Pete Recommends – Weekly highlights on cyber security issues, December 7, 2025

Subject: WhatsApp closes loophole that let researchers collect data on 3.5B accounts
Source: Malwarebytes
https://www.malwarebytes.com/blog/news/2025/11/whatsapp-closes-loophole-that-let-researchers-collect-data-on-3-5b-accounts

Messaging giant WhatsApp has around three billion users in more than 180 countries. Researchers say they were able to identify around 3.5 billion registered WhatsApp accounts thanks to a flaw in the software. That higher number is possible because WhatsApp’s API returns all accounts registered to phone numbers, including inactive, recycled, or abandoned ones, not just active users.

If you’re going to message a WhatsApp user, first you need to be sure that they have an account with the service. WhatsApp lets apps do that by sending a person’s phone number to an application programming interface (API). The API checks whether each number is registered with WhatsApp and returns basic public information.

WhatsApp’s API will tell any program that asks it if a phone number has a WhatsApp account registered to it, because that’s how it identifies its users. But this is only supposed to process small numbers of requests at a time.

Data-palooza at WhatsApp – The data exposed goes beyond identification of active phone numbers. By checking the numbers against other publicly accessible WhatsApp endpoints, the researchers were able to collect:

  • profile pictures (publicly visible ones)
  • “about” profile text
  • metadata tied to accounts

What can you do to protect yourself? – If someone has already scraped your data, you can’t undo it. But you can reduce what’s visible going forward:

  • Avoid putting sensitive details in your WhatsApp “about” section, or in any social network profile.
  • Set your profile photo and “about” information to be visible only to your contacts.
  • Assume your phone number acts as a long-term identifier. Keep
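The summary above describes the defensive side of the problem: a contact-discovery endpoint has to answer "is this number registered?" for legitimate clients, but is only supposed to handle small numbers of lookups at a time. The following Python is an added example, not WhatsApp's code or anything from the Malwarebytes article. It shows how a service operator could apply a per-client sliding-window budget and an enumeration heuristic (many distinct numbers in one window with a low proportion of registered hits, which is what sequential number walking looks like, unlike a real address book) to a constructed request log. The log format, the client names, the thresholds and the three client behaviours are all assumptions made for the example.

```python
"""Detect bulk phone-number enumeration against a contact-discovery endpoint.

Added example (not WhatsApp's code): a sliding-window per-client rate limiter
plus an enumeration heuristic, run over constructed log lines.  The endpoint
log format, thresholds and client names below are assumptions.
"""
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_LOOKUPS_PER_WINDOW = 20   # assumed policy: a contact sync is small and bursty
MIN_DISTINCT_FOR_SCAN = 15    # assumed: this many distinct numbers per window looks like a scan
MAX_HIT_RATE_FOR_SCAN = 0.5   # assumed: a real address book is mostly registered users

# Constructed log format: "<unix_ts> client=<id> number=<E.164> registered=<0|1>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) client=(?P<client>\S+) number=(?P<number>\+\d+) registered=(?P<reg>[01])$"
)


class LookupMonitor:
    """Per-client sliding window of (timestamp, number, registered) lookups."""

    def __init__(self):
        self.clients = defaultdict(deque)

    def record(self, ts, client, number, registered):
        """Return 'flag' (enumeration pattern), 'throttle' (over budget) or 'allow'."""
        events = self.clients[client]
        # Expire lookups that have fallen out of the window.
        while events and ts - events[0][0] >= WINDOW_SECONDS:
            events.popleft()
        events.append((ts, number, registered))

        distinct = {n for _, n, _ in events}
        hits = sum(1 for _, _, r in events if r)
        hit_rate = hits / len(events)
        # Enumeration is the more serious signal, so check it before the budget.
        if len(distinct) >= MIN_DISTINCT_FOR_SCAN and hit_rate <= MAX_HIT_RATE_FOR_SCAN:
            return "flag"
        if len(events) > MAX_LOOKUPS_PER_WINDOW:
            return "throttle"
        return "allow"


def parse_line(line):
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return int(m["ts"]), m["client"], m["number"], m["reg"] == "1"


def analyse(lines):
    """Run the monitor over log lines; return {client: [decision, ...]} in log order."""
    monitor = LookupMonitor()
    decisions = defaultdict(list)
    for line in lines:
        ts, client, number, registered = parse_line(line)
        decisions[client].append(monitor.record(ts, client, number, registered))
    return dict(decisions)


def build_sample_log():
    """Constructed sample log (not real traffic) with three client behaviours."""
    base = 1_700_000_000
    lines = []
    # Legitimate client: a handful of lookups, most of them registered users.
    for i, reg in enumerate([1, 1, 0, 1, 1]):
        lines.append(f"{base + i * 2} client=app-legit number=+15550100{i:02d} registered={reg}")
    # Bulk sync: many lookups, all registered, but exceeds the per-window budget.
    for i in range(25):
        lines.append(f"{base + i} client=bulk-sync number=+15550200{i:02d} registered=1")
    # Scanner: walks sequential numbers; only one in five turns out to be registered.
    for i in range(30):
        reg = 1 if i % 5 == 0 else 0
        lines.append(f"{base + i} client=scanner-1 number=+15550300{i:02d} registered={reg}")
    # Order by timestamp as a real log would be (stable sort keeps per-client order).
    return sorted(lines, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    for client, decisions in analyse(build_sample_log()).items():
        summary = {d: decisions.count(d) for d in ("allow", "throttle", "flag")}
        print(f"{client:10s} {summary}")
```

The two signals are deliberately separate: the budget alone would let a patient scanner stay under twenty lookups per minute indefinitely, while the hit-rate heuristic catches sequential walking even at low volume but would wrongly flag a legitimate client whose contacts simply are not on the service, which is why the example keeps it as a "flag" for review rather than an automatic block.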

Subject: Real or AI? The 7 Telltale Signs Every Fake Image Still Can’t Hide
Source: PCMag
https://www.bespacific.com/real-or-ai-the-7-telltale-signs-every-fake-image-still-cant-hide/

PCMag: “AI-generated images aren’t going away anytime soon. In fact, they continue to look increasingly realistic thanks to the likes of Gemini’s advanced Nano Banana Pro image model, among others. You might not be able to immediately tell what’s fake in every instance, but it’s still worth checking for a few telltale signs. Below are the seven easiest ways to spot AI images…”

Abstracted from beSpacific
Copyright © 2025 beSpacific, All rights reserved.


Subject: Does a VPN really slow down your internet? I measured it
Source: How to Geek
https://www.howtogeek.com/does-a-vpn-really-slow-down-your-internet-i-measured-it/

Are you using a VPN and wondering why your internet connection feels slower than it used to? I wondered the same thing, so I set out to measure just how much a VPN affected my internet speed at home. The results somewhat surprised me, though it made sense once I thought through it all. So, does a VPN slow down your internet connection? Yes. But, how much it slows down depends on a wide range of factors.


Subject: Google Starts Sharing All Your Text Messages With Your Employer
Source: Forbes
https://www.forbes.com/sites/zakdoffman/2025/12/03/google-starts-sharing-all-your-text-messages-with-your-employer

Microsoft triggered a viral furor when it revealed a Teams update to tell your company when you’re not at work. Now Google has done the same. Forget end-to-end encryption. A new Android update means your RCS and SMS texts are no longer private. As reported by Android Authority, “Google is rolling out Android RCS Archival on Pixel (and other Android) phones, allowing employers to intercept and archive RCS chats on work-managed devices. In simpler terms, your employer will now be able to read your RCS chats in Google Messages despite end-to-end encryption.” This applies to work-managed devices and doesn’t affect personal devices. And in certain regulated industries it just adds RCS archiving to existing SMS archiving. But employees in regular organizations view texting as different to emailing, especially given the expectations around end-to-end encryption. That’s no longer the case.


Subject: Yep, Cloudflare died again. Here’s what happened. Oh boy, here we go again.
Source: Mashable via beSpacific comments
https://mashable.com/article/cloudflare-down-internal-server-error-dec-5

On December 5, 2025 Cloudflare was down, again…. I knew this because I had been, since the previous evening, researching, reading, and posting on the sister site to LLRX, my blog beSpacific. By 6 am on December 5 I was getting non-stop error messages when I tried to access countless well-known tech sites. Thankfully, my little but mighty sites were not hit by this outage, although both are on Cloudflare as there really is no alternative. Outages like this were, until 2025, not a weekly event, as they are now. I am now constantly aware of the fact that error messages are harbingers of wide-scale outages, not just localized issues. This fact impacts workers enterprise-wide in all sectors, and is a deeply troubling and under-reported threat to the integrity of our national and global infrastructures. Yes, cybersecurity does matter to each one of us. This is at the fundamental level of a major organization we rely on (or work for) not patching or updating applications and software in real time, or doing so inaccurately or alternately, or as the result of an obvious or surreptitious cyberattack.

Via Mashable: Cloudflare is down again, and the internet is affected — but unlike last time, this outage seems to have been quickly fixed. Users started reporting issues with Cloudflare early on Friday, with Downdetector showing a spike in outage reports for the service (Disclosure: Downdetector is owned by Ziff Davis, the same parent company as Mashable.) Cloudflare’s own system status dashboard says that the company is investigating “issues with Cloudflare Dashboard and related APIs.” A fix has already been implemented, Cloudflare says….

See also Cloudflare Has Blocked 416 Billion AI Bot Requests Since July 1. Cloudflare CEO Matthew Prince claims the internet infrastructure company’s efforts to block AI crawlers are already seeing big results.


Subject: Admins and defenders gird themselves against maximum-severity server vulnerability
Source: Ars Technica
https://arstechnica.com/security/2025/12/admins-and-defenders-gird-themselves-against-maximum-severity-server-vulnerability/

Open source React executes malicious code with malformed HTML—no authentication needed. Security defenders are girding themselves in response to the disclosure of a maximum-severity vulnerability disclosed Wednesday in React Server, an open-source package that’s widely used by websites and in cloud environments. The vulnerability is easy to exploit and allows hackers to execute malicious code on servers that run it. Exploit code is now publicly available. React is embedded into web apps running on servers so that remote devices render JavaScript and content more quickly and with fewer resources required. React is used by an estimated 6 percent of all websites and 39 percent of cloud environments. When end users reload a page, React allows servers to re-render only the parts that have changed, a feature that drastically speeds up performance and lowers the computing resources required by the server.

Posted in: Computer Security, Cybercrime, Economy