Security Now (Audio) SN 1071: Bucketsquatting - Meta and TikTok's Tracking Pixels
Mar 25, 2026

They dissect tax software that installs a persistent root certificate and how its exposed private key enables spoofing. They explore tracking pixels from major platforms that harvest PII and bypass consent. They explain the bucket-squatting risk when cloud storage names are released and reused, and how an attacker who claims the old name can hijack update flows. They cover critical device and router flaws, phishing that targets developers, and crypto-wallet dangers.
H&R Block Installed A Dangerous Root CA
- H&R Block Business 2025 installed a root CA named "WK ATX Server Host 2024" with a private key bundled in a DLL, creating a long-lived trusted CA on users' machines.
- Researcher Yifan Liu extracted that private key and used it to sign a TLS certificate for an arbitrary site, which affected PCs accepted as trusted: anyone holding the key can spoof any HTTPS site to those machines, and because the CA is trusted system-wide, the same trust extends to code signing.
Use Ephemeral Local CA For Trusted Local Web UIs
- Generate an ephemeral, per-installation root key, use it once to sign a short-lived certificate for the local site, and then delete the CA private key so no reusable signing key is left on the user's machine.
- Constrain the leaf certificate (short lifetime, TLS server EKU only), point a hosts-file entry such as hrblock.localhost at the loopback address so the local UI has a stable name, and remove the root from the trust store on uninstall.
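The pattern described in the two points above, as an added example in Go; it is not H&R Block's code and not from the episode. It generates a throw-away CA, signs one TLS-only leaf for a hypothetical host name (hrblock.localhost), and returns only the CA certificate, the leaf certificate and the leaf key, so the CA private key is never written anywhere. Going one step beyond the page, it also puts a DNS name constraint on the CA, so that even a leaked CA key could not vouch for other hosts. Importing the CA certificate into the OS trust store and writing the hosts-file entry are left to the installer and are not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LocalTrust is everything the installer keeps on disk: the CA certificate (to be
// imported into the trust store and removed again on uninstall) plus the leaf cert
// and key the local web UI serves. The CA private key is deliberately absent.
type LocalTrust struct {
	CACertPEM   []byte
	LeafCertPEM []byte
	LeafKeyPEM  []byte
}

func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
}

// issueLocalTrust creates a per-installation CA, signs one short-lived TLS-server
// leaf for host, and returns without the CA key: nothing on the machine can mint
// further certificates afterwards. The CA outlives the leaf by one day only.
func issueLocalTrust(host string, leafTTL time.Duration) (*LocalTrust, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caSerial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          caSerial,
		Subject:               pkix.Name{CommonName: "Local UI CA (ephemeral, " + host + ")"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(leafTTL + 24*time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may sign leaves only, never a sub-CA
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// Name constraint (addition beyond the page): certificates for any other
		// DNS name are invalid under this CA even if the key were recovered.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{host},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafSerial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: leafSerial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(leafTTL), // short-lived: rotate at next launch/update
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// TLS server authentication only: this leaf is useless for code signing.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafKeyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		return nil, err
	}
	// caKey is never marshalled; it goes out of scope here and is gone.
	return &LocalTrust{
		CACertPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		LeafCertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		LeafKeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: leafKeyDER}),
	}, nil
}

// verifyChain does what a browser or the OS would: build a chain from the leaf to
// the installed CA for the given host name and extended key usage.
func verifyChain(lt *LocalTrust, host string, eku x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(lt.CACertPEM) {
		return errors.New("invalid CA PEM")
	}
	block, _ := pem.Decode(lt.LeafCertPEM)
	if block == nil {
		return errors.New("invalid leaf PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

func verifyForHost(lt *LocalTrust, host string) error {
	return verifyChain(lt, host, x509.ExtKeyUsageServerAuth)
}

func verifyForCodeSigning(lt *LocalTrust) error {
	return verifyChain(lt, "", x509.ExtKeyUsageCodeSigning)
}

func main() {
	lt, err := issueLocalTrust("hrblock.localhost", 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("local UI:     ", verifyForHost(lt, "hrblock.localhost"))
	fmt.Println("other site:   ", verifyForHost(lt, "www.example.com"))
	fmt.Println("code signing: ", verifyForCodeSigning(lt))
}
```

The installer would import CACertPEM into the machine root store (on Windows, for example, with certutil -addstore Root or PowerShell's Import-Certificate), add the line 127.0.0.1 hrblock.localhost to the hosts file, and delete the same certificate by thumbprint on uninstall; since the CA key never existed on disk, there is nothing else to clean up.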
Breathalyzer Calibration Outage Grounded Drivers
- Intoxalock's calibration cloud outage (March 14) prevented court-mandated drivers from recalibrating their ignition-interlock breathalyzers, leaving vehicles immobilized until systems were restored.
- The outage highlighted physical-world impacts of cyberattacks and potential extortion risk if calibration/driver data were exfiltrated.
