#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

More Celebrity Photos Leaked — Kim Kardashian and Others Targeted

More Celebrity Photos Leaked — Kim Kardashian and Others Targeted

Sep 21, 2014
So far people have not forgotten about the recent celebrity iCloud hacking scandal , a new wave of photographs of celebrities have been leaked in what appears to be the second edition of the massive leak related to the celebrities intimate-images on Internet earlier this month. Among the victims of the most recent leak were reality television star Kim Kardashian , 33, actor Vanessa Hudgens , 25, and U.S. national women's soccer team goalie Hope Solo , 33. Mary-Kate Olsen, Avril Lavigne, Hayden Panettiere, Lake Bell, Leelee Sobieski and former Disney stars Aly and AJ Michalka are other potential victims of this hacking scandal. A video of Aubrey Plaza and previously unreleased photographs of celebrities included in the last leak, such as Oscar-winner Jennifer Lawrence and The Big Bang Theory star Kaley Cuoco , were also released with the recent privacy breach . The leaked Celebrity Photos first appeared Saturday morning on the image-sharing site 4Chan and were also post
Yahoo Quickly Fixes SQL Injection Vulnerability Escalated to Remote Code Execution

Yahoo Quickly Fixes SQL Injection Vulnerability Escalated to Remote Code Execution

Sep 20, 2014
Yahoo! was recently impacted by a critical web application vulnerabilities which left website's database and server vulnerable to hackers. A cyber security expert and penetration tester, Ebrahim Hegazy a.k.a Zigoo from Egypt , has found a serious SQL injection vulnerability in Yahoo's website that allows an attacker to remotely execute any commands on its server with Root Privileges. According to Hegazy blog post , the SQLi vulnerability resides in a domain of Yahoo! website i.e. https://innovationjockeys.net/tictac_chk_req.php . Any remote user can manipulate the input to the " f_id " parameter in the above URL, which could be exploited to extract database from the server. While pentesting, he found username and password ( encoded as Base64 ) of Yahoo!' admin panel stored in the database. He decoded the Administrator Password and successfully Logged in to the Admin panel. Furthermore, SQL injection flaw also facilitate the attacker to exploit Remote Cod
How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

Mar 21, 2024SaaS Security / Endpoint Security
In today's digital-first business environment dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software solutions. As more vendors and services are added to the mix, the complexity and potential vulnerabilities within the  SaaS supply chain  snowball quickly. That's why effective vendor risk management (VRM) is a critical strategy in identifying, assessing, and mitigating risks to protect organizational assets and data integrity. Meanwhile, common approaches to vendor risk assessments are too slow and static for the modern world of SaaS. Most organizations have simply adapted their legacy evaluation techniques for on-premise software to apply to SaaS providers. This not only creates massive bottlenecks, but also causes organizations to inadvertently accept far too much risk. To effectively adapt to the realities of modern work, two major aspects need to change: the timeline of initial assessment must shorte
Avira Vulnerability Puts Users' Online Backup Data At Risk

Avira Vulnerability Puts Users' Online Backup Data At Risk

Sep 20, 2014
A popular Anti-virus software Avira that provides free security software to its customers with Secure Backup service is vulnerable to a critical web application vulnerability that could allow an attacker to take over users' account, putting millions of its users' account at risk. Avira is very popular for their free security software that comes with its own real-time protection module against malware and a secure backup service. Avira was considered to be the sixth largest antivirus vendor in 2012 with over 100 million customers worldwide. A 16 year-old security researcher ' Mazen Gamal ' from Egypt told The Hacker News that Avira Website is vulnerable to CSRF (Cross-site request forgery) vulnerability that allows him to hijack users' accounts and access to their online secure cloud backup files. CSRF VULNERABILITY TO  ACCOUNT TAKEOVER Cross-Site Request Forgery (CSRF or XSRF) is a method of attacking a Web site in which an intruder masquerades as a legitimate
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
How to Detect SQL Injection Attacks

How to Detect SQL Injection Attacks

Sep 19, 2014
SQL Injection (SQLi) attacks have been around for over a decade. You might wonder why they are still so prevalent. The main reason is that they still work on quite a few web application targets. In fact, according to Veracode's 2014 State of Security Software Report , SQL injection vulnerabilities still plague 32% of all web applications. One of the big reasons is the attractiveness of the target – the database typically contains the interesting and valuable data for the web application. A SQLi attack involves inserting a malformed SQL query into an application via client-side input. The attack perverts the intentions of web programmers who write queries and provide input methods that can be exploited. There is a reason they're on the OWASP Top 10 . Termed " injection flaws ", they can strike not only SQL, but operating systems and LDAP can fall prey to SQLi. They involve sending untrusted data to the interpreter as a part of the query. The attack tricks the interpreter into
'The Home Depot' Data Breach Put 56 Million Payment Cards at Risk

'The Home Depot' Data Breach Put 56 Million Payment Cards at Risk

Sep 19, 2014
Home Depot , the nation's largest home improvement retailer, announced on Thursday that a total of 56 million unique payment cards were likely compromised in a data breach at its stores, suggesting that the data breach on Home improvement chain was larger than the Target data breach that occurred last year during Christmas holidays. The data theft occurred between April and September at Home Depot stores in both the United States and Canada, but the confirmation comes less than a week after the retailer first disclosed the possibility of a breach. " We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges, " Home Depot CEO Frank Blake said in a statement. " From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so. " It is believe that the cybercriminals successfully compromised the
Chinese Hackers Hacked Into U.S. Defense Contractors 20 Times In Just One Year

Chinese Hackers Hacked Into U.S. Defense Contractors 20 Times In Just One Year

Sep 18, 2014
Chinese hackers associated with the Chinese government have successfully infiltrated the computer systems of U.S. defense contractors working with the government agency responsible for the transportation of military troops and goods across the globe, a Senate investigators have found. The Senate Armed Services Committee has been investigating the issue for the past year and found that the U.S. Military's Transportation Command (TRANSCOM) has been infiltrated at least 20 times in a single year, out of which only two were detected. This is probably the most serious allegation yet against China. The successful intrusions attributed to an "advanced persistent threat," a term used to designate sophisticated threats commonly associated with governments. All of those intrusions were attributed to China, the report stated. The investigation was conducted in the 12 months period from June 2012 to June 2013 based on information provided by the Federal Bureau of Investigat
Adobe Releases Critical Security Updates for Acrobat and Reader

Adobe Releases Critical Security Updates for Acrobat and Reader

Sep 18, 2014
After a week delay, Adobe has finally pushed out critical security updates for its frequently-attacked Reader and Acrobat PDF software packages to patch serious vulnerabilities that could lead to computers being compromised. The new versions of Adobe Reader and Acrobat released Tuesday for both Windows and Macintosh computers address eight vulnerabilities, five of which could allow for remote code execution . The remaining three vulnerabilities involve a sandbox bypass vulnerability that can be exploited to escalate an attacker's privileges on Windows, a denial-of-service (DoS) vulnerability related to memory corruption, and a cross-site scripting (XSS) flaw that only affects the programs on the Mac platform. According to Adobe's advisory , applying the patches will involve a system restart. The affected versions are: Adobe Reader XI (11.0.08) and earlier 11.x versions for Windows Adobe Reader XI (11.0.07) and earlier 11.x versions for Macintosh Adobe Reade
Apple Rolls Out iOS 8 with Bucket of Security Fixes

Apple Rolls Out iOS 8 with Bucket of Security Fixes

Sep 18, 2014
Apple has finally released iOS 8 , the latest version of its operating system, for free to iPhone, iPad and iPod touch users. The company has assured that the latest iOS 8 update is a significant step away up from iOS 7. You can grab the new update through an over-the-air update accessible by going to Settings > General > Software Update . If you don't want to download the update wirelessly due to a limited or restricted data plan, you can also download the update by connecting your phone to the latest version of iTunes . iOS 8 was first revealed publicly at the Apple's Worldwide Developer Conference (WWDC) in June, showing off an improved Notification Centre. Apart from the security patches, iOS 8 has a number of new features and functions tied to your location. Additionally, it has new privacy settings, which allow users to limit how long data is stored for, such as message expiry features and new private browsing settings. VULNERABILITIES PATCHED A
How a Cell Phone User Can be Secretly Tracked Across the Globe

How a Cell Phone User Can be Secretly Tracked Across the Globe

Sep 17, 2014
Since we are living in an era of Mass surveillance conducted by Government as well as private sector industries, and with the boom in surveillance technology, we should be much worried about our privacy. According to the companies that create surveillance solutions for law enforcement and intelligence agencies, the surveillance tools are only for governments. But, reality is much more disappointing. These surveillance industries are so poorly regulated and exceedingly secretive that their tools can easily make their way into the hands of repressive organizations. Private surveillance vendors sell surveillance tools to governments around the world, that allows cellular networks to collect records about users in an effort to offer substantial cellular service to the agencies. Wherever the user is, it pinpoint the target's location to keep every track of users who own a cellphone — here or abroad. We ourselves give them an open invitation as we all have sensors in our
Malicious Kindle Ebook Let Hackers Take Over Your Amazon Account

Malicious Kindle Ebook Let Hackers Take Over Your Amazon Account

Sep 17, 2014
If you came across a Kindle e-book download link from any suspicious sources or somewhere other than Amazon itself, check twice before you proceed download. As downloading an eBook could put your personal information at risk. A security researcher has uncovered a security hole in Amazon's Kindle Library that could lead to cross-site scripting ( XSS ) attacks and account compromises when you upload a malicious ebook. AMAZON CREDENTIALS – BOON FOR HACKERS The flaw affects the " Manage Your Content and Devices " and " Manage your Kindle " services in Amazon's web-based Kindle Library, which could allow a hacker to inject and hide malicious lines of code into into e-book metadata, such as the title text of an eBook, in order to compromise the security of your Amazon account. Gaining access to your Amazon account credentials is one of the biggest boons for hackers, as they can set-up new credit cards in your account or max out the current ones on file with some big
Win Apple's iPhone 6 For Free – A New Facebook Scam

Win Apple's iPhone 6 For Free – A New Facebook Scam

Sep 17, 2014
Apple's iPhone 6 FREE ? Of course not ! It's only a hoax, but scammers have announced the just release iPhone 6 free. Another Facebook scam is circulating across the popular social networking website just days after Apple unveiled its upcoming iPhone 6 and iPhone 6 Plus, as scammers take advantage of all the hype and use them to lure Facebook users. THREE SIMPLE STEPS AND iPHONE 6 IS YOURS — REALLY? As usual, This new scam promises a chance to Win a free iPhone 6 to those users who complete a series of steps, as reported by Hoax-Slayer. You just need to go through "three easy steps" to get a chance to win the device: Like the Facebook page created to propagate the scam Share the page with your Facebook friends Download a "Participation Application" But before you proceed to the last step, a pop-up window leads you to participate in a survey before you can download the application. The survey will ask you to share your name, address, p
New Android Browser Vulnerability Is a “Privacy Disaster” for 70% Of Android Users

New Android Browser Vulnerability Is a "Privacy Disaster" for 70% Of Android Users

Sep 17, 2014
A Serious vulnerability has been discovered in the Web browser installed by default on a large number (Approximately 70%) of Android devices, that could allow an attacker to hijack users' open websites, and there is now a Metasploit module available to easily exploit this dangerous flaw. The exploit targets vulnerability ( CVE-2014-6041 ) in Android versions 4.2.1 and all older versions and was first disclosed right at the start of September by an independent security researcher Rafay Baloch, but there has not been much public discussion on it. The Android bug has been called a " privacy disaster " by Tod Beardsley, a developer for the Metasploit security toolkit, and in order to explain you why, he has promised to post a video that is " sufficiently shocking ." " By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP) Browser) fails to enforce the Same-Origin Policy (SOP) browser secur
Cybersecurity Resources