How a glitch in the Matrix led to apps potentially exposing encrypted chats
2021-09-13 20:22

The Matrix.org Foundation, which oversees the Matrix decentralized communication protocol, said on Monday multiple Matrix clients and libraries contain a vulnerability that can potentially be abused to expose encrypted messages. The organization said a blunder in an implementation of the Matrix key sharing scheme - designed to allow a user's newly logged-in device to obtain the keys to decrypt old messages - led to the creation of client code that fails to adequately verify device identity.

Apple fixes iOS zero-day used to deploy NSO iPhone spyware
2021-09-13 19:10

Apple has released security updates to fix two zero-day vulnerabilities that have been exploited in the wild to attack iPhones and Macs. CVE-2021-30860 is an integer overflow bug in CoreGraphics, discovered by Citizen Lab, that allows threat actors to create malicious PDF documents that execute commands when opened on iOS and macOS. CVE-2021-30858 is a WebKit use-after-free vulnerability that allows attackers to create maliciously crafted web pages that execute commands when visited on iPhones and macOS. Apple states that this vulnerability was disclosed anonymously.

Serious Security: How to make sure you don’t miss bug reports!
2021-09-13 18:59

Lots of companies these days either run bug bounties or hire an outside company to look after bug submissions, which shows that they are genuinely interested in knowing about security vulnerabilities in their products or services. Even researchers who do this sort of thing for a living need to know the right place to start, and having a standardised storage place for contact details makes bug reporting easier for everyone.

REvil’s Back; Coder Fat-Fingered Away Its Decryptor Key
2021-09-13 18:59

The REvil ransomware gang's tentacles shot out yet again last week, with the gang's servers back online, a fresh victim listed on its site, ransomware payments back up and flowing, and an explanation of why it took a two-month hiatus. As reported, REvil posted twice on the Exploit underground forum on Friday, Sept. 10, to clarify what happened during the Kaseya-related key generation process and how a coder fat-fingered the generation and leaking of the universal key.

WhatsApp’s End-to-End Encryption Isn’t Actually Broken
2021-09-13 18:41

End-to-end encryption isn't designed to secure messages against the intended recipients. New revelations about WhatsApp's moderator access to messages last week might seem like they run counter to the company's privacy-forward brand, but a closer look shows the messaging service's privacy protections remain in place and are operating as intended.

Honing Cybersecurity Strategy When Everyone’s a Target for Ransomware
2021-09-13 18:17

In today's world, essentially everyone is a potential target for ransomware - and that means security pros have their work cut out for them. Social-engineering schemes such as phishing attacks continue to be one of the most common vectors for ransomware and other cybersecurity attacks.

WooCommerce Multi Currency Bug Allows Shoppers to Change eCommerce Pricing
2021-09-13 18:08

A security vulnerability in the WooCommerce Multi Currency plugin could allow any customer to change the pricing for products in online stores. WooCommerce is a popular eCommerce plugin for WordPress-powered websites. The Multi Currency plugin allows e-tailers to set pricing for international shoppers: it automatically detects a customer's geolocation and displays pricing in that country's currency, with the exchange rate set either manually or automatically from current exchange rates.

How to utilize openssl in Linux to check SSL certificate details
2021-09-13 18:04

Learn tips on how you can use the Linux openssl command to find critical certificate details. It's important to not only keep an eye on upcoming SSL certificate expirations but to completely verify the success of renewing/replacing these certificates.

IoT device attacks double in the first half of 2021, and remote work may shoulder some of the blame
2021-09-13 16:31

The smart home could be ripe for IoT device attacks as cybercriminals rake in record ransomware payments. Remote work may be responsible for the increase in attacks, Kaspersky says.

FTC warns of extortionists targeting LGBTQ+ community on dating apps
2021-09-13 16:08

The US Federal Trade Commission warns of extortion scammers targeting the LGBTQ+ community via online dating apps such as Grindr and Feeld. As the FTC revealed, the fraudsters would pose as potential romantic partners on LGBTQ+ dating apps, sending explicit photos and asking their targets to reciprocate.