Aggregator

A vulnerability could allow recovery of the phone number associated with a Google account by carrying out a brute force attack. The security researcher who goes online with the moniker “brutecat” discovered that it is possible to brute force the phone number of any Google abusing an issue in the company’s account recovery feature. A […]

Первый миллион роботов мы соберём сами — остальные соберут нас.

Insights on the Expanding Threat Landscape from AWS and Deloitte
As geopolitical tensions rise, companies face an expanding threat landscape - particularly through IoT and OT vulnerabilities that leave cloud infrastructures at risk, said PJ Hamlen at Amazon Web Services, and Julie Bernard at Deloitte & Touche LLP.

Lawmakers Quiz Execs on Security; State AG Seek to Block Sale of Bankrupt Firm
While a Congressional committee grilled 23andMe executives on Tuesday about security and privacy, 28 states filed a lawsuit to stop the sale of the bankrupt genetics testing firm unless the company obtains explicit consent from each customer for the transfer or their information to a third party.

Crash Records and Driver Data Exposed in Texas Transportation Hack
Hackers accessed the Texas Department of Transportation's crash records system using a compromised account, stealing nearly 300,000 reports containing personal and vehicle information that could be used for fraud, the department warned in a letter to impacted individuals.

Experts Call for Continuous Assessments of Vendor Risk - Not Just at Onboarding
As vendor ecosystems grow in complexity, many organizations still view third-party risk management as a static assessment of vendors as they're onboarded. But organizations often focus too heavily on upfront vetting of vendors and fail to track how their risk profiles may change over time.

A vulnerability, which was classified as problematic, has been found in Xagio SEO Plugin up to 7.1.0.16 on WordPress. Affected by this issue is some unknown functionality. The manipulation of the argument HTTP_REFERER leads to cross site scripting. This vulnerability is handled as CVE-2025-3302. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in Events Calendar Plugin up to 6.13.2 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2025-5144. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as critical has been found in CubeWP Plugin up to 1.1.23 on WordPress. Affected is the function update_user_meta. The manipulation leads to privilege escalation. This vulnerability is traded as CVE-2025-4315. It is possible to launch the attack remotely. There is no exploit available.

A critical vulnerability (CVE-2025-4275) in Insyde H2O UEFI firmware allows attackers to bypass Secure Boot protections by injecting malicious digital certificates via an unprotected NVRAM variable. Dubbed Hydroph0bia, this flaw enables pre-boot execution of unsigned code, posing severe risks to enterprise and consumer devices. Insecure NVRAM Variable Handling The vulnerability stems from the improper use […]

The post Insyde UEFI Flaw Enables Digital Certificate Injection via NVRAM Variable appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

В Купертино обновили всё на свете — и всё равно остались уязвимы.

Telegram 创始人兼 CEO Pavel Durov 今年早些时候声称，在该应用 12 年历史中从未披露一字节私人消息。但 Telegram 并非端对端加密，要获取其私人消息，也许只要中间人并不需要 Telegram 的“配合”？IStories 的调查发现，45 岁的俄罗斯网络工程师 Vladimir Vedeneev 控制着 Telegram 的网络基础设施，法庭文件显示，他被赋予了对部分 Telegram 服务器的独家访问权限，甚至还能代表 Telegram 签署合同（以首席财务官的身份）。没有证据表明他的公司与俄罗斯合作或向其提供数据。但与 Vedeneev 有密切联系的两家公司其客户之一是俄罗斯联邦安全局（FSB）。匿名乌克兰 IT 专家声称俄罗斯军方在控制了 Telegram 的网络基础设施之后能对乌克兰进行中间人级别的监控。他表示俄罗斯对用户的通信内容不感兴趣，元数据——IP 地址、用户位置和通信联络人——的分析能透露更多情报。Telegram 用户之间的聊天默认并不启用端对端加密，即使启用了，该应用使用的 MTProto 协议在加密消息前都会添加一个未加密字段 auth_key_id。这一字段让识别特定用户设备成为可能。

Пока другие шумят про ИИ, Apple просто делает тихую революцию.

Currently trending CVE - Hype Score: 12 - Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability

Google Chrome’s Stable channel is being updated to version 137.0.7151.103 for Windows and Mac, with Linux receiving version 137.0.7151.103 as well. The rollout will take place gradually over the coming days and weeks, ensuring smooth deployment and minimal disruption for users. The official changelog provides a detailed breakdown of all modifications and enhancements included in […]

The post Multiple Chrome Flaws Enable Remote Code Execution by Attackers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

相关恶意网址和恶意IP归属地主要涉及：美国、德国、荷兰、法国、瑞士、哥伦比亚、新加坡、越南。

Poseidon的AppleScript代码显示，它可以收集浏览器数据，其中包括来自基于Chrome的浏览器和钱包的特定扩展数据。

OWASP Nettacker is a free, open-source tool designed for network scanning, information gathering, and basic vulnerability assessment. Built and maintained by the OWASP community, Nettacker helps security pros automate common tasks like port scanning, service detection, and brute-force attacks. It offers a controlled and extensible framework for running these tests. What it does Nettacker scans networks to find weaknesses. It maps out live hosts, open ports, services, and basic misconfigurations. It can also run some … More →

The post OWASP Nettacker: Open-source scanner for recon and vulnerability assessment appeared first on Help Net Security.

Ubuntu 桌面团队成员 Jean Baptiste Lallement 宣布，即将于今年 10 月推出的下个版本 Ubuntu 25.10 其桌面环境 GNOME 将停止支持 X11。GNOME 项目已计划在 GNOME 49 中移除对 X11 的支持，而 GNOME 49 计划于 9 月发布，Ubuntu 此举旨在未雨绸缪，为下个 LTS（长期支持）版本 Ubuntu 26.04 做好准备。Ubuntu 25.10 是 26.04 前的一个过渡版本，让 25.10 和 26.04 保持一致有助于减少碎片化，让开发者和用户有更多时间准备和适应。