Killersites Community
LSW

Current Threats


WordPress iOS App Bug Leaked Secret Access Tokens to Third-Party Sites

https://thehackernews.com/2019/04/wordpress-ios-security.html

Quote

If you have a "private" blog with WordPress.com and are using its official iOS app to create or edit posts and pages, the secret authentication token for your admin account might have accidentally been leaked to third-party websites.

WordPress has recently patched a severe vulnerability in its iOS application that apparently leaked secret authorization tokens for users whose blogs were using images hosted on third-party sites, a spokesperson for Automattic confirmed to The Hacker News in an email.

Discovered by a team of WordPress engineers, the vulnerability resided in the way the WordPress iOS application was fetching images used by private blogs but hosted outside of WordPress.com, for example on Imgur or Flickr.

That means that if an image were hosted on Imgur, then when the WordPress iOS app attempted to fetch the image, it would send along a WordPress.com authorization token to Imgur, leaving a copy of the token in the access logs of Imgur's web server.

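The mechanism quoted above is a credential scoping bug: a bearer token meant for the WordPress.com API was attached to every image fetch, including ones to third-party hosts. The following is an added illustration (not code from the WordPress app or the article) of the leaky pattern beside a host-allowlisted one, run over a constructed private-post body; the allowlisted API hostnames and the sample URLs are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: only these HTTPS hosts may ever receive the account token.
TOKEN_ALLOWED_HOSTS = {"public-api.wordpress.com", "wordpress.com"}

IMG_SRC_RE = re.compile(r'<img[^>]+src="([^"]+)"', re.IGNORECASE)


def extract_image_urls(post_html: str) -> list:
    """Collect every <img src="..."> URL referenced by a post body."""
    return IMG_SRC_RE.findall(post_html)


def token_allowed_for(url: str) -> bool:
    """True only for HTTPS requests to an allowlisted first-party API host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in TOKEN_ALLOWED_HOSTS


def leaky_headers_for(url: str, token: str) -> dict:
    """The buggy pattern the article describes: the token rides on every fetch."""
    return {"User-Agent": "example-client/1.0", "Authorization": f"Bearer {token}"}


def scoped_headers_for(url: str, token: str) -> dict:
    """Hardened pattern: attach the token only when the destination is allowlisted."""
    headers = {"User-Agent": "example-client/1.0"}
    if token_allowed_for(url):
        headers["Authorization"] = f"Bearer {token}"
    return headers


def audit_fetches(post_html: str, token: str, header_fn) -> list:
    """Return the image URLs whose fetch would carry the token to a third-party host."""
    leaked = []
    for url in extract_image_urls(post_html):
        if "Authorization" in header_fn(url, token) and not token_allowed_for(url):
            leaked.append(url)
    return leaked


# Constructed sample: a private post mixing a first-party image with two external ones.
SAMPLE_POST = (
    '<p>Trip photos</p>'
    '<img src="https://wordpress.com/files/2019/04/cover.jpg">'
    '<img src="https://i.imgur.com/example1.png">'
    '<img src="https://live.staticflickr.com/example2.jpg">'
)

if __name__ == "__main__":
    print("leaky :", audit_fetches(SAMPLE_POST, "EXAMPLE_TOKEN", leaky_headers_for))
    print("scoped:", audit_fetches(SAMPLE_POST, "EXAMPLE_TOKEN", scoped_headers_for))
```

The audit function doubles as a regression check: any image URL it returns for the production header builder is a host whose access logs would end up holding the token.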

Millions of Facebook Records Found Unsecured on AWS

https://www.databreachtoday.com/millions-facebook-records-found-unsecured-on-aws-a-12337

Quote

Two third-party Facebook application developers exposed users' personal information by leaving the data exposed without a password in unsecured Amazon Web Services S3 buckets, researchers from the security firm UpGuard said Wednesday. One data set contained 540 million unsecured records, the report found. It's not clear how many users were affected.

For months, UpGuard researchers had attempted to contact the two companies about the exposed user data, but one firm did not remove the personally identifiable information from public view until Bloomberg contacted it about a story this week, UpGuard reports.

The second company has been out of business for several years, UpGuard found.

It's unclear if anyone attempted to access or steal this data before it was discovered, an UpGuard spokeswoman tells Information Security Media Group. It's also not known how long that data was stored without a password within AWS.



Researcher Reveals Multiple Flaws in Verizon Fios Routers — PoC Released

https://thehackernews.com/2019/04/verizon-wifi-router-security.html

Quote

A cybersecurity researcher at Tenable has discovered multiple security vulnerabilities in Verizon Fios Quantum Gateway Wi-Fi routers that could allow remote attackers to take complete control over the affected routers, exposing every other device connected to them.



Popular Video Editing Software Website Hacked to Spread Banking Trojan

https://thehackernews.com/2019/04/free-video-editing-malware.html

Quote

If you have downloaded the VSDC multimedia editing software between late February and late March this year, there is a high chance that your computer has been infected with a banking trojan and an information stealer.

The official website of the VSDC software — one of the most popular free video editing and converting apps, with over 1.3 million monthly visitors — was hacked, unfortunately once again.

According to a new report Dr. Web published today and shared with The Hacker News, hackers hijacked the VSDC website and replaced its software download links with ones leading to malware versions, tricking visitors into installing the dangerous Win32.Bolik.2 banking trojan and the KPOT stealer.

Even more ironic is that, despite being so popular among multimedia editors, the VSDC website is running and offering software downloads over an insecure HTTP connection.



Investigation results in banning of six fraudulent (yet popular) Android apps from the Play Store

https://www.techspot.com/news/79742-investigation-results-banning-six-fraudulent-popular-android-apps.html

Quote

In brief: An investigation conducted by Buzzfeed in collaboration with the security firms Check Point, Method Media Intelligence and ESET found that six apps published by DU Global were clicking on in-app ads to generate revenue illegally and without the user's knowledge. They also lied about their developer and country of origin, did not comply with GDPR regulation and asked for many dangerous permissions that are completely unnecessary for them to function. Combined, they have over 90 million downloads.

Needless to say, if you've downloaded any of them (Selfie Camera, Total Cleaner, Smart Cooler, RAM Master, AIO Flashlight and Omni Cleaner), delete them now. Thankfully Google removed them from the Play Store as soon as it was alerted.



Hackers Actively Exploiting Widely-Used Social Share Plugin for WordPress

https://thehackernews.com/2019/04/wordpress-plugin-hacking.html

Quote

Hackers have been found exploiting a pair of critical security vulnerabilities in a popular social media sharing plugin to take control over WordPress websites that are still running a vulnerable version of the plugin.

The vulnerable plugin in question is Social Warfare, a popular and widely deployed WordPress plugin with more than 900,000 downloads. It is used to add social share buttons to a WordPress website or blog.

Late last month, the maintainers of Social Warfare for WordPress released an updated version 3.5.3 of their plugin to patch two security vulnerabilities—stored cross-site scripting (XSS) and remote code execution (RCE)—both tracked by a single identifier, CVE-2019-9978.



Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension

https://thehackernews.com/2019/04/wordpress-woocommerce-security.html

Quote

If you own an eCommerce website built on WordPress and powered by the WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store.

A WordPress security company—called "Plugin Vulnerabilities"—that recently went rogue in order to protest against moderators of WordPress's official support forum has once again dropped details and a proof-of-concept exploit for a critical flaw in a widely-used WordPress plugin.

To be clear, the reported unpatched vulnerability doesn't reside in the WordPress core or the WooCommerce plugin itself.

Instead, the vulnerability exists in a plugin called WooCommerce Checkout Manager, which extends the functionality of WooCommerce by allowing eCommerce sites to customize forms on their checkout pages and is currently being used by more than 60,000 websites.



Over Dozen Popular Email Clients Found Vulnerable to Signature Spoofing Attacks

https://thehackernews.com/2019/04/email-signature-spoofing.html

Quote

A team of security researchers has discovered several vulnerabilities in various implementations of OpenPGP and S/MIME email signature verification that could allow attackers to spoof signatures on over a dozen popular email clients.

The affected email clients include Thunderbird, Microsoft Outlook, Apple Mail with GPGTools, iOS Mail, GpgOL, KMail, Evolution, MailMate, Airmail, K-9 Mail, Roundcube and Mailpile.

When you send a digitally signed email, it offers end-to-end authenticity and integrity of messages, assuring recipients that the email has actually come from you.

However, researchers tested 25 widely-used email clients for Windows, Linux, macOS, iOS, Android and the Web and found that at least 14 of them were vulnerable to multiple types of practical attacks in five categories, making spoofed signatures indistinguishable from valid ones even to an attentive user.



New Class of CPU Flaws Affect Almost Every Intel Processor Since 2011

https://thehackernews.com/2019/05/intel-processor-vulnerabilities.html

Quote

Academic researchers today disclosed details of the newest class of speculative execution side-channel vulnerabilities in Intel processors, which impacts all modern chips, including the chips used in Apple devices.

After the discovery of the Spectre and Meltdown processor vulnerabilities earlier last year, which put practically every computer in the world at risk, different classes of Spectre and Meltdown variations surfaced again and again.

Now, a team of security researchers from multiple universities and security firms has discovered different but more dangerous speculative execution side-channel vulnerabilities in Intel CPUs.

The newly discovered flaws could allow attackers to directly steal user-level as well as system-level secrets from CPU buffers, including user keys, passwords, and disk encryption keys.

