Interesting bug: by using the <audio> tag and the range parameter from inside a service worker, a site could remotely load any content from any other site, bypassing CORS (Cross-Origin Resource Sharing) completely. Several browsers were vulnerable at some point, but only Edge was still affected. You can find the technical write-up here.
Nothing groundbreaking after all the unsecured MongoDB and Redis instances, but a good reminder to make sure you secure your Firebase implementation properly.
Using just the public key or key ID, one could spoof a digital signature that the PGP implementation would accept as valid. Lots of tools have received patches.
DNS Rebinding is getting more attention these days. The article explains the vulnerability well, and shows how a researcher was able to use it to remotely control Google Home, Roku and Sonos devices.
gVisor is a sandbox system to run untrusted containers in isolation, integrated with Docker and Kubernetes.
It has been known in forensics for years, so consider it more of a heads-up: when using QuickLook or Finder on files stored on an encrypted drive, the thumbnail (for both images and documents) can be stored in an unencrypted location.
Interesting blog post on the upcoming iOS feature that auto-fills two-factor SMS tokens. It would be a great convenience, but it might also come with risks.
WAFs are a good security measure, but the security of your web applications should not depend solely on them, because they can be bypassed. Watch this demo on Paul’s Security Weekly, in which a researcher from Netsparker explains and demonstrates how modern web application firewalls can be defeated.
Fleetsmith just launched new security features: remote lock and wipe of employees' devices and kernel extension whitelisting. You can also escrow each Mac's FileVault recovery key, and enforce a company policy for password and screen saver settings. I use Fleetsmith every day, much recommended :)