CyberWire Daily – "Behind the lock lies a flaw."
Date: August 21, 2025
Host: Dave Bittner (N2K Networks)
Guest Interview: Ron Zayas, CEO, Ironwall by Incogni
Episode Overview
This episode dives into the latest, often worrying, cybersecurity headlines: zero-day vulnerabilities in password managers, ongoing threats from state-backed hackers, privacy violations through consumer tech, and the emerging risks of AI-powered browsers. The show also features an in-depth interview with Ron Zayas discussing rampant data sharing and privacy issues within the fast-growing “Buy Now, Pay Later” financial apps. The host’s tone is factual, urgent, and sometimes wry, ensuring both clarity and engagement.
Key News Stories & Analysis
1. DEF CON: Zero-Day Clickjacking Flaws in Password Managers
- [02:12]
- Czech researcher Marek Toth disclosed DOM-based clickjacking flaws in the browser extensions of major password managers (1Password, Bitwarden, LastPass, iCloud Passwords and others).
- A malicious page can render the manager's injected autofill UI invisible and position it beneath a harmless-looking element such as a cookie banner or CAPTCHA, so a single click autofills credentials, 2FA codes, card numbers or personal details into attacker-controlled fields.
- Vendor response is mixed: 1Password and LastPass rated the reports "informative," Bitwarden shipped a fix, and other managers remain unpatched.
- DEF CON attendees voiced concern about how "trusted tools could be so easily subverted."
- Proposed defenses include a confirmation prompt before autofill, at some cost to usability; until a vendor patches, switching the extension from automatic to manual (click-to-fill) autofill removes the one-click path.
2. FBI Warning: Russian State-Backed Hackers Exploit Cisco Flaw
- [03:14]
- The FBI warns that Berserk Bear, a group linked to Russia's FSB, is targeting critical infrastructure worldwide through a long-patched vulnerability in Cisco's Smart Install protocol (CVE-2018-0171, a seven-year-old bug).
- The intruders harvested device configuration files and established persistent access or backdoors on thousands of devices across the telecom, education and manufacturing sectors.
- Cisco urges immediate patching amid exploitation that has continued for years. A practical check: run "show vstack config" on each IOS device; if Smart Install is enabled but not needed, disable it with "no vstack" and block TCP 4786 at network boundaries, since end-of-life devices will never receive the fix.
3. Apple Emergency Patches for Zero-Day in ImageIO Framework
- [04:34]
- Apple fixed an out-of-bounds write in ImageIO (CVE-2025-43300) affecting iOS, iPadOS and macOS.
- A crafted image file could corrupt memory and crash the device or execute code.
- Apple reports the flaw was exploited in targeted attacks, so users should update immediately.
4. Home Depot Sued for Undisclosed Facial Recognition
- [05:12]
- A class action alleges that Home Depot used facial recognition at Chicago self-checkouts without notifying customers or obtaining consent, which would breach Illinois' Biometric Information Privacy Act (BIPA).
- BIPA provides statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless one, so exposure scales with the number of customers scanned; the case follows other recent facial recognition controversies.
5. VPN Extension Caught Secretly Spying on Users
- [06:07]
- The free "FreeVPN.One" Chrome extension (100,000+ installs) was found silently capturing screenshots of every page users visited, including sensitive sessions, under the cover of an "AI threat detection" feature.
- The extension carried a "verified" badge on the Chrome Web Store, yet Google's review process did not catch the behavior.
- It also collected device details and location data, and the developer went silent once the findings were published.
6. Browser Fingerprinting Surpasses Cookies for Tracking
- [07:23]
- Fingerprinting now outpaces cookies: it identifies a user by combining traits such as screen size, installed fonts, time zone, language and canvas rendering into a near-unique "signature" that cannot be cleared the way cookies can.
- It is stealthy and persistent, and it sits outside the consent mechanisms built around cookies, posing new challenges for privacy regulation.
- Some browsers (Brave, Safari) randomize or limit the exposed traits, while Chrome lags behind; users are urged to use tools such as uBlock Origin or Tor and to test their own exposure with the EFF's "Cover Your Tracks."
7. Agentic AI Browsers: Insecurity and Scams
- [08:32]
- Browsers that act on the user's behalf, such as Microsoft Edge with Copilot and OpenAI's agent mode, carry new risks:
- The agent can be steered into shopping at fake storefronts or acting on phishing emails.
- Prompt injection (instructions planted in page content the agent reads) can make it download malware or leak sensitive data.
- "This scamlexity era means scammers only need to fool the AI, not the human." [08:55]
- AI browsers risk "becoming blind, overtrusting intermediaries." Security controls such as treating web content as untrusted input and confirming sensitive actions with the human must be built in, not optional.
8. Scattered Spider Hacker Sentenced to 10 Years
- [09:37]
- Noah Michael Urban (aka "King Bob" and "Sosa"), a key member of Scattered Spider, was sentenced to 10 years in prison and ordered to pay roughly $13 million in restitution for SIM swapping and wire fraud tied to breaches involving companies such as Twilio, LastPass and DoorDash.
- Despite his youth, the court imposed the maximum sentence, citing the scale of the damage.
Featured Interview: Ron Zayas (CEO, Ironwall by Incogni) on Privacy Risks in Buy Now, Pay Later Apps
Interview segment starts at [15:01]
Overview of Buy Now, Pay Later (BNPL) Apps
- BNPL sits “between” credit and cash—allowing short-term installment payments, usually with minimal credit checks.
- Appeals to users due to its simplicity—“Instead of spending $250 to buy a pair of shoes, it’s…$50 a week…” [15:01]
Who Uses BNPL?
- Not just for those without credit, but “more people who have maxed out their credit card…definitely tending to go to a younger demographic…people in their 20s…people doing a lot of impulse buys.” [15:50]
- Retailers push BNPL because it drives sales and lowers refund rates—buyers often can’t return products bought this way. [16:18]
Research Findings: Data Collection and Sharing
- BNPL apps are “very leaky.” Major apps (Klarna, Affirm, Afterpay) “collect not only a lot of information just from the transaction part…but on top of that…where you are all the time…cookies from other websites…and even information from other mobile apps that you may be using…your contacts information.” [17:35]
- They monetize users by packaging and selling this data well beyond what’s needed for the transaction.
Transparency and Privacy Policy Issues
- Disclosure is lacking:
- “If you’re willing to read through a very oblique and long privacy statement, to a degree, they’re telling you that. But…even when you go through the privacy statements…and we’re experts…a lot of times you sit there going, ‘huh?’” [18:41]
- “None of them go into all the detail of everything they’re collecting…especially in the US, they’re guidelines…it’s not a contract. They can change it at any time.” [19:02]
- Ex: Afterpay “have 17 different data types of categories of information that they collect and that they share with third parties, including your credit scores.” [19:22]
Are BNPL Apps Predatory?
- “That’s a very fair question to wonder about…they’re encouraging you to spend more…and on top of that, they’re pulling in information from you and they’re monetizing it again. So you’re kind of paying twice…even if you don’t think you’re paying for interest…when your information gets leaked, when it gets hacked…you’re going to pay money…you’re going to pay in identity theft, you’re going to pay in other ways…” [20:16]
- “I don’t think you’re wrong in feeling that there’s a little bit of victimization that’s going on here.” [21:53]
Quickfire: Other Notable Segments
Commonwealth Bank of Australia: AI Job Cuts Reversed
- [23:52]
- CBA cut 45 customer service jobs citing its new AI Voicebot, but after spiking call volumes and union pressure, reversed the cuts and rehired staff.
- Host’s wry observation: “Evidently the future is automated, just not evenly distributed.”
Memorable Quotes
- “Trusted tools could be so easily subverted.” (On password manager zero-days)
- “This scamlexity era means scammers only need to fool the AI, not the human.” [08:55]
- Zayas on the hidden cost of BNPL (paraphrased, around [20:47]): you are paying twice, because even without interest charges the real price is your personal information.
- “I don’t think you’re wrong in feeling that there’s a little bit of victimization that’s going on here.” (Ron Zayas, [21:53])
Timestamps for Key Segments
- [02:12] DEF CON password manager zero-days
- [03:14] FBI/Cisco flaw exploited by Russian hackers
- [04:34] Apple emergency zero-day patch
- [05:12] Home Depot facial recognition lawsuit
- [06:07] VPN extension caught spying
- [07:23] Browser fingerprinting vs. cookies
- [08:32] AI browsers and new security threats
- [09:37] Scattered Spider hacker sentencing
- [15:01] Interview with Ron Zayas on BNPL privacy risks
- [23:52] Commonwealth Bank of Australia AI mishap
Conclusion and Takeaways
This episode underscores a critical, recurring theme: technological progress—whether in tools, services, or automation—introduces new opportunities for exploitation and privacy erosion. From zero-day threats embedded in our most trusted security tools, to pervasive digital tracking, to financial apps selling our data, the need for user vigilance and transparent practices is more important than ever. The risks are seldom obvious, and as Zayas and Bittner highlight, the costs may be hidden until it’s too late.
For detailed links and continued updates, listeners are encouraged to visit The CyberWire’s daily briefing online.
