Aggregator

It's in Waterfox too, and there it does what you'd expect

Whether it's running to catch the bus or getting into bed after a long day, those of us who have experienced back pain will know that even the most routine of movements can cause intense pain.

New submitter spazmonkey writes: From a hidden GPS tracker polling your location every 4.5 minutes to JavaScript loaded from a random GitHub account, no SSL certificate pinning, and an in-app browser that silently strips cookie consent dialogs and paywalls from every page you visit, the new White House app seems to have a little bit of everything. A security researcher pulled the APK apart to discover the cybersecurity vulnerabilities. "The app is a React Native build using Expo SDK 54, with WordPress powering the backend through a custom REST API," reports Android Headlines. "That's pretty normal, as nearly 42% of all websites on the internet are powered by WordPress. But that's just the start; now the nightmare begins..." From the report: To start, the app has a full GPS tracking pipeline compiled in. Essentially, it's set to poll your location every 4.5 minutes in the foreground, and 9.5 minutes in the background. It's syncing latitude, longitude, accuracy, and timestamp data to OneSignal's servers. These location permissions aren't declared in the AndroidManifest, but they are hardcoded as runtime requests in the OneSignal SDK. Some have noted that the tracking only kicks in if the developer enables it server-side and the user grants permission, but it is there, ready to go. And it gets even stranger. Apparently, the app is loading JavaScript from a random person's GitHub site for YouTube embeds. Yes, you read that right, it's just loading JavaScript from a random GitHub site. So if that account ever gets compromised, arbitrary code could run inside the app's WebView. There's also no SSL certificate pinning, meaning that traffic can potentially be intercepted on compromised networks like sketchy public WiFi or corporate proxies. The app also injects JavaScript and CSS into every page you visit in the in-app browser. This strips away cookie consent dialogs, GDPR banners, login walls, and paywalls. There's also leftover dev artifacts in the production build, including a localhost URL to the Metro bundler.

Read more of this story at Slashdot.

British singer M.I.A has been kicked off Kid Cudi's tour in the U.S. following a controversial rant at one of his recent concerts.

Angela Rayner's appearance at Strangers bar has proven if she were elected Prime Minister it would be a disaster for her and for Britain.

Brokers are warning that mortgage rates could be about to rise again unless the conflict in the Middle East is resolved.

The Daily Mail unpacks 'seat snatchers' - the frustrating habit plaguing many train passengers across the country.

In his first comments since being followed, filmed and pestered by Islamic convert Thomas Abdullah Bourne, the Little Britain star said we 'have a duty' to educate people about antisemitism.

The Kremlin's Amur-class repair ship PM-82 is currently located around the Galloper wind farm off the coast of Suffolk.

PC Lydia Cope suffered cuts to her hand and hurt her eye after the stolen rubbish receptacle smashed through the windscreen of the marked car.

Paul Hughes, 59, has made a living ransacking lockers of bank cards and jewellery as his well-heeled victims worked out in London's square mile.

UK sex expert Tracey Cox has revealed the five signs that indicate a silent divorce has taken place.

A novel written by Ingersoll Lockwood more than 130 years ago has fueled conspiracy theories that President Donald Trump's youngest son, Barron Trump, is actually a time traveler.

There were queues all day to visit the popular local coffee shop, which opened its second location at Lakeside over the weekend

Seven official flavors offer alternatives to the default Wayland-only desktop – and Xfce looks like the leanest

New proposals could revoke a universal free-entry policy that would see international visitors charged to enter museums and galleries in the UK - one expert says they're a bad idea.

Joanne Shaw, 35, had left her violent ex-partner Ryan Kelly, 41, for her own safety and moved back in with her family, calling police over his behaviour multiple times.

Nearly 900 airport workers across Scotland are preparing for summer strike action - sparking disruption for passengers travelling through these hubs.

Footage shared widely online from the Alue-Do festival in Ozoro, southern Delta state, appeared to show groups of men chasing women through crowded streets before surrounding them.

Police discovered the 26-year-old's lifeless body at a rented house in Santa Margalida in the north of the holiday island at around 7.30am.