
19 matches found

MSRC
added 2025/11/09 12:0 a.m., 6 views

INTERN(al) MSRC variant hunting: From multi-tenant authorization to Model Context Protocol

When security researchers submit a vulnerability report to MSRC, the Vulnerabilities and Mitigations (V&M) team reviews it, reproduces the issue, and determines severity. The team reviews all submissions from internal and external security researchers...

7 AI score
Exploits: 0
RedhatCVE
added 2025/05/22 9:18 p.m., 5 views

CVE-2021-32701

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that...

7.5 CVSS, 6.8 AI score, 0.00308 EPSS
Exploits: 0, References: 1
NVD
added 2025/02/12 7:15 p.m., 22 views

CVE-2025-1146

CrowdStrike uses industry-standard TLS (transport layer security) to secure communications from the Falcon sensor to the CrowdStrike cloud. CrowdStrike has identified a validation logic error in the Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor where o...

8.1 CVSS, 0.00155 EPSS
Exploits: 0, References: 1
Cvelist
added 2025/02/12 6:27 p.m., 10 views

CVE-2025-1146 CrowdStrike Falcon Sensor for Linux TLS Issue

CrowdStrike uses industry-standard TLS (transport layer security) to secure communications from the Falcon sensor to the CrowdStrike cloud. CrowdStrike has identified a validation logic error in the Falcon sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor where o...

8.1 CVSS, 0.00155 EPSS
Exploits: 0, References: 1
Github Security Blog
added 2024/07/19 7:59 p.m., 19 views

Woodpecker's custom environment variables allow to alter execution flow of plugins

Impact The server allow to create any user who can trigger a pipeline run malicious workflows: - Those workflows can either lead to a host takeover that runs the agent executing the workflow. - Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are...

8.8 CVSS, 6.8 AI score, 0.00314 EPSS
Exploits: 0, References: 9, Affected Software: 2
Hacker One
added 2023/11/19 8:50 p.m., 11 views

X (Formerly Twitter): Bypassing x profile verification to receive instant blue checkmark and unlimited profile changes

The vulnerability allowed users to bypass the profile verification process on X by upgrading and downgrading their plan immediately after changing their profile picture. This permitted continuous profile picture changes without review...

7 AI score
Exploits: 0
Hacker One
added 2022/04/17 4:55 p.m., 16 views

Reddit: Able to approve admin approval and change effective status without adding payment details.

Summary: In https://ads.reddit.com/ you can create campaign under which you can create ads, once you create new campaign, it is on pending stage and will not be delivered unless you add payment details and is reviewed by admin and approved according to what it says here...

7 AI score
Exploits: 0
OSV
added 2021/06/04 7:9 p.m., 10 views

GHSA-PWHF-39XG-4RXW Script injection

Impact A malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user to visit the content via the TechDocs API, the content sanitization will be bypassed. If the TechDocs API is...

6.8 CVSS, 8 AI score, 0.00468 EPSS
Exploits: 0, References: 4
The Hacker News
added 2019/04/16 12:5 p.m., 53 views

Google Makes it Tough for Rogue App Developers Get Back on Android Play Store

Even after Google's security oversight over its already-huge Android ecosystem has evolved over the years, malware apps still keep coming back to Google Play Store. Sometimes just reposting an already detected malware app from a newly created Play Store account, or using other developers' existin...

6.9 AI score
Exploits: 0
FireEye
added 2016/04/04 12:30 p.m., 16 views

Rollout or Not: the Benefits and Risks of iOS Remote Hot Patching

Previously On iOS Remote Hot Patching Apple’s detailed app review process has resulted in greater security for iOS apps made available through the App Store. However, this review process can be lengthy, which negatively impacts developers who need to quickly patch a buggy or insecure app. As a...

6.7 AI score
Exploits: 0, References: 17
ThreatPost
added 2016/02/23 11:40 a.m., 23 views

Rogue Chinese iOS App Removed from App Store

Apple removed an iOS application from its Chinese iTunes App Store that allowed users of non-jailbroken iOS devices to install pirated and jailbroken apps. Researchers at Palo Alto Networks, who discovered the rogue application, said the app was not malicious, but presented a serious security ris...

6.8 AI score
Exploits: 0, References: 1
The Hacker News
added 2015/10/19 8:38 a.m., 12 views

How to Protect Yourself against XcodeGhost like iOS Malware Attacks

Recently, Chinese iOS developers have discovered a new OS X and iOS malware dubbed XcodeGhost that has appeared in malicious versions of Xcode, Apple’s official toolkit for developing iOS and OS X apps. The hack of Apple’s Xcode involves infecting the compiler with malware and then passing that...

7.3 AI score
Exploits: 0
The Hacker News
added 2015/03/17 11:32 p.m., 14 views

Google Now Manually Reviews Play Store Android App Submissions

Google has changed the way it managed apps on the Google Play Store. After years of depending on the automated app check process, the company just made some changes to its Play Store policies that will successfully weed out malicious and undesirable apps from Google Play store. Google has...

6.7 AI score
Exploits: 0
ThreatPost
added 2015/02/11 3:9 p.m., 9 views

Mozilla to Enforce Signing for Firefox Extensions Soon

In an effort to head off the problem of malicious or misbehaving browser add-ons, Mozilla is planning to require developers to have their Firefox extensions signed by the company in the near future. As much of users’ computing has moved into their browsers in the last few years, extensions and...

0.3 AI score
Exploits: 0, References: 3
The Hacker News
added 2014/02/25 8:33 p.m., 11 views

New Apple vulnerability allows Malicious keylogger App to Record User Inputs

Yet another Apple vulnerability has been exposed by security researchers, that can be exploited to track your finger's every action on iOS Devices i.e. iPhone, iPad etc. The exploit reportedly targets a flaw in iOS multitasking capabilities to capture user inputs, according to Security researcher...

6.4 AI score
Exploits: 0
ThreatPost
added 2013/11/04 2:45 p.m., 15 views

NIST Reviews Crypto Standards Development

The National Institute for Standards and Technology has taken an important step toward repairing what the National Security Agency has allegedly fractured by initiating a review of its cryptographic standards development processes. NIST-sponsored algorithms are at the heart of numerous crypto...

7.4 AI score
Exploits: 0, References: 3
ThreatPost
added 2012/04/04 7:28 p.m., 6 views

New Android Malware Variant Can Remotely Root Phone

A new version of Android malware has been tweaked so it doesn’t require user interaction for an attacker to own the device, according to research published by Lookout Mobile Security yesterday. An updated variant of the Legacy Native (LeNa) malware utilizes the GingerBreak exploit to gain root...

0.7 AI score
Exploits: 0, References: 6
ThreatPost
added 2012/02/22 8:36 p.m., 7 views

Gatekeeper and the Choice of Security for Mac Users

Context is a funny thing. In most segments of society, Apple is seen as an exemplary company, with an unrivaled record of innovation, much-admired ad campaigns and a stock price that is the envy of every company not named Google. But in the security community, Apple is regarded with some...

6.9 AI score
Exploits: 0, References: 4
ThreatPost
added 2011/11/03 4:19 p.m., 8 views

Apple to Require Mac Apps to Be Sandboxed

Apple has informed developers that, as of March 2012, any app submitted to the Mac App Store will have to include a sandbox. The move is an intriguing one from Apple, which has kept a low profile on security and typically handles Mac security on its own. The statement from Apple comes at a time...

0.2 AI score
Exploits: 0, References: 2