Security
Headlines
HeadlinesLatestCVEs

Tag

#web

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies. Last year, 74 vulnerabilities were classified as trending (to compare the scale, just over 40,000 were added to NVD in 2024). All trending vulnerabilities are found in Western commercial products and open source projects. This year, the vulnerabilities of domestic Russian […]

Alexander V. Leonov
Open in Source
#vulnerability#web#windows#microsoft#linux#apache#git#wordpress#php#rce#vmware#blog
Your location or browsing habits could lead to price increases when buying online

Companies are showing customers different prices for the same goods and services based what data they have on them, including details like their precise location or browser history.

Fintech Bill Pay Platform “Willow Pays” Exposes Over 240,000 Records

Security researcher discovers a non-password-protected database containing over 240,000 records belonging to US-based FinTech bill payment platform Willow…

Telegram-Based “Sneaky 2FA” Phishing Kit Targets Microsoft 365 Accounts

Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.…

A week in security (January 13 – January 19)

Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!

Hackers Claim Breach of Hewlett Packard Enterprise, Lists Data for Sale

Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and…

How to Get Around the US TikTok Ban

TikTok is now unavailable in the United States—and getting around the ban isn’t as simple as using a VPN. Here’s what you need to know.

15K Fortinet Device Configs Leaked to the Dark Web

The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.

GHSA-fcr8-4r9f-r66m: nbgrader's `frame-ancestors: self` grants all users access to formgrader

### Impact Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`. #1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice's page is on the same Origin as the formgrader iframe, Javasript on Alice's page has _full access_ to the contents of the page served by formgrader using Bob's credentials. ### Workarounds - Disable `frame-ancestors: self`, or - enable per-user and per-service subdomains with `JupyterHub.enable_subdomains = True` (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame). ### References JupyterHub documentation on why and when `frame-ancestors: self` is insecure...

WhatsApp spear phishing campaign uses QR codes to add device

A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...