DEV Community

Habdul Hazeez


Security news weekly round-up - 23rd February 2024

Introduction

Hello, and welcome to this week's review. In this edition, we'll talk about prompt injection attacks, how people got scammed, some warnings from Meta, the PQ3 protocol from Apple, and more. So, let's go!


Multi-modal prompt injection image attacks against GPT-4V

This article echoes the statement: tell a computer what to do and it will do it. It seems funny at first, but it's also scary. Nonetheless, it shows that despite measures put in place to prevent the misuse of LLMs like GPT, humans can get clever and make them do what they want.

Here is a quick excerpt for you:

The fundamental problem here is this: Large Language Models are gullible. Their only source of information is their training data combined with the information that you feed them. If you feed them a prompt that includes malicious instructions—however those instructions are presented—they will follow those instructions.

Pluralistic: How I got scammed (05 Feb 2024)

This happened to Cory Doctorow, but it can happen to anyone, so be careful and double-check before you give out your card information. What's more, another person allegedly got scammed out of $50K in cash, and another out of $600k in retirement savings.

The following is an excerpt from Cory's article:

There's a name for this in security circles: "Swiss-cheese security." Imagine multiple slices of Swiss cheese all stacked up, the holes in one slice blocked by the slice below it. All the slices move around and every now and again, a hole opens up that goes all the way through the stack. Zap!

Meta Warns of 8 Spyware Firms Targeting iOS, Android, and Windows Devices

I'm surprised and also not surprised; still, it's worth knowing.

Here is more from the article:

The eight companies are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries.

These firms, per Meta, also engaged in scraping, social engineering, and phishing activity that targeted a wide range of platforms such as Facebook, Instagram...

Apple Unveils PQ3 Protocol - Post-Quantum Encryption for iMessage

It's a preemptive approach. Nonetheless, it's better to be safe than sorry.

A quick one from the article:

PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps

Everything you need to know about IP grabbers

Raise your hands if this is the first time you're reading about "IP grabbers". Anyone? Come on! Wait, check the excerpt and read the article for more.

An IP grabber is usually a link that, upon clicking, records your IP address and stores it. What can follow is that someone can use another tool to track that IP across the web, noting its interactions with various web pages around the net.

Researchers Detail Apple's Recent Zero-Click Shortcuts Vulnerability

Apple has patched the bug, but it's still worth knowing about. You can read more about the vulnerability in the excerpt below.

The method involves selecting any sensitive data (Photos, Contacts, Files, and clipboard data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server.

The exfiltrated data is then captured and saved as an image on the attacker's end using a Flask application, paving the way for follow-on exploitation.

Fraudsters tried to scam Apple out of 5,000 iPhones worth over $3 million

Long story short: they were arrested in September 2019 and are awaiting sentencing on June 21, 2024. The scheme seemed to work at first, until they got caught.

Here is more from the article:

Throughout this multi-year scheme, they shipped counterfeit devices from Hong Kong to commercial mail receiving agency (CMRA) mailboxes in UPS stores, opened using their actual driver's licenses and university identification cards.

They then submitted the inauthentic iPhones with spoofed serial numbers and IMEI numbers to Apple retail stores and Apple Authorized Service Providers and received replacement iPhones from Apple, shipped via private and commercial interstate carriers, including FedEx, DHL, and UPS.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.
