In this week’s security roundup: Truecaller under investigation in Nigeria for privacy breach, Bolt Nigeria (Taxify) hacked or not hacked? Cloudflare launches free mobile VPN service, Hackers infecting WordPress sites via Rich Reviews plug-in.
In a very surprising move, the Nigerian National Information Technology Development Agency (NITDA) is going after Truecaller, the Swedish-based phone number identification app, for “potential breach of privacy rights of Nigerians.”
The agency assured that it would continue to monitor the activities of service providers to ensure that the privacy rights of Nigerians are not violated. This appears to be the first time a Nigerian agency would be investigating a tech company for a privacy breach. Although there is no official statement yet from Truecaller, it would be interesting to know what the outcome of the investigation portends for the app and its users. Exciting times ahead!
During the week, the internet (especially social media) was abuzz with information about Bolt (formerly Taxify), an Estonian-based transportation network company, being hacked. Nigerian users of the ride-hailing service reported receiving multiple debit alerts on their bank accounts for unauthorised Bolt rides. The most widespread version of the story is that the Bolt app has been hacked and users are advised to delink their bank cards from the app.
In a swift reaction, Bolt Nigeria acknowledged the issue but publicly refuted claims that its systems were hacked or customer payment information compromised. The company stated that the problem emanates from glitches on the local acquirer bank’s side and is not a case of hacking. It further stated that it is working with its payment processors and local acquirer bank to ensure that these issues are resolved as soon as possible. In the meantime, users are advised to email firstname.lastname@example.org with relevant details to facilitate investigations and a resolution of their concerns.
During the week, Cloudflare released a free VPN mobile app called Warp for all users, following the initial announcement back in April. Cloudflare is also launching a paid version, Warp Plus, which promises additional speed and security. According to Cloudflare, the goal for Warp is to make your mobile internet traffic more secure and faster. But guess what? You can’t use Warp to hide your IP address (change your location) as it were. You’ll have to look elsewhere if you need a VPN to watch your favorite show that’s not on the Nigerian version of Netflix. Cloudflare promises that it collects “as little data as possible” and that it won’t “sell, rent, share or otherwise disclose” personal information.
Finally, if your WordPress website is using a plug-in called Rich Reviews, you’ll want to uninstall it immediately. The now-obsolete plug-in has a major security loophole that allows cyber criminals to infect sites running WordPress and redirect visitors to other sites. The Wordfence Threat Intelligence team has been tracking this attack campaign since April of this year and estimates that 16,000 sites running the plugin are vulnerable.
The plugin’s developers discontinued active support and development of Rich Reviews. The discontinuation, according to the developers, stems from a change in Google’s guidelines that stopped merchants displaying review star ratings on their own URLs. The plugin disappeared from the WordPress marketplace in March this year. But the problem is that some sites that downloaded the plugin earlier on are still using it, and have been exposed to a vulnerability that allows attackers to litter their sites with pop-up ads or redirect visitors to other sites.
That’s it for this week’s security roundup. Check back next week for more security news updates.