Security Friday: Apple’s New App, Sneaky Browser Hacks, and Lots More

Hi Readers, Cullen here. Apple just dropped a new party invite app called Apple Invites. Like many, I've left Meta's social media technologies. But Facebook was serving as my main tool for event organization, from birthdays to movie outings.
IN THIS NEWSLETTER

  • 📰 Your Weekly Security Update
  • 🗒️✅ Your Security Checklist
  • 🏆🎖️ Test Your Security Skills
  • 🤨 This Should Be on Your Radar 📡
  • 🍎📱 Security Updates from Apple 🍎
 
Apple Launches Apple Invites, a More Private Alternative to Facebook Events

Apple launched a new app, Apple Invites, on February 4. Apple Invites lets you send invitations to parties and events, and is a more private alternative to Facebook Events. You'll need a paid iCloud+ account to send invitations, but anyone (even Android users) can receive them. It's also available on the web. In our initial tests, Apple Invites is extremely user-friendly and intuitive. You can download it from the iOS App Store and try it out yourself.

The Bottom Line: If you've been looking for a way to send event invites without using Facebook, try Apple Invites.

 
🗒️✅ Your Security Checklist

If you take nothing else from this newsletter, do these three things to protect yourself:

  1. When creating passwords for an account, always let your password manager generate the password for you.
  2. Set up a Recovery Key now so that in the unlikely event you find yourself locked out of your Apple account in the future, you'll have a way to retrieve your data.
  3. Apps will sometimes ask for your permission to track your activity even when you're not using the app. There is seldom any good reason to allow this, so you can disable app tracking altogether.

For a rundown of our top security tips, attend our free intro class on cybersecurity for Apple enthusiasts on Tuesday, February 18, at 4:30 p.m. ET.


 
🏆🎖️ Test Your Security Skills

What should you do in the following scenario?

Would turning off location tracking under Settings > Privacy & Security > Location Services be a good thing for you? 🤔

  A. Yes
  B. No
  C. Sometimes
  D. For some apps

Scroll to the bottom to see how you did!

 
🤨 This Should Be on Your Radar 📡

Warning! macOS Infostealer Malware Is on the Rise: How It Works

Infostealer malware is malicious software designed to steal your secrets, especially passwords and cryptocurrency. Palo Alto Networks published a guide to three top strains of macOS infostealer malware: Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. These malicious programs can be smuggled onto your computer in various ways, usually disguised as something safe like a PDF reader. Once installed, they are all capable of stealing anything stored in Chrome, Firefox, or Microsoft Edge, including passwords, browsing history, and much more. They also share common tricks, like displaying fake system popups that ask for your administrator password to install the program.

The Bottom Line: Check out the guide to learn to identify potentially risky behavior from a suspicious app! It's pretty technical, but you don't have to understand everything. Even just the screenshots can be helpful.

Clever New iOS Malware Strategy Searches Your Screenshots for Secrets

Researchers at Kaspersky found a malware app had made it onto the iOS and Android app stores. The app, which was disguised as a food delivery app, employs a novel technique: it asks users for permission to access their photo library. Once it has access, it uses an AI model to scan screenshots or photos of text, looking for secrets—especially recovery phrases used to regain access to a cryptocurrency wallet.

The Bottom Line: Exercise caution when new apps ask for permission to access your photos, camera, and microphone. You can review and control how much access apps have to your photos in Settings > Privacy & Security > Photos > Select an app > set to Limited Access (a popup will ask which photos you want to share every time you try to share photos in that app) or None.

How Secure Is Your Web Browser? New Technique Uses Chrome Extension to Take Over Your Whole Device

You know how you can log in to your Chrome web browser just once with your Google account and stay logged in to your Google Drive, Gmail, etc.? The researchers at SquareX discovered a new attack in which a malicious browser extension logs in to a second web browser profile, uses that profile to change browser settings and lower its security, and then uses the weakened browser to install keystroke loggers or other malware that can lead to a complete takeover of the device.

The Bottom Line: Practice extreme caution when installing browser extensions. Treat unexpected profiles in your browser as highly suspicious. Never save your passwords in your web browser.

Viral AI Chatbot DeepSeek Was Deeply Leaking Your Data

Unsurprisingly, the genAI chatbot DeepSeek, which experienced an overnight explosion of success, was not really planning for that much success that quickly, and didn't take security as seriously as they maybe should have. Security researchers at Wiz Research have the story.

The Bottom Line: Be cautious about what you tell genAI chatbots, and what you ask them.

Yet Another Healthcare Provider Has Its Data Stolen

Community Health Center, a healthcare provider based in Connecticut, sent out a letter to its customers at the end of January to alert them to a data breach affecting more than a million people in October 2024. The breach includes data such as patient names, addresses, phone numbers, Social Security numbers, treatment plans, and more. According to Newsweek, the cyberattack may have only lasted a few hours. CHC is offering its customers 24 months of credit monitoring, a $1 million insurance reimbursement policy, and assistance with recovering their identity if it's stolen.

The Bottom Line: We recommend freezing your credit, regardless of whether you're a customer of CHC. You can always unfreeze it whenever you need to. If you don't freeze your credit, at least employ some form of credit monitoring, possibly the free monitoring offered to customers of CHC. This data breach serves as a good reminder to always use a secure password so that if you're subjected to a breach like this, your other accounts will be safe. But, as always, remain vigilant against scammers using their knowledge of you to convince you they are legitimate authorities.

Teen Mental Health Resource Caught Sharing Data with Social Media Companies

The Parent Coalition for Student Privacy, AI for Families, and the New York Civil Liberties Union discovered tracking pixels on the landing page for Teenspace, an online therapy service for teens. Tracking pixels are hidden lines of code that essentially track the user's behavior, and the trackers on Teenspace were sharing visitors' data with companies such as Meta, Google, X, and TikTok. Gizmodo reports that Teenspace collected the visitors' IP addresses but did not share any medical data with these companies. Regardless, the website has, thankfully, been scrubbed of trackers at this time.

The Bottom Line: While it's almost impossible to avoid trackers completely while browsing the web, you can limit tracking by using features like an ad blocker, a VPN, or iCloud Private Relay.

Asking Google a Tech Question? Beware of Liars and Fakes

Scammers are pushing thousands of malicious websites designed to look like Reddit or the file transfer service WeTransfer to try to trick googlers into thinking they've found an easy answer to a tech question.

The Bottom Line: Always double-check the website URL before initiating a download. Be wary of sponsored results on Google. Reddit posts have long been a fairly reliable source of answers to especially obscure tech questions, but make sure you're really on Reddit, not Reddit's evil clone with a goatee. Even on Reddit, be cautious: links may redirect to malicious sites.

Lawmakers Allege DOGE Employees Accessed and Altered National Databases without Oversight, Clearance

Members of the Senate Intelligence Committee wrote: "No information has been provided to Congress or the public as to who has been formally hired under DOGE, under what authority or regulations DOGE is operating, or how DOGE is vetting and monitoring its staff and representatives before providing them seemingly unfettered access to classified materials and Americans' personal information." Then, a US district judge issued a block on DOGE's access to federal payment systems until its employees go through the normal vetting and security clearance process.

The Bottom Line: With trillions of dollars in government spending at stake and every US citizen's personal information contained in these databases, the risks associated with a potential data leak are enormous, and the consequences could not be more serious. Nothing you do in your personal cybersecurity practice can protect you if government databases are leaked, penetrated, or mismanaged.

 
🍎📱 Security Updates from Apple 🍎

Everything you need to know about Apple's latest software updates.

  • The most recent iOS and iPadOS is 18.3.1
  • The most recent macOS is 15.3.1
  • The most recent tvOS is 18.3
  • The most recent watchOS is 11.3.1
  • The most recent visionOS is 2.3.1

Apple says that iOS 18.3.1 patches a dangerous bug that has been exploited in "an extremely sophisticated attack against specific targeted individuals." This bug would allow an attacker to disable USB Restricted Mode on a locked device, which would potentially allow the attacker access to the memory of a device they physically possess.

 
Security Skills Answer

The correct answer is D. For some apps.

The answer depends somewhat on your personal defense plan. For more on personal defense plans, see our free lesson on Cybersecurity for Apple Enthusiasts (linked below).

Turning off your location services will disable the Find My app. The Find My app is important not only to find a lost iPhone, but to freeze or wipe a lost iPhone so that thieves can't access the private records stored on it. So it is not usually a good idea to turn off Location Services wholesale, including Find My.

On the other hand, Location Services can leak your real-time location through third-party apps, which can give away intimate details of your life to information brokers, advertisers, and potentially scammers, stalkers, or other malicious parties. Fortunately, you can disable Location Services on an app-by-app basis in that same menu at Settings > Privacy & Security > Location Services. This lets you turn it off for everything except Find My.

 
Mission Statement

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Donna Schill.

 
Copyright © 2024 Mango Life Media LLC. All Rights Reserved.