Security News
Google Chrome is getting a new feature that increases security when clicking on web page links that open URLs in a new window or tab. This attribute has a known security issue that allows the newly opened page to utilize javascript to redirect the original page to a different URL. This redirected URL can be anything the threat actor wants, including phishing pages or pages that automatically download malicious files.
Rapid7 found Apple's Safari browser, as well as the Opera Mini and Yandex browsers, were vulnerable to JavaScript-based address bar spoofing. He went on to explain: "By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website."
Google is offering bug hunters thousands of dollars worth of compute time on its cloud to hammer away at JavaScript engines and uncover new security flaws in the software. The Mountain View ads giant said it will hand folks each up to $5,000 in Google Compute Engine credits to conduct fuzzing tests on JS interpreters, earmarking $50,000 total for the program.
The cross-site scripting flaws could allow attackers to execute JavaScript in targets' browsers. Including Adobe Experience Manager, Adobe fixed 18 flaws as part of its regularly scheduled September updates.
A JavaScript skimmer identified earlier this year uses dynamic loading to avoid detection by static malware scanners, Visa warns. The skimmer is basic, containing the expected components and functionality of such a kit, namely an administration panel, an exfiltration gateway, and a skimming script generator, but has an advanced design, suggesting that it is the work of a skilled developer, Visa notes in a security alert.
Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "Non-malicious" code that appeared designed primarily to track whether or not the modification worked.
Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "Non-malicious" code that appeared designed primarily to track whether or not the modification worked.
A popular WordPress search engine optimisation plugin with around two million installs could have been abused to hijack a target website, according to a threat intel firm. "This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel's 'all posts' page," said WordPress-focused infosec biz Wordfence in a blog post about the vuln in the All in One SEO Pack plugin.
A report released Tuesday by security provider Tala Security maintains that most major websites are ill-equipped to combat the flaws in JavaScript, thus putting their customer and user data at risk. For its "2020 Global Data at Risk State of the Web Report," Tala analyzed the security defenses of the top 1,000 websites as ranked by Alexa.
Barclays Bank appears to have been using no less than the Internet Archive's Wayback Machine as a "Content distribution network" to serve up a Javascript file. Archive.org went down, it would presumably break Barclays' website as well.