The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A Google developer helps Apple to fixed a security flaw in its application store that for years has allowed attackers to steal passwords and install unwanted or extremely expensive applications. Security loophole allowed attacker to hijack the connection, because Apple neglected to use encryption when an iPhone or other mobile device tries to connect to the App Store. Researcher Elie Bursztein revealed on his blog that he had alerted Apple of numerous security issues last July but that Apple had only turned on HTTPS for the App Store last week. An attacker only needs to be on the same network as the person who is using the App Store. From there, they can intercept the communications between the device and the App Store and insert their own commands. The malicious user could take advantage of the unsecure connection to carry out a number of different attacks i.e steal a password, force someone to purchase an app by swapping it with a different app that the buyer actually intende...

Google Drive is the new home for Google Docs , that users can access everywhere for Storing files safely. In a recent demonstration hacker successfully performed an attack on Google Docs to trick users to grab their Facebook, Gmail, Yahoo credentials with Credit Card Information. Security researcher Christy Philip Mathew came up with combination of  Clickjacking and CSRF vulnerabilities in Google's Docs that can allow a hacker to create a document in victim's Drive for further phishing attack. For those who are not aware about Clickjacking, It is a technique where an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe. He explain how this technique can be executed to pwn a Google user to steal victim's all type of credentials with a phishing attack. Here attacker need to send a Malicious URL to the victim, where victim needs to interact with some buttons only. Vulnera...

Using a new attack on most popular Android phones platform, a team of researchers in Germany managed to grab stored cryptographic keys if the device is frozen state for an hour. The method which able to bypasses Google's data scrambling encryption system introduced in Android 4.0 Ice Cream Sandwich to reveal the phone's hidden data, when leaving Android phones in a freezer until they fell below -10 degrees Celsius, which revealed previously scrambled data, including contact lists, browsing histories, and photos. The team developed software called FROST , Forensic Recovery of Scrambled Telephones, which lets them copy data from the phone for analysis on a computer. Abstract   explains ," We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are general...

While phishing and ransomware dominate headlines, another critical risk quietly persists across most enterprises: exposed Git repositories leaking sensitive data. A risk that silently creates shadow access into core systems Git is the backbone of modern software development, hosting millions of repositories and serving thousands of organizations worldwide. Yet, amid the daily hustle of shipping code, developers may inadvertently leave behind API keys, tokens, or passwords in configuration files and code files, effectively handing attackers the keys to the kingdom. This isn't just about poor hygiene; it's a systemic and growing supply chain risk. As cyber threats become more sophisticated, so do compliance requirements. Security frameworks like NIS2, SOC2, and ISO 27001 now demand proof that software delivery pipelines are hardened and third-party risk is controlled. The message is clear: securing your Git repositories is no longer optional, it's essential. Below, we look at the ris...

Another phishing campaign come in action recently targeting Facebook accounts and company pages with millions of followers. Phishers continue to devise new fake apps for the purpose of harvesting confidential information. Not a new method, but very creative phishing example in Facebook hacking scene, where hacker host a phishing page on Facebook app sub domain itself. Designed very similar to Facebook Security team with title ' Facebook Page Verification ' and using Facebook Security Logo as shown in the screenshot posted above. Phishing app URL: https://apps.facebook.com/verify-pages/ Application hosted on:   https://talksms.co.uk/ The phishing page asking users to enter Page URL and Page Name that victim own and his Facebook login email ID with password. Once victim trapped in hacker web, the phisher records your information. Another interesting fact is that, the phishing domain https://talksms.co.uk/ is a HTTPS site with with verifi...

As the popularity of Android has boomed, more and more malware is targeting the platform. Digital miscreants are using fraudulent developer accounts on Google's Play marketplace to spread malware. According to latest  Mobile Threat report from F-Secure , Android malware continued to gain in share in 2012 and was responsible for 79 percent of all threats for the year, up from 66 percent in 2011, but Google developer responded with," F-Secure can say that anything is malware ". F-secure report said, In the fourth quarter alone, 96 new families and variants of Android threats were discovered, which almost doubles the number recorded in the previous quarter.  According to official Google figures, there are over 700,000 apps and games in the Play marketplace and malware on Android jumped 850 percent between 2012 and this year. Whereas an Google Android developer reply to TechCrunch technology generalist ," They say they detected...