Meta | Breaking Cybersecurity News | The Hacker News

Meta on Tuesday announced LlamaFirewall , an open-source framework designed to secure artificial intelligence (AI) systems against emerging cyber risks such as prompt injection, jailbreaks, and insecure code, among others. The framework , the company said, incorporates three guardrails, including PromptGuard 2, Agent Alignment Checks, and CodeShield. PromptGuard 2 is designed to detect direct jailbreak and prompt injection attempts in real-time, while Agent Alignment Checks is capable of inspecting agent reasoning for possible goal hijacking and indirect prompt injection scenarios. CodeShield refers to an online static analysis engine that seeks to prevent the generation of insecure or dangerous code by AI agents. "LlamaFirewall is built to serve as a flexible, real-time guardrail framework for securing LLM-powered applications," the company said in a GitHub description of the project. "Its architecture is modular, enabling security teams and developers to com...

WhatsApp has introduced an extra layer of privacy called Advanced Chat Privacy that allows users to block participants from sharing the contents of a conversation in traditional chats and groups. "This new setting available in both chats and groups helps prevent others from taking content outside of WhatsApp for when you may want extra privacy," WhatsApp said in a statement. The optional feature, when enabled, prevents others from exporting chats, auto-downloading media to their phone, and using messages for artificial intelligence (AI) features. However, it's worth noting users can still take individual screenshots, or manually download the media. The popular messaging service said the feature is "best used" when engaging in sensitive conversations with groups where it's possible that users may not know everyone closely. The feature, WhatsApp said, is rolling to all users who are on the latest version of the application. The disclosure comes as the ...

Meta has announced that it will begin to train its artificial intelligence (AI) models using public data shared by adults across its platforms in the European Union, nearly a year after it paused its efforts due to data protection concerns from Irish regulators. "This training will better support millions of people and businesses in Europe, by teaching our generative AI models to better understand and reflect their cultures, languages, and history," the company said . To that end, users' posts and comments, as well as their interactions with Meta AI, are expected to be used for training and improving the models. It does not cover private messages sent between friends and family and data from accounts below the age of 18. Users in the region will start receiving notifications this week, both in the apps and via email, that detail the kinds of data the company will be using for this purpose and why it matters in the context of improving AI and the overall user experie...

Meta-owned WhatsApp on Friday said it disrupted a campaign that involved the use of spyware to target journalists and civil society members. The campaign, which targeted around 90 members, involved the use of spyware from an Israeli company known as Paragon Solutions. The attackers were neutralized in December 2024. In a statement to The Guardian, the encrypted messaging app said it has reached out to affected users, stating it had "high confidence" that the users were targeted and "possibly compromised." It's currently not known who is behind the campaign and for how long it took place. The attack chain is said to be zero-click, meaning the deployment of the spyware occurs without requiring any user interaction. It's suspected to involve the distribution of a specially-crafted PDF file sent to individuals who were added to group chats on WhatsApp. The company noted the targets were spread across over two dozen countries, including several in Europe, ...

The European General Court on Wednesday fined the European Commission, the primary executive arm of the European Union responsible for proposing and enforcing laws for member states, for violating the bloc's own data privacy regulations. The development marks the first time the Commission has been held liable for infringing stringent data protection laws in the region. The court determined that a "sufficiently serious breach" was committed by transferring a German citizen's personal data, including their IP address and web browser metadata, to Meta's servers in the United States when visiting the now-inactive futureu.europa[.]eu website in March 2022. The individual registered for one of the events on the site by using the Commission's login service, which included an option to sign in using a Facebook account. "By means of the 'Sign in with Facebook' hyperlink displayed on the E.U. Login webpage, the Commission created the conditions for t...

Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been fined €251 million (around $263 million) for a 2018 data breach that impacted millions of users in the bloc, in what's the latest financial hit the company has taken for flouting stringent privacy laws. The Irish Data Protection Commission (DPC) said the data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the European Union and European Economic Area (EEA). It's worth noting that initial estimates from the tech giant had pegged the total number of affected accounts at 50 million. The incident, which the social media company disclosed back in September 2018, arose from a bug that was introduced to Facebook's systems in July 2017, allowing unknown threat actors to exploit the "View As" feature that lets a user see their own profile as someone else. This ultimately made it possible to obtain account ac...

Meta Platforms, Microsoft, and the U.S. Department of Justice (DoJ) have announced independent actions to tackle cybercrime and disrupt services that enable scams, fraud, and phishing attacks. To that end, Microsoft's Digital Crimes Unit (DCU) said it seized 240 fraudulent websites associated with an Egypt-based cybercrime facilitator named Abanoub Nady (aka MRxC0DER and mrxc0derii), who advertised for sale a phishing kit called ONNX. Nady's criminal operation is said to date as far back as 2017. "Numerous cybercriminal and online threat actors purchased these kits and used them in widespread phishing campaigns to bypass additional security measures and break into Microsoft customer accounts," Microsoft DCU's Steven Masada said . "While all sectors are at risk, the financial services industry has been heavily targeted given the sensitive data and transactions they handle. In these instances, a successful phish can have devastating real-world consequences...

Europe's top court has ruled that Meta Platforms must restrict the use of personal data harvested from Facebook for serving targeted ads even when users consent to their information being used for advertising purposes, a move that could have serious consequences for ad-driven companies operating in the region. "An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data," the Court of Justice of the European Union (CJEU) said in a ruling on Friday. In other words, social networks, such as Facebook, cannot keep using users' personal data for ad targeting indefinitely, the court said, adding limits must be set in place in order to comply with the bloc's General Data Protection Regulation (GDPR) data minimization requirements. It's worth noting that Article 5(1)(c) of GDPR necessitates that companies limit the process...

The Irish Data Protection Commission (DPC) has fined Meta €91 million ($101.56 million) as part of a probe into a security lapse in March 2019, when the company disclosed that it had mistakenly stored users' passwords in plaintext in its systems. The investigation, launched by the DPC the next month, found that the social media giant violated four different articles under the European Union's General Data Protection Regulation (GDPR). To that end, the DPC faulted Meta for failing to promptly notify the DPC of the data breach, document personal data breaches concerning the storage of user passwords in plaintext, and utilize proper technical measures to ensure the confidentiality of users' passwords. Meta originally revealed that the privacy transgression led to the exposure of a subset of users' Facebook passwords in plaintext, although it noted that there was no evidence it was improperly accessed or abused internally. According to Krebs on Security , some of ...

Meta has announced that it will begin training its artificial intelligence (AI) systems using public content shared by adult users across Facebook and Instagram in the U.K. in the coming months. "This means that our generative AI models will reflect British culture, history, and idiom, and that U.K. companies and institutions will be able to utilize the latest technology," the social media behemoth said . As part of the process, users aged 18 and above are expected to receive in-app notifications starting this week on both Facebook and Instagram, explaining its modus operandi and how they can readily access an objection form to deny their data being used to train the company's generative AI models. The company said it will honor users' choices and that it won't contact users who have already objected to their data being used for their purpose. It also noted that it will not include private messages with friends and family, as well as information from accounts...

Google has revealed that it took down 1,320 YouTube channels and 1,177 Blogger blogs as part of a coordinated influence operation connected to the People's Republic of China (PRC). "The coordinated inauthentic network uploaded content in Chinese and English about China and U.S. foreign affairs," Google Threat Analysis Group (TAG) researcher Billy Leonard said in the company's quarterly bulletin released last week. The tech giant said it also terminated Ads, AdSense, and Blogger accounts linked to two coordinated influence operations with ties to Indonesia that shared content supportive of the ruling party in the country. Another big cluster dismantled by Google involved a network of 378 YouTube channels that it said originated from a Russian consulting firm and disseminated content that projected Russia in a favorable light and denigrated Ukraine and the West. The company further terminated one AdSense account and blocked 10 domains from showing up in Google News an...

Google is urging third-party Android app developers to incorporate generative artificial intelligence (GenAI) features in a responsible manner. The new guidance from the search and advertising giant is an effort to combat problematic content, including sexual content and hate speech, created through such tools. To that end, apps that generate content using AI must ensure they don't create Restricted Content , have a mechanism for users to report or flag offensive information , and market them in a manner that accurately represents the app's capabilities. App developers are also being recommended to rigorously test their AI models to ensure they respect user safety and privacy. "Be sure to test your apps across various user scenarios and safeguard them against prompts that could manipulate your generative AI feature to create harmful or offensive content," Prabhat Sharma, director of trust and safety for Google Play, Android, and Chrome, said . The development com...

European Police Chiefs said that the complementary partnership between law enforcement agencies and the technology industry is at risk due to end-to-end encryption (E2EE). They called on the industry and governments to take urgent action to ensure public safety across social media platforms. "Privacy measures currently being rolled out, such as end-to-end encryption, will stop tech companies from seeing any offending that occurs on their platforms," Europol  said . "It will also stop law enforcement's ability to obtain and use this evidence in investigations to prevent and prosecute the most serious crimes such as child sexual abuse, human trafficking, drug smuggling, homicides, economic crime, and terrorism offenses." The idea that E2EE protections could stymie law enforcement is often referred to as the  "going dark" problem , triggering concerns it could create  new obstacles  to gather evidence of nefarious activity. ...

In June 2017, a  study  of more than 3,000 Massachusetts Institute of Technology (MIT) students  published  by the National Bureau for Economic Research (NBER) found that 98% of them were willing to give away their friends' email addresses in exchange for free pizza. "Whereas people say they care about privacy, they are willing to relinquish private data quite easily when incentivized to do so," the research said, pointing out a what's called the privacy paradox. Now, nearly seven years later, Telegram has introduced a new feature that gives some users a free  premium membership  in exchange for allowing the popular messaging app to use their phone numbers as a relay for sending one-time passwords (OTPs) to other users who are attempting to sign in to the platform. The feature, called Peer-to-Peer Login (P2PL), is currently being tested in selected countries for Android users of Telegram. It was first spotted by  tginfo  in February 2024 (via...

Meta has offered details on how it intends to implement interoperability in WhatsApp and Messenger with third-party messaging services as the Digital Markets Act (DMA) went into effect in the European Union. "This allows users of third-party providers who choose to enable interoperability (interop) to send and receive messages with opted-in users of either Messenger or WhatsApp – both designated by the European Commission (EC) as being required to independently provide interoperability to third-party messaging services," Meta's Dick Brouwer  said . DMA, which officially  became enforceable  on March 7, 2024, requires companies in gatekeeper positions – Apple, Alphabet, Meta, Amazon, Microsoft, and ByteDance – to meet certain obligations as part of the European Commission's efforts to clamp down on anti-competitive practices from tech players, level the playing field, as well as compel them to open some of their services to competitors. As part of its efforts to compl...

A U.S. judge has ordered NSO Group to hand over its source code for  Pegasus  and other remote access trojans to Meta as part of the social media giant's ongoing litigation against the Israeli spyware vendor. The decision marks a major legal victory for Meta, which  filed the lawsuit  in October 2019 for using its infrastructure to  distribute the spyware  to approximately 1,400 mobile devices between April and May. This also  included  two dozen Indian activists and journalists. These attacks leveraged a then zero-day flaw in the instant messaging app ( CVE-2019-3568 , CVSS score: 9.8), a critical  buffer overflow bug  in the voice call functionality, to deliver Pegasus by merely placing a call, even in scenarios where the calls were left unanswered. In addition, the attack chain included steps to erase the incoming call information from the logs in an attempt to sidestep detection. Court documents released late last month show t...

Meta Platforms said it took a series of steps to curtail malicious activity from eight different firms based in Italy, Spain, and the United Arab Emirates (U.A.E.) operating in the surveillance-for-hire industry. The findings are part of its  Adversarial Threat Report  for the fourth quarter of 2023. The spyware targeted iOS, Android, and Windows devices. "Their various malware included capabilities to collect and access device information, location, photos and media, contacts, calendar, email, SMS, social media, and messaging apps, and enable microphone,camera, and screenshot functionality," the company said. The eight companies are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries. These firms, per Meta, also engaged in scraping, social engineering, and phishing activity that targeted a wide range of platforms such as Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, R...