Unsafe yaml load can lead to remote code execution on 04/05/2024
Liberapay disclosed a bug submitted by mrrobot2050: https://hackerone.com/reports/2467232 [...]
Rafael de Carvalho shares 3 tips for managing the pitfalls of saying "yes." [...]
Squid-shaped purses for sale. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. [...]
I have spoken at several TED conferences over the years: TEDxPSU 2010, “Reconceptualizing Security”; TEDxCambridge 2013, “The Battle for Power on the Internet”; TEDMed 2016, “Who Controls Your Medical Data?” I’m putting this here because I want all three links in one place. [...]
U.S. Dept Of Defense disclosed a bug submitted by maskedpersian: https://hackerone.com/reports/2221104 [...]
U.S. Dept Of Defense disclosed a bug submitted by maskedpersian: https://hackerone.com/reports/2479161 [...]
U.S. Dept Of Defense disclosed a bug submitted by neg0x: https://hackerone.com/reports/2434904 [...]
U.S. Dept Of Defense disclosed a bug submitted by kurogai: https://hackerone.com/reports/2417864 [...]
U.S. Dept Of Defense disclosed a bug submitted by maskedpersian: https://hackerone.com/reports/2444032 [...]
U.S. Dept Of Defense disclosed a bug submitted by neg0x: https://hackerone.com/reports/2433970 [...]
Node.js disclosed a bug submitted by uzlopak: https://hackerone.com/reports/2377760 [...]
Node.js disclosed a bug submitted by iylz: https://hackerone.com/reports/2408074 [...]
Node.js disclosed a bug submitted by bpingel: https://hackerone.com/reports/2237099 [...]
The Polish Embassy has posted a series of short interview segments with Marian Rejewski, the first person to crack the Enigma. Details from his biography. [...]
Adobe disclosed a bug submitted by renzi: https://hackerone.com/reports/1842801 [...]
Learn the importance of using a CREST-certified and approved security partner for your pentest engagements. [...]
By Francesco Bertolaccini You’ve reached computer programming nirvana. Your journey has led you down many paths, including believing that God wrote the universe in LISP, but now the truth is clear in your mind: every problem can be solved by writing one more compiler. It’s true. Even our soon-to-be artificially intelligent overlords are nothing but compilers, just as the legends foreto [...]
Sriram Karra and Christiaan Brand, Google product managers. Last year, Google launched passkey support for Google Accounts. Passkeys are a new industry standard that give users an easy, highly secure way to sign in to apps and websites. Today, we announced that passkeys have been used to authenticate users more than 1 billion times across over 400 million Google Accounts. As more users encounter pass [...]
The UK is the first country to ban default passwords on IoT devices. On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted. The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufactur [...]
Deriv.com disclosed a bug submitted by zacian: https://hackerone.com/reports/2270082 - Bounty: $100 [...]
Shopify disclosed a bug submitted by ryanmoles6: https://hackerone.com/reports/1590115 [...]
Shopify disclosed a bug submitted by niraj1mahajan: https://hackerone.com/reports/1162443 - Bounty: $500 [...]
HackerOne has partnered with Zoom to select EverythingALS as the Hack For Good donation option for ALS Awareness Month. [...]
I am retiring from HackerOne and have started the search for my successor as CEO of this awesome company. [...]
Scammers tricked a company into believing they were dealing with a BBC presenter. They faked her voice, and accepted money intended for her. [...]
IBM disclosed a bug submitted by suryahss: https://hackerone.com/reports/2456603 [...]
Posted by Will Harris, Chrome Security Team. Chromium's sandbox [...]
As we have in previous editions of the ThreatStats report, we highlight the industry’s top API-related attacks and trends. New to this version, however, is a detailed analysis of API attacks targeting AI-based applications, representing a new and rapidly expanding threat vector. And while we encourage you to download the full report, here are some key observations about what you’ll find within. AP [...]
A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients. On October 21, 2020, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as “ransom_man” deman [...]
By Nat Chin Welcome to our deep dive into the world of invariant development with Curvance. We’ve been building invariants as part of regular code review assessments for more than 6 years now, but our work with Curvance marks our very first official invariant development project, in which developing and testing invariants is all we did. Over the nine-week engagement, we wrote and tested 216 invari [...]
Meta has threatened to pull WhatsApp out of India if the courts try to force it to break its end-to-end encryption. [...]
🗣️ This is part of a series of posts examining the methods malicious Python code gains execution. The previous installment of this series demonstrated the weakness in allowing source distributions as dependencies. They lead to executing arbitrary code from setup.py files tucked away in the dependency hierarchy. A best practice is to enumerate the complete set of dependencies, in the f [...]
Internet Bug Bounty disclosed a bug submitted by bart: https://hackerone.com/reports/2453328 - Bounty: $3645 [...]
The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent. The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In Febru [...]
As the use of GenAI and LLMs has ramped up, so have the vulnerabilities that come with them, and one of the worst is prompt injection. [...]
Posted by Steve Kafka and Khawaja Shams (Android Security and Privacy Team), and Mohet Saxena (Play Trust and Safety) A safe and trusted Google Play experience is our top priority. We leverage our SAFE (see below) principles to provide the framework to create that experience for both users and developers. Here's what these principles mean in practice: (S)afeguard our Users. Help them discover [...]
To outmanoeuvre cybercriminals, the key is to beat them to the punch by working with ethical hackers. However, a question often arises: Can we trust ethical hackers? Especially when we don’t know them personally? Through platforms such as Intigriti, the short answer is yes, you can trust these individuals. However, the word ‘hacker’ carries a […] The post The tr [...]
During the Cold War, the US Navy tried to make a secret code out of whale song. The basic plan was to develop coded messages from recordings of whales, dolphins, sea lions, and seals. The submarine would broadcast the noises and a computer—the Combo Signal Recognizer (CSR)—would detect the specific patterns and decode them on the other end. In theory, this idea was relatively simple. A [...]
In case you missed it on our Twitter channel, we’ve recently launched Misconfigurations Mapper (or MisconfigMapper for short)! Misconfig Mapper is a new project designed by Intigriti Hackers Team to help you find security misconfigurations in popular services used at your bug bounty/penetration testing targets (such as Atlassian, Jenkins, etc.). Additionally, it can help you find […] The [...]
HackerOne disclosed a bug submitted by xklepxn: https://hackerone.com/reports/2442008 [...]
Hyperledger disclosed a bug submitted by another_dude: https://hackerone.com/reports/2471956 [...]
Internet Bug Bounty disclosed a bug submitted by parantheses: https://hackerone.com/reports/2401359 - Bounty: $2580 [...]
Internet Bug Bounty disclosed a bug submitted by scyoon: https://hackerone.com/reports/2402193 - Bounty: $2580 [...]
Shubhi Gupta shares tips and lessons from 12 years of being an on-call engineer. [...]
A cruise ship is searching for the colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. [...]
Lambert Rosique and Jan Keller, Security Workflow Automation, and Diana Kramer, Alexandra Bowen and Andrew Cho, Privacy and Security Incident Response. Introduction: As security professionals, we're constantly looking for ways to reduce risk and improve our workflow's efficiency. We've made great strides in using AI to identify malicious content, block threats, and discover and fix vulnerabilities. We [...]
Exhausted but hopeful and longing for new horizons, the Infrastructure Team embarked on the "Container Journey." [...]
Charlie Kroon discusses tips for good writing to make you a better and more impactful engineer. [...]
By Will Song The Trail of Bits cryptography team is pleased to announce the open-sourcing of our pure Rust and Go implementations of Leighton-Micali Hash-Based Signatures (LMS), a well-studied NIST-standardized post-quantum digital signature algorithm. If you or your organization are looking to transition to post-quantum support for digital signatures, both of these implementations have been engin [...]
Recent years have witnessed a dramatic surge in cyberattacks, with both the frequency and sophistication of attacks reaching unprecedented levels. Cybercrime is anticipated to cost companies all over the globe an estimated $10.5 trillion annually by 2025, and IoT attacks alone are expected to double by then too. While the immediate (typically financial) impacts of a cyberatta [...]
Kashmir Hill has a really good article on how GM tricked its drivers into letting it spy on them—and then sold that data to insurance companies. [...]
PlayStation disclosed a bug submitted by theflow0: https://hackerone.com/reports/2177925 - Bounty: $12500 [...]
You can now streamline and enhance your vulnerability management process with HackerOne’s in-platform GenAI copilot, Hai. [...]
The web has become so interwoven with everyday life that it is easy to forget what an extraordinary accomplishment and treasure it is. In just a few decades, much of human knowledge has been collectively written up and made available to anyone with an internet connection. But all of this is coming to an end. The advent of AI threatens to destroy the complex online ecosystem that allows writers, ar [...]
Internet Bug Bounty disclosed a bug submitted by bart: https://hackerone.com/reports/2453322 - Bounty: $2580 [...]
🗣️ This is part of a series of posts examining the methods malicious Python code gains execution. If you haven't already, you'll likely want to start with the core concept of package spoofing. We're back at it, thinking like attackers that find ways to trick unsuspecting developers into running malware. Previous methods explored creating trojan functions and imports, wh [...]
🗣️ This is part of a series of posts examining the methods malicious Python code gains execution. If you haven't already, you'll likely want to start with the core concept of package spoofing. Calling a trojan function: This method is also maybe the most obvious: add additional code to existing functions. What easier way to gain code execution in Python than to write a functio [...]
🗣️ This is part of a series of posts examining the methods malicious Python code gains execution. Creating a functional package and hosting it on the Python Package Index (PyPI) is the foundation of most malicious Python packages. Making one that developers will actually want is hard. Malware authors know that proper R&D is essential to their success. Instead of research and devel [...]
The primary vector for malicious code running in software developer environments (e.g., local system, CI/CD runners, production servers, etc.) is software dependencies. This is third-party code, which often means open-source software, also known as running code from strangers on the internet. The prized goal for attackers is arbitrary code execution. It’s the stuff high CVE scores are made of [...]
Learn about the importance of SOC 2 Type II compliance and how to address it with methodology-driven pentesting. [...]
Back in November of 2023, we published a blog post highlighting the technical details of a sophisticated attack in npm attributed to North Korea. We subsequently published a follow-up in January of 2024 detailing the history of the attack and highlighting the broader context of North Korean APTs operating in open-source ecosystems. Since then, it’s been relatively quiet—until today. [...]
Posted by Yoshi Yamaguchi, Santiago Díaz, Maud Nalpas, Eiji Kitamura, DevRel team The Reporting API is an emerging web standard that provides a generic reporting mechanism for issues occurring on the browsers visiting your production website. The reports you receive detail issues such as security violations or soon-to-be-deprecated APIs, from users’ browsers from all over the world. Collectin [...]
Who is an ethical hacker, what is a bug bounty program, and why is human-powered security the best method for strengthening your security posture? [...]
IBM disclosed a bug submitted by hassan_sheet: https://hackerone.com/reports/2090964 [...]
Mozilla disclosed a bug submitted by griffinf: https://hackerone.com/reports/2467999 [...]
The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, [...]
Internet Bug Bounty disclosed a bug submitted by w0x42: https://hackerone.com/reports/2442613 - Bounty: $2580 [...]
Internet Bug Bounty disclosed a bug submitted by bart: https://hackerone.com/reports/2334401 - Bounty: $4860 [...]
Capital One and 52 highly skilled global ethical hackers came together for the organization's second live hacking event with HackerOne. [...]
The transport and logistics (T&L) industry is a crucial player in today’s interconnected world, enabling the seamless movement of goods across long distances with exceptional efficiency. However, this very efficiency has also made the industry a prime target for cyber attacks. As T&L companies rely increasingly on digital technologies to optimize operations, they become v [...]
Adobe disclosed a bug submitted by renzi: https://hackerone.com/reports/1842800 [...]
Wallarm introduced its ongoing Open Source API Firewall project to the world at the recently concluded Blackhat Asia 2024 conference in Singapore. The open-source API Firewall by Wallarm is a free, lightweight API Firewall designed to protect REST and GraphQL API endpoints across cloud-native environments using API schema validation. By relying on a positive security model, our API Firewall only a [...]
Sheer disclosed a bug submitted by tuannq_gg: https://hackerone.com/reports/2337938 - Bounty: $200 [...]
Hyperledger disclosed a bug submitted by adnanthekhan: https://hackerone.com/reports/2410111 - Bounty: $2000 [...]