A couple of years ago, a judge in Arizona issued a restraining order against journalist Camryn Sanchez at the behest of a state senator, Wendy Rogers. The ordeal was alarming, but press freedom advocates were able to breathe a sigh of relief when the order was struck down by another judge a few weeks later. That Rogers is, well, out of her mind, made it easier to hope that the whole thing was an isolated incident.

Unfortunately, that doesn’t appear to be the case. A Maryland journalist, Will Fries, was recently served with a “peace order” that would’ve barred him from city hall in Salisbury. The order, requested by the city’s communications director (allegedly in coordination with higher-ups), followed Fries’ reporting on the city’s purported policy requiring media inquiries to be routed through its communications office — which officials cited to restrict Fries from asking questions during a committee meeting.

Fortunately, a judge ultimately declined to issue the order. But after the Arizona restraining order and plenty of other instances of local officials claiming bizarre grounds to punish routine newsgathering, it would be a mistake to dismiss Fries’ case as a one-off.

We talked to Fries about the experience via email. Our conversation is below.

Tell us briefly about your background and the kind of reporting you do for The Watershed Observer.

For over a decade, I’ve worked to counter disinformation and malign influence across communities. I’ve done investigative work for nonprofits and tech companies, served on major presidential campaigns, and overseen digital strategy for former Portland (Oregon) Mayor Ted Wheeler (where things got interesting). Most recently, I launched The Watershed Observer to provide communities with faithful reporting at the intersection of local and global issues.

We want to talk about the “peace order,” or restraining order, that a government employee sought against you in Salisbury, but it looks like there’s a bit of press freedom “Inception” going on — that ordeal arose from your reporting on another press freedom issue. What happened on August 6 in Salisbury, Maryland?

Salisbury’s Mayor’s Office claimed the Human Rights Advisory Committee advised him to remove a rainbow crosswalk. In reality, the committee had voted against that and gone on public record disputing the mayor’s communications. I received reports, tips, and outreach, and I reviewed the committee’s approved May meeting minutes.

As a courtesy, I let the committee know ahead of time that I planned to take part in the open, public forum section of their August 6 meeting. After being recognized, when I raised questions about the mayor’s false statement, the mayor’s liaison blocked both me and the committee from discussion, falsely claiming a city policy barred journalists from participating. No such policy exists. Later, the mayor’s comms director sent an email exclusively targeting the Human Rights Committee and their ability to speak with the press and public about their public work, the same group that had raised concerns about the mayor’s misinformation.

The kind of policy that the mayoral staffer cited, that city employees are required to route all media inquiries to a communications office, has been referred to as “censorship by PIO,” or public information officer, because of how it limits the information obtainable by journalists. They’ve repeatedly been held unconstitutional. Putting aside that the commission members weren’t actually city employees subject to the policy — and that even if a city policy could restrict employees from answering certain questions, it certainly can’t block reporters from asking them — how have you observed these policies impacting the press?

The city’s actions had a tangible chilling effect. After the comms director’s email, some committee members hesitated to go on record, while others only spoke confidentially. In practice, this limited the committee’s ability to speak publicly about human rights issues or potential concerns regarding the mayor and his staff.

“If someone is a nongovernment actor who produces media to be consumed by the public, they are press. The idea of official versus unofficial press is a ridiculous invention.”

Will Fries

I say actions, not policy, because there is no legitimate city policy banning journalists from participating in public meetings, and such a rule would serve no legitimate purpose. The false claim and creation of policy was fabricated in the moment to intimidate and coerce members of the public body, and me, in order to suppress participation in further discussing the mayor’s office’s gross misrepresentation of the committee’s public work. Its only purpose was to block accountability and prevent scrutiny.

I noticed in some correspondence, the comms director seems to refer to you as someone who claims to be a member of the media, and distinguishes between what she sees as official and unofficial press. As an independent journalist, how do you think city officials should determine who is or isn’t really the press? Or should they at all?

If someone is a nongovernment actor who produces media to be consumed by the public, they are press. The idea of “official” versus “unofficial” press is a ridiculous invention, completely at odds with constitutional protections and civic norms. The city of Salisbury has no legitimate policy distinguishing “real” from “not real” press, nor could it. That notion exists only to imply the city can ignore questions or accountability from anyone they don’t consider “official press.” They can’t. In Maryland, our Declaration of Rights explicitly extends the freedom of the press to “every citizen,” and many states have similar protections.

Talk about the follow-up reporting you did, or tried to do, after the August 6 meeting.

After the August 6 meeting, I did what any responsible journalist would do: I followed up. I gave the city employee a chance to clarify. I reached out to the mayor’s comms director for confirmation and comment. I also shared my reporting with the committee, inviting them to add their perspectives. Instead of engaging, the comms director issued an email exclusively to the Human Rights Advisory Committee, discouraging members from speaking to the press or the public. They spread falsehoods about me and my reporting in retaliation, rather than investigate the reality themselves or address the underlying facts of the mayor’s misinformation about the Human Rights Committee and mayor’s staff improperly interfering at the August 6 meeting. I also filed public records requests to learn more about the city’s processes and policies.

Then you got the peace order from the mayor’s comms director. Which allegations in the peace order application do you contend were factually false, and did the city ever present any evidence that those allegations were, in fact, true?

The comms director falsely claimed I was behind a nonthreatening and fact-forward whistleblower email that raised serious ethical concerns about her conduct, and petitioned that this, combined with my public records requests, somehow were grounds for a peace order. Those allegations were unfounded, baseless, and unsupported by any evidence. The petition functioned solely as retaliation against protected activities and now fits into an observable pattern of the city disregarding realities.

I’ve had a long investigatory career, and I am aware of other instances where peace orders have been misused as tools to discredit reporters and witnesses, or to intimidate people participating in serious investigations. At the same time, it’s important for everyone to recognize that lawful peace orders serve an important and serious purpose: They protect individuals from genuine threats and ensure safety in difficult circumstances. I believe that misuse and abuse of peace orders is rare.

So stripping away the allegations you dispute, what’s left is essentially that you sought comment for stories from the comms director, filed public records requests, and voiced your displeasure with how officials had characterized your reporting. That all sounds like routine journalistic conduct (especially when city policy doesn’t allow you to talk to anyone else besides the comms director) and a pretty open-and-shut case. Was it easy to get this thrown out?

Once all false statements and disprovable allegations are removed, what remains is professional conduct and routine journalism: seeking comment, filing records requests, and following up on city actions, activities documented by journalists every day. It’s concerning that it went as far as a court proceeding, but the judge ultimately ruled there was no basis for the petition.

Do you think higher-ups at the city had anything to do with the effort to obtain a peace order against you, which, incidentally, would have restricted you from entering city headquarters?

During sworn testimony, the mayor’s comms director acknowledged she pursued the peace order with encouragement and guidance from the city solicitor’s office and the Police Department. If that testimony were false, it would amount to perjury. In addition, I have received reports from trusted sources that an elected official may have personally participated. All of this indicates the effort wasn’t an isolated action by one employee, but part of a broader institutional attempt to retaliate against a reporter and restrict reporting access.

The U.S. Press Freedom Tracker, a project of Freedom of the Press Foundation (FPF), only has one case documented in which a judge knowingly entered a restraining order against a journalist (the Tracker is not documenting your case because the court declined to issue the order). That case involved a state senator in Arizona who objected to a reporter knocking on her door, and the order was later overturned. But there have been plenty of cases involving reporters being arrested, ticketed, investigated, sued, raided, or criminally charged over routine journalism. How do you think what happened to you fits into this broader national trend of local authorities retaliating against the press for doing its job?

We are seeing instances in which some people with public responsibilities respond to journalists with resistance or retaliation rather than openness. These actions rarely arise from legitimate concern and more often reflect institutional reluctance to confront reality or uphold accountability. In some cases, public officials entrusted with serving their communities treat engagement and transparency as risks rather than obligations. The healthiest communities are built on leaders who stay open, accountable, and ready to face tough questions from the public and the press.

Everyone has a responsibility to support press freedom, including journalists, city employees, and members of the public. Sometimes that responsibility is as simple as subscribing to a news outlet. Other times, it involves asking hard questions and sharing difficult truths with the public. And in some cases, it requires taking personal risks, including facing arrest or accusations, to advance public interests.

In this climate, we all have a responsibility to ask ourselves the hard questions about what we each can do to strengthen a free and transparent society.

freedom.press/issues/journalis…

Dear Friend of Press Freedom,

For 157 days, Rümeysa Öztürk has faced deportation by the United States government for writing an op-ed it didn’t like, and for 76 days, Mario Guevara has been imprisoned for covering a protest. Read on for more, and click here to subscribe to our other newsletters.

Government excuses for Öztürk secrecy are insulting

A recent court filing suggests the U.S. government is abusing the Freedom of Information Act to hide potentially damning evidence about its March arrest of Öztürk over her co-authorship of an op-ed criticizing Israel.

The government told Freedom of the Press Foundation (FPF), in response to a lawsuit we’ve filed for Öztürk’s records, that releasing them would be an invasion of privacy, although it’s not clear whose. Read more here. And to learn more about our FOIA work, subscribe to our secrecy newsletter, The Classifieds.

• SUBSCRIBE

Stop congressional secrecy bill

A new legislative proposal – almost identical to one we opposed in 2023 – would allow members and even former members of Congress to compel the censorship of a broad range of information that journalists and others are constitutionally entitled to publish.

It would impede journalists’ and watchdogs’ efforts to, for example, check property, vehicle or travel records to investigate bribery allegations, monitor lawmakers leaving their districts during emergencies, scrutinize potential financial conflicts impacting policy positions, and a myriad of other newsworthy matters. We collaborated with our friends at Defending Rights & Dissent on a petition to lawmakers to stop this censorial proposal. Contact your senator here.

Police: Don’t impersonate journalists

We told you last week that police in Eugene, Oregon, said they’d stop putting their videographers in “PRESS” vests. Great.

But the practice was disturbing enough that we thought police in Eugene and elsewhere needed to understand the dangers of government employees posing as journalists — from providing propagandists with greater access than real journalists to exposing journalists and police officers alike to the risk of assault.

We led a letter from press and liberties groups to Eugene’s police chief, copying national associations of police communications personnel.Read it here.

Another journalist restraining order

A couple years ago, a judge in Arizona issued a restraining order against journalist Camryn Sanchez at the behest of a state senator, Wendy Rogers. That ordeal was alarming, but press freedom advocates were able to breathe a sigh of relief when the order was struck down by another judge a few weeks later. That Rogers is, well, out of her mind, made it easier to hope that the whole thing was an isolated incident.

Unfortunately, that doesn’t appear to be the case. Maryland journalist Will Fries was recently served with a “peace order” that would’ve barred him from city hall in Salisbury. Fortunately, a judge ultimately declined to issue the order, but after the Arizona restraining order and plenty of other instances of local officials claiming bizarre grounds to punish routine newsgathering, it would be a mistake to dismiss Fries’ case as a one-off.

We talked to Fries about the experience via email. Read the conversation here.

What we’re reading

Israel’s killing of six Gaza journalists draws global condemnation (Al Jazeera). We told Al Jazeera that “Any story that quotes an Israeli official or references Israeli allegations should say that Israel does not allow the international press to verify its claims and kills the local journalists who try.”

Homeland Security tells watchdog it hasn’t kept text message data since April (The New York Times). We told the Times that “Agencies cannot get away from responding to FOIA requests by intentionally degrading their capabilities … This is like a fire department saying, ‘We don’t have a hose, so we’re not going to put out the fires anymore.’”

Accepted at universities, unable to get visas: inside Trump’s war on international students (The Intercept). “An intrepid reporter who wants to use his time in America to become an even more effective watchdog against government corruption is an undesirable in the eyes of a corrupt government like ours,” we told The Intercept about journalist Kaushik Raj’s student visa denial.

News groups ask judge to increase protections for journalists covering LA protests (Courthouse News). The federal government apparently believes that assaulting journalists covering protests is legal because “videotaping can lead to violence.” The First Amendment says otherwise.

The student newspaper suing Marco Rubio over targeted deportations (The Intercept). “It does not matter if you’re a citizen, here on a green card, or visiting Las Vegas for the weekend — you shouldn’t have to fear retaliation because the government doesn’t like what you have to say,” Conor Fitzpatrick of the Foundation for Individual Rights and Expression told The Intercept.

Lack of local news tied to government secrecy, new report says (Medill Local News Initiative). A new study by the Brechner Center for the Advancement of the First Amendment shows that states with more newspapers are more likely to respond to records requests, and states with fewer papers are more likely to ignore them.

Public broadcast cuts hit rural areas, revealing a political shift (The New York Times). Rural stations in Alaska and elsewhere may no longer have the bandwidth to send emergency alerts. That could be the difference between life and death.

Opinion: D.C. must invest in local news (The 51st). Funding local news by directing public grants through consumer coupons is a creative way to address the local news crisis. Local governments must act to keep community news from dying.

freedom.press/issues/governmen…

If you haven’t been following [Will Cogley]’s animatronic adventures on YouTube, you’re missing out. He’s got a good thing going, and the latest step is an adorable robot that tracks you with its own eyes.

Yes, the cameras are embedded inside the animatronic eyes.That was a lot easier than expected; rather than the redesign he was afraid of [Will] was able to route the camera cable through his existing animatronic mechanism, and only needed to hollow out the eyeball. The tiny camera’s aperture sits nigh-undetectable within the pupil.

On the software side, face tracking is provided by MediaPipe. It’s currently running on a laptop, but the plan is to embed a Raspberry Pi inside the robot at a later date. MediaPipe tracks any visible face and calculates the X and Y offset to direct the servos. With a dead zone at the center of the image and a little smoothing, the eye motion becomes uncannily natural. [Will] doesn’t say how he’s got it set up to handle more than one face; likely it will just stick with the first object identified.

Eyes aren’t much by themselves, so [Will] goes further by creating a little robot. The adorable head sits on a 3D-printed tapered roller bearing atop a very simple body. Another printed mechanism allows for pivot, and both axes are servo-controlled, bringing the total number of motors up to six. Tracking prefers eye motion, and the head pivots to follow to try and create a naturalistic motion. Judge for yourself how well it works in the video below. (Jump to 7:15 for the finished product.)

We’ve featured [Will]’s animatronic anatomy adventures before– everything from beating hearts, and full-motion bionic hands, to an earlier, camera-less iteration of the eyes in this project.

Don’t forget if you ever find yourself wading into the Uncanny Valley that you can tip us off to make sure everyone can share in the discomfort.

youtube.com/embed/IPBu5Q2aogE?…

hackaday.com/2025/08/28/animat…

I ricercatori della Reichman University (Israele) hanno descritto in dettaglio in un articolo sulla rivista Nature Electronics i crescenti rischi e minacce derivanti da fattori naturali e artificiali sui cavi di comunicazione sottomarini, che costituiscono la spina dorsale dell’infrastruttura Internet globale e trasmettono oltre il 95% del traffico dati internazionale.

ezstandalone.cmd.push(function () { ezstandalone.showAds(604); });
Tra gli esempi da loro citati figurano un’eruzione vulcanica nel 2022 che ha causato uno tsunami e onde d’urto sottomarine che hanno interrotto il collegamento in fibra ottica tra il Regno di Tonga e la Repubblica delle Figi, facendo sprofondare la nazione insulare nell’isolamento digitale.

Nell’ultimo anno e mezzo, diversi nuovi incidenti hanno messo in luce la vulnerabilità delle infrastrutture via cavo. Linee sottomarine principali nel Mar Rosso, nel Mar Baltico e nell’Oceano Pacifico sono state danneggiate, in alcuni casi probabilmente intenzionalmente.

ezstandalone.cmd.push(function () { ezstandalone.showAds(612); });
I danni ai cavi principali causati da ancore o reti a strascico d’altura provocano frequenti interruzioni e la crescente tendenza a danneggiare in modo mirato aumenta il rischio di arresti intenzionali con gravi conseguenze. L’articolo presenta indicazioni scientificamente fondate per la modernizzazione dell’infrastruttura di comunicazione globale, basate su tre sistemi alternativi in grado di ridurre la dipendenza dalla vulnerabilità dei cavi sottomarini.

La prima opzione è rappresentata dalle reti satellitari per le comunicazioni laser. Costellazioni satellitari in orbita terrestre bassa sono già state create nell’ambito di progetti NASA e del sistema Starlink. Possono fornire velocità di trasferimento dati paragonabili alla fibra ottica, senza rischi sismici o geopolitici. I progressi nell’ottica adattiva e nei canali di comunicazione intersatellitare ad alta velocità consentono di contrastare efficacemente gli effetti delle interferenze atmosferiche.

La seconda soluzione è rappresentata dalle piattaforme aeree ad alta quota basate su droni alimentati a energia solare e dirigibili stratosferici. Gli sviluppi in questo campo non sono ancora completi, ma i prototipi hanno dimostrato che tali piattaforme possono fornire un’infrastruttura internet flessibile e resiliente.

ezstandalone.cmd.push(function () { ezstandalone.showAds(613); });
Un terzo approccio prevede la creazione di reti wireless ottiche sottomarine autonome basate su più veicoli robotici dotati di laser blu-verdi che formano una rete dinamica di canali di comunicazione ottica a corto raggio. Tali sistemi possono fornire ridondanza critica per i cavi operativi. Sono particolarmente promettenti per applicazioni militari, per l’energia in acque profonde e per il monitoraggio ambientale.

Ma la ridondanza dei cavi da sola non è sufficiente a contrastare le minacce del XXI secolo, dai disastri geologici ai conflitti geopolitici. È necessaria una reale diversificazione dell’infrastruttura digitale globale, sostengono gli autori dello studio.

L'articolo I cavi di sottomarini sono vulnerabili! Servono nuove strategie proviene da il blog della sicurezza informatica.

There’s a dizzying number of specialist 3D printing materials out there, some of which do try to offer an alternative to PLA, PA6, ABS, etc., while others are happy to stay in their own niche. Polyvinylidene fluoride (PVDF) is one of these materials, with the [My Tech Fun] YouTube channel recently getting sent a spool of PVDF for testing, which retails for a cool $188.
Some of the build plate carnage observed after printing with PVDF. (Credit: My Tech Fun, YouTube)
Reading the specifications and datasheet for the filament over at the manufacturer’s website it’s pretty clear what the selling points are for this material are. For the chemists in the audience the addition of fluoride is probably a dead giveaway, as fluoride bonds in a material tend to be very stable. Hence PVDF ((C₂H₂F₂)_n) sees use in applications where strong resistance to aggressive chemicals as well as hydrolysis are a requirement, not to mention no hygroscopic inclinations, somewhat like PTFE and kin.

In the video’s mechanical testing it was therefore unsurprising that other than abrasion resistance it’s overall worse and more brittle than PA6 (nylon). It was also found that printing this material with two different FDM printers with the required bed temperature of 110°C was somewhat rough, with some warping and a wrecked engineering build plate in the Bambu Lab printer due to what appears to be an interaction with the usual glue stick material. Once you get the print settings dialed in it’s not too complicated, but it’s definitely not a filament for casual use.

youtube.com/embed/tYyk9kOpGOE?…

hackaday.com/2025/08/28/pvdf-t…

A few days ago we brought you word that Google was looking to crack down on “sideloaded” Android applications. That is, software packages installed from outside of the mobile operating system’s official repository. Unsurprisingly, a number of readers were outraged at the proposed changes. Android’s open nature, at least in comparison to other mobile operating systems, is what attracted many users to it in the first place. Seeing the platform slowly move towards its own walled garden approach is concerning, especially as it leaves the fate of popular services such as the F-Droid free and open source software (FOSS) repository in question.

But for those who’ve been keeping and eye out for such things, this latest move by Google to throw their weight around isn’t exactly unexpected. They had the goodwill of the community when they decided to develop an open source browser engine to keep the likes of Microsoft from taking over the Internet and dictating the rules, but now Google has arguably become exactly what they once set out to destroy.

Today they essentially control the Internet, at least as the average person sees it, they control 72% of the mobile phone OS market, and now they want to firm up their already outsized control which apps get installed on your phone. The only question is whether or not we let them get away with it.

Must be This High to Ride

First, “sideloading”. The way you’re supposed to install apps on your Android device is through the Google Play store, and maybe your phone manufacturer’s equivalent. All other sources are, by default, untrusted. What used to be refreshing about the Android ecosystem, at least in comparison, was how easy it was to sideload an application that didn’t come directly from, and profit, Big G. That is what’s changing.

Of course, the apologists will be quick to point out that Google isn’t taking away the ability to sideload applications on Android. At least, not on paper. What they’re actually doing is making it so sideloaded applications need to be from a verified developer. According to their blog post on the subject, they have no interest in the actual content of the apps in question, they just want to confirm a malicious actor didn’t develop it.

The blog post attempts to make a somewhat ill-conceived comparison between verifying developer identities with having your ID checked at the airport. They go on to say that they’re only interested in verifying each “passenger” is who they say they are for security purposes, and won’t be checking their “bags” to make sure there’s nothing troubling within. But in making this analogy Google surely realizes — though perhaps they hope the audience doesn’t pick up on — the fact that the people checking ID at the airport happen to wear the same uniforms as the ones who x-ray your bags and run you through the metal detector. The implication being that they believe checking the contents of each sideloaded package is within their authority, they have simply decided not to exercise that right. For now.

Conceptually, this initiative is not unlike another program Google announced this summer: OSS Rebuild. Citing the growing risk of supply chain attacks, where malicious code sneaks into a system thanks to the relatively lax security of online library repositories, the search giant offers a solution. They propose setting up a system by which they not only verify the authors of these open source libraries, but scan them to make sure the versions being installed match the published source code. In this way, you can tell that not only are you installing the authentic library, but that no rogue code has been added to your specific copy.

Google the Gatekeeper

Much like verifying the developer of sideloaded applications, OSS Rebuild might seem like something that would benefit users at first glance. Indeed, there’s a case to be made that both programs will likely identify some low-hanging digital fruit before it has the chance to cause problems. An event that you can be sure Google will publicize for all it’s worth.

But in both cases, the real concern is that of authority. If Google gets to decide who a verified developer is for Android, then they ultimately have the power to block whatever packages they don’t like. To go back to their own airport security comparison, it would be like if the people doing the ID checks weren’t an independent security force, but instead representatives of a rival airline. Sure they would do their duty most of the time, but could they be trusted to do the right thing when it might be in their financial interests not to? Will Google be able to avoid the temptation to say that the developers of alternative software repositories are persona non grata?

Even more concerning, who do you appeal to if Google has decided they don’t want you in their ecosystem? We’ve seen how they treat YouTube users that have earned their ire for some reason or another. Can developers expect the same treatment should they make some operational faux pas?

Let us further imagine that verification through OSS Rebuild becomes a necessary “Seal of Approval” to be taken seriously in the open source world — at least in the eyes of the bean counters and decision makers. Given Google’s clout, it’s not hard to picture such an eventuality. All Google would have to do to keep a particular service or library down is elect not to include them in the verification process.

Life Finds a Way

If we’ve learned anything about Google over the years, it’s that they can be exceptionally mercurial. They’re quick to drop a project and change course if it seems like it isn’t taking them where they want to go. Even projects that at one time seemed like they were going to be a pivotal part of the company’s future — such as Google+ — can be kicked to the curb unceremoniously if the math doesn’t look right to them. Indeed, the graveyard of failed Google initiatives has far more headstones than the company’s current roster of offerings.

Which is so say, that there’s every possibility that user reaction to this news might be enough to get Google to take a different tack. Verified sideloading isn’t slated to go live until 2027 for most of the world, although some territories will get it earlier, and a lot can happen between now and then.

Even if Google goes through with it, they’ve already offered something of an olive branch. The blog post mentions that they intend to develop a carve out in the system that will allow students and hobbyists to install their own self-developed applications. Depending on what that looks like, this whole debate could be moot, at least for folks like us.

In either event, the path would seem clear. If we want to make sure there’s choice when it comes to Android software, the community needs to make noise about the issue and keep the pressure on. Google’s big, but we’re bigger.

hackaday.com/2025/08/28/the-br…

Un esperto di sicurezza ha scoperto che sei dei gestori di password più diffusi, utilizzati da decine di milioni di persone, sono vulnerabili al clickjacking, un fenomeno che consente agli aggressori di rubare credenziali di accesso, codici di autenticazione a due fattori e dati delle carte di credito.

ezstandalone.cmd.push(function () { ezstandalone.showAds(604); });
Il problema è stato segnalato per la prima volta dal ricercatore indipendente Marek Tóth, che ha presentato un rapporto sulle vulnerabilità alla recente conferenza di hacker DEF CON 33. Le sue scoperte sono state successivamente confermate dagli esperti di Socket, che hanno contribuito a informare i fornitori interessati e a coordinare la divulgazione pubblica delle vulnerabilità.

Ha testato il suo attacco su varianti specifiche di 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass e LogMeOnce e ha scoperto che tutte le versioni del browser potevano far trapelare dati sensibili in determinati scenari.

ezstandalone.cmd.push(function () { ezstandalone.showAds(612); });
Gli aggressori possono sfruttare le vulnerabilità quando le vittime visitano pagine dannose o siti vulnerabili ad attacchi XSS o al cache poisoning. Di conseguenza, gli aggressori sono in grado di sovrapporre elementi HTML invisibili all’interfaccia del gestore delle password. L’utente penserà di interagire con innocui elementi cliccabili sulla pagina, ma in realtà attiverà il riempimento automatico, che “trapelerà” le sue informazioni riservate agli hacker.

L’attacco si basa sull’esecuzione di uno script su un sito web dannoso o compromesso. Questo script utilizza impostazioni di trasparenza, sovrapposizioni o eventi puntatore per nascondere il menu a discesa di compilazione automatica del gestore password del browser. Allo stesso tempo, l’aggressore sovrappone elementi falsi e fastidiosi alla pagina (come banner di cookie, pop-up o CAPTCHA). Tuttavia, i clic su questi elementi conducono a controlli nascosti del gestore delle password, che portano alla compilazione di moduli con informazioni riservate.

Ha dimostrato diversi sottotipi DOM e exploit dello stesso bug: manipolazione diretta dell’opacità dell’elemento DOM, manipolazione dell’opacità dell’elemento radice, manipolazione dell’opacità dell’elemento padre e sovrapposizione parziale o completa.

ezstandalone.cmd.push(function () { ezstandalone.showAds(613); });
Il ricercatore ha anche dimostrato l’utilizzo di un metodo in cui l’interfaccia utente segue il cursore del mouse e, di conseguenza, qualsiasi clic dell’utente, ovunque si trovi, attiva il riempimento automatico dei dati. Allo stesso tempo, Toth ha sottolineato che lo script dannoso può rilevare automaticamente il gestore di password attivo nel browser della vittima e quindi adattare l’attacco a un obiettivo specifico in tempo reale.

Di conseguenza, il ricercatore ha testato 11 gestori di password per individuare la vulnerabilità al clickjacking e ha scoperto che tutti erano vulnerabili ad almeno uno dei metodi di attacco. Sebbene Toth avesse informato tutti i produttori dei problemi già nell’aprile 2025 e li avesse anche avvisati che la divulgazione pubblica delle vulnerabilità era prevista per DEF CON 33, non ci fu alcuna risposta immediata. La scorsa settimana, Socket ha contattato nuovamente gli sviluppatori per ribadire la necessità di assegnare CVE ai problemi nei prodotti interessati.

I rappresentanti di 1Password hanno definito il rapporto del ricercatore “informativo”, sostenendo che il clickjacking è una minaccia comune da cui gli utenti dovrebbero essenzialmente proteggersi. Anche gli sviluppatori di LastPass hanno trovato il rapporto “informativo” e Bitwarden ha riconosciuto i problemi e, sebbene l’azienda non li abbia considerati gravi, le correzioni sono state implementate nella versione 2025.8.0, rilasciata la scorsa settimana. I seguenti gestori di password, che complessivamente contano circa 40 milioni di utenti, sono attualmente vulnerabili agli attacchi di clickjacking:

ezstandalone.cmd.push(function () { ezstandalone.showAds(614); });

• 1Password 8.11.4.27
• Bitwarden 2025.7.0
• Enpass 6.11.6 (correzione parziale implementata nella versione 6.11.4.2)ezstandalone.cmd.push(function () { ezstandalone.showAds(615); });
• Password iCloud 3.1.25
• LastPass 4.146.3
• LogMeOnce 7.12.4ezstandalone.cmd.push(function () { ezstandalone.showAds(616); });

Le patch sono già state implementate nei loro prodotti: Dashlane (v6.2531.1 rilasciata il 1° agosto), NordPass, ProtonPass, RoboForm e Keeper (17.2.0 rilasciata a luglio). Ora si consiglia agli utenti di assicurarsi di aver installato le versioni più recenti disponibili dei prodotti.

L'articolo I gestori di password più diffusi, tra cui LastPass, 1Password e Bitwarden sono vulnerabili al clickjacking proviene da il blog della sicurezza informatica.