Security

Israeli Firm Tied To Tool That Uses WhatsApp Flaw To Spy On Activists (bbc.com)

An anonymous reader quotes a report from The New York Times: An Israeli firm accused of supplying tools for spying on human-rights activists and journalists now faces claims that its technology can use a security hole in WhatsApp, the messaging app used by 1.5 billion people, to break into the digital communications of iPhone and Android phone users. Security researchers said they had found so-called spyware -- designed to take advantage of the WhatsApp flaw -- that bears the characteristics of technology from the company, the NSO Group.

The spyware was used to break into the phone of a London lawyer who has been involved in lawsuits that accused the company of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists, the researchers said. There may have been other targets, they said. Digital attackers could use the vulnerability to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call. As WhatsApp's engineers examined the vulnerability, they concluded that it was similar to other tools from the NSO Group, because of its digital footprint.
WhatsApp engineers patched the vulnerability on Monday.

"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," the Facebook-owned company said in a statement.
Security

Boost Mobile Says Hackers Broke into Customer Accounts (techcrunch.com)

Boost Mobile is informing customers of a data breach nearly two months after it happened. "Boost.com experienced unauthorized online account activity in which an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code," said the notification. "The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorized account activity." TechCrunch reports: It's not known exactly how the hackers obtained customer PINs -- or how many Boost customers are affected. The company also notified the California attorney general, which companies are required to do if more than 500 people in the state are affected by the same security incident. Boost Mobile reportedly had 15 million customers in 2018.

The hackers used those phone numbers and account PINs to break into customer accounts using the company's website Boost.com, said the notification. These codes can be used to alter account settings. Hackers can automate account logins using lists of exposed usernames and passwords -- or in this case phone numbers and PIN codes -- in what's known as a credential stuffing attack. Boost said it has sent affected customers a text message with a temporary PIN.
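Credential stuffing has a recognisable shape on the server side: one source tries many distinct accounts in a short burst, most attempts fail, and the few that succeed are the accounts the attacker now owns. The following detector is an added example written for this page; it is not Boost Mobile's or TechCrunch's code, the log format and the sample lines are constructed (RFC 5737 test addresses, 555 phone numbers), and the thresholds (ten-minute window, at least five distinct accounts, at least half the attempts failing) are assumptions a practitioner would tune to their own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample login log (NOT real Boost Mobile data).
# Fields: timestamp, source IP, account identifier (a phone number), outcome.
# 198.51.100.5 is a normal user who mistypes a PIN once; 203.0.113.7 is a
# stuffing run across ten accounts with two hits; 192.0.2.44 is unrelated.
SAMPLE_LOG = """\
2019-03-14T02:00:01Z 198.51.100.5 5550100 FAIL
2019-03-14T02:00:09Z 198.51.100.5 5550100 OK
2019-03-14T02:00:12Z 203.0.113.7 5550101 FAIL
2019-03-14T02:00:12Z 203.0.113.7 5550102 FAIL
2019-03-14T02:00:13Z 203.0.113.7 5550103 OK
2019-03-14T02:00:13Z 203.0.113.7 5550104 FAIL
2019-03-14T02:00:14Z 203.0.113.7 5550105 FAIL
2019-03-14T02:00:14Z 203.0.113.7 5550106 OK
2019-03-14T02:00:15Z 203.0.113.7 5550107 FAIL
2019-03-14T02:00:15Z 203.0.113.7 5550108 FAIL
2019-03-14T02:00:16Z 203.0.113.7 5550109 FAIL
2019-03-14T02:00:16Z 203.0.113.7 5550110 FAIL
2019-03-14T02:31:40Z 192.0.2.44 5550200 OK
2019-03-14T02:45:00Z 203.0.113.7 5550111 FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse the constructed format into (ts, ip, account, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    events.sort()
    return events


def detect_credential_stuffing(text, window_seconds=600, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that, inside any window_seconds-long sliding window, attempt at
    least min_accounts distinct accounts with a failure ratio >= min_fail_ratio.
    Returns {ip: {"accounts": n, "attempts": n, "failures": n}} for the worst window per IP."""
    by_ip = defaultdict(list)
    for ts, ip, acct, ok in parse_log(text):
        by_ip[ip].append((ts, acct, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        win = deque()                 # events currently inside the sliding window
        acct_counts = defaultdict(int)
        failures = 0
        best = None
        for ts, acct, ok in evs:
            win.append((ts, acct, ok))
            acct_counts[acct] += 1
            failures += 0 if ok else 1
            # Expire events older than the window relative to the newest event.
            while (ts - win[0][0]).total_seconds() > window_seconds:
                _, old_acct, old_ok = win.popleft()
                acct_counts[old_acct] -= 1
                if acct_counts[old_acct] == 0:
                    del acct_counts[old_acct]
                failures -= 0 if old_ok else 1
            attempts, distinct = len(win), len(acct_counts)
            if distinct >= min_accounts and failures / attempts >= min_fail_ratio:
                if best is None or distinct > best["accounts"]:
                    best = {"accounts": distinct, "attempts": attempts, "failures": failures}
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"credential stuffing from {ip}: {stats}")
```

The successful logins inside a flagged burst (5550103 and 5550106 above) are the accounts to force a PIN reset on, which is what Boost's temporary-PIN text amounts to. Real stuffing campaigns spread attempts over many source addresses to stay under per-IP thresholds, so the same window logic is worth running keyed on other dimensions too (user agent, ASN, or the global distinct-account rate), and a short, numeric PIN makes the attacker's job easier than a password would.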

Security

Academics Improve SHA-1 Collision Attack, Make It Actually Dangerous (zdnet.com)

An anonymous reader writes: "Attacks on the SHA-1 hashing algorithm just got a lot more dangerous last week with the discovery of the first-ever 'chosen-prefix collision attack,' a more practical version of the SHA-1 collision attack first carried out by Google two years ago," reports ZDNet. Google's 2017 result was an identical-prefix collision: the two colliding files had to start with the same attacker-supplied prefix, and the blocks that actually produced the collision were dictated by the attack rather than chosen by the attacker, so the attacker had little control over the content of the forged file. The chosen-prefix variant detailed last week lets the attacker pick two different, arbitrary prefixes and then compute suffixes that make both messages hash to the same SHA-1 value, which is what it takes to forge specific SHA-1-signed files or data streams on demand. That makes collision attacks on SHA-1 practical in the real world, albeit at an estimated price tag of $100,000 per collision.
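Why one paid-for collision goes a long way: SHA-1 is a Merkle-Damgard construction, so the digest of prefix || suffix depends only on the chaining state reached after the (block-aligned) prefix and on the suffix. Once two chosen prefixes reach the same chaining state, any common tail appended to both (the body of a document, the rest of a certificate) keeps them colliding. The code below is an added example written for this page, not code from the page, from ZDNet, or from the collision paper: a minimal SHA-1 per FIPS 180-4 with the midstate exposed, cross-checked against `hashlib`. The prefix and suffix are constructed inputs; no actual collision is computed here, since that is the part that costs $100,000.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
BLOCK = 64
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_compress(state, block):
    """Absorb one 64-byte block into the 5-word chaining state (FIPS 180-4, section 6.1)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rotl(a, 5) + (f & MASK) + e + k + w[i]) & MASK
        a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def sha1_midstate(prefix, state=IV):
    """Chaining state after absorbing a block-aligned prefix (len % 64 == 0).
    This is the only thing two colliding prefixes need to have in common."""
    if len(prefix) % BLOCK:
        raise ValueError("prefix must be a multiple of 64 bytes")
    for off in range(0, len(prefix), BLOCK):
        state = sha1_compress(state, prefix[off:off + BLOCK])
    return state


def sha1_resume(state, prefix_len, suffix):
    """Finish SHA-1 from a midstate: hex digest of prefix || suffix, given only the
    state after the prefix and the prefix length (needed for the length field)."""
    total = prefix_len + len(suffix)
    padding = b"\x80" + b"\x00" * ((55 - total) % BLOCK) + struct.pack(">Q", total * 8)
    state = sha1_midstate(suffix + padding, state)
    return b"".join(struct.pack(">I", v) for v in state).hex()


def sha1_hex(data):
    """Plain SHA-1, expressed as resumption from the IV with an empty prefix."""
    return sha1_resume(IV, 0, data)


def common_suffix_keeps_collision(state_a, state_b, prefix_len, suffix):
    """What the forger relies on: equal midstates after equal-length prefixes give
    equal final digests for every common suffix."""
    return sha1_resume(state_a, prefix_len, suffix) == sha1_resume(state_b, prefix_len, suffix)


if __name__ == "__main__":
    p = b"A" * 128                                   # constructed, block-aligned prefix
    s = b"identical tail shared by both forged files"  # constructed common suffix
    mid = sha1_midstate(p)
    print("midstate:", [hex(v) for v in mid])
    print("resumed :", sha1_resume(mid, len(p), s))
    print("hashlib :", hashlib.sha1(p + s).hexdigest())
```

The same midstate property is why the attacker in a chosen-prefix scenario only has to pay for the collision blocks once per pair of prefixes, and why a verifier that still accepts SHA-1 signatures cannot tell the two documents apart no matter how much identical content follows.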
Facebook

Facebook Sues Analytics Firm Rankwave Over Data Misuse (techcrunch.com)

Facebook revealed last Friday that it has filed a lawsuit alleging South Korean analytics firm Rankwave abused its developer platform's data, and has refused to cooperate with a mandatory compliance audit and request to delete the data. TechCrunch reports: Facebook's lawsuit centers around Rankwave offering to help businesses build a Facebook authorization step into their apps so they can pass all the user data to Rankwave, which then analyzes biographic and behavioral traits to supply user contact info and ad targeting assistance to the business. Rankwave also apparently misused data sucked in by its own consumer app for checking your social media "influencer score." That app could pull data about your Facebook activity such as location checkins, determine that you've checked into a baseball stadium, and then Rankwave could help its clients target you with ads for baseball tickets.

The use of a seemingly fun app to slurp up user data and repurpose it for other business goals is strikingly similar to how Cambridge Analytica's personality quiz app tempted millions of users to provide data about themselves and their friends. TechCrunch has obtained a copy of the lawsuit that alleges that Rankwave misused Facebook data outside of the apps where it was collected, purposefully delayed responding to a cease-and-desist order, claimed it didn't violate Facebook policy, lied about not using its apps since 2018 when they were accessed in April 2019, and then refused to comply with a mandatory audit of its data practices. Facebook Platform data is not supposed to be repurposed for other business goals, only for the developer to improve their app's user experience.

Privacy

Twitter Bug Shared Location Data For Some iOS Users (zdnet.com)

Twitter today disclosed a bug in its platform that impacted the privacy of some of its iOS app's users. From a report: "We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances," Twitter said. The company said the bug only occurred on its iOS app where users added a second Twitter account on their phones. If they allowed Twitter access to precise location data in one account, then that setting was applied to both accounts managed via the iOS app. This meant the app sent precise location data to Twitter, which then made it available to "a trusted partner during an advertising process known as real-time bidding," even for accounts whose users had not agreed to share such information.
The Courts

Accused of 'Terrorism' For Putting Legal Materials Online (nytimes.com)

Carl Malamud believes in open access to government records, and he has spent more than a decade putting them online. You might think states would welcome the help. From a report: But when Mr. Malamud's group posted the Official Code of Georgia Annotated, the state sued for copyright infringement. Providing public access to the state's laws and related legal materials, Georgia's lawyers said, was part of a "strategy of terrorism." A federal appeals court ruled against the state, which has asked the Supreme Court to step in. On Friday, in an unusual move, Mr. Malamud's group, Public.Resource.Org, also urged the court to hear the dispute, saying that the question of who owns the law is an urgent one, as about 20 other states have claimed that parts of similar annotated codes are copyrighted.

The issue, the group said, is whether citizens can have access to "the raw materials of our democracy." The case, Georgia v. Public.Resource.Org, No. 18-1150, concerns the 54 volumes of the Official Code of Georgia Annotated, which contain state statutes and related materials. The state, through a legal publisher, makes the statutes themselves available online, and it has said it does not object to Mr. Malamud doing the same thing. But people who want to see other materials in the books, the state says, must pay the publisher.

Businesses

Supreme Court Says Apple Will Have To Face App Store Monopoly Lawsuit (theverge.com)

A group of iPhone owners accusing Apple of violating US antitrust rules because of its App Store monopoly can sue the company, the Supreme Court ruled Monday. From a report: The Supreme Court upheld the Ninth Circuit Court of Appeals' decision in Apple v. Pepper, agreeing in a 5-4 decision that Apple app buyers could sue the company for allegedly driving up prices. "Apple's line-drawing does not make a lot of sense, other than as a way to gerrymander Apple out of this and similar lawsuits," wrote Justice Brett Kavanaugh. Apple had claimed that iOS users were technically buying apps from developers, while developers themselves were Apple's App Store customers. According to an earlier legal doctrine known as Illinois Brick, "indirect purchasers" of a product don't have the standing to file antitrust cases. But in today's decision, the Supreme Court determined that this logic doesn't apply to Apple.