The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Do you know that any app you have installed on your Android phone can monitor the network activities—even without asking for any sensitive permission—to detect when other apps on your phone are connecting to the Internet? Obviously, they cant see the content of the network traffic, but can easily find to which server you are connecting to, all without your knowledge. Knowing what apps you often use, which could be a competing or a financial app, "shady" or "malicious" app can abuse this information in various ways to breach your privacy. But it seems like Google has planned to address this serious privacy issue with the release of its next flagship mobile operating system. With Android P, any app will no longer be able to detect when other apps on your Android device are connecting to the Internet, according to the new code changes in Android Open Source Project (AOSP) first noticed by XDA Developers. "A new commit has appeared in the Android Open S...

A team of security researchers has reportedly discovered a total of eight new " Spectre-class " vulnerabilities in Intel CPUs, which also affect at least a small number of ARM processors and may impact AMD processor architecture as well. Dubbed Spectre-Next Generation , or Spectre-NG , the partial details of the vulnerabilities were first leaked to journalists at German computer magazine Heise, which claims that Intel has classified four of the new vulnerabilities as "high risk" and remaining four as "medium." The new CPU flaws reportedly originate from the same design issue that caused the original Spectre flaw , but the report claims one of the newly discovered flaws allows attackers with access to a virtual machine (VM) to easily target the host system, making it potentially more threatening than the original Spectre vulnerability. "Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret k...

For the very first time, security researchers have discovered an effective way to exploit a four-year-old hacking technique called Rowhammer to hijack an Android phone remotely. Dubbed GLitch , the proof-of-concept technique is a new addition to the Rowhammer attack series which leverages embedded graphics processing units (GPUs) to carry out a Rowhammer attack against Android smartphones. Rowhammer is a problem with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row, allowing anyone to change the value of contents stored in computer memory. Known since at least 2012, the issue was first exploited by Google's Project Zero researchers in early 2015, when they pulled off remote Rowhammer attacks on computers running Windows and Linux. Last year, a team of researchers in the VUSec Lab at Vrije Universiteit Amsterdam demonstrated that the Rowhammer technique could ...

Python supply chain attacks are surging in 2025. Join our webinar to learn how to secure your code, dependencies, and runtime with modern tools and strategies.

Twitter is urging all of its 330 million users to change their passwords after a software glitch unintentionally exposed its users' passwords by storing them in readable text on its internal computer system. The social media network disclosed the issue in an official blog post and a series of tweets from Twitter Support. According to Twitter CTO Parag Agrawal, Twitter hashes passwords using a popular function known as bcrypt, which replaces an actual password with a random set of numbers and letters and then stored it in its systems. This allows the company to validate users' credentials without revealing their actual passwords, while also masking them in a way that not even Twitter employees can see them. However, a software bug resulted in passwords being written to an internal log before completing the hashing process—meaning that the passwords were left exposed on the company's internal system. Parag said Twitter had found and resolved the problem itsel...

Happy 'World Password Day'! Today is a good time for you to audit your password practices and stop using terrible passwords to protect your online accounts. Experts advice that: Your password must—be long Your password must—be unpredictable Your password must—have at least one number Your password must—not have any dictionary word Your password must—have upper and lowercase letters Your password must—have at least one special character Your password must—be unique and different for every site OK, got it. But who the hell can remember such complex passwords and that too for every [redacted] different site? But don't worry. If you are sick of having to remember dozens of different passwords for dozens of various websites, a great solution is to use a good password manager . Password Manager can significantly reduce the pain to remember every password, along with eliminating for your bad habit of setting a weak password and re-using that same password ever...

Just a few days prior to its monthly patch release, Microsoft released an emergency patch for a critical vulnerability in the Windows Host Compute Service Shim (hcsshim) library that could allow remote attackers to run malicious code on Windows computers. Windows Host Compute Service Shim (hcsshim) is an open source library that helps "Docker for Windows" execute Windows Server containers using a low-level container management API in Hyper-V. Discovered by Swiss developer and security researcher Michael Hanselmann , the critical vulnerability (tracked as CVE-2018-8115) is the result of the failure of the hcsshim library to properly validate input when importing a Docker container image. This, in turn, allows an attacker to remotely execute arbitrary code on the Windows host operating system, eventually letting the attacker create, remove, and replace files on the target host. As Hanselmann explained  in his personal blog, "Importing a Docker container image or...

Facebook announced a whole lot of new features at its 2018 Facebook F8 developers conference, including Dating on Facebook, letting users clear their web browsing history, real-time language translation within Messenger, and many more. Besides announcing exciting features for its social media platform, Facebook CEO Mark Zuckerberg also gave us a quick look at the features Facebook introduced for companies that it owns, like WhatsApp and Instagram. During Facebook's F8 conference on Tuesday, Zuckerberg announced a long-awaited feature for WhatsApp— Group Video Calling . Yes, you heard that right. WhatsApp would soon be adding a group video calling feature to the popular end-to-end messaging app, making it possible for its over billion users to have face-to-face conversations with multiple people at once. Although there are not many details about the WhatsApp group video calling feature at this moment, it is clear that WhatsApp will now allow four people to have one-on-one...

Facebook announced a whole lot of new features at its 2018 Facebook F8 developers conference, along with the keynote by its CEO Mark Zuckerberg addressing concerns from app developers after Facebook paused 3rd-party app review in the wake of the Cambridge Analytica scandal. Here are some big takeaways from Zuckerberg's keynote on Day 1 of Facebook F8, held for two days, May 1 and 2, at the McEnery Convention Center in San Jose, California: FaceDate—Facebook's New Tinder-Like 'Dating' Feature Still Single? Don't worry because Facebook doesn't want you to remain single for long. The social network giant is introducing a new dating feature that will allow you to build your profile that will only be visible to other Facebook users (non-friends) who have also opted into looking for love. Dubbed FaceDate, the new feature will match your profile based on all its data with others to find potential suitors and messaging will happen in a dedicated inbox rat...

If you receive a link for a video, even if it looks exciting, sent by someone (or your friend) on Facebook messenger—just don't click on it without taking a second thought. Cybersecurity researchers from Trend Micro are warning users of a malicious Chrome extension which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts' credentials. Dubbed FacexWorm , the attack technique used by the malicious extension first emerged in August last year, but researchers noticed the malware re-packed a few new malicious capabilities earlier this month. New capabilities include stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners on the web page for mining cryptocurrency, and redirecting victims to the attacker's referral link for cryptocurrency-related referral programs. It is not the first malware to abuse Facebook Messenger...

Remember a young hacker who hacked jail systems in an attempt to release his prison inmate early? Well, that hacker will now be joining his inmate behind bars. Konrads Voits of Ypsilanti, Michigan, has been sentenced to seven years and three months in prison for attempting to hack the Washtenaw County Jail computer system and modifying prison records to get his friend released early. Besides spending 87 months in prison, Voits has also been ordered to pay $235,488 in fine to Washtenaw County for the cost accrued in investigating and cleaning up the infiltration that resulted in the compromise of personal information of around 1,600 employees, the US Justice Department announced last week. Between January 24th, 2017 and March 10th, 2017, Voits successfully tricked IT staff at Washtenaw County Jail into visiting a phony website at "ewashtenavv.org," which mimics the official URL, "ewashtenaw.org." The malicious website then installed malware on the IT ...

Earlier this month, Oracle patched a highly critical Java deserialization remote code execution vulnerability in its WebLogic Server component of Fusion Middleware that could allow attackers to easily gain complete control of a vulnerable server. However, a security researcher, who operates through the Twitter handle @pyn3rd and claims to be part of the Alibaba security team, has now found a way using which attackers can bypass the security patch and exploit the WebLogic vulnerability once again. WebLogic Server acts as a middle layer between the front end user interface and the backend database of a multi-tier enterprise application. It provides a complete set of services for all components and handles details of the application behavior automatically. Initially discovered in November last year by Liao Xinxi of NSFOCUS security team, the Oracle WebLogic Server flaw (CVE-2018-2628) can be exploited with network access over TCP port 7001. If exploited successfully, the fl...

"Alexa, are you spying on me?" — aaaa.....mmmm.....hmmm.....maybe!!! Security researchers have developed a new malicious 'skill' for Amazon's popular voice assistant Alexa that can turn your Amazon Echo into a full-fledged spying device. Amazon Echo is an always-listening voice-activated smart home speaker that allows you to get things done by using your voice, like playing music, setting alarms, and answering questions. However, the device doesn't remain activated all the time; instead, it sleeps until the user says, "Alexa," and by default, it ends a session after some duration. Amazon also allows developers to build custom 'skills,' applications for Alexa, which is the brain behind millions of voice-activated smart devices including Amazon Echo Show, Echo Dot, and Amazon Tap. However, security researchers at cybersecurity firm Checkmarx created a proof-of-concept voice-driven 'skill' for Alexa that forces device to indefin...