HackDig : Dig high-quality web security articles for hackers

Hacker Downloads Vine's Entire Source Code

It took Twitter five minutes to fix a critical security flaw that would have allowed an attacker to download Vine's entire source code from its servers. Security researcher Avicoder is the one who discovered this issue, which he reported to Twitter on March 31. At the core of this issue resides an insecure Docker setup used by Twitter's staff to manage
Publish At: 2016-07-24 12:10 | Read: 4550 | Comments: 0 | Tags: Security Fixes and Improvements

WooCommerce WP Stores Affected by Image-Based XSS Vulnerability

Automattic, the company that supervises WordPress and WooCommerce development, has patched a persistent XSS (cross-site scripting) vulnerability in the WooCommerce e-commerce plugin for WordPress. This bugfix is crucial because it has the potential to affect over one million WordPress-powered stores, according to the most recent statistics from the WP Plug
Publish At: 2016-07-22 05:20 | Read: 3833 | Comments: 0 | Tags: Security Fixes and Improvements Xss Vulnerability

Website Takeover Issue Fixed in WordPress' Most Popular Plugin

Older versions of the All in One SEO Pack WordPress plugin contain a vulnerability that allows an attacker to store malicious code in the website's admin panel, which could potentially help them take over the website. At the time of writing, when accessing the WordPress Plugin directory's Popular section, the first plugin listed above all others is A
Publish At: 2016-07-12 07:20 | Read: 4124 | Comments: 0 | Tags: Security Fixes and Improvements

Samsung Fixes Another Device Takeover Issue in Its Driver Update Tool

Samsung engineers have fixed yet another serious issue in its driver update utility, which, if exploited, would have allowed a malicious actor to take over a user's device. The issue, discovered by German security firm Blue Frost Security, affected the company's system update tool called SW Update. This app is your standard bloatware, packed with all Sa
Publish At: 2016-06-14 03:30 | Read: 3601 | Comments: 0 | Tags: Security Fixes and Improvements

Stored XSS in Jetpack Plugin Puts Over One Million WordPress Sites at Risk

Automattic fixed a dangerous cross-site scripting (XSS) vulnerability in the Jetpack plugin affecting over one million sites that have this plugin installed. Jetpack is a free module provided by Automattic, the makers of WordPress, which adds features found on WordPress.com to custom WordPress sites built on top of their famous open-source CMS platform.
Publish At: 2016-05-28 09:05 | Read: 5201 | Comments: 0 | Tags: Security Fixes and Improvements Xss

7-Zip 16.0 Released to Fix Gaping Security Hole

The 7-Zip project released version 16.0 of their extremely popular open-source (de)compression software, which contains critical security fixes for two issues discovered by Cisco's Talos team. The issues are a heap overflow vulnerability (CVE-2016-2334) and an out-of-bounds read vulnerability (CVE-2016-2335). The most dangerous of these two is the latter,
Publish At: 2016-05-13 04:05 | Read: 3850 | Comments: 0 | Tags: Security Fixes and Improvements

Lenovo Bloatware Patched to Fix System Takeover Bug

Lenovo has hidden a crucial security update in an old security advisory from last year. The advisory details fixes for a vulnerability that, if exploited, could allow a malicious actor to take over the user's computer via the company's pre-installed junkware called the Lenovo Solution Center. Lenovo users should now go to Lenovo's website and downloa
Publish At: 2016-05-07 20:20 | Read: 4974 | Comments: 0 | Tags: Security Fixes and Improvements

Oracle Patches 138 Bugs, 9 in Java, 31 in MySQL

In its quarterly update train, Oracle addressed 136 security issues in 49 different product suites, among which were the Oracle database, Java, MySQL, Solaris, VirtualBox, SPARC, and Berkeley DB. This Critical Patch Update (CPU) is the first one Oracle released using the CVSS 3.0 system instead of the old one, CVSS 2.0. The Common Vulnerability Scoring Standar
Publish At: 2016-04-20 08:35 | Read: 3618 | Comments: 0 | Tags: Security Fixes and Improvements

Adobe Patches Flash Zero-Day Exploit Used to Deliver Cerber and Locky Ransomware

After issuing a security alert two days ago, Adobe has come through and released a new patch for Flash Player that fixes a dangerous zero-day bug that was used in live attacks to spread ransomware. Identified as CVE-2016-1019, this exploit was used as part of the Magnitude EK (exploit kit) to deliver the Cerber and Locky ransomware families. Adobe credited sec
Publish At: 2016-04-08 12:35 | Read: 4364 | Comments: 0 | Tags: Security Fixes and Improvements exploit

XSS Bug in Magento Allows Attackers to Take Over Online Shops

The Magento project has released patches to fix a critical security bug in the CMS that's powering a large chunk of online shops all over the Internet. The bug is a stored XSS (cross-site scripting) vulnerability that can be exploited when registering a new user account, or when users are changing their current account's email address. The problem reli
Publish At: 2016-01-24 01:00 | Read: 4977 | Comments: 0 | Tags: Security Fixes and Improvements Xss

Attackers Can Crash Your FreeBSD Box with One Single Malefic Ping

A malformed ping could easily take down your FreeBSD machine if certain conditions are met, and most of them are in standard FreeBSD configurations, researchers from the Positive Research Center have discovered. All versions of the FreeBSD operating system are affected by a vulnerability (CVE-2016-1879), which resides in how the SCTP (Stream Control Tran
Publish At: 2016-01-22 12:50 | Read: 4721 | Comments: 0 | Tags: Security Fixes and Improvements

Oracle Fixes a Record-Breaking Number of 248 Security Bugs

Oracle's January 2016 CPU (Critical Patch Update) was released yesterday, and the company's developers outdid themselves by fixing a record number of 248 security bugs, more than they had ever done in any previous CPU. The previous record was 198 patches, set during Oracle's July 2015 CPU. Analyzing the January CPU, most of the vulnerabilities c
Publish At: 2016-01-21 00:40 | Read: 4609 | Comments: 0 | Tags: Security Fixes and Improvements

Trend Micro Password Manager Discloses Passwords via Leaky Node.js Server

Google's Project Zero researcher, Tavis Ormandy, has yet again discovered a security bug in one of the world's leading antivirus engines, this time in Trend Micro's Antivirus for Windows. According to Mr. Ormandy's findings, when installing the Trend Micro Antivirus for Windows, the company's Password Manager application, which comes bundl
Publish At: 2016-01-11 23:40 | Read: 3817 | Comments: 0 | Tags: Security Fixes and Improvements

Cisco Patches Permission-Stealing Bug in Its Android WebEx Meetings App

Cisco has just fixed a vulnerability in its WebEx Meetings app for Android, one that allowed third-party applications to steal the WebEx app's permissions and execute malicious code. Cisco WebEx Meetings is a basic Web conferencing app developed around Cisco's WebEx service for online meetings and conferences. The service is quite potent and has a big
Publish At: 2015-12-04 13:25 | Read: 3605 | Comments: 0 | Tags: Security Fixes and Improvements

United Airlines Takes 6 Months to Patch Mobile App Bug

Independent security researcher Randy Westergren found an information disclosure bug in the United Airlines mobile app, which he reported to the company via its bug bounty program, and he had to threaten the airline with public disclosure to get them to fix it, six months later. The whole affair started back in March, when United Airlines made a big ruckus abou
Publish At: 2015-11-24 18:20 | Read: 3979 | Comments: 0 | Tags: Security Fixes and Improvements