- FitMetrix: a fitness software provider, had an open Elasticsearch database exposing user data of millions (exact number unknown).
- US Department of Defense: personal information and credit card details of 30,000 employees were compromised through a third-party service provider.
- DonaldDaters: a recently launched dating app for Trump supporters, had an open database exposing personal information, session tokens and private messages.
- 35 million US voter records were found for sale on a hacking forum.
This is as painful as they come. You tell the server "I'm authenticated, really!", and it goes "I believe you, come on in!". ... You'll want to check if you run libssh in your infrastructure and patch.
This is an update on the "View As" vulnerability. The attackers stole regular contact information from one half of the users impacted, but far more from the other ~14 million people, including the most recent locations they've checked in at, their most recent searches, and more.
Cross fingers that no serious vulnerability gets found after New Year's, I guess?
This is a collective decision by Microsoft, Google, Apple, and Mozilla. TLS 1.2 and 1.3 are so prevalent that the fallout should be minimal.
Another passcode bypass, discovered by the same person who found the last one. Looking at the steps involved, I'm curious how he finds these vulnerabilities; kudos to him.
The arrest happened in my home country of Belgium, no less. The intelligence officer recruited engineers from US aviation firms to travel to China and hand over blueprints.
This was previously launched for EU users, under the GDPR, but is now also available to the US.
He's patched over 100,000 vulnerable routers, leaving a note about the fixed vulnerability and a Telegram channel for questions. A vigilante with a helpline, I can't help but get a kick out of it.
If you're into the WordPress ecosystem: this site aggregates WordPress-related security news in daily or weekly e-mails and feeds.
Fun article on how the author went about hacking the Android payment app for this vending machine.
Fantastic post, going through every step of a TLS connection, showing every byte that's involved and explaining what it does.
I use 1Password to securely share passwords and notes with my colleagues. Can't recommend them enough and I'm super honoured to have them as a sponsor.
Both startups and enterprises use Templarbit to protect their web applications, APIs and microservices. Run a next-gen WAF or ship a smart Content Security Policy workflow in minutes.