CyberWire Daily - Behind the lock lies a flaw.
Episode Date: August 21, 2025
Zero-day clickjacking flaws affect major password managers. The FBI warns that Russian state-backed hackers are exploiting a long-known Cisco flaw. Apple releases emergency patches for a zero-day flaw in the Image I/O framework. Home Depot faces a proposed class action lawsuit accusing it of secretly using facial recognition at self-checkout kiosks. A VPN browser extension has been exposed for secretly spying on users. Browser fingerprinting overtakes cookies as the dominant method of online tracking. Agentic AI browsers prove easily scammed. A Scattered Spider member earns 10 years in federal prison. Ron Zayas, CEO of Ironwall by Incogni, joins us to discuss the massive data sharing and privacy risks in the leading Buy Now Pay Later apps. An Australian bank's AI cutbacks are put on permanent hold.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today we are joined by Ron Zayas, CEO of Ironwall by Incogni, to discuss the massive data sharing and privacy risks in the leading Buy Now Pay Later apps. Tune in to hear the full conversation on Caveat.
Selected Reading
Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers (Socket)
FBI warns of Russian hackers exploiting 7-year-old Cisco flaw (Bleeping Computer)
Apple fixes new zero-day flaw exploited in targeted attacks (Bleeping Computer)
Home Depot Sued for 'Secretly' Using Facial Recognition Technology on Self-Checkout Cameras (PetaPixel)
SpyVPN: The Google-Featured VPN That Secretly Captures Your Screen (Koi Blog)
Beyond cookies: browser fingerprinting in 2025 (PITG Network)
"Scamlexity": When Agentic AI Browsers Get Scammed (Guardio)
SIM-Swapper, Scattered Spider Hacker Gets 10 Years (Krebs on Security)
Commonwealth Bank backtracks on AI job cuts, apologises for 'error' as call volumes rise (ABC News)
Audience Survey
Complete our annual audience survey before August 31.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV Rising is the premier event for cyber leaders and innovators
to engage in meaningful discussions and celebrate the innovation happening in and around the Washington
D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping
our field and experience firsthand why the Washington, D.C. region is the beating heart of
cyber innovation. Visit DMV.Rising.com to secure your spot.
And now a word from our sponsor. The Johns Hopkins University Information Security Institute
is seeking qualified applicants for its innovative Master of Science in Security Informatics
degree program. Study alongside world-class interdisciplinary experts and gain unparalleled
educational, research, and professional experience in information security and assurance.
Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program,
which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend.
Apply for the fall 2026 semester and for this scholarship by February 28th.
Learn more at cs.jhu.edu slash MSSI.
Zero-day click-jacking flaws affect major password managers.
The FBI warns that Russian state-backed hackers are exploiting a long-known Cisco flaw.
Apple releases emergency patches for a zero-day flaw.
Home Depot faces a proposed class action lawsuit accusing it of secretly using facial recognition.
A VPN browser extension has been exposed for secretly spying on users.
Browser fingerprinting overtakes cookies as the dominant method of online tracking.
Agentic AI browsers prove easily scammed.
A Scattered Spider member earns 10 years in federal prison.
Ron Zayas, CEO of Ironwall, joins us to discuss the massive data sharing and privacy risks
in the leading Buy Now Pay Later apps.
And an Australian bank's AI cutbacks are put on permanent hold.
It's Thursday, August 21st, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great to have you with us.
At DEF CON, Czech researcher Marek Tóth revealed zero-day clickjacking flaws affecting major
password managers, including 1Password, Bitwarden, LastPass, iCloud Passwords, and others.
These vulnerabilities allow attackers to trick users into leaking sensitive data, like passwords,
2FA codes, credit card details, and personal information, by overlaying malicious elements on
legitimate sites. Despite disclosure, several vendors remain unpatched, with 1Password and LastPass
dismissing the issue as informative, and LogMeOnce not responding at all. While Bitwarden has since
released a fix, other managers are still vulnerable. Attendees at DEF CON expressed concern, given
how easily trusted tools could be subverted. Security experts urge password-manager vendors to
implement stronger defenses such as confirmation prompts, though this adds usability tradeoffs.
The FBI has issued a warning that Russian state-backed hackers tied to the FSB, tracked as
Berserk Bear, are exploiting a long-known Cisco flaw to target critical infrastructure worldwide.
The vulnerability, found in Cisco IOS Smart Install, allows attackers to crash devices or execute
arbitrary code remotely.
The FBI reports that hackers collected configuration files from thousands of devices linked
to U.S. critical sectors, modified settings for backdoor access, and conducted reconnaissance
into industrial control systems.
Cisco first flagged active exploitation in 2021 and has again urged admins to patch immediately.
Cisco Talos confirmed the campaign, noting that compromised telecom, education,
and manufacturing networks span multiple continents.
Attackers are also deploying persistence tools and implants,
making urgent patching essential.
Apple has released emergency patches for a zero-day flaw in the Image I/O framework
exploited in a sophisticated attack against targeted individuals.
The vulnerability, caused by an out-of-bounds write,
could enable memory corruption, crashes, or remote code execution
when processing malicious image files.
Apple fixed the issue with improved bounds checking across iOS, iPadOS, and macOS,
affecting a wide range of their products.
Though likely used in limited attacks, Apple urges all users to update immediately to stay protected.
Home Depot is facing a proposed class action lawsuit,
accusing it of secretly using facial recognition at self-checkout kiosks.
Plaintiff Benjamin Jankowski claims cameras scanned and recorded his face during a visit to a Chicago store, where a green box appeared around his face on screen.
He alleges the company introduced computer vision in 2024 to reduce theft, but failed to disclose data collection or obtain consent, violating Illinois's Biometric Information Privacy Act.
That law requires notice, explanation, and written consent before collecting biometric data.
Jankowski seeks to represent customers at 76 Illinois stores, asking for damages of $1,000 per negligent violation and $5,000 per willful violation.
The case follows a federal ban on Rite Aid's use of facial recognition after similar misuse.
Researchers at Koi Security report that a VPN extension promoted as FreeVPN.One, with over 100,000 installs and even featured on Google, has been exposed for secretly spying on users.
Instead of protecting privacy, recent versions silently capture screenshots of every website visited, including banking sessions, work documents, and personal photos, then upload them to external
servers. The extension masks the surveillance under an AI threat detection feature, but hidden
scripts trigger constant background captures. Updates in mid-2025 expanded permissions, injected
content scripts across all sites, and later added encryption to evade detection. Researchers confirmed
it also gathers device data and location details. Despite its verified Chrome Web Store status,
Google's safeguards failed to catch the malicious behavior.
The developer denied wrongdoing but stopped responding to inquiries,
leaving users at serious privacy risk.
In 2025, browser fingerprinting has overtaken cookies as the dominant method of online tracking.
Unlike cookies, fingerprints rely on inherent traits, screen size, fonts, and GPU quirks
that form a unique identifier nearly impossible to erase.
According to a report from the Public Interest Technology Group,
advertisers, fraud detection firms, and even governments
use these techniques to track users across the web.
Fingerprinting is stealthy, persistent, and harder to regulate than cookies.
While some browsers, like Brave and Safari,
add randomization or block lists to disrupt tracking, Chrome lags behind.
Users can protect themselves by enabling anti-fingerprinting settings, blocking trackers
with tools like uBlock Origin, and masking IP addresses with VPNs, iCloud Private Relay, or Tor.
Testing tools like Cover Your Tracks help measure vulnerability.
Ultimately, privacy requires active defense, since fingerprinting is now the
web's invisible surveillance layer.
AI-powered browsers are no
longer theoretical.
Microsoft Edge now embeds Copilot, OpenAI is testing agent mode, and Perplexity's Comet
fully automates browsing tasks. These agentic AI tools don't just assist. They act on our behalf,
searching, shopping, and clicking. But convenience brings new risks. Researchers at Guardio Labs found
Comet could be tricked into buying from fake stores or handling phishing emails, bypassing the human's
natural skepticism. Even worse, prompt injection attacks can secretly steer AI into downloading malware
or sharing sensitive data. This "Scamlexity" era means scammers only need to fool the AI,
not the human, and exploits can scale massively. Without built-in guardrails like phishing detection,
URL checks, and anomaly monitoring, AI browsers risk becoming blind, over-trusting intermediaries.
Security must be integral, not optional, as AI browsing goes mainstream.
A 20-year-old Florida man, Noah Michael Urban, was sentenced to 10 years in federal prison
and ordered to pay $13 million in restitution for his role in the cybercrime group Scattered Spider.
Urban, known online as King Bob and Sosa, pleaded guilty to conspiracy and wire fraud charges
tied to SIM swapping and SMS phishing campaigns that compromised more than 130 companies,
including Twilio, LastPass, and DoorDash.
Prosecutors say Urban and co-conspirators stole cryptocurrency, company data, and customer information.
Urban was also active in the notorious Star Fraud SIM-swapping group,
linked to attacks on MGM Resorts and Caesars Entertainment.
Despite his age, the judge imposed the maximum sentence
after noting security breaches connected to Urban's associates even during his prosecution.
Urban called the ruling unjust.
Coming up after the break, my conversation with Ron Zayas.
We're discussing the massive data sharing and privacy risks in the leading Buy Now Pay Later apps
and an Australian bank's AI cutbacks are put on permanent hold.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring,
Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's sponsored jobs helps you stand out and hire fast.
Your post jumps to the top of search results,
so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed,
according to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75-sponsored job credit
to get your jobs more visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now
and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash cyberwire.
Terms and conditions apply.
Hiring?
Indeed is all you need.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1,
and without securing them, trust, uptime, outages, and compliance are at risk.
CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity,
certificates, secrets, and workloads across all environments, all clouds, and all AI agents.
Designed for scale, automation, and quantum readiness,
CyberArk helps modern enterprises secure their machine future.
Visit cyberark.com slash machines to see how.
Ron Zayas is CEO of Ironwall by Incogni.
I recently caught up with him on the caveat podcast
to discuss the massive data sharing and privacy risks
in leading Buy Now Pay Later apps.
So when you go to Buy Now, you have a couple of different options where you could buy,
for example, on credit, you could buy on cash, but there's something in the middle there,
which is Buy Now, Pay Later, which they give you the option to pay over time.
They don't ask a lot about your credit.
They break up payments into something in a very short period of time.
there may or may not be interest involved,
but it allows you to look at something
and instead of spending $250 to buy a pair of shoes,
it's, you know, $50 a week or $50 a month
for a short period of time,
and it seems a lot more palatable to be able to do that.
So who are these folks targeting here?
Is this folks who may not have a credit card?
It's not so much people who may not have a credit card,
or maybe more people who have maxed out their credit card,
it is definitely tending to go to a younger demographic.
It's also looking for, and that would be somebody in their 20s,
it's looking for people who are doing a lot of impulse buys,
so they're usually not buying emergencies,
and they're really directed from the retailers are pushing this out
because it does two things.
Number one, it tends to encourage people to spend more.
And two, when you buy now, pay later, and you're buying over time, you can't return the product.
So it makes the refund rates a lot higher or, you know, a lot lower so that retailers are more confident about the sales that they did.
Ah, that's an aspect I had not considered. That's fascinating.
So you and your team looked into some of these apps, and what are some of the things that you all found?
So first of all, as you can imagine with a lot of apps nowadays, they collect a lot of
information. They tend to know, you know, they tend to know a lot of what's out there.
They tend to not just make their money and what their business is, but they make their money
and productizing the people who use the product. So what we looked at was, okay, how much information
are they collecting? What are they using it for? And then what are your rights under the product?
And which ones of these are the most, what we call leaky? Which are the ones that are collecting
a lot of information that really doesn't have anything to do with the transaction?
And what sort of things did you find? It's not surprising. They're very leaky. You know,
you have top ones like Klarna and Affirm and Afterpay. And they tend to collect. They're very popular.
tend to collect not only a lot of information just from the transaction part, what's your name,
what's your address, what's your phone number because it's a mobile app, you know, all stuff
that can be monetized very, very well. But on top of that, what they're doing is some of them
are collecting where you are all the time. Some of them are collecting, you know, so they're looking
at your GPS information. They're looking at cookies from other websites and maybe even information
from other mobile apps that you may be using.
They're looking at your contacts information.
So they're collecting a lot of information
that has nothing to do with the transaction
and really what they're doing is they're monetizing you
as part of their business model.
I feel as though I already know the answer to this question,
but I'll ask it anyway.
To what degree are they informing their users
that this information is being collected and shared?
Well, if you're willing to read through a very oblique and long privacy statement,
to a degree they're telling you that. But even when you go through the privacy statements,
and we're experts, we do this all the time, a lot of times you sit there going, huh.
The privacy statement will tell you that they collect information as part of doing business.
It'll say that sometimes they share that information to give you a better experience,
and it'll say some of the types of information we could collect are A, B, and C.
None of them go into all the detail of everything they're collecting. None of them are very specific in what
they do. And the important thing to remember with everybody's privacy statement, especially in the
US, they're guidelines. They're not, it's not a contract. They can change it at any time and they
often do. So they're not giving you a lot of insight into what they're doing with it. And you should
know that, you know, some like Afterpay, they collect, they have 17 different
data types, so categories of information that they collect and that they share with third
parties, including your credit scores, although this is supposed to be a replacement for having
to do something in credit.
You know, it's hard for me to decide, I guess, for myself the degree to which these
buy now, pay later apps are just providing a legal, legitimate service and the degree to which
they're kind of predatory here.
And I mean, is that a fair thing to wonder about?
That's a very fair question to wonder about.
You know, and again, when you look at things like this,
the first thing you look at is the convenience.
Is it convenient for me to be able to buy something
and pay it off over time?
I mean, obviously, that's the underpinning of a lot of the capitalist system.
The ability to buy on credit leverages what we can buy
and what kind of wealth we can have.
It also has a lot of downside that we can get in over our heads.
Then you go from traditional credit, like a credit card or a bank loan, to being something like this.
And it could be a payday loan.
It could be these types of buy now, pay later, where they're really encouraging and they're really getting you to act upon those impulse buys.
Again, the majority of purchases that are being done here, they're not being done for a refrigerator that breaks down.
They're not being done for a part that you need for your car.
They're impulse buys.
They're shopping buys.
So they're encouraging you to spend more.
And on top of that, they're pulling in information from you and they're monetizing it again.
So you're kind of paying twice.
Even if you don't think you're paying for interest and some of them do have very hefty fees
if you don't pay, but that's outside of the scope of what our research was.
Really, though, even if you're paying on time,
and you're getting the benefit of it,
they're also taking your information
and you're paying for it again
because when your information gets leaked,
when it gets hacked, when it gets shared,
oftentimes you're going to pay money.
You're going to pay money to companies like ours
that go out and take all that information and remove it.
You're going to pay in identity theft.
You're going to pay in other ways
because of information that other companies have taken from you
without really being up front
and saying, we're going to steal your information,
and, you know, we're going to use it for these things
and we're going to sell it to these people.
So I don't think you feel,
I don't think you're wrong in feeling
that there's a little bit of victimization
that's going on here.
That's Ron Zayas from Ironwall by Incogni.
You can hear our complete conversation
over on the caveat podcast
wherever you get your favorite podcasts.
And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution
that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes
application control simple and fast. Ringfencing is an application containment strategy
ensuring apps can only access the files, registry keys, network resources,
and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
And finally, the Commonwealth Bank of Australia has performed a neat corporate backflip,
reinstating 45 jobs it had proudly declared obsolete thanks to its shiny new AI voice bot.
At the time, CBA insisted the bot would lighten workloads and trim calls.
In reality, call volumes spiked, managers were yanked onto phones, and overtime became the hottest item on the menu.
The finance sector union promptly hauled the bank before the Fair Work Commission, declaring
victory after CBA admitted it had made a, shall we say, miscalculation.
Affected staff can now keep their jobs, be redeployed, or leave altogether, although the union dryly noted the damage was done.
Critics say CBA tried to rebrand job cuts as innovation, even as the bank reported a record
$10.25 billion profit.
Meanwhile, CEO Matt Comyn mused on AI's long-term potential, while also acknowledging the
bank had recently hired thousands, mostly in India.
Evidently, the future is automated, just not evenly distributed.
And that's the Cyberwire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about
our listeners. We are collecting your insights through the end of August. There's a link in the show
notes. Please take a minute and check it out. N2K's senior producer is Alice Carruth. Our Cyberwire
producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for
listening. We'll see you back here tomorrow.