Security news

Microsoft is working on InPrivate Desktop sandbox feature for Windows 10

Windows 10 may get a new ‘InPrivate Desktop’ security feature

It seems like Microsoft is looking to add a new security feature in Windows 10 (Enterprise) that it calls “InPrivate Desktop”. This possible upcoming new security feature was initially discovered by Bleeping Computer who captured it with a screenshot that contained relevant details from the Microsoft Feedback Hub. However, it has now been removed from the Windows 10 Insider Feedback Hub quest.

Microsoft has described the InPrivate Desktop feature as a “throwaway sandbox for secure, one-time execution of untrusted software,” reports Bleeping Computer. The upcoming InPrivate Desktop feature has also been described as “an inbox, speedy VM (virtual machine) that is recycled when you close the app.”

For those unaware, a sandbox is a security mechanism for separating running programs, usually in an effort to keep system failures or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.

It appears that Microsoft is planning to strengthen Windows Defender on Windows 10 with native sandbox support, and it is looking to target Windows 10 Enterprise starting with build 17718 for all branches. The ‘InPrivate Desktop’ requires at least 4GB of RAM, 5GB of free disk space, 2 CPU cores, CPU virtualization enabled in the BIOS, and hypervisor capabilities enabled in the BIOS. See the reproduced image below for more information.

Microsoft is yet to comment on the new feature. With Windows 10 “Redstone” (RS5) expected to roll out to mainstream users in October 2018 or so, it is unlikely that the InPrivate Desktop feature will make it into RS5. However, there is a chance of it being featured in the next release of Windows 10, codenamed “19H1.”

Snapchat Source Code Leaked, Posted Publicly On GitHub

Snapchat Source Code Leaked Online, Posted On GitHub

In response to a DMCA (Digital Millennium Copyright Act) takedown notice, Microsoft-owned repository GitHub took down leaked source code of the popular social messaging app Snapchat, after it was posted publicly on the world’s largest platform for developers.

The notice sent by Snap Inc., the parent company of Snapchat, targets the unauthorized publication and distribution of Snapchat’s source code.

“I am [redacted] at Snap inc., owner of the leaked source code,” the notice sent last week reads.

“[I]t was leaked and a user has put it in this Github repo. [T]here is no URL to point to [detailing the original content] because Snap Inc. doesn’t publish it publicly.”

According to Motherboard, an iOS update had exposed some of Snapchat’s source code earlier this year, which was archived on GitHub before Snap Inc. asked the site to remove the data.

“An iOS update in May exposed a small amount of our source code and we were able to identify the mistake and rectify it immediately,” a Snap Inc. representative told CNET. “We discovered that some of this code had been posted online and it has been subsequently removed. This did not compromise our application and had no impact on our community.”

The code was uploaded by a user who claims to be from Pakistan and had created a GitHub repository called Source-Snapchat. Investigation of this user’s account revealed that he is from Tando Bago in the Badin District of Sindh province in Pakistan and identifies himself as ‘i5xx’ on the development website. The user’s profile also links to a website that shares the same name as the user (https://i5xx.store).

Nothing more is known about the uploader of the code at present. According to GitHub, the source code will not be restored on the website unless a counter-claim is made by the owner of the source code. Currently, the listing page displays a notice that says ‘Repository unavailable due to DMCA takedown’.

This is not the first time GitHub has been asked by a well-known technology giant to remove its leaked source code from the site. Back in February, Apple used a DMCA request to remove source code for a core component of the iPhone’s operating system from GitHub.

Apple’s chip supplier TSMC factories hit by computer virus

Computer virus attack cripples Apple’s iPhone supplier TSMC plants

Taiwan Semiconductor Manufacturing Company, Limited (TSMC), sole maker of the iPhone’s main processor, was hit by a computer virus on Friday night that halted several of its fabrication plants, bringing production to a standstill. This has come at a time when Apple is trying to speed up manufacturing for its upcoming iPhones.

While 80 percent of the fabrication tools affected by the virus outbreak had been restored, TSMC said that it expects full recovery on Monday.

“TSMC has contained the problem and found a solution, and recovery of the tools is in progress,” the Taiwanese company said in a statement.

For those unaware, TSMC is the only manufacturer of Apple’s latest A-series SoC and is a critical supplier of Apple and Qualcomm Inc.

The company also added that the virus wasn’t introduced by a hacker. The cause of this particular attack is still unknown at this point in time.

“TSMC has been attacked by viruses before, but this is the first time a virus attack has affected our production lines,” TSMC Chief Financial Officer Lora Ho said to Bloomberg on Sunday.

According to the company, the virus outbreak occurred due to “misoperation” during the software installation process for a new tool. Once the tool was connected to TSMC’s computer network, the virus started spreading through its network.

“Data integrity and confidential information were not compromised. TSMC has taken actions to close this security gap and further strengthen security measures,” Ho added.

While TSMC has not indicated which customers could be affected, such a virus could potentially slow Apple’s output of new devices, cutting into the number of units sold. The shutdown will also result in shipment delays and additional costs.

The company said in a statement: “We estimate the impact to third quarter revenue to be about three percent, and impact to gross margin to be about one percentage point. The Company is confident shipments delayed in the third quarter will be recovered in the fourth quarter 2018 and maintains its forecast of high single-digit revenue growth for 2018 in U.S. dollars given on July 19, 2018.”

Source: Bloomberg

CCleaner users annoyed over active monitoring, user data collection

Avast responds to CCleaner outburst; promises users will be able to individually control both Active Monitoring and heartbeat

Users of CCleaner, the much-loved system cleaning tool, have been complaining that the product has gone downhill with ‘malware’, advertising and other things ever since its maker Piriform was bought by anti-virus company Avast last year. CCleaner is available in both free and premium versions for Windows, Mac, and mobile devices.

For those unaware, CCleaner is a utility program used to clean potentially unwanted files (including temporary internet files, where malicious programs and code tend to reside) and invalid Windows Registry entries from a computer.

Now, the release of the latest CCleaner version, 5.45, has stirred up a further storm over software changes that the changelog describes only in indirect terms. According to the company, it has “added more detailed reporting for bug fixes and product improvements,” which has annoyed its users.

Apparently, users are not really pleased about the data collection changes, Ghacks points out. Back in May, CCleaner had made changes to their privacy options and had stated that it collected only anonymous data from free users and hence, the options were not displayed to free users.

Users can immediately notice two changes in the v5.45 update to the free version of the app: it is nearly impossible to close the monitoring part of CCleaner (Active Monitoring and heartbeat), and the privacy settings have been removed from the options in the free version of the program. What is worrying is that through active monitoring, the company has added spyware to the application to check on anonymous usage analytics, as well as to continuously scan systems in order to alert users when junk files are found and clean them regularly.

According to CCleaner, heartbeat sends “non-personal, absolutely non-identifiable usage information for the purpose of improving CCleaner.”

The company says this information is anonymized and that “through collecting it we can rapidly detect bugs, identify pain points in the UI design and also understand which areas of functionality we should be focusing our time on. Most modern software companies collect anonymous usage data as it is very helpful when prioritizing bug fixes and future improvements in the product experience.”

Although one can go to Options > Monitoring to disable “Enable system monitoring” and “Enable Active Monitoring”, these data collection features turn themselves on again when you restart the program, or after a reboot.

Also, if you click on the corner X-icon to close CCleaner, it only minimizes the software and does not close it. In order to terminate the software, it has to be forcefully shut down. In other words, since it is impossible to close CCleaner using interface controls, it keeps running continuously in the background for most users and regularly sends reports back to Piriform/Avast.

The changes in the latest version of the CCleaner software have resulted in a backlash from users, to which Piriform has responded in an official forum blog post.

In CCleaner v5.45 we extended existing analytics functionality in the software in order to gain greater insight into how our users interact with the software.

This data is completely anonymous, and through collecting it we can rapidly detect bugs, identify pain points in the UI design and also understand which areas of functionality we should be focusing our time on. Most modern software companies collect anonymous usage data as it is very helpful when prioritizing bug fixes and future improvements in the product experience. For example, we can see that many of our users have upgraded to the Professional edition but have never switched on the ‘scheduled cleaning’, which is one of the main benefits of the paid product. From this, we know we need to work harder to make this paid-for feature more obvious in the CCleaner UI.

Since the release, you have shared your feedback and we have been listening. Some of you are concerned that CCleaner might be accessing and sharing your personal data. To be clear, CCleaner does not collect any personal data. Some of you told us that you do not want to share even anonymous usage data. After listening to your feedback we realize we need to provide you with a better level of control for anonymous data collection.

When it came to adding the new analytics, the simplest way to do so was to extend the ‘Active Monitoring’ feature. Active Monitoring has been in CCleaner for a number of years and is essentially just some intelligent triggers for alerting you to clean out junk data when a lot of it has accumulated, and also for keeping you updated with the latest (and safest) cleaning definitions. Scary name aside, these contextual cleaning alerts help to remind people that cleaning is more of a maintenance task than a one-shot solution. Over time junk files will continue to be generated and more tracking files added and these alerts help our users to stay on top of that.

Back to v5.45, and to what we have learned: combining the new analytics with the Active Monitoring feature was quick to implement, but it doesn’t offer a lot of flexibility in terms of controlling these distinct items separately. Lesson learned: simplest isn’t always best.

You spoke, we listened. Here’s what we’re doing:

  1. We will separate out Active Monitoring (junk cleaning alerts and browser cleaning alerts) and heartbeat (anonymous usage analytics) features in the UI and we will give you the ability to control these individually. You will have the options of enabling all, some or none of these functions, and this functionality will be uniquely controlled from the UI.
  2. We will take this opportunity to rename the Advanced Monitoring features in CCleaner to make their functions clearer.
  3. We will deliver these changes to the software in the coming weeks.

The next version of CCleaner is expected to arrive “in the coming weeks”; hence, users will have to use version 5.45 until then.

Reddit hack: Users’ personal information compromised in a serious data breach

Reddit discloses hack, reveals hackers stole email addresses and old passwords

Reddit, the social discussion and forum-hosting website, said in a blog post on Wednesday that a security breach earlier this summer compromised the personal information of some users, including email addresses and private messages. However, the company did not disclose how many of its users have been affected.

According to Reddit, the hackers managed to break into its computer systems and obtained access to some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. This old 2007 database backup included very early Reddit user data, namely account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from the time of the site’s launch in 2005 through May 2007.

The cyberattack took place between June 14 and June 18, when hackers “compromised a few of our employees’ accounts with our cloud and source code hosting providers,” the company said, and its website administrators became aware of the hack on June 19.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code, and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” the company added.

Reddit uses the common SMS-based two-factor authentication (2FA) to authenticate its primary access points for code and infrastructure. However, Reddit said hackers had intercepted SMS 2FA verification.

“We learned that SMS-based authentication is not nearly as secure as we would hope,” Reddit said in its warning post.

“We’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.”

Reddit is messaging user accounts and has suggested that people check their Reddit inboxes as well as emails to see if they were affected.

The company said in its post: “If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password.

“Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.

“If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want to be associated back to that address.”

For more information on how to remove information from your account, you can visit this help page.

Reddit has recommended that users use a strong, unique password and enable 2FA (which is provided by the company via an authenticator app, not SMS). It has also asked its users to be alert for potential phishing or scams.

Source: Reddit

HP to pay hackers up to $10,000 for finding security vulnerabilities in its printers

HP launches bug bounty program to enhance printer security

HP has become the first printer manufacturer to launch a bug bounty program that invites hackers to break into its printers. According to HP, it’s a “first of its kind” bug bounty program for printers, with rewards of up to $10,000 for vulnerabilities discovered.

“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” said Shivaun Albright, HP Chief Technologist of Print Security on Tuesday. “HP is committed to engineering the most secure printers in the world.”

HP will carry out the bug hunt in collaboration with the crowdsourced security platform Bugcrowd, which manages bug bounties, vulnerability disclosures, and more. The program is invite-only so that it can better manage incoming vulnerabilities.

“HP has offered a way for researchers to disclose bugs to our team for a long time now,” Albright said. “This is our first bug bounty program, and the world’s first Print specific bounty, to be managed by an external party.”

According to the program guidelines, researchers are required to report the vulnerabilities found in the private program directly to Bugcrowd. HP will evaluate any vulnerability that was previously discovered by the company and may reward the researcher “as a good faith payment.” In the meantime, Bugcrowd will verify all submitted bugs and reward researchers depending on the severity of the flaw. Researchers can earn anywhere between $500 and $10,000 per legitimate find under the terms of the program.

“For years, the conversation about cybersecurity has focused on software and networking,” said Albright. “Today, bad actors are targeting endpoint devices. Protecting connected devices, like printers, at the edge of the network has become paramount.”

According to Bugcrowd’s research in its “2018 State of Bug Bounty Report,” vulnerabilities in printers are an increasing threat, with attackers focused on endpoint devices. During the past year, the total number of endpoint bugs across the industry has increased 21 percent.

HP said that the bug bounty program will run indefinitely. In due course, the company plans to extend the bug bounty to its PC lineup.

HP started this bug bounty program in May this year, CNET reports. The company has already given a $10,000 prize to one researcher who pointed out a critical vulnerability. Currently, the program has 34 researchers on board.

Google wants you to use its physical keys to secure your Gmail account

Google’s Titan Security Key To Strengthen Your Online Security

Google launched its own physical security keys for two-factor authentication at its ongoing Google Cloud Next event the day before yesterday, in an attempt to stop customers’ accounts from being hacked.

Known as the Titan Security Key – a physical device – it works in a way similar to the products offered by companies like Yubico and it can be used to add an extra layer of security to protect data on the sites and services against phishing attacks.

In 2017, Google started giving out physical security keys to all 85,000 employees for logging in to accounts. Since this implementation, no employee has experienced any account hacks or phishing attacks.

A Google spokesperson who spoke with KrebsOnSecurity said, “We have had no reported or confirmed account takeovers since implementing security keys at Google. Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

With the use of physical security keys, Google has removed the need for its employees to remember passwords or use one-time access codes.

“Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key,” Jennifer Lin, Product Management Director, Google Cloud said in a statement.

For those unaware, Physical Security Keys are simple USB-based devices that work as an alternate approach to the now universal two-factor authentication (2FA). They work on an open-authentication standard known as ‘Universal 2nd Factor (U2F)’ that removes the need to remember multiple passwords for various sites.

Google’s Titan Security Key, which is built on the FIDO specification, works just like other security keys and can be used over Bluetooth or USB. Titan Security Key can not only be used to secure the host of services offered by Google, but also with other non-Google services.

The keys will ship in two separate variants: a USB version for desktop or laptop platforms, and a Bluetooth-compatible version for mobile devices. It will come in a bundle with both the USB and Bluetooth versions for $50, or you can buy one or the other for about $20 to $25 each.

While the keys are now available for purchase to Google Cloud customers, they will be available for sale for regular customers in Google Store within the next few months, the search giant said.

Nintendo wants GitHub to remove the popular Game Boy Advance emulator

GitHub responds to Nintendo’s request by shutting down Game Boy Advance emulator

Last week, Nintendo, the Japanese gaming company behind the popular Nintendo Switch, sent a DMCA notice to GitHub to shut down a JavaScript-based emulator hosted on the developer platform that allowed users to access Game Boy Advance (GBA) games, reports TorrentFreak.

For those unaware, Game Boy Advance games are required to be played through browser-based emulators. While dedicated gamers struggle to find a legitimate platform, there are a few websites that offer this option, although without permission.

GitHub, a platform for source-based code management, hosted a repository link on https://jsemu3.github.io/gba/, that allowed gamers access to multiple Nintendo titles including Advance Wars, Dragon Ball Z, Super Mario Advance, Pokémon Mystery Dungeon, and Legend of Zelda among others.

Nintendo, which is well known for going after emulators and fan-made games that are based on its intellectual property, stated that it does not permit unsanctioned projects that are a clear copyright infringement. Hence, it asked GitHub to remove the JavaScript-based emulator.

In a DMCA (Digital Millennium Copyright Act) notice, Nintendo writes: “The files located at the repository link https://jsemu3.github.io/gba/ contain unauthorized copies of Nintendo’s video game software in violation of the law and GitHub’s Terms of Service.”

It further adds, “Please disable public access to the repository at https://jsemu3.github.io/gba/. The repository provides access to unauthorized copies of Nintendo’s copyright-protected video games in violation of Nintendo’s exclusive rights”.

GitHub complied with the request and removed the offending repository from its platform soon after. The emulator is no longer available through the site.

According to TorrentFreak, Nintendo is currently considering legal action against the owner of the infringing GitHub repository.

“We are considering action regarding those matters but are not including them in this notice,” Nintendo writes.

Apparently, Nintendo has already filed lawsuits against two ROM-hosting websites, LoveROMs and LoveRETRO, for copyright infringement. In response to Nintendo’s legal action, LoveROMs has closed down completely, with a message on the site informing visitors that “LoveROMs has been shut down”. LoveRETRO initially responded by removing all Nintendo games, but it too has now “shut down until further notice”.

Source: TorrentFreak

Microsoft wants the government to regulate use of facial recognition technology

Microsoft asks Congress to regulate facial recognition technology to protect human rights

Facial recognition technology is commonly used as a method of authentication across devices and organizations. While the technology that recognizes a person’s face from a photo or through a camera offers a wealth of uses, it can also be abused.

Citing fears of misuse, Microsoft on Friday called upon U.S. Congress to regulate the use of facial recognition technology to protect human rights like privacy and freedom of expression. The Seattle-based software giant argued that regulation is necessary as it would lay down laws for governing acceptable uses of facial technology by the U.S. government and protect citizens against constant surveillance that the technology could facilitate.

While a lot of activist groups and smaller companies have in the past requested similar regulation to avoid abuse of the tech, Microsoft is the first tech giant to do so.

Brad Smith, Microsoft’s president and chief legal officer, wrote in a blog post, “The only effective way to manage the use of technology by a government is for the government proactively to manage this use itself. If there are concerns about how a technology will be deployed more broadly across society, the only way to regulate this broad use is for the government to do so. This in fact is what we believe is needed today – a government initiative to regulate the proper use of facial recognition technology, informed first by a bipartisan and expert commission.”

To start with, Mr. Smith cited a number of positives that the technology can bring. “Imagine finding a young missing child by recognizing her as she is being walked down the street. Imagine helping the police to identify a terrorist bent on destruction as he walks into the arena where you’re attending a sporting event. Imagine a smartphone camera and app that tells a person who is blind the name of the individual who has just walked into a room to join a meeting.”

However, he also pointed out the negatives of facial recognition technology, which raises significant human rights and privacy concerns.

“Imagine a government tracking everywhere you walked over the past month without your permission or knowledge. Imagine a database of everyone who attended a political rally that constitutes the very essence of free speech. Imagine the stores of a shopping mall using facial recognition to share information with each other about each shelf that you browse and product you buy, without asking you first. This has long been the stuff of science fiction and popular movies – like “Minority Report,” “Enemy of the State” and even “1984” – but now it’s on the verge of becoming possible,” he added.

Basically, Mr. Smith pointed out that while the technology can be used for good, it can also be abused.

“We live in a nation of laws, and the government needs to play an important role in regulating facial-recognition technology,” Smith wrote, noting that “a world with vigorous regulation of products that are useful but potentially troubling is better than a world devoid of legal standards.”

“It may seem unusual for a company to ask for government regulation of its products, but there are many markets where thoughtful regulation contributes to a healthier dynamic for consumers and producers alike,” Mr. Smith said.

“It seems especially important to pursue thoughtful government regulation of facial recognition technology, given its broad societal ramifications and potential for abuse.”

According to Mr. Smith, fears about misuse prompted Microsoft to “move deliberately” with facial recognition consulting or contracting.

“This has led us to turn down some customer requests for deployments of this service where we’ve concluded that there are greater human rights risks,” he added.

Mr. Smith calls on governments to create a “common regulatory” framework for facial recognition and potentially create standards so that companies themselves wouldn’t have to self-regulate. While acknowledging that tech companies have a role to play, he said governments need to enact regulations, as not all companies are likely to put in place their own ethics rules, especially in a competitive environment.

Simultaneously, Microsoft will be talking with customers, academics and human rights groups that deal with facial recognition, Mr. Smith said.

“This work will take up to a few months, but we’re committed to completing it expeditiously,” he wrote.

Microsoft also used this blog post as an opportunity to defend the company’s contract with U.S. Immigration and Customs Enforcement that caused a huge public outcry, saying that it doesn’t involve face recognition as thought by many. It instead involves “legacy email, calendar, messaging and document management workloads.”

Mr. Smith said, “These issues are not going to go away. Facial recognition is the technology of the moment, but it’s apparent that other new technologies will raise similar issues in the future. This makes it even more important that we use this moment to get the direction right.”

Google allows third-party app developers to read your emails

Gmail app developers might be reading your personal emails

The Facebook-Cambridge Analytica data privacy scandal created unrest when it was discovered that the latter illegally harvested up to 87 million Facebook users’ personal data without their knowledge and consent. Apparently, Facebook allowed thousands of app developers to harvest data through third-party online games and quizzes.

Now, a similar accusation has been made against the search giant Google for allowing third-party app developers access to users’ private messages in Gmail, according to a Wall Street Journal report.

Google “continues to let hundreds of outside software developers scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools,” the report said late Monday.

With nearly 1.4 billion users around the world, Gmail has more users than the next 25 largest email providers combined.

“Google does little to police those developers, who train their computers — and, in some cases, employees — to read their users’ emails,” the report further stated.

Last year, Google received a lot of criticism for having computers scan every Gmail email to deliver targeted ads. Back then, Google assured Gmail users that it would stop reading emails and wouldn’t display ads based on the content of the emails.

According to Google, it provides data only to those third-party apps and services that it has vetted and to whom users have explicitly granted access to check their inbox.

Google’s own employees read emails only “in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse,” the report states.

“Email data collectors use software to scan millions of messages a day, looking for clues about consumers that they can sell to marketers, hedge funds and other businesses,” the report added, saying data miners basically have access to other email services besides Gmail.

Several app developers have termed accessing their users’ inboxes a “common practice”, which is done in order to build new features and to develop machine algorithms. Many software developers also said they go through inboxes to enhance the user experience.

They defended this action by saying, “The practice is specified in their user agreements and they have implemented strict rules for employees regarding the handling of emails.”

Commenting on the issue in a blog post written by Suzanne Frey, director of Security, Trust, & Privacy for Google Cloud, the company said, “A vibrant ecosystem of non-Google apps gives you choice and helps you get the most out of your email. However, before a published, non-Google app can access your Gmail messages, it goes through a multi-step review process that includes automated and manual review of the developer, assessment of the app’s privacy policy and homepage to ensure it is a legitimate app, and in-app testing to ensure the app works as it says it does.”

Further, while calming controversy over app developers having access to your Gmail, Frey reiterates in the blog post that, “The practice of automatic processing has caused some to speculate mistakenly that Google ‘reads’ your emails. To be absolutely clear: no one at Google reads your Gmail, except in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.”

If you do not wish third-party apps to scan your emails, then it is suggested that you uninstall extensions that you don’t trust and use apps from reputed developers.

Source: WSJ
