An Argument for Coordinated Disclosure of New Exploits

May 30, 2024 at 10:06AM - In 2023, over 23,000 vulnerabilities were disclosed, leading to a race to release exploits. Coordinated disclosure involves alerting vendors and waiting to publicly release findings. Full disclosure argues for immediate transparency to prompt patches. Responsible disclosure is crucial due to the potential exploitation of vulnerabilities. Publicly releasing exploit research can …

Popular Android Apps Like Xiaomi, WPS Office Vulnerable to File Overwrite Flaw

May 2, 2024 at 11:18AM - Several Android apps in the Google Play Store were found vulnerable to a path traversal-affiliated exploit, allowing malicious apps to overwrite files in the vulnerable app’s home directory. The implications include arbitrary code execution and token theft. Vulnerable apps include Xiaomi File Manager and WPS Office, but the issue has …

New HTTP/2 DoS Attack Potentially More Severe Than Record-Breaking Rapid Reset

April 4, 2024 at 07:30AM - Researcher Bartek Nowotarski has unveiled a new denial-of-service (DoS) attack method named HTTP/2 Continuation Flood, potentially posing a greater threat than the previous Rapid Reset vulnerability. The attack exploits a flaw in the handling of HTTP/2 frames and has affected various implementations. Patches and mitigations are being issued, and the …

Hacker Conversations: Runa Sandvik

January 3, 2024 at 10:39AM - Cybersecurity researcher Runa Sandvik, known for her ‘situative’ approach, emphasizes the need for contextual understanding in cybersecurity. She believes curiosity, stubbornness, and an interest in the topic are vital for aspiring researchers. Sandvik discusses revenue sources for researchers, the ethics of bug bounties, responsible disclosure, and its legal implications. She …

Ex-Uber CISO Advocates ‘Personal Incident Response Plan’ for Security Execs

December 12, 2023 at 09:28AM - Former Uber CISO Joe Sullivan disclosed details of the 2016 data breach at Black Hat Europe, reflecting on his firing and legal issues. The breach compromised 57 million accounts, and a $100,000 payment to attackers was considered a bug bounty. Sullivan emphasizes the importance of personal protections for security professionals …

Johnson Controls Patches Critical Vulnerability in Industrial Refrigeration Products

November 20, 2023 at 09:33AM - Johnson Controls has released patches for a critical vulnerability found in some of its industrial refrigeration products. The flaw, known as CVE-2023-4804, could allow unauthorized access to debug features. Impacted products include control panels used in the food and beverage industry worldwide. The patches fix the vulnerability that could potentially …