Bug-hunters have told how they uncovered a significant security flaw that affected the likes of Tinder, Yelp, Shopify, and Western Union – and potentially hundreds of millions of folks using these sites and apps. The software sniffers said they first came across the exploitable programming blunder while digging into webpage …

WhatsApp has patched a vulnerability it its smartphone code that could have been exploited by miscreants to crash victims' chat app simply by placing a call. Google Project Zero whizkid and Tamagotchi whisperer Natalie Silvanovich discovered and reported the flaw, a memory heap overflow issue, directly to WhatsApp in August. …

Miscreants can potentially gain admin-level control over Western Digital's My Cloud gear via an HTTP request over the network or internet. Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass …

An infosec bod has documented a remote-code execution flaw in Alpine Linux, a distro that pops up a lot in Docker containers. Max Justicz, researcher and creator of crowd-sourced bug bounty system Bountygraph, said on Thursday that the vulnerability could be exploited by someone with man-in-the-middle (MITM) network access, or …

A privilege escalation flaw in McAfee's True Key software remains open to exploitation despite multiple attempts to patch it. This according to researchers with security shop Exodus Intel, who claim that CVE-2018-6661 was not fully addressed with either of the two patches McAfee released for it. The flaw is an elevation of …

A bunch of new bug bounty rewards are up for grabs from the Zero Day Initiative, in a first-come, best-dressed program kicking off on August 1. The Trend Micro-backed operation announced on July 24 what it called the Targeted Incentive Program (TIP). Besides the mention of Microsoft Windows Server 2016, the TIP focuses paying …

Cisco has emitted 25 product security advisories – with four critical bugs flattened in its service provider-oriented Cisco Policy Suite. The suite’s Policy Builder toolkit can be exploited by an unauthenticated remote attacker to gain access to its policy interface, due to an authentication bug (CVE-2018-0376). The switch …

Huawei has rolled patches to various enterprise and broadcast products to fix a cryptography bug. In late 2017 (inferred from the bug's Common Vulnerabilities and Exposures entry, CVE-2017-17174, which was reserved in December), the company discovered some products had an insecure encryption algorithm. The flaw could allow a …

Get your ticket to the Cisco catwalk, sysadmins, and watch Switchzilla strut 24 FXOS and NX-OS software security advisories. Five advisories in the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection are dressed in a luscious, Critical-rated red, while the remaining 19 merely hit the High. Four of the …

Video Booby-trapped archive files can exploit vulnerabilities in a swath of software to overwrite documents and data elsewhere on a computer's file system – and potentially execute malicious code. Specifically, the flaws, dubbed "Zip Slip" by its discoverers at security outfit Snyk, are path traversals that can potentially be …

Pre-boot software on Macs is often outdated, leaving Apple fans at a greater risk of malware attack as a result, according to new research. An analysis of 73,000 Apple Macs by Duo Security found that users are unknowingly exposed to sophisticated malware-based attacks because of outdated firmware. On average, 4.2 per cent of …

Security vulnerabilities across the finance sector have increased more than fivefold (418 per cent) in the last four years, according to a study by NCC Group. The most common high and medium-risk vulnerabilities were found in customer-facing web apps. NCC categorised vulnerabilities found in 168 financial services …

A Dutch researcher says he found a way to cause mischief on power grids by exploiting software bugs in solar power systems. Specifically, Willem Westerhof, a cybersecurity researcher at ITsec, said he uncovered worrying flaws within power inverters – the electrical gear turns direct current from solar panels into alternating …

WordPress has patched a series of vulnerabilities in its content management system shuttering bugs affecting more than 10 million users. The release of version 4.7.1 closes eight vulnerabilities including cross-site scripting, cross-site request forgery, and other remotely-acessible attack vectors. "This is a security release …

It is open season on open services as net scum migrate from sacking MongoDB databases to insecure ElasticSearch instances. Some 35,000 mostly Amazon Web Services ElasticSearch servers are open to the internet and to ransoming criminals, Shodan boss John Matherly says. So far more than 360 instances have had data copied and …

Authors of the Sundown exploit kit have integrated a since patched and limited Microsoft Edge vulnerability from a security firm's public proof-of-concept. The addition of the twin bugs (CVE-2016-7200 and CVE-2016-7201) means unpactched users of one of the world's most unpopular web browsers are likely to be targeted by a wide …

Remote attackers can hose EMC hybrid flash storage thanks to cryptographic weaknesses. The patched vulnerability (CVE-2016-0917) affects EMC's VNX1, VNX2 and VNXe systems, including the end-of-life Celerra which will not receive a fix. EMC researchers wrote in a security notice that remote attackers could access the SMB …

Netgear has broken ranks from the consumer router security shame factory to offer a bug bounty sporting extra rewards for chained exploits. Hoping to shake the SOHOpeless tag, the vendor will hand out up to US$15,000 for hackers reporting global remote unauthorised access from the internet to Netgear devices, and unauthorised …