#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

social networking | Breaking Cybersecurity News | The Hacker News

Getting off the Attack Surface Hamster Wheel: Identity Can Help

Getting off the Attack Surface Hamster Wheel: Identity Can Help

Jan 10, 2024 Attack Surface / Cybersecurity
IT professionals have developed a sophisticated understanding of the enterprise attack surface – what it is, how to quantify it and how to manage it.  The process is simple: begin by thoroughly assessing the attack surface, encompassing the entire IT environment. Identify all potential entry and exit points where unauthorized access could occur. Strengthen these vulnerable points using available market tools and expertise to achieve the desired cybersecurity posture.  While conceptually straightforward, this is an incredibly tedious task that consumes the working hours of CISOs and their organizations. Both the enumeration and the fortification pose challenges: large organizations use a vast array of technologies, such as server and endpoint platforms, network devices, and business apps. Reinforcing each of these components becomes a frustrating exercise in integration with access control, logging, patching, monitoring, and more, creating a seemingly endless list of tasks.  However
Google+ to Shut Down Early After New API Flaw Hits 52.5 Million Users

Google+ to Shut Down Early After New API Flaw Hits 52.5 Million Users

Dec 10, 2018
Google today revealed that Google+ has suffered another massive data breach, forcing the tech giant to shut down its struggling social network four months earlier than its actual scheduled date, i.e., in April 2019 instead of August 2019. Google said it discovered another critical security vulnerability in one of Google+'s People APIs that could have allowed developers to steal private information on 52.5 million users, including their name, email address, occupation, and age. The vulnerable API in question is called "People: get" that has been designed to let developers request basic information associated with a user profile. However, software update in November introduced the bug in the Google+ People API that allowed apps to view users' information even if a user profile was set to not-public. Google engineers discovered the security issue during standard testing procedures and addressed it within a week of the issue being introduced. The company said
Why SaaS Security is Suddenly Hot: Racing to Defend and Comply

Why SaaS Security is Suddenly Hot: Racing to Defend and Comply

Jun 13, 2024SaaS Security / Shadow IT
Recent supply chain cyber-attacks are prompting cyber security regulations in the financial sector to tighten compliance requirements, and other industries are expected to follow. Many companies still don't have efficient methods to manage related time-sensitive SaaS security and compliance tasks. Free SaaS risk assessment tools are an easy and practical way to bring visibility and initial control to SaaS sprawl and Shadow AI. These tools now offer incremental upgrades , helping security professionals meet their company budget or maturity level.  Regulatory pressure, SaaS and AI proliferation, and increased risk of breaches or data leaks through 3rd party apps, make SaaS security one of the hottest areas for practitioners to learn and adopt. New regulations will require robust third-party SaaS risk lifecycle management that begins with SaaS service discovery and third-party risk management (TPRM) and ends with the requirement from CISOs to report incidents in their supply chain
Facebook Employees can Access your Account without Password

Facebook Employees can Access your Account without Password

Feb 28, 2015
Do you know that your Facebook account can be accessed by Facebook engineers and that too without entering your account credentials? Recent details provided by the social network giant show who can access your Facebook account and when. No doubt, Facebook and other big tech companies including Google, Apple and Yahoo! are trying to keep their data out of reach from law enforcement and spies agencies by adopting encrypted communication and end-to-end encryption solutions in near future, but right now they have access to your personal data, and at least few of their employees can access it with one click. Earlier this week, director at the record label Anjunabeats, Paavo Siljamäki , brought attention to this issue by posting a very interesting story on his Facebook wall. During his visit to Facebook office in LA, a Facebook engineer logged into his Facebook account after his permission, but the strange part — they did it without asking him for the password. ACCESS WITHOUT
cyber security

Start With a Free Risk Assessment to Find, Fix, and Fly Through SaaS Security

websiteWing SecuritySaaS Security / Shadow IT
In just minutes, uncover and take action against hidden SaaS threats with Wing's advanced SSPM solution.
'Facebook To Begin Charging Users $2.99 / Month' — Totally BULLSHIT!

'Facebook To Begin Charging Users $2.99 / Month' — Totally BULLSHIT!

Sep 23, 2014
Facebook going to charge users per month?? Nobody expected such a news story this week, but it seems that Facebook will No longer be a Free Service, according to reports claimed by the National Report , " Facebook To Begin Charging Users $2.99/mo Starting November 1st ", which turns out fake. Thank God !! This new report is circulating via social media which claims that the social networking giant will begin charging charging $2.99 (€2.33) per month for each user starting November 1, 2014 in an effort to fight against the rising costs the company is facing. Of course, the claims are simply untrue. Facebook has not announced any such plans to begin charging its users a monthly fee for access to the regular site services that has more than 1.3 billion monthly users. NICELY FRAMED HOAX The report comes via the 'satirical' fake-news website , which is a complete Hoax, just like many similar ' Facebook to start charging ' hoaxes before it. But Wh
Popular Photo Sharing Website Likes.com Vulnerable To Multiple Critical Flaws

Popular Photo Sharing Website Likes.com Vulnerable To Multiple Critical Flaws

Sep 07, 2014
Likes.com, one of the emerging social networking site and popular image browsing platform, is found vulnerable to several critical vulnerabilities that could allow an attacker to completely delete users' account in just one click. Likes.com is a social networking website that helps you to connect with people you like and make new friends for free. Just like any other social place, users can always follow their favorite tag or people who catch their fancy. It is much easier to use and is designed for those who want to look at pictures different people upload. An independent security researcher Mohamed M. Fouad from Egypt has found a series of critical security vulnerabilities in the Likes website that really pose danger to its users. The vulnerabilities he found not only have capability to add any post, comment to users' account as well as delete users' account, but the vulnerabilities can be escalated to deface entire website by posting malicious URLs and delete all use
LinkedIn Boosts Security With New Session Alert and Privacy Control Tools

LinkedIn Boosts Security With New Session Alert and Privacy Control Tools

Sep 04, 2014
With a need to give more controls in users' hands, LinkedIn has introduced a few new security features that the company says will help users of the social network for professionals keep their accounts and data more secure. SESSION ALERTS Just like Google, Facebook, Yahoo and other online services, LinkedIn has added a new option within the settings tab that allows users to see where and on what devices they are logged into their account. From there, users can sign out of various sessions with one click. This will include details about the users' current sessions, the browser name, operating system, carrier and IP address, which is used to give an approximate location of the device through which the session is occurring. Just like the Facebook feature, LinkedIn lets people to approve the devices to be used, and if somebody accesses a user's LinkedIn account from an unapproved device it will alert user. PASSWORD ALERTS LinkedIn has also introduced its password c
Facebook's Internet.Org App Offers Free Internet in Zambia

Facebook's Internet.Org App Offers Free Internet in Zambia

Jul 31, 2014
Earlier this month, the founder of the Social Networking giant highlighted the future of universal Internet access, the dream that Facebook founder Mark Zuckerberg wants to fulfil, in an effort to make Internet access available to everyone across the world just like a service as essential as of 911 in the case of an emergency. Dream comes true! Facebook Inc. (FB) in partnership with Bharti Airtel Ltd. (BHARTI) of India today launches its first Android and web application with free data access to a wide range of services, according to Guy Rosen, a product management director at Facebook. This new offering from Facebook is launching in Zambia before coming to other developing countries eventually, and provided through a mobile application known as Internet.org , named after a project developed by the world's biggest social networking site to expand Internet access to the developing world. "Right now, only 15% of people in Zambia have access to the internet, Zuckerberg s
Foursquare vulnerability that exposes 45 million users' email addresses

Foursquare vulnerability that exposes 45 million users' email addresses

Jan 28, 2014
A location based Social Networking platform with 45 million users,' Foursquare ' was vulnerable to the primary email address disclosed.  Foursquare is a Smartphone application that gives you details of nearby cafes, bars, shops, parks using GPS location and also tells about your friends nearby. According to a Penetration tester and hacker ' Jamal Eddin e ',  an attacker can extract email addresses of all 45 million users just by using a few lines of scripting tool. Basically the flaw exists in the Invitation system of the Foursquare app. While testing the app, he found that invitation received on the recipient's end actually disclosing the sender's email address, as shown above. Invitation URL:  https://foursquare.com/mehdi?action=acceptFriendship&expires=1378920415&src=wtbfe& uid = 64761059 &sig=mmlx96RwGrQ2fJAg4OWZhAWnDvc%3D Where 'uid' parameter represents the sender's profile ID.  Hacker noticed th
23-Year-old Russian Hacker confessed to be original author of BlackPOS Malware

23-Year-old Russian Hacker confessed to be original author of BlackPOS Malware

Jan 21, 2014
In the previous reports of Cyber Intelligence firm ' IntelCrawler ' named Sergey Tarasov , a 17-year-old teenager behind the nickname " ree[4] ", as the developer of BlackPOS malware. BlackPOS also known as "reedum" or 'Kaptoxa' is an effective crimeware kit, used in the massive heist of possibly 110 million consumers' Credit-Debit cards, and personal information from the TARGET . Later Researchers's investigation revealed that the original coder of BlackPOS Malware was actually a 23-year-old young hacker named Rinat Shabayev and the teen, Sergey Taraspov is the incharge for the technical support department. In an interview with Russian channel ' LifeNews ', Rinat Shabayev admitted that he had developed the BlackPOS crimeware kit. He clarified that the program developed by him was not meant for any kind of data theft, instead the program was written for the security testing. He developed the malware with the he
More details about alleged 17-year-old Russian BlackPOS Malware Author released

More details about alleged 17-year-old Russian BlackPOS Malware Author released

Jan 20, 2014
Security experts at IntelCrawler provided a new interesting update on BlackPOS malware author , that he forgot to delete his Social networking profile even after the last exposure from the investigators. As we have reported a few days before that the Intelligence firm IntelCrawler  has identified a 17 year old teenager, known as " Ree [4] " in the underground market, as the author of the BlackPOS /Kaptoxa malware used in the attack against Target and Neiman Marcus retailers. The teenager is not directly responsible for the Target attack, but he sold the BlackPOS to other Cyber Gangs, including the admin's of underground credit cards market places, " . rescator ", " Track2 . name ", " Privateservices.biz " and many others were his clients. Who is Ree [ 4]? IntelCrawler exposed REE [ 4]'s original profile as Sergey Taraspov,  a 17 year old Russian programmer, based in St . Petersburg and Nizhniy Novgorod (Russian Federation). Before both brea
Facebook Open URL Redirection vulnerability

Facebook Open URL Redirection vulnerability

Nov 16, 2013
Security Researcher Dan Melamed discovered an Open URL redirection vulnerability in Facebook that allowed him to have a facebook.com link redirect to any website without restrictions. An open URL Redirection flaw is generally used to convince a user to click on a trusted link which is specially crafted to take them to an arbitrary website, the target website could be used to serve a malware or for a phishing attack . An Open URL Redirection url flaw in Facebook platform and third party applications also exposes the user's access token at risk if that link is entered as the final destination in an Oauth dialog . The Facebook Open URL Redirection vulnerability exists at landing.php  page with " url " parameter, i.e. https://facebook.com/campaign/landing.php?url=https://yahoo.com This URL will always redirects user to the Facebook 's homepage, but it is sufficient to manipulate the "url" parameter assigning a random string: https://facebo
Microsoft's Social network Yammer vulnerable to OAuth Bypass hack

Microsoft's Social network Yammer vulnerable to OAuth Bypass hack

Aug 04, 2013
Yammer , is the Enterprise Social Network service that was launched in 2008 and sold to Microsoft in 2012. Yammer is a secure, private social network for your company. Yammer is used for private communication within organizations or between organizational members and pre-designated groups, making it an example of enterprise social software. Ateeq Khan,  Pakistani researcher from The Vulnerability Laboratory Research  team has discovered multiple critical Vulnerabilities in the Microsoft Yammer Social Network. An  OAuth bypass session token web vulnerability is detected in the official Microsoft Yammer Social Network online-service application. OAuth is an emerging authorization standard that is being adopted by a growing number of sites such as Twitter, Facebook, Google, Yahoo!, Netflix, Flickr, and several other Resource Providers and social networking sites. According to the advisory , The vulnerability allows remote attackers to bypass the token protecti
Vulnerability allows Hacking Facebook account and password reset within a minute

Vulnerability allows Hacking Facebook account and password reset within a minute

Jul 15, 2013
Security expert Dan Melamed discovered a critical vulnerability in Facebook platform that allow an attacker to take complete control over any account. The vulnerability is considered critical because it would allow a hacker to hack potentially any Facebook account. Dan Melamed presented the discovery on his blog . Dan demonstrated that how a hacker can reset the victim's account password just by tricking him to visit a malicious exploit code. The flaw affects the Facebook " claim email address " component. When an user tries to add an email address already registered to Facebook platform, he has the option to " claim it ". The loophole exists here, when user claim an email address, Facebook did not check from whom the request came from. This allows an email to be claimed on any Facebook account. The exploit is possible provided that: An existing account having the email address that the attacker wants to claim. Another existing account to initiate the claim p
Iran’s Intelligence Minister Admits to Hacking Opposition Emails

Iran's Intelligence Minister Admits to Hacking Opposition Emails

Dec 28, 2011
Iran's Intelligence Minister, Heydar Moslehi, has publicly admitted to hacking the emails of opposition members. Iranian news agencies, including ILNA, quoted Moslehi stating that emails were the primary communication tool for opposition members during last year's postelection protests. The Intelligence Ministry was able to break into these emails and defeat "the enemy." "One of the officials, in his speech, carelessly announced that we have access to the emails. Within 24 hours, they coded and password-protected their emails," Moslehi said. "Of course, we in the Intelligence Ministry broke those passwords within 48 hours." Moslehi mentioned that emails were exchanged between "foreigners and their elements inside Iran." Speaking at a December 25 conference on the achievements of Iranian expatriates at Tehran's Shahid Beheshti University, he said Iran controlled "many dimensions" of the postelection protests by monitoring email. He accused the United States of
Expert Insights
Cybersecurity Resources