The letter outlined not only the improper access engineers had to WhatsApp user data, but a variety of other shortcomings, including a “failure to inventory user data,” as required under privacy laws in California, the European Union, and the FTC settlement, failure to locate data storage, an absence of systems for monitoring user data access,… Read More »
Cloudflare on Thursday acknowledged this failure, writing: We failed three times. The first time because 1.1.1.1 is an IP certificate and our system failed to alert on these. The second time because even if we were to receive certificate issuance alerts, as any of our customers can, we did not implement sufficient filtering. With the… Read More »
Representatives from Google and Mozilla said in emails that their Chrome and Firefox browsers have never trusted the certificates, and there was no need for users to take any action. An Apple representative responded to an email with this link to a list of certificate authorities Safari trusts. Fina was not included. It wasn’t immediately… Read More »
Google is advising users of the Salesloft Drift AI chat agent to consider all security tokens connected to the platform compromised following the discovery that unknown attackers used some of the credentials to access email from Google Workspace accounts. In response, Google has revoked the tokens that were used in the breaches and disabled integration… Read More »
The maker of Passwordstate, an enterprise-grade password manager for storing companies’ most privileged credentials, is urging them to promptly install an update fixing a high-severity vulnerability that hackers can exploit to gain administrative access to their vaults. The authentication bypass allows hackers to create a URL that accesses an emergency access page for Passwordstate. From… Read More »
Don’t believe everything you read—especially when it’s part of a marketing pitch designed to sell security services. The latest example of the runaway hype that can come from such pitches is research published today by SquareX, a startup selling services for securing browsers and other client-side applications. It claims, without basis, to have found a… Read More »
US Senator Ron Wyden accused the federal judiciary of “negligence and incompetence” following a recent hack, reportedly by hackers with ties to the Russian government, that exposed confidential court documents. The breach of the judiciary’s electronic case filing system first came to light in a report by Politico three weeks ago, which went on to… Read More »
BI.ZONE said the Paper Werewolf delivered the exploits in July and August through archives attached to emails impersonating employees of the All-Russian Research Institute. The ultimate goal was to install malware that gave Paper Werewolf access to infected systems. While the discoveries by ESET and BI.ZONE were independent of each other, it’s unknown if the… Read More »
Two years ago, researchers in the Netherlands discovered an intentional backdoor in an encryption algorithm baked into radios used by critical infrastructure–as well as police, intelligence agencies, and military forces around the world–that made any communication secured with the algorithm vulnerable to eavesdropping. When the researchers publicly disclosed the issue in 2023, the European Telecommunications… Read More »
The obfuscated code inside an .svg file downloaded from one of the porn sites. Credit: Malwarebytes The obfuscated code inside an .svg file downloaded from one of the porn sites. Credit: Malwarebytes Once decoded, the script causes the browser to download a chain of additional obfuscated JavaScript. The final payload, a known malicious script called… Read More »