This is a news item roundup of privacy or privacy-related news items for 9 FEB 2025 – 15 FEB 2025. Information and summaries provided here are as-is for warranty purposes. Note: You may see some traditional “security” content mixed-in here due to the close relationship between online privacy and cybersecurity – many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of user’s devices (and therefore pose a threat to their privacy) and large data breaches where significant personal information is exposed. Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or “popular” stories.
Privacy Tip of the Week
Try to remember deleting accounts you no longer need or use. The more accounts you have, the bigger your attack surface and potential exposure to data breaches. Tips for finding old accounts.
Surveillance Tech in the News
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy. Google’s reCAPTCHA is not only useless, it’s also basically spyware Techspot This study demonstrates Google’s reCAPTCHA v2 and v3 are flawed and don’t actually keep out bots. The research also shows that reCAPTCHA relies on fingerprinting (collecting “user agent data and other identifying information”) and shares this data with advertisers. The Murky Ad-Tech World Powering Surveillance of US Military Personnel WIRED This is mostly a continuation of another WIRED article where they detailed how Ad-Tech got the personal information and location data of US military members stationed in Germany. This article reveals that a Lithuania-based business acquired this information but would not disclose how they obtained it specifically. Revealed: gambling firms secretly sharing users’ data with Facebook without permission The Guardian The Meta Pixel strikes again. Gambling sites – that users visit – have the Meta Pixel embedded in their code, sending data on users to Meta, who then displays targeted ads to users. The users claimed to have never opted into tracking; but the Meta Pixel automatically captured their information and pushed it to Meta.
This primarily centers on the UK. However, given the prevalence of the Meta Pixel on many of the world’s most popular websites, it’s relevant enough to include here.
Privacy Tools and Services
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com
Privacy Tools
Proton Wallet brings safe Bitcoin self-custody to everyone Proton Proton has publicly released its self-custody Bitcoin wallet. Introducing Bitwarden Cupid Vault to securely share (and unshare) passwords with loved ones Bitwarden Bitwarden has already had the ability to securely share passwords. The Cupid Vault Configuration follows a similar approach.
Privacy Services
Mullvad has partnered with Obscura VPN Mullvad Mullvad announces its partnership with ObscuraVPN; Mullvad WireGuard VPN servers can be used as the exit hop for the two-party VPN service offered by ObscuraVPN. Single sign-on (SSO) and password generator rules are now available for Proton Pass Proton Proton Pass now supports single sign-on and allows setting of password generator rules. Kagi Search introduces Privacy Pass and Tor onion service for enhanced privacy & anonymity AlternativeTo Kagi launched a Tor onion service. Kagi also introduces Privacy Pass, which allows users to authenticate to servers (like Kagi’s) without revealing their identity; this should ensure searches are unlinkable to accounts.
Vulnerabilities and Malware
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user. This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
Vulnerabilities
Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391) Tenable This week was a Patch Tuesday (11 FEB) from Microsoft. According to Tenable, Microsoft patched 55 CVEs. CVE-2025-21418. Escalation of privilege in the Ancillary Function Driver for WinSock on Windows. When exploited, an authenticated attacker could elevate to SYSTEM level privileges. This has been exploited in the wild as a zero-day. CVE-2025-21391. Another privilege escalation vulnerability, but in Windows Storage. When exploited, a local authenticated attacker could delete (but not necessarily read) files from a system, which could result in data loss. This has been exploited in the wild as a zero-day. CVE-2025-21194. Publicly disclosed security feature bypass affecting the Microsoft Surface. Successful exploitation requires an attacker getting access to the same network as the device and convincing the user to reboot their device. Apple Patches ‘Extremely Sophisticated Attack’ That Can Hit iPhones PCMag Apple released an emergency update (18.3.1) to iOS. This patch fixes a vulnerability where USB Restricted Mode can be disabled on iPhones; this vulnerability has reportedly been exploited by law enforcement to access a locked iPhone. Tracked as CVE-2025-24200. Apple describes the zero-day as a highly sophisticated attack against a targeted individual. New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale GreyNoise Threat actors are attempting to exploit a local file inclusion vulnerability (tracked as CVE-2022-47945) in ThinkPHP and an information disclosure vulnerability (tracked as CVE-2023-49103) in ownCloud. While these are “old” vulnerabilities, there has been a recent notable wave of active exploitation looking to exploit vulnerable instances. Google fixes flaw that could unmask YouTube users’ email addresses Bleeping Computer A vulnerability in internal APIs; specifically, the API leaked a user’s “Gaia ID,” which is meant for internal-to-Google use only for identification between Google’s services and sites. This could be use to identify users on YouTube.
Malware
Valve removes Steam game that contained malware TechCrunch A game (PirateFi) on Steam was actually malware in disguise. It was removed by Valve; Valve sent a message to users who downloaded the game, telling them to “consider fully reformatting your operating system” and to “run a full-system scan using an antivirus product…” Magecart Attackers Abuse…
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2025/02/privacy-roundup-week-7-of-year-2025/
