Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Google pledges to destroy “Incognito Mode” browser data

Google has agreed to a major privacy settlement requiring them to destroy billions of data points collected during supposedly private browsing sessions using the Chrome browser. The settlement stems from a class-action lawsuit filed in 2020 alleging that Google misled users about the extent of data collection in Chrome's Incognito mode.

The lawsuit highlighted a discrepancy between Google's marketing of Incognito as "private" and the reality that user data was still being collected. The settlement requires Google to update its disclosures to more accurately reflect what data is collected and how it's used.

While the settlement doesn't provide individual financial compensation, it represents a significant shift in Google's data practices. Google will also be required to give users more control over their privacy by allowing them to block third-party cookies by default in Incognito mode for the next five years. This is notable because Google has separately announced plans to phase out third-party cookies entirely by the end of 2024.

However, individuals can still file claims against Google for damages. According to The Wall Street Journal, plaintiff attorneys have filed 50 claims in the California state court.

The settlement is a win for privacy advocates who argue that tech companies must be more transparent about data collection. The case also sheds light on internal debates at Google regarding user privacy, with executives acknowledging the limitations of Incognito mode.

Google maintains that the deleted data was never used for personalization and denies wrongdoing. However, the settlement requires them to delete this data and significantly change their privacy disclosures and functionalities.

Google spokesman José Castañeda said the company is “happy to delete old technical data.” The data was never associated with an individual or used for personalization, and he called the individual lawsuits “meritless.”

The ruling will likely have a ripple effect on the broader tech industry, forcing companies to be more mindful of user privacy.

Other browsers, such as Apple’s Safari, blocked third-party cookies for cross-site tracking four years ago.

GoFetch: Apple M-series silicon vulnerable to unpatchable side-channel attack

Academic cybersecurity researchers have discovered that Apple’s M-series of silicon chips–including the M1, M2, and M3 chip families–are vulnerable to leaking encryption keys that hackers could steal. The chips are used across the Apple product portfolio, including the MacBook Pro, iPad, iMac and Mac Mini.

The team of researchers have titled the side-channel attack “GoFetch.” Documentation on the methodologies used, and videos demonstrating the RSA 2048-bit key extraction on an Apple M1 silicon chip is available on the researchers’ website, GoFetch.

The encryption keys are leaked when the M-series chips perform widely used cryptographic calculations. The GoFetch attack is based on a CPU feature called data memory-dependent prefetcher (DMP), which all Apple M-series silicon chips contain.

Modern processors use caches to reduce a program's memory access latency. If data has been accessed before, it gets cached, making subsequent access faster. Since the cache is shared by processes running on the same machine, attackers co-located to the same machine can monitor the cache's state to deduce a victim's access pattern.

A hacker could weaponize the encryption key leak with a drive-by attack, allowing for the extraction of AES keys or the mining of cryptocurrencies as users browse the internet.

For further reading on this attack, we recommend reading coverage on The Hacker News and Ars Technica.

Cybersecurity Headlines

New from our favorite blogs and journalists:

• China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations (The Hacker News)

• Google to Delete Billions of Browsing Records in 'Incognito Mode' Privacy Lawsuit Settlement (The Hacker News)

• Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals (The Hacker News)

• Hackers Target macOS Users with Malicious Ads Spreading Stealer Malware (The Hacker News)

• CISA, DC HSEMA and Regional Partners Conduct Exercise to Ensure National Capital Region Water Service Resilience (CISA)

• Nothing Scares the PRC More Than a Russian Defeat in Ukraine (CISA)

• CISA Announces New Efforts to Help Secure Open Source Ecosystem (CISA)

• FTC: Americans lost $1.1 billion to impersonation scams in 2023 (BleepingComputer)

• AT&T confirms data for 73 million customers leaked on hacker forum (BleepingComputer)

• Cisco warns of password-spraying attacks targeting VPN services (BleepingComputer)

Until next time…

Rob Waters
Founder, The Breach Report + Cybersecurity Careers Blog

Disclaimer: The author of this article is a current employee of Google. It does not represent the views or opinions of his employer and is not meant to be an official statement for Google or Google Cloud.