Security News
Researchers at browser identification company FingerprintJS recently found and disclosed a fascinating data leakage bug in Apple's web browser software. At first telling, the bug sounds both undramatic and unimportant: although it allows private data to leak between separate browser tabs that contain content from unrelated websites, the amount of data that leaks is minuscule.
While traditional application security controls remain necessary, they are not quite up to the API security challenge. There are certain basic API security practices organizations can implement to create a more resilient API security posture.
Gaming giant SEGA Europe recently discovered that its sensitive data was being stored in an unsecured Amazon Web Services S3 bucket during a cloud-security audit, and it's sharing the story to inspire other organizations to double-check their own systems. The laundry list of SEGA's potentially exposed data is nauseating: API keys, internal messaging systems, cloud systems, user data and more.
The attack technique is script-based and dubbed "Autom", because it exploits the file "Autom.sh". Attackers have consistently abused the API misconfiguration during the campaign's active period; however, the evasion tactics have varied, allowing adversaries to fly under the radar, Aquasec's research arm Team Nautilus wrote in a report published Wednesday.
Web app attacks against UK businesses have increased by 251% since October 2019, putting both organizations and consumers at risk, Imperva research reveals. In a study of nearly 4.7 million web application-related cyber security incidents, Imperva Research Labs finds that attacks are increasing, on average, by 22% each quarter.
Protecting mobile applications and APIs against automated threats is a top priority for online commerce businesses, according to data from a study published by DataDome. Two-thirds of respondents report that focusing on mobile application and API protection is a key priority for the next 12 months.
A suspected Iranian state-supported threat actor is deploying a newly discovered backdoor named 'Aclip' that abuses the Slack API for covert communications. Slack is an ideal platform for concealing malicious communications as the data can blend well with regular business traffic due to its widespread deployment in the enterprise.
You don't have to log into the network to use the phone; it happens in the background via the SIM. Moreover, the mobile subscriber identity is one of the most widely used forms of digital identity. Firstly, it merely proves the user has access to a phone number, potentially through social engineering, not possession of a physical security token or device.
Jason Kent, hacker-in-residence at Cequence, found a way to exploit a Toyota API to get around the hassle of car shopping in the age of supply-chain woes. First, some background: Many outlets have widely reported that manufacturers are putting 99 percent of a vehicle together, parking it in a lot somewhere and assuming the missing parts, like computer chips, will be available soon and they'll be able to make the engines run so the vehicles can be sold.
Cisco's Vijoy Pandey has tools and tips to help businesses get visibility into their APIs. APIs are responsible for taking some of the most valuable data that an organization uses and sending that data, when requested, to another application using the API to decode that data in a way the app can understand and return to its user.