “artwork.”

The researcher saw numerous pornographic images, including what appeared to be disturbing AI-generated portrayals of very young people. Even though the GenNomis guidelines prohibit explicit images of children and any other illegal activities, the researcher found many of them. That doesn’t mean they were available to buy on the platform, but they were at least created.

Some of the deepfakes are hard to discern from real images, and as such may lead to serious privacy, ethical, and legal risks. Not to mention the humiliation for the owners of those images or parts thereof who didn’t consent. Sadly, there are many examples where young people have taken their own lives over sextortion attempts.

The researcher contacted the company about what he had found. He told The Register:

“They took it down immediately with no reply.”

Keep your children safe from nudify services

We’ve seen many cases where social media and other platforms have used the content of their users to train their AI. Some people have a tendency to shrug it off because they don’t see the dangers, but let us explain the possible problems.

In this case, it’s at the extreme end of what the content could be used for.

• Deepfakes: Users of this generative AI could have used the nudify service on publicly available pictures to create explicit deepfakes without consent. AI generated content, like deepfakes, can be used to spread misinformation, damage your reputation or privacy, or defraud people you know.
• Metadata: Users often forget that the images they upload to social media also contain metadata, such as where the photo was taken. This information could potentially be sold to third parties or used in ways the photographer didn’t intend.
• Intellectual property. Never upload anything you didn’t create or own. Artists and photographers may feel their work is being exploited without proper compensation or attribution.
• Bias: AI models trained on biased datasets can perpetuate and amplify societal biases.
• Facial recognition: Although facial recognition is not the hot topic it once used to be, it still exists. And actions or statements done by your images (real or not) may be linked to your persona.
• Memory: Once a picture is online, it is almost impossible to get it completely removed. It may continue to exist in caches, backups, and snapshots.

If you want to continue using social media platforms that is obviously your choice, but consider the above when uploading pictures of you, your loved ones, or even complete strangers.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A researcher found millions of pictures from specialized dating apps for iOS stored online without any kind of password protection.

The pictures, some of which are explicit, stem from dating apps that all have a specific audience. The five platforms, all developed by M.A.D. Mobile are kink sites BDSM People and Chica, and LGBTQ+ apps Pink, Brish, and Translove.

As we reported not too long ago, many iOS apps leak at least one hard coded secret. We consider hard coded secrets in the source code of the apps as exposed because they are relatively easy to find and abuse by cybercriminals. And those secrets can have serious consequences for the apps’ users

Cybernews’ Aras Nazarovas found the storage location (a Google Cloud Storage bucket) used by the apps by reverse engineering the code. To his surprise, he could access the unencrypted and otherwise unprotected photos without needing any password.

As soon as he saw the first image, he knew this storage should not have been public. Not only did it contain profile pictures, it also included pictures sent in private messages, including some removed by moderators.

In total, nearly 1.5 million user-uploaded images were available to anyone stumbling over the storage bucket. Although the images are not linked to any user accounts or other private information, it is not unthinkable that cybercriminals could figure out some of the identities by using commonly available face search engines.

Many of these search engines use Artificial Intelligence (AI) for facial recognition combined with reverse image search technology to find other photos of a person published online, based on a picture submitted by the user.

Although officially intended only for self-searches, many of them don’t bother to check whether that’s actually the case.

Coupled to the identity of the person in the picture, these images could expose users to extortion, as well as an increased risk of hostility. As if online dating isn’t nervewracking enough, especially for those looking in special categories, the last we need is to see our explicit images exposed.

M.A.D Mobile was warned about the leak in January, but didn’t take any action to protect the storage until the BBC contacted the company on Friday. The issue has now been fixed.

It’s important to stipulate that the apps are exclusive to iOS and do not have Android or web alternatives.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

Tax season is in full force, and with the filing deadline fast approaching on April 15, scammers are happy to use that sense of urgency to coax us into handing them our cash.

In one example, one of our customers recently received an email with an attachment titled “Urgent reminder.” The attachment was a PDF file with a QR code in it.

“Tax Services Department

Important Tax Review and Update Required by

2025-03-16!

Dear receiver,

As part of our ongoing efforts to ensure compliance with the latest tax regulations, we

are conducting a mandatory review and update of your tax records. This update must

be completed by 2025-03-16 to avoid any potential penalties or disruptions to your

account.

To proceed with the update, please scan the QR code below with your mobile device or

click the link provided to access the secure tax portal. Once logged in, follow the

prompts to review and confirm your tax information.

Thank you for your prompt attention to this matter.

Tax Services Team

This is an automated message. Please do not reply to this email.”

If the receiver were to scan the QR code, they would be sent to a phishing site. The destination is hidden through a clever use of doubleclick.net redirects.

Lucky for our customer, Malwarebytes had already blocked the real destination.

When we disabled our protection to see where the QR code led, we first had to pass the bot protection:

And then we were asked for our Microsoft credentials with the email address already filled out.

Entering your password will send your credentials to a Russian receiver, who will decide what the most profitable way to use them is. Perhaps they’ll sell the details on the dark web, or use them for themselves to get access to your Microsoft accounts.

But that’s just one example of a tax scam.

The IRS’s annual Dirty Dozen list of tax scams shows common schemes that threaten your tax and financial information. And, although these scams do appear year-round, tax season is when they reach their peak level.

One of the pitfalls the IRS warns about is bad tax advice provided on social media, as submitting false information to the IRS could land you in serious trouble. An example is the so-called “self-employment tax credit” which does exist in some countries, but the US is not one of them. Last year the misinformation was so rampant that the IRS issued a warning about it.

The other big type of scams are phishing emails, like we saw above. Even though scammers can use Artificial Intelligence to create convincing emails that appear to come from the IRS, there are often some tell-tale signs of social engineering attempts:

• Too good to be true: Huge, unexpected tax returns are usually just an incentive to get you to surrender private information in the hopes of obtaining that sum.
• Urgency is always implied, because the scammers do not want you to think things through.
• The IRS rarely contacts people by email. And when it does, it is only to send general information and in an ongoing case with an assigned IRS employee. So receiving an email should be an immediate pause for thought.

Avoiding scams

These days it has become increasingly difficult to navigate your way online without being exposed to a scam. People have become accustomed to trusting their search engine and naturally follow the different paths laid in front of them.

While some websites look obviously fake to someone, they may fool someone else. At the same time, the tools to build convincing schemes are readily available to anyone for free.

• Before calling a number, ensure that it is legitimate by visiting the official site directly.
• Beware of unsolicited phone calls or emails, especially those that ask you to act immediately.
• Beware of impersonators who may hide behind sponsored results and instead click on organic search results.
• Always check the website you visit by looking at the address bar. If in doubt, close the page and open a new one.
• If a website asks you for a small fee upfront it likely is trying to get your credit card information to sell you more expensive services.
• Never send sensitive personal information such as your bank account, charge card, or Social Security number by email. Instead use a secure method such as your online account or another application on IRS.gov.
• Use security software that blocks phishing domains and other scam sites. Malwarebytes Premium does this, leaving your computer and financial assets protected.

The IRS has a specific page dedicated to helping you identify if it’s really them reaching out to you or a scammer. Study that guide before making any rash decisions.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The internet is filled with falsehoods. 

We’re forever investigating new scams here at Malwarebytes, and so we get how hard it is to know what—or who—to trust online.  

There’s the scam that takes advantage of grieving people and tricks them into paying for a funeral live stream. 

There’s the fake CAPTCHA that hijacks clipboards and tricks users into installing malware. 

There’s the many, many, many scams that use Google ads to trick people into granting remote access to their machine, handing over money, or installing malware. 

And we’re being tricked constantly by AI, take the Texan restaurant with its dino croissant and photos of Jeff Bezos at the bar. Or the scam that uses an AI replica of a loved one’s voice to trick a family member into handing over money. 

It’s hard to know what to believe any day of the year online and so, while we used to participate in April Fools, it just hits different these days. 

Especially when things go wrong when it comes to April Fools’ pranks. Last year a burger restaurant sent customers into a spin after sending them a fake order confirmation email, which led to customers fearing that their accounts had been hacked. All in good faith, but it no doubt hit a nerve for the affected customers. 

So go ahead and order your Hot Dog Sparkling Water, eat your crust only pizza, or have a snooze in your banana sleeping bag. We love that. But as a cybersecurity brand we want you to feel like you can trust us—every single day of the year. If we say something is fake, then it’s fake. If we say it’s real, then it’s real. No exceptions. 

How to protect yourself from scams 

• Watch out for a false sense of urgency. Scammers will often use time pressure to get you to click, fill in your personal data, or hand over money. If you feel like you’re being asked to act quickly, take a pause. 

• Is it too good to be true? Offers of big discounts or free stuff can be really tempting, but they’re often used as lures for scammers. The likelihood is that it is, indeed, too good to be true and should be avoided at all costs. 

• Have a family code word. Scammers are known to use an AI-generated voice of a loved one to trick a family member into handing over money. Come up with a code word in person that only you and your loved ones know and keep it a secret so you can ask for it if you receive such a phone call. 

• Check via another way. If your “bank” gives you an unexpected phone call, ring them back on a number you know is theirs. If a Facebook friend DMs you a link, send them a quick text to check it’s really them. Double checking in this way could save you doing something you later regret. 

• Use a different password for every account. If you get your username and password stolen on one account you don’t want scammers to be able to use it on another. Password managers help you create complex passwords, and they remember them for you.  

• Set up multi-factor authentication on every account you can. It’s not foolproof, but it does make it considerably harder for scammers. 

Last week on Malwarebytes Labs:

• Vulnerability in most browsers abused in targeted attacks
• “This fraud destroyed my life.” Man ends up with criminal record after ID was stolen
• Moving from WhatsApp to Signal: A good idea?
• Security expert Troy Hunt hit by phishing attack
• Booking.com phish uses fake CAPTCHAs to trick hotel staff into downloading malware
• DeepSeek users targeted with fake sponsored Google ads that deliver malware
• 23andMe bankruptcy: How to delete your data and stay safe from the 2023 breach
• Oops! Google accidentally deletes some users’ Maps Timeline data

Last week on ThreatDown:

• Why YOUR software is the new malware

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Researchers found a vulnerability in Chrome that was abused in the wild against organizations in Russia.

Google has released an update for its Chrome browser which includes patches for this vulnerability.

The update brings the Stable channel to versions 134.0.6998.178 for Windows. Other operatings sytems are not vulnerable.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

The vulnerability exists in Windows for all Chromium based browsers, including Edge, Brave, Vivaldi, and Opera. These browsers can all be updated in more or less the same way.

But it doesn’t stop there. After studying the vulnerability, Mozilla concluded that Firefox and the Tor browser are also vulnerable. So, it released updates to patch them.

Technical details

The vulnerability, tracked as CVE-2025-2783 lies in Mojo for Windows. Mojo is a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC).

An incorrect handle provided under certain circumstances allows an attacker to escape the browser sandbox. Which means that due to a logical error on the level where the sandbox and the Windows operating system meet it allows an attacker to execute code on the actual operating system just by getting the target to visit a malicious site. This is something that the sandbox is supposed to prevent.

According to the researchers:

“Without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.”

The researchers did mention that there has to be an additional vulnerability to allow the attacker to enable remote code execution, which they have been unable to find.

All in all, it seems imperative that you update your browser(s) at your earliest convenience.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.