Apple has fixed a flaw in the "Sign in with Apple" feature that could have enabled attackers to break into user accounts for third-party services.Apple has paid security researcher Bhavuk Jain $100,000 for the discovery of a critical flaw in its "Sign in with Apple" feature. The now-patched vulnerability, if exploited, could have let attackers bypass authent

byPaul DucklinA security reseacher from Delhi in India is a tidy $100,000 richer thanks to a bug bounty payout from Apple for an account takeover flaw that he discovered in the Sign in with Apple system.Bhavuk Jain, a serial bug bounty hunter, has described how he found the sort of bug that leaves you thinking, “It can’t have been that simple!

A security researcher claims Apple paid a $100,000 bug bounty reward for a critical vulnerability in Sign in with Apple, the company’s privacy-focused authentication system.The vulnerability was reported to the Cupertino-based tech giant in April, and was found to impact third-party applications that were using Sign in with Apple without additional security

Tripwire’s May 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Adobe, SaltStack, and VMware.Up first on the patch priority list this month are patches for VMware vCenter Server and SaltStack Salt. The Metasploit exploit framework has recently integrated exploits for VMware vCenter Server (CVE-2020-3952) and Sal

The U.S. National Security Agency (NSA) warned that the Sandworm team is exploiting a vulnerability that affects Exim Mail Transfer Agent (MTA) software.In a cybersecurity advisory published on May 28, the NSA revealed that the Sandworm team has been exploiting the Exim MTA security flaw since August 2019.The vulnerability (CVE-2019-10149) first appeared in

Even with more security issues published on Patch Tuesdays, the total number of software flaws dropped for the first three months of 2020, according to one tally.The number of vulnerabilities reported publicly dropped in the first quarter of 2020 for the first time in at least a decade, falling nearly 20% to 4,968 compared with the same quarter last year, ac

byJohn E DunnResearchers have publicised a critical security flaw in Android which could be used by attackers to “assume the identity” of legitimate apps in order to carry out on-device phishing attacks.Discovered by Norwegian company Promon, the bug is called ‘StrandHogg 2.0’, the name denoting that this is an “evil twin” follow up to a similar flaw of the

byJohn E DunnHow many vulnerabilities lurk inside the bazillions of open source libraries that today’s developers happily borrow to build their applications?Predictably, the answer is a lot, at least according to application security company Veracode which decided to scan 85,000 applications to see how many flaws it could turn up in the 351,000 libraries use

Researchers at Norwegian app security company Promon on Tuesday disclosed the existence of a serious Android vulnerability that allows a piece of malware to hijack nearly any application installed on the victim’s device.In December 2019, Promon warned that an Android vulnerability, which it dubbed StrandHogg, was being exploited by tens of malicious Android

byDanny BradburyDocker has fixed a vulnerability that could have allowed an attacker to gain control of a Windows system using its service. The bug, discovered by Ceri Coburn, a researcher at security consultancy Pen Test Partners, exposed Docker for Windows to privilege elevation.Docker is a container system that lets administrators run applications in thei

This is new research on a Bluetooth vulnerability (called BIAS) that allows someone to impersonate a trusted device: Abstract: Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authen

Only the truly committed ever reach the summit of anything. This sentiment holds true for vulnerability management. An organization cannot reach the summit without a serious commitment to fund and staff the program appropriately across the organization.Reaching ML:5 means tying the program to the business. Everyone must be aligned with the metrics and be rea

Samsung has released a security update for its popular Android smartphones which includes a critical fix for a vulnerability that affects all devices sold by the manufacturer since 2014.On its Android security update page Samsung thanks researcher Mateusz Jurczyk of Google Project Zero for the discovery of the vulnerability that could – he claims ̵

Have you ever been around someone who is just better at something than you are? Like when you were in school and there was this person who was effortless at doing things correctly? They had great study habits, they arrived on time, they were prepared and confident in the materials that they studied in class, and they were a consistently high performer at eve

Newly-discovered zero-day vulnerabilities may generate the biggest headlines in the security press, but that doesn’t mean that they’re necessarily the thing that will get your company hacked.This week, US-CERT has published its list of what it describes as the “Top 10 Routinely Exploited Vulnerabilities” for the last three years.The l