Security News

'We're finding bugs way faster than we can fix them': Google sponsors 2 full-time devs to improve Linux security
2021-02-24 16:01

Worried about the security of Linux and open-source code, Google is sponsoring a pair of full-time developers to work on the kernel's security. Both are already working at the Linux Foundation, so what is new? "Gustavo's been working on the Linux kernel at the Linux Foundation for several years now," Lorenc tells us.

Android devs: If you're using the Google Play Core Library, update it against this remote file inclusion CVE. Pronto
2020-12-03 15:01

Infosec bods from Check Point have discovered that popular apps are still running outdated versions of Google's Play Core library for Android - versions that contained a remote file inclusion vulnerability. They found that the Play Core Library, an in-app update and streamlining feature offered to Android devs, could be abused to "add executable modules to any apps using the library".

Google forces devs to reveal Chrome extensions’ data use, privacy practices
2020-11-19 10:38

Starting January 2021, developers of Chrome extensions will have to certify their data use and privacy practices and provide information about the data collected by the extension(s), "in clear and easy to understand language," in the extension's detail page in the Chrome Web Store. "You'll need to provide information about your app's privacy practices, including the practices of third-party partners whose code you integrate into your app, in App Store Connect," Apple told app developers.

None of our apps (except those 3) could secretly slurp Facebook user details, devs rage to High Court of England and Wales
2020-11-03 17:20

Mobile app developers accused by Facebook of deploying "malicious" SDKs to scrape users' data from the social network have hit back, telling London's High Court that nearly all their apps were "not capable" of harvesting data from Facebook itself. Haltas has now hit back, claiming that all but three of his apps couldn't possibly scrape data from Facebook because they didn't use the Login with Facebook feature.

China reveals audit of 320,000 local apps, with 34 booted from app stores and hundreds of devs warned they could suffer same fate
2020-10-23 04:27

Through most of 2020, bans on Chinese apps have meant geopolitical strife, but China yesterday revealed it has started banning some of its own apps. A ban on 34 apps was among the nuggets of news revealed, with their banishment from local app stores the result of a departmental trawl of 320,000 apps offered in local download-marts.

Old and busted: Targeting servers and web bugs. New hotness: Pwning devs with targeted poisoned stacks
2020-09-04 11:15

Speaking at the 2020 Disclosure conference, Jones outlined how the trust many developers put in their software stacks and shared code, paired with a disturbing lack of online savvy, can make them easy pickings for hackers. "Systems are generally hardened - they have patches, they have firewalls, they have monitoring," Jones explained, "but [some] developers will run literally any bullshit they find on Stack Overflow. They keep credentials lying about, they're obviously going to have the source code and some production data sitting on their hardware as well."

Microsoft Announces New Security Features for Devs, Customers
2020-05-21 08:41

At this week's Build virtual event, Microsoft announced new Identity and Azure features meant to improve security for both application developers and enterprise customers. This week, Microsoft announced two new additions to Azure Security Center: the availability of Azure Secure Score API to customers, and the public availability of suppression rules for Azure Security Center alerts, which are meant to reduce alert fatigue.

OpenBSD devs patch authentication bypass bug
2019-12-06 11:31

One of the internet's most popular free operating systems allowed attackers to bypass its authentication controls.

Facebook confesses 100 devs may have accessed leaked Groups data
2019-11-07 12:48

It shut down that access in April 2018, or at least thought it did. At least 11 improperly accessed data in the last two months.

Chrome devs tell world that DNS over HTTPS won't open the floodgates of hell
2019-10-29 18:02

Well, their version of it won't, they claim. Chrome devs have had a little rant about "misinformation", repeating that DNS-over-HTTPS (DoH) won't yet be introduced by default in upcoming builds of...