#git

Security researchers have discovered billions of exposed records online, calling it the "mother of all breaches". Check what data of yours has been exposed online with our free tool.

By Uzair Amir In today’s ever-evolving cyberspace, organizations face an ever-increasing number of cyber threats. Malicious actors are constantly seeking to… This is a post from HackRead.com Read the original post: Data Security: Leveraging AI for Enhanced Threat Detection and Prevention

### Summary API endpoint `/api/v1/watch/<uuid>/history` can be accessed by any unauthorized user. ### Details WatchHistory resource does not have `@auth.check_token` annotation, which means it can be accessed without providing `x-api-key` header. https://github.com/dgtlmoon/changedetection.io/blob/9510345e01ea8e308c339163d8e8b030ce5ac7f1/changedetectionio/api/api_v1.py#L129-L156 ### PoC 1. Get list of watch with `x-api-key`: ```sh $ curl -H "x-api-key: apikeyhere" http://localhost:5000/api/v1/watch {"uuid": ...} ``` 2. Call for history of snapshots without `x-api-key`. Expected - 401/403 error. Actual - list of snapshots is listed. ```sh $ curl http://localhost:5000/api/v1/watch/uuid/history {"timestamp": "/path/to/snapshot.txt"} ``` ### Impact Anybody can check one's watch history. However, because unauthorized party first needs to know watch UUID, and the watch history endpoint itself returns only paths to the snapshot on the server, an impact on users' data privacy is minima...

### Impact If a user should not be able to see a record, but that record can be added to a `GridField` using the `GridFieldAddExistingAutocompleter` component, the record's title can be accessed by that user. ### References - https://www.silverstripe.org/download/security-releases/CVE-2023-48714

Cracked software have been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data. Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware's ability to infect Macs on both Intel and

By Deeba Ahmed TeamViewer has been identified as the access point in two separate ransomware attacks targeting different companies. This is a post from HackRead.com Read the original post: TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware

python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the `ecdsa.SigningKey.sign_digest()` API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery. Both ECDSA signatures, key generation, and ECDH operations are affected. ECDSA signature verification is unaffected. The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.

### Impact When using `tuitse_html` without quoting the input, there is a html injection vulnerability. It should use the django version `django.utils.html.format_html`, instead of `string.format()` ### Patches Upgrade to version 1.3.2. ### Workarounds Sanitizing Taigi input with HTML quotation. ### References https://github.com/i3thuan5/TuiTse-TsuSin/pull/22

By Waqas The latest Trezor data breach places users at risk of phishing scams, potentially leading to the theft of additional login credentials. This is a post from HackRead.com Read the original post: Trezor Data Breach Exposes Email and Names of 66,000 Users

Apple’s iOS 17.3 introduces Stolen Device Protection to iPhones, which could stop phone thieves from taking over your accounts. Here’s how to enable it right now.