Tag Archive for: Bug’

Hackers Exploit Bug In Magento To Access Payment Data On Ecommerce Sites

/in


(MENAFN– Investor Brand Network) A critical flaw in the open-source e-commerce platform Magento has allowed hackers to make backdoors into e-commerce websites and
steal payment data . Computer software company Adobe Inc. describes the error,
CVE-2024-2072 ,
as the“improper neutralization of special elements” that could allow attackers to make arbitrary code executions without any user interaction.

Adobe addressed the vulnerability on Feb. 13, 2024, as part of a batch of security updates while e-commerce security company Sansec announced that it…

Read More>>

NOTE TO INVESTORS:
The latest news and updates relating to NextPlat Corp. (NASDAQ: NXPL, NXPLW) are available in the company’s newsroom at

About BioMedWire

BioMedWire
(“BMW”) is a specialized communications platform with a focus on the latest developments in the Biotechnology (BioTech), Biomedical Sciences (BioMed) and Life Sciences sectors. It is one of 60+ brands within the
Dynamic Brand Portfolio
@
IBN
that delivers :
(1) access to a vast network of wire solutions via
InvestorWire
to efficiently and effectively reach a myriad of target markets, demographics and diverse industries ;
(2) article and
editorial syndication to 5,000+ outlets ;
(3) enhanced
press release enhancement
to ensure maximum impact ;
(4)
social media distribution
via IBN to millions of social media followers ;
and (5) a full array of tailored
corporate communications solutions . With broad reach and a seasoned team of contributing journalists and writers, BMW is uniquely positioned to best serve private and public companies that want to reach a wide audience of investors, influencers, consumers, journalists and the general public. By cutting through the overload of information in today’s market, BMW brings its clients unparalleled recognition and brand awareness.

BMW is where breaking news, insightful content and actionable information converge.

To receive SMS alerts from BioMedWire,“Biotech” to 888-902-4192 (U.S. Mobile Phones Only)

For more information, please visit

Please see full terms of use and disclaimers on the BioMedWire website applicable to all content provided by BMW, wherever…

Source…

Bugcrowd snaps up $102M for a ‘bug bounty’ security platform that taps 500K+ hackers

/in


Bugcrowd — the startup that taps into a database of half a million hackers to help organizations like OpenAI and the U.S. government set up and run bug bounty programs, cash rewards to freelancers who can identify bugs and vulnerabilities in their code — has picked up a big cash award of its own to grow its business further: an equity round of $102 million.

General Catalyst is leading the investment, with previous backers Rally Ventures and Costanoa Ventures also participating.

Bugcrowd has raised over $180 million to date, and while valuation is not being disclosed, CEO Dave Gerry said in an interview it is “significantly up” on its last round back in 2020, a $30 million Series D. As a point of comparison, one of the startup’s bigger competitors, HackerOne, was last valued at $829 million in 2022, according to PitchBook data.

The plan will be to use the funding to expand operations in the U.S. and beyond, including potentially M&A, and to build more functionality into its platform, which — in addition to bug bounty programs — also offers services including penetration testing and attack surface management, as well as training to hackers to increase their skiilsets.

That functionality is both of a technical but also human nature.

Gerry jokingly describes Bugcrowd’s premise as “a dating service for people who break computers” but in more formal terms, it is built around a two-sided security marketplace: Bugcrowd crowdsources coders, who apply to join the platform by demonstrating their skills. The coders might be hackers who only work on freelance projects, or people who work elsewhere and pick up extra freelance work in their spare time. Bugcrowd then matches these coders up, based on those particular skills, with bounty programs that are in the works among clients. Those clients, meanwhile, range from other technology companies through to any enterprise or organization whose operations rely on tech to work.

In doing all this, Bugcrowd has been tapping into a couple of important trends in the technology industry.

Organizations continue to build more technology to operate, and that means more apps, more automations, more integrations and much more data is…

Source…

Apple fixes zero-day bug in Apple Vision Pro that ‘may have been exploited’

/in


A day after reporters published their first hands-on review of Apple’s Vision Pro, the technology giant released its first security patch for the mixed reality headset to fix a vulnerability that “may have been exploited” by hackers in the wild.

On Wednesday, Apple released visionOS 1.0.2, the software that runs on the Vision Pro, with a fix for a vulnerability in WebKit, the browser engine that runs Safari and other web apps. Apple said the bug, if exploited, allowed malicious code to run on an affected device.

It’s the same vulnerability that Apple patched last week when it rolled out iOS 17.3, which included fixes for iPhones, iPads, Macs and Apple TV — all of which rely on WebKit. No patches for this bug, officially tracked as CVE-2024-23222, were released for Apple Watch.

It’s not immediately clear if malicious hackers used the vulnerability to specifically exploit Apple’s Vision Pro, and Apple spokesperson Scott Radcliffe would not say when asked by TechCrunch.

It also isn’t yet known who was exploiting the vulnerability, or for what reason.

It is not uncommon for malicious actors, such as spyware makers, to target weaknesses in WebKit as a way to break into the device’s underlying operating system and the user’s personal data. WebKit bugs can sometimes be exploited when a victim visits a malicious domain in their browser, or the in-app browser.

Apple rolled out several patches for WebKit bugs last year.

Vision Pro is expected to be available starting Friday.

Source…

Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows

/in


Jan 15, 2024NewsroomVulnerability / Browser Security

Opera MyFlaw Flaw

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

“This is achieved through a controlled browser extension, effectively bypassing the browser’s sandbox and the entire browser process,” the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser’s security boundaries.

Cybersecurity

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called “Opera Touch Background,” which is responsible for communicating with its mobile counterpart.

This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property known as externally_connectable that declares which other web pages and extensions can connect to it.

Opera MyFlaw Flaw

In the case of Opera, the domains that can talk to the extension should match the patterns “*.flow.opera.com” and “.flow.op-test.net” – both controlled by the browser vendor itself.

“This exposes the messaging API to any page that matches the URL patterns you specify,” Google notes in its documentation. “The URL pattern must contain at least a second-level domain.”

Guardio Labs said it was able to unearth a “long-forgotten” version of the My Flow landing page hosted on the domain “web.flow.opera.com” using the urlscan.io website scanner tool.

Opera MyFlaw Bug

“The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it…

Source…