Unlike some side channel attacks, it hasn’t taken long to show how these exploits would work in the real world. The team took advantage of the flaws using JavaScript in common browsers like Chrome and Firefox, not to mention virtual machines in the cloud. While Take A Way only dribbles out a small amount of information compared to Meltdown or Spectre, that was enough for the investigators to access AES encryption keys.

It’s possible to address the flaw through a mix of hardware and software, the researchers said, although it’s not certain how much this would affect performance. Software and firmware fixes for Meltdown and Spectre have typically involved speed penalties, although the exact hit depends on the task.

We’ve asked AMD for comment. However, the authors suggest that AMD has been slow to respond. They said they submitted the flaws to AMD in late August 2019, but haven’t heard back despite keeping quiet about the flaw for the past several months.

The findings haven’t been without controversy, although it doesn’t appear to be as questionable as some thought at first. While Hardware Unboxed found disclosures that Intel funded the research, raising concerns about the objectivity of the study, the authors have also received backing from Intel (and other sources) for finding flaws in the company’s own chips as well as other products. It appears to just be a general effort to spur security research, then. As it stands, the funding source doesn’t change the practical reality — AMD may have to tweak its CPU designs to safeguard against Take A Way attacks going forward.

Data leaks by their nature subject people to some kind of unnecessary risk, but this latest could be genuinely dangerous. Researchers at vpnMentor have discovered that a porn cam affiliate network, PussyCash, left nearly 20GB of models’ extremely sensitive data exposed in an Amazon S3 bucket. The repository included not only 875,000 keys for different file types (such as photos and videos), but personal info for over 4,000 models worldwide that includes their names, ID photos, passport/ID numbers, release forms and driver’s license images. Some of the data could be up to 20 years old, but other info is just weeks old — there’s a very real chance stalkers, extortionists and others could have used this to threaten many of the models.

In response, Poshmark announced it conducted an internal investigation with support from a security forensics firm and “did not find any material vulnerabilities.” It has, however, “enhanced security measures across all systems to help prevent this type of incident from happening in the future.”

In a blog post, Poshmark advises users to change their passwords just in case. The accessed data does not include financial information or physical addresses, and affected users will be notified by email. The company added that hashed passwords are protected by encryption, which should make them difficult (but not impossible) to crack. This sort of data does, however, leave people open to the risk of phishing scams.

The company apologized for the breach, saying, “Poshmark is a platform built on love and transparency, and we’re committed to serving you, and our entire community, every step of the way. You are the core of our business, and without you, we wouldn’t be the community we are today. We sincerely regret any concern this may cause you, and we’re here to answer any questions you may have.”

The main issue involved booking confirmation emails, according to Symantec principal threat researcher Candid Wueest. Many of the messages include an active link that directs to a separate website where guests can access their reservation having to log in again. The booking code and the guest email are often in the URL itself, which in and of itself isn’t a big deal.

But, like many businesses, hotels share your personal data with third parties, meaning that your booking code and email are visible to them as well. The attacker would only need access to your booking code and email in order to find your address, full name, cell phone number, passport number and other highly sensitive information. Symantec also found that a smaller number of hotels didn’t encrypt the links sent in confirmation emails, giving attackers another window of opportunity.

A Symantec spokesperson told Engadget that the company contacted the hotels that had the security flaw and that most, but not all, of the hotels were taking measures to fix it. Symantec would not disclose which hotels were named in the study, but said it looked at a total of 45 different websites, including boutique hotels and major chains with hundreds of locations, covering more than 1,500 hotels.

What can customers do in the meantime to guard their privacy? Symantec advises that people use a VPN to change their hotel reservation when connected to public WiFi. Also, you can check the URL of your confirmation link to see if your booking details are exposed. A URL with the security flaw would look like this: https://booking.the-hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld

Wueest told Engadget in an email that he also looked at five travel search engines, and found similar security flaws. “This (…finding) shows it is a general issue in the travel industry and not just a local issue,” he wrote.