Bill Toulas@BleepingComputer - 74d
Meta has been fined €251 million (approximately $263 million) by the Irish Data Protection Commission (DPC) for violations of the General Data Protection Regulation (GDPR). The fine stems from a 2018 data breach that compromised the personal information of about 29 million Facebook accounts worldwide, roughly 3 million of them belonging to EU-based users. The breach resulted from a vulnerability in Facebook's "View As" feature that allowed attackers to take over user accounts. The bug had been present since July 2017 and was exploited in September 2018, when attackers used automated scripts to steal access tokens for users' accounts. With those tokens they were able to obtain personal data such as names, dates of birth, and other profile information.
The DPC imposed the fine because Meta failed to protect user data as GDPR requires and failed to fully disclose the details of the breach. The penalty covers Meta's failure to build data protection principles into the design of its systems and its storage of more user data than was necessary. The regulator also found that Meta did not adequately document the breach and its remediation, and that the breach notifications it sent to the DPC were incomplete. The decision underscores the importance of complying with data protection law and keeping user data secure.
@gbhackers.com - 34d
A critical vulnerability has been disclosed in Meta's Llama Stack, a popular open-source framework for building generative AI applications. The flaw, tracked as CVE-2024-50050, allows a remote attacker to execute arbitrary code on a server running the Llama Stack inference API. It arises from unsafe deserialization of Python objects with the 'pickle' module: the framework's default Python inference server received requests through pyzmq's 'recv_pyobj' method, which unpickles whatever bytes arrive on the socket. Because 'pickle' can invoke arbitrary callables while reconstructing objects, any client that can reach the socket can send a crafted payload that runs attacker-chosen code during deserialization. The risk is amplified by the framework's rapidly growing popularity, with thousands of stars on GitHub.
Successful exploitation could lead to resource theft, data breaches, and manipulation of the hosted AI models; an attacker who can reach the socket over the network can potentially gain full control of the server. The root cause is not a defect in pyzmq itself: its 'recv_pyobj' method is documented as pickle-based and unsafe for untrusted peers, and the problem is that Llama Stack exposed it to network clients. Severity ratings differ: some sources rate the flaw CVSS 9.3, while others, including Meta's own assessment, rate it as low as 6.3 out of 10.
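The following example is added here to show the mechanism behind the flaw and two ways to close it; it is not code from Llama Stack, pyzmq, or the original article. It replaces the network socket with a byte string: vulnerable_recv does what pyzmq's recv_pyobj does on a received frame (pickle.loads), MaliciousPayload is a constructed pickle gadget whose callable is a harmless recorder instead of os.system, DenyGlobalsUnpickler is a restricted unpickler for cases where the wire format must stay pickle, and hardened_recv uses JSON with a hypothetical {"prompt": str} request shape (the real Llama Stack schema is richer; Meta's fix likewise moved the socket messages from pickle to JSON).

```python
import io
import json
import pickle

# Observable side-effect sink so the payload proves it ran without touching the OS.
EXECUTED = []


def _record(marker):
    """Stand-in for the attacker's callable (a real gadget would return os.system)."""
    EXECUTED.append(marker)
    return marker


class MaliciousPayload:
    """Constructed pickle gadget. pickle.dumps() stores the (callable, args)
    pair returned by __reduce__, and pickle.loads() calls that callable
    while rebuilding the object; that call is the code execution."""

    def __reduce__(self):
        return (_record, ("attacker code ran",))


def attacker_message() -> bytes:
    """Bytes a hostile client would send to the inference socket (constructed)."""
    return pickle.dumps(MaliciousPayload())


def benign_pickle_message() -> bytes:
    """A legitimate request in the old pickle wire format (constructed)."""
    return pickle.dumps({"prompt": "hello"})


def vulnerable_recv(msg: bytes):
    """Equivalent of pyzmq's Socket.recv_pyobj() on a received frame:
    pickle.loads() on untrusted bytes, so any callable named in the
    pickle is invoked during load."""
    return pickle.loads(msg)


class DenyGlobalsUnpickler(pickle.Unpickler):
    """Restricted unpickler: refuses every global lookup, so a pickle can
    carry plain data (dicts, lists, strings, numbers) but no callable."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def restricted_recv(msg: bytes):
    """Mitigation if the wire format must stay pickle for compatibility."""
    return DenyGlobalsUnpickler(io.BytesIO(msg)).load()


def hardened_recv(msg: bytes) -> dict:
    """Preferred fix: a data-only format (JSON) plus schema validation.
    Hypothetical request shape {"prompt": str}."""
    req = json.loads(msg.decode("utf-8"))
    if not isinstance(req, dict) or not isinstance(req.get("prompt"), str):
        raise ValueError("malformed inference request")
    return req


def outcome(receiver, msg: bytes) -> str:
    """Run a receiver on a message and report whether attacker code ran,
    the message was rejected, or it was loaded as inert data."""
    before = len(EXECUTED)
    try:
        receiver(msg)
    except (pickle.UnpicklingError, ValueError):
        # UnicodeDecodeError and json.JSONDecodeError are ValueError subclasses.
        return "rejected"
    return "executed" if len(EXECUTED) > before else "loaded as data"


if __name__ == "__main__":
    hostile = attacker_message()
    benign_json = json.dumps({"prompt": "hello"}).encode("utf-8")
    print("vulnerable_recv, hostile :", outcome(vulnerable_recv, hostile))
    print("restricted_recv, hostile :", outcome(restricted_recv, hostile))
    print("restricted_recv, benign  :", outcome(restricted_recv, benign_pickle_message()))
    print("hardened_recv, hostile   :", outcome(hardened_recv, hostile))
    print("hardened_recv, benign    :", outcome(hardened_recv, benign_json))
```

The restricted unpickler is a stopgap: it stops this gadget class, but pickle still parses attacker-controlled opcodes, so the JSON path is the one to keep for anything reachable from the network.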