Security News

Cybercriminals are constantly exploring and documenting new ways to go around the 3D Secure protocol used for authorizing online card transactions. 3DS adds a layer of security for online purchases using credit or debit cards.

Germany-based cybersecurity company Genua has fast-tracked a fix for a critical flaw in one of its firewall products. Affected by the critical flaws is the GenuGate High Resistance Firewall, which Genua touts as a two-tier firewall that includes an application-level gateway and a packet filter for blocking malicious data.

Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information. Amazon Alexa allows third-party developers to create additional functionality for devices such as Echo smart speakers by configuring "Skills" that run on top of the voice assistant, thereby making it easy for users to initiate a conversation with the skill and complete a specific task.

An Amazon spokesperson told Threatpost that the company conducts security reviews as part of skill certification, and has systems in place to continually monitor live skills for potentially malicious behavior. Finally, before the skills can be actively made public to Alexa users, developers must submit their skills to be vetted and verified by Amazon.

In early November, a developer contributing to Google's open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser's Blink rendering engine: it can be used to break a memory defense known as address space layout randomization. About two weeks later, Google software security engineer Chris Palmer marked the bug "WontFix" because Google has resigned itself to the fact that ASLR can't be saved - Spectre and Spectre-like processor-level flaws can defeat it anyway, whether or not Oilpan can be exploited.

A critical vulnerability in Cisco Systems' intersite policy manager software could allow a remote attacker to bypass authentication. The flaw stems from improper token validation on an API endpoint in Cisco's ACI MSO. "A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller devices," said Cisco on Wednesday.

Cisco has addressed a maximum severity authentication bypass vulnerability found in the API endpoint of the Cisco ACI Multi-Site Orchestrator installed on the Application Services Engine. "A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device," Cisco explained.

As browser-makers move to defang third-party cookies, marketers are increasingly switching to alternative tracking techniques. In 2019, Firefox was equipped with Enhanced Tracking Protection by default, blocking known trackers, third-party tracking cookies and cryptomining scripts.

Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victim's Mastercard contactless card while believing it to be a Visa card. The research, published by a group of academics from ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, permitting bad actors to leverage a victim's stolen or lost Visa EMV-enabled credit card for making high-value purchases without knowledge of the card's PIN, and even fool the terminal into accepting unauthentic offline card transactions.

Attackers are abusing Google's Apps Script business application development platform to steal credit card information submitted by customers of e-commerce websites while shopping online. They take advantage of the fact that online stores would consider Google's Apps Script domain as trusted and potentially whitelisting all Google subdomains in their sites' CSP configuration.