The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A security researcher has discovered a critical vulnerability in Facebook Messenger that could allow an attacker to read all your private conversation, affecting the privacy of around 1 Billion Messenger users. Ysrael Gurt, the security researcher at BugSec and Cynet, reported a cross-origin bypass-attack against Facebook Messenger which allows an attacker to access your private messages, photos as well as attachments sent on the Facebook chat. To exploit this vulnerability, all an attacker need is to trick a victim into visiting a malicious website; that's all. Once clicked, all private conversations by the victim, whether from a Facebook's mobile app or a web browser, would be accessible to the attacker, because the flaw affected both the web chat as well as the mobile application. Dubbed " Originull ," the vulnerability actually lies in the fact that Facebook chats are managed from a server located at {number}-edge-chat.facebook.com, which is separate from...

Those innocent-looking apps in your smartphone can secretly spy on your communications or could allow hackers to do so. Hard to believe, but it's true. Recently, Trustwave's SpiderLabs analysts discovered a hidden backdoor in Skype for Apple's macOS and Mac OS X operating systems that could be used to spy on users' communications without their knowledge. The backdoor actually resides in the desktop Application Programming Interface (API) that allows third-party plugins and apps to communicate with Microsoft-owned Skype — the popular video chat and messaging service. Appeared to have been around since at least 2010, the backdoor could allow any malicious third-party app to bypass authentication procedure and provide nearly complete access to Skype on Mac OS X. How an Attacker can Take Complete Control of Your Skype The malicious app could bypass authentication process if they "identified themselves as the program responsible for interfacing with th...

For the last Patch Tuesday for this year, Microsoft has released 12 security bulletins, half of which are rated 'critical' as they give attackers remote code execution capabilities on the affected computers. The security bulletins address vulnerabilities in Microsoft's Windows, Office, Internet Explorer and Edge. The first critical security bulletin, MS16-144 , patches a total of 8 security vulnerabilities in Internet Explorer, 3 of which had publicly been disclosed before Microsoft issued patches for them, though the company said they're not being exploited in the wild. The 3 publicly disclosed vulnerabilities include a Microsoft browser information disclosure vulnerability (CVE-2016-7282), a Microsoft browser security feature bypass bug (CVE-2016-7281) and a scripting engine memory corruption vulnerability (CVE-2016-7202) that allow remote code execution on the affected computer. The remaining 5 security flaws include a scripting engine memory corruption b...

Python supply chain attacks are surging in 2025. Join our webinar to learn how to secure your code, dependencies, and runtime with modern tools and strategies.

Here's some bad news for Android users again. Certain low-cost Android smartphones and tablets are shipped with malicious firmware, which covertly gathers data about the infected devices, displays advertisements on top of running applications and downloads unwanted APK files on the victim's devices. Security researchers from Russian antivirus vendor Dr.Web have discovered two types of downloader Trojans that have been incorporated in the firmware of a large number of popular Android devices operating on the MediaTek platform, which are mostly marketed in Russia. The Trojans, detected as Android.DownLoader.473.origin and Android.Sprovider.7 , are capable of collecting data about the infected devices, contacting their command-and-control servers, automatically updating themselves, covertly downloading and installing other apps based on the instructions it receives from their server, and running each time the device is restarted or turned on. The list of Android devic...

Since its launch over a month ago, new virtual currency Zcash (ZEC) has become a significant way for cybercrooks to make money by infecting computers with software mining program. Launched in late October, Zcash (ZEC) is a new cryptocurrency currency that claims to be more anonymous than Bitcoin, as the sender, recipient and value of transactions can be hidden. With this premise, Zcash attracted significant interest from academics, investors, miners, and cyber criminals. Within the first few hours of its launch, 1 ZEC reached $30,000, a relatively high value any cryptocurrency ever had. At the time of writing, 1 ZEC is worth 0.06 BTC or around $49. However, according to a blog post published on Monday by Kaspersky Lab, cyber criminals have already started deploying malware that installs on and infects the computers of unsuspecting users and then uses their resources to mine Zcash for the hacker's profit. You Might have Zcash Mining Malware on Your PC! The actual s...