FOXTROT/ALFA: Duck Duck Go Browser Leaks URLs, Facebook Leaks More Data, Video Games Becoming More Expensive

Good evening, everyone! I’m back with issue 132 of FOXTROT/ALFA for Thursday, 2 July 2020 – this time actually delivered on the correct day! What a concept, eh? Seems to be somewhat of a slow news day today, but I dug up some stuff anyway. Let’s do this!

Vulnerability in Cisco Small Business Routers

Cisco has fixed a security issue in two of its small business routers.

The software update addresses CVE-2020-3431, a bug present in the Cisco Small Business RV042 Dual WAN VPN Router and Cisco Small Business RV042G Dual Gigabit WAN VPN Router. We’re told this flaw can be exploited by “an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.”

In other words, if someone tricks you into clicking on a specially crafted link in a browser, for instance, they can potentially access your equipment’s management interface as you, changing or snooping on your configuration settings to gain further access or cause mischief. This requires the web-based interface to be enabled. By default, the management feature is disabled for remote users, though it is enabled for people on the same LAN.

“A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information,” Cisco explained in its advisory yesterday.

The Duck Duck Go Privacy Browser is Sending Every URL You Visited Back to the Mothership

It looks like the “Privacy Browser” app of the (allegedly) privacy-oriented search engine Duck Duck Go sends every domain a user visits to the Duck Duck Go servers. They’re saying they need to do this to get favicons to work correctly. This prioritisation seems kind of weird for a service that shouts PRIVACY ÜBER ALLES at every possible opportunity…

The purpose of the request you observed is to retrieve a website’s favicon so that it can be displayed in certain places within the app or on the results page. We use an internal favicon service because it can be complicated to locate a favicon for a website. They can be stored in a variety of locations and in a variety of formats. The service understands these edge cases and simplifies retrieval within our apps and our search engine.

As has been pointed out in this thread, the problem is that this explanation doesn’t really hold up.

I understand that there are different favicon standards and that in some cases it can be difficult to locate it. I believe that those are edge cases though and for a vast majority of websites a simple host/favicon.ico should work. My suggestion for an increased privacy here is:

  1. Attempt to load favicon directly from website by simply appending /favicon.ico to hostname (should be the most easy and most common case anyway)
  2. In case of no success fallback to use omniscient ddg favicon endpoint

Duck Duck Go does this for every single URL visited in their Privacy Browser, too.

If it was just search results, I wouldn’t care. But this appears to be in use for rendering tabs that you’re visiting, regardless of how you got there.

I never really liked Duck Duck Go. I always thought there was something fishy about their service for some reason. And this isn’t helping me change that view, I can tell you that much.

Facebook Leaks Data to Devs …AGAIN

Ooops! Facebook has been leaking data again. Completely by accident, of course…

In 2014, we introduced more granular controls for people to decide which non-public information – such as their email address or their birthdate – to share when they used Facebook to sign into apps. Later, in 2018, we announced that we would automatically expire an app’s ability to receive any updates to this information if our systems didn’t recognize a person as having used the app within the last 90 days.

But recently, we discovered that in some instances apps continued to receive the data that people had previously authorized, even if it appeared they hadn’t used the app in the last 90 days. For example, this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months.

From the last several months of data we have available, we currently estimate this issue enabled approximately 5,000 developers to continue receiving information — for example, language or gender – beyond 90 days of inactivity as recognized by our systems. We haven’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook.

We fixed the issue the day after we found it. We’ll keep investigating and will continue to prioritize transparency around any major updates.

Facebook is so leaky, they’ve got to be really lucky they’re not running a ship…

German Regulators Criticise Smart TVs

Smart TVs are a privacy nightmare. A study commissioned by the German Bundeskartellamt (the federal antitrust regulator) concludes that almost all of the manufacturers selling devices in Germany violate the GDPR in major ways . According to the study, smart TVs regularly collect personally identifiable information (including biometric data like voice profiles) and track the user’s behaviour. This is then used to personalise ads shown within the device’s user interface.

The Bundeskartellamt criticises that the terms of services are hard to get to, hard to understand and that in most cases it isn’t made clear to users how they can opt out of the tracking and data collection. The regulator is now calling on legislators to force manufacturers to comply with current laws of the land.

Video Games are Becoming More Expensive

With massive amounts of lockdown-induced inflation hitting almost all aspects of daily lives, it seems that video games are no exception.

A new generation of video game consoles may come with a new standard price point for big-budget games. That’s the impression 2K Games is giving, at least, with today’s announcement that the Xbox Series X and PlayStation 5 versions of NBA 2K21 will come in at an MSRP of $69.99. That price point is $10 higher than the $59.99 asking price for the Xbox One and PS4 versions of the same game, which are due to launch September 4. And an NBA 2K spokesperson confirmed to Ars Technica that the premium pricing is based on what it sees as the increased value represented by the power of new consoles.

When asked whether the $69.99 price point represented a new standard for 2K’s console games, the representative kept the focus squarely on today’s pricing decision. “2K’s suggested retail prices for its games are meant to represent the value being offered,” the rep said. “With nearly endless replay value and many new additions and improvements only possible on next-generation consoles, we believe our updated suggested retail price fairly represents the value of NBA 2K21.”

The last time the game industry saw a generalized price increase for big-budget, high-end games was the mid-‘00s. Back then, the $40 to $50 asking prices for PS2 games increased to a $59.99 standard for games on the PS3 and Xbox 360. Major publishers have been reluctant to break through that ceiling for the last 15 years, through two entire console generations (two and a half if you count recent mid-generation console upgrades). Meanwhile, inflation has slowly eaten away at the “real” value of that price ceiling—a $59.99 game in November 2006 was worth the equivalent of $76.33 in today’s dollars, according to the BLS inflation calculator. In fact, thanks to inflation, high-end games are now cheaper than they’ve ever been in real-money terms (especially when compared with the ‘90s era of $70 to $80 cartridge-based games).

Also Noteworthy

Some other stories I’ve been reading:


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.