EU Age-Verification App Cracked Within Two Minutes of Launch; Privacy and Security Questioned Again

Summary:
This week saw a string of upheavals in global technology and security, with several incidents raising broad concerns about privacy protection and data security.
In the US, venues including Madison Square Garden were revealed to have secretly built a "surveillance network" that subjects visitors to face recognition, social media monitoring and in-person tracking. Meanwhile, partisan divisions in the US House of Representatives meant the warrantless surveillance program under "Section 702" was extended for only 10 days, stalling a long-term reauthorization.
On the corporate side, Meta's plan to add face recognition to its smart glasses drew a joint objection from more than 70 civil society organizations, which argued it would heighten privacy risks and could enable stalking and harassment. Misuse of artificial intelligence also drew attention: nonconsensual deepfake nude images have spread through schools in at least 28 countries, with more than 600 teenage victims identified so far; and OpenAI and Anthropic have each launched AI models focused on cybersecurity, marking the AI race's extension onto the cybersecurity track.
The messaging platform Telegram was criticized for continuing to provide operating space for the crypto marketplace "Xinbi Guarantee", which is suspected of involvement in human trafficking. The marketplace completed more than $500 million in transactions even after UK sanctions, highlighting the difficulty of platform oversight.
Europe has recently seen a series of major security failures. The EU's newly launched age-verification app was found to have serious security flaws on release, with experts saying it "can be broken in under two minutes". In addition, Europe's largest gym chain, Basic-Fit, confirmed that the bank data of about a million users was leaked, and the global hotel booking giant Booking.com also admitted a customer data breach.
The social platform Bluesky suffered a distributed denial-of-service attack on Thursday that disrupted service, though user data was not affected. The incident prompted some users to move to independently operated alternative platforms.
In the recent mass hiring by US Immigration and Customs Enforcement, some hires had gaps in their background checks, with several having records of misconduct or debt disputes. The agency acknowledged issuing job offers to some personnel before their background checks were complete.
The Russian cryptocurrency exchange Grinex claimed that a cyberattack by "foreign agents" cost it more than $13 million in user assets and has suspended operations. The exchange is said to be the successor entity to the sanctioned platform Garantex, but its claim of "state-sponsored hackers" has not been supported by public evidence.
English source:
Planning a big night out at Madison Square Garden? Have fun—but don’t say we didn’t warn you.
A WIRED investigation this week revealed new details about the private surveillance state instituted by MSG owner Jim Dolan and his head of security, John Eversole. According to court records and WIRED sources, visitors to the Garden and some other Dolan-owned venues have been subjected to face recognition, social media monitoring, in-person surveillance, and more.
The US government’s warrantless wiretap powers hit a roadblock this week. Despite a push from President Donald Trump for a long-term reauthorization of the so-called Section 702 spy program, 20 Republican lawmakers in the House of Representatives voted against a full reauthorization, forcing Speaker Mike Johnson to merely extend the program for an additional 10 days.
Meta’s Ray-Ban and Oakley AI smartglasses have an image problem—for good reason. More than 70 civil society groups, including the ACLU and the National Organization for Women, sent a letter to the company this week, demanding that it abandon any plans it may have to equip its AI glasses with face-recognition features. The groups argue that including face recognition in the wearable devices, which can already surreptitiously record videos of people, would further erode any semblance of privacy and potentially facilitate stalkers, domestic abusers, and federal agents.
Nonconsensual deepfake nudes are a scourge at schools around the world, according to an analysis by WIRED and Indicator. By tracking publicly reported incidents of deepfake “nudify” tech used against middle- and high-school-aged girls, we were able to identify more than 600 victims in 28 countries around the world.
You might think banning a $20 billion black market for scammers from your platform would be a no-brainer. But not if you’re Telegram. A WIRED investigation found that the messaging app continued to host Xinbi Guarantee despite the UK government’s designating it a facilitator of human trafficking and sanctioning the largest-ever online marketplace of its kind. Crypto-tracing firm Elliptic says that Xinbi carried out another $505 million in transactions in the 19 days after the UK issued its sanction.
The AI race has finally entered the cybersecurity lap. After Anthropic revealed its new model, Mythos, as a unique risk to the security status quo, OpenAI announced that it, too, has a new cybersecurity strategy, and a new model to go with it—GPT-5.4-Cyber.
That’s not all! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
It Takes 2 Minutes to Hack the EU’s New Age Verification App
The European Commission this week released its free, open source app for verifying the ages of visitors to social networks and pornography websites. At a press conference on Wednesday, European Commission president Ursula von der Leyen proclaimed that, with the release of the app, “there are no more excuses” for platforms that fail to check users’ ages. That, however, was before experts found the app to be a security disaster.
As reported by Politico, security consultant Paul Moore claimed on X to have found a series of security issues with the app that allowed him to hack it “in less than 2 minutes.” The issues include how the app reportedly stores a user-created PIN that could allow an attacker to easily take over that person’s app profile. (Baptiste Robert, a whitehat hacker, confirmed the vulnerability to Politico.) Tagging von der Leyen in his post, Moore concluded, “This product will be the catalyst for an enormous breach at some point. It's just a matter of time.”
A Gym Chain and a Hotel Giant Disclose Major Data Breaches
Europe's largest gym chain, Basic-Fit, confirmed a major data breach on Monday, revealing that the bank details of roughly a million customers were compromised. Around 200,000 members in the Netherlands alone were affected. The stolen data includes bank details along with customers' names, home and email addresses, phone numbers, and dates of birth. A spokesperson told The Register that members in Belgium, France, Germany, Luxembourg, and Spain were also similarly hit through a single system that records member visits to clubs. No passwords, which Basic-Fit says it does not store, were reportedly compromised.
The same day, global travel and hotel reservation giant Booking.com confirmed that hackers may have extracted customer data including names, email addresses, phone numbers, and booking details. The company informed TechCrunch that it “noticed some suspicious activity” and “took action to contain the issue.” Company notices posted by purported customers on Reddit appear to disclose a breach touching on “anything” the users “may have shared with the accommodation.” TechCrunch reported that Booking.com had declined to share details about the scope of the breach, but did separately tell The Guardian that no “financial information” was lost.
Bluesky Buckles Under DDoS Attack
Bluesky’s site and app struggled through Thursday after what the company confirmed was a distributed denial-of-service attack. Chief operations officer Rose Wang said the “sophisticated” attack began April 15 around 8:40 pm ET and caused intermittent failures across feeds, notifications, and search. The company said it has not seen any evidence of unauthorized access to user data.
The outages hit Bluesky’s own infrastructure but spared communities like Blacksky that run their own instances on the underlying AT Protocol. Blacksky told TechCrunch it has seen a significant spike in migration requests over the past 12 hours, as users and rival ATmosphere operators promote alternatives. As of Friday afternoon, its status page shows the service fully operational.
ICE Offered Jobs to Applicants With Dubious Backgrounds
The Trump administration has been on a hiring spree. A Department of Homeland Security press release from January says that ICE hired over 12,000 officers and agents in less than a year. As part of their job applications, immigration officers are supposed to go through extensive background checks that probe everything from what arrests they might have had, the debts they’ve racked up, and foreign nationals they’ve interacted with in the past seven years. The Associated Press did its own background checks on 40 ICE agents and found three that had faced lawsuits because of alleged misconduct in their previous law enforcement jobs, and several that reportedly faced legal actions because of their histories of unpaid debt. DHS didn’t comment on specific hiring choices, but acknowledged to the AP that it had given some applicants “temporary selection letters” and offers to start working before their full background checks had been completed.
Russian Crypto Exchange Grinex Hacked, Blames Foreign Spies
The Russian cryptocurrency exchange Grinex, widely reported to have aided Russia’s sanctions evasion, abruptly announced Thursday that it would be suspending its operations following a breach that it says allowed a hacker to steal more than a billion rubles’ worth of its users’ funds, equivalent to more than $13 million. In its announcements on its social accounts, Grinex blamed the “special services” of a foreign country, writing that the “digital traces and the nature of the attack indicate an unprecedented level of resources and technologies available exclusively to structures of unfriendly states” and seemed to be aimed at “causing direct damage to Russia's financial sovereignty.” Grinex, which was itself sanctioned by US financial authorities, had served as the successor to Garantex, another Russian exchange that had been sanctioned for enabling sanctions evasion and other alleged financial crimes. According to crypto-tracing firm Elliptic, Grinex was likely created by the same owners and inherited Garantex funds and customers. Grinex didn’t provide any public evidence to back its claim that the theft of its funds was carried out by state-sponsored hackers.
Article link: https://news.qimuai.cn/?post=3848