#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

Application Security | Breaking Cybersecurity News | The Hacker News

Hackers Can Use 'App Mode' in Chromium Browsers' for Stealth Phishing Attacks

Hackers Can Use 'App Mode' in Chromium Browsers' for Stealth Phishing Attacks
Oct 07, 2022
In what's a new phishing technique, it has been demonstrated that the Application Mode feature in Chromium-based web browsers can be abused to create "realistic desktop phishing applications." Application Mode is designed to offer native-like experiences in a manner that causes the website to be launched in a separate browser window, while also displaying the website's favicon and hiding the address bar. According to security researcher mr.d0x – who also devised the browser-in-the-browser ( BitB ) attack method earlier this year – a bad actor can leverage this behavior to resort to some HTML/CSS trickery and display a fake address bar on top of the window and fool users into giving up their credentials on rogue login forms. "Although this technique is meant more towards internal phishing, you can technically still use it in an external phishing scenario," mr.d0x  said . "You can deliver these fake applications independently as files." This is

Taking the Risk-Based Approach to Vulnerability Patching

Taking the Risk-Based Approach to Vulnerability Patching
Jul 27, 2022
Software vulnerabilities are a major threat to organizations today. The cost of these threats is significant, both financially and in terms of reputation. Vulnerability management and patching can easily get out of hand when the number of vulnerabilities in your organization is in the hundreds of thousands of vulnerabilities and tracked in inefficient ways, such as using Excel spreadsheets or multiple reports, especially when many teams are involved in the organization. Even when a process for patching is in place, organizations still struggle to effectively patch vulnerabilities in their assets. This is generally because teams look at the severity of vulnerabilities and tend to apply patches to vulnerabilities in the following severity order: critical > high > medium > low > info. The following sections explain why this approach is flawed and how it can be improved. Why is Patching Difficult? While it is well known that vulnerability patching is extremely important, it

The Continuing Threat of Unpatched Security Vulnerabilities

The Continuing Threat of Unpatched Security Vulnerabilities
Mar 08, 2022
Unpatched software is a computer code containing known security weaknesses. Unpatched vulnerabilities refer to weaknesses that allow attackers to leverage a known security bug that has not been patched by running malicious code. Software vendors write additions to the codes, known as "patches," when they come to know about these application vulnerabilities to secure these weaknesses. Adversaries often probe into your software, looking for unpatched systems and attacking them directly or indirectly. It is risky to run unpatched software. This is because attackers get the time to become aware of the  software's unpatched vulnerabilities  before a patch emerges. A  report  found that unpatched vulnerabilities are the most consistent and primary ransomware attack vectors. It was recorded that in 2021,  65  new vulnerabilities arose that were connected to ransomware. This was observed to be a twenty-nine percent growth compared to the number of vulnerabilities in 2020.  Gr

Latest Firefox 95 Includes RLBox Sandboxing to Protect Browser from Malicious Code

Latest Firefox 95 Includes RLBox Sandboxing to Protect Browser from Malicious Code
Dec 07, 2021
Mozilla is beginning to roll out Firefox 95 with a new sandboxing technology called RLBox that prevents untrusted code and other security vulnerabilities from causing "accidental defects as well as supply-chain attacks." Dubbed " RLBox " and implemented in collaboration with researchers at the University of California San Diego and the University of Texas, the improved protection mechanism is designed to harden the web browser against potential weaknesses in off-the-shelf libraries used to render audio, video, fonts, images, and other content. To that end, Mozilla is incorporating "fine-grained sandboxing" into five modules, including its  Graphite  font rendering engine,  Hunspell  spell checker,  Ogg  multimedia container format,  Expat  XML parser, and  Woff2  web font compression format. The framework uses  WebAssembly , an open standard that defines a portable binary-code format for executable programs that can be run on modern web browsers, to i

Our journey to API security at Raiffeisen Bank International

Our journey to API security at Raiffeisen Bank International
Nov 04, 2021
This article was written by Peter Gerdenitsch, Group CISO at Raiffeisen Bank International, and is based on a presentation given during Imvision's Executive Education Program, a series of events focused on how enterprises are taking charge of the API security lifecycle. Launching the "Security in Agile" program Headquartered in Vienna, Raiffeisen Bank International (RBI) operates across 14 countries in Central and Eastern Europe with around 45,000 employees. Our focus is on providing universal banking solutions to customers, as well as developing digital banking products for the retail and corporate markets. Accordingly, RBI has a substantial R&D division, making for a very large community of IT and engineering professionals all over Europe. Back in 2019, we began shifting to a product-led agile setup for RBI, introducing various security roles contributing and collaborating to achieve our strategic goals. As part of this journey, we established the security champ

[eBook] The Guide for Reducing SaaS Applications Risk for Lean IT Security Teams

[eBook] The Guide for Reducing SaaS Applications Risk for Lean IT Security Teams
Oct 13, 2021
The Software-as-a-service (SaaS) industry has gone from novelty to an integral part of today's business world in just a few years. While the benefits to most organizations are clear – more efficiency, greater productivity, and accessibility – the risks that the SaaS model poses are starting to become visible. It's not an overstatement to say that most companies today run on SaaS. This poses an increasing challenge to their security teams.  A new guide from XDR and SSPM provider Cynet, titled The Guide for Reducing SaaS Applications Risk for Lean IT Security Teams ( download here ), breaks down exactly why SaaS ecosystems are so risky, and how security teams can mitigate those dangers.  Today, the average midsize company uses 185 SaaS apps. What this means is that the number of app-to-person connections has risen exponentially. Most midsize companies have nearly 4,406 touch points, creating an attack surface that requires significant resources to simply monitor. The risk of a digital

Rethinking Application Security in the API-First Era

Rethinking Application Security in the API-First Era
Jul 01, 2021
Securing applications it the API-first era can be an uphill battle. As development accelerates, accountability becomes unclear, and getting controls to operate becomes a challenge in itself. It's time that we rethink our application security strategies to reflect new priorities, principles and processes in the API-first era. Securing tomorrow's applications begins with assessing the business risks today. The trends and risks shaping today's applications As the world continues to become more and more interconnected via devices — and the APIs that connect them — individuals are growing accustomed to the frictionless experience that they provide. While this frictionless reality is doubtlessly more user-friendly, i.e., faster and more convenient, it also requires a trade-off. This convenience demands openness, and openness is a risk when it comes to cybersecurity. According to  Sidney Gottesman , Mastercard's SVP for Security Innovation, the above situation leads to one

Importance of Application Security and Customer Data Protection to a Startup

Importance of Application Security and Customer Data Protection to a Startup
Jan 21, 2021
When you are a startup, there are umpteen things that demand your attention. You must give your hundred percent (probably even more!) to work effectively and efficiently with the limited resources. Understandably, the  application security importance  may be pushed at the bottom of your things-to-do list. One other reason to ignore web application protectioncould be your belief that only large enterprises are prone to data breaches, and your startup is hardly noticeable to become a target. Well, these eye-opening  statistics  prove otherwise. 43% of security attacks target small businesses New small businesses witnessed a 424% rise in security breaches in 2019 60% of small businesses close within six months of cyberattacks SMEs can lose more than $2.2 million a year to cyberattacks How Can Cyber Breaches Impact Your Startup? Unless you belong to the category of data security startups ,  which are thoroughly familiar with the importance of a secure web app, your startup can f

Critical RCE Flaw Affects F5 BIG-IP Application Security Servers

Critical RCE Flaw Affects F5 BIG-IP Application Security Servers
Jul 04, 2020
Cybersecurity researchers today issued a security advisory warning enterprises and governments across the globe to immediately patch a highly-critical remote code execution vulnerability affecting F5's BIG-IP networking devices running application security servers. The vulnerability, assigned CVE-2020-5902 and rated as critical with a CVSS score of 10 out of 10, could let remote attackers take complete control of the targeted systems, eventually gaining surveillance over the application data they manage. According to Mikhail Klyuchnikov, a security researcher at Positive Technologies who discovered the flaw and reported it to F5 Networks, the issue resides in a configuration utility called Traffic Management User Interface (TMUI) for BIG-IP application delivery controller (ADC). BIG-IP ADC is being used by large enterprises, data centers, and cloud computing environments, allowing them to implement application acceleration, load balancing, rate shaping, SSL offloading, an

Severe Flaw Disclosed In StackStorm DevOps Automation Software

Severe Flaw Disclosed In StackStorm DevOps Automation Software
Mar 11, 2019
A security researcher has discovered a severe vulnerability in the popular, open source event-driven platform StackStorm that could allow remote attackers to trick developers into unknowingly execute arbitrary commands on targeted services. StackStorm, aka "IFTTT for Ops," is a powerful event-driven automation tool for integration and automation across services and tools that allows developers to configure actions, workflows, and scheduled tasks, in order to perform some operations on large-scale servers. For example, you can set instructions (if this, then that) on Stackstorm platform to automatically upload network packet files to a cloud-based network analyze service, like CloudShark, in events when your security software detects an intrusion or malicious activity in the network. Since StackStorm executes actions—which can be anything, from the HTTP request to an arbitrary command—on remote servers or services that developers integrate for automated tasks, the pl

Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now

Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now
Apr 06, 2018
Security researchers have discovered three vulnerabilities in the Spring Development Framework, one of which is a critical remote code execution flaw that could allow remote attackers to execute arbitrary code against applications built with it. Spring Framework is a popular, lightweight and an open source framework for developing Java-based enterprise applications. In an advisory released today by Pivotal, the company detailed following three vulnerabilities discovered in Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions: Critical : Remote Code Execution with spring-messaging (CVE-2018-1270) High : Directory Traversal with Spring MVC on Windows (CVE-2018-1271) Low : Multipart Content Pollution with Spring Framework (CVE-2018-1272) Vulnerable Spring Framework versions expose STOMP clients over WebSocket endpoints with an in-memory STOMP broker through the 'spring-messaging' module, which could allow an attacker to send a mali

Hacker finds flaws that could let anyone steal $25 Billion from a Bank

Hacker finds flaws that could let anyone steal $25 Billion from a Bank
May 17, 2016
A security researcher could have stolen as much as $25 Billion from one of the India's biggest banks ‒ Thanks to the bank's vulnerable mobile application. Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code. Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits. While analyzing the mobile banking app, Prakash discovered that the app lacks Certificate Pinning , allowing any man-in-the-middle attacker to downgrade SSL connection and capture requests in plain text using fraudulently issued certificates. Also Read:  Best Password Manager — For

Is Telegram Really Secure? — 4 Major Privacy Issues Raised by Researcher

Is Telegram Really Secure? — 4 Major Privacy Issues Raised by Researcher
Nov 19, 2015
The terrorist groups are encouraging its followers to use Telegram to make their propaganda invisible from law enforcement, but some security experts believe that Telegram may not be as secure as jihadi advocates may like to believe. Telegram is an end-to-end encrypted messaging service that has been adopted by a lot more people than ISIS — as of last year, the company claimed more than 50 Million Telegram users sending 1 Billion messages per day. Terrorists love Telegram because it not only provides an encrypted Secret Chat feature that lets its users broadcast messages to unlimited subscribers but also offers self-destructing message allowing users to set their messages to self-destruct itself after a certain period. Is Telegram Really Secure? In a blog post published Wednesday, the security researcher known as " the Grugq " pointed out several issues with Telegram that might obstruct terrorists from using it.  Here's the list of issues with

Verizon FiOS app vulnerability Exposes 5 MILLION Customers' Email Addresses

Verizon FiOS app vulnerability Exposes 5 MILLION Customers' Email Addresses
Jan 19, 2015
A critical vulnerability discovered in Verizon 's FiOS mobile application allowed an attacker to access the email account of any Verizon customer with relative ease, leaving almost five million user accounts of Verizon's FiOS application at risk. The FiOS API flaw was discovered by XDA senior software developer Randy Westergren on January 14, 2015, when he found that it was possible to not only read the contents of other users' inboxes, but also send message on their behalf. The issue was discovered while analyzing traffic generated by the Android version of My FiOS , which is used for account management, email and scheduling video recordings. Westergren took time to put together a proof-of-concept showing serious cause for concern, and then reported it to Verizon. The telecom giant acknowledged the researcher of the notification the same day and issued a fix on Friday, just two days after the vulnerability was disclosed. That's precisely how it shou

Researcher Found TextSecure Messenger App Vulnerable to Unknown Key-Share Attack

Researcher Found TextSecure Messenger App Vulnerable to Unknown Key-Share Attack
Nov 03, 2014
Do you use  TextSecure Private Messenger  for your private conversations? If yes, then Are you sure you are actually using a Secure messaging app? TextSecure , an Android app developed by Open WhisperSystems , is completely open-source and claims to support end-to-end encryption of text messages. The app is free and designed by keeping privacy in mind. However, while conducting the first audit of the software, security researchers from Ruhr University Bochum found that the most popular mobile messaging app is open to an Unknown Key-Share attack . After Edward Snowden revealed state surveillance programs conducted by the National Security Agency, and meanwhile when Facebook acquired WhatsApp , TextSecure came into limelight and became one of the best alternatives for users who want a secure communication. " Since Facebook bought WhatsApp , instant messaging apps with security guarantees became more and more popular ," the team wrote in the paper titled,
More Resources

Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.