
Showing posts from November 24, 2019

Database with 1.2 billion people's data leaked online without a password

The database was available for anyone to access without a password. On October 16, 2019, a team of two dark web researchers, Bob Diachenko and Vinny Troia, discovered a database containing a massive trove of personal records on more than 1.2 billion people. While they were looking for exposures through BinaryEdge and Shodan, they stumbled upon a server whose IP address could be traced to Google Cloud Services. In total, the database held over 4 terabytes of data sitting in plain sight for public access. The data was found on an exposed Elasticsearch server; the good news is that the records did not contain login credentials, social security numbers or payment card details. The details shared by the researchers indicate that the data was scraped from social media platforms including Twitter, Facebook, LinkedIn and GitHub, a Git repository hosting service. Additionally, it contains approximately 50 million phone numbers and 622 million

A Critical Vulnerability in Docker Allows Hackers To Take Complete Control Over Host & All Containers Within It

Researchers discovered a critical vulnerability in Docker that allows an attacker to take complete control of the host and the containers associated with it. The vulnerability resides in the copy command (cp) used in container platforms such as Docker, Podman, and Kubernetes. This command copies files and folders between a container and the local file system. The command is used as follows:
docker cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-
docker cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH
Docker Copy Command Vulnerability
According to the researchers, this is the first Docker cp command vulnerability that leads to a full container escape since the runC vulnerability identified in February. It can be exploited by an attacker if Docker has already been compromised through a previous vulnerability, or if the user runs a malicious container image from an untrusted source. “If the user then executes the vulnerable cp command to copy files out

Earn up to a $1.5 Million Bounty by Hacking into Google's Titan M Chip

With its latest announcement to increase bug bounty rewards for finding and reporting critical vulnerabilities in the Android operating system, Google yesterday set up a new challenge level for hackers that could let them win a bounty of up to $1.5 million. Starting today, Google will pay $1 million for a "full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices," the tech giant said in a blog post published on Thursday. Moreover, if someone manages to achieve the same in the developer preview versions of Android, Google will pay an additional $500,000, bringing the total to $1.5 million, 7.5 times more than the previous top Android reward. Introduced with the Pixel 3 smartphones last year, Google's Titan M secure element is a dedicated security chip that sits alongside the main processor, designed primarily to protect devices against boot-time attacks. In other words, Titan M c

OnePlus Suffers New Data Breach Impacting Its Online Store Customers

Chinese smartphone maker OnePlus has suffered a new data breach exposing personal and order information of an undisclosed number of its customers, likely as a result of a vulnerability in its online store website. The breach came to light after OnePlus started informing affected customers via email and published a brief FAQ page disclosing information about the security incident. According to OnePlus, the company discovered the breach just last week, after an unauthorized party accessed order information of its customers, including their names, contact numbers, emails, and shipping addresses. "Last week while monitoring our systems, our security team discovered that some of our users' order information was accessed by an unauthorized party," the company said. OnePlus also stated that not all customers were affected and that the attackers were not able to access any payment information, passwords, or associated accounts. "Impacted users may receive spam an

Dozens of Severe Flaws Found in 4 Popular Open Source VNC Software

Four popular open-source VNC remote desktop applications have been found vulnerable to a total of 37 security vulnerabilities, many of which went unnoticed for the last 20 years, and the most severe of which could allow remote attackers to compromise a targeted system. VNC (Virtual Network Computing) is an open-source graphical desktop sharing protocol based on RFB (Remote FrameBuffer) that allows users to remotely control another computer, similar to Microsoft's RDP service. A VNC system consists of a "server component," which runs on the computer sharing its desktop, and a "client component," which runs on the computer that will access the shared desktop. In other words, VNC allows you to use your mouse and keyboard to work on a remote computer as if you were sitting in front of it. There are numerous VNC applications, both free and commercial, compatible with widely used operating systems such as Linux, macOS, Windows, and Android. Considering that t