Online Dating Site Hit with Anti-Spam Law Fine

On the heels of issuing its first Notice of Violation under Canada’s Anti-spam Legislation (CASL) earlier this month, the Canadian Radio-television and Telecommunications Commission (CRTC) announced today that Plentyoffish Media Inc., the company behind the online dating website PlentyofFish.com, has entered into an undertaking with the agency and paid a $48,000 fine for alleged violations of CASL.

The CRTC opened its investigation after receiving complaints alleging that the company sent registered users emails about PlentyofFish.com services that did not include a clear and prominent unsubscribe mechanism that could be readily performed.

The CRTC’s most recent public CASL enforcement effort targeted an alleged spammer that “flagrantly violated” CASL, and resulted in a Notice of Violation and a fine of $1.1 million. In contrast, upon being notified of the investigation, Plentyoffish sought to cooperate and comply with CASL. In response to the investigation, Plentyoffish brought its unsubscribe practices in line with CASL requirements (thus saving users from one frustration in the already exasperating world of online dating).

The company has also entered into a voluntary undertaking with the CRTC. This involves the payment of the $48,000 fine and the development and implementation of a CASL compliance program including policies and procedures, as well as employee training and education.

In our CASL update earlier this month, we had noted that there are likely more enforcement actions on the horizon. This CASL enforcement announcement just weeks later indicates that the CRTC is getting plenty of bites.

Android hijacking bug may allow attackers to install password-stealers

Roughly half of all Android handsets are vulnerable to a newly discovered hack that in some cases allows attackers to surreptitiously modify or replace seemingly benign apps with malicious ones that steal passwords and other sensitive data.

The "Android installer hijacking" vulnerability, as it has been dubbed by researchers from Palo Alto Networks, works only when apps are being downloaded from third-party app stores or when a user clicks on an app promotion advertisement hosted by a mobile advertisement library. Technically, it's based on what's known as a time-of-check to time-of-use (TOCTOU) vulnerability. Affected devices fail to verify that the app being installed at the time of use is the one the end user approved at the time of check, which occurs when a user approves app permissions such as network access or access to the contacts database. The bug involves the way the system application called PackageInstaller installs app files known as APKs.

"A vulnerability exists in this process because while the user is reviewing this information, the attacker can modify or replace the package in the background," Palo Alto Networks researcher Zhi Xu wrote in a blog post published Tuesday. "Verified with Android OS source code posted in AOSP [Android Open Source Project], it shows that the PackageInstaller on affected versions does not verify the APK file at the 'time of use.' Thus, in the 'time of use' (i.e., after clicking the 'install' button), the PackageInstaller can actually install a different app with an entirely different set of permissions."
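The time-of-check to time-of-use gap described above, and the usual defence of pinning a digest at approval and re-verifying it at install, shown as an added example that is not code from the article, Palo Alto Networks or Android's PackageInstaller. The toy package format, the file contents and every function name are assumptions made for the illustration.

```python
import hashlib
import pathlib
import tempfile


class PackageChanged(Exception):
    """Raised when the bytes at install time differ from the bytes approved."""


def parse_permissions(data: bytes) -> list:
    # Constructed toy format standing in for an APK manifest: "permissions: A,B\n<payload>"
    header = data.split(b"\n", 1)[0].decode()
    return header.partition(": ")[2].split(",")


def review(path: pathlib.Path) -> dict:
    """Time of check: show permissions and pin the digest of the bytes shown."""
    data = path.read_bytes()
    return {"permissions": parse_permissions(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def install_unverified(path: pathlib.Path, approval: dict) -> list:
    """Models the affected behaviour: re-read the path and trust what is there."""
    return parse_permissions(path.read_bytes())


def install_verified(path: pathlib.Path, approval: dict) -> list:
    """Time of use: read once, compare to the approved digest, use those bytes."""
    data = path.read_bytes()
    if hashlib.sha256(data).hexdigest() != approval["sha256"]:
        raise PackageChanged("package differs from the one the user approved")
    return parse_permissions(data)  # install from verified bytes, not the path


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d) / "app.pkg"
        path.write_bytes(b"permissions: INTERNET\npayload-v1")
        approval = review(path)
        # Constructed: the file changes while the consent screen is open.
        path.write_bytes(b"permissions: INTERNET,READ_CONTACTS\npayload-v2")
        installed = install_unverified(path, approval)
        try:
            install_verified(path, approval)
            blocked = False
        except PackageChanged:
            blocked = True
        return approval["permissions"], installed, blocked
```

`demo()` returns the permissions the user was shown, the permissions the unverified path would have installed, and whether the verified path refused the changed file.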
