Security News This Week: Netflix’s Password-Sharing Crackdown Has Hit the US

TikTok user data is exposed to Chinese ByteDance employees, a screen recording app goes rogue in Google Play, and privacy groups want Slack to expand encryption.
[Image: Television remote on a table in dramatic lighting. Photograph: Michael Kai/Getty Images]

Officials in Spain want to ban end-to-end encryption in the European Union, according to a leaked government document obtained by WIRED. The stance emerged as part of a survey of EU member states related to legislative proposals to scan private messages for child sexual abuse material. Meanwhile, Meta faced a record $1.3 billion GDPR fine this week over data transfers to the US. And a consortium of researchers says that for the first time, it sees evidence of sophisticated spyware being used in a war zone, with findings that NSO Group's Pegasus was used to target Armenian government workers, journalists, and at least one United Nations official in the Nagorno-Karabakh territory disputed by Armenia and Azerbaijan.

US and international intelligence officials said on Wednesday, May 24, along with researchers at Microsoft, that a Chinese-government-backed hacking group attacked critical infrastructure networks in some US states and Guam. The activity was particularly significant because the group's behavior indicated that it may have been laying groundwork for disruptive attacks in addition to carrying out espionage. We also took a look at the notorious history of a Russian state hacking group known as Turla, which has a 25-year track record targeting satellites, developing ingenious computer worms, and earning itself the designation “adversary number one.”

The ubiquitous password hashing function bcrypt was celebrating a very different kind of 25th anniversary this week, and its co-creators talked to WIRED about why the password scrambling protection has had such longevity—along with their disappointment that the state of password security has not progressed more in a quarter-century. Researchers are warning that manipulations known as indirect prompt-injection attacks could facilitate scams and data theft in generative AI systems. And new top-level domains offered by Google, including “.zip” and “.mov,” stirred controversy this month for their overlap with common file extensions and the potential that they could be abused to fuel phishing attacks.

Analysis released this week showed that Chinese labs are selling fentanyl precursor ingredients wholesale online and that 90 percent of the firms accept cryptocurrency payments for the chemicals. Elsewhere, an internal security review from the hacked cryptocurrency exchange Bitfinex shows how attackers exploited weaknesses in the platform's systems to steal millions of dollars worth of bitcoin.

In slightly more hopeful news, though, researchers from the software supply chain company Chainguard released a new approach on Tuesday to securing a crucial yet overlooked piece of cloud infrastructure known as “container registries.”

And there’s more. Each week we round up the security stories we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

The video streaming giant Netflix has been piloting an initiative around the world to cut down on account sharing outside of individual households. Now, the crackdown is finally coming to the US. This week, the company said that it will start emailing users who appear to be sharing their accounts with people who don't live in the same residence to warn them that these users will be shut out. 

In the US, if you have a Standard plan, you can add one extra user outside your home to the account for $7.99 per month. If you have a Premium plan with 4K streaming, you can add two extra members for $7.99 each. Netflix offers a Transfer Profile tool that people can use to set up their own accounts if they can no longer access the account they used to share.

“We use information such as IP addresses, device IDs, and account activity to determine whether a device signed into your account is part of your Netflix Household,” Netflix has said. “We do not collect GPS data to try to determine the precise physical location of your devices.”

TikTok employees have been sharing sensitive user data on an internal productivity and communication platform known as Lark. Documents obtained by The New York Times show that thousands of Chinese employees of TikTok's parent company ByteDance have access to and use Lark each day. User data shared on Lark mostly shows up in group chats, but the documents show that TikTok employees have raised concerns about the fact that ByteDance employees in China could potentially access users' personal details on the platform, like US driver's license data and even child sexual abuse material. Employees have reportedly been warning ByteDance and TikTok executives about the exposure since at least July 2021. Both TikTok and ByteDance have maintained over the years that there are barriers in place to prevent TikTok users' data from being accessed in China.

An Android app known as iRecorder Screen Recorder that has been downloaded more than 50,000 times on Google Play was a legitimate app when it emerged in September 2021. But researchers from the security firm ESET found that in August 2022, the app received an update and started displaying malicious behavior. It now abuses its device microphone access to record audio every 15 minutes and sends the data to a malicious server.

“Unfortunately, we don’t have any evidence that the app was pushed to a particular group of people, and from the app description and further research … it isn’t clear if a specific group of people was targeted or not,” ESET researcher Lukas Stefanko wrote. “It seems very unusual.”

Dozens of digital rights, pro-privacy, and civil liberties groups including Mozilla, the Tor Project, Fight for the Future, Derechos Digitales, and Abortion Access Front signed a letter calling for the workplace communication platform Slack to implement end-to-end encryption on its platform. Slack has long been criticized for failing to provide an end-to-end encryption option, which would cut down on governments' ability to access and surveil Slack messages, but the letter is the most organized commentary yet. “For many of these groups and individuals, Slack is an absolutely vital communication tool, but it could also become the basis of government targeting, repression, censorship,” the organizations wrote. “Default end-to-end encrypted messaging [is] a first and best step companies can take to protect targeted communities.”