
browser exploit | Breaking Cybersecurity News | The Hacker News

1-Click iPhone and Android Exploits Target Tibetan Users via WhatsApp

Sep 24, 2019
A team of Canadian cybersecurity researchers has uncovered a sophisticated and targeted mobile hacking campaign that is targeting high-profile members of various Tibetan groups with one-click exploits for iOS and Android devices. Dubbed Poison Carp by University of Toronto's Citizen Lab, the hacking group behind this campaign sent tailored malicious web links to its targets over WhatsApp, which, when opened, exploited web browser and privilege escalation vulnerabilities to install spyware on iOS and Android devices stealthily. "Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas," the researchers say. What's more? The researchers said they found "technical overlaps" of Poison Carp with two recently discovered campaigns against the Uyghur community in China—the iPhone hacking campaign

Google Enables 'Site Isolation' Feature By Default For Chrome Desktop Users

Jul 12, 2018
Google has enabled by default a security feature called "Site Isolation" in its web browser with the release of Chrome 67 for all desktop users, to help protect them against many online threats, including Spectre and Meltdown attacks. Site Isolation is a feature of the Google Chrome web browser that adds an additional security boundary between websites by ensuring that different sites are always put into separate processes, isolated from each other. Since each site in the browser gets its own sandboxed process, the feature makes it harder for untrusted websites to access or steal information from your accounts on other websites. In January this year, when Google Project Zero researchers disclosed details of the Spectre and Meltdown CPU vulnerabilities, the tech giant recommended that Chrome desktop users manually turn on the Site Isolation feature on their devices to mitigate speculative side-channel attacks. "Even if a Spectre attack were to occur in a malicious web page,

Code Keepers: Mastering Non-Human Identity Management

Apr 12, 2024 | DevSecOps / Identity Management
Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge: Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

'Web Of Trust' Browser Add-On Caught Selling Users' Data — Uninstall It Now

Nov 08, 2016
Browser extensions have become a standard part of the most popular browsers and an essential part of our lives for surfing the Internet. But not all extensions can be trusted. One such innocent-looking browser add-on has been caught collecting the browsing history of millions of users and selling it to third parties for making money. An investigation by German television channel NDR (Norddeutscher Rundfunk) has discovered a series of privacy breaches by Web Of Trust (WOT) – one of the top privacy and security browser extensions used by more than 140 Million online users to help keep them safe online. Web of Trust has been offering a "Safe Web Search & Browsing" service since 2007. The WOT browser extension, which is available for both Firefox and Chrome, uses crowdsourcing to rate websites based on trustworthiness and child safety. However, it turns out that the Web of Trust service collects extensive data about netizens' web browsing habits via its brows


Microsoft Releases 9 Security Updates to Patch 34 Vulnerabilities

Aug 10, 2016
In Brief: Microsoft's August Patch Tuesday offers nine security bulletins with five rated critical, resolving 34 security vulnerabilities in Internet Explorer (IE), Edge, and Office, as well as some serious high-profile security issues with Windows. A security bulletin, MS16-102, patches a single vulnerability (CVE-2016-3319) that could allow an attacker to control your computer just by getting you to view specially-crafted PDF content in your web browser. Users of Microsoft Edge on Windows 10 systems are at a significant risk for remote code execution (RCE) attacks through a malicious PDF file. Web Page with PDF Can Hack Your Windows Computer: Since Edge automatically renders PDF content when the browser is set as a default browser, this vulnerability only affects Windows 10 users with Microsoft Edge set as the default browser, as the exploit would execute simply by viewing a PDF online. Web browsers for all other affected operating systems do not automatically

NSA using Browser Cookies to track Tor Users

Oct 05, 2013
Yesterday a new classified NSA document, titled 'Tor Stinks', was leaked by Edward Snowden, in which ideas were being kicked around for identifying Tor users or degrading the user experience to dissuade people from using the Tor browser. The NSA had a very hard time while tracking down all Tor users and monitoring their traffic, especially since Tor servers are all over the world, but they make tracking easier by adopting the following techniques:
- By running their own hostile Tor nodes
- Using a zero-day vulnerability of the Firefox browser
- By tracking users' browser cookies
Tor access node tracking is not new, and the document says that both the NSA and GCHQ run Tor nodes themselves. In order to trace traffic back to a particular Tor user, the NSA needs to know the 'entry, relay and exit' nodes in the anonymizer cloud between the user and the destination website. So for tracking purposes they used self-hosted nodes, which are able to trace a very small number of To

BREACH decodes HTTPS encrypted data in 30 seconds

Aug 03, 2013
A new hacking technique dubbed BREACH can extract login tokens, session ID numbers and other sensitive information from SSL/TLS encrypted web traffic in just 30 seconds. The technique was demonstrated at the Black Hat security conference in Las Vegas (Presentation PDF & Paper) by Gluck along with researchers Neal Harris and Angelo Prado, and allows hackers to decode encrypted data that online banks and e-commerce sites send over an HTTPS channel. BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) is very targeted and does not decrypt the entire channel. BREACH manipulates data compression to pry out doses of information from HTTPS protected data, including email addresses, security tokens, and other plain text strings. Angelo Prado told The Hacker News, "We are using a compression oracle is leveraging the building blocks from CRIME, on a different compression c

Firefox 21 Launches with 3 critical fixes and new Social Integrations

May 15, 2013
Mozilla has launched Firefox 21 for Mac, Windows, and Linux, adding a number of improvements, namely to the browser's Social API. "Today, we are adding multiple new social providers Cliqz, Mixi and msnNOW to Firefox," wrote Mozilla in a blog post today. The browser first added Facebook integration back in December, and the inclusion of these services goes a long way towards making social integration an even larger part of the services offered. The Do Not Track feature has been part of Firefox for some time now. You can enable it to add information to each connection request to tell sites about your tracking preference. Along with adding more social integration, the release also closed up security holes in the browser rated as high in severity, including two in the Mozilla Maintenance Service, although only one of them left the browser open to potential remote exploits. Fixed in Firefox 21: MFSA 2013-48 Memory corruption found using Address Sanitize

Java enabled browsers are highly vulnerable

Mar 27, 2013
Oracle has released emergency patches for Java multiple times in recent months, for one set of vulnerabilities after another. About 100 million computers are reported to be vulnerable to unauthorized access via different flaws in Java software. The Department of Homeland Security's US-CERT already warned users to disable Java permanently to stop hackers from taking control of users' machines. Security experts advised, 'The best defense we have right now for these kinds of attacks is to disable Java in the browser forever'. According to Websense experts, most browser installations use outdated versions of the Java plug-in that are vulnerable to at least one of several exploits used in popular web attack toolkits. Exploit kits are a very common tool for distribution of many Java-based threats. To detect the vulnerable Java versions that are installed on systems, Websense experts used their technology via 'threat intelligence network', which monitors bi

HTML5 browser exploit can flood your Hard Drive with junk data

Mar 04, 2013
Feross Aboukhadijeh, a 22-year-old Web developer from Stanford, has discovered that an HTML5 browser exploit can flood your hard drive with Cat and Dogs, i.e. junk data. Many times a website needs to leave a little data, i.e. 5-10 KB, on your computer, like a cookie, but HTML5 allows sites to store larger amounts of data (like 5-10 MB). In a proof-of-concept he was able to fill up 1 GB of HDD space every 16 seconds. He created FillDisk.com in order to demonstrate the exploit in HTML5. Once a user visits the website, the Web Storage standard allows the website to place large amounts of data on your drive. Please note that it's not a hack and this exploit won't allow attackers to access your computer. However, Web browsers have the ability to limit just how much space websites can dump onto your hard drive. Firefox's implementation of HTML5 local storage is not vulnerable to this exploit, whereas Chrome, Safari (iOS and desktop), and IE are vulnerable to this. You can fin