The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A security researcher has discovered a critical vulnerability in Facebook Messenger that could allow an attacker to read all your private conversation, affecting the privacy of around 1 Billion Messenger users. Ysrael Gurt, the security researcher at BugSec and Cynet, reported a cross-origin bypass-attack against Facebook Messenger which allows an attacker to access your private messages, photos as well as attachments sent on the Facebook chat. To exploit this vulnerability, all an attacker need is to trick a victim into visiting a malicious website; that's all. Once clicked, all private conversations by the victim, whether from a Facebook's mobile app or a web browser, would be accessible to the attacker, because the flaw affected both the web chat as well as the mobile application. Dubbed " Originull ," the vulnerability actually lies in the fact that Facebook chats are managed from a server located at {number}-edge-chat.facebook.com, which is separate from...

Those innocent-looking apps in your smartphone can secretly spy on your communications or could allow hackers to do so. Hard to believe, but it's true. Recently, Trustwave's SpiderLabs analysts discovered a hidden backdoor in Skype for Apple's macOS and Mac OS X operating systems that could be used to spy on users' communications without their knowledge. The backdoor actually resides in the desktop Application Programming Interface (API) that allows third-party plugins and apps to communicate with Microsoft-owned Skype — the popular video chat and messaging service. Appeared to have been around since at least 2010, the backdoor could allow any malicious third-party app to bypass authentication procedure and provide nearly complete access to Skype on Mac OS X. How an Attacker can Take Complete Control of Your Skype The malicious app could bypass authentication process if they "identified themselves as the program responsible for interfacing with th...

For the last Patch Tuesday for this year, Microsoft has released 12 security bulletins, half of which are rated 'critical' as they give attackers remote code execution capabilities on the affected computers. The security bulletins address vulnerabilities in Microsoft's Windows, Office, Internet Explorer and Edge. The first critical security bulletin, MS16-144 , patches a total of 8 security vulnerabilities in Internet Explorer, 3 of which had publicly been disclosed before Microsoft issued patches for them, though the company said they're not being exploited in the wild. The 3 publicly disclosed vulnerabilities include a Microsoft browser information disclosure vulnerability (CVE-2016-7282), a Microsoft browser security feature bypass bug (CVE-2016-7281) and a scripting engine memory corruption vulnerability (CVE-2016-7202) that allow remote code execution on the affected computer. The remaining 5 security flaws include a scripting engine memory corruption b...

Here's some bad news for Android users again. Certain low-cost Android smartphones and tablets are shipped with malicious firmware, which covertly gathers data about the infected devices, displays advertisements on top of running applications and downloads unwanted APK files on the victim's devices. Security researchers from Russian antivirus vendor Dr.Web have discovered two types of downloader Trojans that have been incorporated in the firmware of a large number of popular Android devices operating on the MediaTek platform, which are mostly marketed in Russia. The Trojans, detected as Android.DownLoader.473.origin and Android.Sprovider.7 , are capable of collecting data about the infected devices, contacting their command-and-control servers, automatically updating themselves, covertly downloading and installing other apps based on the instructions it receives from their server, and running each time the device is restarted or turned on. The list of Android devic...

Since its launch over a month ago, new virtual currency Zcash (ZEC) has become a significant way for cybercrooks to make money by infecting computers with software mining program. Launched in late October, Zcash (ZEC) is a new cryptocurrency currency that claims to be more anonymous than Bitcoin, as the sender, recipient and value of transactions can be hidden. With this premise, Zcash attracted significant interest from academics, investors, miners, and cyber criminals. Within the first few hours of its launch, 1 ZEC reached $30,000, a relatively high value any cryptocurrency ever had. At the time of writing, 1 ZEC is worth 0.06 BTC or around $49. However, according to a blog post published on Monday by Kaspersky Lab, cyber criminals have already started deploying malware that installs on and infects the computers of unsuspecting users and then uses their resources to mine Zcash for the hacker's profit. You Might have Zcash Mining Malware on Your PC! The actual s...

Europol has announced that the law enforcement agencies from 13 countries around the globe have arrested 34 users of Netspoof DDoS attack tool and interviewed and warned 101 suspects in a global crackdown. According to the report published on the official website of Europol, law enforcement authorities worldwide have made the arrest between 5 December and 9 December 2016. Europol's European Cybercrime Centre (EC3) supported the law enforcement agencies in their efforts to identify suspects in the European Union and beyond. Arrested Suspects Are Mainly Teenagers All those arrested are mainly "young adults under the age of 20," who are suspected of paying for Netspoof stresser as well as booters services to maliciously deploy DDoS-for-hire software and using them to launch cyber attacks. The ddos attacks flooded target websites and web servers with massive amounts of data, leaving those services inaccessible to users. Europol's European Cybercrime Cent...

The non-profit organization behind TOR – the largest online anonymity network that allows people to hide their real identity online – has launched an early alpha version of Sandboxed Tor Browser 0.0.2 . Yes, the Tor Project is working on a sandboxed version of the Tor Browser that would isolate the Tor Browser from other processes of the operating system and limit its ability to interact or query low-level APIs that can lead to the exposure of real IP addresses, MAC addresses, computer name, and more. Sandboxing is a security mechanism for separating running programs. When an application is sandboxed, its process runs in a separate environment from the underlying operating system, so that errors or security issues in that application can not be leveraged to affect other parts of the OS. Sandbox applications are enabled in their own sequestered area and memory, where they can be worked on without posing any threat to other applications or the operating system. Major moder...