Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All
Security researcher Bill Demirkapi found more than 15,000 hardcoded secrets and 66,000 vulnerable websites—all by searching overlooked data sources...
19 million plaintext passwords exposed by incorrectly configured Firebase instances
Three researchers scanned the internet for vulnerable Firebase instances, looking for personally identifiable information (PII). Firebase is a platform for hosting databases, cloud computing, and app development. It's owned by Google and was set up to help developers build and ship apps. What the...
inDrive: Host Header Injection - internal.qa.delivery.indrive.com
A vulnerability was found where the Host header was not properly validated or escaped, allowing an attacker to inject arbitrary Host header values and manipulate server-side behavior. This could allow redirection to malicious sites for phishing...
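The practical consequence of an unvalidated Host header is a URL built from it, most often the link in a password-reset e-mail, that points wherever the attacker says. The following is an added example, not code from the inDrive report: the vulnerable pattern beside a hardened one that pins the host to an allowlist. The hostnames, the `ALLOWED_HOSTS` set and the token value are assumptions made for the demo.

```python
# Added example, not from the inDrive report. Hostnames and tokens are constructed.
from urllib.parse import quote

# Assumption: the hostnames this deployment legitimately serves.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
CANONICAL_HOST = "app.example.com"


def normalize_host(host_header: str) -> str:
    """Lower-case the Host value and drop an explicit port (handles [v6]:port too)."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        return host[: host.index("]") + 1] if "]" in host else host
    return host.split(":", 1)[0]


def reset_url_unsafe(host_header: str, token: str) -> str:
    """Vulnerable pattern: whatever the client put in Host ends up in the e-mail link."""
    return f"https://{host_header}/reset?token={quote(token)}"


def reset_url_safe(host_header: str, token: str) -> str:
    """Hardened: only an allowlisted host is echoed; anything else falls back to the canonical one."""
    host = normalize_host(host_header)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}/reset?token={quote(token)}"


def host_is_allowed(headers: dict) -> bool:
    """Request-level gate: reject (HTTP 400) before any handler sees an unknown Host.
    X-Forwarded-Host is deliberately ignored; only a trusted proxy should rewrite Host."""
    return normalize_host(headers.get("Host", "")) in ALLOWED_HOSTS


if __name__ == "__main__":
    attacker = {"Host": "attacker.example", "X-Forwarded-Host": "app.example.com"}
    print(reset_url_unsafe(attacker["Host"], "t0k3n"))   # link lands on the attacker's host
    print(reset_url_safe(attacker["Host"], "t0k3n"))     # link pinned to app.example.com
    print(host_is_allowed(attacker))                     # False: request should get a 400
```

The allowlist belongs at the framework level (Django's `ALLOWED_HOSTS`, Rails' `config.hosts`, an nginx `server_name` with a catch-all default vhost returning 444), so that no handler ever has to remember to call the check.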
IBM Security Verify Access Cross-Site Scripting Vulnerability (CNVD-2022-87651)
IBM Security Verify Access (ISAM) is a product from IBM that improves user access security. It enables secure and simple access to platforms such as Web, mobile, IoT and cloud technologies through the use of risk-based access, single sign-on, integrated access management controls,...
Hackers can take over accounts you haven’t even created yet
Account hijacking has sadly become a regular, everyday occurrence. But when it comes to hijacking accounts before they are even created? That's something you'd never think possible, but it is. Two security researchers, Avinash Sudhodanan and Andrew Paverd, call this new class of attack a...
Researchers Find Backdoor in School Management Plugin for WordPress
Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites. The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out o...
Melody - A Transparent Internet Sensor Built For Threat Intelligence
Melody: Monitor the Internet's background noise. Melody is a transparent internet sensor built for threat intelligence and supported by a detection rule framework that lets you tag packets of interest for further analysis and threat monitoring. Features: Here are some key features of Melody:...
JavaScript Fraud: More Than Just Magecart and Skimming
The global pandemic has driven a sharp rise in online traffic that provides fertile ground for attackers to execute a growing number of more sophisticated client-side attacks. For example, Magecart-style attacks are used to steal sensitive information by skimming data either through a first-party...
Gener8: Clickjacking to change email address
Summary: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of the...
Open .Git Directories Leave 390K Websites Vulnerable
A scan of more than 230 million web domains worldwide has uncovered 390,000 web pages with open .git directories – a worrying state of affairs that can expose a range of sensitive information. Researcher Vladimír Smitka at Lynt Services performed the scan, starting first in his native Czech...
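The check behind a scan like this is small: request `/.git/HEAD` and decide whether what comes back is really a git HEAD file rather than a "200 OK" error page. The following is an added example and not Lynt Services' scanner; it also pulls remote URLs out of a `.git/config`, since that file is what usually leaks the repository origin and, now and then, embedded credentials. The sites, the responses in `FAKE_RESPONSES` and `SAMPLE_CONFIG` are constructed so the code runs offline; `fetch` is injected so you can pass `requests.get`-style code in practice.

```python
import re

# Added example, not Lynt Services' scanner. Sites, responses and config text are constructed.
SYMREF_RE = re.compile(r"^ref: refs/\S+$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
URL_RE = re.compile(r"^\s*url\s*=\s*(\S+)", re.MULTILINE)


def looks_like_git_head(body: str) -> bool:
    """A real HEAD is one line: a symbolic ref or a 40-hex detached commit id.
    A 200 'soft 404' HTML page fails this, which is why status alone is not enough."""
    lines = body.strip().splitlines()
    if len(lines) != 1:
        return False
    return bool(SYMREF_RE.match(lines[0]) or SHA1_RE.match(lines[0]))


def remote_urls_from_config(config_text: str):
    """Pull remote URLs out of .git/config; these leak the repo origin and sometimes credentials."""
    return URL_RE.findall(config_text)


def exposed_git_dirs(base_urls, fetch):
    """fetch(url) -> (status, body) is injected so the scan runs offline here."""
    hits = []
    for base in base_urls:
        status, body = fetch(base.rstrip("/") + "/.git/HEAD")
        if status == 200 and looks_like_git_head(body):
            hits.append(base)
    return hits


# Constructed responses standing in for the network.
FAKE_RESPONSES = {
    "https://exposed.example/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "https://detached.example/.git/HEAD": (200, "3b18e512dba79e4c8300dd08aeb37f8e728b8dad\n"),
    "https://soft404.example/.git/HEAD": (200, "<html><body><h1>Page not found</h1></body></html>"),
    "https://locked.example/.git/HEAD": (403, "Forbidden"),
}
SAMPLE_SITES = [u.rsplit("/.git", 1)[0] for u in FAKE_RESPONSES]

# Constructed .git/config with a credential embedded in the remote URL.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:hunter2@git.example.com/acme/shop.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    print(exposed_git_dirs(SAMPLE_SITES, fake_fetch))
    print(remote_urls_from_config(SAMPLE_CONFIG))
```

On the defensive side the same check makes a useful canary: run it against your own hosts after every deployment, and deny `/.git` (and `/.svn`, `/.hg`, `/.env`) at the web server rather than relying on each application.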
Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit
Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security patches were released almost two months ago. Security researcher Troy...
WordPress Users Warned of Malware Masquerading as ionCube Files
Security researchers are warning WordPress and Joomla admins of a sneaky new malware strain masquerading as legitimate ionCube files. The malware, dubbed ionCube Malware, is used by cybercriminals to create backdoors on vulnerable websites allowing them to steal data or plant more malware. In the...
A Man-in-the-Middle Attack against a Password Reset System
This is nice work: "The Password Reset MitM Attack," by Nethanel Gelernter, Senia Kalma, Bar Magnezi, and Hen Porcilan: Abstract: We present the password reset MitM (PRMitM) attack and show how it can be used to take over user accounts. The PRMitM attack exploits the similarity of the registration...
Uber: Brute Force Amplification Attack
The websites on the following hosts (newsroom.uber.com, eng.uber.com, brand.uber.com) are vulnerable to the WordPress Brute Force Amplification Attack, where an attacker can try a large number of WordPress username and password login combinations in a single HTTP request. More at...
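The amplification comes from XML-RPC's `system.multicall`: one POST to `xmlrpc.php` can carry hundreds of `wp.getUsersBlogs` calls, each with its own username and password, so per-request rate limits never trigger. The following is an added example and not code from the Uber report: `build_multicall()` constructs such a body for testing a site you own, and `multicall_auth_attempts()` is the check a WAF or a WordPress plugin would run to count the logins hidden inside one request. The credentials, the `AUTH_METHODS` set and the `max_attempts` threshold are assumptions made for the demo.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Added example, not from the Uber report. Credentials below are made up.
# Assumption: XML-RPC methods that take a username/password pair as their first two params.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "wp.getPosts", "metaWeblog.getUsersBlogs"}


def build_multicall(creds):
    """One wp.getUsersBlogs call per (user, password) pair, wrapped in system.multicall."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{escape(u)}</string></value><value><string>{escape(p)}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for u, p in creds
    )
    return ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
            "<params><param><value><array><data>" + calls + "</data></array></value></param></params></methodCall>")


def _string_value(value_el):
    """XML-RPC allows <value>text</value> as shorthand for <value><string>text</string></value>."""
    if value_el is None:
        return ""
    s = value_el.find("string")
    return (s.text if s is not None else value_el.text) or ""


def multicall_auth_attempts(body: str):
    """Return (method, username, password) for every credential-bearing call inside a system.multicall."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "methodCall" or root.findtext("methodName") != "system.multicall":
        return []
    data = root.find("params/param/value/array/data")
    attempts = []
    for value in (data.findall("value") if data is not None else []):
        struct = value.find("struct")
        if struct is None:
            continue
        method, params = None, []
        for member in struct.findall("member"):
            name = member.findtext("name")
            if name == "methodName":
                method = _string_value(member.find("value"))
            elif name == "params":
                params = [_string_value(v) for v in member.findall("value/array/data/value")]
        if method in AUTH_METHODS and len(params) >= 2:
            attempts.append((method, params[0], params[1]))
    return attempts


def should_block(body: str, max_attempts: int = 3) -> bool:
    """Policy: one request carrying more than max_attempts logins is an amplification attempt."""
    return len(multicall_auth_attempts(body)) > max_attempts


if __name__ == "__main__":
    body = build_multicall([("admin", "password"), ("admin", "123456"),
                            ("editor", "letmein"), ("admin", "qwerty")])
    for attempt in multicall_auth_attempts(body):
        print(attempt)
    print("block:", should_block(body))
```

A site that does not need multicall can remove `system.multicall` through WordPress's `xmlrpc_methods` filter; at the edge, the equivalent is a rate limiter in front of `xmlrpc.php` that counts calls inside the body rather than requests.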
WordPress FR0_theme theme Arbitrary File Download Vulnerability
Exploit for php platform in category web applications +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Title : WordPress FR0theme theme Arbitrary File Download Vulnerability Author : alieye designer Homepage : http://english.gg.go.kr/ Contact : email protected Risk : High Class: Remote...
Automattic: Open Redirect in WordPress Feed Statistics {Affected All Versions}
Hi, the Feed Statistics plugin is vulnerable to Open Redirect and affects a large number of websites, which is why it should be patched swiftly. A detailed description is given below: Tested on: WordPress 3.9.1 Vulnerable Plugin: Feed Statistics Plugin Link:...
Businesses Remain Scared of Spear-Phishing as Attackers Study Behavior
Scared is a strong word, but the reality, according to a Websense analysis by Patrik Runald, is that spear-phishers, like the ones that compromised a White House network last week, are implementing new evasion tactics, fundamentally changing their attack strategies, and revolutionizing the target...
PersianSoft SQL Injection Vulnerability
Exploit for php platform in category web applications + Author: TUNISIAN CYBER + Home: 1337day.com Inj3ct0r Exploit DataBase + Exploit Title: PersianSoft SQL Injection Vulnerability + Date: 07-09-2012 + Category: WebApp + Google Dork: intext:Powered & Designed By PersianSoft.org newsview.php?id= ...
Article Dashboard SQL Injection Vulnerability
Exploit for php platform in category web applications Exploit Title: Article Dashboard sql injection Date: 3-5-2012 Author: b0y h4ck3r Version: no more than this Category: webapps Google dork: inurl:ezineready.php?id= intext:Powered by Article Dashboard Tested on: windows7 Demo site:...
20 Famous websites vulnerable to Cross Site Scripting (XSS) Attack
20 Famous websites vulnerable to Cross Site Scripting (XSS) Attack. Most of the biggest and most famous sites have been found to be vulnerable to XSS attacks. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web...