Security
Headlines
HeadlinesLatestCVEs

Tag

#git

New FakeCall Malware Variant Hijacks Android Devices for Fraudulent Banking Calls

Cybersecurity researchers have discovered a new version of a well-known Android malware family dubbed FakeCall that employs voice phishing (aka vishing) techniques to trick users into parting with their personal information. "FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming

The Hacker News
Open in Source
#android#google#git#auth#The Hacker News
NAKIVO Backup for MSP: Best Backup Solution for MSPs

Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client…

Half of Online Child Grooming Cases Now Happen on Snapchat, Reports UK Charity

Online grooming crimes against children have reached a record high, with Snapchat being the most popular platform for…

EmeraldWhale's Massive Git Breach Highlights Config Gaps

The large-scale operation took advantage of open repositories, hardcoded credentials in source code, and other cloud oversights.

GHSA-cwgg-57xj-g77r: changedetection.io Path Traversal

### Summary When a WebDriver is used to fetch files source:file:///etc/passwd can be used to retrieve local system files, where the more traditional file:///etc/passwd gets blocked ### Details The root cause is the payload source:file:///etc/passwdpasses the regex [here](https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/model/Watch.py#L19) and also passes the check [here](https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/processors/__init__.py#L35) where a traditional file:///etc/passwd would get blocked ### PoC [CL-ChangeDetection.io Path Travsersal-311024-181039.pdf](https://github.com/user-attachments/files/17591630/CL-ChangeDetection.io.Path.Travsersal-311024-181039.pdf) ### Impact It depends on where the webdriver is deployed but generally this is a high impact vulnerability

GHSA-qm92-93fv-vh7m: Path traversal in oak allows transfer of hidden files within the served root directory

### Summary By default `oak` does not allow transferring of hidden files with `Context.send` API. However, this can be bypassed by encoding `/` as its URL encoded form `%2F`. ### Details 1.) Oak uses [decodeComponent](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25) which seems to be unexpected. This is also the reason why it is not possible to access a file that contains URL encoded characters unless the client URL encodes it first. 2.) The function [isHidden](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125) is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from `subdir/.env`. ### PoC ```ts // server.ts import { Application } from "jsr:@oak/[email protected]"; const app = new Application(); app.use(async (context, next) => { try { await context.send({ root: './root', hidden: false, // default }); } catch { await ...

OWASP Releases AI Security Guidance

OWASP has released guidance materials addressing how to respond to deepfakes, AI security best practices, and how to secure open source and commercial generative AI applications.

4 Main API Security Risks Organizations Need to Address

Misconfigurations, weak authentication, and logic flaws are among the main drivers of API security risks at many organizations.

IT Security Centralization Makes the Use of Industrial Spies More Profitable

As organizations centralize IT security, the risk of espionage is silently becoming a more profitable threat.