Security Newsletter

17 June 2019

LaLiga facing €250k fine for GDPR violations in app used to spy on users

Spanish soccer league LaLiga is facing a fine of €250,000 (approximately $283,000) for GDPR violations resulting from a convoluted wiretap in their smartphone app intended to curb piracy of soccer match broadcasts. The Spanish Agency for Data Protection (La Agencia de Protección de Datos, or AEPD) levied the fine this week due to the league's violation of consent-related clauses in the GDPR, as LaLiga did not properly disclose the nature of the microphone usage.

LaLiga introduced a feature in the official Android app last year that activates the microphone and GPS functions when matches are being played, under the pretense of using the features to identify venues such as bars or restaurants that are broadcasting soccer games illegally.This functionality is not happening surreptitiously, as the app requests access to the microphone and geolocation service—it does not rely on a vulnerability to access these components without explicit permission—as TechRepublic reported a year ago. Despite this, users were not explicitly informed of the intended use of the microphone and geolocation permissions, which is central to the decision by AEPD to levy fines against LaLiga.

According to the ABC report, LaLiga intends to appeal, stating that AEPD "has not made the necessary effort to understand how technology works." (Quote software translated.) Despite this, LaLiga will disable the listening function on June 30, the end of the season.

 

Critical Flaw Reported in Popular Evernote Extension for Chrome Users

Cybersecurity researchers discover a critical flaw in the popular Evernote Chrome extension that could have allowed hackers to hijack your browser and steal sensitive information from any website you accessed. Evernote is a popular service that helps people taking notes and organize their to-do task lists, and over 4,610,000 users have been using its Evernote Web Clipper Extension for Chrome browser.

According to researchers, the vulnerability could allow an attacker-controlled website to execute arbitrary code on the browser in the context of other domains on behalf of users, leading to a Universal Cross-site Scripting (UXSS or Universal XSS) issue.

Since Chrome Browser periodically, usually after every 5 hours, checks for new versions of installed extensions and updates them without requiring user intervention, you need to make sure your browser is running the latest Evernote version 7.11.1 or later.

 

More #News

 

#Patch Time!

 

#Tech and #Tools

Kindred Group is growing, so does the Group Security team! We're looking for new talented professionals to come join us:

• You like to break things, then explain how to fix it? Be part of our Cyber Security team
• You prefer the blue team side? Check out our Security analyst position
• Interested in Governance, Risk and Compliance? Apply for our Information Security Specialist role

Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. You can find all our open vacancies on our career page.

This content was created by Kindred Group Security. Please share if you enjoyed!

Kindred Group in brief

Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and as an innovation driven company that builds on trust.