9073 matches found
Design/Logic Flaw
The GoogleAuthUtil.getToken method in the Google Play services SDK before 2015 sets parameters in OAuth token requests upon finding a corresponding opt parameter in the Bundle extras argument, which allows attackers to bypass an intended consent dialog and retrieve tokens for arbitrary OAuth scop...
CVE-2014-7922
CVE-2014-7922 involves the GoogleAuthUtil.getToken method in the Google Play services SDK prior to 2015. The vulnerability arises when the code sets parameters in OAuth token requests after detecting a corresponding opt parameter in the Bundle extras argument, enabling a crafted application to by...
Hackers Can Remotely Install Malware Apps to Your Android Device
Security researchers have warned of a pair of vulnerabilities in the Google Play Store that could allow cyber crooks to install and launch malicious applications remotely on Android devices. Tod Beardsley, technical lead for the Metasploit Framework at Rapid7, warns that an X-Frame-Options (XFO)...
Google Play Bug Can Allow Code Execution
Using a combination of vulnerabilities in the Google Play store and the Android stock browser, attackers can install malicious apps remotely on some Android devices. The attack is the result of a failure on the part of Google’s Play Store Web application to completely enforce the X-Frame-Options...
Android Browser RCE Through Google Play Store XFO
This module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4. Second, th...
Adware Android Apps Found in Google Play With Millions of Downloads
With the rise in mobile market, last year we have seen sharp growth in malicious 'adware' — the most prevalent mobile threat in the world. And now, security researchers have once again found Google Play Store offering malicious apps that are infecting millions of Android users with adware. It’s n...
Google Offers Bug Bounty Vulnerability Research Grants
Google last week announced that it has instituted a program for 2015 in which researchers can receive up to 3,133.70 in grant money for bug hunting. Researchers must apply for the grants, which will be an up-front award that will be paid out before a bug is submitted, Google said. “Researchers’...
I-O DATA DEVICE NP-BBRM Denial of Service Vulnerability
The I-O DATA DEVICE NP-BBRM is a router product from I-O DATA DEVICE (Japan). A security vulnerability exists in the I-O DATA DEVICE NP-BBRM router. A remote attacker can exploit this vulnerability by sending UPnP requests to cause a denial of service (SSDP reflection)...
Google Engineer Explains Company's Decision Not to Patch Bug in Older Android Versions
Google has taken quite a bit of heat in recent weeks for its decision not to patch a vulnerability in the WebView component of Android in older versions, leaving hundreds of millions of users exposed to potential attacks. Now, a Google engineer is explaining the company’s reasoning, saying that...
NP-BBRM vulnerable in UPnP functionality
Overview NP-BBRM provided by I-O DATA DEVICE, INC. is a LAN router. NP-BBRM contains a vulnerability in the UPnP functionality. Impact The device may be used in a DDoS attack, as a SSDP reflector. Solution Disable UPnP Disable UPnP functionality from the management configuration in the settings...
GCHQ Releases 'Cryptoy' App for Kids to Teach Encryption
British government surveillance agency GCHQ – counterpart of NSA – has fired-up another debate over the Internet by launching Android application to encourage teenagers to tackle emerging cybersecurity threats. The newly launched Android app, dubbed "Cryptoy", was developed by STEM science,...
Android Malware Installs Pirated Assassin's Creed App
A pirated version of the Assassin’s Creed application for Android is bundled with malware, according to security-as-a-service firm Zscaler. Assassin’s Creed is a popular, open-world series of adventure games available in various iterations on the XBOX, PlayStation, PC and other gaming...
CVE-2014-4880
Buffer overflow in Hikvision DVR DS-7204 Firmware 2.2.10 build 131009, and other models and versions, allows remote attackers to execute arbitrary code via an RTSP PLAY request with a long Authorization header...
CVE-2014-4880
CVE-2014-4880 describes a buffer overflow in Hikvision DVR RTSP handling that enables remote code execution. The NVD entry notes a vulnerability in Hikvision DVR DS-7204 firmware (2.2.10 build 131009) and other models, exploitable via a long RTSP PLAY request with an oversized Authorization heade...
[SECURITY] Fedora 20 Update: deluge-1.3.10-1.fc20
Deluge is a new BitTorrent client, created using Python and GTK+. It is intended to bring a native, full-featured client to Linux GTK+ desktop environments such as GNOME and XFCE. It supports features such as DHT (Distributed Hash Tables), PEX (µTorrent-compatible Peer Exchange), and UPnP...
CVE-2014-6980
The LINE PLAY aka jp.naver.lineplay.android application 2.3.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...