Security News

A cybersecurity enthusiast learned recently that Airbnb accounts can be easily hijacked by creating a new account on the home-rental service with a phone number that in the past belonged to another Airbnb customer. A SecurityWeek reader named Maya contacted us recently after her husband was accidentally signed into another user's account when trying to create an Airbnb account.

Which cybersecurity failures cost companies the most and which defenses have the highest ROI?Massachusetts Institute of Technology scientists have created a cryptographic platform that allows companies to securely share data on cyber attacks they suffered and the monetary cost of their cybersecurity failures without worrying about revealing sensitive information to their competitors or damaging their own reputation. Essential features of security automation for the AWS platformA common security problem in AWS is an open S3 storage bucket where data is publicly readable on the Internet.

In June 2020, the Japanese cryptocurrency exchange Coincheck reported that hackers gained access to its domain registrar provider and hijacked its coincheck.com domain name. The two incidents illustrate the growing threat of Domain Name System hijacking.

The latest variant of this trojan extracts email threads from Outlook, which it uses for phishing attacks, says Check Point Research. A new phishing campaign analyzed by threat intelligence provider Check Point reveals how the old Qbot trojan has been repurposed to phish people by capturing their email threads.

Microsoft on Tuesday patched a wormable hole in its Windows Server software that can be exploited remotely to completely commandeer the machine without any authorization. Some 18 of those CVE-listed security flaws are considered critical, meaning remote code execution is possible without user interaction.

Google has released a patch for CVE-2020-0096, a critical escalation of privilege vulnerability in Android that allows attackers to hijack apps on the victim's device and steal data. Dubbed StrandHogg 2.0 because its similar to the StrandHogg vulnerability exploited by hackers in late 2019, it affects all but the latest version of Android.

A critical privilege-escalation vulnerability affecting Android devices has been found that allows attackers to hijack any app on an infected phone - potentially exposing private SMS messages and photos, login credentials, GPS movements, phone conversations and more. The bug is dubbed the "StrandHogg 2.0" vulnerability by the Promon researchers who found it, due to its similarity to the original StrandHogg bug discovered last year.

Security researcher Vinoth Kumar says Facebook awarded him $20,000 after he discovered and reported a Document Object Model-based cross-site scripting vulnerability that could have been exploited to hijack accounts. The researcher says he discovered the vulnerability in the window.

Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies. "Essentially, the extensions are phishing for secrets - mnemonic phrases, private keys, and keystore files," explained Harry Denley, director of security at MyCrypto.

The attackers are changing DNS settings on Linksys routers to redirect users to a malicious website promising an informative COVID-19 app, says security provider BitDefender. Phony coronavirus maps are being created with malware as the payload. And as more people work from home, a new type of attack is targeting home routers to spread a malicious coronavirus-themed app, according to a blog post published Wednesday by BitDefender.