2M Google Dashboards Were One Click From Data Bloodbath
TL;DR
- Google fixes nine critical cross-tenant vulnerabilities in Looker Studio dubbed 'LeakyLooker'
- Xiaomi fails to patch critical miIO protocol vulnerability for over six months despite public disclosure
- North Korea-linked IT workers funnel $800M annually into weapons programs via stolen identities at U.S. and global firms
😱 2 Million Dashboards at Risk: Google Looker Studio’s 48-Hour Global Patch Plugged Critical Cross-Tenant SQL Flaw
2 MILLION Looker Studio dashboards were one click away from a total data bloodbath—like leaving your bank vault open on the internet 😱 Google patched in 48h, but YOUR “Viewer” token could still be a loaded gun. Revoke or roast: when will orgs stop sharing owner keys like candy?
Google’s “fix” for nine Looker Studio holes arrived 48 hours after researchers showed how a single malicious report could suck every row of every tenant’s BigQuery dry—no password, no drama, just one click and your CFO’s dashboard starts bleeding money and PII. Two million active reports across 150 countries sat wide open; CVSS 9.8 translates to “game over” in any language.
How the heist worked
Looker Studio data sources run in one of two credential modes: “Owner’s credentials” (every viewer’s queries hit the backend as the data-source owner, the god-mode token) and “Viewer’s credentials” (each viewer queries with their own identity and permissions).
Attackers slip SQL payloads into connector comments; the server splices them into the query text and happily runs the result with the owner’s credentials.
One click: the victim opens an attacker-crafted report, the injection fires on render, and rows walk out the door.
Response-timing side channels leak data even where the payload itself is encrypted, and because the owner’s project pays for every query a report triggers, a “denial-of-wallet” run of expensive queries can torch a quarter’s cloud budget in minutes.
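The mechanics above boil down to one pattern: report-controlled text spliced into a query that then runs with the data-source owner’s credentials. The block below is an added example, not code from Google or from the LeakyLooker researchers. It reproduces the pattern against a constructed SQLite table standing in for a shared BigQuery dataset, with a parameterized version beside it; the table, its rows and the payload are all made up for illustration.

```python
import sqlite3

# Constructed sample data standing in for a shared BigQuery table that several
# tenants' reports read through one data source.
ROWS = [
    ("acme", "q1_revenue", 120000),
    ("acme", "q2_revenue", 135000),
    ("globex", "payroll_total", 99000),
    ("globex", "customer_pii_export", 1),
]


def owner_connection():
    """Model of a data source in Owner's-credentials mode: one connection that
    can read every tenant's rows, no matter who is viewing the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE metrics(tenant TEXT, name TEXT, value INTEGER)")
    conn.executemany("INSERT INTO metrics VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_report(conn, tenant, metric_filter):
    """Report-controlled text is pasted into the query string (the bug class in
    the list above) and the result runs with the owner's privileges."""
    sql = (
        "SELECT tenant, name, value FROM metrics "
        f"WHERE tenant = '{tenant}' AND name = '{metric_filter}'"
    )
    return conn.execute(sql).fetchall()


def hardened_report(conn, tenant, metric_filter):
    """Same query with bound parameters: the filter value can never change the
    query's shape, so the result stays scoped to the intended tenant."""
    sql = "SELECT tenant, name, value FROM metrics WHERE tenant = ? AND name = ?"
    return conn.execute(sql, (tenant, metric_filter)).fetchall()


# Constructed payload: closes the quoted filter, appends a UNION over the whole
# table, and comments out the trailing quote that the template adds.
PAYLOAD = "x' UNION SELECT tenant, name, value FROM metrics -- "


def tenants_exposed(rows):
    """Distinct tenants present in a result set, sorted for stable comparison."""
    return sorted({tenant for tenant, _, _ in rows})


def demo():
    """Run both query builders with the same payload and summarize the damage."""
    conn = owner_connection()
    leaked = vulnerable_report(conn, "acme", PAYLOAD)
    safe = hardened_report(conn, "acme", PAYLOAD)
    return {
        "vulnerable_rows": len(leaked),
        "vulnerable_tenants": tenants_exposed(leaked),
        "hardened_rows": len(safe),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized query is only half the fix: it stops the query from changing shape, but a data source left in Owner’s-credentials mode still answers every viewer with the owner’s access, which is why the dormant-token audit in the next section matters as much as the patch.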
Impacts
Data: arbitrary SELECT/UPDATE/DELETE on any tenant → intellectual property gone, GDPR fines incoming.
Wallet: BigQuery charges redirected → $250 k per incident is the floor, not the ceiling.
Trust: 44.5 % of cloud breaches now start with software bugs, not stolen passwords—your CISO’s 2026 bingo card just burst into flames.
What Google did (and didn’t)
- Patched globally in 48 h—good.
- Still leaves tenants to hunt dormant owner tokens—classic “we fixed the engine, you find the loose bolts.”
- Promises sandboxed connectors “within 12 months”—translation: circle back next budget cycle.
Timeline
- Next 30 days: telemetry sweeps; if you see alerts, you were already naked.
- Q3 2026: bug-bounty widens; expect more bugs, more PR, same liability shift.
- 2027: zero-trust isolation lands—just in time for the next shared-everything feature nobody asked for.
TL;DR
Multi-tenant analytics is a frat house where every room key opens every door. Patch now, audit your tokens tonight, and maybe—just maybe—your next bar chart won’t end in a bar fight.
😱 460 M Xiaomi Cameras RCE-Open: 16-Byte UDP Packet Owns Global Living-Rooms
460 000 000 Xiaomi cams=open root shell😱—one 16-byte UDP packet & your living-room is now a CN botnet franchise! No patch, no CVE, just free Pwn-As-A-Service🎁. Kill port 54321 or smile for Xi’s cloud—your call, privacy bros!🕵️♂️
Xiaomi has left the door to 460 million living-room cams wide open since February 2025. One 16-byte UDP packet to port 54321 triggers a heap overflow and hands attackers root. No CVE, no patch, no comment—just a GitHub repo dropping full jailbreak scripts last week.
How does this work?
- Malformed miIO message on UDP 54321 → heap overflow in the protocol handler → root shell.
- The PRNG output becomes predictable after 22 packets, so the AES-256 key protecting firmware updates can be recovered.
- A static IV (derived from the device MAC address) means identical plaintext blocks encrypt identically, so the “encryption” leaks structure like festive tinsel.
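The bullets describe the bug class, not the handler. The block below is an added example, not Xiaomi firmware and not code from the GitHub repo mentioned above. It uses the publicly documented miIO header layout (32 bytes: magic 0x2131, declared length, unknown, device id, stamp, then a 16-byte MD5 checksum or token) to contrast a parser that trusts the 16-bit length field with one that checks every field against the datagram actually received and verifies the documented checksum before anything is decrypted. The datagrams and the device token are constructed; the “trusting” function models the bug class and is not a claim about where the real flaw sits.

```python
import hashlib
import struct

# miIO wire format as publicly documented (python-miio, OpenMiHome): a 32-byte
# header of magic(2) | length(2) | unknown(4) | device id(4) | stamp(4) |
# md5 checksum or token(16), followed by the AES-CBC encrypted payload.
MIIO_MAGIC = 0x2131
HEADER_LEN = 32
HEADER_FMT = ">HHIII"          # the first 16 header bytes; checksum/token follows
HELLO_FILL = b"\xff" * 28      # hello probe = magic, length 0x20, then 28 x 0xff


def trusting_payload_len(datagram):
    """Model of the unsafe pattern: believe the declared length and use
    (declared - header) as the copy size. A 16-byte datagram yields a wrapped
    uint16 of 65520, the kind of value a firmware memcpy would act on."""
    _magic, declared = struct.unpack_from(">HH", datagram, 0)
    return (declared - HEADER_LEN) & 0xFFFF


def parse_miio(datagram, token=None):
    """Length-first parser: every field is checked against the bytes actually
    received before anything is copied, decrypted or dispatched."""
    if len(datagram) < HEADER_LEN:
        raise ValueError(f"datagram is {len(datagram)} bytes, header needs {HEADER_LEN}")
    magic, declared, _unknown, did, stamp = struct.unpack_from(HEADER_FMT, datagram, 0)
    if magic != MIIO_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04x}")
    if declared != len(datagram):
        raise ValueError(f"length field says {declared}, received {len(datagram)}")
    tail = datagram[16:32]
    payload = datagram[32:]
    if datagram[4:] == HELLO_FILL:
        return {"hello": True, "did": None, "stamp": None, "payload": b"", "checksum_ok": None}
    result = {"hello": False, "did": did, "stamp": stamp, "payload": payload, "checksum_ok": None}
    if token is not None:
        # Documented integrity check: MD5(first 16 header bytes || token || payload)
        expected = hashlib.md5(datagram[:16] + token + payload).digest()
        result["checksum_ok"] = expected == tail
    return result


def safe_parse(datagram, token=None):
    """Return (parsed, None) on success or (None, reason) when the datagram is rejected."""
    try:
        return parse_miio(datagram, token), None
    except ValueError as exc:
        return None, str(exc)


# Constructed test datagrams (not captured traffic).
HELLO = struct.pack(">HH", MIIO_MAGIC, 0x20) + HELLO_FILL                   # valid 32-byte hello
SHORT = struct.pack(">HH", MIIO_MAGIC, 16) + bytes(12)                      # 16-byte probe, shorter than a header
OVERSTATED = struct.pack(HEADER_FMT, MIIO_MAGIC, 0x0100, 0, 0x01020304, 0x10) + bytes(16)  # 32 bytes claiming 256
TOKEN = bytes.fromhex("00112233445566778899aabbccddeeff")                   # constructed device token
PAYLOAD = bytes(16)                                                         # stands in for one ciphertext block
_HDR16 = struct.pack(HEADER_FMT, MIIO_MAGIC, HEADER_LEN + len(PAYLOAD), 0, 0x01020304, 0x10)
SIGNED = _HDR16 + hashlib.md5(_HDR16 + TOKEN + PAYLOAD).digest() + PAYLOAD  # well-formed, checksummed packet


if __name__ == "__main__":
    print("trusting copy length for 16-byte probe:", trusting_payload_len(SHORT))
    for name, dg in (("HELLO", HELLO), ("SHORT", SHORT), ("OVERSTATED", OVERSTATED), ("SIGNED", SIGNED)):
        print(name, safe_parse(dg, TOKEN))
```

Until a firmware fix exists, the parser is only a reference for what the handler should have done; the practical control for owners of these devices is still dropping inbound UDP 54321 at the router, as the next section notes.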
Impacts
- Privacy: every bedroom stream one wget away → creeps, blackmail, GDPR hell.
- Wallet: Mirai recruits your cam for DDoS → your ISP bill explodes, plus possible €20 M EU fine for Xiaomi.
- Trust: Xiaomi’s IoT trust index already –3 %; retailers eye Hikvision stock.
Who’s reacting?
- Home users: frantic firewall rules; 40 % drop in successful exploits when UDP 54321 is blocked.
- Regulators: CISA, ENISA, China CERT circling; lawyers licking lips.
- Xiaomi: crickets—still won’t join HackerOne.
Outlook
- Next 3 months: scanning surges, no patch; expect third-party firmware wrappers.
- Q4 2026: regulator pressure may force a CVE; fines up to 5 % of annual revenue.
- 2027: legacy cams remain botnet fodder; Xiaomi market share slips below 9 %.
The takeaway: if you wanted a cheap security cam, congratulations—you just bought a remote-controlled bot. Xiaomi’s silence is the loudest feature on the spec sheet.
💥 $800M Crypto-Salary Scam Funds N.Korea Nukes: U.S. Firms Hired Them
$800M in fake salaries = 1 nuke/yr 💸💥 Pyongyang’s “remote workers” are your coworkers’ backdoors, rifling Git repos while HR applauds their ‘grindset’. Laptop farms in TN/CA, crypto laundromat humming—your cloud bill paid the missile. Still outsourcing to the lowest bidder?
North Korean IT ghosts bagged $800 million in 2024 by Photoshopping diplomas, nabbing U.S. salaries, and crypto-laundering the proceeds straight into Kim’s missile piggy-bank. Uncle Sam finally slapped six ring-leaders and froze 21-31 wallets, but the code is already out of the IDE.
How does this work?
- Step 1 – Identity buffet: 870 stolen résumés bought for ~$20 each.
- Step 2 – Laptop farms in California & Co. ship pre-backdoored MacBooks; VPN makes Pyongyang traffic look like Toledo.
- Step 3 – Payroll hits the farm, instant swap to ETH/TRX/BTC, 90 % bounces to weapons slush.
Impacts in one gulp
- Corporate wallets: $1.5 bn crypto heist last year → 100+ firms now leaking IP.
- Hospital in Kansas: ransomware downtime → surgeries postponed.
- Trust in remote hiring: shredded; Upwork fraud up 38 %.
- Missile budget: 40 % of last year’s launches trace back to your “star full-stack dev.”
Current “fixes” vs. reality
- Sanctions: cute, but mixers still spin; freeze-rate projected to drop below 30 % once zk-rollups go mainstream.
- Indictments: 10 U.S. farm hosts busted; ~1,500 operatives still billing from China/Russia/Laos.
- Zero-trust hiring: only 12 % of Fortune 500 use live-video + biometric cross-check—so, yeah, good luck.
Outlook—grab popcorn
- 2026-2027: expect AI deep-fake interviews; revenue dips to ~$600 m, but nukes get a higher cut.
- Q4 2028: laptop-farm raids may rise—five new indictments pencilled—yet synthetic-ID fraud will triple.
- 2030 horizon: if DeFi mixers stay legal, Pyongyang’s cut stays north of half-a-billion; if not, they’ll just code another one.
Bottom line: every unverified hire is a potential crowdfunded warhead. HR, time to trade that “fast onboarding” Kool-Aid for a $15 webcam and a passport scanner—because right now your payroll is the world’s shadiest Kickstarter.
In Other News
- Slopoly AI-generated malware maintains persistent access for over a week without commands
- UK Companies House suspends WebFiling service after vulnerability exposes directors’ home addresses, emails, and birth dates
- Microsoft: global WordPress campaign weaponizing 250+ sites across 12 countries abuses Windows Terminal for payload execution
- EU fines Cloudflare €14 million for resisting Italy’s Piracy Shield, a blocking scheme that has swept up tens of thousands of legitimate sites