The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A critical vulnerability has been discovered in the most popular plugin of the WordPress content management platform (CMS) that puts tens of Millions of websites at risks of being hacked by the attackers. The vulnerability actually resides in most versions of a WordPress plugin known as ' WordPress SEO by Yoast ,' which has more than 14 Million downloads according to Yoast website, making it one of the most popular plugins of WordPress for easily optimizing websites for search engines i.e Search engine optimization (SEO). The vulnerability in WordPress SEO by Yoast has been discovered by Ryan Dewhurst , developer of the WordPress vulnerability scanner ' WPScan '. All the versions prior to 1.7.3.3 of 'WordPress SEO by Yoast' are vulnerable to Blind SQL Injection web application flaw, according to an advisory published today. SQL injection (SQLi) vulnerabilities are ranked as critical one because it could cause a database breach and lead to confidential information ...

Microsoft has come up with its most important Patch Tuesday for this year, addressing the recently disclosed critical the FREAK encryption-downgrade attack , and a separate five-year-old vulnerability leveraged by infamous Stuxnet malware to infect Windows operating system. Stuxnet malware , a sophisticated cyber-espionage malware allegedly developed by the US Intelligence and Israeli government together, was specially designed to sabotage the Iranian nuclear facilities a few years ago. First uncovered in 2010, Stuxnet targeted computers by exploiting vulnerabilities in Windows systems. Thankfully, Microsoft has issued a patch to protect its Windows machines that have been left vulnerable to Stuxnet and other similar attacks for the past five years. The fixes are included in MS15-020 which resolves Stuxnet issue. The company has also issued an update that patches the FREAK encryption vulnerability in its SSL/TSL implementation called Secure Channel (Schannel). The fix...

" Signup or Login with Facebook " ?? You might think twice before doing that next time. A security researcher has discovered a critical flaw that allows hackers take over Facebook accounts on websites that leverage ' Login with Facebook ' feature. The vulnerability doesn't grant hackers access to your actual Facebook password, but it does allow them to access your accounts using Facebook application developed by third-party websites such as Bit.ly , Mashable , Vimeo , About.me , Stumbleupon , Angel.co and possibly many more. FLAW EXPLOITS THREE CSRFs PROTECTION Egor Homakov , a researcher with pentesting company Sakurity, made the social network giant aware of the bug a year ago, but the company refused to fix the vulnerability because doing so would have ruined compatibility of Facebook with a vast number of websites over the Internet. The critical flaw abuses the lack of CSRF ( Cross-Site Request Forgery ) protection for three different proce...

Security researchers at the Central Intelligence Agency (CIA) have worked for almost a decade to target security keys used to encrypt data stored on Apple devices in order to break the system. Citing the top-secret documents obtained from NSA whistleblower Edward Snowden, The Intercept blog reported that among an attempt to crack encryption keys implanted into Apple's mobile processor, the researchers working for CIA had created a dummy version of Xcode . CIA's WEAPON TO HACK APPLE DEVICES Xcode is an Apple's application development tool used by the company to create the vast majority of iOS apps. However using the compromised development software, CIA, NSA or other spies agencies were potentially allowed to inject surveillance backdoor into programs distributed on Apple's App Store. In addition, the custom version of Xcode could also be used to spy on users, steal passwords, account information, intercept communications, and disable core security features of...

Security researchers have find out ways to hijack the Intel-compatible PCs running Linux by exploiting the physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips and gaining higher kernel privileges on the system. The technique, dubbed " rowhammer ", was outlined in a blog post published Monday by Google's Project Zero security initiative, a team of top security researchers dedicatedly identifies severe zero-day vulnerabilities in different software. Rowhammer is a problem with recent generation DRAM chips in which repeatedly accessing a row of memory can cause " bit flipping " in an adjacent row which could allow anyone to change the value of contents stored in computer memory. WHAT IS ROWHAMMER BUG DDR memory is arranged in an array of rows and columns, which are assigned to various services, applications and OS resources in large blocks. In order to prevent each application from access...

In this post-Snowden era of mass surveillance, being out-of-reach from the spying eyes really doesn't mean they can not get you. So, if you are concerned about your data privacy and are actually searching for a peer-to-peer encrypted messaging service, then it's time to get one. " Otr.to " — an open-source peer-to-peer browser-based messaging application that offers secure communication by making use of "Off-the-Record" (OTR) Messaging , a cryptographic protocol for encrypting instant messaging applications. OTR (Off-the-Record) is one of the most secure cryptographic protocol that offers strong encryption for real time communications i.e. Chatting and Messaging services. Off-the-Record simply means that there is nothing on the record, so nobody can prove that two parties had an Internet chat conversation or said anything specific. ORT.to uses WebRTC to exchange messages via decentralized peer-to-peer communication , which means chat logs bet...

Recently a mobile-security firm Bluebox claimed that the brand new Xiaomi Mi4 LTE comes pre-installed with spyware /adware and a " forked " vulnerable version of Android operating system on top of it, however, the company denies the claim. Xiaomi , which is also known as Apple of China, provides an affordable and in-budget smartphones with almost all features that an excellent smartphone provides. On 5th March, when Bluebox researchers claimed to have discovered some critical flaws in Mi4 LTE smartphone, Xiaomi issued a statement to The Hacker News claiming that " There are glaring inaccuracies in the Bluebox blog post " and that they are investigating the matter. RESEARCHERS GET TROLLED BY CHINESE SELLERS Now, Xiaomi responded to Bluebox Labs by preparing a lengthy denial to their claims and said the new Mi4 smartphone purchased by Bluebox team in China (known as the birthplace of fake smartphones) was not an original Xiaomi smartphone but a coun...

While WhatsApp is very reserved to its new calling feature, cyber scammers are targeting WhatsApp users across the world by circulating fake messages inviting users to activate the new ' WhatsApp calling feature for Android'  that infects their smartphones with malicious apps. If you receive an invitation message from any of your friend saying, "Hey, I'm inviting you to try WhatsApp Free Voice Calling feature, click here to activate now —> https://WhatsappCalling.com" ,  BEWARE! It is a Scam . The popular messaging app has begun rolling out its much-awaited Free Voice Calling feature — similar to other instant messaging apps like Skype and Viber — to Android users which allows users to make voice calls using Internet. However, for now, the free WhatsApp calling feature is invite-only and only appears to work for people running the latest version of WhatsApp app for Android on a Google Nexus 5 phone running the latest Android 5.0.1 Lollipop . H...

A critical vulnerability has been discovered in the Google Apps for Work that allows hackers to abuse any website's domain name based email addresses, which could then be used to send phishing emails on company's behalf in order to target users. If you wish to have an email address named on your brand that reads like admin@yourdomain.com instead of myemail@gmail.com , then you can register an account with Google Apps for Work. The Google Apps for Work service allows you to use Gmail, Drive storage, Calendar, online documents, video Hangouts, and other collaborative services with your team or organization. To get a custom domain name based email service from Google, one just need to sign up like a normal Gmail account. Once created, you can access your domain's admin console panel on Google app interface, but can not be able to use any service until you get your domain verified from Google. SENDING PHISHING MAILS FROM HIJACKED ACCOUNTS Cyber security researchers ...

Do you own a Facebook Business page? If yes, then you will notice a drop in the number of "likes" on your Facebook Page by next week, which could be quite disappointing but, Facebook believes, will help business to know their actual followers. FACEBOOK'S OFFICIAL MASS AUTO-UNLIKE The social network giant is giving its Pages a little spring cleaning, purging them of memorialized and voluntarily deactivated inactive Facebook accounts in an attempt to make its users data more meaningful for businesses and brands. Facebook purge will begin from March 12, Facebook said, and should continue over the next few weeks. " Over the coming weeks, Page admins should expect to see a small dip in their number of Page likes as a result of this update, " Facebook said in a blog post. " It's important to remember, though, that these removed likes represent people who were already inactive on Facebook. " FACEBOOK TO DETECT FAKE FOLLOWERS Facebook is ...

Once again the very popular and the world's third largest smartphone distributor Xiaomi , which had previously been criticized for secretly stealing users' information from the device without the user's permissions, has been found spreading malware . The top selling Android smartphone in China, Xiaomi Mi4 LTE , has been found to be shipped with pre-loaded spyware/adware and a "forked," or not certified, vulnerable version of Android operating system on top of that, according to a San Francisco-based mobile-security company, Bluebox. Xiaomi, which is also known as Apple of China, provides an affordable and in-budget smartphones with almost all features that an excellent smartphone provides. Just like other Xiaomi devices, Mi4 LTE smartphone seems to attract a large number of customers with more than 25,000 units sold out in just 15 seconds on India's online retailer Flipkart . Security Researcher Andrew Blaich of Bluebox firm revealed Thursday that the brand new ...

If you have recently installed or updated the popular BitTorrent client μTorrent 3.4.2 Build 28913 on your computer, then you read this warning post right now. Users of the μTorrent file-sharing service are complaining that the latest update of software used for torrent downloading is silently installing a piece of unwanted software called EpicScale , which is basically a Bitcoin mining software . Note: Story update has been added below. USER COMPLAINTS ON SILENT  INSTALLATION The Epic Scale , installed without the consent of users, is a cryptocurrency mining software that reportedly uses the combined computing power of users to generate Bitcoin income for BitTorrent company. The unwanted software slows down the host computers and is particularly harder to remove from the system. The Bitcoin mining software was recently highlighted at uTorrent's complaint forum where a member ' Groundrunner ' says: " There was no information about this during ins...