Top stories

Live updates: Russia’s war in Ukraine

Ten million Ukrainians are without power just as temperatures fall to freezing and below after more Russian missile attacks, President Volodymyr Zelensky said. CNN spoke to Kyiv residents about how they’re coping.

What to know about the Trump indictment on the eve of his court appearance



The $500 billion beauty industry’s ‘green’ ambitions are a patchwork at best. And they’re falling short



CNN — The escalating climate crisis is shifting many people’s purchasing patterns, and this extends to the $500 billion global beauty industry, which is grappling with a range of sustainability challenges across product manufacturing, packaging and disposal.

Strategy and consulting firm Simon Kucher’s Global Sustainability Study 2021 found 60% of consumers around the world rated sustainability as an important purchase criterion, and 35% were willing to pay more for sustainable products or services.

This shift in consumer preferences has propelled many beauty brands to set environmental goals: to move away from single-use and virgin plastics, provide recyclable, reusable and refillable packaging and offer more transparency around products’ ingredients so customers can ascertain how “green” their purchase is.

However, consumers still struggle to understand the sustainability credentials of many products, according to the British Beauty Council. This is because the industry’s clean-up efforts have been inconsistent, and fall short of making a recognizable impact in the absence of collective goal-setting, global strategy and standardized regulations.

Ingredient and branding transparency

There is no international standard for the beauty industry on how much product ingredient information to share with customers — or how to do so. Brands can set their own rules and goals, giving rise to confusion and “greenwashing,” where sustainability claims are often touted but not substantiated.

Companies often use marketing language like “clean beauty” to make it seem like their products are natural, for example, when they may not actually be organic, sustainable or ethically made.

“The term ‘clean beauty’ has become quite dangerous. It’s used to sell more products,” according to British Beauty Council CEO Millie Kendall, who added that such buzzwords are losing traction in the UK as British customers wise up to their shortcomings. “Customers need better marketing information and certification information.”

In a 2021 report calling on the industry to have “the courage to change” their business practices, the British Beauty Council wrote that, all too often, even natural ingredients involved in manufacturing products give way to “over-consumption, non-regenerative farming practices, pollution, waste and neglect.”

“The only way out of this is transparency,” Kendall told CNN.

Jen Lee, chief impact officer at US-based brand Beautycounter, said she continues to see confusion over ingredients among consumers. (In 2013, the company launched and published “The Never List,” which currently cites more than 2,800 chemicals — including heavy metals, parabens and formaldehyde — it claims to never use in its products.)

“Natural vs. synthetic ingredients has been a conversation. People think natural is safer, but it’s not always the case,” Lee explained. “Natural ingredients formulated in the industry can have toxic load. Heavy metals can occur in natural components of the earth.”

“We used to be more natural and organic,” added Sasha Plavsic, founder of makeup brand ILIA Beauty. “What was challenging is (that) raw materials were difficult to source or would come in inconsistently or products wouldn’t perform.”

Most makeup is created and molded at high temperatures, Plavsic explained. Purely organic materials often fall apart in this heat, leading to inconsistent results and subpar product performance. “Not every synthetic is bad,” Plavsic said. “Sometimes, it helps create the best in class formula.”

The industry’s plastic packaging is a particular sustainability challenge — 95% is thrown away and the vast majority is not recycled, according to the British Beauty Council.

The cosmetics business is the fourth biggest plastic packaging user globally — after food and beverage, industrial packaging and pharmaceuticals — and plastic is about 67% of the industry’s packaging volume, according to Vantage Market Research. Beauty giant L’Oreal used 144,430 metric tons of plastic in its packaging material in 2021, for example, according to the Ellen MacArthur Foundation (EMF). Estee Lauder Companies reported its brands produced 71,600 metric tons of plastic in product packaging that same year.

And only 9% of the global plastic waste is recycled, according to a report from the Organisation for Economic Co-operation and Development. The United States only recycles 4% of its plastic waste.

Many brands are trying to phase out harmful plastics from their operations and adopt post-consumer recycled (PCR) plastic. (L’Oreal has set a target of 50% PCR plastic usage by 2025, while Estee Lauder is targeting 25% “or more” PCR plastic — but both are far from achieving their targets.)

“Between 60-70 major global brands have made unprecedented progress” in PCR plastic usage across industries, EMF’s Plastic Initiative Lead Sander DeFruyt told CNN. But DeFruyt stressed that PCR plastic must be adopted in conjunction with brands removing single and virgin plastics from their usage cycles to truly make a difference.

However, PCR plastic is not easy to find — low recycling rates around the world mean there is limited supply. Meanwhile, demand for it is growing across industries, DeFruyt said. This competition hikes up its price, which is already higher than virgin plastic.

Hair care brand FEKKAI claims that it used up to 95% PCR content in its packaging, but pricing and supply issues posed a challenge, forcing it to currently aim for containers and packaging that feature at least 50% PCR.

“PCR plastic is more expensive than stock plastic. The cost is hard and then sourcing it is too,” founder Frédéric Fekkai told CNN. “PCR is close to our heart, but there is a massive demand, so finding recycled plastic is difficult.”

Beauty retailers play a pivotal — and under-utilized — role, with control over stocking decisions and supply chains. But many vary when it comes to the standards they set for brands they sell.

“Smaller businesses do more, full stop,” said Jessi Baker, founder of the technology platform Provenance, which helps brands display their sustainability credentials for customers. “They move more nimbly. Some of them are born-good brands — climate friendliness was part of their setup. They don’t need to restructure their entire supply chain. Their culture already has it compared to the larger brands who need to work hard to change.”

Sephora launched its “Clean + Planet Positive” initiative in 2021, which labeled products that met its set criteria. (This is separate from the French retailer’s “Clean at Sephora” program, which is currently facing a consumer lawsuit alleging it carries a significant percentage of products understood by customers to be harmful.) Target launched a similar program in 2022, featuring a “Target Zero” icon for both online and in-store offerings that either have reusable, recyclable, compostable or reduced plastic packaging, or feature waterless or concentrated products.

Still, many steps taken by brands and retailers do not even begin to touch on the waste and pollution generated throughout supply chains, manufacturing and shipping, all huge problems for the industry to grapple with.

The gaps in standardization in the beauty ecosystem can, to some extent, be filled by certifications such as the US-born B Corporation, or B Corp. This accreditation, one of the most well-known in the beauty space, is issued by the non-profit B Lab, which scores a company on a variety of criteria around ethics and sustainability. However beneficial it may be among eco-conscious consumers, though, it is currently completely voluntary for brands to apply for.

Governments and multinationals enforcing regulations and setting a baseline for brands to operate from when making sustainability claims would go a long way to making change, many experts and business leaders believe.

Susanne Kaufmann, founder of her namesake beauty brand, says her efforts in Austria would reap better results if more countries around the world had stricter, more uniform garbage disposal laws.

“I package our product in a recyclable material,” Kaufmann said. (Her products’ packaging, which is refillable and reusable, is made from 75% recycled plastic — and is 100% recyclable.) “If I send this to the US, the garbage is not separated… and it’s not recyclable,” she explained, referring to inconsistencies in recycling laws across the United States.

And when it comes to ingredients, the European Chemicals Agency lists 2,495 substances banned from use in cosmetic products marketed for sale or use in the bloc. But the US Food and Drug Administration only lists 11, making it more challenging for American consumers to find safer, greener options. The Environmental Working Group, a non-profit watchdog, studied lab tests of 51 sunscreen products in 2021 and found that only 35% of products met the EU standard, compared with 94% that passed the US standard.

However, while government can set minimum requirements, Mia Davis, vice president of sustainability and impact at beauty retailer Credo Beauty, says the needle will move in the private sector.

“Regulation can raise the floor a bit. A person who doesn’t know about any (sustainability issues) should still be able to walk into a bodega and get clean products… But that’s never going to be what the market can do,” she said. “Market leadership is key.”

In the absence of bold regulations or global standards on sustainability practices, this “leadership” — undertaken both by brands and customers in the beauty marketplace — is likely to be the most immediately impactful vector for addressing the industry’s climate shortcomings. It will take continued collective advocacy and initiative to see meaningful climate-conscious change.


The haunting Masters meltdown that changed Rory McIlroy’s career

Editor’s Note: This story was originally published in April 2023.




Slumped on his club, head buried in his arm, Rory McIlroy looked on the verge of tears.

The then-21-year-old had just watched his ball sink into the waters of Rae’s Creek at Augusta National and with it, his dream of winning The Masters, a dream that had looked so tantalizingly close mere hours earlier.

As a four-time major winner and one of the most decorated names in the sport’s history, few players would turn down the chance to swap places with McIlroy heading into Augusta this week.

Yet on Sunday afternoon of April 10, 2011, not a golfer in the world would have wished to be in the Northern Irishman’s shoes.

A fresh-faced, mop-headed McIlroy had touched down in Georgia for the first major of the season with a reputation as the leading light of the next generation of stars.

An excellent 2010 had marked his best season since turning pro three years earlier, highlighted by a first PGA Tour win at the Quail Hollow Championship and a crucial contribution to Team Europe’s triumph at the Ryder Cup.

Yet despite a pair of impressive top-three finishes at the Open and PGA Championship respectively, a disappointing missed cut at The Masters – his first at a major – served as ominous foreshadowing.

McIlroy shot 74 and 77 to fall four strokes short of the cut line at seven-over par, a performance that concerned him enough to take a brief sabbatical from competition.

McIlroy (L) races England's Ian Poulter (R) during the Par 3 Contest prior to the 2011 Masters.

But one year on in 2011, any lingering Masters demons looked to have been exorcised as McIlroy flew round the Augusta fairways.

Having opened with a bogey-free seven-under 65 – the first time he had ever shot in the 60s at the major – McIlroy pulled ahead from Spanish first round co-leader Alvaro Quirós with a second round 69.

It sent him into the weekend holding a two-shot cushion over Australia’s Jason Day, with Tiger Woods a further stroke behind and back in the hunt for a 15th major after a surging second round 66.

And yet the 21-year-old leader looked perfectly at ease with having a target on his back. Even after a tentative start to the third round, McIlroy rallied with three birdies across the closing six holes to stretch his lead to four strokes heading into Sunday.

McIlroy drives from the 16th tee during his second round.

The youngster was out on his own ahead of a bunched chasing pack comprising Day, Ángel Cabrera, K.J. Choi and Charl Schwartzel. After 54 holes, McIlroy had shot just three bogeys.

“It’s a great position to be in … I’m finally feeling comfortable on this golf course,” McIlroy told reporters.

“I’m not getting ahead of myself, I know how leads can dwindle away very quickly. I have to go out there, not take anything for granted and go out and play as hard as I’ve played the last three days. If I can do that, hopefully things will go my way.

“We’ll see what happens tomorrow because four shots on this golf course isn’t that much.”

McIlroy finished his third round with a four shot lead.

The truth can hurt, and McIlroy was about to prove his assessment of Augusta to be true in the most excruciating way imaginable.

His fourth bogey of the week arrived immediately. Having admitted to expecting some nerves at the first tee, McIlroy sparked a booming opening drive down the fairway, only to miss his putt from five feet.

Three consecutive pars steadied the ship, but Schwartzel had the wind in his sails. A blistering birdie, par, eagle start had seen him draw level at the summit after his third hole.

A subsequent bogey from the South African slowed his charge, as McIlroy clung onto a one-shot lead at the turn from Schwartzel, Cabrera, Choi, and a rampaging Woods, who shot five birdies and an eagle across the front nine to send Augusta into a frenzy.

Despite his dwindling advantage and the raucous Tiger-mania din ahead of him, McIlroy had responded well to another bogey at the 5th hole, draining a brilliant 20-foot putt at the 7th to restore his lead.

The fist pump that followed marked the high-water point of McIlroy’s round, as a sliding start accelerated into full-blown free-fall at the par-four 10th hole.

His tee shot went careening into a tree, ricocheting to settle between the white cabins that separate the main course from the adjacent par-three course. It offered viewers a glimpse at a part of Augusta rarely seen on broadcast, followed by pictures of McIlroy anxiously peering out from behind a tree to track his follow-up shot.

McIlroy watches his shot after his initial drive from the 10th tee put him close to Augusta's cabins.

Though his initial escape was successful, yet another collision with a tree and a two-putt on the green saw a stunned McIlroy eventually tap in for a triple bogey. Having led the field one hole and seven shots earlier, he arrived at the 11th tee in seventh.

By the time his tee drive at the 13th plopped into the creek, all thoughts of who might be the recipient of the green jacket had long-since switched away from the anguished youngster. It had taken him seven putts to navigate the previous two greens, as a bogey and a double bogey dropped him to five-under – the score he had held after just 11 holes of the tournament.

Mercifully, the last five holes passed without major incident. A missed putt for birdie from five feet at the final hole summed up McIlroy’s day, though he was given a rousing reception as he left the green.

Mere minutes earlier, the same crowd had erupted as Schwartzel sank his fourth consecutive birdie to seal his first major title. After starting the day four shots adrift of McIlroy, the South African finished 10 shots ahead of him, and two ahead of second-placed Australian duo Jason Day and Adam Scott.

McIlroy’s eight-over 80 marked the highest score of the round. Having headlined the leaderboard for most of the week, he finished tied-15th.

McIlroy was applauded off the 18th green by the Augusta crowd after finishing his final round.

Tears would flow during a phone call with his parents the following morning, but at his press conference, McIlroy was upbeat.

“I’m very disappointed at the minute, and I’m sure I will be for the next few days, but I’ll get over it,” he said.

“I was leading this golf tournament with nine holes to go, and I just unraveled … It’s a Sunday at a major, what it can do.

“This is my first experience at it, and hopefully the next time I’m in this position I’ll be able to handle it a little better. I didn’t handle it particularly well today obviously, but it was a character-building day … I’ll come out stronger for it.”

Once again, McIlroy would be proven right.

Just eight weeks later in June, McIlroy rampaged to an eight-shot victory at the US Open. Records tumbled in his wake at Congressional, as he shot a tournament record 16-under 268 to become the youngest major winner since Tiger Woods at The Masters in 1997.

McIlroy celebrated a historic triumph at the US Open just two months after his Masters nightmare.

The historic victory kickstarted a golden era for McIlroy. After coasting to another eight-shot win at the PGA Championship in 2012, McIlroy became only the third golfer since 1934 to win three majors by the age of 25 with triumph at the 2014 Open Championship.

Before the year was out, he would add his fourth major title with another PGA Championship win.

And much of it was owed to that fateful afternoon at Augusta. In an interview with the BBC in 2015, McIlroy dubbed it “the most important day” of his career.

“If I had not had the whole unravelling, if I had just made a couple of bogeys coming down the stretch and lost by one, I would not have learned as much.

“Luckily, it did not take me long to get into a position like that again when I was leading a major and I was able to get over the line quite comfortably. It was a huge learning curve for me and I needed it, and thankfully I have been able to move on to bigger and better things.

“Looking back on what happened in 2011, it doesn’t seem as bad when you have four majors on your mantelpiece.”

A two-stroke victory at Royal Liverpool saw McIlroy clinch the Open Championship in 2014.

McIlroy’s contentment came with a caveat: it would be “unthinkable” if he did not win The Masters in his career.

Yet as he prepares for his 15th appearance at Augusta National this week, a green jacket remains an elusive missing item from his wardrobe.

Despite seven top-10 finishes in his past 10 Masters outings, the trophy remains the only thing separating McIlroy from joining the ranks of golf immortals to have completed golf’s career grand slam of all four majors in the modern era: Gene Sarazen, Ben Hogan, Gary Player, Jack Nicklaus, and Tiger Woods.

The Masters is the only major title to elude McIlroy.

A runner-up finish to Scottie Scheffler last year marked McIlroy’s best finish at Augusta, yet arguably 2011 remains the closest he has ever been to victory. A slow start in 2022 meant McIlroy had begun Sunday’s deciding round 10 shots adrift of the American, who teed off for his final hole with a five-shot lead despite McIlroy’s brilliant 64 finish.

At 33 years old, time is still on his side. Though 2022 extended his major drought to eight years, it featured arguably his best golf since that golden season in 2014.

And as McIlroy knows better than most, things can change quickly at Augusta National.


See the world’s deepest fish


Scientists captured the unknown snailfish species at a depth of more than 27,000 feet, as part of an expedition in trenches off Japan.


Scientists film deepest ever fish on seabed off Japan





Cruising at a depth of 8,336 meters (over 27,000 feet) just above the seabed, a young snailfish has become the deepest fish ever filmed by scientists during a probe into the abyss of the northern Pacific Ocean.

Scientists from University of Western Australia and Tokyo University of Marine Science and Technology released footage of the snailfish on Sunday filmed last September by sea robots in deep trenches off Japan.

Along with filming the deepest snailfish, the scientists physically caught two other specimens at 8,022 meters and set another record for the deepest catch.

Previously, the deepest snailfish ever spotted was at 7,703 meters in 2008, while scientists had never been able to collect fish from anywhere below 8,000 meters.

“What is significant is that it shows how far a particular type of fish will descend in the ocean,” said marine biologist Alan Jamieson, founder of the Minderoo-UWA Deep Sea Research Centre, who led the expedition.

These two fish were caught at a depth of just over 8,000 meters in the Japan Trench in the northern Pacific Ocean.

Scientists are filming in the trenches off Japan as part of a 10-year study into the deepest fish populations in the world. Snailfish are members of the Liparidae family, and while most snailfish live in shallow water, others survive at some of the greatest depths ever recorded, Jamieson said.

During the two-month survey last year, three “landers” – automatic sea robots fitted with high-resolution cameras – were dropped into three trenches – the Japan, Izu-Ogasawara and Ryukyu trenches – at varying depths.

In the Izu-Ogasawara trench, footage showed the deepest snailfish hovering calmly alongside other crustaceans on the seabed.

Jamieson classified the fish as a juvenile and said younger deep sea snailfish often stay as deep as possible to avoid being eaten by bigger predators that swim at shallower depths.

Another clip shot at between 7,500 and 8,200 meters in the same trench showed a colony of fish and crustaceans munching at bait tied to an undersea robot.

Images of the two captured snailfish – identified as Pseudoliparis belyaevi – provide a rare glimpse of the unique features that help the deep sea species survive the extreme environment.

They have tiny eyes, a translucent body, and their lack of swim bladder, which helps other fish float, works to their advantage, Jamieson said.

The professor said the Pacific Ocean is particularly conducive to vibrant activity due to its warm southern current, which encourages sea creatures to go deeper, while its abundant marine life provides a good source of food for bottom feeders.

Scientists would like to know more about creatures living at extreme depths, but cost is the constraint, Jamieson said, adding that each lander alone costs them $200,000 to assemble and operate.

“The challenges are that technology has been expensive and scientists don’t have a lot of money,” he said.


Pinduoduo: One of China’s most popular apps has the ability to spy on its users, say experts




It is one of China’s most popular shopping apps, selling clothing, groceries and just about everything else under the sun to more than 750 million users a month.

But according to cybersecurity researchers, it can also bypass users’ cell phone security to monitor activities on other apps, check notifications, read private messages and change settings.

And once installed, it’s tough to remove.

While many apps collect vast troves of user data, sometimes without explicit consent, experts say e-commerce giant Pinduoduo has taken violations of privacy and data security to the next level.

In a detailed investigation, CNN spoke to half a dozen cybersecurity teams from Asia, Europe and the United States — as well as multiple former and current Pinduoduo employees — after receiving a tipoff.

Multiple experts identified the presence of malware on the Pinduoduo app that exploited vulnerabilities in Android operating systems. Company insiders said the exploits were utilized to spy on users and competitors, allegedly to boost sales.

“We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to,” said Mikko Hyppönen, chief research officer at WithSecure, a Finnish cybersecurity firm.

“This is highly unusual, and it is pretty damning for Pinduoduo.”

Malware, short for malicious software, refers to any software developed to steal data or interfere with computer systems and mobile devices.

Evidence of sophisticated malware in the Pinduoduo app comes amid intense scrutiny of Chinese-developed apps like TikTok over concerns about data security.

Some American lawmakers are pushing for a national ban on the popular short-video app, whose CEO Shou Chew was grilled by Congress for five hours last week about its relations with the Chinese government.

The revelations are also likely to draw more attention to Pinduoduo’s international sister app, Temu, which is topping US download charts and fast expanding in other Western markets. Both are owned by Nasdaq-listed PDD, a multinational company with roots in China.

While Temu has not been implicated, Pinduoduo’s alleged actions risk casting a shadow over its sister app’s global expansion.

There is no evidence that Pinduoduo has handed data to the Chinese government. But as Beijing enjoys significant leverage over businesses under its jurisdiction, there are concerns from US lawmakers that any company operating in China could be forced to cooperate with a broad range of security activities.

Pinduoduo's parent company PDD is listed on the Nasdaq in New York.

The findings follow Google’s suspension of Pinduoduo from its Play Store in March, citing malware identified in versions of the app.

An ensuing report from Bloomberg said a Russian cybersecurity firm had also identified potential malware in the app.

Pinduoduo has previously rejected “the speculation and accusation that Pinduoduo app is malicious.”

CNN has contacted PDD multiple times over email and phone for comment, but has not received a response.

Pinduoduo, which boasts a user base that accounts for three quarters of China’s online population and a market value three times that of eBay (EBAY), wasn’t always an online shopping behemoth.

Founded in 2015 in Shanghai by Colin Huang, a former Google employee, the startup was fighting to establish itself in a market long dominated by e-commerce stalwarts Alibaba (BABA) and JD.com (JD).

It succeeded by offering steep discounts on friends-and-family group buying orders and focusing on lower-income rural areas.

Pinduoduo posted triple digit growth in monthly users until the end of 2018, the year it listed in New York. By the middle of 2020, though, the increase in monthly users had slowed to around 50% and would continue to decline, according to its earnings reports.

Colin Huang, a former Google employee, founded Pinduoduo in 2015 in Shanghai. He stepped down as CEO in 2020 and resigned as chairman the following year.

It was in 2020, according to a current Pinduoduo employee, that the company set up a team of about 100 engineers and product managers to dig for vulnerabilities in Android phones, develop ways to exploit them — and turn that into profit.

According to the source, who requested anonymity for fear of reprisals, the company only targeted users in rural areas and smaller towns initially, while avoiding users in megacities such as Beijing and Shanghai.

“The goal was to reduce the risk of being exposed,” they said.

By collecting expansive data on user activities, the company was able to create a comprehensive portrait of users’ habits, interests and preferences, according to the source.

This allowed it to improve its machine learning model to offer more personalized push notifications and ads, attracting users to open the app and place orders, they said.

The team was disbanded in early March, the source added, after questions about their activities came to light.

PDD didn’t reply to CNN’s repeated requests for comment on the team.

Approached by CNN, researchers from Tel Aviv-based cyber firm Check Point Research, Delaware-based app security startup Oversecured and Hyppönen’s WithSecure conducted independent analysis of the 6.49.0 version of the app, released on Chinese app stores in late February.

Google Play is not available in China, and Android users in the country download their apps from local stores. In March, when Google suspended Pinduoduo, it said it had found malware in off-Play versions of the app.

The researchers found code designed to achieve “privilege escalation”: a type of cyberattack that exploits a vulnerable operating system to gain a higher level of access to data than it’s supposed to have, according to experts.

“Our team has reverse engineered that code and we can confirm that it tries to escalate rights, tries to gain access to things normal apps wouldn’t be able to do on Android phones,” said Hyppönen.


The app was able to continue running in the background and prevent itself from being uninstalled, which allowed it to boost its monthly active user rates, Hyppönen said. It also had the ability to spy on competitors by tracking activity on other shopping apps and getting information from them, he added.

Check Point Research additionally identified ways in which the app was able to evade scrutiny.

The app deployed a method that allowed it to push updates without an app store review process meant to detect malicious applications, the researchers said.

They also identified in some plug-ins the intent to obscure potentially malicious components by hiding them under legitimate file names, such as Google’s.

“Such a technique is widely used by malware developers that inject malicious code into applications that have legitimate functionality,” they said.

Android targeted

In China, about three quarters of smartphone users are on the Android system. Apple (AAPL)’s iPhone has 25% market share, according to Daniel Ives of Wedbush Securities.

Sergey Toshin, the founder of Oversecured, said Pinduoduo’s malware specifically targeted different Android-based operating systems, including those used by Samsung, Huawei, Xiaomi and Oppo.

CNN has reached out to these companies for comment.

Toshin described Pinduoduo as “the most dangerous malware” ever found among mainstream apps.

“I’ve never seen anything like this before. It’s like, super expansive,” he said.

Most phone manufacturers globally customize the core Android software, the Android Open Source Project (AOSP), to add unique features and applications to their own devices.

Toshin found Pinduoduo to have exploited about 50 Android system vulnerabilities. Most of the exploits were tailor made for customized parts known as the original equipment manufacturer (OEM) code, which tends to be audited less often than AOSP and is therefore more prone to vulnerabilities, he said.

Pinduoduo also exploited a number of AOSP vulnerabilities, including one which was flagged by Toshin to Google in February 2022. Google fixed the bug this March, he said.

According to Toshin, the exploits allowed Pinduoduo access to users’ locations, contacts, calendars, notifications and photo albums without their consent. They were also able to change system settings and access users’ social network accounts and chats, he said.

Of the six teams CNN spoke to for this story, three did not conduct full examinations. But their primary reviews showed that Pinduoduo asked for a large number of permissions beyond the normal functions of a shopping app.

They included “potentially invasive permissions” such as “set wallpaper” and “download without notification,” said René Mayrhofer, head of the Institute of Networks and Security at the Johannes Kepler University Linz in Austria.

People using their phones on the Beijing subway in July 2022.

Disbanding the team

Suspicions about malware in Pinduoduo’s app were first raised in late February in a report by a Chinese cybersecurity firm called Dark Navy. Even though the analysis didn’t directly name the shopping giant, the report spread quickly among other researchers, who did name the company. Some of the analysts followed up with their own reports confirming the original findings.

Soon after, on March 5, Pinduoduo issued a new update of its app, version 6.50.0, which removed the exploits, according to two experts who CNN spoke to.

Two days after the update, Pinduoduo disbanded the team of engineers and product managers who had developed the exploits, according to the Pinduoduo source.

The next day, team members found themselves locked out of Pinduoduo’s bespoke workplace communication app, Knock, and lost access to files on the company’s internal network. Engineers also found their access to big data, data sheets and the log system revoked, the source said.

Most of the team were transferred to work at Temu. They were assigned to different departments at the subsidiary, with some working on marketing or developing push notifications, according to the source.

A core group of about 20 cybersecurity engineers who specialize in finding and exploiting vulnerabilities remain at Pinduoduo, they said.

Toshin of Oversecured, who looked into the update, said although the exploits were removed, the underlying code was still there and could be reactivated to carry out attacks.

Pinduoduo has been able to grow its user base against a backdrop of the Chinese government’s regulatory clampdown on Big Tech that began in late 2020.

That year, the Ministry of Industry and Information Technology launched a sweeping crackdown on apps that illegally collect and use personal data.

In 2021, Beijing passed its first comprehensive data privacy legislation.

The Personal Information Protection Law stipulates that no party should illegally collect, process or transmit personal information. They’re also banned from exploiting internet-related security vulnerabilities or engaging in actions that endanger cybersecurity.

Pinduoduo’s apparent malware would be a violation of those laws, tech policy experts say, and should have been detected by the regulator.

“This would be embarrassing for the Ministry of Industry and Information Technology, because this is their job,” said Kendra Schaefer, a tech policy expert at Trivium China, a consultancy. “They’re supposed to check Pinduoduo, and the fact that they didn’t find (anything) is embarrassing for the regulator.”

The ministry has regularly published lists to name and shame apps found to have undermined user privacy or other rights. It also publishes a separate list of apps that are removed from app stores for failing to comply with regulations.

Pinduoduo did not appear on any of the lists.

CNN has reached out to the Ministry of Industry and Information Technology and the Cyberspace Administration of China for comment.

On Chinese social media, some cybersecurity experts questioned why regulators haven’t taken any action.

“Probably none of our regulators can understand coding and programming, nor do they understand technology. You can’t even understand the malicious code when it’s shoved right in front of your face,” a cybersecurity expert with 1.8 million followers wrote last week in a viral post on Weibo, a Twitter-like platform.

The post was censored the next day.


April 3, 2023 – Russia-Ukraine news

German Chancellor Olaf Scholz on Monday assured Moldova of Berlin’s support on its path to accession to the European Union as Moldovan and American officials accuse Russia of trying to weaken the government in Chisinau.

“Moldova is part of our European family. In the summer, we granted it candidate status. And I very much welcome how resolutely Moldova has tackled the necessary reforms that are indispensable for EU accession,” Scholz told a news conference in Bucharest, Romania alongside Romanian President Klaus Iohannis and Moldovan President Maia Sandu. 

“Moldova can be sure of our support on this path. I assured the President [Sandu] of this once again today. Moldova does not stand alone, but receives massive international support,” the German chancellor continued.  

Scholz expressed “great concern” about reports of alleged Russian attempts to destabilize Moldova and said Germany would do its “utmost” to support Moldova in arming itself against “attempts of destabilization by Russia.” 

In February, Moldova’s President Sandu accused Russia of planning to use “saboteurs who have undergone military training and are disguised as civilians” to destabilize the country — claims which were rejected by Russia’s foreign ministry as “unfounded.”  

According to White House officials, the US believes that Russia is working to weaken the Moldovan government, as it continues to seek closer ties with the European Union. 

“The sovereignty and territorial integrity of any state is inviolable. This requirement of the Helsinki Final Act and other agreements under international law was also signed by Russia. And it is still valid. Therefore, we do our utmost to support Moldova in arming itself against attempts of destabilization by Russia,” Scholz said. 

Speaking at the same event, Sandu said that “it is very important, and I am happy that Moldova is a dialogue partner with Romania and Germany. The projects we are involved in together are very useful for our people and will strongly lead us to the accession (to the European Union).” 

CNN’s Radina Gigova, Anna Chernova and Natasha Bertrand contributed reporting to this post.


READ: Trump indictment related to hush money payment

