Encrypted mail service Proton hands suspect's personal info to local cops

Plus: Google patches another Chrome security hole, and more

Infosec in brief Encrypted email service Proton Mail is in hot water again from some quarters, and for the same thing that earned it flack before: Handing user data over to law enforcement. 

Proton, which offers several services it touts as being secure and safe, includes an end-to-end encrypted email product. Ostensibly designed for the privacy conscious, Proton say it is unable to read the content of email and attachments, be free of trackers and ads, and have the "highest standards of privacy." 

Be as that may, there is still user info Proton has access to and can be pressured to divulge. In 2021, the Switzerland-based vendor provided local police with the IP address and device details of a netizen the cops were trying to identify. That individual – a French climate activist who was already known to police – was later arrested. 

Shortly after that kerfuffle, Proton removed the claim that it didn't track user IP addresses from its website. Proton has also previously been accused of offering real-time surveillance of users to authorities. 

In this latest instance, Proton handed over an account's recovery email address information to Swiss police concerning a suspect believed to be supporting Catalonian separatists. Spanish cops handed the recovery address to Apple, which was reportedly able to identify the individual associated with the account. 

Proton told advocacy outfit Restore Privacy it was well aware of the case, but its hands were tied under Swiss laws against terrorism. 

"Proton has minimal user information, as illustrated by the fact that in this case data obtained from Apple was used to identify the terrorism suspect," a Proton spokesperson protested. "Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method." 

When we reached out to Proton it directed us to a Twitter thread from its CEO Andy Yen, in which he says much the same.

Critical vulnerabilities: Time to polish that Chrome

We start this week of vulnerabilities with a Chrome stable channel update released last Thursday. This patch fixes CVE-2024-4671 – a use after free vulnerability in Visuals. What makes this one important to deal with is the fact that Google is aware of it being exploited in the wild, so check Chrome for updates and get them installed ASAP. 

Elsewhere:

  • CVSS 9.3 – CVE-2023-46604: Delta Electronics InfraSuite Device Master hardware monitoring software is running an older version of Apache ActiveMQ that makes it vulnerable to deserialization of untrusted data.
  • CVSS 9.2 – CVE-2024-3493: Several models of Rockwell Automation ControlLogix and GuardLogix PLCs are improperly validating input, opening them to a MNRF. 
  • CVSS 8.6 – CVE-2024-26024: Subnet Solutions Substation Server versions 2.23.10 and prior contain untrustworthy third-party components that could lead to RCE, DoS or other bad conditions.
  • CVSS 8.3 – CVE-2024-4622: Aliptronic Hypercharger EV charging units are using known default credentials in their web portals, opening them up to takeover. 

Patent office springs another leak

The US Patent and Trademark Office (USPTO) has admitted for the second time in as many years to publicly disclosing the private information of patent applicants online.

Last year the blame fell on a misconfigured API exposing domicile data. This time it's reportedly domicile data being exposed again – but the Patent Office claims the issue stems from an IT systems migration mistake.  

Approximately 14,000 patent applicants have had their private addresses exposed in bulk datasets published by the USPTO, the Office revealed. The data wasn't discoverable in regular searches during the period in which it was exposed (August 2023 to April 2024). 

"[USPTO] blocked access to the impacted bulk data set, removed files, implemented a patch to fix the exposure, tested our solution, and re-enabled access," the agency explained of its recovery measures. 

It's just too bad for everyone caught up in the leak that it took around a year to spot the issue for the second time in a row. 

LockBit still strong enough to knock Wichita offline

Its operations may have been significantly curtailed and its leader may have been exposed, but that doesn't mean notorious ransomware group LockBit is giving up the game. New targets – like the government of the city of Whichita, Kansas – are still being attacked.

Wichita officials disclosed a ransomware attack that took several systems offline last week, forcing the city to take payment systems offline for its water utility, court and public transportation. Arrival and departure screens at Wichita's airport, and its public Wi-Fi, were offline as well.

LockBit posted the city to the ransom website it established after its original was seized by law enforcement earlier this year the day after Wichita disclosed the attack on its own.

Systems were still reported offline as of Friday, May 10, and Wichita officials still haven't provided a timetable for system restoration. ®

More about

TIP US OFF

Send us news


Other stories you might like