15 matches found
CVE-2020-10077
GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk...
Cloudflare Public Bug Bounty: Cloudflare CASB Confused Deputy Problem
A vulnerability was found in Cloudflare CASB on Microsoft and GitHub integrations, allowing an attacker to create a new integration and access sensitive information if they were able to enumerate a valid tenant UUID or domain. The issue was resolved by disallowing the creation of multiple...
To settle with the DoJ, Uber must confess to a cover-up. And it did.
Uber covered up the 2016 data breach that affected its 57 million customers and drivers. The confession came as part of the settlement between the DOJ US Department of Justice and the taxi company, which will see it avoid criminal prosecution. In a press release from the DOJ, Uber "admits that it...
To settle with the DoJ, Uber must confess to a cover-up. And it did.
Uber covered up the 2016 data breach that affected its 57 million customers and drivers. The confession came as part of the settlement between the DOJ US Department of Justice and the taxi company, which will see it avoid criminal prosecution. In a press release from the DOJ, Uber "admits that it...
Cloudflare Public Bug Bounty: HTTP Request Smuggling in Transform Rules using hexadecimal escape sequences in the concat() function
The Edge Rules engine used by Cloudflare Transform Rules features string modifying functions like lower and concat, which accepted hexadecimal-encoded characters such as ”\x0a\x0d“. This allowed for manipulation of request headers e.g. injecting an additional header and, as a consequence, made HT...
Microsoft Internal Solorigate Investigation – Final Update
We believe the Solorigate incident is an opportunity to work with the community, to share information, strengthen defenses and respond to attacks. We have now completed our internal investigation into the activity of the actor and want to share our findings, which confirm that we found no evidenc...
Yandex Employee Caught Selling Access to Users' Email Inboxes
Russian Dutch-domiciled search engine, ride-hailing and email service provider Yandex on Friday disclosed a data breach that compromised 4,887 email accounts of its users. The company blamed the incident on an unnamed employee who had been providing unauthorized access to the users' mailboxes for...
CVE-2020-10077
GitLab EE 3.0 through 12.8.1 allows SSRF. An internal investigation revealed that a particular deprecated service was creating a server side request forgery risk...
The GOP Is Mired in Conspiracies—and It's About to Get Worse
Opinion: If you thought the impeachment hearings were bad, wait until attorney general William Barr's internal investigation comes to light...
UniCredit Suffers Third Breach Despite Investing Billions in Cybersecurity
Despite investing 2.4 billion euros since 2016 to upgrade its cybersecurity profile, Italian banking institution UniCredit has suffered its third recent data breach, this time impacting 3 million customers. The company said in a short data breach announcement on its website that names, telephone...
UniCredit Bank Suffers 'Data Incident' Exposing 3 Million Italian Customer Records
UniCredit, an Italian global banking and financial services company, announced today that it suffered a security incident that leaked some personal information belonging to at least 3 million of its domestic customers. Officially founded in 1870, UniCredit is Italy's biggest banking and financial...
Hostinger Suffers Data Breach – Resets Password For 14 Million Users
Popular web hosting provider Hostinger has been hit by a massive data breach, as a result of which the company has reset passwords for all customers as a precautionary measure. In a blog post published on Sunday, Hostinger revealed that "an unauthorized third party" breached one of its servers an...
Millions of Passwords leaked from Social Site Formspring
Formspring, a social Q&A website popular with teenagers,this week disabled its users' passwords after discovering a security breach. Formspring founder and CEO Ade Olonoh apologized to users for the inconvenience, and advised them to change their passwords when they log back into Formspring. A bl...
Japanese Parliament Struggling To Address Hack, Data Theft
The fallout from a targeted attack on computers belonging to members of the Japanese House of Representatives continued on Tuesday, with claims that both servers and PCs on the House network were infected with a password stealing Trojan, and reports that House members had taken to storing sensiti...
HBGary E-mails: DuPont, Other Firms Hit In Aurora Attack
Emails unearthed by the HBGary hack reveal that Chinese hackers compromised the networks of chemical company, DuPont, and more than a dozen others high profile Western firms in late 2009 as part of a wide-scale hack since dubbed “Operation Aurora.” The revelations, gleaned from leaked e-mail,...