Application Security news, articles & updates | SC Media

Application Security

Device owners demand opt-out power from COVID-19 contact tracing apps

To encourage widespread acceptance of Bluetooth-based COVID-19 contact tracing applications, developers should allow consumers to opt out of data sharing at any time, and they should also be more forthcoming about their security efforts and data usage, according to the results of a new survey. For the study, Checkmarx polled 1,500 Americans and found that…

Salt exploit attacks expose underestimated threat vector: Infrastructure-as-Code tools

Malicious actors have pounced on a pair of critical vulnerabilities found in SaltStack’s open-source, event-based IT automation and configuration management tool Salt. In a series of quick strikes over the weekend, one or more attackers exploited the flaws — disclosed and patched just days earlier — to compromise the “Salt master” servers of several prominent users,…

Two information-disclosing bugs found in Twitter Android

In the span of five days, reports of two Twitter Android app vulnerabilities have surfaced: one that could cause attackers to view nonpublic account information or control accounts, and another that reportedly allowed a researcher to look up details on 17 million accounts. In a Dec. 20 blog post, Twitter noted that it issued an…

Facebook sues surveillance tool provider and hosts of hacking websites

Facebook this week filed a lawsuit against a reputed spyware provider that allegedly exploited a WhatsApp vulnerability to enable smartphone hacking, and also pursued legal action against the domain hosts of multiple websites that allegedly offer tools for hacking the social network. On Tuesday, Facebook and its encrypted messaging subsidiary WhatsApp filed a complaint against…

Twitter users’ 2FA info found its way to advertisers

Twitter this week disclosed that it gave advertisers access to email addresses and phone numbers that users had supplied to the social media messaging platform, originally for two-factor authentication purposes. The company is asserting that this practice was inadvertent. In an online post, Twitter acknowledged that data intended for “safety or security purposes” went to…

Android apps with scores of downloads serve up annoying ads, unwanted subscriptions

Hundreds of millions of Android devices have potentially been compromised by malicious adware and ad fraud apps that on the surface appear to offer harmless services such as selfie filters, weather forecasts or VPN security, according to a trio of recently released research reports. Late last week, researchers at mobile security company Wandera reported finding…

Report: Scotiabank exposed source code and credentials on GitHub repositories

For months in some instances, Canadian banking giant Scotiabank reportedly stored highly sensitive digital property on a series of publicly open and accessible GitHub repositories, potentially exposing its internal source code, login credentials and access keys. The financial institution had the repositories “torn down” earlier this week after being alerted to the error, according to…

Many web apps are vulnerable to SQL injection attacks, according to Netsparker

Apps vulnerable to SQL injection by way of virtual assistant verbal commands

Malicious hackers can use verbal commands to perform SQL injections on web-based applications run by virtual assistants such as Amazon’s Alexa, researchers say. “Leveraging voice-command SQL injection techniques, hackers can give simple commands utilizing voice text translations to gain access to applications and breach sensitive account information,” reports Baltimore, Maryland-based Protego Labs, in a blog…

Instagram asks security researchers to check out ‘Checkout’ feature

Instagram is reportedly recruiting white-hat researchers to test the security of its new Checkout feature, which allows users to buy merchandise from select brands without ever having to leave the social media app. CNN this week reported that Facebook-owned Instagram is restricting the testing to only those individuals who have submitted high-quality research to its…

Flaw allows attackers to alter media files sent via WhatsApp, Telegram, say researchers

Researchers have reported a vulnerability in the Android versions of WhatsApp and Telegram that could allow malicious actors to manipulate media files sent via the apps. This “media file-jacking” flaw could allow attackers to alter photographs, modify invoices (to aid in a financial scam), swap out files in a particular channel feed, or potentially even…
