Security News

Massive Twitch hack: Source code and payment reports leaked
2021-10-06 13:13

Twitch source code and streamers' and users' sensitive information were allegedly leaked online by an anonymous user on the 4chan imageboard. The leaker shared a torrent link leading to a 120GB archive containing data allegedly stolen from roughly 6,000 internal Twitch Git repositories.

Ransom Disclosure Act would give victims 48 hours to report payments
2021-10-06 08:22

Victims of ransomware attacks in the United States may soon have to report any payments to hackers within 48 hours, according to a new legislative proposal titled the 'Ransom Disclosure Act'. The bill would require ransomware victims to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom.

Apple Pay Can be Abused to Make Contactless Payments From Locked iPhones
2021-10-01 07:15

Cybersecurity researchers have disclosed an unpatched flaw in Apple Pay that attackers could abuse to make an unauthorized Visa payment with a locked iPhone by taking advantage of the Express Travel mode set up in the device's wallet. Express Travel is a feature that allows users of iPhone and Apple Watch to make quick contactless payments for public transit without having to wake or unlock the device, open an app, or even validate with Face ID, Touch ID or a passcode.

Apple Pay with Visa Hacked to Make Payments via Locked iPhones
2021-09-30 15:26

An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning. The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic team from the Universities of Birmingham and Surrey, backed by the U.K.'s National Cyber Security Centre.

Apple Pay with VISA lets hackers force payments on locked iPhones
2021-09-30 00:37

Academic researchers have found a way to make fraudulent payments using Apple Pay from a locked iPhone with a Visa card in the digital wallet with express mode enabled. Apple Pay solved the problem with Express Transit, a feature that allows a transaction to go through without unlocking the device.

Hackers Targeting Brazil's PIX Payment System to Drain Users' Bank Accounts
2021-09-29 05:08

Two newly discovered malicious Android applications on Google Play Store have been used to target users of Brazil's instant payment ecosystem in a likely attempt to lure victims into fraudulently transferring their entire account balances into another bank account under cybercriminals' control. "The attackers distributed two different variants of banking malware, named PixStealer and MalRhino, through two separate malicious applications [...] to carry out their attacks," Check Point Research said in an analysis shared with The Hacker News.

Suex to be you: Feds sanction cryptocurrency exchange for handling payments from 8+ ransomware variants
2021-09-21 19:59

The US Treasury on Tuesday sanctioned virtual cryptocurrency exchange Suex OTC for handling financial transactions for ransomware operators, an intervention that's part of a broad US government effort to disrupt online extortion and related cyber-crime. According to the US Treasury, more than 40 per cent of the firm's known transaction history involves illicit entities, and it handled payments from at least eight ransomware variants.

Payment API Bungling Exposes Millions of Users’ Payment Data
2021-09-20 19:02

App developers have once again been accused of having butterfingers when it comes to API keys, leaving millions of mobile app users at risk of exposing their personal and payment data. But like so much of cybersecurity, it's a could-a, should-a situation: "CloudSEK has observed that a wide range of companies - both large and small - that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages," according to CloudSEK researchers Arshit Jain and Sai Ahladini Tripathy.

Open redirect on UK council website was being used for Royal Mail-themed parcel payments scam
2021-09-13 15:15

An open redirect on a UK council-backed property website allowed low-level miscreants to evade filters. The website operated by tech services biz Civica had an open redirect being actively abused by spammers, piggybacking off the website's domain authority so their messages weren't flagged up by scanning tools.