Web Security | SC Media

Web Security

Magecart attack on e-commerce service impacts Sesame Street store and many more

Magecart hackers found out how to get to Sesame Street’s online store – and in all likelihood thousands more merchants – by initially compromising e-commerce and shopping cart service provider Volusion to deliver the credit card-skimming code. Israel-based security researcher Marcel Afrahim, who for his day job works as a research developer at Check Point…

Google launches Password Checkup security tool

Google has added a new feature to its password manager that will study a person’s passwords and then inform them on its strength and whether it has been compromised. Password Checkup will not only check a user’s personal choices, but also make personalized recommendations, wrote Andreas Tuerk, product manager for Password Manager. The three primary…

Browser-hijacking Ghostcat malware haunts online publishers

The cat came back the very next day… and it keeps coming back. A malvertising operation designed to infect online publishers with browser-hijacking malware called Ghostcat-3PC has launched at least 18 separate infection campaigns in the last three months alone, according to a new report from the Digital Security & Operations (DSO) team at The…

Attacker breaches Comodo forums by exploiting vBulletin flaw

More than 170,000 users of online forums operated by cybersecurity company Comodo Group reportedly had their data stolen by a malicious actor who exploited a recently disclosed vulnerability in vBulletin’s internet forum software. The Clifton, N.J.-based Comodo learned of the attack on September 29, and responded by taking its forums offline and applying patches, the…

PHP update fixes arbitrary code execution flaw, 9 other bugs

The Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC) on Friday issued a security advisory urging developers to upgrade to the latest version of PHP in order to patch an arbitrary code execution vulnerability that was found in the programming language. “PHP is prone to a heap-based buffer overflow vulnerability because the…

WordPress Rich Review plugin vulnerable to malvertising

An estimated 16,000 WordPress websites are running a plugin that is vulnerable to unauthenticated plugin option updates. WordFence, a WordPress security solution provider, has reported that the plugin Rich Reviews has a vulnerability that is currently being abused and can be exploited to deliver stored cross-site scripting (XSS) payloads. This can result in malvertisements being…

VBulletin

Reports: Actively exploited zero-day found in vBulletin forum software

The vBulletin internet forum software package reportedly contains a critical zero-day remote code execution vulnerability that attackers have been actively exploiting, possibly as far back as three years ago. Multiple news organizations are reporting that a researcher studying the well-known forum software published a pre-auth RCE exploit for the bug on vBulletin’s Full Disclosure security mailing…

IE, Firefox, Chrome and Safari's protection against phishing was tested.

Microsoft patches flaws in IE, Defender

Microsoft Corp. yesterday issued out-of-band updates for a pair of security vulnerabilities, one in Internet Explorer and one in its Defender anti-malware software for Windows. Discovered by Clément Lecigne of Google’s Threat Analysis Group and designated CVE-2019-1367, the IE bug is a memory corruption vulnerability that can be exploited for remote code execution in the…

Eight cities’ payment records impacted in Click2Gov portal breach

For the second time since 2017, the third-party government bill-payment portal Click2Gov has experienced a significant data breach affecting thousands of individuals in multiple cities across the U.S. Government entities use the Click2Gov portal to accept payments for permits, licenses, fines and utilities. Discovered by fraud intelligence experts at Gemini Advisory, this latest attack compromised…

Chrome security issues addressed with Stable channel update

Google updated its Chrome Stable channel to version 77.0.3865.90 for Windows, Mac, and Linux to implement four security fixes, one rated critical and three high. The critical CVE-2019-13685 covers a use-after-free in UI issue; CVE-2019-13688 (high) deals with a use-after-free in media; CVE-2019-13687 (high) a use-after-free in media and CVE-2019-13686 (high) a use-after-free in offline…

Next post in Vulnerabilities