Hacker News with Generative AI: Security Vulnerabilities

Homeland Security funding for CVE program expires (theregister.com)
US government funding for the world's CVE program – the centralized Common Vulnerabilities and Exposures database of product security flaws – ends Wednesday.

Cybersecurity, Government Funding, Security Vulnerabilities

143 points by dxs 10 days ago | 6 comments

Azure's Weakest Link? How API Connections Spill Secrets (binarysecurity.no)
Binary Security found the undocumented APIs for Azure API Connections. In this post we examine the inner workings of the Connections allowing us to escalate privileges and read secrets in backend resources for services ranging from Key Vaults, Storage Blobs, Defender ATP, to Enterprise Jira and SalesForce servers.

Cloud Security, Azure, APIs, Security Vulnerabilities

137 points by hland 45 days ago | 64 comments

Hacking Subaru: Tracking and controlling cars via the admin panel (samcurry.net)
On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Cybersecurity, Automotive, Hacking, Security Vulnerabilities

548 points by ramimac 93 days ago | 320 comments

D-Link says it won't patch 60k older modems (techradar.com)

Cybersecurity, Networking, Technology, Security Vulnerabilities

267 points by lobo_tuerto 150 days ago | 170 comments

D-Link says replace vulnerable routers or risk pwnage (theregister.com)
Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability.

Cybersecurity, Networking, Security Vulnerabilities, Hardware

8 points by fork-bomber 157 days ago | 1 comments

Unauthenticated RCE vs. all GNU/Linux systems (+ others) disclosed 3 weeks ago (twitter.com)

Cybersecurity, Linux, Security Vulnerabilities

35 points by jesboat 214 days ago | 5 comments

Zero-Click Calendar invite vulnerability chain in macOS (medium.com)
I found a zero-click vulnerability in macOS Calendar, which allows an attacker to add or delete arbitrary files inside the Calendar sandbox environment. This could lead to many bad things including malicious code execution which can be combined with security protection evasion with Photos to compromise users’ sensitive Photos iCloud Photos data. Apple has fixed all of the vulnerabilities between October 2022 and September 2023.

macOS Security, Zero-Click Exploits, Calendar Apps, Security Vulnerabilities

461 points by jviide 224 days ago | 159 comments

BSI discovers serious vulnerabilities in Mastodon, some minor ones in Matrix (heise.de)

Cybersecurity, Social Media, Security Vulnerabilities, Open Source

5 points by flo123456 234 days ago | 0 comments

The new frontier in script kiddie security vulnerability reports (microsoft.com)

Cybersecurity, Security Vulnerabilities, Script Kiddies, Microsoft

17 points by ingve 276 days ago | 0 comments

New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere (arstechnica.com)

Cybersecurity, Networking, Security Vulnerabilities, Protocol

11 points by tapper 290 days ago | 0 comments

New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere (arstechnica.com)