Security
Headlines

Tag

#android

Facebook spied on Snapchat users to get analytics about the competition

Facebook is accused of using potentially criminal methods to spy on Snapchat users to gain a commercial advantage over its competition.

Malwarebytes
#web #ios #android #amazon #ssl
Google TAG Reports Zero-Day Surge and Rise of State Hacker Threats

By Waqas

Google’s Threat Analysis Group (TAG) reports a concerning rise in zero-day exploits and increased activity from state-backed hackers.… This is a post from HackRead.com.

Disturbing robocaller fined $9.9 million

A robocaller that spoofed a local phone number and presented his targets with inflammatory and disturbing content has received a hefty fine.

Apple Chip Flaw Leaks Secret Encryption Keys

Plus: The Biden administration warns of nationwide attacks on US water systems, a new Russian wiper malware emerges, and China-linked hackers wage a global attack spree.

GHSA-wfgj-wrgh-h3r3: SSRF Vulnerability on assetlinks_check(act_name, well_knowns)

### Summary

While examining the "App Link assetlinks.json file could not be found" vulnerability detected by MobSF, we, as the Trendyol Application Security team, noticed that a GET request was sent to the "/.well-known/assetlinks.json" endpoint for all hosts written with "android:host" in the AndroidManifest.xml file. Since MobSF does not perform any input validation when extracting the hostnames in "android:host", requests can also be sent to local hostnames. This may cause an SSRF vulnerability.

### Details

Example <intent-filter> structure in AndroidManifest.xml:

```
<intent-filter android:autoVerify="true">
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:host="192.168.1.102/user/delete/1#" android:scheme="http" />
</intent-filter>
```

We defined it as android:host="192.168.1.102/user/delete/1#". Here, the "#" character at the end of the hos...

Canada revisits decision to ban Flipper Zero

Since the main reason for the ban was to prevent car thefts that didn't happen, we're happy to see the change of heart.

Apple's iMessage Encryption Puts Its Security Practices in the DOJ's Crosshairs

Privacy and security are an Apple selling point. But the DOJ’s new antitrust lawsuit argues that Apple selectively embraces privacy and security features in ways that hurt competition—and users.

Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds

The company behind the Saflok-brand door locks is offering a fix, but it may take months or years to reach some hotels.

New Malware “BunnyLoader 3.0” Steals Credentials and Crypto

By Waqas

Another day, another cybersecurity threat hits unsuspecting users! This is a post from HackRead.com.

Siemens SIMATIC

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC
Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Missing Encryption of Sensitive Data, Incorrect Permission Assignment for Critical Resource, Expected Behavior Violation, Improper Authentication, Out-of-bounds Write, Use After Free, Inadequate Encryption Strength, Use of Insufficiently Random Values, Incorrect Authorization, Improper Locking, Improper Restriction of Rendered UI Layers or Frames, Improper Privilege Management, Missing Authorization, Cleartext Storage of Sensitive ...