Discord Finds Age Identification May Have Privacy Concerns
Digest
This cybersecurity update highlights several critical issues. Discord has halted its age verification experiment with Persona due to user privacy backlash. SolarWinds has released an urgent patch for four critical remote code execution vulnerabilities in its Serv-U software. A high-severity privilege escalation flaw in Splunk Enterprise for Windows allows local users to gain higher access. Additionally, Texas is suing smart TV manufacturers like Samsung and Sony for alleged surveillance through Automated Content Recognition (ACR) technology, which captures viewing data without adequate consent.
Outlines

Cybersecurity News: Discord, SolarWinds, Splunk, and Smart TV Surveillance
This segment covers multiple cybersecurity incidents, including Discord's discontinuation of its age verification experiment with Persona due to user privacy concerns and backlash. It also details critical remote code execution vulnerabilities in SolarWinds Serv-U software, requiring urgent patching, and a high-severity privilege escalation flaw in Splunk Enterprise for Windows. Finally, it discusses lawsuits filed against smart TV manufacturers for alleged surveillance via Automated Content Recognition (ACR) technology.
Keywords
Discord
Paused age verification experiment with Persona due to user privacy concerns and backlash.
Persona
Identity verification provider whose partnership with Discord ended amid privacy concerns.
SolarWinds Serv-U
Software with critical remote code execution vulnerabilities requiring urgent patching.
Privilege Escalation
Vulnerability allowing local users to gain higher system permissions, affecting Splunk Enterprise.
Splunk Enterprise
Software with a high-severity vulnerability enabling local privilege escalation on Windows.
Smart TV Surveillance
Allegations against manufacturers like Samsung and Sony for data collection via ACR technology.
Automated Content Recognition (ACR)
Technology in smart TVs used to capture viewing data, leading to lawsuits over consent.
Remote Code Execution (RCE)
Critical vulnerability type found in SolarWinds Serv-U, allowing remote attackers to run code.
Q&A
Why did Discord end its partnership with Persona?
Discord ended its partnership due to significant user backlash and privacy concerns. Users questioned the extent of data collected by Persona's age verification system, leading to distrust.
What are the main concerns with SolarWinds Serv-U vulnerabilities?
The vulnerabilities allow critical remote code execution, requiring high privileges on the server. Since Serv-U is self-hosted, users must manually upgrade to be protected, leaving many servers exposed.
How can a local user exploit the Splunk Enterprise vulnerability?
Incorrect permissions on the installation directory allow a low-privileged local user to read/write unauthorized files. This can lead to escalating privileges, disrupting logging, tampering with data, or deeper network infiltration.
What is the core allegation in the lawsuits against smart TV manufacturers?
The lawsuits allege that smart TV manufacturers use ACR technology to capture images of what users are watching, transmitting this data without meaningful consent, potentially for advertising or profiling.
Show Notes
Discord Drops Persona Age Verification, SolarWinds Serv-U Critical RCEs, Splunk Windows Priv Esc, and Smart TV Screenshot Surveillance Lawsuits
In this episode of Cybersecurity Today, host Jim Love covers Discord ending its age-verification experiment with Persona after user backlash and researcher findings that Persona's front-end code suggested up to 269 verification checks, including watch list screening and risk scoring, amid already-thin trust following an earlier breach that exposed government ID images.
The show also highlights SolarWinds Serv-U 15.5.0.4 patches for four critical (CVSS 9.1) remote code execution vulnerabilities (CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, CVE-2025-40541), noting they require high privileges and that self-hosted Windows/Linux instances must be upgraded, with estimates ranging from under 1,200 to over 12,000 internet-exposed servers.
Splunk discloses a high-severity Windows privilege escalation flaw (CVE-2025-2386, CVSS 8.0) caused by incorrect install-directory permissions in versions before 10.0.0.2, 9.4.0.6, 9.3.0.8, and 9.2.10, enabling local users to potentially escalate privileges and tamper with logging.
Finally, Texas Attorney General Ken Paxton sues Samsung, Sony, LG, Hisense, and TCL, alleging smart TVs use automated content recognition to capture screen content (potentially up to twice per second) and transmit it without meaningful consent, with implications for both home viewing and confidential business use; the episode emphasizes reviewing and disabling ACR settings and accounting for network-connected screens in security models.
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst
00:00 Sponsor Message Meter
00:20 Discord Age Verification Backlash
01:37 Persona Code Raises Alarms
03:08 SolarWinds Serv-U Critical RCEs
04:51 Splunk Windows Priv Esc
06:18 Smart TV Screenshot Surveillance
08:35 Wrap Up and Sponsor Thanks