Tag
#mac
### Summary

The `CacheHandler` class creates a cache file to store the auth token here: https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98

The file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. I think `600` is a sensible default.

### Details

This leads to overly broad exposure of the Spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token.

### PoC

Run an application that uses spotipy with client creation like this:

```python
from pathlib import Path
import spotipy
from os import getenv

def create_spotify_client(client_id: str, client_secret: str) -> spotipy.Spotify:
    """Create and return an auth...
```
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
The Have I Been Pwned (HIBP) website has significantly expanded its database with hundreds of millions of newly compromised credentials extracted by hackers through infostealer logs.
Universities and government organizations in North America and Asia have been targeted by a previously undocumented Linux malware called Auto-Color between November and December 2024, according to new findings from Palo Alto Networks Unit 42. "Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized
Cybersecurity researchers have flagged an updated version of the LightSpy implant that comes equipped with an expanded set of data collection features to extract information from social media platforms like Facebook and Instagram. LightSpy is the name given to a modular spyware that's capable of infecting both Windows and Apple systems with an aim to harvest data. It was first documented in
Opposition activists in Belarus as well as Ukrainian military and government organizations are the target of a new campaign that employs malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader. The threat cluster has been assessed to be an extension of a long-running campaign mounted by a Belarus-aligned threat actor dubbed Ghostwriter (aka Moonscape,
Chinese Silver Fox APT exploits trojanized medical imaging software to spread ValleyRAT malware, posing a serious threat to…
An alleged job scam, led by “Aiden” from “OpenAI,” recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED.
In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time.
The stolen information included listed contacts, call logs, text messages, photos, and the device’s location.