The security thread
- 39 Responses
- sted0
ethereum.org forum
On December 16, we were made aware that someone had recently gained unauthorized access to a database from forum.ethereum.org. We immediately launched a thorough investigation to determine the origin, nature, and scope of this incident. Here is what we know:
- Continuity1
'WhatsApp backdoor allows snooping on encrypted messages'
- whatsapp is owned by facebook, is anyone really surprised?hans_glib
- Oh, no, certainly not surprised. Indeed, this vulnerability has been known for some time, according to the article. This is more of a PSA on my part.Continuity
- Bennn0
seriously, I don't care if the gov is spying on my sms... what I say over there is very uninteresting... like making jokes to my gf, asking her what's for dinner or "want me to buy tickets for this show"
I'm using Signal anyway because I like it.
- but I get the point tho. I know.Bennn
- http://i.imgur.com/F…moldero
- What? No sexts? How boring :)ETM
- section_0140
If you're up to some dubious shit, and you're communicating over the web, you're not using WhatsApp or facebook messenger. Unless you're a moron of course.
Serious criminals will be bouncing encrypted messages off of multiple proxies at minimum. Probably with custom software for reading/writing messages.
- sted2
Amazon.
Change your passwords around amazon systems from all amazon sites to AWS accounts. No official info yet but there is a huge database for sale, with aws security credentials.
- Ooft, that'll torpedo Bezos massively, if true - especially where AWS is concerned.detritus
- I just changed it like 2 weeks ago! Is this a separate breach from the big one last month?sarahfailin
- yes, they released some parts of the db to prove that it's realsted
- They can only hack your account *IF* you change your password... dun dun dunrobthelad
- sted0
A report by security firm UpGuard's Cyber Risk Team suggests the personal information of almost 62% of the United States' population was leaked as a result of a configuration error by a marketing firm employed by the Republican National Committee (RNC).
- Gnash0
https://www.macrumors.com/2017/1…
There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.
- monNom1
Do you use 3rd party/open-source scripts in your website and application builds? Should you trust them?
This guy lays out a shockingly simple method to spread malware and steal user data by taking advantage of developer laziness: Offer free opensource plugins, npm dependencies, etc.
- Related: Hotjar said recently they will stop collecting keystrokes and form-input data in their recordings. I.e.: your analytics was/is keylogging your users.monNom
- sted0
A game named Valorant, which is currently under development and runs on Windows systems, is being used as bait in a campaign that targets Android devices. In the campaign, YouTube videos are being used to promote what is alleged to be a mobile version of the game, available for Android and iOS devices. The videos are complete with fake user reviews and comments. Potential victims are directed to a website that is a spoofed version of the actual Valorant site. Two download links are provided on the spoofed site, one for the iOS version, the other for the Android version. If the iOS link is clicked, the user is redirected to an affiliate site. If the Android link is clicked, and the Android device is configured to allow installation of apps outside of Google Play, the fake app will be installed. When the app is executed it imitates the game's loading screen but informs the victim the game needs to be unlocked, which requires downloading another two apps. If the infection process is completed and the Android.FakeApp.176 payload is installed, the victim is redirected to the same affiliate site the iOS devices are directed to.
- sted1
An unpatched vulnerability in Apple's Safari web browser could be exploited to allow for the transfer of local files from a victim's machine or mobile device. Although Apple requested the researcher to hold off on disclosing the vulnerability, the researcher felt the timeline for a patch was too long. Apple stated it would not release a patch until Spring 2021. The vulnerability abuses the Web Share API, which allows users to share links from Safari through third-party applications. Using the "file:" scheme, an attacker could pass a link to the navigator.share function containing a file from the user file system. To perform the attack, a user must be compelled to visit a malicious website and perform actions detailed on that website. The researcher provided a proof-of-concept with an innocuous image file, which he urged visitors to share amongst their friends. Upon pressing the share button, the user is presented with various ways by which to share the image. Should the user choose email, the code, image URL, and an arbitrary file are attached. Additionally, he was able to demonstrate the stealing of the passwd file. In some cases, the victim may not notice the attachment or the name of the attachment may not be displayed, giving the attacker a slight advantage as the attachment could be out of sight on the victim's screen. The victim would need to scroll down to see the attached file. This vulnerability affects devices running iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1, and macOS Catalina 10.15.5 with Safari 13.1.1. Further details can be found in the links located within the Reference section below.
- Boring. If there is no RCE, move on. If they want the /etc/passwd they could just ask, those are only system users...grafician
- imbecile0
I thought they shut down...
-
Dear Barnes & Noble Customer,
It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.
We write now out of the greatest caution to let you know how this may have exposed some of the information we hold of your personal details.
Firstly, to reassure you, there has been no compromise of payment card or other such financial data. These are encrypted and tokenized and not accessible. The systems impacted, however, did contain your email address and, if supplied by you, your billing and shipping address and telephone number. We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility. We give below answers to some frequently asked questions.
We take the security of our IT systems extremely seriously and regret sincerely that this incident has occurred. We know also that it is concerning and inconvenient to receive notices such as this. We greatly appreciate your understanding and thank you for being a Barnes & Noble customer.
Barnes & Noble
FAQ
1. Have my payment details been exposed?
No, your payment details have not been exposed. Barnes & Noble uses technology that encrypts all credit cards and at no time is there any unencrypted payment information in any Barnes & Noble system.
2. Could a transaction be made without my authorization?
No, no financial information was accessible. It is always encrypted and tokenized.
3. Was my email compromised?
No. Your email was not compromised as a result of this attack. However, it is possible that your email address was exposed and, as a result, you may receive unsolicited emails.
4. Was any personal information exposed due to the attack?
While we do not know if any personal information was exposed as a result of the attack, we do retain in the impacted systems your billing and shipping addresses, your email address and your telephone number if you have supplied these.
5. Do you retain any other information in the impacted systems?
Yes, we also retain your transaction history, meaning purchase information related to the books and other products that you have bought from us.
- sted2
Move your private projects out of github, entire source was leaked, breach is expected.
- sted0
godaddy,
linode,
linux dedicated servers hacked, details soon.
- sted0
gotoassist hacked, user details with password leaked.
- cherub0
I'm new to html forms, and this is my first time doing backend stuff. I am using a simple html form to plug into my action php
Simple question.
What is the general consensus?
Is GET more insecure, or POST?
why?
- POST doesn't show the data in the URL.uan
- ^that's what I read too. And apparently bots can mess with your form if you use GET? Or something like that?cherub
- bots and humans. you can hack both...you can try sql commands in the form to hack into the site if you want.uan
- that's why using the wp default login is a better idea...all the known attacks are covered.uan
- Always sanitize your inputs to filter XSS and SQL injection and use SSL/TLSspot13
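The replies above (POST rather than GET, resisting SQL commands typed into the form, XSS, TLS) pulled together in one form handler. This is an added example, not code from the thread; the `comments` table, the SQLite DSN and the `csrf` field name are assumptions.

```php
<?php
// Added example (not from the thread): a minimal action.php that applies the
// advice in the replies. Assumes a table `comments(author, body)` and that the
// page showing the form stored bin2hex(random_bytes(32)) in $_SESSION['csrf']
// and echoed it into a hidden <input name="csrf">. All of these are hypothetical.
declare(strict_types=1);

// 1. Accept only POST. With GET the field values sit in the URL, so they land in
//    browser history, server access logs and the Referer header sent to other sites.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

// 2. Require TLS so the submitted values are not readable on the wire.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('HTTPS required');
}

// 3. A per-session CSRF token is what stops other sites (or bots) from
//    submitting this form on a logged-in user's behalf; POST alone does not.
session_start();
if (!isset($_POST['csrf'], $_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// 4. Validate shape and length server side; the HTML form's own limits are not enforced.
$author = trim((string) ($_POST['author'] ?? ''));
$body   = trim((string) ($_POST['body'] ?? ''));
if ($author === '' || strlen($author) > 64 || $body === '' || strlen($body) > 2000) {
    http_response_code(400);
    exit('Invalid input');
}

// 5. A prepared statement keeps user text as data: "SQL commands in the form"
//    are stored literally instead of being executed.
$pdo = new PDO('sqlite:' . __DIR__ . '/comments.db'); // hypothetical DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$stmt->execute([':author' => $author, ':body' => $body]);

// 6. Escape on output, not on input: this is the step that prevents stored XSS
//    when the text is rendered back into HTML.
echo '<p>Thanks, ' . htmlspecialchars($author, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
```

Switching the form's `method` to `post` only moves the data out of the URL; steps 3, 5 and 6 are what actually close the injection and cross-site submission problems the replies mention.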