Security News

Google shares Spectre PoC targeting browser JavaScript engines
2021-03-12 19:30

Google has published JavaScript proof-of-concept code to demonstrate the practicality of using Spectre exploits targeting web browsers to access information from a browser's memory. According to the Google Security Team, the PoC shared today works across a wide range of processor architectures, operating systems, and hardware generations.

New Browser Attack Allows Tracking Users Online With JavaScript Disabled
2021-03-12 18:53

Researchers have discovered a new side-channel that they say can be reliably exploited to leak information from web browsers that could then be leveraged to track users even when JavaScript is completely disabled. In avoiding JavaScript, the side-channel attacks are also architecturally agnostic, resulting in microarchitectural website fingerprinting attacks that work across hardware platforms, including Intel Core, AMD Ryzen, Samsung Exynos 2100, and Apple M1 CPUs - making it the first known side-channel attack on the iPhone maker's new ARM-based chipsets.

'Earth Wendigo' Hackers Exfiltrate Emails Through JavaScript Backdoor
2021-01-06 20:44

A newly identified malware attack campaign has been exfiltrating emails from targeted organizations using a JavaScript backdoor injected into a webmail system widely used in Taiwan. As an initial attack vector, the group used spear-phishing emails containing obfuscated JavaScript code meant to load malicious scripts from an attacker-controlled remote server.

Google Chrome to block JavaScript redirects on web page URL clicks
2020-11-09 14:37

Google Chrome is getting a new feature that increases security when clicking on web page links that open URLs in a new window or tab. This attribute has a known security issue that allows the newly opened page to utilize javascript to redirect the original page to a different URL. This redirected URL can be anything the threat actor wants, including phishing pages or pages that automatically download malicious files.

JavaScript-based address bar spoofing vulns patched in Safari, Yandex, Opera
2020-10-24 07:14

Rapid7 found Apple's Safari browser, as well as the Opera Mini and Yandex browsers, were vulnerable to JavaScript-based address bar spoofing. He went on to explain: "By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website."

And you thought Fuzzilli was a pasta... Google offers up $50k in cloud credits to fuzz the hell out of JavaScript engines
2020-10-02 22:50

Google is offering bug hunters thousands of dollars worth of compute time on its cloud to hammer away at JavaScript engines and uncover new security flaws in the software. The Mountain View ads giant said it will hand folks each up to $5,000 in Google Compute Engine credits to conduct fuzzing tests on JS interpreters, earmarking $50,000 total for the program.

Critical Adobe Flaws Allow Attackers to Run JavaScript in Browsers
2020-09-08 16:52

The cross-site scripting flaws could allow attackers to execute JavaScript in targets' browsers. Including Adobe Experience Manager, Adobe fixed 18 flaws as part of its regularly scheduled September updates.

Visa Issues Alert for 'Baka' JavaScript Skimmer
2020-09-07 08:54

A JavaScript skimmer identified earlier this year uses dynamic loading to avoid detection by static malware scanners, Visa warns. The skimmer is basic, containing the expected components and functionality of such a kit, namely an administration panel, an exfiltration gateway, and a skimming script generator, but has an advanced design, suggesting that it is the work of a skilled developer, Visa notes in a security alert.

Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK for customers
2020-07-21 23:10

Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "Non-malicious" code that appeared designed primarily to track whether or not the modification worked.

Twilio: Someone broke into our unsecured AWS S3 silo, added 'non-malicious' code to our JavaScript SDK
2020-07-21 23:10

Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "Non-malicious" code that appeared designed primarily to track whether or not the modification worked.