#FactCheck: Old Jerusalem Clash Video Falsely Shared as Chaos at Tel Aviv Airport

Introduction

Web applications are essential in various sectors, including online shopping, social networks, banking, and healthcare systems. However, they also pose numerous security threats, including Cross-Site Scripting (XSS), a client-side code injection vulnerability. XSS attacks exploit the trust relationship between users and websites, allowing them to change web content, steal private information, hijack sessions, and gain full control of user accounts without breaking into the core server. This vulnerability is part of the OWASP Top 10 Web Application Security Risks.

‍

What is Cross-Site Scripting (XSS)?

An XSS attack occurs when an attacker injects client-side scripts into web pages viewed by other users. When users visit the affected pages, their browsers naively execute the inserted scripts. The exploit takes advantage of web applications that allow users to submit content without properly sanitising inputs or encoding outputs. These scripts can cause a wide range of damage, including but not limited to stealing session cookies for session hijacking, redirecting users to malicious sites, logging keystrokes to capture credentials, and altering the DOM to display fake or phishing content.

‍

How Does XSS Work?

1. Injection: A malicious user submits code through a website input, like a comment or form.
2. Execution: The submitted code runs automatically in the browsers of other users who view the page.
3. Exploitation:The attacker can steal session information, capture credentials, redirect users, or modify the page content.

The fundamental cause behind the XSS vulnerabilities is the application of:

• Accepting trusted input from the users.  
• After users' input, web pages have the strings embedded without any sanitisation.  
• Not abiding by security policies like Content Security Policy (CSP).  

With such vulnerabilities, attackers can generate malicious payloads like:  <script>alert('XSS');</script>  

‍

This code might seem simple, but its execution provides the attacker with the possibility to do the following:  

• Copy session tokens through hidden HTTP requests.  
• From attacker-controlled domains, load attacker scripts.  
• Change the DOM structure to show fake login forms for phishing.

‍

Types of XSS Attacks: XSS (Cross-Site Scripting) attacks can occur in three main variations: 

1. Stored XSS: This type of attack occurs when an attacker injects an administered payload into the database or a message board. The script then runs whenever a user visits the affected board.
2. Reflected XSS: In this attack, the danger lies in a parameter of the URL. Its social engineering techniques are attacks, in which it requires tricking people to click on a specially designed link. For example:
3. DOM-Based XSS: This technique injects anything harmful without the need for server-side scripts, in contrast to other approaches. It targets JavaScript client-side scripts such as `document.write` and `innerHTML`. Without carrying out any safety checks, these scripts will alter the page's look (DOM stands for Document Object Model). If the hash is given a malicious string, it is run directly within the browser.

‍

What Makes XSS a Threat?  

‍

A Cross-Site Scripting attack is only a primary attack vector, and can lead to significant damage that includes the following: 

• Statement Hijacking. This uses scripts to steal cookies, which are then used to pose as authorized users.  
• Theft of Credentials. Users’ passwords and usernames are wrenched from keystroke trackers.  
• Phishing. Users are prompted with deceitful login forms that are used to capture sensitive details.  
• Website Vandalism. Modified website material lowers the esteem of the brand.  
• Monetary and Legal Consequences. There are compounding effects to GDPR and DPDP Act compliance in case of Data breaches, which incur penalties and fines.  ‍

‍

Incidents in the Real World  

In 2021, an XSS Stored attack occurred on a famous e-commerce platform eBay, through their product review system. The malicious JavaScript code was set to trigger every time an infected product page was accessed by customers. This caused a lot of problems, including account takeovers, unauthorised purchases, and damage to the company’s reputation. This example further worsens the fact that even reputed platforms can be targeted by XSS attacks.

‍‍

How to Prevent XSS?

Addressing XSS vulnerabilities demands attention to detail and coordinated efforts across functions, as illustrated in the steps below:

 Input Validation and Output Encoding:

• Ensure input validation is in place on the client and server.
• Perform output encoding relative to context: HTML: <, >, &.
• JavaScript: Escape quotes and slashes

Content Security Policy (CSP): CSP allows scripts to be executed only from the verified sources, which helps diminish the odds of harmful scripts running on your website. For example, the Header in the code could look to some degree like this: Content-Security-Policy: script-src 'self';

Unsafe APIs should be dodged: Avoid the use of document.write(), innerHTML, and eval(), and make sure to use:

• TextContent for inserting text.
• CreateElement() and other DOM creation methods for structured content.

Secure Cookies: Apply the HttpOnly and Secure cookie flags to block JavaScript access. 

Framework Protections: Use the protective features in frameworks such as:

• React, which escapes data embedded in JSX automatically.
• Angular, which uses context-aware sanitisation.

Periodic Security Assessment:

• Use DAST tools to test the security posture of an application.
• Perform thorough penetration testing and security-oriented code reviews.

‍

‍Best Practices for Developers: Assume a Secure Development Lifecycle (SDLC) integrating XSS stoppage at each point.

• Educate developers on OWASP secure coding guidelines.
• Automate scanning for vulnerabilities in CI/CD pipelines.

‍

‍Conclusion:

To reduce the potential danger of XSS, both developers and companies must be diligent in their safety initiatives, ranging from using Content Security Policies (CSP) to verifying user input. Web applications can shield consumers and the company from the subtle but long-lasting threat of Cross-Site Scripting if security controls are implemented during the web application development stage and regular vulnerability scans are conducted.

‍

References

• https://owasp.org/www-community/attacks/xss/
• https://www.paloaltonetworks.com/cyberpedia/xss-cross-site-scripting
• https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting
• https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

‍

‍

Introduction

‍

The use of AI in content production, especially images and videos, is changing the foundations of evidence. AI-generated videos and images can mirror a person’s facial features, voice, or actions with a level of fidelity to which the average individual may not be able to distinguish real from fake. The ability to provide creative solutions is indeed a beneficial aspect of this technology. However, its misuse has been rapidly escalating over recent years. This creates threats to privacy and dignity, and facilitates the creation of dis/misinformation. Its real-world consequences are the manipulation of elections, national security threats, and the erosion of trust in society. 

‍

Why India Needs Deepfake Regulation

‍

Deepfake regulation is urgently needed in India, evidenced by the recent Rashmika Mandanna incident, where a hoax deepfake of an actress created a scandal throughout the country. This was the first time that an individual's image was superimposed on the body of another woman in a viral deepfake video that fooled many viewers and created outrage among those who were deceived by the video. The incident even led to law enforcement agencies issuing warnings to the public about the dangers of manipulated media.

This was not an isolated incident; many influencers, actors, leaders and common people have fallen victim to deepfake pornography, deepfake speech scams, defraudations, and other malicious uses of deepfake technology. The rapid proliferation of deepfake technology is outpacing any efforts by lawmakers to regulate its widespread use. In this regard, a Private Member’s Bill was introduced in the Lok Sabha in its Winter Session. This proposal was presented to the Lok Sabha as an individual MP's Private Member's Bill. Even though these have had a low rate of success in being passed into law historically, they do provide an opportunity for the government to take notice of and respond to emerging issues. In fact, Private Member's Bills have been the catalyst for government action on many important matters and have also provided an avenue for parliamentary discussion and future policy creation. The introduction of this Bill demonstrates the importance of addressing the public concern surrounding digital impersonation and demonstrates that the Parliament acknowledges digital deepfakes to be a significant concern and, therefore, in need of a legislative framework to combat them.

‍

Key Features Proposed by the New Deepfake Regulation Bill

‍

The proposed legislation aims to create a strong legal structure around the creation, distribution and use of deepfake content in India. Its five core proposals  are: 

1. Prior Consent Requirement: individuals must give their written approval before producing or distributing deepfake media, including digital representations of themselves, as well as their faces, images, likenesses and voices. This aims to protect women, celebrities, minors, and everyday citizens against the use of their identities with the intent to harm them or their reputations or to harass them through the production of deepfakes.

2. Penalties for Malicious Deepfakes: Serious criminal consequences should be placed for creating or sharing deepfake media, particularly when it is intended to cause harm (defame, harass, impersonate, deceive or manipulate another person). The Bill also addresses financially fraudulent use of deepfakes, political misinformation, interfering with elections and other types of explicit AI-generated media. 

3. Establishment of a Deepfake Task Force: To look at the potential impact of deepfakes on national security, elections and public order, as well as on public safety and privacy. This group will work with academic institutions, AI research labs and technology companies to create advanced tools for the detection of deepfakes and establish best practices for the safe and responsible use of generative AI. 

4. Creation of a Deepfake Detection and Awareness Fund: To assist with the development of tools for detecting deepfakes, increasing the capacity of law enforcement agencies to investigate cybercrime, promoting public awareness of deepfakes through national campaigns, and funding research on artificial intelligence safety and misinformation.

‍

How Other Countries Are Handling Deepfakes

‍

1. United States
Many States in the United States, including California and Texas, have enacted laws to prohibit the use of politically deceptive deepfakes during elections. Additionally, the Federal Government is currently developing regulations requiring that AI-generated content be clearly labelled. Social Media Platforms are also being encouraged to implement a requirement for users to disclose deepfakes.

2. United Kingdom
In the United Kingdom, it is illegal to create or distribute intimate deepfake images without consent; violators face jail time. The Online Safety Act emphasises the accountability of digital media providers by requiring them to identify, eliminate, and avert harmful synthetic content, which makes their role in curating safe environments all the more important.

3. European Union:
The EU has enacted the EU AI Act, which governs the use of deepfakes by requiring an explicit label to be affixed to any AI-generated content. The absence of a label would subject an offending party to potentially severe regulatory consequences; therefore, any platform wishing to do business in the EU should evaluate the risks associated with deepfakes and adhere strictly to the EU's guidelines for transparency regarding manipulated media.

4. China:
China has among the most rigorous regulations regarding deepfakes anywhere on the planet. All AI-manipulated media will have to be marked with a visible watermark, users will have to authenticate their identities prior to being allowed to use advanced AI tools, and online platforms have a legal requirement to take proactive measures to identify and remove synthetic materials from circulation.

‍

Conclusion

‍

Deepfake technology has the potential to be one of the greatest (and most dangerous) innovations of AI technology. There is much to learn from incidents such as that involving Rashmika Mandanna, as well as the proliferation of deepfake technology that abuses globally, demonstrating how easily truth can be altered in the digital realm. The new Private Member's Bill created by India seeks to provide for a comprehensive framework to address these abuses based on prior consent, penalties that actually work, technical preparedness, and public education/awareness. With other nations of the world moving towards increased regulation of AI technology, proposals such as this provide a direction for India to become a leader in the field of responsible digital governance.

‍

References 

‍

1. https://www.ndtv.com/india-news/lok-sabha-introduces-bill-to-regulate-deepfake-content-with-consent-rules-9761943
2. https://m.economictimes.com/news/india/shiv-sena-mp-introduces-private-members-bill-to-regulate-deepfakes/articleshow/125802794.cms
3. https://www.bbc.com/news/world-asia-india-67305557
4. https://www.akingump.com/en/insights/blogs/ag-data-dive/california-deepfake-laws-first-in-country-to-take-effect
5. https://codes.findlaw.com/tx/penal-code/penal-sect-21-165/ 
6. https://www.mishcon.com/news/when-ai-impersonates-taking-action-against-deepfakes-in-the-uk#:~:text=As%20of%2031%20January%202024,of%20intimate%20deepfakes%20without%20consent. 
7. https://www.politico.eu/article/eu-tech-ai-deepfakes-labeling-rules-images-elections-iti-c2pa/ 
8. https://www.reuters.com/article/technology/china-seeks-to-root-out-fake-news-and-deepfakes-with-new-online-content-rules-idUSKBN1Y30VT/

‍

Introduction

Twitter is a popular social media plate form with millions of users all around the world. Twitter’s blue tick system, which verifies the identity of high-profile accounts, has been under intense scrutiny in recent years. The platform must face backlash from its users and brands who have accused it of basis, inaccuracy, and inconsistency in its verification process. This blog post will explore the questions raised on the verification process and its impact on users and big brands.

What is Twitter’s blue trick System?

The blue tick system was introduced in 2009 to help users identify the authenticity of well-known public figures, Politicians, celebrities, sportspeople, and big brands. The Twitter blue Tick system verifies the identity of high-profile accounts to display a blue badge next to your username.

According to a survey, roughly there are 294,000 verified Twitter Accounts which means they have a blue tick badge with them and have also paid the subscription for the service, which is nearly $7.99 monthly, so think about those subscribers who have paid the amount and have also lost their blue badge won’t they feel cheated?

The Controversy

Despite its initial aim, the blue tick system has received much criticism from consumers and brands. Twitter’s irregular and non-transparent verification procedure has sparked accusations of prejudice and inaccuracy. Many Twitter users have complained that the network’s verification process is random and favours account with huge followings or celebrity status. In contrast, others have criticised the platform for certifying accounts that promote harmful or controversial content.

Furthermore, the verification mechanism has generated user confusion, as many need to understand the significance of the blue tick badge. Some users have concluded that the blue tick symbol represents a Twitter endorsement or that the account is trustworthy. This confusion has resulted in users following and engaging with verified accounts that promote misleading or inaccurate data, undermining the platform’s credibility.

How did the Blue Tick Row start in India?

On 21 May 2021, when the government asked Twitter to remove the blue badge from several profiles of high-profile Indian politicians, including the Indian National Congress Party Vice-President Mr Rahul Ghandhi.

The blue badge gives the users an authenticated identity. Many celebrities, including Amitabh Bachchan, popularly known as Big B, Vir Das, Prakash Raj, Virat Kohli, and Rohit Sharma, have lost their blue tick despite being verified handles.

What is the Twitter policy on blue tick?

To Twitter’s policy, blue verification badges may be removed from accounts if the account holder violates the company’s verification policy or terms of service. In such circumstances, Twitter typically notifies the account holder of the removal of the verification badge and the reason for the removal. In the instance of the “Twitter blue badge row” in India, however, it appears that Twitter did not notify the impacted politicians or their representatives before revoking their verification badges. Twitter’s lack of communication has exacerbated the controversy around the episode, with some critics accusing the company of acting arbitrarily and not following due process.

Is there a solution?

The “Twitter blue badge row” has no simple answer since it involves a complex convergence of concerns about free expression, social media policies, and government laws. However, here are some alternatives:

• Establish clear guidelines: Twitter should develop and constantly implement clear guidelines and policies for the verification process. All users, including politicians and government officials, would benefit from greater transparency and clarity.
• Increase transparency: Twitter’s decision-making process for deleting or restoring verification badges should be more open. This could include providing explicit reasons for badge removal, notifying impacted users promptly, and offering an appeals mechanism for those who believe their credentials were removed unfairly.
• Engage in constructive dialogue: Twitter should engage in constructive dialogue with government authorities and other stakeholders to address concerns about the platform’s content moderation procedures. This could contribute to a more collaborative approach to managing online content, leading to more effective and accepted policies.
• Follow local rules and regulations: Twitter should collaborate with the Indian government to ensure it conforms to local laws and regulations while maintaining freedom of expression. This could involve adopting more precise standards for handling requests for material removal or other actions from governments and other organisations.

Conclusion

To sum up, the “Twitter blue tick row” in India has highlighted the complex challenges that Social media faces daily in handling the conflicting interests of free expression, government rules, and their own content moderation procedures. While Twitter’s decision to withdraw the blue verification badges of several prominent Indian politicians garnered anger from the government and some public members, it also raised questions about the transparency and uniformity of Twitter’s verification procedure. In order to deal with this issue, Twitter must establish clear verification procedures and norms, promote transparency in its decision-making process, participate in constructive communication with stakeholders, and adhere to local laws and regulations. Furthermore, the Indian government should collaborate with social media platforms to create more effective and acceptable laws that balance the necessity for free expression and the protection of citizens’ rights. The “Twitter blue tick row” is just one example of the complex challenges that social media platforms face in managing online content, and it emphasises the need for greater collaboration among platforms, governments, and civil society organisations to develop effective solutions that protect both free expression and citizens’ rights.