Google settles location tracking lawsuit for only $39.9M

Also, more OEM Android malware, Google's bug reports (mostly) ditch CVEs, and this week's critical vulns

in brief Google has settled another location tracking lawsuit, yet again being fined a relative pittance.

Washington State Attorney General Bob Ferguson's office announced the $39.9 million fine last week, along with news that Google will have to implement several state-ordered tracking reforms that clarify what data is being gathered and for what purposes. 

"Today's resolution holds one of the most powerful corporations accountable for its unethical and unlawful tactics," Ferguson said in a statement. 

The lawsuit is similar to others filed across the country last year, with attorneys general in Indiana, Texas and Washington, DC joining Washington state in suing Google over claims it used "dark patterns" to trick users into allowing location tracking and data collection, while also making it difficult to opt out. 

In January, Washington DC and Indiana announced a joint settlement with Google that netted the pair $9.5 million and $20 million respectively, which the Washington state AG's office said it chose not to sign onto in a bid to earn more money for state coffers. 

"Instead of joining a multistate settlement, Ferguson's office independently filed its own lawsuit and obtained this resolution. The Attorney General's Office estimates Washington received more than double the amount it would have received under the wider multistate settlement," the Ferguson's office said. 

While it's true that Washington state earned itself considerably more than DC or Indiana, it's worth noting, as we so often have to do at El Reg, that even a $40m settlement is unlikely to make Alphabet accountants take pause.

In Q1 of this year, Google's parent company announced [PDF] it had made $15.05 billion in net profit.

Ferguson's office said it intends to use its Google fine to continue enforcing the Consumer Protection Act. Its enforcement body, the Consumer Protection Division, receives minimal cash from the government and is largely funded by recoveries in cases like this one.

Critical vulnerabilities of the week: KeePass edition

Users of password manager KeePass, beware: it contains a nasty vulnerability that could be used to retrieve all but the first character of a user's master password in plaintext from any number of different memory dump files on a target system. Per the researcher that found it, there's no mitigation available until KeePass version 2.54 is released next month. 

In active exploit news, a pair of seven-year old vulnerabilities tied to Java Management Extensions, or JMX are worth mentioning: They're widespread, dangerous and CISA said they're being actively exploited. 

CVE-2016-3427, the first of the pair, involves an unspecified vulnerability in Oracle Java SE versions 6u113, 7u99 and 8u77; Java SE Embedded 8u77 and JRockit R28.3.9 that could allow a remote attacker to "affect confidentiality, integrity, and availability via vectors related to JMX," according to NIST. Couple that with an RCE vulnerability in multiple versions of Apache Tomcat that requires an attacker to have access to JMX ports, and you have a recipe for disaster.

In unrelated KEV news, Ruckus Wireless Admin up to version 10.4 allows RCE via an unauthenticated HTTP Get request; patches are available so install now. 

In ICS news, there's three issues to be aware of this week: 

  • CVSS 10.0 - Multiple CVEs: Johnson Controls OpenBlue Enterprise Manager Data Collector firmware prior to contains an improper authorization issue that an attacker could exploit to make API calls
  • CVSS 9.8 - CVE-2020-6967: Rockwell Automation FactoryTalk Diagnostics software between versions 2.00 and 6.11 contain a deserialization flaw that an attacker could exploit to execute code with system level privileges.
  • CVSS 8.6 - Multiple CVEs: Snap One's OvrC Pro software prior to version 7.3 contains a number of vulnerabilities that could allow an attacker to claim devices, execute arbitrary code and disclose device info. 

Non-phone Android devices still shipping with malware, too

We reported recently that Trend Micro security researchers at Black Hat Asia discovered millions of Android handsets built by budget OEMs were laced with malware, now new reports this week point to popular Android TV boxes sold on Amazon having similar problems.

According to security researcher Daniel Milisic, who bought an infected set-top Android box from Amazon manufactured by Chinese company AllWinner, several popular models from AllWinner and fellow Chinese firm RockChip are shipping with malware that immediately reaches out to a C2 server once powered up. 

As with other similar malware, much of it comes with budget hardware manufactured by companies with poor supply chain security practices, and the bug could have been slipped in at any stage in production by any number of supply partners. 

Milisic claims to have found expired certificates on his device that pointed to mobile advertising platform Dotinapp, a mobile advertising platform that appears defunct. Just add this to the long list of similar issues that budget Android devices have dealt with over the years - consider this a lesson in "you get what you pay for" when it comes to computing hardware.

Google ditches CVEs for all but the most serious vulnerabilities

Google said it had plans to add a quality rating system to security vulnerability reports - yay - while also saying it plans to stop assigning CVEs to most reported issues - boo. 

Few would argue that vulnerability reports could benefit from quality ratings based on details, analysis, the inclusion of proof of concepts and the like. Not attaching CVE numbers "to most moderate severity issues," however, seems less like an attempt to incentivise the discovery of and high-quality reporting on vulnerabilities and more a way to reduce what gets cataloged in a bid to look better.

CISA describes assigning a CVE ID as step one in cataloging known exploited vulnerabilities. Without data on medium- and low-severity vulnerabilities in Google products only one company will benefit: Google, by obfuscating the bulk of its vulnerabilities. ®

Send us news

Google to push ahead with Chrome's ad-blocker extension overhaul in earnest

Starting Monday, users will gradually be warned the end is near

UK tribunal greenlights $17.4B advertising monopoly case against Google

Chocolate Factory entangled in yet another anti-competitive claim

Google’s in-house docs about search ranking leak online, sparking SEO frenzy

GitHub trove details API features that 'contradict' Big G’s public statements about how its engine works

NIST turns to IT consultants to clear National Vulnerability Database backlog

Aims to get CVE logjam cleared by the end of FY 24

An attorney says she saw her library reading habits reflected in mobile ads. That's not supposed to happen

Follow us down this deep rabbit hole of privacy policy after privacy policy

Contrary to its fine print, Google says it won't confiscate repair returns that have unapproved parts

'We are updating our terms to clarify this' Pixel giant tells The Reg

Not even Chromebooks can escape AI PC craze: Google to inject Plus laptops with LLM juice

New models will come with a year of Gemini Advanced, too

Google finally addresses those bizarre AI search results

Suggesting people eat rocks or put glue on pizza? Yeah, that's some artificial intelligence right there

Microsoft Research chief scientist has no issue with Windows Recall

As tool emerges to probe OS feature's SQLite-based store of user activities

Cybercrooks get cozy with BoxedApp to dodge detection

Some of the biggest names in the game are hopping on the trend

Google goes shopping for Indian e-commerce dominance … at Walmart

Invests $350 million in Flipkart

Quantinuum inches closer to fault-tolerant quantum with a 56 qubit machine

This one only produces errors 65 percent of the time. Woo-hoo!