The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

After exposing private tweets , plaintext passwords , and personal information for hundreds of thousands of its users, here is a new security blunder social networking company Twitter admitted today. Twitter announced that the phone numbers and email addresses of some users provided for two-factor authentication (2FA) protection had been used for targeted advertising purposes—though the company said it was 'unintentional.' In a blog post, the company said an 'error' in its 'Tailored Audiences and Partner Audiences advertising system' inadvertently used the information provided by users for security reasons to run targeted ads based on the advertisers' own marketing lists. "When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize," Twitter said in a blog po

Microsoft today rolling out its October 2019 Patch Tuesday security updates to fix a total of 59 vulnerabilities in Windows operating systems and related software, 9 of which are rated as critical, 49 are important, and one is moderate in severity. What's good about this month's patch update is that after a very long time, none of the security vulnerabilities patched by the tech giant this month is being listed as publicly known or under active attack. Moreover, there is no roll-up patch for Adobe Flash Player bundled in Windows update for this month. Besides this, Microsoft has also put up a notice as a reminder for Windows 7 and Windows Server 2008 R2 users, warning them that the extended support for these two operating systems is about to end in the next two months and that they will no longer receive updates as of January 14, 2020. Two of the critical vulnerabilities patched this month are remote code execution flaws in the VBScript engine, and both exist in the way VBS

The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

After releasing a patch for a critical zero-day remote code execution vulnerability late last month, vBulletin has recently published a new security patch update that addresses 3 more high-severity vulnerabilities in its forum software. If left unpatched, the reported security vulnerabilities, which affect vBulletin 5.5.4 and prior versions, could eventually allow remote attackers to take complete control over targeted web servers and steal sensitive user information. Written in PHP, vBulletin is a widely used proprietary Internet forum software package that powers over 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums. Discovered by application security researcher Egidio Romano, the first vulnerability, tracked as CVE-2019-17132 , is a remote code execution flaw, while the other two are SQL injection issues, both assigned a single ID as CVE-2019-17271 . vBulletin RCE and SQLi Flaws The RCE flaw resides in the w

I have really bad news for Adobe customers in Venezuela… California-based software company Adobe on Monday announced to soon ban accounts and cancel the subscriptions for all of its customers in Venezuela in order to comply with economic sanctions that the United States imposed on the Latin American country. The Trump administration issued an executive order on 5th August 2019, targeting the President of Venezuela Nicolas Maduro for allegedly usurping the presidency and violating the human rights of the country's citizens. The Presidential Executive Order 13884 has been designed to block American companies and individuals from conducting virtually all trade with Venezuela. As a result, Adobe has now decided to deactivate all accounts in the country, leaving thousands of users and companies without access to the company's graphics and multimedia software, including Photoshop, Illustrator, Acrobat Reader, Adobe After Effects, Lightroom, and Flash Player. "The

Almost every application contains security vulnerabilities, some of which you may find today, but others would remain invisible until someone else finds and exploits them—which is the harsh reality of cybersecurity and its current state. And when we say this, Signal Private Messenger —promoted as one of the most secure messengers in the world—isn't any exception. Google Project Zero researcher Natalie Silvanovich discovered a logical vulnerability in the Signal messaging app for Android that could allow malicious caller to force a call to be answered at the receiver's end without requiring his/her interaction. In other words, the flaw could be exploited to turn on the microphone of a targeted Signal user's device and listen to all surrounding conversations. However, the Signal vulnerability can only be exploited if the receiver fails to answer an audio call over Signal, eventually forcing the incoming call to be automatically answered on the receiver's device

Another day, another revelation of a critical unpatched zero-day vulnerability, this time in the world's most widely used mobile operating system, Android. What's more? The Android zero-day vulnerability has also been found to be exploited in the wild by the Israeli surveillance vendor NSO Group—infamous for selling zero-day exploits to governments—or one of its customers, to gain control of their targets' Android devices. Discovered by Project Zero researcher Maddie Stone, the details and a proof-of-concept exploit for the high-severity security vulnerability, tracked as CVE-2019-2215, has been made public today—just seven days after reporting it to the Android security team. The zero-day is a use-after-free vulnerability in the Android kernel's binder driver that can allow a local privileged attacker or an app to escalate their privileges to gain root access to a vulnerable device and potentially take full remote control of the device. Vulnerable Android D

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library th

Phishing is still one of the widely used strategies by cybercriminals and espionage groups to gain an initial foothold on the targeted systems. Though hacking someone with phishing attacks was easy a decade ago, the evolution of threat detection technologies and cyber awareness among people has slowed down the success of phishing and social engineering attacks over the years. Since phishing is more sort of a one-time opportunity for hackers before their victims suspect it and likely won't fall for the same trick again, sophisticated hacking groups have started putting a lot of effort, time and research to design well-crafted phishing campaigns. In one such latest campaign discovered by cybersecurity researchers at Check Point, a Chinese hacking group, known as Rancor , has been found conducting very targeted and extensive attacks against Southeast Asian government entities from December 2018 to June 2019. What's interesting about this ongoing 7-month long campaign is