Tag
#apple
A new report from Zimperium is alerting users about growing threats facing iOS devices, particularly those tied to…
FrigidStealer malware targets macOS users via fake browser updates, stealing passwords, crypto wallets, and notes using DNS-based data…
Did Siri record you? Apple is paying $95 million over Siri snooping allegations. Find out if you’re eligible…
A new extra-secure mode for Android 16 will let at-risk users lock their devices down.
Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor. "Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's
Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware.
### Summary

During a manual source code review, [**ARIMLABS.AI**](https://arimlabs.ai) researchers identified that the `browser_use` module includes an embedded whitelist functionality to restrict URLs that can be visited. This restriction is enforced during agent initialization. However, it was discovered that these measures can be bypassed, leading to severe security implications.

### Details

**File:** `browser_use/browser/context.py`

The `BrowserContextConfig` class defines an `allowed_domains` list, which is intended to limit accessible domains. This list is checked in the `_is_url_allowed()` method before navigation:

```python
@dataclass
class BrowserContextConfig:
    """ [STRIPPED] """

    cookies_file: str | None = None
    minimum_wait_page_load_time: float = 0.5
    wait_for_network_idle_page_load_time: float = 1
    maximum_wait_page_load_time: float = 5
    wait_between_actions: float = 1
    disable_security: bool = True
    browser_window_size: Browse...
```
Cybersecurity researchers have disclosed a series of now-patched security vulnerabilities in Apple's AirPlay protocol that, if successfully exploited, could enable an attacker to take over susceptible devices supporting the proprietary wireless technology. The shortcomings have been collectively codenamed AirBorne by Israeli cybersecurity company Oligo. "These vulnerabilities can be chained by
The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm.
A list of topics we covered in the week of April 27 to May 3 of 2025