Highlight

British Airways, the British airline, was recently hit by major technical problems, leading to the cancellation of all short-haul flights from Heathrow airport until Saturday. In a statement issued to Insider, British Airways said: "We very much regret that, due to the ongoing technical problems we are facing, we have unfortunately had to cancel all short-haul flights from Heathrow today until midday." The statement also said that the British airline "anticipates further disruptions during the day". The airline also confirmed to Reuters that the problem was not due to a cyber attack. Heathrow Airport also apologized for the situation via its official Twitter account. According to Sky News, the British Airways website and app were down for several hours last Friday, preventing customers from booking flights or checking in online. Nevertheless, British Airways said that long-haul services at Heathrow and all flights at Gatwick and London City Airport should operate as planned. Customers will be able to receive a full refund and can choose to rebook their flights at a later date, according to the airline. One passenger, Ed Hall, told The Press Association that he was stuck on a plane for more than an hour after landing at Heathrow Terminal 5. According to him, this was because the crew couldn't access any IT systems to find out where passengers could disembark from the plane. This systems disruption comes after British Airways itself canceled several flights in and out of London airports last week after Storm Eunice hit the UK. The original article via Insider can be read at:https://www.businessinsider.com/british-airways-cancels-flights-technical-issues-denies-cyber-attack-2022-2

A software bug at Apple has led to Siri, its virtual assistant feature, recording personal interactions with its users without their consent. Last week, Apple acknowledged this very serious problem in its most recent update, iOS 15. According to Apple, the AI-based virtual assistant recorded people's conversations, even though they had refused to do so: "The bug automatically activated the Improve Siri and Dictation setting that gives Apple permission to record, store and review personal conversations with Siri," reported ZDNet. Later, issuing an apology, the US company said it had fixed the bug for "many" users. There are still many unanswered questions: the company's statement does not clarify, for example, how many phones were affected, or even when. "Without transparency, there's no way of knowing who might have their conversations recorded and listened to by Apple employees, despite the user having acted in exactly the way to avoid that scenario," added the online portal The Verge. Technology and AI experts have previously argued in favor of these big tech companies listening to our requests - mainly in order to adjust the flaws in voice-based technology. This is what Amazon's Alexa FAQ says: "The more data we use to train these systems, the better Alexa works, and training Alexa with voice recordings from multiple customers helps ensure that Alexa works well for everyone." In other words, the only way to improve voice-based technology, according to some experts, is to make private interactions listenable. It is estimated that in 2020, more than 60% of Indian users used voice assistants on their smartphones for a multitude of tasks - from listening to music, to setting an alarm, or even asking questions. Florian Schaub, an assistant professor at the University of Michigan who has studied people's perceptions of privacy, argues that people tend to personify their devices, which makes them even more inattentive to these kinds of issues. In this sense, when they ask Alexa or Siri innocuous questions, they are not really thinking deeply about these actions, but when they realize that someone is listening to their conversations, they feel that it is intrusive and a violation of their privacy, and are therefore much more likely to disconnect from these systems. This is an issue that raises a number of concerns not only about users' privacy, but also about the extent to which their data is retained and how it is harnessed and used by these companies. "VAs work on the basis of users' voices - that's their main feature. All the VAs mentioned above are activated by listening to a specific activation keyword. Although some of the policies state that cloud servers do not store data/voice unless the activation word is detected, there is a constant exchange of voice and related data between your cloud servers and the VA device. This turns out to be particularly worrying in cases of false activation, when data can be stored without real knowledge," according to a report by the Internet Freedom Foundation (IFF). The original article via The Swaddle can be read at: https://theswaddle.com/apples-siri-was-accidentally-recording-conversations-without-peoples-consent/

Tesla will have to recall 817,143 vehicles to repair a defect in the software that prevents the audible message that warns that the seat belt is not fastened from being activated. In documents released by the US National Highway Traffic Safety Administration (NHTSA), the US company said that until January 31 it had no record of "accidents, injuries or deaths" caused by the defect. According to the same documents, it was a South Korean institute that notified Tesla of the defect on January 6. Following the warning from the Korea Automobile Testing and Research Institute (KATRI), Tesla technicians verified the problem. The defect affects models 3 2017-2022, S 2021-2022, X 2021-2022 and Y 2020-2022. The problem is centered on the software that controls the activation of the audible warning signal and occurs when the driver interrupts the audible message, for example by leaving the vehicle while it is activated. In these circumstances, the software registers that it has already warned the driver, but does not repeat the beep. Tesla also indicated that the beep is activated when the car exceeds 22 kilometers per hour and the driver's seat belt is not fastened. Elon Musk's company told the NHTSA that, in order to correct the problem, it will remotely update the software in all affected vehicles and will notify owners by mail on April 1. The original article via Expresso can be read at: https://expresso.pt/economia/tesla-recolhe-mais-de-800-mil-veiculos-devido-a-defeito-em-software/

In France, a vaccination certificate is required to enter the vast majority of public places, including restaurants, cinemas and museums, as well as public transport. All people over the age of 16 are obliged to wear the certificate in order to gain access to these spaces, and at the moment, in order to have a valid certificate you need to have received a booster dose. Vaccination certificates can be deactivated automatically if the holder has not received a booster dose within the required timeframe, however, a problem has been reported that would lead to the deactivation of these certificates, even though some of these people have been vaccinated with a booster dose. This is a problem that mainly affects people who have already been infected with the COVID-19 virus. France operates on a policy of "one infection corresponds to one dose of vaccine" - which means that if a person has been inoculated with a two-dose vaccine (AstraZeneca/Pfizer/Moderna) and is infected with Covid before or after the first dose, they don't need a second dose. However, the booster dose is indeed necessary. As an example, French President Emmanuel Macron became infected with the COVID virus in December 2020, when it came time to get vaccinated, he received a single dose, and as soon as the boosters opened for under 50s in November, he had his booster shot. In recent weeks, some people in a similar situation have received alerts via the TousAntiCovid app, warning that their vaccination certificate would be deactivated. This was mainly due to a software bug that incorrectly interpreted the two doses - and which has since been fixed. So far, the TousAntiCovid app has had surprisingly few software glitches, but there is one problem that has affected people vaccinated in the UK. As NHS (British National Health Service) vaccination codes only last 30 days, TousAntiCovid will be deactivated as soon as the code expires, which means that the user has to download a new QR code every 30 days from the NHS app, in order to scan for TousAntiCovid and keep it active. The original article via The Local can be read at: https://www.thelocal.fr/20220202/warning-over-deactivation-bug-in-frances-vaccine-pass/

Several iPhone 13 users have reported a problem that is, to say the least, random: The device's screen turns pink, making it impossible to use the phone without restarting it. One of the first cases to be reported dates back to October, on Apple's discussion forums. Although in this case the device in question was replaced, other users began to report the same problem in the following weeks and months. While some customers managed to get their iPhone 13 replaced, others were not so lucky, as Apple said it was just a software bug. Reading the reports, it's not possible to find a pattern that explains why this happens, although it does seem to be restricted to the iPhone 13 line. According to one user, in December: "I had the same problem when taking a photo and the screen not only froze but turned pink and restarted soon after. I called Apple support, they diagnosed it and said there was nothing wrong." Also on the social network Reddit, some users ended up reporting the same situation: "This happened to me the other day while I was in the car. It was preceded by my GPS giving me completely wrong directions, away from my destination, until I turned it off and on again. During this time the screen turned pink." Amongst all these complaints, the My Drivers blog discovered that Apple recently made a statement on the Chinese social network Weibo, precisely because the vast majority of cases appear to have arisen in China. According to the US company: "We have not detected any relevant hardware problems with the devices, as this situation [pink screen] is caused when the system is locked." According to the publication, Apple advises users to back up their data, and install the latest update available, in order to rule out incompatibility between an app version and the iOS version. Since then, iOS 15.3 RC doesn't mention fixing the pink screen bug, which also causes confusion among users, since some of these reports first appeared when the iPhone 13 was originally released. The original article via 9To5Mac can be read at: https://9to5mac.com/2022/01/23/some-iphone-13-users-report-pink-screen-issues-apple-says-its-a-software-bug/

The European Commission has launched a program that rewards the detection of bugs in its Open Source projects that underpin its public services. Bug bounty hunters will be able to receive up to €5,000 (the equivalent of 5,600 US dollars) for finding security vulnerabilities in open source software used throughout the European Union (EU), including LibreOffice, LEOS, Mastodon, Odoo and CryptPad. This program, led by the European bug bounty platform Intigriti, will also offer a bonus of 20% if a code fix for the bugs is provided by the researchers. In a statement released on January 19, the EC said it is looking for reports of security vulnerabilities such as the exposure of personal data, horizontal/vertical privilege escalation and SQL injection. The highest reward will be paid for the detection of "exceptional vulnerabilities". This latest program follows on from another program, called FOSSA, also run by the EU, which paid out more than 220,000 dollars in its 18 months of operation, and which was heralded as a "remarkable success". Speaking to The Daily Swig, Inti De Ceukelaire, head of hacking at Intigriti, said that the partnership came about last year when Intigriti led a program funded by the EC's ISA2 program. "We are committed to further nurturing the relationship with the open source communities that we have established over the last few years," said the Belgian tester. "Personally, I believe that all government bodies should have and encourage the use of vulnerability disclosure policies and introduce or adopt unambiguous laws to support vulnerability research. Bug bounties, among other crowdsourcing initiatives, are a great way to encourage this." De Ceukelaire added: "Virtually all organizations use open source projects in one way or another. Identifying and resolving security vulnerabilities in these projects has an impact at scale. The Log4j incident has shown us that supporting the security of widely used open source projects is an absolute necessity, so we can only applaud this initiative by the European Commission." The original article via The Daily Swig can be read at: https://portswigger.net/daily-swig/european-commission-launches-new-open-source-software-bug-bounty-program

A software bug introduced in Apple Safari 15's IndexedDB API implementation could be abused by a malicious website to track users' online activity in the web browser and, worse, even reveal their identity. This vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the problem to the iPhone manufacturer in November 2021. IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers to manage NoSQL databases of structured data such as files and blobs. "Like most web storage solutions, IndexedDB follows a same-origin policy," according to Mozilla's API documentation. "So while you can access data stored in a particular domain, you cannot access data in different domains." The same-origin policy is a fundamental security mechanism that ensures that resources retrieved from different origins - i.e. a combination of the scheme (protocol), host (domain) and port number of a URL - are isolated from each other. This means that "http[:]//example[.]com/" and "https[:]//example[.]com/" are not from the same source because they use different schemes. By restricting how a script loaded by one origin can interact with a resource from another origin, the idea is to hijack potentially malicious scripts and reduce possible attack vectors by preventing an unauthorized site from executing arbitrary JavaScript code to read data from another domain, i.e. an email service. However, this is not the case with how Safari handles the IndexedDB API on iOS, iPadOS and macOS. "In Safari 15, on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is in violation of the same-origin policy," said Martin Bajanik in an article. "Whenever a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs and windows in the same browser session." One consequence of this privacy breach is that it allows websites to know which other websites a user is visiting, in different tabs or windows, specifically, to accurately identify users on Google services such as YouTube and Google Calendar, because these websites create IndexedDB databases that include authenticated Google user IDs - an internal identifier that uniquely identifies a single Google account. "This not only implies that untrusted or malicious sites can know a user's identity, but also allows them to link several separate accounts used by the same user," added Bajanik. To make matters worse, this leak also affects the private browsing mode in Safari 15, in case a user visits several different websites from the same tab in the browser window. "This is a huge bug," tweeted Jake Archibald, Google Chrome developer advocate. "In OSX, Safari users can (temporarily) switch to another browser to prevent their data from leaking between sources. iOS users don't have that choice, because Apple imposes a ban on other browser engines." The original article via The Hacker News can be read at: https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.html

A new script malfunctioned and deleted 34 million files from the Japanese university's supercomputer, some of which cannot be recovered by backups. On December 16, Kyoto University began investigating a problem caused by a software update from Hewlett Packard Enterprise (HPE). It was discovered that approximately 77TB of files from 14 research groups had been deleted in the previous two days. Although the university has admitted that it will contact those affected, HPE itself took full responsibility and said that the update to the Japanese university's supercomputer system was originally designed to "improve visibility and readability" by deleting log files that were more than 10 days old. According to the statement issued, the US company admits that there was a "lack of consideration" in the procedure for releasing the new script, and that it was not aware of any potential side effects when it was applied. This caused a script to be overwritten while it was still running, "resulting in undefined variables" that caused the original log files on the supercomputer to be deleted "instead of deleting the [log] file saved in the directory". HPE added that measures will be taken to ensure that the problem does not reoccur in the future, including checking for updates before application and retraining the engineers responsible for preventing risks and human error. Kyoto University is Japan's second oldest university, founded in 1897. It is one of Japan's leading research-oriented institutions and has produced several Nobel Prize winners. Microsoft itself also faced a software problem earlier this year, when its Exchange servers stopped working properly when the clock struck midnight on New Year's Eve. The servers were unable to accommodate the year 2022, which led some to call it the Y2K22 bug. The original article via Silicon Republic can be read at: https://www.siliconrepublic.com/enterprise/software-error-causes-34m-research-files-to-be-lost-at-kyoto-university