Security News

Twitter Says Bug Leading to API Key Leak Patched
2020-09-28 08:52

Twitter last week started sending emails to developers to inform them of a vulnerability in its developer portal that might have resulted in the disclosure of developer information, including API keys. Designed to give developers using the Twitter platform and APIs access to documentation, community discussion, and other types of information, the portal also offers app and API key management functionality.

Microsoft claims to love open source – this alleged leak of Windows XP code is probably not what it had in mind, tho
2020-09-25 18:39

The source code for Windows XP and other elderly Microsoft operating systems appears to have leaked online as the mega-corp's Ignite developer shindig came to an end. The source of the alleged code leak is unclear; a torrent for the archive popped up on internet armpit 4chan and contains what appears to be Windows XP Service Pack 1, as well as some other past-their-sell-by-date flavours of Microsoft's greatest hits.

Microsoft leaks 6.5TB in Bing search data via unsecured Elastic server. *Insert 'Wow... that much?' joke here*
2020-09-23 13:51

Microsoft earlier this month exposed a 6.5TB Elastic server to the world that included search terms, location coordinates, device ID data, and a partial list of which URLs were visited. The data appears to be generated by the Bing mobile app, which promises users "Getting rewarded is easy, just search with the Bing," and has been downloaded at least 10 million times from Google's Play Store.

Unprotected Server Leaks Data of Microsoft Bing Mobile App Users
2020-09-22 17:53

WizCase experts have identified an unprotected Elasticsearch server that contained terabytes of data pertaining to users of Microsoft's Bing mobile application. White hat hacker Ata Hakcil, who identified the leak, was able to confirm that the Elasticsearch server belonged to Microsoft's Bing mobile app by installing the application and running a search for WizCase.

Unsecured Microsoft Bing Server Leaks Search Queries, Location Data
2020-09-21 20:07

An unsecured database has exposed sensitive data for users of Microsoft's Bing search engine mobile application - including their location coordinates, search terms in clear text and more. While no personal information, such as names, was exposed, researchers with Wizcase argued that enough data was available that it would be possible to link these search queries and locations to user identities - giving bad actors information ripe for blackmail attacks, phishing scams and more.

Cloud Leak Exposes 320M Dating-Site Records
2020-09-14 20:00

Users of 70 different adult dating and e-commerce websites have had their personal information exposed, thanks to a misconfigured, publicly accessible Elasticsearch cloud server. The data kept on the server was connected to a notification tool used by Mailfire's clients to market to their website users and, in the case of dating sites, notify website users of new messages from potential matches.

Razer Gaming Fans Caught Up in Data Leak
2020-09-10 20:50

Security consultant Bob Diachenko ran across a misconfigured Elasticsearch cloud cluster that exposed a segment of Razer's infrastructure to the public internet, for anyone to see. "As more organizations adopt cloud-based tools to obtain a competitive advantage, the rate of cloud application usage increases in tandem. However, most organizations are not equipped to handle the security demands of the cloud. In fact, 86 percent of companies deploy cloud applications, yet just 34 percent have single sign-on solutions in place, demonstrating a massive gap in cloud adoption and necessary cloud-security solutions."
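The Bing, Mailfire and Razer items above share one root cause: an Elasticsearch cluster reachable from the internet with no authentication in front of it. The following is an added example, not code from any of the articles, vendors or researchers mentioned: a small triage check that takes the responses an Elasticsearch node gives for `GET /` and `GET /_cat/indices?format=json`, decides whether the cluster answers without credentials, and flags index names that look like they hold user or telemetry data. The decision logic is kept separate from the HTTP probe so it can be exercised offline on constructed responses; the cluster name, index names and document counts in the sample are made up, and the keyword list used to spot sensitive indices is a heuristic of my own, not any published classifier.

```python
"""Triage an Elasticsearch endpoint for unauthenticated exposure (added example).

assess() is pure and works on response bodies; probe() fetches them from a
live node. Only point probe() at hosts you are authorised to test.
"""
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

# Heuristic (assumption, not a standard): index names containing these words
# usually hold user, search or device telemetry rather than housekeeping data.
SENSITIVE_INDEX_HINTS = re.compile(
    r"(user|customer|account|search|query|location|geo|device|log|event|email|message)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    unauthenticated: bool
    cluster_name: Optional[str] = None
    version: Optional[str] = None
    total_docs: int = 0
    sensitive_indices: list = field(default_factory=list)
    severity: str = "none"


def assess(root_body: Optional[str], indices_body: Optional[str], status: int) -> Finding:
    """Classify an Elasticsearch endpoint from its HTTP responses.

    status       -- HTTP status of GET /; 401/403 means some auth layer exists
    root_body    -- body of GET / (None if unavailable)
    indices_body -- body of GET /_cat/indices?format=json (None if unavailable)
    """
    if status in (401, 403) or root_body is None:
        return Finding(unauthenticated=False)
    try:
        root = json.loads(root_body)
    except json.JSONDecodeError:
        return Finding(unauthenticated=False)
    # Only treat it as Elasticsearch if the root document has the expected keys.
    if not isinstance(root, dict) or "cluster_name" not in root or "version" not in root:
        return Finding(unauthenticated=False)

    finding = Finding(
        unauthenticated=True,
        cluster_name=root.get("cluster_name"),
        version=(root.get("version") or {}).get("number"),
    )
    if indices_body:
        try:
            indices = json.loads(indices_body)
        except json.JSONDecodeError:
            indices = []
        for idx in indices:
            name = idx.get("index", "")
            try:
                count = int(idx.get("docs.count") or 0)  # _cat returns counts as strings
            except ValueError:
                count = 0
            finding.total_docs += count
            # System indices (".kibana", ".security", ...) are not user data.
            if not name.startswith(".") and SENSITIVE_INDEX_HINTS.search(name):
                finding.sensitive_indices.append(name)

    if finding.sensitive_indices and finding.total_docs > 0:
        finding.severity = "critical"
    elif finding.total_docs > 0:
        finding.severity = "high"
    else:
        finding.severity = "medium"  # open to the world, but nothing stored yet
    return finding


def probe(base_url: str, timeout: float = 5.0) -> Finding:
    """Fetch GET / and GET /_cat/indices from a live node and assess them."""
    def get(path: str):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "es-exposure-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, None

    status, root = get("/")
    indices = get("/_cat/indices?format=json")[1] if status == 200 else None
    return assess(root, indices, status)


# Constructed sample responses, shaped like real Elasticsearch output.
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "telemetry-prod",
    "version": {"number": "7.8.1"},
    "tagline": "You Know, for Search",
})
SAMPLE_INDICES = json.dumps([
    {"index": ".kibana_1", "docs.count": "12", "store.size": "40kb"},
    {"index": "search-events-2020.09", "docs.count": "98000000", "store.size": "6.4tb"},
    {"index": "device-locations", "docs.count": "4100000", "store.size": "900mb"},
])

if __name__ == "__main__":
    print(assess(SAMPLE_ROOT, SAMPLE_INDICES, 200))
```

A node that answers `GET /` with its cluster name and version to an anonymous request is already a finding regardless of what the indices contain; the index scan only decides how loudly to raise it. The fix is the same in each of the stories above: bind `network.host` to a private interface, enable authentication (X-Pack security or a reverse proxy that requires it), and confirm with exactly this kind of unauthenticated probe from outside the network.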

Critical Jenkins Server Vulnerability Could Leak Sensitive Information
2020-08-21 06:46

Jenkins, the popular open-source automation server, published an advisory on Monday concerning a critical vulnerability in the bundled Jetty web server that could result in memory corruption and cause confidential information to be disclosed. "Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat," read the advisory.

Thanks for the memories... now pay up or else: Maze ransomware crew claims to have hacked SK hynix, leaks '5% of stolen files'
2020-08-20 00:27

The Maze hacker gang claims it has infected computer memory maker SK hynix with ransomware and leaked some of the files it stole. For what it's worth, the Maze crew doesn't tend to need to fib about this sort of thing.

US senators: WikiLeaks 'likely knew it was assisting Russian intelligence influence effort' in 2016 Dem email leak
2020-08-18 21:51

A just-released volume [PDF] of the Senate Intelligence Committee's dossier on Russia's efforts to meddle in that year's White House race pretty much accuses the Assange-run WikiLeaks of actively helping Moscow in its dirty work - by obtaining the internal memos from Russian hackers and spreading them online to derail Hillary Clinton's campaign and help nudge Donald Trump to victory. The report says WikiLeaks played 'a key role in the Russian influence campaign'.