Security News

Amazon Awards $18,000 for Exploit Allowing Kindle E-Reader Takeover
2021-01-21 12:26

Amazon has awarded an $18,000 bug bounty for an exploit chain that could have allowed an attacker to take complete control of a Kindle e-reader simply by knowing the targeted user's email address. The first vulnerability in the exploit chain was related to the "Send to Kindle" feature, which allows users to send an e-book in MOBI format to their Kindle device via email as an attachment.

Critical WordPress-Plugin Bug Found in ‘Orbit Fox’ Allows Site Takeover
2021-01-13 19:41

Two vulnerabilities in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website. Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder and Gutenberg site-building utilities.

Facebook Awards Big Bounties for Invisible Post and Account Takeover Vulnerabilities
2021-01-12 14:12

One researcher said he earned $30,000 from Facebook for finding a vulnerability that could have been exploited to create invisible posts on any page. Bug bounty hunter Pouya Darabi discovered in November that an attacker could have created invisible posts on any Facebook page, including verified pages, without having any permissions on the targeted page.

Critical Bugs in Dell Wyse Thin Clients Allow Code Execution, Client Takeovers
2020-12-21 17:00

Dell has patched two critical security vulnerabilities in its Dell Wyse Thin Client Devices, which are small form-factor computers optimized for connecting to a remote desktop. The bugs allow arbitrary code execution and the ability to access files and credentials, researchers said.

D-Link Routers at Risk for Remote Takeover from Zero-Day Flaws
2020-12-09 14:56

Some of the impacted router models were first introduced in 2012 and appear to lack the same type of patching cadence as more modern D-Link router models. The routers are common home networking devices sold at numerous retail outlets, which means that people working remotely due to the COVID-19 pandemic likely are exposing not only their own environments but also corporate networks to risk, Digital Defense researchers noted.

QNAP patches QTS vulnerabilities allowing NAS device takeover
2020-12-07 09:10

Network-attached storage maker QNAP today released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation. The eight vulnerabilities patched today by QNAP affect all QNAP NAS devices running vulnerable software.

iPhone Bug Allowed for Complete Device Takeover Over the Air
2020-12-02 13:52

Details tied to a stunning iPhone vulnerability were disclosed by noted Google Project Zero researcher Ian Beer. Until now, were known about the bug that could have allowed a threat actor to completely take over any iPhone within a nearby vicinity.

Spotify Users Hit with Rash of Account Takeovers
2020-11-23 18:50

VpnMentor's research team spotted an open Elasticsearch database containing more than 380 million individual records, including login credentials and other user data, actively being validated against Spotify accounts. The database in question contained over 72 GB of data, including account usernames and passwords verified on Spotify; email addresses; and countries of residence.

TikTok Awards Nearly $4,000 for Account Takeover Vulnerabilities
2020-11-23 18:33

A researcher has earned nearly $4,000 from TikTok after discovering a couple of vulnerabilities that could have been chained to hijack accounts. Muhammed Taskiran, a 20-year-old researcher based in Germany, informed TikTok in late August that a URL parameter on tiktok.com was "Reflecting its value without being properly sanitized."

TikTok fixes bugs allowing account takeover with one click
2020-11-23 18:28

TikTok has addressed two vulnerabilities that could have allowed attackers to take over accounts with a single click when chained together for users who signed-up via third-party apps. German bug bounty hunter Muhammed Taskiran discovered a reflected cross-site scripting security bug - also known as a non-persistent XSS - in a TikTok URL parameter reflecting its value without proper sanitization.