Security
Headlines
HeadlinesLatestCVEs

Tag

#google

APT-C-60 Exploits WPS Office Vulnerability to Deploy SpyGlace Backdoor

The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor. That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024. "In this attack,

The Hacker News
Open in Source
#vulnerability#google#git#backdoor#bitbucket#The Hacker News
Hacker in Snowflake Extortions May Be a U.S. Soldier

Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect -- a prolific hacker known as Kiberphant0m -- remains at large and continues to publicly extort victims. However, this person's identity may not remain a secret for long: A careful review of Kiberphant0m's daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.

GHSA-2xcc-vm3f-m8rw: @lobehub/chat Server Side Request Forgery vulnerability

### Summary lobe-chat before 1.19.13 has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information. ### Details * visit https://chat-preview.lobehub.com/ * click settings -> llm -> openai * fill the OpenAI API Key you like * fill the proxy address that you want to attack (e.g. a domain that resolved to a local ip addr like 127.0.0.1.xip.io) (the address will concat the path "/chat/completions" which can be bypassed with sharp like "http://172.23.0.1:8000/#") * then lobe will echo the ssrf result The jwt token header X-Lobe-Chat-Auth strored proxy address and OpenAI API Key, you can modify it to scan internal network in your target lobe-web. ![image](https://github.com/lobehub/lobe-chat/assets/55245002/d55e21e0-59d8-4a8e-8c56-4bcda3302dc2) ![image](https://github.com/lobehub/lobe-chat/assets/55245002/86833362-4e9e-4d07-9542-420db541f7a4) ![image](https://github.com/lobe...

My Car Knows My Secrets, and I'm (Mostly) OK With That

Imagine your car gossiping to insurance companies about your lead foot, or data brokers peddling your daily coffee run. Welcome to the world of connected cars, where convenience and privacy are locked in a head-on collision.

Tips and Tools for Social Media Safety

Protect your social media presence with tools like privacy checkups, monitoring services, and digital footprint scanners. Stay secure by avoiding oversharing, limiting third-party app permissions, and using strong passwords.

GLASSBRIDGE: Google Blocks Thousands of Pro-China Fake News Sites

Google reveals GLASSBRIDGE: A network of thousands of fake news sites pushing pro-China narratives globally. These sites, run by PR firms, spread disinformation and lack transparency.

Spotify, Audible, and Amazon used to push dodgy forex trading sites and more

Cybercriminals are spamming content platforms like Spotify and Amazon with cracks, keygens, and forex trading platforms. We explain why.

Google's New Restore Credentials Tool Simplifies App Login After Android Migration

Google has introduced a new feature called Restore Credentials to help users restore their account access to third-party apps securely after migrating to a new Android device. Part of Android's Credential Manager API, the feature aims to reduce the hassle of re-entering the login credentials for every app during the handset replacement. "With Restore Credentials, apps can seamlessly onboard

99% of UAE’s .ae Domains Exposed to Phishing and Spoofing

Only 1.11% of UAE's 37,926 .ae domains have implemented DMARC, leaving most vulnerable to phishing and and spoofing attacks.