Search results for How can we prevent Cookies from using our data | Breaking Cybersecurity News | The Hacker News

As part of  Checkmarx's mission  to help organizations develop and deploy secure software, the Security Research team started looking at the security posture of major car manufacturers. Porsche has a well-established Vulnerability Reporting Policy (Disclosure Policy) [1] , it was considered in scope for our research, so we decided to start there, and see what we could find. What we found is an attack scenario that results from chaining security issues found on different Porsche's assets, a website and a GraphQL API, that could lead to data exfiltration. Data exfiltration is an attack technique that can impact businesses and organizations, regardless of size. When malicious users breach a company's or organization's systems and exfiltrate data, it can be a jarring and business-critical moment. Porsche has a diverse online presence - deploying several microsites, websites, and web applications. The Porsche Experience [2] is one website that allows registered users to ...

Phishing attacks remain a huge challenge for organizations in 2025. In fact, with attackers increasingly leveraging identity-based techniques over software exploits, phishing arguably poses a bigger threat than ever before.  Attackers are increasingly leveraging identity-based techniques over software exploits, with phishing and stolen credentials (a byproduct of phishing) now the primary cause of breaches. Source: Verizon DBIR Attackers are increasingly leveraging identity-based techniques over software exploits, with phishing and stolen credentials (a byproduct of phishing) now the primary cause of breaches. Source: Verizon DBIR Attackers are turning to identity attacks like phishing because they can achieve all of the same objectives as they would in a traditional endpoint or network attack, simply by logging into a victim's account. And with organizations now using hundreds of internet apps across their workforce, the scope of accounts that can be phished or targeted with s...

Some risks don't breach the perimeter—they arrive through signed software, clean resumes, or sanctioned vendors still hiding in plain sight. This week, the clearest threats weren't the loudest—they were the most legitimate-looking. In an environment where identity, trust, and tooling are all interlinked, the strongest attack path is often the one that looks like it belongs. Security teams are now challenged to defend systems not just from intrusions—but from trust itself being turned into a weapon. ⚡ Threat of the Week Microsoft SharePoint Attacks Traced to China — The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread a week after the discovery of the zero-day exploits, with more than 400 organizations globally compromised. The attacks have been attributed to two known Chinese hacking groups tracked as Linen Typhoon (aka APT27), Violet Typhoon (aka APT31), and a suspected China-based threat actor codenamed Storm-2603 t...

The security landscape now moves at a pace no patch cycle can match. Attackers aren't waiting for quarterly updates or monthly fixes—they adapt within hours, blending fresh techniques with old, forgotten flaws to create new openings. A vulnerability closed yesterday can become the blueprint for tomorrow's breach. This week's recap explores the trends driving that constant churn: how threat actors reuse proven tactics in unexpected ways, how emerging technologies widen the attack surface, and what defenders can learn before the next pivot. Read on to see not just what happened, but what it means—so you can stay ahead instead of scrambling to catch up. ⚡ Threat of the Week Google Patches Actively Exploited Chrome 0-Day — Google released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild. The zero-day vulnerability, CVE-2025-10585, has been described as a type confusion issue in the V8 JavaScript ...

Even in well-secured environments, attackers are getting in—not with flashy exploits, but by quietly taking advantage of weak settings, outdated encryption, and trusted tools left unprotected. These attacks don't depend on zero-days. They work by staying unnoticed—slipping through the cracks in what we monitor and what we assume is safe. What once looked suspicious now blends in, thanks to modular techniques and automation that copy normal behavior. The real concern? Control isn't just being challenged—it's being quietly taken. This week's updates highlight how default settings, blurred trust boundaries, and exposed infrastructure are turning everyday systems into entry points. ⚡ Threat of the Week Critical SharePoint Zero-Day Actively Exploited (Patch Released Today) — Microsoft has released fixes to address two security flaws in SharePoint Server that have come under active exploitation in the wild to breach dozens of organizations across the world. Details of exploitation emer...

Preview : Web App Hacker's Handbook 2nd Edition ! The first draft of the new edition of WAHH is now completed, and the lengthy editing and production process is underway. Just to whet everyone's appetite, I'm posting below an exclusive extract from the Introduction, describing what has changed in the second edition. (And in a vain attempt to quell the tidal wave of questions: the book will be published in October; there won't be any more extracts; we don't need any proof readers, thanks.) What's Changed in the Second Edition? In the four years since the first edition of this book was published, much has changed and much has stayed the same. The march of new technology has, of course, continued apace, and this has given rise to specific new vulnerabilities and attacks. The ingenuity of hackers has also led to the development of new attack techniques, and new ways of exploiting old bugs. But neither of these factors, technological or human, has created a rev...

Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior. Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert. Here's how that false sense of security was broken again this week. ⚡ Threat of the Week Newly Patched Critical Microsoft WSUS Flaw Comes Under Attack — Microsoft released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability that has since come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. According to Eye Security and Huntress, the security flaw is being weaponized to drop a .N...

What happens when cybercriminals no longer need deep skills to breach your defenses? Today's attackers are armed with powerful tools that do the heavy lifting — from AI-powered phishing kits to large botnets ready to strike. And they're not just after big corporations. Anyone can be a target when fake identities, hijacked infrastructure, and insider tricks are used to slip past security unnoticed. This week's threats are a reminder: waiting to react is no longer an option. Every delay gives attackers more ground. ⚡ Threat of the Week Critical SAP NetWeaver Flaw Exploited as 0-Day — A critical security flaw in SAP NetWeaver (CVE-2025-31324, CVSS score: 10.0) has been exploited by unknown threat actors to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. The attacks have also been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven's Gate to bypass endpoint protections. ...

This week, cyber attackers are moving quickly, and businesses need to stay alert. They're finding new weaknesses in popular software and coming up with clever ways to get around security. Even one unpatched flaw could let attackers in, leading to data theft or even taking control of your systems. The clock is ticking—if defenses aren't updated regularly, it could lead to serious damage. The message is clear: don't wait for an attack to happen. Take action now to protect your business. Here's a look at some of the biggest stories in cybersecurity this week: from new flaws in WinRAR and NVIDIA Triton to advanced attack techniques you should know about. Let's get into the details. ⚡ Threat of the Week Trend Micro Warns of Actively Exploited 0-Day — Trend Micro has released temporary mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it said have been exploited in the wild. The vulnerabilities (CVE-2025-54948 and CVE-2025-54987),...

Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data without the users' knowledge pixel-by-pixel. The attack has been codenamed Pixnapping by a group of academics from the University of California (Berkeley), University of Washington, University of California (San Diego), and Carnegie Mellon University. Pixnapping, at its core, is a pixel-stealing framework aimed at Android devices in a manner that bypasses browser mitigations and even siphons data from non-browser apps like Google Authenticator by taking advantage of Android APIs and a hardware side-channel, allowing a malicious app to weaponize the technique to capture 2FA codes in under 30 seconds. "Our key observation is that Android APIs enable an attacker to create an analog to [Paul] Stone-style attacks outside of the browser," the researchers...

Signaling a major shift to its ads-driven business model, Google on Wednesday unequivocally stated it would not build alternate identifiers or tools to track users across multiple websites once it begins phasing out third-party tracking cookies from its Chrome browser by early 2022. "Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers,"  said  David Temkin, Google's director of product management for ads privacy and trust. "Advances in aggregation, anonymization, on-device processing and other privacy-preserving technologies offer a clear path to replacing individual identifiers." The changes, which could potentially reshape the advertising landscape, are expected only to cover websites visited via Chrome and do not extend to mobile apps. At the same time, Google acknowledged that other companies might find alternative ways to track individual us...

It's easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn't just patching fast, but watching smarter and staying alert for what you don't expect. Here's a quick look at this week's top threats, new tactics, and security stories shaping the landscape. ⚡ Threat of the Week F5 Exposed to Nation-State Breach — F5 disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities in the product. The company said it learned of the incident on August 9, 2025, although it's believed that the attackers were in its network for at least 12 months. The attackers are said to have used a malware family called BRICKSTORM, which is attributed to a China-nexus espionage group dubbed UNC5221. GreyNoise said it observed elevat...

Attacks that target users in their web browsers have seen an unprecedented rise in recent years. In this article, we'll explore what a "browser-based attack" is, and why they're proving to be so effective.  What is a browser-based attack? First, it's important to establish what a browser-based attack is. In most scenarios, attackers don't think of themselves as attacking your web browser. Their end-goal is to compromise your business apps and data. That means going after the third-party services that are now the backbone of business IT. The most common attack path today sees attackers log into third-party services, dump the data, and monetize it through extortion. You need only look at last year's Snowflake customer breaches or the still-ongoing Salesforce attacks to see the impact.  The most logical way to do this is by targeting users of those apps. And because of the changes to working practices, your users are more accessible than ever to external attackers — and ex...