Communications

The FCC Will Review Emergency Alert Systems in the US (engadget.com) 29

An anonymous reader shares a report: The Federal Communications Commission is planning a review of the US emergency alert systems. Both the Emergency Alert System (EAS) and the Wireless Emergency Alerts (WEA) will be subject to a "re-examination" by the agency. "We want to ensure that these programs deliver the results that Americans want and need," FCC Chairman Brendan Carr posted on X.

The announcement of this plan notes that the infrastructure underlying the EAS -- which includes radio, television, satellite and cable systems -- is 31 years old, while the framework underpinning the WEA mobile device alerts is 13 years old. The FCC review will also assess what entities should be able to send alerts on those systems, as well as topics such as geographic targeting and security.

Intel

Intel CEO Hits Out at 'Misinformation' After US President Calls on Him To Resign 65

Intel's chief executive Lip-Bu Tan has hit out at "misinformation" over his career after U.S. President Donald Trump alleged the semiconductor industry veteran was "highly conflicted" and should resign. From a report: In a letter to Intel staff published late on Thursday, Tan said that Intel was "engaging" with the Trump administration "to address the matters that have been raised and ensure they have the facts."

"There has been a lot of misinformation circulating about my past roles...I want to be absolutely clear: Over 40+ years in the industry, I've built relationships around the world and across our diverse ecosystem -- and I have always operated within the highest legal and ethical standards," Tan wrote.

Tan's move to reassure staff at Intel, the only US-headquartered company capable of manufacturing advanced chips, came hours after Trump had demanded his resignation in a post on Truth Social. Trump did not detail Tan's alleged conflicts of interest but the U.S. president's broadside followed a letter from Tom Cotton, the Republican head of the Senate intelligence committee, to Intel's chair expressing "concern about the security and integrity of Intel's operations" and Tan's ties to China.
Encryption

Encryption Made For Police and Military Radios May Be Easily Cracked (wired.com) 64

An anonymous reader quotes a report from Wired: Two years ago, researchers in the Netherlands discovered an intentional backdoor in an encryption algorithm baked into radios used by critical infrastructure -- as well as police, intelligence agencies, and military forces around the world -- that made any communication secured with the algorithm vulnerable to eavesdropping. When the researchers publicly disclosed the issue in 2023, the European Telecommunications Standards Institute (ETSI), which developed the algorithm, advised anyone using it for sensitive communication to deploy an end-to-end encryption solution on top of the flawed algorithm to bolster the security of their communications. But now the same researchers have found that at least one implementation of the end-to-end encryption solution endorsed by ETSI has a similar issue that makes it equally vulnerable to eavesdropping. The encryption algorithm used for the device they examined starts with a 128-bit key, but this gets compressed to 56 bits before it encrypts traffic, making it easier to crack. It's not clear who is using this implementation of the end-to-end encryption algorithm, nor if anyone using devices with the end-to-end encryption is aware of the security vulnerability in them. Wired notes that the end-to-end encryption the researchers examined is most commonly used by law enforcement and national security teams. "But ETSI's endorsement of the algorithm two years ago to mitigate flaws found in its lower-level encryption algorithm suggests it may be used more widely now than at the time."
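As an added illustration of why the compression step matters, here is a toy model of "128-bit key in, 56-bit key used". This is example code written for this page, not the ETSI algorithm, the examined device's cipher or the researchers' tool; the hash-based compression function, the toy stream cipher, and the sample key and plaintext are all constructed assumptions. The point it shows is that the attacker never has to search the 128-bit space: a known-plaintext brute force over the compressed space recovers everything needed to decrypt, and many distinct full keys collapse onto the same effective key.

```python
# Added example (not the ETSI algorithm, the device's firmware or the
# researchers' code): a toy model of "128-bit key in, short key used",
# showing that the attacker only has to search the compressed space.
# The compression step, the stream cipher and all inputs are constructed.
import hashlib


def compress_key(key: bytes, out_bits: int) -> int:
    """Lossy key-compression step (assumed shape; the real one is not on the page).

    Hashes the full key and keeps only out_bits bits (out_bits <= 64 here), so
    every one of the 2**128 input keys maps into a space of 2**out_bits values.
    """
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)


def keystream(effective_key: int, nbytes: int) -> bytes:
    """Toy stream cipher keyed by the compressed value only (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        block = hashlib.sha256(
            effective_key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:nbytes])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, out_bits: int) -> bytes:
    """What the radio does: derive the short key, then encrypt with it."""
    return xor(plaintext, keystream(compress_key(key, out_bits), len(plaintext)))


def recover_effective_key(known_pt: bytes, ct: bytes, out_bits: int) -> int:
    """Known-plaintext brute force over the *compressed* key space.

    The attacker never needs the 128-bit key: any candidate whose keystream
    turns known_pt into ct also decrypts every later frame keyed the same way.
    """
    target = xor(known_pt, ct)  # the keystream bytes the cipher actually used
    for cand in range(1 << out_bits):
        if keystream(cand, len(target)) == target:
            return cand
    raise ValueError("no candidate found")


def find_colliding_keys(out_bits: int, max_tries: int = 100_000):
    """Two distinct 128-bit keys that the radio would treat as the same key.

    Uses deterministic sample keys so the result is reproducible; by the
    pigeonhole principle a collision is guaranteed within 2**out_bits + 1 tries.
    """
    seen = {}
    for i in range(max_tries):
        key = hashlib.sha256(b"sample-key-%d" % i).digest()[:16]  # constructed
        eff = compress_key(key, out_bits)
        if eff in seen and seen[eff] != key:
            return seen[eff], key
        seen[eff] = key
    return None


def brute_force_ratio(full_bits: int, used_bits: int) -> int:
    """How many times cheaper exhaustive search becomes after compression."""
    return 2 ** (full_bits - used_bits)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    pt = b"TETRA frame 0001"  # constructed known plaintext
    # 16-bit toy size so the search finishes in well under a second; the
    # same loop over a 56-bit space is 2**40 times longer, still feasible
    # for a well-resourced attacker, whereas 2**128 is not.
    ct = encrypt(key, pt, 16)
    found = recover_effective_key(pt, ct, 16)
    print("recovered compressed key:", found, "expected:", compress_key(key, 16))
    k1, k2 = find_colliding_keys(16)
    print("different full keys, same effective key:", k1.hex(), k2.hex())
    print("56-bit search is 2^%d times cheaper than 128-bit"
          % brute_force_ratio(128, 56).bit_length().__sub__(1))
```

The scaled-down search is the whole argument: the cost of the attack is set by the size of the key the cipher actually consumes, not by the size of the key the user provisions, so a 128-bit key in front of a 56-bit cipher buys nothing beyond 56-bit security.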
Microsoft

Microsoft's $30 Windows 10 Security Updates Cover 10 Devices 68

Microsoft's $30 Extended Security Updates license for Windows 10 will cover up to 10 devices under a single Microsoft Account, the company confirmed in updated support documentation. The ESU program, which provides security updates through October 13, 2026, requires a Microsoft Account for all three enrollment options: the $30 one-time purchase, redemption of 1,000 Microsoft Reward points, or free enrollment for users who sync their PC settings to OneDrive. Windows 10's support ends October 14, 2025.
Intel

US President Calls on Intel CEO To Resign Over China Ties (msn.com) 193

President Trump on Thursday called on Intel's CEO to resign because of his past ties to China, the latest challenge for the troubled chip maker. From a report: "The CEO of INTEL is highly CONFLICTED and must resign, immediately. There is no other solution to this problem," Trump wrote in a post on Truth Social Thursday. The president appeared to be referencing Intel CEO Lip-Bu Tan's past business dealings in China, which Sen. Tom Cotton (R., Ark.) called out in a letter to the company's board earlier this week.

On Tuesday, Cotton wrote an open letter to Intel's board questioning Tan's ties to the Chinese government, including apparent connections to the country's military and investments in other semiconductor companies. "The new CEO of @intel reportedly has deep ties to the Chinese Communists," Cotton wrote in a post on X accompanying the letter. "U.S. companies who receive government grants should be responsible stewards of taxpayer dollars and adhere to strict security regulations. The board of @Intel owes Congress an explanation."

Security

Citizen Lab Director Warns Cyber Industry About US Authoritarian Descent (techcrunch.com) 103

An anonymous reader quotes a report from TechCrunch: Ron Deibert, the director of Citizen Lab, one of the most prominent organizations investigating government spyware abuses, is sounding the alarm to the cybersecurity community and asking them to step up and join the fight against authoritarianism. On Wednesday, Deibert will deliver a keynote at the Black Hat cybersecurity conference in Las Vegas, one of the largest gatherings of information security professionals of the year. Ahead of his talk, Deibert told TechCrunch that he plans to speak about what he describes as a "descent into a kind of fusion of tech and fascism," and the role that the Big Tech platforms are playing, and "propelling forward a really frightening type of collective insecurity that isn't typically addressed by this crowd, this community, as a cybersecurity problem."

Deibert described the recent political events in the United States as a "dramatic descent into authoritarianism," but one that the cybersecurity community can help defend against. "I think alarm bells need to be rung for this community that, at the very least, they should be aware of what's going on and hopefully they can not contribute to it, if not help reverse it," Deibert told TechCrunch. [...] "I think that there comes a point at which you have to recognize that the landscape is changing around you, and the security problems you set out for yourselves are maybe trivial in light of the broader context and the insecurities that are being propelled forward in the absence of proper checks and balances and oversight, which are deteriorating," said Deibert.

Deibert is also concerned that big companies like Meta, Google, and Apple could take a step back in their efforts to fight against government spyware -- sometimes referred to as "commercial" or "mercenary" spyware -- by gutting their threat intelligence teams. [...] Deibert believes there is a "huge market failure when it comes to cybersecurity for global civil society," a part of the population that generally cannot afford to get help from big security companies that typically serve governments and corporate clients. "This market failure is going to get more acute as supporting institutions evaporate and attacks on civil society amplify," he said. "Whatever they can do to contribute to offset this market failure (e.g., pro bono work) will be essential to the future of liberal democracy worldwide," he said. Deibert is concerned that these threat intelligence teams could be cut or at least reduced, given that the same companies have cut their moderation and safety teams. He told TechCrunch that threat intelligence teams, like the ones at Meta, are doing "amazing work," in part by staying siloed and separate from the commercial arms of their wider organizations. "But the question is how long will that last?" said Deibert.

Games

Call of Duty's Anti-Cheat Will Require TPM 2.0 and Secure Boot for PC Players (gamespot.com) 105

Activision will require PC players of Call of Duty: Black Ops 7 to enable Trusted Platform Module 2.0 and Windows Secure Boot when the game launches later this year. The company begins testing these anti-cheat measures with Black Ops 6's Season 5 on Thursday without enforcement.

TPM 2.0 records measurements of the boot process so that tampering can be detected, while Secure Boot ensures Windows loads only trusted, signed software at startup. Both features perform checks during system and game startup but remain inactive during gameplay. Activision has also pursued legal action against 22 individuals who developed and sold cheats.
Security

Google Suffers Data Breach in Ongoing Salesforce Data Theft Attacks (bleepingcomputer.com) 3

Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group. BleepingComputer: In June, Google warned that a threat actor they classify as 'UNC6040' is targeting companies' employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying a ransom to prevent the data from being leaked.

In a brief update to the article last night, Google said that it too fell victim to the same attack in June after one of its Salesforce CRM instances was breached and customer data was stolen. "In June, one of Google's corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations," reads Google's update.

China

Nvidia Rejects US Demand For Backdoors in AI Chips 78

Nvidia's chief security officer has published a blog post insisting that its GPUs "do not and should not have kill switches and backdoors." From a report: It comes amid pressure from both sides of the Pacific, with some US lawmakers pushing Nvidia to grant the government backdoors to AI chips, while Chinese officials have alleged that they already exist.

David Reber Jr.'s post seems pointedly directed at US lawmakers. In May a bipartisan group introduced the Chip Security Act, a bill that would require Nvidia and other manufacturers to include tracking technology to identify when chips are illegally transported internationally, and leaves the door open for further security measures including remote kill switches. While Nvidia is expecting to be granted permits to once again sell certain AI chips in China, its most powerful hardware is still under strict US export controls there and elsewhere.
China

Lyft Will Use Chinese Driverless Cars In Britain and Germany (techcrunch.com) 24

An anonymous reader quotes a report from the New York Times: China's automakers have teamed up with software companies to go global with their driverless cars, which are poised to claim a big share of a growing market as Western manufacturers are still preparing to compete. The industry in China is expanding despite tariffs imposed last year by the European Union on electric cars, and despite some worries in Europe about the security implications of relying on Chinese suppliers. Baidu, one of China's biggest software companies, said on Monday that it would supply Lyft, an American ride-hailing service, with self-driving cars assembled by Jiangling Motors of China. Lyft is expected to begin operating them next year in Germany and Britain, subject to regulatory approval, the companies said.

The announcement comes three months after Uber and Momenta, a Chinese autonomous driving company, announced their own plans to begin offering self-driving cars in an unspecified European city early next year. Momenta will soon provide assisted driving technology to the Chinese company IM Motors for its cars sold in Britain. While Momenta has not specified the model that Uber will be using, it has already signaled it will choose a Chinese model. In China, "the pace of development and the pressure to deliver at scale push companies to improve quickly," said Gerhard Steiger, the chairman of Momenta Europe. China's state-controlled banking system has been lending money at low interest rates to the country's electric car industry in a bid for global leadership. [...]

Expanding robotaxi services to new cities, not to mention new countries, is not easy. While the individual cars do not have drivers, they typically require one controller for every several cars to handle difficulties and answer questions from users. And the cars often need to be specially programmed for traffic conditions unique to each city. Lyft and Baidu nonetheless said that they had plans for "the fleet scaling to thousands of vehicles across Europe in the following years."

Government

Swedish PM Under Fire For Using AI In Role 26

Sweden's Prime Minister Ulf Kristersson has come under fire after admitting that he frequently uses AI tools like ChatGPT for second opinions on political matters. The Guardian reports: ... Kristersson, whose Moderate party leads Sweden's center-right coalition government, said he used tools including ChatGPT and the French service LeChat. His colleagues also used AI in their daily work, he said. Kristersson told the Swedish business newspaper Dagens industri: "I use it myself quite often. If for nothing else than for a second opinion. What have others done? And should we think the complete opposite? Those types of questions."

Tech experts, however, have raised concerns about politicians using AI tools in such a way, and the Aftonbladet newspaper accused Kristersson in an editorial of having "fallen for the oligarchs' AI psychosis." Kristersson's spokesperson, Tom Samuelsson, later said the prime minister did not take risks in his use of AI. "Naturally it is not security sensitive information that ends up there. It is used more as a ballpark," he said.

But Virginia Dignum, a professor of responsible artificial intelligence at Umea University, said AI was not capable of giving a meaningful opinion on political ideas, and that it simply reflects the views of those who built it. "The more he relies on AI for simple things, the bigger the risk of an overconfidence in the system. It is a slippery slope," she told the Dagens Nyheter newspaper. "We must demand that reliability can be guaranteed. We didn't vote for ChatGPT."
United States

Three US Agencies Get Failing Grades For Not Following IT Best Practices (theregister.com) 19

The Government Accountability Office has issued reports criticizing the Department of Homeland Security, Environmental Protection Agency, and General Services Administration for failing to implement critical IT and cybersecurity recommendations.

DHS leads with 43 unresolved recommendations dating to 2018, including seven priority matters. The EPA has 11 outstanding items, including failures to submit FedRAMP documentation and conduct organization-wide cybersecurity risk assessments. GSA has four pending recommendations.

All three agencies failed to properly log cybersecurity events and conduct required annual IT portfolio reviews. The DHS' HART biometric program remains behind schedule without proper cost accounting or privacy controls, with all nine 2023 recommendations still open.
Windows

Microsoft Teases the Future of Windows as an Agentic OS 127

An anonymous reader shares a report: Microsoft has published a new video that appears to be the first in an upcoming series of videos dubbed "Windows 2030 Vision," where the company outlines its vision for the future of Windows over the next five years. It curiously makes references to some potentially major changes on the horizon, in the wake of AI.

This first episode features David Weston, Microsoft's Corporate Vice President of Enterprise & Security, who opens the video by saying "the world of mousing and keyboarding around will feel as alien as it does to Gen Z [using] MS-DOS."

Right out of the gate, it sounds like he's teasing the potential for a radical new desktop UX made possible by agentic AI. Weston later continues, "I truly believe the future version of Windows and other Microsoft operating systems will interact in a multimodal way. The computer will be able to see what we see, hear what we hear, and we can talk to it and ask it to do much more sophisticated things."
Security

CrowdStrike Investigated 320 North Korean IT Worker Cases In the Past Year (cyberscoop.com) 11

An anonymous reader quotes a report from CyberScoop: North Korean operatives seeking and gaining technical jobs with foreign companies kept CrowdStrike busy, accounting for almost one incident response case or investigation per day in the past year, the company said in its annual threat hunting report released Monday. "We saw a 220% year-over-year increase in the last 12 months of Famous Chollima activity," Adam Meyers, senior vice president of counter adversary operations, said during a media briefing about the report. "We see them almost every day now," he said, referring to the state-sponsored group of North Korean technical specialists that has crept into the workforce of Fortune 500 companies and small-to-midsized organizations across the globe.

CrowdStrike's threat-hunting team investigated more than 320 incidents involving North Korean operatives gaining remote employment as IT workers during the one-year period ending June 30. CrowdStrike researchers found that Famous Chollima fueled that pace of activity with an assist from generative artificial intelligence tools that helped North Korean operatives maneuver workflows and evade detection during the hiring process. "They use generative AI across all stages of their operation," Meyers said. The insider threat group used generative AI to draft resumes, create false identities, build tools for job research, mask their identity during video interviews and answer questions or complete technical coding assignments, the report found. CrowdStrike said North Korean tech workers also used generative AI on the job to help with daily tasks and manage various communications across multiple jobs -- sometimes three to four -- they worked simultaneously.

Threat hunters observed other significant shifts in malicious activity during the past year, including a 27% year-over-year increase in hands-on-keyboard intrusions -- 81% of which involved no malware. Cybercrime accounted for 73% of all interactive intrusions during the one-year period. CrowdStrike continues to find and add more threat groups and clusters of activity to its matrix of cybercriminals, nation-state attackers and hacktivists. The company identified 14 new threat groups or individuals in the past six months, Meyers said. "We're up to over 265 named adversary groups that we track, and then 150 what we call malicious activity clusters," otherwise unnamed threat groups or individuals under development, Meyers said.

Microsoft

Microsoft Used China-Based Engineers to Support Product Recently Hacked by China (propublica.org) 27

Microsoft announced last month that Chinese state-sponsored hackers exploited vulnerabilities in SharePoint to breach hundreds of companies and government agencies, including the National Nuclear Security Administration and Department of Homeland Security. The company omitted that SharePoint support is handled by China-based engineers who have maintained the software for years.

ProPublica reviewed screenshots of Microsoft's internal systems showing China-based employees recently fixing bugs for SharePoint "OnPrem," the version targeted in the attacks. Microsoft told the publication that the China-based team operates under U.S. supervision and the company is relocating this work.
AI

Disney Struggles With How to Use AI - While Retaining Copyrights and Avoiding Legal Issues (msn.com) 29

Disney "cloned" Dwayne Johnson when filming a live-action Moana, reports the Wall Street Journal, using an AI process that they were ultimately afraid to use: Under the plan they devised, Johnson's similarly buff cousin Tanoai Reed — who is 6-foot-3 and 250 pounds — would fill in as a body double for a small number of shots. Disney would work with AI company Metaphysic to create deepfakes of Johnson's face that could be layered on top of Reed's performance in the footage — a "digital double" that effectively allowed Johnson to be in two places at once... Johnson approved the plan, but the use of a new technology had Disney attorneys hammering out details over how it could be deployed, what security precautions would protect the data and a host of other concerns. They also worried that the studio ultimately couldn't claim ownership over every element of the film if AI generated parts of it, people involved in the negotiations said. Disney and Metaphysic spent 18 months negotiating on and off over the terms of the contract and work on the digital double. But none of the footage will be in the final film when it's released next summer...

Interviews with more than 20 current and former employees and partners present an entertainment giant torn between the inevitability of AI's advance and concerns about how to use it. Progress has at times been slowed by bureaucracy and hand-wringing over the company's social contract with its fans, not to mention its legal contract with unions representing actors, writers and other creative partners... For Disney, protecting its characters and stories while also embracing new AI technology is key. "We have been around for 100 years and we intend to be around for the next 100 years," said the company's legal chief, Horacio Gutierrez, in an interview. "AI will be transformative, but it doesn't need to be lawless...." [As recently as June, a Disney/Comcast Universal lawsuit had argued that Midjourney "is the quintessential copyright free-rider and a bottomless pit of plagiarism."]

Concerns about bad publicity were a big reason that Disney scrapped a plan to use AI in Tron: Ares — a movie set for release in October about an AI-generated soldier entering the real world. Since the movie is about artificial intelligence, executives pitched the idea of actually incorporating AI into one of the characters... as a buzzy marketing strategy, according to people familiar with the matter. A writer would provide context on the animated character — a sidekick to Jeff Bridges' lead role named Bit — to a generative AI program. Then on screen, the AI program, voiced by an actor, would respond to questions as Bit as cameras rolled. But with negotiations with unions representing writers and actors over contracts happening at the same time, Disney dismissed the idea, and executives internally were told that the company couldn't risk the bad publicity, the people said...

Disney's own history speaks to how studios have navigated technological crossroads before. When Disney hired Pixar to produce a handful of graphic images for its 1989 hit The Little Mermaid, executives kept the incorporation a secret, fearing backlash from fans if they learned that not every frame of the animated film had been hand-drawn. Such knowledge, executives feared, might "take away the magic."

Disney invested $1.5 billion in Fortnite creator Epic Games, according to the article, and is planning a world in Fortnite where gamers can interact with Marvel superheroes and creatures from Avatar. But "an experiment to allow gamers to interact with an AI-generated Darth Vader was fraught. Within minutes of launching the AI bot, gamers had figured out a way to make it curse in James Earl Jones's signature baritone." (Though Epic patched the workaround within 30 minutes.)

But the article spells out another concern for Disney executives. "If a Fortnite gamer creates a Darth Vader and Spider-Man dance that goes viral on YouTube, who owns that dance?"
AI

America's Los Alamos Lab Is Now Investing Heavily In AI For Science (lanl.gov) 22

Established in 1943 to coordinate America's building of the first atomic bomb, the Los Alamos National Lab in New Mexico is still "one of the world's largest and most advanced scientific institutions" notes Wikipedia.

And it now has a "National Security AI Office," where senior director Jason Pruet is working to help "prepare for a future in which AI will reshape the landscape of science and security," according to the lab's science and technology magazine 1663. "This year, the Lab invested more in AI-related work than at any point in history..." Pruet: AI is starting to feel like the next great foundation for scientific progress. Big companies are spending billions on large machines, but the buy-in costs of working at the frontiers of AI are so high that no university has the exascale-class machines needed to run the latest AI models. We're at a place now where we, meaning the government, can revitalize that pact by investing in the infrastructure to study AI for the public good... Part of what we're doing with the Lab's machines, like Venado — which has 2500 GPUs — is giving universities access to that scale of computing. The scale is just completely different. A typical university might have 50 or 100 GPUs.

Right now, for example, we have partnerships with the University of California, the University of Michigan, and many other universities where researchers can tap into this infrastructure. That's something we want to expand on. Having university collaboration will be critical if the Department of Energy is going to have a comprehensive AI program at scale that is focused on national security and energy dominance...

There was a time when I wouldn't have advocated for government investment in AI at the scale we're seeing now. But the weight of the evidence has become overwhelming. Large models — "frontier models" — have shown such extraordinary capabilities with recent advances in areas as diverse as hypothesis generation, mathematics, biological design, and complex multiphysics simulations. The potential for transformative impact is too significant to ignore.

"He no longer views the technology as just a tool, but as a fundamental shift in how scientists approach problems and make discoveries," the article concludes.

"The global race humanity is now in... is about how to harness the technology's potential while mitigating its harms."

Thanks to Slashdot reader rabbitface25 — also a Los Alamos Lab science writer — for sharing his article.
Privacy

Despite Breach and Lawsuits, Tea Dating App Surges in Popularity (www.cbc.ca) 39

The women-only app Tea now "faces two class action lawsuits filed in California" in response to a recent breach, reports NPR — even as the company is now boasting it has more than 6.2 million users.

A spokesperson for Tea told the CBC it's "working to identify any users whose personal information was involved" in a breach of 72,000 images (including 13,000 verification photos and images of government IDs) and a later breach of 1.1 million private messages. Tea said they will be offering those users "free identity protection services." The company said it removed the ID requirement in 2023, but data that was stored before February 2024, when Tea migrated to a more secure system, was accessed in the breach... [Several sites have pointed out Tea's current privacy policy is telling users selfies are "deleted immediately."]

Tea was reportedly intended to launch in Canada on Friday, according to information previously posted on the App Store, but as of this week the launch date is now in February 2026. Tea didn't respond to CBC's questions about the apparent delay. Yet even amid the current turmoil, Tea's waitlist has ballooned to 1.5 million women, all eager to join, the company posted on Wednesday. A day later, Tea posted in its Instagram stories that it had approved "well over" 800,000 women into the app that day alone.

So, why is it so popular, despite the drama and risks?

Tea tapped into a perceived weakness of other dating apps, according to an associate health studies professor at Ontario's Western University interviewed by the CBC, who thinks users should avoid Tea, at least until its security is restored.

Tech blogger John Gruber called the incident "yet another data point for the argument that any 'private messaging' feature that doesn't use E2EE isn't actually private at all." (And later Gruber notes Tea's apparent absence at the top of the charts in Google's Play Store. "I strongly suspect that, although Google hasn't removed Tea from the Play Store, they've delisted it from discovery other than by searching for it by name or following a direct link to its listing.")

Besides anonymous discussions about specific men, Tea also allows its users to perform background and criminal record checks, according to NPR, as well as reverse image searches. But the recent breach, besides threatening the safety of its users, also "laid bare the anonymous, one-sided accusations against the men in their dating pools." The CBC points out there's a men's rights group on Reddit now urging civil lawsuits against Tea as part of a plan to get the app shut down. And "Cleveland lawyer Aaron Minc, who specializes in cases involving online defamation and harassment, told The Associated Press that his firm has received hundreds of calls from people upset about what's been posted about them on Tea."

Yet in response to Tea's latest Instagram post, "The comments were almost entirely from people asking Tea to approve them, so they could join the app."
China

Facing US Chip Restrictions, China Pitches Global Cooperation on AI (msn.com) 13

In Shanghai at the World Artificial Intelligence Conference (which ran until Tuesday), the Chinese government "announced an international organization for AI regulation and a 13-point action plan aimed at fostering global cooperation to ensure the technology's beneficial and responsible development," reports the Washington Post.

The theme of the conference was "Global Solidarity in the AI Era," the article notes, and "the expo is one part of Beijing's bid to establish itself as a responsible AI leader for the international community."

CNN points out that China's announcement comes "just days after the United States unveiled its own plan to promote U.S. dominance." Chinese Premier Li Qiang unveiled China's vision for future AI oversight at the World AI Conference, an annual gathering in Shanghai of tech titans from more than 40 countries... While Li did not directly refer to the U.S. in his speech, he alluded to the ongoing trade tensions between the two superpowers, which include American restrictions on advanced semiconductor exports — a component vital for powering and training AI, which is currently causing a shortage in China. "Key resources and capabilities are concentrated in a few countries and a few enterprises," said Li in his speech on Saturday. "If we engage in technological monopoly, controls and restrictions, AI will become an exclusive game for a small number of countries and enterprises...."

Secretary-General of the Association of Southeast Asian Nations, Dr. Kao Kim Hourn, also called for "robust governance" of artificial intelligence to mitigate potential threats, including misinformation, deepfakes, and cybersecurity threats... Former Google CEO Eric Schmidt reiterated the call for international collaboration, explicitly calling on the U.S. and China to work together... "We have a vested interest to keep the world stable, keep the world not at war, to keep things peaceful, to make sure we have human control of these tools."

China's plan "called for establishing an international open-source community," reports the Wall Street Journal, "through which AI models can be freely deployed and improved by users." Industry participants said that plan "showed China's ambition to set global standards for AI and could undermine the U.S., whose leading models aren't open-source... While the world's best large language model is still American, the best model that everyone can use free is now Chinese."

"The U.S. should commit to ensuring that powerful models remain openly available," argues an opinion piece in The Hill by Stability AI's former head of public policy. Ubiquity is a matter of national security: retreating behind paywalls will leave a vacuum filled by strategic adversaries. Washington should treat open technology not as a vector for Chinese Communist Party propaganda but as a vessel to transmit U.S. influence abroad, molding the global ecosystem around U.S. industry. If DeepSeek is China's open-source "Sputnik moment," we need a legislative environment that supports — not criminalizes — an American open-source Moon landing.
Bug

A Luggage Service's Web Bugs Exposed the Travel Plans of Every User (wired.com) 1

An anonymous reader quotes a report from Wired: An airline leaving all of its passengers' travel records vulnerable to hackers would make an attractive target for espionage. Less obvious, but perhaps even more useful for those spies, would be access to a premium travel service that spans 10 different airlines, left its own detailed flight information accessible to data thieves, and seems to be favored by international diplomats. That's what one team of cybersecurity researchers found in the form of Airportr, a UK-based luggage service that partners with airlines to let its largely UK- and Europe-based users pay to have their bags picked up, checked, and delivered to their destination. Researchers at the firm CyberX9 found that simple bugs in Airportr's website allowed them to access virtually all of those users' personal information, including travel plans, or even gain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit. Among even the small sample of user data that the researchers reviewed and shared with WIRED they found what appear to be the personal information and travel records of multiple government officials and diplomats from the UK, Switzerland, and the US.

Airportr's CEO Randel Darby confirmed CyberX9's findings in a written statement provided to WIRED but noted that Airportr had disabled the vulnerable part of its site's backend very shortly after the researchers made the company aware of the issues last April and fixed the problems within a few days. "The data was accessed solely by the ethical hackers for the purpose of recommending improvements to Airportr's security, and our prompt response and mitigation ensured no further risk," Darby wrote in a statement. "We take our responsibilities to protect customer data very seriously." CyberX9's researchers, for their part, counter that the simplicity of the vulnerabilities they found means that there's no guarantee other hackers didn't access Airportr's data first. They found that a relatively basic web vulnerability allowed them to change the password of any user to gain access to their account if they had just the user's email address -- and they were also able to brute-force guess email addresses with no rate limitations on the site. As a result, they could access data including all customers' names, phone numbers, home addresses, detailed travel plans and history, airline tickets, boarding passes and flight details, passport images, and signatures.

By gaining access to an administrator account, CyberX9's researchers say, a hacker could also have used the vulnerabilities it found to redirect luggage, steal luggage, or even cancel flights on airline websites by using Airportr's data to gain access to customer accounts on those sites. The researchers say they could also have used their access to send emails and text messages as Airportr, a potential phishing risk. Airportr tells WIRED that it has 92,000 users and claims on its website that it has handled more than 800,000 bags for customers. [...] The researchers found that they could monitor their browser's communications as they signed up for Airportr and created a new password, and then reuse an API key intercepted from those communications to instead change another user's password to anything they chose. The site also lacked a "rate limiting" security measure that would prevent automated guesses of email addresses to rapidly change the password of every user's account. And the researchers were also able to find email addresses of Airportr administrators that allowed them to take over their accounts and gain their privileges over the company's data and operations.

"Anyone would have been able to gain or might have gained absolute super-admin access to all the operations and data of this company," says Himanshu Pathak, CyberX9's founder and CEO. "The vulnerabilities resulted in complete confidential private information exposure of all airline customers in all countries who used the service of this company, including full control over all the bookings and baggage. Because once you are the super-admin of their most sensitive systems, you have the ability to do anything."
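As an added illustration of the two weaknesses Wired describes (a key captured during one user's signup that authorises changing any other user's password, and no rate limiting on account lookups), here is a minimal password-change handler in that vulnerable shape beside a hardened one that binds the credential to the session's own account and throttles lookups per client. This is example code written for this page, not Airportr's; the user records, key, session tokens and addresses are constructed.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Constructed user store (not real data).
USERS = {"alice@example.org": {"pw": "old"}, "bob@example.org": {"pw": "old"}}

# --- Vulnerable shape: one site-wide key authorises any password change ----
SITE_API_KEY = "constructed-static-key"  # the kind of value a client could observe

def change_password_vulnerable(api_key, target_email, new_pw):
    """Any holder of the shared key may set any account's password."""
    if not hmac.compare_digest(api_key, SITE_API_KEY) or target_email not in USERS:
        return False
    USERS[target_email]["pw"] = new_pw
    return True

# --- Hardened shape: per-session token bound to one account, plus limiting --
SESSIONS = {}  # session token -> email that minted it (issued at login/signup)

def issue_session(email):
    tok = secrets.token_urlsafe(32)
    SESSIONS[tok] = email
    return tok

class RateLimiter:
    """Sliding-window counter keyed by client (e.g. source IP)."""
    def __init__(self, limit, window_s):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(list)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True

LIMITER = RateLimiter(limit=5, window_s=60)

def change_password_hardened(session_token, target_email, new_pw, client_ip, now=None):
    if not LIMITER.allow(client_ip, now):
        return "rate_limited"          # throttles both guessing and enumeration
    owner = SESSIONS.get(session_token)
    # The token only ever authorises the account that minted it; unknown
    # targets get the same answer as foreign ones, so nothing is enumerated.
    if owner is None or not hmac.compare_digest(owner, target_email):
        return "forbidden"
    USERS[target_email]["pw"] = new_pw
    return "ok"
```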
