Enlarge / Drops of the blood going onto an HIV quick test. (credit: Getty | BRITTA PEDERSEN)

Trendy, unproven "vampire facials" performed at an unlicensed spa in New Mexico left at least three women with HIV infections. This marks the first time that cosmetic procedures have been associated with an HIV outbreak, according to a detailed report of the outbreak investigation published today.

Ars reported on the cluster last year when state health officials announced they were still identifying cases linked to the spa despite it being shut down in September 2018. But today's investigation report offers more insight into the unprecedented outbreak, which linked five people with HIV infections to the spa and spurred investigators to contact and test nearly 200 other spa clients. The report appears in the Centers for Disease Control and Prevention's Morbidity and Mortality Weekly Report.

The investigation began when a woman between the ages of 40 and 50 turned up positive on a rapid HIV test taken while she was traveling abroad in the summer of 2018. She had a stage 1 acute infection. It was a result that was as dumbfounding as it was likely distressing. The woman had no clear risk factors for acquiring the infection: no injection drug use, no blood transfusions, and her current and only recent sexual partner tested negative. But, she did report getting a vampire facial in the spring of 2018 at a spa in Albuquerque called VIP Spa.

Read 8 remaining paragraphs | Comments

Some Android-powered TVs can expose the contents of users’ email inboxes if an attacker has physical access to the TV. Google initially told the office of Senator Ron Wyden that the issue, which is a quirk of how software is installed on these TVs, was expected behavior, but after being contacted by 404 Media, Google now says it is addressing the issue. 

The attack is an edge case but one that still highlights how the use of Google accounts, even on products that aren’t necessarily designed for browsing user data, can expose information in unusual ways, including TVs in businesses or ones that have been resold or given away.

“My office is mid-way through a review of the privacy practices of streaming TV technology providers. As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set top box, a criminal could get access to private emails of the Gmail user who set up the TV,” Senator Ron Wyden told 404 Media in a statement.

In the video from January, YouTuber Cameron Gray laid out the issue while setting up an Android TV. He describes the video as “somewhat of PSA about why you should never log into an Android TV device using a Google account that contains anything sensitive.” As well as being able to access things you might expect an Android TV to access, such as YouTube, Gray explains someone could also “access basically anything about your Google account, and that includes email through Gmail, files through Google Drive, or even services where you’ve signed in through Google into an external service.”

“And it’s not very clear it’s possible,” he says.

The issue is that although Google mostly locks down functionality of Android TVs, with not even a web browser being installed and Chrome not being available to be downloaded from the Google Play Store, it still allows users to download third party browsers.

“This is an interesting issue since it's not necessarily a bug or security flaw in the traditional sense but more a form of intended behaviour that is extremely non-obvious to the average end user,” Gray told 404 Media in an email.

In his video Gray downloads another web browser called TV Bro. He then navigates to APK Pure, a popular APK archive, and downloads a copy of Chrome. After opening that, Chrome does not ask him to provide the password to his Google account. Instead, it uses the persistent login from the underlying Android OS itself that he created at setup. This version of Chrome isn’t designed to work with Android TVs and a remote control, so attackers would then need to plug in a USB keyboard and mouse. Gray then navigates to Gmail in Chrome and can view the Google account’s emails.

“Oh look, my Gmail inbox,” Gray says in the video. From here, an attacker could try to access other accounts which send password reset links to this Gmail address.

As Gray says, most people using an Android TV may log in with their Google account, then have the TV sitting in their business or home without a PIN or other form of authentication. This could also apply to a TV in an office, or one that a user sells or otherwise gives away with the Google account still signed in. Another case is when people may sign into an Android TV with their Google account in holiday accommodation.

In the video Gray recommends people use a throwaway Google account for their Android TV rather than their main Google account. 

Senator Wyden said “My staff promptly sent Google the video. Unfortunately, Google's initial response indicated that this was expected behavior and not a security problem.”

404 Media then approached Google for comment. A Google spokesperson said in a statement that “We are constantly working to improve our protections to help keep Google TV and Android TV OS users safe. We are aware of this potential scenario where bad actors who have obtained physical access to a TV device can manually override the default settings to sideload Google apps normally restricted on a TV and access Google services on the signed-in account.”

The statement added that “Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of devices. As a best security practice, we always advise users to update their devices to the latest software.”

Wyden added “I'm glad Google has now changed course, acknowledged that this is a security problem and is beginning to fix it.”

Gray added “I'm pleased that it's been fixed, although it does feel as though it should have been fixed sooner since the issue has been known about publicly for long before I decided to make a video about it!”

Update: This piece has been updated to include comment from Gray.

California schools may soon need to provide halal and kosher meal options for students.

Dubbed the Halal and Kosher School Meals Act, a proposed bill in the California Legislature would require schools to provide kosher or halal meals if more than 5% of their students request such.

Both kosher and halal meals follow specific Jewish and Islamic dietary practices, respectively, for how food is prepared and served. For kosher meals, dairy and meat cannot be mixed, and only certain animals can be eaten. Halal requires animals to be slaughtered in a particular way and does not permit the consumption of pork products.

Sen. Josh Newman, D-Fullerton, said every student, no matter religion or culture, deserves to feel “supported and included at school” and his bill is one way that schools can do that.

“Kids shouldn’t have to choose between hunger and adhering to their religious beliefs,” Newman said. “This bill creates a more equitable system for students who observe halal or kosher dietary practices.”

“When suitable meals aren’t available for these students,” he said, “they often have to go without eating at school, something that is fundamentally unfair and clearly detrimental to their educational experience.”

For Shaykh Mustafa Umar, the senior religious director of the Islamic Center in Irvine, the bill is personal.

Umar’s children attend an elementary school in the Newport-Mesa School District. There have been times when his children would bring lunches from home so they wouldn’t have to worry if their meals at school were halal. When they don’t bring meals from home, they skip eating at school and just have a later meal at home.

“It has always been a struggle when it comes to food and public schools,” Umar said, adding that he is “extremely happy” to see such a bill that considers both Muslims and Jews.

“It hasn’t been easy,” he added. “Teachers would often say all the food is halal if there wasn’t any pork being served so the kids would get confused and tell me the teacher and the lunch lady said the food is halal when it actually was not. That was pretty frustrating.”

Umar had to teach his children how to explain halal to adults, which is “a lot for a second grader to take on.”

“I wish it wasn’t that way and they could just have good, healthy, halal options where there is no confusion,” Umar said.

The proposed bill, should it pass, would take effect in the 2025-2026 school year. If at least 5% of a school’s students request halal or kosher options, the school would need to provide them. If less than 5% request alternative options, a school could still provide those options but would not be mandated to do so.

The bill allows school districts or schools to survey students for their meal preferences, however they deem best.

Rabbi Dov Wagner, director of the Chabad Jewish Student Center at USC, said the bill would open up meal options for all students, something that has been tough for children in the past.

“Without access to kosher and halal meals, students are often put in a situation where they have to choose between their education and their religious traditions and heritage,” Wagner said. “That is an unfair choice to need to make.”

“All other students are being provided with meals that meet their dietary needs,” Wagner said. “Jewish and Muslim students deserve the same.”

California’s education code requires public school districts, county offices of education and charter schools serving students from transitional kindergarten to twelfth grade to provide two meals free of charge during each school day to students requesting a meal, regardless of their free or reduced-price meal eligibility. If a child is vegan, gluten-free or has any other allergies, they will be given a meal that fits their dietary needs after discussing them with the school.

But there are no standardized policies for providing meals tailored to a person’s diet for religious purposes, Newman’s spokesperson Brian Wheatley said.

“For students that keep halal or kosher, they were either limited to cherry-picking specific items from the cafeteria, bringing meals from home or, worst case, not eating at all,” Wheatley said. “We had testimony from one student that said that if she didn’t arrive in the cafeteria early enough, everything she could eat was gone.”

Just how much the bill would cost schools is not yet known, said Wheatley.

The bill will need to get the OK from the Senate Appropriations Committee to progress; a hearing has been set for Monday, April 29. It recently passed unanimously out of the Senate Education Committee.

After tensions led USC to drop its valedictorian and keynote speaker from its main commencement ceremony, the school canceled its largest graduation event.