GitHub has said a bug exposed some user passwords -- in plaintext. The code repository site, with more than 27 million users as of last year, sent an email to affected users Tuesday.
"During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system," said the email, received by some users. The email said that a handful of GitHub staff could have seen those passwords -- and that it's "unlikely" that any GitHub staff accessed the site's internal logs. "We have corrected this, but you'll need to reset your password to regain access to your account," the email added.Read more
Malicious app developers can secretly abuse a macOS API function to take screenshots of the user's screen and then use OCR to programmatically read the text found in the image.
The function is CGWindowListCreateImage, often utilized by Mac apps that take screenshots or live stream a user's desktop. According to Fastlane Tools founder Felix Krause, any Mac app, sandboxed or not, can access this function and secretly take screenshots of the user's screen. Krause argues that miscreants can abuse this privacy loophole and utilize CGWindowListCreateImage to take screenshots of the screen without the user's permission.Read more
If you are running Windows 10 on your PC, then there are chances that your computer contains a pre-installed 3rd-party password manager app that lets attackers steal all your credentials remotely. Starting from Windows 10 Anniversary Update, Microsoft added a new feature called Content Delivery Manager that silently installs new "suggested apps" without asking for users’ permission.
According to a blog post published Friday on Chromium Blog, Google Project Zero researcher Tavis Ormandy said he found a pre-installed famous password manager, called "Keeper," on his freshly installed Windows 10 system which he downloaded directly from the Microsoft Developer Network.Read more
If you're running macOS High Sierra, don't let anyone near your Apple Mac. It's possible for anyone to login to the Mac and get the admin level of access to change passwords, get access to all data on the main account and lock the original user out.
Fortunately, there's a fix that should solve the problem, even as Apple works to patch. First, the bug. In what may go down as one of the most embarrassing vulnerabilities in Apple history, all a "hacker" needs to do is sign in as an "Other" user, type in "root" for a username and no password. Then they're in. Experts tested the vulnerability and found it wide open, allowing a change of passwords for other accounts on the Mac.Read more
The regional internet registrar that administers IP addresses for the Asia Pacific region accidentally leaked Whois database data, including hashed passwords, forcing it to reset all passwords for objects in its Whois database.
According to Asia Pacific Network Information Center, the organization that maintains domains for the region, it experienced a technical error in June and accidentally leaked the data. APNIC was alerted to the problem on Oct. 12 when it said a security researcher from eBay’s Red Team reported that the downloadable Whois data was being republished on a third party website.Read more
One of iOS' rougher edges are the popups it produces on a regular but seemingly random basis. These popups require users to enter their Apple ID before they can install or update an app or complete some other mundane task.
The prompts have grown so common most people don't think twice about them. Mobile app developer Felix Krause makes a compelling case that these popups represent a potential security hole through which attackers can steal user credentials. In a blog post published Tuesday, he showed side-by-side comparisons, pictured above, of an official popup produced by iOS and a proof-of-concept phishing popup.Read more
Disqus has confirmed its web commenting system was hacked. The company, which builds and provides a web-based comment plugin for news websites, said that hackers stole more than 17.5 million email addresses in a data breach in July 2012.
About a third of those accounts contained passwords which has largely been deprecated in recent years in favor of stronger password scramblers. The data also contained sign-up dates and the date of the last login. Some of the exposed user information dates back to 2007. Many of the accounts don't have passwords because they signed up to the commenting tool using a third-party service.Read more
Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet.
The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security.Read more
Parliament has been hit by a cyber attack, officials at Westminster say. The "sustained" hack began on Friday night, prompting officials to disable remote access to the emails of MPs, peers and their staff as a safeguard.
The parliamentary authorities said hackers had mounted a "determined attack" on all user accounts "in an attempt to identify weak passwords". Government sources say it appeared the attack has been contained but it will "remain vigilant". A parliamentary spokeswoman said they were investigating the attack and liaising with the National Cyber Security Centre.Read more
Passwords belonging to British politicians, diplomats and senior police officers have been traded by Russian hackers, it has been reported.
Security credentials said to have belonged to tens of thousands of government officials, including 1,000 British MPs and parliamentary staff, 7,000 police employees and more than 1,000 Foreign Office staff were in the troves sold or swapped on Russian-speaking hacking sites. The majority of the passwords are said to have been compromised in a 2012 hacking raid on the business social network LinkedIn, in which millions of users' details were stolen.Read more