Vulnerabilities | SC Media

Vulnerabilities

Instagram fixed after researcher finds way to link account info to PII

Facebook has repaired a vulnerability in its Instagram social media platform, after a researcher found that it could be exploited to link users’ phone numbers to their account numbers, usernames and actual names. With the help of a brute-force algorithm and a network of bots, malicious actors could have leveraged the flaw to bypass data security…

Flaws in Imperial, Dabman web radios could lead to full compromise

Researchers have disclosed a pair of vulnerabilities in multiple Imperial and Dabman-branded web radios that could allow malicious actors to remotely compromise the IoT devices. Telestar Digital GmbH, the company that manufactures the web radios, has patched both problems, according to a security advisory yesterday from Vulnerability Lab, whose researchers made the discovery. Several reports…

Apps vulnerable to SQL injection by way of virtual assistant verbal commands

Malicious hackers can use verbal commands to perform SQL injections on web-based applications run by virtual assistants such as Amazon’s Alexa, researchers say. “Leveraging voice-command SQL injection techniques, hackers can give simple commands utilizing voice text translations to gain access to applications and breach sensitive account information,” reports Baltimore, Maryland-based Protego Labs, in a blog…

Metasploit Project publishes exploit for BlueKeep bug

Coders late last week publicly released a working exploit for the dangerous BlueKeep bug that was found and patched earlier this year in Microsoft’s Remote Desktop Protocol implementation. Designated as CVE-2019-0708, BlueKeep is a remote Windows kernel use-after-free vulnerability that could be used to create wormable attacks similar to the WannaCry ransomware incident of May…

WordPress update fixes assortment of XSS flaws

The developers of WordPress last week issued a short-cycle maintenance release for their content management system software, introducing 29 fixes and improvements. The new version, 5.2.3, remedies six issues that can enable cross-site scripting (XSS) attacks. These include XSS flaws found in post previews, stored comments and shortcode previews, and another XSS vulnerability that results…

Vulnerability round-up: Mozilla, Cisco and Samba issue security updates

The Mozilla Foundation, Cisco Systems and the Samba development team yesterday all issued security updates for their respective products, fixing a multitude of software vulnerabilities. Mozilla released updates for Firefox 69, as well as Firefox Extended Support Release (ESR) versions 68.1 and 60.9, in the process patching 20 flaws among them. The only critical-severity bug…

Supermicro fixes BMC software flaws that expose servers to virtual USB attacks

High-tech manufacturer Supermicro this week issued an update for its baseboard management controller (BMC) software, after researchers found a series of vulnerabilities that remote attackers could exploit to mount USB devices to affected servers over any network connection, including the internet. The bugs affect Supermicro’s X9, X10, X11, H11 and H12 servers, and are found…

Instagram asks security researchers to check out ‘Checkout’ feature

Instagram is reportedly recruiting white-hat researchers to test the security of its new Checkout feature, which allows users to buy merchandise from select brands without ever having to leave the social media app. CNN this week reported that Facebook-owned Instagram is restricting the testing to only those individuals who have submitted high-quality research to its…

iOS 12.4 update reintroduced old bug, enabling jailbreak for current devices

Apple’s latest iOS update reportedly undid a patch that was introduced in the previous release, a mistake that allowed a security researcher to publish a jailbreak for the most up-to-date version of the operating system. The unpatched vulnerability is CVE-2019-8605, an arbitrary code execution bug caused by a use-after-free condition. Working in tandem with Google…