Cyber Security News: Tea App Breach, AI Flaws, and PDF Exploits

Tea App Data Breach Escalates

• ☕ A second major data breach at the dating app Tea exposed over 1.1 million private messages, including sensitive discussions about cheating and abortions.
• ⚠️ The vulnerability allowed access to a live database via API keys, and hackers could even send push notifications to all users.
• 🔒 T claims it's investigating with cybersecurity help and has contacted law enforcement, but the app reportedly has 1.6 million users.

Critical Vulnerabilities and Exploits

• 🚨 CISA added three vulnerabilities to its catalog: two critical flaws in Cisco Identity Services Engine (ISE) allowing root access, and a flaw in PaperCut print management software.
• 💡 Researchers found a critical flaw in Google's Gemini AI coding assistant that could allow silent remote code execution, which Google has since patched.
• 🍎 A Mac OS flaw called Sploitlight could bypass Apple's TCC framework, enabling attackers to steal sensitive data like Apple Intelligence cache data and geolocation information.
• 🖱️ Malware was embedded in a recent version of Endgame Gear's mouse configuration tool, infecting users who downloaded it from the official site between June 26th and July 9th.
• 🚪 The Oyster backdoor is being spread via Trojanized versions of IT tools like PuTTY and WinSCP through malvertising and SEO poisoning campaigns.
• 💰 The FBI seized over $2.4 million in Bitcoin from the Chaos Ransomware gang, alleging the funds are tied to cybercrime activities.

PDF Security and Data Broker Paradox

• 📄 PDFs are a ubiquitous file format, making them a common vector for phishing attacks, as attackers can embed malicious links or QR codes within the documents.
• 📞 Telephone-Oriented Attack Delivery (TOAD) is a growing tactic where attackers use phone numbers in emails, bypassing traditional URL scanning and exploiting the fact that phone numbers are not typically monitored as indicators of compromise.
• 📈 Organizations should combine technical defenses like brand impersonation detection with user education to combat these threats.
• 🕵️ A study revealed that a significant portion of registered data brokers ignore legally mandated requests for data disclosures, creating an unintended privacy paradox where users must provide more personal information to opt out of data collection.