Signalgate solved? Reports claim accidental contact mix-up • The Register


April 6, 2025


Infosec in Brief How did journalist Jeffrey Goldberg’s phone number end up in a Signal group chat? According to The Guardian, US national security adviser Mike Waltz accidentally saved it into the contact file of a campaign staffer who later took a job as a US National Security Council official.

A Sunday report, citing sources familiar with a White House investigation into the matter, claims that during the 2024 US election campaign Goldberg emailed the Trump campaign with questions for a story.

That email reached campaign staffer Brian Hughes, who apparently wanted Waltz – then a surrogate spokesperson for the Trump campaign – to be aware of Goldberg’s inquiries so he could offer informed comment if a story appeared.

Hughes therefore sent Goldberg’s inquiry, which included the journalist’s phone number, to Waltz.

Waltz then reportedly saved Goldberg’s phone number into his contact file for Hughes.

Several months after that exchange, Hughes was working at the National Security Council and Waltz decided to include him in the now-infamous “Houthi PC small group” Signal group he used to discuss a planned attack on Houthi rebels in Yemen.

As the phone number he’d saved for Hughes was actually Goldberg’s, the journalist was invited to the group.

The rest is history: Goldberg reported that Trump administration officials used Signal instead of the US government’s own secure comms channels, putting sensitive info at risk and perhaps violating government records-keeping requirements.

The Guardian report emerged after Politico reported Waltz may have set up 20 or more chats in which sensitive government info was discussed on Signal.

Citing four unnamed sources, Politico reported discussions on Ukraine, China, and Gaza were conducted on Signal.

“Waltz built the entire [National Security Council] communications process on Signal,” one of the sources told Politico.

Google re-patches Quick Share flaws it flubbed first time around

Google botched a fix for 10 vulnerabilities in the Windows version of its Quick Share data transfer software, according to researchers at attack simulation firm SafeBreach.

The vulns were discussed by SafeBreach in August 2024 at the DefCon conference, where the company’s researchers explained they could be chained to achieve full remote code execution on any Windows machine that had Quick Share enabled.

Google responded to the vulnerabilities, dubbed “QuickShell,” by issuing fixes for CVE-2024-38271 and CVE-2024-38272, and updating Quick Share.

In a blog post published last week, SafeBreach research team leader Or Yair reported his testing of the QuickShell patches uncovered a pair of serious shortcomings.

The first alleged mistake was in Google’s fix for a remote denial of service issue triggered by file names with invalid UTF8 continuation bytes. Yair and his colleague Shmuel Cohen claim Google’s fixes only solved the problem for files they provided as proofs of concept for the flaw.

“Google added code that verifies that file names do not start with specifically null terminators,” Yair wrote. “We could still exploit this vulnerability by using a file name that contains a different invalid UTF8 continuation byte.”
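As an added illustration of the symptom-versus-root-cause point (this is not Google’s or SafeBreach’s code, and Quick Share’s internals are not shown): a narrow check that rejects only names beginning with a null terminator, beside a full UTF-8 validator that rejects any malformed continuation byte, run over constructed file names.

```python
# Added illustration (not Google's or SafeBreach's code); sample names are constructed.
def symptom_check(name: bytes) -> bool:
    """Narrow fix: reject only names that start with a null terminator."""
    return not name.startswith(b"\x00")

def is_valid_utf8(name: bytes) -> bool:
    """RFC 3629 validation: each lead byte needs the right count of 10xxxxxx
    continuation bytes; overlongs, surrogates and > U+10FFFF are rejected."""
    i, n = 0, len(name)
    while i < n:
        b = name[i]
        if b < 0x80:                         # ASCII, no continuation needed
            need, lo, hi = 0, 0x80, 0xBF
        elif 0xC2 <= b <= 0xDF:              # 2-byte (C0/C1 would be overlong)
            need, lo, hi = 1, 0x80, 0xBF
        elif 0xE0 <= b <= 0xEF:              # 3-byte
            need = 2
            lo = 0xA0 if b == 0xE0 else 0x80   # no overlong form
            hi = 0x9F if b == 0xED else 0xBF   # no UTF-16 surrogates
        elif 0xF0 <= b <= 0xF4:              # 4-byte
            need = 3
            lo = 0x90 if b == 0xF0 else 0x80   # no overlong form
            hi = 0x8F if b == 0xF4 else 0xBF   # cap at U+10FFFF
        else:                                # stray continuation byte or F5..FF
            return False
        if i + need >= n:                    # sequence truncated at end of name
            return False
        for j in range(1, need + 1):
            lo_j, hi_j = (lo, hi) if j == 1 else (0x80, 0xBF)
            if not lo_j <= name[i + j] <= hi_j:
                return False
        i += need + 1
    return True

def root_cause_check(name: bytes) -> bool:
    """Reject every malformed name, not just the PoC's shape; NUL is refused too."""
    return is_valid_utf8(name) and b"\x00" not in name

# Constructed names; "bad_continuation" is the input class a NUL-only check misses.
SAMPLES = {
    "plain": b"report.txt",
    "nul_prefix": b"\x00report.txt",
    "bad_continuation": b"repo\xc3(t.txt",   # C3 expects 10xxxxxx, gets '('
    "stray_continuation": b"\x80report.txt",
    "overlong": b"\xe0\x80\x80.txt",
    "valid_multibyte": "caf\u00e9.txt".encode("utf-8"),
}

def evaluate() -> dict:
    return {k: (symptom_check(v), root_cause_check(v)) for k, v in SAMPLES.items()}
```

The second tuple element is what a root-cause fix yields; the first shows how the NUL-only check waves through every malformed name that does not happen to begin with a zero byte.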

The second mistake saw Google attempt, and apparently fail, to patch a remote unauthorized file write issue in the exploit chain. SafeBreach asserts that Google’s fix doesn’t prevent unauthorized writes, and only deleted a single file when a Quick Share session ends.

“Our assumption was that [sending a second file] might confuse Quick Share into thinking that there was only one ‘Unknown File’ to delete,” Yair predicted. “Our hypothesis was confirmed.”

Google has since issued yet another CVE and fix for the issue. Quick Share for Windows version 1.0.2002.2 and more recent versions include the fix.

Yair said this should serve as a lesson to fix problems, not symptoms.

“Even when code is complex, vendors should always address the real root cause of vulnerabilities that they fix,” Yair concluded of the whole QuickShell saga. “The implications are relevant to the software industry as a whole.”

Critical vulnerabilities of the week: It’s April, fools

Apache last week released version 1.15.1 of its Parquet general-purpose columnar file format, in part to address the CVSS 10.0 vulnerability CVE-2025-30065. The vuln allows attackers to execute arbitrary code.

Cisco last week warned that two flaws in its Smart Licensing Utility are being exploited. The flaws can allow an unauthenticated, remote attacker to collect information, or perform administrator-level tasks, on affected systems while the software is running. Cisco updated the Utility in September 2024.

Fediverse bug bounty launched

Security researchers interested in open source and distributed software, take notice: Open source governance foundation Nivenly is launching a limited bug bounty trial program for anyone able to suss out security flaws in Mastodon, Lemmy, Funkwhale, PeerTube and other eligible “Fediverse” projects.

According to a blog post published last week, Nivenly is offering $250 for anyone who identifies a vulnerability or contributes a patch for a flaw with a CVSS score of between 7.0 and 8.9, while critical vulnerabilities with a CVSS score of 9.0+ will be worth $500.

As this is a “time and funds limited” run, there’s $5,000 up for grabs between now and September 30, 2025. Individual contributors are only eligible for up to $1,000 in payouts.

The Fediverse is a loose alliance of social media services that allow the content they carry to be federated into a single feed if users choose to do so.

Baltimore bilked in ‘sophisticated’ vendor fraud scheme

The city government of Baltimore, Maryland last week admitted it lost almost a million dollars after falling victim to a sophisticated vendor impersonation scam.

According to local news sources, an unknown miscreant spent months posing as a vendor employee, using classic vendor impersonation tricks like changing the vendor’s bank account information and convincing the city to send them two payments – one for $721,000 and another for $803,000. The former has been recovered, the latter is still reportedly missing.

The scammer apparently went to great lengths to fool their victims, supplying legitimate documentation for the bank account information change. The crims also reportedly used a Starlink account to mask their IP address, which helped them to avoid geofencing technology used by city systems to block offshore scammers.

“They have very good technology and so it requires us to be constantly vigilant so that we’re one step ahead,” Baltimore deputy Comptroller Erika McClammy told The Baltimore Banner. “In this instance, we were one step behind.”

Another week, another critical WordPress plugin vulnerability

WordPress plugins are often found to include serious security vulnerabilities, and we have a couple more to report this week – both in the “WP Ultimate CSV Importer” plugin, a tool that does what it says on the tin and has over 20,000 active installations.

Wordfence, a company that makes security plugins for WordPress and also runs a bug bounty program focused on plugins, last week reported a pair of significant flaws in WP Ultimate CSV Importer. The bugs include a CVSS 8.8 arbitrary file upload vulnerability (CVE-2025-2008) and a CVSS 8.1 arbitrary file deletion vulnerability (CVE-2025-2007).

When exploited together, an authenticated attacker with subscriber-level access to a site that uses WP Ultimate CSV Importer can potentially take control and even delete core WordPress files like wp-config.php.

A patch is available – anyone using the affected plugin should be sure they are on version 17.9.1 or a more recent update. ®