Security Newsletter
17 June 2019
LaLiga facing €250k fine for GDPR violations in app used to spy on users
Spanish soccer league LaLiga is facing a fine of €250,000 (approximately $283,000) for GDPR violations resulting from a convoluted wiretap in their smartphone app intended to curb piracy of soccer match broadcasts. The Spanish Agency for Data Protection (La Agencia de Protección de Datos, or AEPD) levied the fine this week due to the league's violation of consent-related clauses in the GDPR, as LaLiga did not properly disclose the nature of the microphone usage.
LaLiga introduced a feature in the official Android app last year that activates the microphone and GPS functions when matches are being played, under the pretense of using the features to identify venues such as bars or restaurants that are broadcasting soccer games illegally. This functionality is not happening surreptitiously: as TechRepublic reported a year ago, the app requests access to the microphone and geolocation service and does not rely on a vulnerability to access these components without explicit permission. Despite this, users were not explicitly informed of the intended use of the microphone and geolocation permissions, which is central to the decision by AEPD to levy fines against LaLiga.
According to the ABC report, LaLiga intends to appeal, stating that AEPD "has not made the necessary effort to understand how technology works." (Quote software translated.) Despite this, LaLiga will disable the listening function on June 30, the end of the season.
Read More on TechRepublic
 
Critical Flaw Reported in Popular Evernote Extension for Chrome Users
Cybersecurity researchers have discovered a critical flaw in the popular Evernote Chrome extension that could have allowed hackers to hijack your browser and steal sensitive information from any website you accessed. Evernote is a popular service that helps people take notes and organize their to-do lists, and over 4,610,000 users have been using its Evernote Web Clipper extension for the Chrome browser.
According to researchers, the vulnerability could allow an attacker-controlled website to execute arbitrary code on the browser in the context of other domains on behalf of users, leading to a Universal Cross-site Scripting (UXSS or Universal XSS) issue.
Chrome periodically checks for new versions of installed extensions, usually every 5 hours, and updates them without requiring user intervention. Even so, you need to make sure your browser is running the latest Evernote version, 7.11.1 or later.
Read More on TheHackerNews
Even More on BleepingComputer
 
Kindred Group is growing, and so is the Group Security team! We're looking for talented new professionals to join us: Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. You can find all our open vacancies on our career page.
This content was created by Kindred Group Security. Please share if you enjoyed!
Kindred Group in brief
Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offering our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and an innovation-driven company that builds on trust.
You can access the previous newsletters at https://news.infosecgur.us