Slashdot security articles


Over 50 Organizations Ask Google To Take a Stand Against Android Bloatware

Fri, 01/10/2020 - 08:10
In an open letter published yesterday, more than 50 organizations have asked Google to take action against Android smartphone vendors who ship devices with unremovable pre-installed apps, also known as bloatware. From a report: The letter, signed by 53 organizations, was addressed to Google CEO Sundar Pichai. Signees say Android bloatware has a detrimental effect on user privacy. They say many bloatware apps cannot be deleted and leave users exposed to having their data collected by unscrupulous phone vendors and app makers without their knowledge or consent. "These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model," the open letter reads. "This means permissions can be defined by the app - including access to the microphone, camera and location - without triggering the standard Android security prompts. Users are therefore completely in the dark about these serious intrusions." The signees cite research from March 2018 that found that the Android ecosystem of pre-installed apps is a privacy and security mess. According to the research, 91% of all tested pre-installed apps weren't available on the official Google Play Store.

Mozilla Says a New Firefox Security Bug is Under Active Attack

Fri, 01/10/2020 - 07:30
Mozilla has warned Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in "targeted attacks" against users. From a report: The vulnerability, found by Chinese security company Qihoo 360, was found in Firefox's just-in-time compiler. The compiler is tasked with speeding up performance of JavaScript to make websites load faster. But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer. In practical terms, that means an attacker can quietly break into a victim's computer by tricking the victim into accessing a website running malicious JavaScript code. But Qihoo did not say precisely how the bug was exploited, who the attackers were, or who was targeted.

Skype Audio Graded by Workers in China With 'No Security Measures'

Fri, 01/10/2020 - 06:42
A Microsoft program to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with "no security measures," according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company. From a report: The recordings, both deliberate and accidentally invoked activations of the voice assistant, as well as some Skype phone calls, were simply accessed by Microsoft workers through a web app running in Google's Chrome browser, on their personal laptops, over the Chinese internet, according to the contractor. Workers had no cybersecurity help to protect the data from criminal or state interference, and were even instructed to do the work using new Microsoft accounts all with the same password, for ease of management, the former contractor said. Employee vetting was practically nonexistent, he added. "There were no security measures, I don't even remember them doing proper KYC [know your customer] on me. I think they just took my Chinese bank account details," he told the Guardian. While the grader began by working in an office, he said the contractor that employed him "after a while allowed me to do it from home in Beijing. I judged British English (because I'm British), so I listened to people who had their Microsoft device set to British English, and I had access to all of this from my home laptop with a simple username and password login." Both username and password were emailed to new contractors in plaintext, he said, with the former following a simple schema and the latter being the same for every employee who joined in any given year.

Amazon Warned Holiday Shopper That Honey, a Popular Browser Extension, Was a 'Security Risk'

Thu, 01/09/2020 - 17:25
In an apparent swipe at PayPal's recent $4 billion acquisition of Honey, a popular browser extension that tracks prices and discount codes, Amazon labeled the service as "a security risk" for shoppers over the holidays. Wired reports: "Honey tracks your private shopping behavior, collects data like your order history and items saved, and can read or change any of your data on any website you visit," the message read. "To keep your data private and secure, uninstall this extension immediately." It was followed by a hyperlink where users could learn how to do so. Screenshots of the warning were posted to forums and social media by Honey users, like Ryan Hutchins, an editor at Politico. Honey isn't some obscure browser extension from an unknown developer. Founded in 2012, the Los Angeles-based startup now boasts over 17 million users. It finds discount codes to save shoppers money at tens of thousands of online retailers, including Amazon. Amazon's warning, which began appearing on December 20, confused and angered many of Honey's users, some of whom complained on its official social media channels. The browser extension has been compatible with Amazon since it was founded, and it is a significant part of Honey's appeal. Amazon declined to explain why it decided to label Honey a security risk so suddenly last month. "Our goal is to warn customers about browser extensions that collect personal shopping data without their knowledge or consent," a spokesperson for the company said in a statement. They declined to answer follow-up questions about the basis for that claim. Honey says in its privacy policy that it doesn't "track your search engine history, emails, or your browsing on any site that is not a retail website." "We're aware that Droplist and other Honey features were not available on Amazon for a period of time. We know these are tools that people love and worked quickly to restore the functionality. Our extension is not -- and has never been -- a security risk and is safe to use," a Honey spokesperson said.

Unremovable Malware Found Preinstalled on Low-End Smartphone Sold in the US

Thu, 01/09/2020 - 10:40
Low-end smartphones sold to low-income Americans via a government-subsidized program contain unremovable malware, security firm Malwarebytes said today in a report. From a report: The smartphone model is Unimax (UMX) U686CL, a low-end Android-based smartphone made in China and sold by Assurance Wireless, a cell phone service provider that is part of the Virgin Mobile group. The telco sells cell phones as part of Lifeline, a government program that subsidizes phone service for low-income Americans. "In late 2019, we saw several complaints in our support system from users with a government-issued phone reporting that some of its pre-installed apps were malicious," Malwarebytes said in a report published today. The company said it purchased a UMX U686CL smartphone and analyzed it to confirm the reports it was receiving.

Unpatched VPN Makes Travelex Latest Victim of 'REvil' Ransomware

Wed, 01/08/2020 - 14:40
An anonymous reader quotes a report from Ars Technica: In April of 2019, Pulse Secure issued an urgent patch to a vulnerability in its popular corporate VPN software -- a vulnerability that not only allowed remote attackers to gain access without a username or password but also to turn off multi-factor authentication and view logs, usernames, and passwords cached by the VPN server in plain text. Now, a cybercriminal group is using that vulnerability to target and infiltrate victims, steal data, and plant ransomware. Travelex, the foreign currency exchange and travel insurance company, appears to be the latest victim of the group. On New Year's Eve, the company was hit by Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and said they want Travelex to pay $6 million. They also claimed to have had access to Travelex's network for six months and to have extracted five gigabytes of customer data -- including dates of birth, credit card information, and other personally identifiable information. "In the case of payment, we will delete and will not use that [data]base and restore them the entire network," the individual claiming to be part of the Sodinokibi operation told the BBC. "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base." Security researcher Kevin Beaumont found that Travelex had seven unpatched Pulse Secure servers. An exploit for the vulnerability has been available on Internet bulletin boards since August of 2019.

Ring Fired Employees for Watching Customer Videos

Wed, 01/08/2020 - 13:21
Amazon-owned home security camera company Ring has fired employees for improperly accessing Ring users' video data, Motherboard reported Wednesday, citing a letter the company wrote to Senators. From the report: The news highlights a risk across many different tech companies: employees may abuse access granted as part of their jobs to look at customer data or information. In Ring's case this data can be particularly sensitive though, as customers often put the cameras inside their home. "We are aware of incidents discussed below where employees violated our policies," the letter from Ring, dated January 6th, reads. "Over the last four years, Ring has received four complaints or inquiries regarding a team member's access to Ring video data," it continues. Ring explains that although each of these people was authorized to view video data, their attempted access went beyond what they needed to access for their job.

Apple Says Its Software Business is Booming

Wed, 01/08/2020 - 10:01
Apple on Wednesday said that its services business, which includes software for things like news, gaming, apps, music and video, had its best ever year in 2019. From a report: "2019 was the biggest year for Services in Apple's history. We introduced several exciting new experiences for our customers, all while setting the standard for user privacy and security," said Eddy Cue, Apple's senior vice president of Internet Software and Services in a statement. In an effort to showcase its growth to investors, Apple released a slew of engagement numbers for several of its services products. It says: Apple News has over 100 million monthly active users in the U.S., U.K., Australia and Canada. Apple Music now offers over 60 million songs in 115 countries. Apple Podcasts offers over 800,000 shows in 155 countries. Apple Card and Apple Pay are accepted in more than 150 stadiums, ballparks, arenas and entertainment venues.

Foreign Exchange Company Travelex Being Held To Ransom By Hackers

Wed, 01/08/2020 - 09:21
Hackers are holding foreign exchange company Travelex to ransom after a cyber-attack forced the firm to turn off all computer systems and resort to using pen and paper. From a report: On New Year's Eve, hackers launched their attack on the Travelex network. As a result, the company took down its websites across 30 countries to contain "the virus and protect data." A ransomware gang called Sodinokibi has told the BBC it is behind the hack and wants Travelex to pay $6 million. The gang, also known as REvil, claims to have gained access to the company's computer network six months ago and to have downloaded 5GB of sensitive customer data. Dates of birth, credit card information and national insurance numbers are all in their possession, they say. The hackers said: "In the case of payment, we will delete and will not use that [data]base and restore them the entire network. "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base."

Half of the Websites Using WebAssembly Use it for Malicious Purposes

Wed, 01/08/2020 - 06:40
Around half of the websites that use WebAssembly, a new web technology, use it for malicious purposes, according to academic research published last year. From a report: WebAssembly is a low-level bytecode language that was created after a joint collaboration between all major browser vendors. It introduces a new binary file format for transmitting code from a web server to a browser. Once it reaches the browser, WebAssembly code (Wasm) executes with near-native speed, similar to compiled C, C++, or Rust code. WebAssembly was created for both speed and performance. Due to its binary machine-friendly format, Wasm code is smaller than its equivalent JavaScript form, but also many times faster when executing. This has made WebAssembly the next incarnation of Adobe Flash, allowing websites to run complex CPU-intensive code without freezing a browser, a task for which JavaScript was never designed or optimized.

FBI Asks Apple To Help Unlock Two iPhones

Wed, 01/08/2020 - 05:00
An anonymous reader quotes a report from The New York Times: The encryption debate between Apple and the F.B.I. might have found its new test case. The F.B.I. said on Tuesday that it had asked Apple for the data on two iPhones that belonged to the gunman in the shooting last month at a naval base in Pensacola, Fla., possibly setting up another showdown over law enforcement's access to smartphones. Dana Boente, the F.B.I.'s general counsel, said in a letter to Apple that federal investigators could not gain access to the iPhones because they were locked and encrypted and their owner, Second Lt. Mohammed Saeed Alshamrani of the Saudi Royal Air Force, is dead. The F.B.I. has a search warrant for the devices and is seeking Apple's assistance executing it, the people said. Apple said in a statement that it had given the F.B.I. all the data "in our possession" related to the Pensacola case when it was asked a month ago. "We will continue to support them with the data we have available," the company said. Apple regularly complies with court orders to turn over information it has on its servers, such as iCloud data, but it has long argued that it does not have access to material stored only on a locked, encrypted iPhone. Before sending the letter, the F.B.I. checked with other government agencies and its national security allies to see if they had a way into the devices -- but they did not, according to one of the people familiar with the investigation. "The official said the F.B.I. was not asking Apple to create a so-called backdoor or technological solution to get past its encryption that must be shared with the government," the report adds. "Instead, the government is seeking the data that is on the two phones, the official said." "Apple has argued in the past that obtaining such data would require it to build a backdoor, which it said would set a dangerous precedent for user privacy and cybersecurity." Apple did not comment on the request.

Self-Sovereign ID Tech Is Being Advanced By Security Failures, Privacy Breaches

Mon, 01/06/2020 - 15:40
Lucas123 writes: There is a growing movement among fintech companies, banks, healthcare services, universities and others toward disintermediating the control of online user identities in favor of supporting end-user controlled decentralized digital wallets based on P2P blockchain. Self-sovereign identity (SSI) is a term used to describe the digital movement that recognizes an individual should own and control their identity without intervening administrative authorities. The wallets would carry encryption keys provided by third parties and could be used to digitally sign transactions or provide access to verifying information, everything from bank-issued credit lines to diplomas -- all of which are controlled by the user through public key infrastructure (PKI). The blockchain ledger and PKI technology is hidden behind user-friendly mobile applications. Currently, there are more proof-of-concept projects than production systems involving a small number of organizations. The pilots, being trialed in government, financial services, insurance, healthcare, energy and manufacturing, don't yet amount to an entire ecosystem, but they will grow over the next few years, according to Gartner.

Unpatched US Government Website Gets Pwned By Pro-Iran Script Kiddie

Mon, 01/06/2020 - 12:20
An anonymous reader quotes a report from Ars Technica: On the heels of the killing of Iranian Revolutionary Guard Corps General Qassem Soleimani by a U.S. MQ-9 Reaper strike on January 2, the U.S. Department of Homeland Security warned of potential cyberattacks against critical infrastructure by Iran. That warning probably didn't apply to the website of the Federal Depository Library Program, operated by the U.S. Government Printing Office -- which was defaced on January 4 with a pro-Iranian message and an image of a bloodied President Donald Trump being punched by an Iranian fist. The FDLP website is no stranger to defacement attacks. As a brief analysis of the attack by a security researcher with the Twitter username @sshell_ noted, the site has been defaced twice in the last 10 years -- most recently in 2014, when it was replaced with an electronic dance music video featuring a dancing cat. Based on a fingerprint of the site's files, the site -- based on the Joomla content management system -- had not had its code updated since 2012. And the site had modules that used a version of Joomla's RSForm that had been flagged 11 months ago as being vulnerable to a SQL Injection attack. While the image depicting Trump had no metadata attached to it, another image with text had Exchangeable Image File Format (EXIF) data indicating it had been created with Adobe Photoshop CS 6 for Windows in 2015. As sshell_ noted, the image was used in a defacement reported to the "cybercrime archive" Zone-H by a user identifying themselves as IRAN-CYBER on December 2, 2015. A DHS spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) said that "there is no confirmation that this was the action of Iranian state-sponsored actors."

The UK Health System Tries Spending Millions To Reduce The Time Spent Logging In To Things

Mon, 01/06/2020 - 03:34
The UK's National Health System is getting £40m (about $52.3 million) to try reducing login times on its IT systems, "a move the government says could free up thousands of staffing hours a day as the saved seconds add up," according to the Guardian. They note estimates that switching to a "single sign-on" system reduced login times from 105 seconds to just 10 at one hospital, ultimately saving them 130 staffing hours a day. TheNinjaCoder shared their report: In a typical hospital, staff need to log in to as many as 15 systems when tending to a patient. As well as taking up time, the proliferation of logins requires staff either to remember multiple complex passwords or, more likely, compromise security by reusing the same one on every system. The health secretary, Matt Hancock, said: "It is frankly ridiculous how much time our doctors and nurses waste logging on to multiple systems. As I visit hospitals and GP practices around the country, I've lost count of the amount of times staff complain about this. It's no good in the 21st century having 20th-century technology at work. "This investment is committed to driving forward the most basic frontline technology upgrades, so treatment can be delivered more effectively and we can keep pace with the growing demand on the NHS."

The US Government Begins Limiting Some Exports of AI Software

Sun, 01/05/2020 - 15:59
"The Trump administration will make it more difficult to export artificial intelligence software as of next week, part of a bid to keep sensitive technologies out of the hands of rival powers like China," reports Reuters. The Verge has more details: The ban, which comes into force on Monday, is the first to be applied under a 2018 law known as the Export Control Reform Act or ECRA. This requires the government to examine how it can restrict the export of "emerging" technologies "essential to the national security of the United States" -- including AI... When ECRA was announced in 2018, some in the tech industry feared it would harm the field of artificial intelligence, which benefits greatly from the exchange of research and commercial programs across borders. Although the U.S. is generally considered to be the world leader in AI, China is a strong second place and gaining fast. But the new export ban is extremely narrow. It applies only to software that uses neural networks (a key component in machine learning) to discover "points of interest" in geospatial imagery; things like houses or vehicles... [S]uch software is of growing importance to military intelligence, too. The U.S., for example, is developing an AI analysis tool named Sentinel, which is supposed to highlight "anomalies" in satellite imagery. It might flag troop and missile movements, for example, or suggest areas that human analysts should examine in detail. The rule only applies in America, reports Reuters, "but U.S. authorities could later submit it to international bodies to try to create a level playing field globally."

Massive New Cambridge Analytica Leak Will Show Global Voter Manipulation on 'Industrial Scale'

Sun, 01/05/2020 - 09:34
A new leak of more than 100,000 documents from Cambridge Analytica's work in 68 different countries "will lay bare the global infrastructure of an operation used to manipulate voters on 'an industrial scale,'" writes the Guardian. Long-time Slashdot reader Freshly Exhumed shares their report: The release of documents began on New Year's Day on an anonymous Twitter account, @HindsightFiles, with links to material on elections in Malaysia, Kenya and Brazil. The documents were revealed to have come from Brittany Kaiser, an ex-Cambridge Analytica employee turned whistleblower, and to be the same ones subpoenaed by Robert Mueller's investigation into Russian interference in the 2016 presidential election. Kaiser, who starred in the Oscar-shortlisted Netflix documentary The Great Hack, decided to go public after last month's election in Britain. "It's so abundantly clear our electoral systems are wide open to abuse," she said. "I'm very fearful about what is going to happen in the US election later this year, and I think one of the few ways of protecting ourselves is to get as much information out there as possible." The documents were retrieved from her email accounts and hard drives, and though she handed over some material to parliament in April 2018, she said there were thousands and thousands more pages which showed a "breadth and depth of the work" that went "way beyond what people think they know about 'the Cambridge Analytica scandal....'" Kaiser said the Facebook data scandal was part of a much bigger global operation that worked with governments, intelligence agencies, commercial companies and political campaigns to manipulate and influence people, and that raised huge national security implications.

Starbucks Devs Leave API Key in GitHub Public Repo

Sat, 01/04/2020 - 12:34
"One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users," reports Bleeping Computer: Vulnerability hunter Vinoth Kumar reported the oversight on October 17 and close to three weeks later Starbucks responded it demonstrated "significant information disclosure" and that it qualified for a bug bounty... Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key. Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems, and add or remove users with access to the internal systems. Once Starbucks was content with the remediation steps taken, the company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. Most bounties from Starbucks are between $250 and $375. The company solved 834 reports since launching the bug bounty program in 2016, and 369 of them were reported in the past three months. For them, Starbucks spent $40,000.

'Police Tracked a Terror Suspect on WhatsApp -- Until His Phone Went Dark After a Warning From Facebook'

Sat, 01/04/2020 - 11:34
"A team of European law-enforcement officials was hot on the trail of a potential terror plot in October, fearing an attack during Christmas season, when their keyhole into a suspect's phone went dark," reports the Wall Street Journal: WhatsApp, Facebook Inc.'s popular messaging tool, had just notified about 1,400 users -- among them the suspected terrorist -- that their phones had been hacked by an "advanced cyber actor." An elite surveillance team was using spyware from NSO Group, an Israeli company, to track the suspect, according to a law-enforcement official overseeing the investigation. A judge in the Western European country had authorized investigators to deploy all means available to get into the suspect's phone, for which the team used its government's existing contract with NSO. The country's use of NSO's spyware wasn't known to Facebook... WhatsApp's Oct. 29 message to users warned journalists, activists and government officials that their phones had been compromised, Facebook said. But it also had the unintended consequence of potentially jeopardizing multiple national-security investigations in Western Europe about which Facebook hadn't been alerted -- and about which government agencies can't formally complain, given their secret nature... NSO has faced criticism for selling its products to government agencies in the Middle East, Mexico and India, which Facebook and human-rights research group Citizen Lab, among others, allege used them to spy on dissidents, religious leaders, journalists and political opponents. Among the 1,400 WhatsApp users notified in October, more than 100 fell into these categories, Citizen Lab said. The group, which is based at the University of Toronto's Munk School of Global Affairs and Public Policy, worked with Facebook on identifying these people... 
Citizen Lab has issued reports for several years linking NSO's spyware to governments with a history of human-rights abuses, and said that record should put NSO out of the running for government contracts from Western agencies, said Ronald Deibert, Citizen Lab's director. "What we have been trying to do with our research is to raise alarm bells...." On the day WhatsApp sent its alert, the official overseeing the terror investigation in Western Europe said, he was stuck in traffic on his way to work when a call came in from Israel. "Have you seen the news? We've got a problem," he said he was told. WhatsApp was notifying suspects whom his team was tracking that their phones had been hacked. "No, that can't be right. Why would they do that?" the official said he asked his contact, thinking it a joke. The most immediate concern was a suspected terrorist investigators linked to Islamic State. They had received a tip he was part of a group plotting an attack around Christmas. Once they saw the suspect's phone receive WhatsApp's alert, the phone went dark, the official said. The sleuths soon lost access to the suspect's messages, the official said, indicating he had discarded or disabled the phone. "We only had that one phone," the official said. Though that suspect was still under traditional surveillance, "He's not the only suspect we have to follow..." the official complained to the Wall Street Journal, adding that their counterparts in other Western European countries told him more than 10 other investigations "may have been" compromised by WhatsApp's alert. The Journal also notes that tech companies "have come under growing pressure in the U.S. and Europe to give law enforcement a back door into encrypted messages. But they are also under fire for not doing enough to protect the privacy of their users and, in some jurisdictions, they have legal obligations to disclose security breaches."

Will Iran Launch a Cyberattack Against the U.S.?

Sat, 01/04/2020 - 07:34
"Iranian officials are likely considering a cyber-attack against the U.S. in the wake of an airstrike that killed one of its top military officials," reports Bloomberg: In a tweet after the airstrike on Thursday, Christopher Krebs, director of the U.S. Cybersecurity and Infrastructure Security Agency, repeated a warning from the summer about Iranian malicious cyber-attacks, and urged the public to brush up on Iranian tactics and to pay attention to critical systems, particularly industrial control infrastructure... John Hultquist, director of intelligence analysis at the cybersecurity firm FireEye Inc., said Iran has largely resisted carrying out attacks in the U.S. so far. But "given the gravity of this event, we are concerned any restraint they may have demonstrated could be replaced by a resolve to strike closer to home." Iranian cyber-attacks have included U.S. universities and companies, operators of industrial control systems and banks. Iranian hackers tried to infiltrate the Trump campaign, and they have launched attacks against current and former U.S. government officials and journalists. The U.S., meanwhile, has employed cyberweapons to attack Iran's nuclear capabilities and computer systems used to plot attacks against oil tankers, according to the New York Times.... James Lewis, senior vice president at the Center for Strategic & International Studies, said Iranian retaliation may include the use of force, but the government is also likely asking hackers for a list of options. "Cyber-attacks may be tempting if they can find the right American target," Lewis said. "The Iranians are pretty capable and our defenses are uneven, so they could successfully attack poorly defensed targets in the U.S. There are thousands, but they would want something dramatic." Mother Jones shares another perspective: There's little reason to think that Iran could pull off a truly spectacular attack, such as disabling major electric grids or other big utilities, said Robert M. Lee, an expert in industrial control systems security and the CEO of Dragos. "People should not be worried about large scale attacks and impacts that they can largely think about in movies and books like an electric grid going down." Instead, Iran might choose targets that are less prominent and less secure. "The average citizen should not be concerned," he said, "but security teams at [U.S.] companies should be on a heightened sense of awareness."

Google Disables All Xiaomi Device Integrations Pending Security Review

Fri, 01/03/2020 - 23:00
New submitter jasonbuechler writes: Related to the Xiaomi post the other day, Google has entirely disabled Google Assistant/Home integration with Xiaomi devices pending further testing. Google issued the following statement: Hi everyone, Late night on January 1st, we were made aware of an issue where a Reddit user posted that their Nest Hub was able to access other people's Xiaomi camera feeds. We've been working with Xiaomi and we're comfortable that the issue was limited to their camera technology platform. While we worked on this issue with Xiaomi, we made the decision to disable all Xiaomi integrations on our devices. We understand this had a significant impact on users of Xiaomi devices but the security and privacy of our users is our priority and we felt this was the appropriate action. We're re-enabling Xiaomi device integrations for everything but camera streaming after necessary testing has been completed. We will not reinstate camera functionality for Xiaomi devices until we are confident that the issue has been fully resolved. We'll keep you updated with information as more becomes available to share. UPDATE: Speaking to Engadget, Xiaomi says that the issue occurred due to a cache update, which made the stills pop up if a user had that camera and that display under poor network conditions. According to the company, only 1,044 users had this setup with a "few" experiencing the poor network connection that would make it appear, and they have fixed the issue on their end. The full statement is available on Engadget's report.