The most recent big iOS update, which makes it easier to opt out of ads that track you across apps and web sites, has sent the digital marketing industry into a bit of a tizzy. That includes Facebook, which has been telling users that tracking helps keep its services “free of charge.” Never fear! Facebook is doing just fine, and choosing to preserve your privacy is not going to result in an Instagram service fee.
Elsewhere in social media privacy news, Twitter rolled out a so-called Tip Jar this week that lets you send money to your favorite users. Which, fine! But it failed to vet how PayPal handles payments, potentially exposing users' home or email addresses when they send or receive a tip. It's yet another reminder that tech companies need to test not just for the security implications of new features, but for their abusability as well.
A former Netflix executive was convicted this week of taking bribes while he was with the company. And the New York Attorney General's Office found that internet service providers flooded the net neutrality comment period with millions of fake submissions.
You should also set aside some time to read our feature on the hacking of Vastaamo, the largest network of mental-health providers in Finland, and the devastating impact on patients when their records were released into the world.
And there's more! Each week we round up all the news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.
The long-promised death of Flash continues to play out longer than it probably should. While Microsoft removed Flash Player from its Edge browser last fall, and Adobe nuked it with an update in January, Flash has managed to hang on as a component of the Windows 10 operating system. But not for long! A pair of updates rolling out in June and July will excise Flash from Windows 10 for good. For all practical purposes, no one really uses Flash anymore, and it hasn't had any official support for months. So while this Windows 10 move is largely a formality, it's a necessary one for your security.
The biggest Peloton news this week is the recall of its Tread and Tread+ treadmills over physical safety concerns. But security researchers also revealed this week that a flaw in the home fitness company's API allowed anyone on the internet to see a Peloton user's age, gender, weight, city, and other data, even if their account was set to private. Peloton has fixed the underlying issue, but it failed to tell the researcher it had done so within the standard 90-day disclosure window.
Speaking of long-overdue fixes! Dell has finally released fixes for a vulnerability in one of its drivers that dates back 12 years, which by this point affects “hundreds of millions” of the company's devices. The good news is, an attacker would have needed access to the targeted computer before they could pull off the attack; it's not something that could have been exploited remotely. The bad news is that it could have allowed a full takeover once that initial foothold was in place. So update your Dell DBUtil driver, if you're in a position to do so! The security researchers who found the flaw are releasing a proof-of-concept in June, and you'll certainly want to be patched before then.
China's Hafnium hacking group made history with its assault on Microsoft Exchange servers earlier this year. But a new report from UK and US intelligence services shows that Russia's SVR—the same group believed to be behind the SolarWinds attack—was quick to scan for vulnerable servers after the flaws came to light. The advisory also includes additional details about the SVR's hacking tools, an attempt to expose the group at the center of Russia's extensive espionage ambitions. Whether the SVR did anything in the course of its hacking that merits the outsized US sanctions response in March remains an open question.