CVE-2022-1680

An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature available only on Premium+...

YouTube shows ads for ad blocker, financial scams

After performing local experiments for a few months, YouTube recently expanded its effort to block ad blockers. The move was immediately unpopular with some users, and raised some questions in Europe about whether it was breaking privacy laws. In addition, there are some still some fundamental...

Millions of Android Users Scammed in SMS Fraud Driven by Tik-Tok Ads

Threat actors are using malicious Android apps to scam users into signing up for a bogus premium SMS subscription service, which results in big charges accruing on their phone bills. Jakub Vavra from the threat operations team of security firm Avast uncovered the campaign, which he dubbed UltimaS...

GitLab: Stored XSS in merge request creation page through payload in approval rule name

Summary Hi GitLab team, I found a stored XSS in merge request creation page caused by a payload in the name of an "approval rule". Adding approval rules is a feature that is unlocked for premium subscriptions or above. This does not seem to block it from being used against regular users on for...

SMS Trojan Found in Several Android Apps

Google has removed a group of mobile phone applications from its Android Market after it was discovered that the applications contained code that could be used to send SMS Short Message Service spam. Google’s action came after a security firm in Taiwan published a security alert about the apps on...