In a recent news article from The Guardian, it was revealed that US national security adviser Mike Waltz inadvertently saved journalist Jeffrey Goldberg’s phone number into the contact file of a campaign staffer during the 2024 US election campaign. The chain of events that led to Goldberg’s phone number ending up in a Signal group chat tied to sensitive government discussions sheds light on the potential risks of using personal communication channels for official business.
According to sources familiar with a White House investigation, Goldberg had emailed the Trump campaign with questions for a story, which reached campaign staffer Brian Hughes. Hughes, wanting Waltz to be informed of Goldberg’s inquiries, passed along the journalist’s phone number to Waltz. Waltz, in turn, saved Goldberg’s number in his contact file for Hughes, mistakenly associating it with the campaign staffer.
Months later, when Hughes transitioned to a role at the National Security Council, Waltz included him in a Signal group chat used to discuss important matters like planned attacks on Houthi rebels in Yemen. Due to the mix-up in saving Goldberg’s phone number, the journalist found himself unexpectedly invited to the group, leading to the exposure of sensitive information and potential violations of government records-keeping regulations.
The use of Signal instead of secure government communication channels, as highlighted by Goldberg’s presence in the group chat, raised concerns about the security of information being shared by Trump administration officials. The revelation that Waltz may have set up multiple chats discussing topics like Ukraine, China, and Gaza on the app further underscored the risks posed by using non-official platforms for official discussions.
In a separate incident, Google faced scrutiny after botching a fix for vulnerabilities in its Quick Share data transfer software on Windows machines. Researchers at SafeBreach discovered that the initial patch issued by Google for remote code execution flaws in Quick Share was insufficient, allowing for continued exploitation of the vulnerabilities. After identifying shortcomings in the fix, Google released another update addressing the issues to prevent unauthorized access and file writes through Quick Share.
The news roundup also highlighted critical vulnerabilities affecting popular software products, such as Apache’s Parquet file format and Cisco’s Smart Licensing Utility. Both companies issued patches to address security concerns, emphasizing the importance of prompt updates to prevent exploitation by threat actors.
Furthermore, a bug bounty program was announced for security researchers interested in identifying vulnerabilities in open-source projects within the Fediverse, offering monetary rewards for discovering critical flaws. The initiative aims to enhance the security of decentralized social media services like Mastodon, Lemy, and PeerTube by incentivizing researchers to report and patch security issues.
In a separate development, the city government of Baltimore, Maryland fell victim to a sophisticated vendor fraud scheme, losing nearly a million dollars to scammers posing as legitimate vendors. The incident highlighted the need for heightened vigilance and security measures to prevent financial losses due to impersonation tactics and fraudulent activities.
Finally, WordPress plugin vulnerabilities, including arbitrary file upload and deletion flaws in the WP Ultimate CSV Importer plugin, were disclosed by security researchers. Users were urged to update their plugins to the latest version to mitigate the risks of exploitation by malicious actors.
Overall, the series of events and vulnerabilities highlighted in the news reflect the ongoing challenges and risks faced in the realm of information security, underscoring the importance of robust security practices and continual vigilance in safeguarding sensitive data and systems.