GitHub widens the scope of its bug bounty program and increases rewards


Now in its fifth year, the GitHub Security Bug Bounty has been updated to offer larger rewards to those who find bugs. At the same time, the scope of the program is being expanded and protections for researchers have been added through new Legal Safe Harbor terms.
As well as expanding the program to cover any of its "first-party services", GitHub has effectively removed any upper limit on the size of reward pay-outs for critical bugs.
KeySteal: huge macOS vulnerability can be exploited to reveal keychain passwords


A disgruntled security researcher has revealed a one-click exploit that takes advantage of a macOS vulnerability to reveal all of the passwords stored in a Mac's keychain.
Linus Henze developed an exploit tool called KeySteal that uses a 0-day bug to extract keychain passwords on macOS Mojave and older. He stresses that neither root access nor administrator privileges are required, and no password prompts are generated by the tool. Henze is not going to help Apple to fix the problem because the company does not offer a bug bounty program for macOS.
Apple apologizes for privacy-invading FaceTime bug, promises delayed software update


Apple has issued an apology for the recently discovered bug that made it possible to eavesdrop on people via FaceTime.
The company had promised that a software update would be delivered later this week, but the interim solution was to simply disable the group FaceTime feature server-side. Apple now says that the problem has been fully fixed, but a software update that re-enables the group function will not be issued until next week.
Updating from Windows 10 1803 to 1809 could disable the built-in administrator account


If you have enabled Windows 10's built-in administrator account and upgrade from build 1803 to 1809 -- that is, from the April 2018 Update to the October 2018 Update -- you will find that a bug has been introduced that disables the account.
Microsoft says that it is aware of the problem, but the company does not plan on releasing a fix for it until the end of the month.
Windows 10 bug could allow files to be overwritten, researcher shows


A security researcher has released proof-of-concept code for a zero-day exploit in Windows 10. The bug was revealed by SandboxEscaper, a researcher who has exposed Windows vulnerabilities in the past.
The latest bug makes it possible to overwrite files with arbitrary data, and while there are numerous criteria that must be met in order for the vulnerability to be exploited, it is still potentially serious. SandboxEscaper warned Microsoft about the problem on Christmas day, before publishing the PoC a couple of days later.
Following 'unusual activity' from China and Saudi Arabia, Twitter reveals user country codes may have leaked


Twitter has discovered what it describes as "unusual activity" stemming from China and Saudi Arabia. The social networking company says that it noticed a large number of enquiries involving a support API coming from individual IP addresses in the two countries.
The discovery came as Twitter investigated a bug in a support form. The problem, Twitter says, dates back to November 15, and it was fixed the next day, but a security researcher says he reported the issue two years ago. As a result of the bug, Twitter says that the country code of users' phone numbers could have been discovered by malicious actors.
Facebook API bug may have exposed 6.8 million users' private photos


Another week and yet another in a seemingly endless stream of Facebook privacy issues. The social networking giant has found itself apologizing, yet again, for leaking users' private data. This time around, an API bug meant that private photos of millions of users may have been exposed to app developers.
The bug was present for nearly two weeks and it went further than simply giving developers access to photos users had posted to their accounts -- it also exposed photos that had been uploaded but not actually posted.
Browser Reaper: exploit causes Firefox to crash


A security researcher has developed an attack that exploits a Firefox bug, making it possible to crash the web browser.
Sabri Haddouche used his Browser Reaper website to share a live test version of the exploit -- the site is also home to exploits for Chrome and Safari. The Firefox attack uses JavaScript to crash or freeze the browser, with the effect of the exploit depending on whether the browser is running on Linux, Windows or macOS.
Malware writers exploit recent Windows Task Scheduler 0-day vulnerability


It's a little over a week since a vulnerability in the Windows Task Scheduler was revealed. A patch for the 0-day has been released by third-party security firm 0patch, but there's bad news for anyone who hasn't secured their system against the threat -- malware writers are already taking advantage of the flaw.
The exploit was partly facilitated by the fact that the source code for a proof-of-concept exploit for the ALPC LPE vulnerability -- as well as a binary -- was published on GitHub. Now a group that has been named PowerPool has been spotted using the code in a malware campaign.
0patch beats Microsoft to patching Windows 10 task scheduler 0-day vulnerability


Just 24 hours after a zero-day bug in the Windows Task Scheduler was revealed by @SandboxEscaper on Twitter, the vulnerability has been patched. While Microsoft said it would "proactively update impacted devices as soon as possible", the patch has not come from the Windows-maker.
Instead, it was left to micro-patching specialists 0patch to produce a fix for the Task Scheduler ALPC Local Privilege Escalation (VU#906424) security flaw -- one that is a mere 13 bytes in size.
Privacy warning: Samsung phones are leaking photos to random contacts


If you have a Samsung Galaxy S9, S9+ or Note 8, you might want to check that your contacts haven't got hold of some of your photos. Some owners of the handsets are reporting that the Samsung Messages SMS app has been sending out images from their camera rolls to random contacts.
Worryingly, many people who were affected by the privacy-invading leaks were only made aware of the problem when their friends asked about the images they'd received -- the Messages app does not reveal that anything has been sent. Samsung says that it is aware of the issue and is investigating what is happening.
Peculiar Google bug shows your text messages in search results


Bugs found in software are often a little quirky, but the latest discovery of a bug in the Google Android app is very peculiar indeed. Use the app to perform certain searches, or make a typo when entering a URL, and you may well find that you see a list of your text messages rather than the page you were expecting.
At the moment it seems that the bug only affects Android users, with the iOS version of the Google app appearing to function normally. If you get strange results when you try to visit the1975..com or search for "zela viagens", you might want to change your app permissions as a precaution.
BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.