website security | Breaking Cybersecurity News | The Hacker News

After enabling ' Site Isolation ' security feature in Chrome for desktops last year, Google has now finally introduced 'the extra line of defence' for Android smartphone users surfing the Internet over the Chrome web browser. In brief, Site Isolation is a security feature that adds an additional boundary between websites by ensuring that pages from different sites end up in different sandboxed processes in the browser. Since each site in the browser gets its own isolated process, in case of a browser flaw or Spectre like side-channel vulnerability, the feature makes it harder for attackers or malicious websites to access or steal cross-site data of your accounts on other websites. Site Isolation helps protect many types of sensitive data, including authentication cookies, stored passwords, network data, stored permissions, as well as cross-origin messaging that help sites securely pass messages across domains. The feature gained attention in January 2018,

The United States Department of Justice said today that they had arrested hundreds of criminals in a global crackdown after taking down the largest known child porn site on the dark web and tracing payments made in bitcoins. With an international coalition of law enforcement agencies, federal officials have arrested the administrator of the child sexual abuse site, 23-year-old Jong Woo Son of South Korea, along with 337 suspects who have been charged for allegedly using the site. The site in question is "Welcome to Video," which operated from June 2015 until March 2018 and hosted over 250,000 sexual exploitation videos of children, toddlers, and infants, which comprised of roughly over 8TB of data. According to a press release published by DoJ, the Welcome to Video site hosted more than 250,000 unique videos, and almost 45 percent of the videos contain new images that have not been previously known to exist. The operation also resulted in the rescue of at least 23

The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

A cybersecurity researcher recently published details and proof-of-concept for an unpatched zero-day vulnerability in phpMyAdmin—one of the most popular applications for managing the MySQL and MariaDB databases. phpMyAdmin is a free and open source administration tool for MySQL and MariaDB that's widely used to manage the database for websites created with WordPress, Joomla, and many other content management platforms. Discovered by security researcher and pentester Manuel Garcia Cardenas , the vulnerability claims to be a cross-site request forgery (CSRF) flaw, also known as XSRF, a well-known attack wherein attackers trick authenticated users into executing an unwanted action. Identified as CVE-2019-12922 , the flaw has been given a medium rating because of its limited scope that only allows an attacker to delete any server configured in the setup page of a phpMyAdmin panel on a victim's server. To be noted, it's not something you should not be much worried abo

XKCD —one of the most popular webcomic platforms known for its geeky tech humor and other science-laden comic strips on romance, sarcasm, math, and language—has suffered a data breach exposing data of its forum users. The security breach occurred two months ago, according to security researcher Troy Hunt who alerted the company of the incident, with unknown hackers stealing around 562,000 usernames, email and IP addresses, as well as hashed passwords. However, the leaked data was actually discovered by security researcher and data analyst Adam Davies, who shared a copy of it with Hunt. At the time of writing, XKCD has taken down its forum and posted a short notice on its homepage, as shared below, urging its users to change their passwords immediately. "The xkcd forums are currently offline. We've been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashe

Cybersecurity researchers have discovered over 80 Magecart compromised e-commerce websites that were actively sending credit card information of online shoppers to the attackers-controlled servers. Operating their businesses in the United States, Canada, Europe, Latin America, and Asia, many of these compromised websites are reputable brands in the motorsports industry and high fashion, researchers at Aite Group and Arxan Technologies revealed today in a report shared with The Hacker News. In a world that's growing increasingly digital, Magecart attacks have emerged as a key cybersecurity threat to e-commerce websites. Magecart is an umbrella term given to different cybercriminal groups that are specialized in secretly implanting online credit card skimmers on compromised e-commerce websites with an intent to steal payment card details of their customers. These virtual credit card skimmers, also known as formjacking attack , are basically JavaScript code that hackers

In a move to protect its users based in Kazakhstan from government surveillance, Google, Apple and Mozilla finally today came forward and blocked Kazakhstan's government-issued root CA certificate within their respective web browsing software. Starting today, Chrome, Safari and Firefox users in Kazakhstan will see an error message stating that the " Qaznet Trust Network " certificate should not be trusted when attempting to access a website that responds with the government-issued certificate. As The Hacker News reported last month , all major Kazakh Internet Service Providers (ISPs) are forcing their customers into installing a government-issued root certificate on their devices in order to regain access to their Internet services. The root certificate in question, labeled as " trusted certificate " or "national security certificate," if installed, allows ISPs to intercept, monitor, and decrypt users' encrypted HTTPS and TLS connections,

If you're using Chrome on Android, you can now sign-in to your Google account and some of the other Google services by simply using your fingerprint, instead of typing in your password every time. Google is rolling out a new feature, called " local user verification ," that allows you to log in to both native applications and web services by registering your fingerprint or any other method you've set up to unlock your Android device, including pins, pattern or password. The newly introduced mechanism, which has also been named "verify it's you," takes advantage of Android's built-in FIDO2 certified security key feature that Google rolled out earlier this year to all devices running Android version 7.0 Nougat or later. Besides FIDO2 protocol, the feature also relies on W3C WebAuthn (Web Authentication API) and FIDO Client to Authenticator Protocol (CTAP), which are designed to provide simpler and more secure authentication mechanism that sit

If your e-commerce website runs on the OXID eShop platform , you need to update it immediately to prevent your site from becoming compromised. Cybersecurity researchers have discovered a pair of critical vulnerabilities in OXID eShop e-commerce software that could allow unauthenticated attackers to take full control over vulnerable eCommerce websites remotely in less than a few seconds. OXID eShop is one of the leading German e-commerce shop software solutions whose enterprise edition is being used by industry leaders including Mercedes, BitBurger, and Edeka. Security researchers at RIPS Technologies GmbH shared their latest findings with The Hacker News, detailing about two critical security vulnerabilities that affect recent versions of Enterprise, Professional, and Community Editions of OXID eShop software. It should be noted that absolutely no interaction between the attacker and the victim is necessary to execute both vulnerabilities, and the flaws work against the def

If you use Slack, a popular cloud-based team collaboration server, and recently received an email from the company about a security incident, don't panic and read this article before taking any action. Slack has been sending a "password reset" notification email to all those users who had not yet changed passwords for their Slack accounts since 2015 when the company suffered a massive data breach. For those unaware, in 2015, hackers unauthorisedly gained access to one of the company's databases that stored user profile information, including their usernames, email addresses, and hashed passwords. At that time, attackers also secretly inserted code, probably on the login page, which allowed them to capture plaintext passwords entered by some Slack users during that time. However, immediately following the security incident, the company automatically reset passwords for those small number of Slack users whose plaintext passwords were exposed, but asked other aff

In every organization, there is a person who's directly accountable for cybersecurity. The name of the role varies per the organization's size and maturity – CISO, CIO, and Director of IT are just a few common examples – but the responsibility is similar in all places. They're the person who understands the risk and exposure, knows how prepared the team and most important – what the gaps are and how they can be best addressed. Apart from actually securing the organization – and losing some sleep over it – this individual has another equally important task: to communicate the security risk, needs, and status to the company's management. After all, the level of security rises in direct proportion to the amount of invested resources, and management people are the ones who decide and allocate them. Since management people are not typically cybersecurity savvy, engaging them can be challenging – one must find the balance between high-level explanations, a direct c

Except for phishing and scams, downloading an HTML attachment and opening it locally on your browser was never considered as a severe threat until a security researcher today demonstrated a technique that could allow attackers to steal files stored on a victim's computer. Barak Tawily, an application security researcher, shared his findings with The Hacker News, wherein he successfully developed a new proof-of-concept attack against the latest version of Firefox by leveraging a 17-year-old known issue in the browser. The attack takes advantage of the way Firefox implements Same Origin Policy (SOP) for the "file://" scheme URI (Uniform Resource Identifiers), which allows any file in a folder on a system to get access to files in the same folder and subfolders. Since the Same Origin Policy for the file scheme has not been defined clearly in the RFC by IETF, every browser and software have implemented it differently—some treating all files in a folder as the same

Note: We have updated this story to reflect new information after Stack Overflow changed its original announcement and shared more details on the security incident. Stack Overflow, one of the largest question and answer site for programmers, revealed today that unknown hackers managed to exploit a bug in its development tier and then almost a week after they gained unauthorized access to its production version. Founded by Jeff Atwood and Joel Spolsky in 2008, Stack Overflow is the flagship site of the Stack Exchange Network. With 10 million registered users and over 50 million unique visitors every month, Stack Overflow is very popular among professional and enthusiast programmers. In an older version of the announcement published by Mary Ferguson, VP of Engineering at Stack Overflow, the company confirmed the breach but said it did not find any evidence that hackers accessed customers' accounts or any user data. However, the updated announcement now says that after

A team of security researchers at Microsoft discovered a potentially serious vulnerability in the Bluetooth-supported version of Google's Titan Security Keys that could not be patched with a software update. However, users do not need to worry as Google has announced to offer a free replacement for the affected Titan Security Key dongles. In a security advisory published Wednesday, Google said a "misconfiguration in the Titan Security Keys Bluetooth pairing protocols" could allow an attacker who is physically close to your Security Key (~within 30 feet) to communicate with it or the device to which your key is paired. Launched by Google in August last year, Titan Security Key is a tiny low-cost USB device that offers hardware-based two-factor authentication (2FA) for online accounts with the highest level of protection against phishing attacks. Titan Security Key, which sells for $50 in the Google Store, includes two keys—a USB-A security key with NFC, and a

If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store. A WordPress security company—called " Plugin Vulnerabilities "—that recently gone rogue in order to protest against moderators of the WordPress's official support forum has once again dropped details  and proof-of-concept exploit for a critical flaw in a widely-used WordPress plugin. To be clear, the reported unpatched vulnerability doesn't reside in the WordPress core or WooCommerce plugin itself. Instead, the vulnerability exists in a plugin , called WooCommerce Checkout Manager , that extends the functionality of WooCommerce by allowing eCommerce sites to customize forms on their checkout pages and is currently being used by more than 60,000 websites. The vulnerability in question is an "arbitrary file upload" issue that can be exploi

Hackers have been found exploiting a pair of critical security vulnerabilities in one of the popular social media sharing plugins to take control over WordPress websites that are still running a vulnerable version of the plugin. The vulnerable plugin in question is Social Warfare which is a popular and widely deployed WordPress plugin with more than 900,000 downloads. It is used to add social share buttons to a WordPress website or blog. Late last month, maintainers of Social Warfare for WordPress released an updated version 3.5.3 of their plugin to patch two security vulnerabilities—stored cross-site scripting (XSS) and remote code execution (RCE)—both tracked by a single identifier, i.e., CVE-2019-9978 . Hackers can exploit these vulnerabilities to run arbitrary PHP code and take complete control over websites and servers without authentication, and then use the compromised sites to perform digital coin mining or host malicious exploit code. However, the same day when Soc

Drupal, the popular open-source content management system, has released security updates to address multiple "moderately critical" vulnerabilities in Drupal Core that could allow remote attackers to compromise the security of hundreds of thousands of websites. According to the advisories published today by the Drupal developers, all security vulnerabilities Drupal patched this month reside in third-party libraries that are included in Drupal 8.6, Drupal 8.5 or earlier and Drupal 7. One of the security flaws is a cross-site scripting (XSS) vulnerability that resides in a third-party plugin, called JQuery, the most popular JavaScript library that is being used by millions of websites and also comes pre-integrated in Drupal Core. Last week, JQuery released its latest version jQuery 3.4.0 to patch the reported vulnerability, which has not yet assigned a CVE number, that affects all prior versions of the library to that date. "jQuery 3.4.0 includes a fix for som

An unprotected database belonging to JustDial , India's largest local search service, is leaking personally identifiable information of its every customer in real-time who accessed the service via its website, mobile app, or even by calling on its fancy "88888 88888" customer care number, The Hacker News has learned and independently verified. Founded over two decades ago, JustDial (JD) is the oldest and leading local search engine in India that allows users to find relevant nearby providers and vendors of various products and services quickly while helping businesses listed in JD to market their offerings. Rajshekhar Rajaharia , an independent security researcher, yesterday contacted The Hacker News and shared details of how an unprotected, publicly accessible API endpoint of JustDial's database can be accessed by anyone to view profile information of over 100 million users associated with their mobile numbers. The leaked data includes JustDial users' na

If your online e-commerce business is running over the Magento platform, you must pay attention to this information. Magento yesterday released new versions of its content management software to address a total of 37 newly-discovered security vulnerabilities. Owned by Adobe since mid-2018, Magento is one of the most popular content management system (CMS) platform that powers 28% of websites across the Internet with more than 250,000 merchants using the open source e-commerce platform. Though most of the reported issues could only be exploited by authenticated users, one of the most severe flaws in Magento is an SQL Injection vulnerability which can be exploited by unauthenticated, remote attackers. The flaw, which does not have a CVE ID but internally labeled "PRODSECBUG-2198," could allow remote hackers to steal sensitive information from the databases of vulnerable e-commerce websites, including admin sessions or password hashes that could grant hackers access

Cybersecurity researchers today disclosed details of two newly identified Magecart attacks targeting online shoppers of bedding retailers MyPillow and Amerisleep . Magecart is an umbrella term researchers gave to at least 11 different hacking groups that are specialized in implanting malware code on e-commerce websites with an intent to steal payment card details of their customers silently. Magecart made headlines last year after attackers conducted several high-profile cyber attacks against major international companies including British Airways , Ticketmaster , and Newegg . Magecart hackers use a digital payment card skimmer, a few lines of malicious Javascript code they insert into the checkout page of hacked websites and designed to captured payment information of customers in real time and then send it to a remote attacker-controlled server. Earlier this year, Magecart attackers also compromised nearly 277 e-commerce websites in a supply-chain attack by inserting its