These tokens can be easily found and retrieved. This gives the attacker access to the underlying Twilio account, and with it to conversations, text messages and metadata.
FaceID is under some scrutiny after a research firm created a mask to fool it.
The article also mentions a YouTube video where a son can unlock his mom's phone using his face, although Apple does warn that siblings have a better chance of defeating the lock.
One library that helps to show those cookie warnings was found to host an in-browser Monero miner. It was discovered first on the site of Albert Heijn, the biggest Dutch supermarket chain.
In large part because most standard phishing kits gather the same data as Gmail uses to verify logins, like geolocation and phone numbers, which can be spoofed. The original paper can be read here.
One fun fact to also come out of the study: 47% of studied phishing kits came from Nigeria, with 11% from the US as runner-up.
This is to stop the massive rounds of ransomware attacks on unsecured MongoDB instances. Any new installation will bind to localhost only. When you enable network access, you will still have to enable authentication yourself. They hope that this conscious step helps more engineers do the right thing.
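As an added example (not from the item above or from the MongoDB project), here is a small audit script that reads a mongod.conf and flags the combination the ransomware rounds exploited: reachable from non-loopback addresses while authentication is off. It assumes the real mongod.conf keys `net.bindIp`, `net.bindIpAll` and `security.authorization`, and that a missing `bindIp` means the localhost-only default of newer installs; the two config samples and the 10.0.0.5 address are constructed, and the parser only handles the plain "key: value" YAML subset a mongod.conf normally uses, so no third-party library is needed.

```python
"""Audit a mongod.conf for network exposure vs. authentication (added example)."""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Parse nested 'key: value' YAML (two-space indents) into dicts.

    Only scalars and nested mappings are supported, which is enough for the
    settings audited here; comments and blank lines are skipped."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:
            stack.pop()  # back out to the enclosing mapping
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def is_exposed(conf):
    """True if mongod listens on anything other than loopback addresses."""
    net = conf.get("net", {})
    if str(net.get("bindIpAll", "false")).lower() == "true":
        return True
    # Assumption: no bindIp means the localhost-only default of newer releases.
    bind = net.get("bindIp", "127.0.0.1")
    addrs = {a.strip() for a in bind.split(",")}
    return not addrs <= LOOPBACK


def auth_enabled(conf):
    """security.authorization defaults to disabled when absent."""
    auth = conf.get("security", {}).get("authorization", "disabled")
    return str(auth).lower() == "enabled"


def audit(conf_text):
    """Return a list of findings for the given mongod.conf text."""
    conf = parse_simple_yaml(conf_text)
    exposed, auth = is_exposed(conf), auth_enabled(conf)
    if exposed and not auth:
        return ["CRITICAL: reachable from non-loopback addresses without authentication"]
    if exposed:
        return ["INFO: exposed on the network with authentication enabled; verify firewalling and TLS"]
    if not auth:
        return ["WARN: localhost-only but authentication disabled; enable it before exposing"]
    return []


# Constructed sample: the kind of deployment the ransomware rounds hit.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: exposed on purpose, but only with authorization on.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal interface (constructed)
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("empty", "")):
        print(name, audit(conf))
```

An empty config is treated as the new localhost-only default, which still yields a warning because authentication is off; that mirrors the point that binding to localhost alone is not the end of the hardening work.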
Update all the things
- Adobe released patches for Flash and Reader, fixing 56 vulnerabilities, most of which are remote code execution. One wonders if there is any original code left in those applications. link
- Microsoft releases 53 fixes, 25 of them for remote code execution bugs: link.
It includes a fix for a 17-year-old bug that was found in an old Office tool, left in for backwards compatibility. More info on that here.
- CouchDB has released updates containing critical fixes: link.
There is a lot of security concern about Intel's Management Engine and Minix, the mini-OS that apparently ships with Intel chipsets. I haven't been able to figure out the implications completely, but this article does a decent job of writing up what we know so far.
He makes the all-too-true point that IoT is essentially in everything these days, even cars, yet most manufacturers have neither the means nor the urgency to handle security properly.
Long but interesting read where the NY Times digs into the effect the Shadow Brokers had on the NSA. In short: they still don't know whether it was a hack or an inside job, morale is seriously hurting, and ongoing operations have been severely impacted.
WAFs are a good security measure, but the security of your web applications should not depend on them alone. Watch this demo on Paul’s Security Weekly, during which a researcher from Netsparker explains and demos how modern web application firewalls can be bypassed.