Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Chrome Zero-Days, Cloudflare's Big Oops, and Why Gen Z Uses '12345'
Today, we dive into a massive internet disruption that wasn't a cyberattack, as Cloudflare confirms a service-crashing bug, and we cover the urgent need to patch the seventh Google Chrome zero-day found this year. We also dissect a pervasive WhatsApp screen-sharing scam resulting in major losses and examine why Generation Z has the worst password security habits.
Mike Housch: Welcome back to Cyber Scoops & Digital Shenanigans, the podcast dedicated to tracking the chaos and control in the digital realm. I’m your host, Mike Housch.
Today, we are unpacking some major headlines. We start with the massive Tuesday outage that took down giants like ChatGPT, X, and Shopify, and the surprising truth behind why it happened. Hint: it wasn't the sophisticated nation-state attack some assumed. We’ll also tell you why you need to stop what you are doing and patch Google Chrome immediately, as attackers are already exploiting the seventh zero-day vulnerability discovered this year.
Then, we shift gears to look at the human element of security: social engineering. We have a detailed breakdown of a dangerous WhatsApp screen-sharing scam that is costing users hundreds of thousands of dollars globally. And finally, in a segment I’m calling "Password Pathetic," we look at research showing that the so-called "digital native" Generation Z uses a password that is statistically weaker than their 80-year-old grandparents'.
Before we dive into the deep end, a quick word from our sponsor...
Mike Housch: Let’s start with the operational side of cybersecurity. On Tuesday, a major service disruption hit Cloudflare. This caused outages across a wide range of online platforms, including major services like ChatGPT, X, Dropbox, Shopify, and even the game League of Legends. The incident also reportedly disrupted critical organizations like New Jersey Transit, New York City Emergency Management, and the French national railway company, SNCF.
Initially, Cloudflare reported seeing a “spike in unusual traffic,” which understandably led many in the industry to suspect a major cyberattack, perhaps a Distributed Denial-of-Service or DDoS attack. After all, Cloudflare regularly blocks significant record-breaking DDoS assaults aimed at its customers.
But here’s the scoop: Cloudflare stated that the service disruption was not the result of a hacker attack.
Cloudflare CTO Dane Knecht clarified that the root cause was actually a "latent bug in a service underpinning our bot mitigation capability" that started to crash after a routine configuration change. That configuration change then cascaded into a broad degradation across their network and other services. Knecht called the issue, its impact, and the time to resolution "unacceptable," and noted that work is already underway to prevent recurrence. Cloudflare began investigating the incident at 11:48 UTC and announced a fix at 14:42 UTC, though some errors persisted for two additional hours.
While this particular outage was an internal operational failure, not a cyberattack, it does underscore the widespread fragility of centralized internet infrastructure. Interestingly, the sources point out that it would not be surprising for some hackers, particularly hacktivists, to falsely take credit for such outages.
Now, shifting from an internal bug to a live external threat: Google Chrome users need to pay attention. Google has pushed an emergency patch for a high-severity Chrome bug that is already being exploited in the wild. This vulnerability, tracked as CVE-2025-13223, is a type confusion flaw located in the V8 JavaScript engine.
Crucially, this is the seventh Chrome zero-day vulnerability discovered and patched this year. A type confusion flaw occurs when the engine misinterprets a block of memory as one type of object and then treats it as something else. If chained with other bugs, this can lead to arbitrary code execution and potentially a full system compromise via a crafted HTML page. Google is specifically aware that an exploit for CVE-2025-13223 exists in the wild.
The discovery of this flaw on November 12th is credited to Clément Lecigne from Google's Threat Analysis Group (TAG), who specializes in tracking spyware and nation-state attackers abusing zero-days for espionage. Google also issued a second emergency patch for another V8 type confusion bug, CVE-2025-13224, which was actually found by Google's LLM-based bug hunting tool, Big Sleep.
The message here is crystal clear: If you use Chrome as your web browser, make sure you are running the most recent version, or risk full system compromise.
Mike Housch: Let’s talk about threats that don't need fancy zero-days—they just need human error. Social engineering remains the most powerful weapon in the cybercriminal’s arsenal. We’re tracking a dangerous screen-sharing scam targeting WhatsApp users that has become one of the fastest-growing threats globally.
This scheme exploits WhatsApp’s screen-sharing feature, which was introduced in 2023. The attackers don't rely on sophisticated malware; they rely entirely on psychological manipulation. They place unsolicited WhatsApp video calls, impersonating figures of authority like bank representatives, Meta support agents, or even distressed family members. They often spoof local phone numbers and blur their video feed to conceal their identities.
The core of the attack is creating a false sense of urgency, claiming there are unauthorized credit card charges, suspicious account activity, or pending verification issues. When the victim agrees to share their screen, the attacker gains comprehensive visibility into the user’s smartphone. They can observe passwords, two-factor authentication codes, one-time passwords (OTPs), and banking applications in real time.
In one documented case in Hong Kong, this scam resulted in a loss of HK$5.5 million, which is equivalent to US$700,000.
The ESET security researchers who identified this threat note that it exploits three critical elements: trust established through impersonated authority, urgency created by fabricated threats, and the control granted by screen-sharing.
Alarmingly, once they have screen access, the attackers can manipulate users into installing remote access tools like AnyDesk or TeamViewer, granting the criminals full control of the device. With access to incoming text messages and WhatsApp verification codes, they can hijack the victim’s WhatsApp account, access stored conversations, drain banking accounts, and then impersonate the victim to target friends and family, causing cascading waves of fraud.
The defense against this is non-technical: Users should never share their screen with unknown callers and must independently verify any alarming information through official channels. Additionally, enabling two-step verification in WhatsApp is crucial protection, as it requires a second authentication factor even if credentials are compromised.
Speaking of credentials, let’s talk passwords. A new report by NordPass offers some truly shocking data on password hygiene, or the lack thereof.
The finding? Generation Z, the "Zoomers," are officially worse at passwords than 80-year-olds. NordPass's analysis shows that the most common choice among those born in 1997 or later was "12345," which is weaker than "123456," the password preferred by Millennials, Gen X, and Boomers.
For all age groups globally, "123456" remains the most common password, holding this undesirable crown for the sixth time in seven years. Security experts warn that any variant of these numerical strings can be cracked instantly. Attackers often skip expending resources on cracking and just spray lists of common passwords at authentication APIs for a quick win.
The problem extends into professional life, too. The password "admin" and its variations were among the most common passwords in use in professional environments, ranking as the second most used password globally and the top choice in countries like the US, UK, Canada, and Germany. While NordPass couldn't definitively say whether this was a poor choice or simply default credentials not being changed, other common defaults like "welcome" and "password" also featured heavily.
The only glimmer of hope is that the use of special characters is on the rise, with 32 of the 200 most common passwords containing one, usually an "@" used in place of 'A,' for example, "P@ssw0rd".
The overall conclusion from NordPass is grim: Despite significant awareness efforts, current approaches are failing to drive meaningful change in widespread password hygiene. The recommendation, as always, is to use a password manager and enable multi-factor authentication.
(13:00 - 18:00) Segment 3: Enterprise Risk Roundup: Ransomware, AI Shifts, and Operational Failures
Mike Housch: Moving to enterprise risks, we have updates on two significant ransomware incidents.
First, the Pennsylvania Office of the Attorney General (OAG) has confirmed a data breach following a ransomware attack that occurred earlier this year. The attack, which came to light in August, disrupted the OAG’s website, email accounts, and phone lines for roughly three weeks.
The Inc Ransom group took credit for the attack on September 21st, claiming to have stolen a massive 5.7 terabytes of data. They also falsely claimed to have gained "access to internal network of FBI," a claim that is not substantiated in the notice. The OAG's investigation confirmed potential access to certain files, including those storing personal information like names, Social Security numbers, and medical information. While the OAG stated they had "no evidence of the misuse, or attempted misuse," experts find such statements unconvincing, as ransomware groups typically publish or privately share stolen data. Cybersecurity researcher Kevin Beaumont suggested in September that the OAG was likely penetrated via exploitation of a Citrix NetScaler vulnerability, sometimes dubbed CitrixBleed2.
Meanwhile, in Japan, the country’s largest brewer, Asahi, continues to suffer severe disruption to its domestic order and logistics systems, more than a month after a ransomware attack by the Qilin group. The disruption has been so severe that Asahi was forced to revert to manual processing, cutting beer shipments to approximately 10% of regular volumes during Japan’s peak season, allowing competitors to gain market share.
These incidents underscore the financial and operational reality of ransomware attacks.
Finally, let’s briefly touch on the shifting landscape of security, specifically around AI. The focus on AI security is growing, evidenced by major tech companies expanding their bug bounty programs. Meta paid out $4 million through its bug bounty program in 2025, bringing the total amount awarded since the program's inception to over $25 million. Meta received about 13,000 vulnerability reports this year, rewarding 800 of them. Notable reports included a method for enumerating WhatsApp accounts at scale and an incomplete validation issue in WhatsApp that could trigger processing content from an arbitrary URL. In response to researcher feedback, Meta is creating a tool, the WhatsApp Research Proxy, to analyze the messaging application's network protocol.
Elsewhere, Amazon launched a new private, invite-only AI bug bounty program aimed at strengthening its foundation models, including Amazon Nova. This program focuses on finding security vulnerabilities, biases, and potential for harmful activities like prompt injection.
The push toward AI is driving strategic changes in the cybersecurity firm landscape as well. Cybersecurity firm Deepwatch has laid off roughly a quarter of its workforce—between 60 and 80 employees—as part of a restructuring needed to "accelerate our significant investments in AI and automation" and enhance the company's technology capabilities.
And speaking of AI vulnerability, researchers recently uncovered EchoGram, a new attack technique that undermines common AI defense mechanisms like text classification and 'LLM-as-a-judge' guardrails. EchoGram uses specific token sequences to manipulate the defensive model’s verdict, allowing malicious prompts to be approved or causing false alarms. This systemic vulnerability affects defenses used in major models like GPT-4, Gemini, and Claude.
Mike Housch: What a week. From the accidental global outage caused by a routine configuration change at Cloudflare, to the urgent need to patch Chrome against active zero-day exploitation, and the persistent threat of social engineering, the common theme is vigilance.
Whether it’s a critical bug in a core service, or simply allowing a stranger to view your OTPs via screen-share, the consequences are severe. Remember, defense starts with the basics: patching immediately and practicing extreme skepticism against urgent requests for information or screen-sharing.
That’s all the scoops and shenanigans we have time for this week. Thank you for tuning in. Be safe out there, and we'll catch you next time.