Security News

Malicious iOS SDK breaches user privacy for millions
2020-08-24 12:47

According to Snyk, SourMint actively performed ad fraud on hundreds of iOS apps and brought with it major privacy concerns to hundreds of millions of consumers. On the surface, the MintegralAdSDK posed as a legitimate advertising SDK for iOS app developers, but its malicious code appeared to commit ad attribution fraud by secretly accessing link clicking activity within thousands of iOS apps that use the SDK. SourMint also spied on user link click activity, improperly tracking requests performed by the app and reporting it back to Mintegral's servers.

Exposed Twilio SDK Abused for Malvertising Attack
2020-07-23 18:50

Cloud communications platform as a service company Twilio this week disclosed a security incident that resulted in hackers uploading a modified version of the TaskRouter JS SDK to its site. Designed to provide easy interaction with the Twilio TaskRouter, the SDK was hosted in an Amazon Web Services S3 bucket that was improperly secured, thus becoming accessible to the attackers.

Attackers exploit Twilio’s misconfigured cloud storage, inject malicious code into SDK
2020-07-23 10:09

Twilio has confirmed that, for 8 or so hours on July 19, a malicious version of their TaskRouter JS SDK was being served from one of their AWS S3 buckets. "Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user's browser load an extraneous URL that has been associated with the Magecart group of attacks," the company shared.

Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK for customers
2020-07-21 23:10

Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "Non-malicious" code that appeared designed primarily to track whether or not the modification worked.

Twilio: Someone broke into our unsecured AWS S3 silo, added 'non-malicious' code to our JavaScript SDK
2020-07-21 23:10

Twilio today confirmed one or more miscreants sneaked into its unsecured cloud storage systems and modified a copy of the JavaScript SDK it shares with its customers. In short, someone was able to get into Twilio's Amazon Web Services S3 bucket, which was left unprotected and world-writable, and alter the TaskRouter v1.20 SDK to include "Non-malicious" code that appeared designed primarily to track whether or not the modification worked.

Adobe Patches 36 Vulnerabilities in Acrobat, DNG SDK
2020-05-12 18:56

Adobe has patched a total of 36 vulnerabilities in its Acrobat and Reader products and the DNG software development kit. Several researchers have been credited by Adobe for reporting the Acrobat and Reader vulnerabilities.

Adobe Kills 16 Critical Flaws in Acrobat and Reader, Digital Negative SDK
2020-05-12 16:02

Adobe has fixed 16 critical flaws across its Acrobat and Reader applications and its Adobe Digital Negative Software Development Kit. Those include 24 critical- and important-severity flaws in its Acrobat and Reader applications, used for creating and managing PDF files, and 12 in its Adobe DNG Software Development Kit, which provides support for reading and writing DNG files used for digital photography.

Onfido’s AI-powered identity verification solution brings inclusiveness with accessible conscious SDK
2020-03-18 02:00

Onfido, the global identity verification and re-authentication provider, announced new accessibility features to its Software Development Kit, focused on enabling people with disabilities and impairments to connect to more businesses and services remotely with secure digital access. Designed with accessibility and inclusion in mind, the enhancements enable Onfido customers to verify more users during registration, identity verification and re-authentication, improving the digital customer journey with the highest level of fraud protection.

Facebook sues data analytics firm OneAudience over malicious SDK
2020-03-02 11:52

Facebook is suing the data analytics firm OneAudience for allegedly developing a malicious, social-media-profile-grabbing software development kit and then paying app developers to embed it in their apps. According to the complaint, OneAudience's malicious SDK swiped the data that Facebook users had agreed to share with the app - data that may have included their name, email address, the country where they logged in from, time zone, Facebook ID, and, sometimes, gender.

Vulnerabilities Found in VMware Tools, Workspace ONE SDK
2020-01-15 14:11

VMware on Tuesday advised customers using VMware Tools version 10 for Windows to update their installations to version 11 due to a local privilege escalation vulnerability. According to the virtualization giant, the repair operation in VMware Tools 10.x.y is affected by a race condition that allows an attacker who has access to the guest virtual machine to escalate their privileges.