The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Google was in the news last week for a misleading claim that "with Location History off, the places you go are no longer stored," which is not true. Now, the search engine giant is once again in the news after a San Diego man has filed the first lawsuit against Google over this issue. Last week, the Associated Press investigation revealed that the search engine giant tracks movements of millions of iPhone and Android device users, even if they have disabled the "Location History" setting to prevent it. However, it turned out that to fully opt-out of having your location activities stored by Google, you also have to disable the 'Web and App Activity' control as well, about which the company has mentioned deep into its product documentation. In response to the AP investigation, Google defended itself by saying, "there are a number of different ways that Google may use location to improve people's experience," and that "we provide c...

Microsoft claims to have uncovered another new Russian hacking attempts targeting United States' Senate and conservative think tanks ahead of the 2018 midterm elections. The tech giant said Tuesday that the APT28 hacking group—also known as Strontium, Fancy Bear , Sofacy, Sednit, and Pawn Storm, which is believed to be tied to the Russian government—created at least six fake websites related to US Senate and conservative organizations to trick its visitors and hack into their computers. Three fake web domains were intended to look as if they belonged to the U.S. Senate, while one non-political website spoofed Microsoft's own online products. The two other phony websites were designed to mimic two U.S. conservative organizations: The Hudson Institute — a conservative Washington think tank hosting extended discussions on topics including cybersecurity, among other important activities. The International Republican Institute (IRI) — a nonprofit group that promotes ...

Well, there's something quite embarrassing for Apple fans. Though Apple servers are widely believed to be unhackable, a 16-year-old high school student proved that nothing is impossible. The teenager from Melbourne, Australia, managed to break into Apple servers and downloaded some 90GB of secure files, including extremely secure authorized keys used to grant login access to users, as well as access multiple user accounts. The teen told the authorities that he hacked Apple because he was a huge fan of the company and "dreamed of" working for the technology giant. What's more embarrassing? The teen, whose name is being withheld as he's still a minor, hacked the company's servers not once, but numerous times over the course of more than a year, and Apple's system administrators failed to stop their users' data from being stolen. When Apple finally noticed the intrusion, the company contacted the FBI, which took the help of the Australian Fede...

Sam Thomas, a security researcher from Secarma, has discovered a new exploitation technique that could make it easier for hackers to trigger critical deserialization vulnerabilities in PHP programming language using previously low-risk considered functions. The new technique leaves hundreds of thousands of web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and Typo3. PHP unserialization or object injection vulnerabilities were initially documented in 2009, which could allow an attacker to perform different kinds of attacks by supplying malicious inputs to the unserialize() PHP function. If you are unaware, serialization is the process of converting data objects into a plain string, and unserialize function help program recreate an object back from a string. Thomas found that an attacker can use low-risk functions against Phar archives to trigger deserialization attack without requiring...

With the release of Chrome 68, Google prominently marks all non-HTTPS websites as 'Not Secure' on its browser to make the web a more secure place for Internet users. If you haven't yet, there is another significant reason to immediately switch to the latest version of the Chrome web browser. Ron Masas, a security researcher from Imperva, has discovered a vulnerability in web browsers that could allow attackers to find everything other web platforms, like Facebook and Google, knows about you—and all they need is just trick you into visiting a website. The vulnerability, identified as CVE-2018-6177 , takes advantage of a weakness in audio/video HTML tags and affects all web browsers powered by "Blink Engine," including Google Chrome. To illustrate the attack scenario, the researcher took an example of Facebook, a popular social media platform that collects in-depth profiling information on its users, including their age, gender, where you have been (loca...