Changelog: Spying via push notifications

Prateek Katyal / Unsplash

Welcome to Changelog for 12/7/2023, published by Synack! README senior editor Nathaniel Mott here under the watchful eye of an elf on a shelf with the week’s security news.

The payload

Ever wondered how push notifications work? I doubt most people have, but that’s changing now that Sen. Ron Wyden has revealed that various governments are forcing Apple and Google to share information about notifications sent to users of their iOS and Android operating systems, respectively.

“The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered,” Wyden said in a Dec. 6 letter to Attorney General Merrick Garland. “In certain instances, they also might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification.”

Wyden’s letter also notes that developers can’t bypass the systems Apple and Google use to enable these notifications. Instead they must rely on “a kind of digital post office” operated by these companies. And, because Apple and Google were reportedly forbidden from revealing this surveillance method to their users, law enforcement has been able to gather this information without anyone being the wiser. (Both companies have pledged to share more about these practices now that Wyden has made them public.)

It seems like push notifications were situated in a sweet spot for surveillance. They’re ubiquitous—I suspect more people receive too many notifications than too few—and they’re boring. Who cares how mobile apps inform us of new messages, headlines, delivery updates or whatever else they’re chiming on about? Now we have our answer: law enforcement organizations care. Now, as we seek more information about how these snooping capabilities have been used and by whom, more people than ever do as well.

The week, compiled

Reuters has pulled a special report titled “How an Indian startup hacked the world” in response to an Indian court order. “The order was issued amid a pending lawsuit brought against Reuters in November 2022,” the publication said in a statement. “As set forth in its court filings, Reuters disputes those claims.”

404 Media described the special report as “a blockbuster investigation into a specific Indian hacker-for-hire operation,” Appin, that “was based on a massive cache of documents including emails, financial records, photos, messages, and presentations from inside Appin, a cybersecurity startup-turned hacker-for-hire shop, as well as law enforcement files from multiple continents and interviews with hundreds of people, according to the investigation.” It’s a triumph of investigative cybersecurity reporting.


Adeolu Eletu / Unsplash

Reuters said in the statement that it “stands by its reporting and plans to appeal the decision.” In the meantime, India has offered a stark reminder of how important press freedoms are, especially where massive companies like Reuters are concerned. (The outlet’s website says it publishes in “over 16 languages” and reaches “billions of people worldwide every day.”) In the meantime, a copy of the special report is still available via the Wayback Machine and other websites that archive popular web pages.

Here are some other stories from around the web:

Ars Technica: Whoops! Ars Technica reported yesterday that “hundreds of Windows and Linux computer models from virtually all hardware makers are vulnerable to a new attack that executes malicious firmware early in the boot-up sequence,” which, as I noted in my report on firmware-based threats, “allows infections that are nearly impossible to detect or remove using current defense mechanisms.”

BleepingComputer: Researchers have “developed a new side-channel attack called SLAM that exploits hardware features designed to improve security in upcoming CPUs from Intel, AMD, and Arm to obtain the root password hash from the kernel memory,” BleepingComputer reported yesterday.

TechCrunch: Here’s some good news: TechCrunch reported yesterday that “after years of promises and limited tests, Meta has started rolling out default end-to-end encryption protection for Messenger,” at least for individual messages and calls. (Groups will still have to opt-in to the additional safeguards, apparently.)

A message from Synack

How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.

Flash memory

It’s hard to resist a good worm. Not the… bugs? No, the self-propagating malware that seemed to be a scourge a few decades ago but isn't nearly as frightening these days, like the hulking sandworm from Dune being reduced to a parasitic worm that does its best to get by without attracting too much attention.

One such example: ABC reported on Dec. 4, 2001 that a new worm called Goner was “slowing down the Internet and causing minor damage to thousands of users' computers.” It spread via malicious email attachments masquerading as a screensaver. (Remember those?) But instead of providing idle entertainment, it sought to disable security tools and spread to the infected user’s contacts.

It didn’t take long to catch Goner’s creators. Computerworld reported on Dec. 10, 2001 that “four Israeli secondary-school students” were arrested for creating “the worm as part of a competition with a rival group of hackers.” (Other reports indicated that five teens were arrested.) That was enough time to infect “hundreds of thousands” of computers—I wonder how many a similar worm would reach today.

Local files

Western People: Just to drive home the point that hackers seem to be increasingly targeting water treatment facilities, Western People reported that “cybercriminals caused upheaval for 180 homeowners on a private group water scheme in the Erris area last week as their equipment was targeted in a politically motivated cyber-attack” because they relied on equipment made by an Israeli company.

Bloomberg: It turns out a global pandemic isn’t enough to convince some groups not to be pests. Bloomberg reported yesterday that a nation-state-backed group brought down the network of the U.S. Department of Health and Human Services in March 2020—which is when COVID-19 really became a concern outside China—using the largest DDoS attack the U.S. government had seen to that point.

The Record: Schools continue to be another prime target for ransomware gangs, with The Record today reporting that “colleges and K-12 schools in several states,” including Georgia, Indiana and Maine—“are dealing with ransomware incidents causing outages and leaking sensitive data.” Probably exactly what these schools want to deal with heading into the holiday break at the end of the year.


December is a weird month for movies in the Mott household. My wife attempts to watch as many Hallmark movies as possible, but she also insists on watching “Die Hard,” which is a hell of a tonal shift. My son wants to watch “The Grinch” and “The Nightmare Before Christmas” and couldn’t be paid to watch the stop-motion classics I watched. (But, hey, at least it’s not “Olaf’s Frozen Adventure” ad infinitum.)


krakenimages / Unsplash

As for me? The one Christmas movie I’ve decided to watch this year is “Violent Night.” It was a blast—which shouldn’t be mistaken for me saying it’s a good movie. It’s not. But it’s a ridiculous take on a world-weary Santa Claus played by the same actor as Hop from “Stranger Things.” That’s pretty much all I want from a Christmas movie meant to be watched after the kids have finally gone to sleep.