#ios

An older version of Shein's Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022. Shein, originally named ZZKKO, is a Chinese online fast

By Waqas A hacker on a popular forum is claiming to have stolen Acer Inc.'s data in mid-February 2023. This is a post from HackRead.com Read the original post: Acer Data Breach? Hacker Claims to Sell 160GB Trove of Stolen Data

By Waqas This phishing scam exploits the popularity of the AI-based ChatGPT chatbot to steal funds and harvest the personal and financial details of users. This is a post from HackRead.com Read the original post: Alert: Scammers Pose as ChatGPT in New Phishing Scam

FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in `users/_/log_api.txt` in the case where the authentication fails. The issues occurs in `authorizationToUser()` in `greader.php`. If there is an issue with the request or the credentials, `unauthorized()` or `badRequest()` is called. Both these functions are printing the return of `debugInfo()` in the logs. `debugInfo()` will return the content of the request. By default, this will be saved in `users/_/log_api.txt` and if the const `COPY_LOG_TO_SYSLOG` is true, in syslogs as well. Exploiting this issue requires having access to logs produced by FreshRSS. Using the information from the logs, a malicious individual could get users' API keys (would be displayed if the users fills in a bad username) or passwords.

Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to multiple use-after-free conditions.

A group of researchers has revealed what it says is a vulnerability in a specific implementation of CRYSTALS-Kyber, one of the encryption algorithms chosen by the U.S. government as quantum-resistant last year. The exploit relates to "side-channel attacks on up to the fifth-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU," Elena Dubrova, Kalle Ngo, and Joel Gärtner of KTH

KioWare through 8.33 on Windows sets KioScriptingUrlACL.AclActions.AllowHigh for the about:blank origin, which allows attackers to obtain SYSTEM access via KioUtils.Execute in JavaScript code.

Categories: Awareness Categories: News Tags: travel Tags: safe Tags: devices Tags: VPN Tags: backups Tags: connections Tags: updates Here are some cybersecurity tips to keep you safe while you travel. (Read more...) The post 8 cybersecurity tips to keep you safe when travelling appeared first on Malwarebytes Labs.

Categories: News The most interesting security related news from the week of February 27 to March 5. (Read more...) The post A week in security (February 27 - March 5) appeared first on Malwarebytes Labs.

### Summary Directus versions <=9.22.4 is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls that were implemented to patch vulnerability [CVE-2022-23080](https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2934713) by performing a [DNS rebinding attack](https://en.wikipedia.org/wiki/DNS_rebinding) and view sensitive data from internal servers or perform a local port scan (eg. can access internal metadata API for AWS at `http://169.254.169.254` event if `169.254.169.254` is in the deny IP list). ### Details DNS rebinding attacks work by running a DNS name server that resolves two different IP addresses when a domain is resolved simultaneously. This type of attack can be exploited to bypass the IP address deny list validation that was added to [`/api/src/services/file.ts`](https://github.com/directus/directus/blob/main/api/src/services/files.ts) for the function `importOne` t...