Security News

Serious Vulnerability in GitHub Enterprise Earns Researcher $20,000
2020-10-20 12:33

A security researcher says he has earned $20,000 for a high-severity GitHub Enterprise vulnerability that might have allowed an attacker to execute arbitrary commands. GitHub Enterprise, the on-premises version of GitHub.com, is designed to make it easier for large enterprise software development teams to collaborate.

'You've got the old cheeky Corona': Ireland's pandemic advice SMS service can be spoofed, warns researcher
2020-10-12 16:21

Ireland's efforts to keep residents informed about coronavirus have fallen foul of the same basic SMS vulnerability that one of their British neighbours experienced back in March. Lulzsec-bod-turned-security-consultant Jake Davis reckoned the Irish government is using an SMS sender name that is vulnerable to spoofing - a process that is simple and straightforward, not that we're going to explain how it's done.

Researchers Get Big Bounties From Apple For Critical Vulnerabilities
2020-10-09 13:21

A team of researchers has received hundreds of thousands of dollars in bug bounties from Apple for reporting 55 vulnerabilities, including ones that exposed source code, employee and customer apps, warehouse software, and iCloud accounts. Researchers Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes decided in early July to take part in Apple's bug bounty program and attempt to find as many vulnerabilities as possible in the tech giant's systems and services.

C&C Panels of 10 IoT Botnets Compromised by Researchers
2020-10-09 10:46

At the Virus Bulletin Conference last week, two security researchers explained how they were able to compromise the command and control panels of 10 Internet of Things botnets. The researchers, Aditya K. Sood and Rohit Bansal of SecNiche Security Labs, revealed at the online conference that they were able to access the C&C panels of the Mana, Vivid, Kawaii, Verizon, Goon, 911-Net, Purge Net, Direct, 0xSec, and Dark botnets.

Researchers Find Vulnerabilities in Microsoft Azure Cloud Service
2020-10-08 06:56

According to the latest research, two security flaws in Microsoft's Azure App Services could have enabled a bad actor to carry out server-side request forgery attacks or execute arbitrary code and take over the administration server. Azure App Service is a cloud computing-based platform that's used as a hosting web service for building web apps and mobile backends.

Researchers Turn Comcast TV Remote Into Spying Device
2020-10-07 14:42

Researchers from segmentation solutions provider Guardicore have identified a series of vulnerabilities that could have been exploited by a hacker to turn a TV remote into a spying device. The research focused on the XR11 remote provided by Comcast to Xfinity customers.

'Smart' Male Chastity Device Vulnerable to Locking by Hackers: Researchers
2020-10-07 13:34

A security flaw in an internet-connected male chastity device could allow hackers to remotely lock it - leaving users trapped, researchers have warned. The locking mechanism is controlled with a smartphone app via Bluetooth - marketed as both an anti-cheating and a submission sex play device - but security researchers have found multiple flaws that leave it vulnerable to hacking.

Infosec researchers pwned Comcast's voice-activated remote control so it could snoop on household chit-chat
2020-10-07 13:02

A voice-activated TV remote can be turned into a covert home surveillance device, according to researchers from infosec firm Guardicore who probed the device to show that a man-in-the-middle attack could compromise it. Guardicore discovered an attack vector on US telco giant Comcast's Xfinity XR11 voice remote - of which around 18 million units have been sold - that allowed malicious people to turn it into an eavesdropping device.

Researcher Finds Vulnerabilities in Products of 10 Cybersecurity Vendors
2020-10-07 11:55

A researcher at privileged access management solutions provider CyberArk has discovered vulnerabilities in the products of 10 cybersecurity vendors. The research focused on vulnerabilities that can allow an attacker or a piece of malware to escalate privileges using symlink attacks or DLL hijacking.

Researchers Mixed on Sanctions for Ransomware Negotiators
2020-10-02 18:03

Ransomware negotiators may have to pay up in new ways if they intercede with cybercriminals on companies' behalf. The U.S. Department of the Treasury said Thursday that companies that facilitate ransomware payments to cyber-actors on behalf of victims may face sanctions for encouraging crime and future ransomware payment demands.