AmbiguousProps

[–] [email protected] 6 points 2 weeks ago
[–] [email protected] 8 points 2 weeks ago (1 children)

Can't wait to see the new images.

 

A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.

The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024.

Arising due to missing input validation and sanitization, the issue makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations.

 

In teaching materials it released last week, a module titled adolescents and intimate relationships for Secondary Year 3, suggested that teenagers who wanted to have sex with each other could "go out to play badminton together" instead.

The materials also include a form called "My Commitment" aimed at getting "young lovers" to attest that they would exercise "self-discipline, self-control, and resistance to pornography".

The new materials have raised eyebrows and attracted criticism for being "out of touch". But officials have defended the decision.

Meanwhile social media has been flooded with jokes centered around "playing badminton".

"FWB [Friends with benefits]?? Friends with badminton," read one comment on Instagram that had more than 1,000 likes.

"In English: Netflix and chill? In Cantonese, play badminton together?" read another Facebook post which was shared more than 500 times.

Even Olympics badminton player Tse Ying Suet could not resist from commenting.

"Everyone is making an appointment to play badminton. Is everyone really into badminton?" she asked on Threads with a smirky face emoji.

[–] [email protected] 3 points 1 month ago (1 children)

If that is accurate to Sweden's laws (what you originally said), then your friend's opinion does not matter. Only Sweden can make it illegal, not your friend.

[–] [email protected] 1 points 1 month ago

It's almost like they've had at least 3 years (if not longer) to prepare for this moment. Buy it somewhere else or find a renewable source. Giving money to dictators is never a good look no matter the reason.

[–] [email protected] 10 points 1 month ago

Uh, it's not like we did it by choice. The more accurate headline would be "Americans can no longer afford things because of greed and inflation".

[–] [email protected] 10 points 1 month ago* (last edited 1 month ago)

As an American, I'm absolutely terrified of this group of 20 or so people. I'm sure the pentagon is too.

[–] [email protected] 1 points 1 month ago (5 children)

That blows. If the IOC had any morals they'd just give them both medals since they fucked up.

[–] [email protected] 24 points 1 month ago

GrapheneOS is where it's at

[–] [email protected] 6 points 1 month ago* (last edited 1 month ago) (1 children)

Ahhh, shitting on the most disenfranchised age segment in our country. Surely, shitting on them will make them vote and feel good about doing it.

Maybe celebrate the fact that they're even willing to still try to participate, before talking shit regarding an election that hasn't even happened yet?

[–] [email protected] 0 points 1 month ago (3 children)

And it'll be even worse than any existing OpenAI product, which is saying something.

[–] [email protected] 0 points 1 month ago

Look, this AI chat bot has an anime profile picture! They're trying really hard.

[–] [email protected] 1 points 1 month ago

I've wondered what all of the people in lifted trucks with "fuck Biden" flags will do now, and how long they'll continue to fly them

 

According to the documents, Cellebrite could not unlock any iPhones running iOS 17.4 or newer as of April 2024, labeling them as “In Research.” For iOS versions 17.1 to 17.3.1, the company could unlock the iPhone XR and iPhone 11 series using their “Supersonic BF” (brute force) capability. However, iPhone 12 and newer models running these iOS versions were listed as “Coming soon.”

The Android support matrix showed broader coverage for locked Android devices, though some limitations remained. Notably, Cellebrite could not brute force Google Pixel 6, 7, or 8 devices that had been powered off. The document also specifically mentioned GrapheneOS, a privacy-focused Android variant reportedly gaining popularity among security-conscious users.

Links to the docs:

iPhone

Android

GrapheneOS has a thread about this on Mastodon, which adds a bit more detail:

Cellebrite was a few months behind on supporting the latest iOS versions. It's common for them to fall a few months behind for the latest iOS and quarterly/yearly Android releases. They've had April, May, June and July to advance further. It's wrong to assume it didn't change.

404media published an article about the leaked documentation this week but it doesn't go into depth analyzing the leaked information as we did, but it didn't make any major errors. Many news publications are now writing highly inaccurate articles about it following that coverage.

The detailed Android table showing the same info as iPhones for Pixels wasn't included in the article. Other news publications appear to be ignoring the leaked docs and our thread linked by 404media with more detail. They're only paraphrasing that article and making assumptions.

We received Cellebrite's April 2024 Android and iOS support documents in April and from another source in May before publishing it. Someone else shared those and more documents on our forum. It didn't help us improve GrapheneOS, but it's good to know what we're doing is working.

It would be a lot more helpful if people leaked the current code for Cellebrite, Graykey and XRY to us. We'll report all of the Android vulnerabilities they use whether or not they can be used against GrapheneOS. We can also make suggestions on how to fix vulnerability classes.

In April, Pixels added a reset attack mitigation feature based on our proposal ruling out the class of vulnerability being used by XRY.

In June, Pixels added support for wipe-without-reboot based on our proposal to prevent device admin app wiping bypass being used by XRY.

In Cellebrite's docs, they show they can extract the iOS lock method from memory on an After First Unlock device after exploiting it, so the opt-in data classes for keeping data at rest when locked don't really work. XRY used a similar issue in their now blocked Android exploit.

GrapheneOS zero-on-free features appear to stop that data from being kept around after unlock. However, it would be nice to know what's being kept around. It's not the password since they have to brute force so it must be the initial scrypt-derived key or one of the hashes of it.

 

The Supreme Court on Tuesday refused to block a Texas law requiring pornographic websites to verify the age of their users.

The justices rejected an emergency appeal filed by the Free Speech Coalition, a trade association for the adult entertainment industry. The provision of House Bill 1181, signed into law by Gov. Greg Abbott, remains in effect even as the association’s full appeal is weighed by the Supreme Court.

There were no noted dissents from the court’s one-sentence order.

Similar age verification laws have passed in other states, including Arkansas, Indiana, Kansas, Louisiana, Mississippi, Montana, Oklahoma, Utah and Virginia.

The Texas law carries fines of up to $10,000 per violation that could be raised to up to $250,000 per violation by a minor.

 

The China National Space Administration (CNSA) has released a video of its concept for a lunar base to be developed across the next couple of decades.

CNSA unveiled the video on Wednesday (April 24) as part of the country's annual space day celebrations. The project is known as the International Lunar Research Station (ILRS) and was jointly announced in 2021 by China and Russia.

China is now leading the moon base initiative and attempting to attract international partners for the endeavor. So far, alongside China, Russia, Venezuela, Pakistan, Azerbaijan, Belarus, South Africa, Egypt, Thailand and Nicaragua have joined the initiative, according to Space News.

One curious detail of the video is the presence of a retired NASA Space Shuttle appearing to lift off from a launch pad in the background.

 

Russia has arrested two Russian journalists on “extremism” charges in recent days, the latest moves in a continuing crackdown targeting independent reporters and media outlets. A third Russian journalist, with Forbes Russia, was charged with publishing what authorities called “fake news.”

The increasing use of anti-extremism laws to prosecute reporters — one piece of a larger campaign to stifle domestic dissent during Russia’s war in Ukraine — is likely to have a further chilling effect on the few independent journalists still operating in Russia, many of them freelancers or employees of small outlets with few legal protections.

The Associated Press on Saturday reported that video journalist Sergey Karelin, who has worked with the AP, Deutsche Welle and other international outlets had been arrested Friday in the Murmansk region in northern Russia and charged with extremism. He was placed in custody pending trial.

 

Protests are roiling college campuses across the U.S. as upcoming graduation ceremonies are threatened by disruptive demonstrators, with students and others sparring over Israel’s military offensive in Gaza and its mounting death toll.

Many campuses were largely quiet over the weekend as demonstrators stayed by tents erected as protest headquarters, although a few colleges saw forced removals and arrests. Many students are demanding their universities cut financial ties with Israel over the large-scale operation in Gaza it says was launched to stamp out the militant Palestinian group Hamas.

Protesters on both sides of the rancorous debate shouted and shoved each other during dueling demonstrations Sunday at the University of California, Los Angeles. The university stepped up security after “some physical altercations broke out among demonstrators,” Mary Osako, vice chancellor for UCLA Strategic Communications, said in a statement. There were no reports of arrests or injuries.

About 275 people were arrested on Saturday at various campuses including Indiana University at Bloomington, Arizona State University and Washington University in St. Louis. The number of arrests nationwide approached 900 since New York police removed a pro-Palestinian protest encampment at Columbia University and arrested more than 100 demonstrators on April 18.

 

Tesla has seen its profits more than halve this year, and says it will bring forward the launch of new models after announcing thousands of job cuts to try to reverse its fortunes.

Despite plans to bring forward new models originally planned for next year the firm is cutting its workforce.

Tesla said it would lose 3,332 jobs in California and 2,688 positions in Texas, starting mid-June.

The cuts in Texas represent 12% of Tesla's total workforce of almost 23,000 in the area where its gigafactory and headquarters are located.

 

A 56-year-old Snohomish man had set his Tesla Model S on Autopilot and was looking at his cellphone on Friday when he struck and killed a motorcyclist in front of him in Monroe, court records show.

A Washington State Patrol trooper arrested the Tesla driver at the crash site on Highway 522 at Fales Road shortly before 4 p.m. on suspicion of vehicular manslaughter, according to a probable cause affidavit.

The motorcyclist, Jeffrey Nissen, 28, of Stanwood, died at the scene, records show.

The Tesla driver told a state trooper he was driving home from having lunch in Bothell and was looking at his phone when he heard a bang and felt his car lurch forward, accelerate and hit the motorcyclist, according to the affidavit.

The man told the trooper his Tesla got stuck on top of the motorcyclist and couldn’t be moved in time to save him, the affidavit states.

The trooper cited the driver’s “inattention to driving, while on autopilot mode, and the distraction of the cell phone while moving forward,” and trusting “the machine to drive for him” as probable cause for a charge of vehicular manslaughter, according to the affidavit.

The man was booked into the Snohomish County Jail and was released Sunday after posting bond on his $100,000 bail, jail records show.

 

Google fired 28 employees in connection with sit-in protests at two of its offices this week, according to an internal memo obtained by The Verge. The firings come after 9 employees were suspended and then arrested in New York and California on Tuesday.

In a memo sent to all employees on Wednesday, Chris Rackow, Google’s head of global security, said that “behavior like this has no place in our workplace and we will not tolerate it.”

He also warned that the company would take more action if needed: “The overwhelming majority of our employees do the right thing. If you’re one of the few who are tempted to think we’re going to overlook conduct that violates our policies, think again. The company takes this extremely seriously, and we will continue to apply our longstanding policies to take action against disruptive behavior — up to and including termination.”

 

Restaurant reservation platform OpenTable says that all reviews on the platform will no longer be fully anonymous starting May 22nd and will now show members' profile pictures and first names.

OpenTable notified members of this new policy change today in emails to members who had previously left a review on the platform, stating the change was made to provide more transparency.

"At OpenTable, we strive to build a community in which diners can help other diners discover new restaurants, and reviews are a big part of that," reads the OpenTable email seen by BleepingComputer.

"We've heard from you, our diners, that trust and transparency are important when looking at reviews."

"To build on the credibility of our review program, starting May 22, 2024, OpenTable will begin displaying diner first names and profile photos on all diner reviews. This update will also apply to past reviews."

When leaving reviews on OpenTable, members specify a "Review display name" that will be shown in the review, allowing feedback to be left anonymously.

Under this new policy change, a member's first name and profile picture will now be displayed in new and past reviews.
