Issue 61


OnePlus credit card breach impacts up to 40k users

The attacker breached their web server and injected a script in the checkout page that recorded credit cards. Anyone who entered their credit card info on between November 2017 and January 11, 2018 may be affected.


EFF and Lookout report on massive malware campaign dubbed Dark Caracal

It seems to be a very sophisticated malware-for-hire distribution, active since 2012 and used, this time, by the Lebanese government. Which was found out because of sloppy security work on their own part, funnily enough. The full 51-page report is a nice read too.


Remote code execution vulnerability in Electron software framework (Slack, Skype, Twitch, Atom, ...)

It doesn't affect all Electron apps, only Windows-based ones that register themselves to handle custom protocol formats like myapp://. Update when needed though. Windows Defender has also been updated to detect exploit attempts.


iMessage bug "chaiOS" freezes and crashes your iPhone or Mac

The only way to recover is restoring your phone to factory settings. Updates for both platforms are underway.


Reddit rolls out 2FA to all its users

It's still a bit rough around the edges, like you can't select 'Remember device', for example. But good news nonetheless.


Introducing Chronicle, a new Alphabet company in cybersecurity

It's a graduate of Google's (Alphabet's) X program. It aims to detect hacking attempts much sooner, before the real damage is done.


Meltdown and Spectre, explained

A long but amazing blogpost, taking its time to explain Spectre and Meltdown properly.


Bypassing Cloudflare using Internet-wide scan data

An well written bit of research on how attackers can still get your IP address, even when you're behind Cloudflare (so you can still be attacked directly without Cloudflare protecting you).


Top 12 DDoS attack types

Nice succinct list of various types of DDoS attacks that happen today, with a short explanation.



Bypassing web application firewalls

WAFs are a good security measure but the security of your web applications should not solely depend on it. Watch this demo on Paul’s Security Weekly during which a researcher from Netsparker explains and demos how modern web application firewalls can be bypassed.