Security should always be a focus for any web project, but with so many people working from home, it has become more important than ever. The primary purpose of any website is to provide information to an audience and solve specific problems. But without having specific discussions regarding privacy and security with a site provider, [...] The post MacSites Security – Site Content and Form Data Collection Guidelines appeared first on MacSites.| MacSites
Customer Pain Points: “Gap” in security protection after new business launch. A financial company launched a new business system; the O&M team had to manually add the server IP to the WAF whitelist. Due to the cumbersome approval process, the configuration was not completed until 3 days later. During this period, hackers had invaded the […]| NSFOCUS, Inc., a global network and cyber security leader, protects enterpris...
Employee training, robust cybersecurity, updated antivirus software, and SSL encryption security are some of the best data security practices for remote workers| Techie Loops
Let’s be honest, the internet’s security system was held together with digital duct tape and wishful thinking. For years, we’ve been relying on a process for verifying website legitimacy that was about as secure as a screen door on a submarine. Domain Control Validation? More like Domain Casual Validation. It was practically an open invitation […] The post Chrome Just Declared War on Bad Certificates (And Your Website Might Be Next) appeared first on Poly Plugins.| Poly Plugins
Certificate Transparency (CT) has been one of the biggest advancements in web security, keeping users safe from threats such as certificate fraud and man-in-the-middle attacks. While CT has been around for over 11 years, enforcement has varied across...| Transparency.dev Community Blog
Attacks on encryption continue. The UK government has just reportedly handed Apple a Technical Capability Notice – effectively demanding that Apple allow UK law enforcement access to their users’ encrypted cloud servers. This is the latest in a series of recent pushes by the UK Government and security services to establish backdoors in the end-to-end encrypted services which underpin a great deal of our lives. It is also happening at a time when many of us are really quite scared of the t...| Light Blue Touchpaper
CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP.| Threatpost
Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.| Threatpost
TL;DR: Login CSRF in combination with an HTTP Referer header-based open redirect in Airbnb’s OAuth login flow could be abused to steal OAuth access tokens of all Airbnb identity providers and eventually authenticate as the victim on Airbnb’s website and mobile application. This attack did not rely on a specific OAuth identity provider app configuration flaw (e.g. wildcards in whitelisted redirect_uri URLs), which made it generic for all of Airbnb’s identity providers (Facebook & Google at...| Arne Swinnen
I publicly disclosed a vulnerability that I responsibly disclosed to Ubiquiti via the HackerOne platform. It concerned a subdomain takeover issue via Amazon CloudFront (ping.ubnt.com) in combination with shared session cookies between subdomains on *.ubnt.com, which ultimately led to a complete Authentication Bypass of their SSO system (sso.ubnt.com). It can be found here.| Arne Swinnen
TL;DR: Instagram ($2000), Google ($0) and Microsoft ($500) were vulnerable to direct money theft via premium phone number calls. They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This could have allowed a dedicated attacker to steal thousands of EUR/USD/GBP/…. Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited ...| Arne Swinnen
TL;DR: Instagram contained two distinct vulnerabilities that allowed an attacker to brute-force passwords of user accounts. Combined with user enumeration, a weak password policy, no 2FA nor other mitigating security controls, this could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones. Facebook fixed both issues and awarded a combined bounty of $5.000.| Arne Swinnen
TL;DR: Missing authentication combined with a simple Insecure Direct Object Reference vulnerability allowed an attacker to take over a selection of temporarily locked Instagram accounts. An extrapolation of the PoC account range showed that 4% of all existing & active Instagram accounts (approx. 500 million) were in a vulnerable locked state (approx. 20 million). Facebook fixed the vulnerability within a day and granted a $5.000 bounty 10 days later.| Arne Swinnen
An insufficient input validation flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.| threatpost.com