Private Chats, Photos of Celebs Exposed in Suspected Stalkerware Leak

Private chats and photos of celebrities and influencers were exposed after a suspected stalkerware setup left a database open, revealing sensitive messages and files...

A laughing RAT: CrystalX combines spyware, stealer, and prankware features

Introduction In March 2026, we discovered an active campaign promoting previously unknown malware in private Telegram chats. The Trojan was offered as a MaaS malware‑as‑a‑service with three subscription tiers. It caught our attention because of its extensive arsenal of capabilities. On the panel...

CVE-2026-32924 OpenClaw < 2026.3.12 - Authorization Bypass via Misclassified Reaction Events in Feishu

OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chattype are misclassified as p2p conversations instead of group chats. Attackers can exploit this misclassification to bypass groupAllowFrom and requireMention protections in group...

Discourse 安全漏洞

Discourse is an open-source community discussion platform developed by Discourse. This platform includes features such as communities, email communication, and chat rooms. Versions of Discourse before 2025.12.2, 2026.1.1, and 2026.2.0 have security vulnerabilities. These vulnerabilities stem from...

CVE-2025-6792

CVE-2025-6792 affects the WordPress plugin One to one user Chat by WPGuppy. The vulnerability is due to a missing capability check on the REST endpoint /wp-json/guppylite/v2/channel-authorize, affecting all versions up to and including 1.1.4. This allows unauthenticated attackers to intercept and...

PT-2026-8061

The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to...

A week in security (February 2 &#8211; February 8)

Last week on Malwarebytes Labs: Apple Pay phish uses fake support calls to steal payment details Open the wrong "PDF" and attackers gain remote access to your PC Flock cameras shared license plate data without permission Grok continues producing sexualized images after promised fixes Firefox is...

16 Fake ChatGPT Extensions Caught Hijacking User Accounts

A coordinated campaign of 16 malicious GPT optimisers has been caught hijacking ChatGPT accounts. These tools steal session tokens to access private chats, Slack, and Google Drive files...

Millions of (very) private chats exposed by two AI companion apps

Cybernews discovered how two AI companion apps, Chattee Chat and GiMe Chat, exposed millions of intimate conversations from over 400,000 users. This is not the first time we have to write about AI "girlfriends" exposing their secrets—and it probably won't be the last. This latest incident is a...

Dark Web Roast - July 2025 Edition

Dark Web Roast - July 2025 Edition By Trellix Advanced Research Center · August 19, 2025 Executive Summary July 2025 delivered a masterclass in cybercriminal mediocrity that would make even the most charitable threat intelligence analyst weep into their coffee. After extensive hunts across the da...

5 Ways to Make Your Instant Messaging More Secure

Make sure your chats are kept as private as you want them to be...

CVE-2023-33983

The Introduction Client in Briar through 1.5.3 does not implement out-of-band verification for the public keys of introducees. An introducer can launch man-in-the-middle attacks against later private communication between two introduced parties...

SUSE CVE-2016-7553

The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from private chat conversations by reading the file...

BigBlueButton 跨站脚本漏洞

BigBlueButton is a Web conferencing system. versions prior to BigBlueButton 2.4.8 and prior to 2.5.0 have a cross-site scripting vulnerability that stems from the fact that users in private chat-enabled conferences are vulnerable to cross-site scripting attacks. An attacker could exploit the...

The EU Wants Big Tech to Scan Your Private Chats for Child Abuse

Europe’s proposed child protection laws could undermine end-to-end encryption for billions of people...

CVE-2020-35456

The Taidii Diibear Android application 2.4.0 and all its derivatives allow attackers to view private chat messages and media files via logcat because of excessive logging...

Google Play Diibear 安全漏洞

Google Play Diibear is an application from Google Play. It provides a feature that allows parents to use the application to stay in touch with the kindergarten and get information about their children's learning and play as well as kindergarten newsletters and announcements. A security...

Hackers Leak Personal Data from Hundreds of German Politicians On Twitter

Germany has been hit with the biggest hack in its history. A group of unknown hackers has leaked highly-sensitive personal data from more than 100 German politicians, including German Chancellor Angela Merkel, Brandenburg's prime minister Dietmar Woidke, along with some German artists, journalist...

New WhatsApp flaws let attackers hack chats to spread fake news

By Waqas Spreading fake news through WhatsApp was never so easy before. According to the latest research from Check Point security firm, WhatsApp users are at the risk of getting their private chats and group conversations hacked and exploited. Researchers discovered a new wave of attacks that...

CVE-2016-7553

The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from private chat conversations by reading the file...