Security related links
- 2024 Open Source Security Report: Slowing Progress and New Challenges for DevSecOps - 145
- Advent of Cyber 2024 - 145
- From deals to DDoS: exploring Cyber Week 2024 Internet trends - 145
- Cloudflareâs developer domains increasingly abused by threat actors - 145
- Getting software control of the webcam LED on ThinkPad X230 without physical access to the laptop - 145
- Hacking Kia: Remotely Controlling Cars With Just a License Plate - 138
- Hacking cars in JavaScript (Running replay attacks in the browser with the HackRF) - 138
- How to prevent log injection vulnerability in JavaScript and Node.js applications - 138
- Delivery Robot Knocked Over Pedestrian, Company Offered âPromo Codesâ to Apologize - 138
- We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI - 138
- Year-Long Campaign of Malicious npm Packages Targeting Roblox Users - 138
- Sextortion Scams Now Include Photos of Your Home - 138
- Sextortion Scammers Try to Scare People by Sending Photos of Their Homes - 138
- Police officers are starting to use AI chatbots to write crime reports. Will they hold up in court? - 138
- Prompt Injections and a demo - 138
- Hacking misconfigured AWS S3 buckets: A complete guide - 138
- Passwords have problems, but passkeys have more - 138
- Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples - 138
- CrowdStrike Releases Root Cause Analysis of Falcon Sensor BSOD Crash - 128
- Our audit of Homebrew - 128
- The Six Dumbest Ideas in Computer Security - 125
- Password Breaking A to Z - 125
- regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server - 123
- 3 million iOS and macOS apps were exposed to potent supply-chain attacks - 123
- What happens when you refuse cookies? - 123
- Apple AirPods vulnerability - 123
- Thousands of servers could be at risk due to major OpenSSH security flaw - 123
- More Fun With The Known Exploited Vulnerabilities Catalog
- Windows AI feature that screenshots everything labeled a security âdisasterâ
- Google Contractor Used Admin Access to Leak Info From Private Nintendo YouTube Video
- Server-side request forgery (SSRF)
- Credentials Leaking with Subdomain Takeover
- An interview with the most prolific jailbreaker of ChatGPT and other leading LLMs
- How a Profane Joke on Twitter Spawned a Legal Army
- How malware authors play with the LNK file format
- String comparison timing attacks
- Cybercriminals Abuse Stack Overflow to Promote Malicious Python Package
- 10 years of the GitHub Security Bug Bounty program - 121
- AI Helps Catch CSRF Vulnerability Being Introduced in to 100,000+ Install WordPress Plugin Modula - 121
- Visual Studio Code extensions are much less secure than browser extensions or even npm packages - 121
- Disgruntled ex-employee costs company over $600,000 after he deletes all 180 of its test servers â found server deletion scripts on Google - 121
- Reverse Engineering a Restaurant Pager system đ˝ď¸ - 121
- Verification, sanitization, and type coercion for environment variables in Node.js and web applications. Supports TypeScript!
- Almost all citizens of city of Eindhoven have their personal data exposed
- Critical GitHub Enterprise Server Flaw Allows Authentication Bypass
- Microsoft outage took down Copilot, DuckDuckGo, and ChatGPT search features
- Two Santa Cruz students uncover security bug that could let millions do their laundry for free
- Relative Path File Injection: The Next Evolution in RPO
- âUnprecedentedâ Google Cloud event wipes out customer account and its backups
- Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach
- Time to stop using relative paths in src and href⌠Relative Path File Injection: The Next Evolution in RPO
- Never, Ever, Ever Use Pixelation for Redacting Text
- New Anthropic Research Sheds Light on AIâs âBlack Boxâ
- Why Your Wi-Fi Router Doubles as an Apple AirTag
- How I upgraded my water heater and discovered how bad smart home security can be
- Privacy principles: search, learning and artificial intelligence
- American Radio Relay League cyberattack takes Logbook of the World offline
- Fatigue and shortages: cyber teams intentionally underreporting breaches
- New WiFi Vulnerability: The SSID Confusion Attack
- URLhaus - malicious URLs used for malware distribution.
- Hacking more than 130 000 car worldwide in 5 minutes
- Exploits and vulnerabilities in Q1 2024
- Protecting your email address via SVG instead of JS
- Dell warns of data breach, 49 million customers allegedly affected
- Threat Modeling for Developers
- Proton Mail Discloses User Data Leading to Arrest in Spain
- Threat actor says he scraped 49M Dell customer addresses before the company found out
- Google just patched the fifth zero-day exploit for Chrome this year
- AI systems are already skilled at deceiving and manipulating humans, study shows
- UK confirms Ministry of Defence payroll data exposed in data breach
- An Update on How Cybercriminals Are Using GenAI
- An Open Database Leaked Submissions to Utahâs Transphobic âBathroom Billâ Snitch Form
- Bank scammers using genuine push notifications to trick their victims
- Securing client-side JavaScript
- Why Your VPN May Not Be As Secure As It Claims
- Hackers try to exploit WordPress plugin vulnerability thatâs as severe as it gets
- This repository centralizes and summarizes practical and proposed defenses against prompt injection
- Deno: Digging Tunnels out of a JS Sandbox
- Vulnerabilities for AI and ML Applications are Skyrocketing
- Hacker Chat
- Itâs Not You. Those âI Am Not a Robotâ Tests Are Getting Harder
- Snyk Codeâs autofixing feature, DeepCode AI Fix, just got better
- What is server-side template injection?
- How Antithesis finds bugs (with help from the Super Mario Bros.
- The dangers of single line regular expressions
- The Windows Registry Adventure #1: Introduction and research results
- OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt
- DDoS threat report for 2024 Q1
- Open sourcerers say suspected xz-style attacks continue to target maintainers
- My Cat Alerted Me to a DDoS Attack
- Browser Security Bugs that Arenât: JavaScript in PDF
- Surveillance through Push Notifications
- These Video Doorbells Have Terrible Security. Amazon Sells Them Anyway
- Image Video injection attacks
- List of 2024 Leap Day Bugs
- Millions of Malicious âImagelessâ Containers Planted on Docker Hub Over 5 Years
- Visualizing malicious IP addresses.
- Logitechâs Mouse Software Now Includes ChatGPT Support, Adds Janky âai_overlay_tmpâ Directory to Usersâ Home Folders
- Supply chain attacks and the many different ways Iâve backdoored your dependencies
- How to delete the data Google has on you - 114
- Assessing the Y, and How, of the XZ Utils incident - 114
- How Long It Would Take A Hacker To Brute Force Your Password In 2024, Ranked - 114
- No, LLM Agents can not Autonomously Exploit One-day Vulnerabilities - 114
- Google defended the Play Store from 2.28 million malicious apps last year - 114
- LLM4Shell: Discovering and Exploiting RCE Vulnerabilities in Real-World LLM-Integrated Frameworks and Apps - 113
- Demystifying RCE Vulnerabilities in LLM-Integrated Apps - 113
- Linus Torvalds on Security, AI, Open Source and Trust - 113
- Stealing session ids with phpinfo() and how to stop it - 113
- Using Legitimate GitHub URLs for Malware - 113
- PuTTY SSH client flaw allows recovery of cryptographic private keys
- What we need to take away from the XZ Backdoor
- New Technique to Trick Developers Detected in an Open Source Supply Chain Attack
- FBI warns of massive wave of road toll SMS phishing attacks
- Roku says 576,000 user accounts hacked after second security incident
- My ovulation tracker suddenly asked what state I live in
- Automated Large-Scale Analysis of Cookie Notice Compliance
- Jigsaw takes a raw shellcode input and outputs randomized shellcode, a lookup table, and a C/C++ stub to translate the randomized shellcode back to a usable format.
- The UX of UUIDs
- Crypto: getRandomValues() method
- Thousands of LG TVs are vulnerable to takeoverâhereâs how to ensure yours isnât one
- Twitterâs Clumsy Pivot to X.com Is a Gift to Phishers
- Weekend maintenance kicks an Italian bank offline for days
- How I discovered a 9.8 critical security vulnerability in ZeroMQ with mostly pure luck and my two cents about xz backdoor
- Deobfuscating / Unminifying Obfuscated Web App Code
- Big Tech passkey implementations are a trap
- Capture the Flag 101 Workshop
- Create objects instead of strings
- New Windows driver blocks software from changing default web browser
- Security Vulnerability of HTML Emails
- Test every type of configuration scanner against a single repo thatâs comically insecure with documented issues
- Tuesday, April 9, 2024 Security Releases
- US State Department investigates alleged theft of government data - 111
- We Tested Kidsâ Smart Toys for Privacy. Hereâs How You Can, Too
- Efficient Security Principle (ESP)
- Bypassing USBguard On Linux
- Oracle warns that macOS 14.4 update breaks Java on Apple CPUs
- Misconfigured Firebase instances leaked 19 million plaintext passwords
- Unpatchable vulnerability in Apple chip leaks secret encryption keys
- Responding to a cyber incident â a guide for CEOs
- Hackers can unlock over 3 million hotel doors in seconds
- Hackers earn $1,132,500 for 29 zero-days at Pwn2Own Vancouver
- AutoSmuggle - A utility to quickly create your HTML smuggled files.
- HTML smuggling
- Timeline of the xz open source attack
- Everything I Know About the XZ Backdoor
- xzbot Exploration of the xz backdoor (CVE-2024-3094)
- The XZ Backdoor CVE-2024-3094
- Easy-to-use make-me-root exploit lands for recent Linux kernels. Get patching
- Backdoor Discovered in xz/liblzma Compression Library
- Linux could have been brought down by backdoor found in widely used utility
- Technologist vs spy: the xz backdoor debate
- How the backdoor was found
- Backdoor found in widely used Linux utility breaks encrypted SSH connections
- An Accidental Discovery of a Backdoor Likely Prevented Thousands of Infections
- The Xz Backdoor Highlights the Vulnerability of Open Source Softwareâand Its Strengths
- Germany warns of 17K vulnerable Microsoft Exchange servers exposed online - 109
- Free VPN apps on Google Play turned Android phones into proxies
- GitHub âbesiegedâ by malware repositories and repo confusion: Why youâll be ok
- Spoofed Zoom, Google & Skype Meetings Spread Corporate RATs
- Using form hijacking to bypass CSP
- Exploring the GitHub Advisory Database for fun and (no) profit
- Secure by Design: Googleâs Perspective on Memory Safety
- Microsoft says Russian hackers stole source code after spying on its executives
- How We Bypassed Safari 17âs Advanced Audio Fingerprinting Protection
- Secutils.dev is an open-source, versatile, yet simple security toolbox for engineers and researchers built by application security engineers.
- Ignore This Title and HackAPrompt: Exposing Systemic Vulnerabilities of LLMs through a Global Scale Prompt Hacking Competition
- Is client side security dead - or a crucial part of the future?
- The 2038 Problem
- Report Uncovers Massive Sale of Compromised ChatGPT Credentials
- Retired Army officer charged with sharing classified information about Ukraine on foreign dating site
- MiTM phishing attack can let attackers unlock and steal a Tesla
- Calendar Meeting Links Used to Spread Mac Malware
- GitHub enables push protection by default to stop secrets leak
- Top 10 web hacking techniques of 2023
- Preventing SQL injection attacks in Node.js
- After decades of memory-related software bugs, White House calls on industry to act
- OWASP AI Security Overview
- Personal Security Checklist -The ultimate list of tips to secure your digital life
- Awesome Pentest Cheat Sheets
- VamPI - example API contains all the security issues the OWASP warns about
- Fixing security vulnerabilities with AI A peek under the hood of GitHub Advanced Security code scanning autofix. - 105
- Microsoft releases its internal generative AI red teaming tool to the public PyRIT can generate thousands of malicious prompts to test a gen AI model, and even score its response. - 105
- Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen â Chinese and US researchers show new side channel can reproduce fingerprints to enable attacks - 105
- Open-Source Security Chip Released
- Wi-Fi jamming to knock out cameras suspected in nine Minnesota burglaries
- QR Codes - whatâs the real risk?
- ThievingFox is a collection of post-exploitation tools to gather credentials from various password managers and windows utilities. E
- Each Facebook User is Monitored by Thousands of Companies
- How to weaponize LLMs to auto-hijack websites
- U.S. Internet Leaked Years of Internal, Customer Emails
- Snyk & Atlassian: How to embed security in AI-assisted software development
- JavaScript Security Vulnerabilities Tutorial â With Code Examples
- Ransomware attack forces 100 Romanian hospitals to go offline
- Microsoft and OpenAI say hackers are using ChatGPT to improve cyberattacks
- New Wi-Fi Authentication Bypass Flaws Expose Home, Enterprise Networks
- Leaked Certificates (LoLCerts)
- North Korean Hackers Employ Generative AI for Cyberattacks
- New Linux glibc flaw lets attackers get root on major distros
- Mercedes-Benz Source Code at Risk: GitHub Token Mishap Sparks Major Security Concerns
- mastodon fixed a flaw that can allow the takeover of any account
- Cloudflare hacked using auth tokens stolen in Okta attack
- Ofcom report finds 1 in 5 harmful content search results were âone-click gatewaysâ to more toxicity
- Akira Ransomware Infiltrates UK-Based Lush
- Thousands of GitLab Instances Unpatched Against Critical Password Reset Bug
- Breaking Free from DRM: The Story of Hacking My Air Purifier
- NPM Malware
- Reversing and Tooling a Signed Request Hash in Obfuscated JavaScript
- Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
- What Is Nightshade?
Why Does It Work, and Limitations
- Founder of Neo-Nazi Group the Base Instructs Followers to Use âUncensoredâ AI
- Microsoft Closes Loophole That Created AI Porn of Taylor Swift
- Poisoning AI Models
- AI heralds the next generation of financial scams
Voice cloning is just one of the new tools in the trickstersâ armoury
- Social Engineering: Going On The Attack
- 27 Year Old Codebreaker Busted Myth Bitcoins Anonymity
- Troubling Tech Trends: The Dark Side of CES 2024
- Workshop: Identify, Trace, and Fix Endpoint Regression Issues
- Letâs inspect a phishing site - 102
- [The Face of Modern Conflict: What You Need to Know About Cyber Warfare]
- 9 Ways to Gain Experience in Cyber Security
- State of Ransomware 2024
- Understanding CORS - 101
- How to win at CORS - 101
- Critical Vulnerabilities Found in Open Source AI/ML Platforms - 100
- Saying goodbye to third-party cookies in 2024
- Front-end security best practices
- A List of Hacker Newsâs Undocumented Features and Behaviors
- A reliable method to prevent spam bots from completing input
- An open-source framework for conducting data poisoning attacks on recommendation systems, designed to assist researchers and practitioners.
- Android game devâs Google Drive misconfig highlights cloud security risks
- Attack of the week: Airdrop tracing
- Blind CSS Exfiltration: exfiltrate unknown web pages
- DBChaos - Stress-test your database with pre-defined queries. Validate slow and expensive queries that breaks your database
- Donât trust links with known domains: BMW affected by redirect vulnerability
- How 50% of telco Orange Spainâs traffic got hijacked â a weak password
- How I destroyed the companyâs DB And survived to talk about it
- Scaling vulnerability management across thousands of services and more than 150 million findings - Learn about how we run a scalable vulnerability management program built on top of GitHub.
- SEC Had a Fraught Cyber Record Before X Account Was Hacked
- Securing HTML fragments returned by API endpoints
- Stopping cyber attacks by using an Ad Blocker
- Raptor School Safety Software Breach Exposed 4 Million Records Including Highly Sensitive Data
- Web LLM attacks
- Preparing for a Security Engineering Interview
- Do Users Write More Insecure Code with AI Assistants?
- Asset inventory of over 800 public bug bounty programs - 99
- Ethical Hacking 101 Workshop - February 8 - 99
- GitLab warns of critical zero-click account hijacking vulnerability - 99
- Reports of GTA 5 source code leaked a year after Rockstar hack - 96
- Web injections: 40+ banks affected by new malware campaign - 96
- Malware posing as game cheats installs fake VPNs - 96
- Scapy - python-based interactive packet manipulation
- Breach Report Collection - 93
- 2023 AI code security report - 93
- ChatGPTâs training data can be exposed via a divergence attack 93
- File encryption in Python: An in-depth exploration of symmetric and asymmetric techniques
- Attack Techniques: Steganography â text/plain
- Your Smart TV Knows What Youâre Watching â The Markup
- MongoDB says customer data was exposed in a cyberattack
- New Microsoft Incident Response team guide shares best practices for security teams and leaders
- Unicode XSS via Combining Characters
- 15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack
- Code injection in Python: examples and prevention - Snyk
- Our prompt injection playground has gone open source!
- nexB/vulnerablecode: A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities.
- Hacktivists hacked a Irish water utility and interrupted water supply
- Security vs. Development: A game of priorities Snyk
- This tiny device is sending updated iPhones into a never-ending DoS loop Ars Technica
- Securing the Web forward: Addressing developer concerns in web security 2023 Blog W3C
- Defaulting on Single Page Applications (SPA)âzachleat.com
- How our whole team became undercover spies to learn about Prompt Injection Attacks
Show all 23 link categories
