Category: vulnerabilities

Auto Added by WPeMatico

Security Vulnerability in Saflok’s RFID-Based Keycard Locks

Posted on By infossl
cybersecurity, hacking, hotels, Internet of Things, locks, Security technology, Uncategorized, vulnerabilities

It’s pretty devastating: Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker … Read More “Security Vulnerability in Saflok’s RFID-Based Keycard Locks” »

Google Pays $10M in Bug Bounties in 2023

Posted on By infossl
economics of security, google, Security technology, Uncategorized, vulnerabilities

BleepingComputer has the details. It’s $2M less than in 2022, but it’s still a lot. The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program’s launch in 2010 has reached $59 million. For Android, the world’s most popular and widely used mobile operating system, the program awarded … Read More “Google Pays $10M in Bug Bounties in 2023” »

On Software Liabilities

Posted on By infossl
academic papers, cybersecurity, Security technology, software liability, Uncategorized, vulnerabilities

Over on Lawfare, Jim Dempsey published a really interesting proposal for software liability: “Standard for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor.” Section 1 of this paper sets the stage by briefly describing the problem to be solved. Section 2 canvasses the different fields of law (warranty, … Read More “On Software Liabilities” »

Data Exfiltration Using Indirect Prompt Injection

Posted on By infossl
ChatGPT, LLM, Security technology, Uncategorized, vulnerabilities

Interesting attack on a LLM: In Writer, users can enter a ChatGPT-like session to edit or create their documents. In this chat session, the LLM can retrieve information from sources on the web to assist users in creation of their documents. We show that attackers can prepare websites that, when a user adds them as … Read More “Data Exfiltration Using Indirect Prompt Injection” »

New Windows/Linux Firmware Attack

Posted on By infossl
bios, exploits, firmware, linux, Security technology, Uncategorized, vulnerabilities, windows

Interesting attack based on malicious pre-OS logo images: LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux…. The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday. The participating … Read More “New Windows/Linux Firmware Attack” »

New Bluetooth Attack

Posted on By infossl
authentication, bluetooth, cyberattack, man-in-the-middle attacks, secrecy, Security technology, Uncategorized, vulnerabilities

New attack breaks forward secrecy in Bluetooth. Three news articles: BLUFFS is a series of exploits targeting Bluetooth, aiming to break Bluetooth sessions’ forward and future secrecy, compromising the confidentiality of past and future communications between devices. This is achieved by exploiting four flaws in the session key derivation process, two of which are new, … Read More “New Bluetooth Attack” »

Breaking Laptop Fingerprint Sensors

Posted on By infossl
authentication, biometrics, fingerprints, identification, reports, Security technology, sensors, Uncategorized, vulnerabilities

They’re not that good: Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s own Surface … Read More “Breaking Laptop Fingerprint Sensors” »

Email Security Flaw Found in the Wild

Posted on By infossl
cross-site scripting, e-mail, Security technology, Uncategorized, vulnerabilities, zero-day

Google’s Threat Analysis Group announced a zero-day against the Zimbra Collaboration email server that has been used against governments around the world. TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this activity occurred after the initial fix became public on Github. To … Read More “Email Security Flaw Found in the Wild” »

Friday Squid Blogging: Unpatched Vulnerabilities in the Squid Caching Proxy

Posted on By infossl
computer security, patching, proxies, Security technology, squid, Uncategorized, vulnerabilities, web

In a rare squid/security post, here’s an article about unpatched vulnerabilities in the Squid caching proxy. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. Powered by WPeMatico

Leaving Authentication Credentials in Public Code

Posted on By infossl
credentials, Security technology, Uncategorized, vulnerabilities

Interesting article about a surprisingly common vulnerability: programmers leaving authentication credentials and other secrets in publicly accessible software code: Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code repository for the Python programming language. Nearly 3,000 projects contained … Read More “Leaving Authentication Credentials in Public Code” »