The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Have you recently bought a OnePlus 6? Don't leave your phone unattended. A serious vulnerability has been discovered in the OnePlus 6 bootloader that makes it possible for someone to boot arbitrary or modified images to take full admin control of your phone—even if the bootloader is locked. A bootloader is part of the phone's built-in firmware and locking it down stops users from replacing or modifying the phone's operating system with any uncertified third-party ROMs, ensuring the system boots into the right operating system. Discovered by security researcher Jason Donenfeld of Edge Security , the bootloader on OnePlus 6 is not entirely locked, allowing anyone to flash any modified boot image on to the handset and take full control of your phone. In a video demonstration, Donenfeld showed how it is possible for an attacker with physical access to OnePlus 6 to boot any malicious image using the ADB tool's fastboot command, giving the attacker complete control ove...

In its years-long efforts to censor the Internet by blocking access to a large number of websites in the country, Russia has now approved a new bill introducing fines for search engines that provide links to banned sites, VPN services , and anonymization tools . VPNs, or Virtual Private Networks , are third-party services that help users access block banned websites by encrypting users' Internet traffic and routing it through a distant connection, hiding their location data and access sites that are usually restricted or censored by a specific country. According to the amendments to the Code of Administrative Offenses of the Russian Federation, besides introducing fines for providing links to banned resources, the lower house of Russian parliament, the State Duma, will also impose fines on search engines if they fail to stop issuing links to resources providing up-to-date database of blocked domains upon users request. According to the bill, individuals who break the law ...

Facebook admits as many as 14 millions of its users who thought they're sharing content privately with only friends may have inadvertently shared their posts with everyone because of a software bug. Facebook said in front of Congress in March over the Cambridge Analytica scandal that "every piece of content that you share on Facebook you own, you have complete control over who sees it and how you share it," but the news came out to be another failure of the company to keep the information of millions of users private. Facebook typically allows users to select the audiences who can see their posts, and that privacy setting remains the default until the user itself manually updates it. However, the social media giant revealed Thursday that it recently found a bug that automatically updated the default audience setting for 14 million users' Facebook posts to "Public," even if they had intended to share them just with their friends, or a smaller group...

If you have already uninstalled Flash player, well done! But if you haven't, here's another great reason for ditching it. Adobe has released a security patch update for a critical vulnerability in its Flash Player software that is actively being exploited in the wild by hackers in targeted attacks against Windows users. Independently discovered last week by several security firms—including ICEBRG ,  Qihoo 360  and Tencent—the Adobe Flash player zero-day attacks have primarily been targeting users in the Middle East using a specially crafted Excel spreadsheet. "The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers," Qihoo 360 published vulnerability analysis in a blog post. The stack-based buffer overflow vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions on ...

Marcus Hutchins , the British malware analyst who helped stop global Wannacry menace , is now facing four new charges related to malware he allegedly created and promoted it online to steal financial information. Hutchins, the 24-year-old better known as MalwareTech, was arrested by the FBI last year as he was headed home to England from the DefCon conference in Las Vegas for his alleged role in creating and distributing Kronos between 2014 and 2015. Kronos is a Banking Trojan designed to steal banking credentials and personal information from victims' computers, which was sold for $7,000 on Russian online forums, and the FBI accused Hutchins of writing and promoting it online, including via YouTube. Hutchins pleaded not guilty at a court hearing in August 2017 in Milwaukee and release on $30,000 bail. However, earlier this week, a revised superseding indictment [ PDF ] was filed with the Wisconsin Eastern District Court, under which Hutchins faces four new charges alo...