Security Headlines

Tag: #google

Hacker in Snowflake Extortions May Be a U.S. Soldier

Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect -- a prolific hacker known as Kiberphant0m -- remains at large and continues to publicly extort victims. However, this person's identity may not remain a secret for long: A careful review of Kiberphant0m's daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.

Krebs on Security
GHSA-2xcc-vm3f-m8rw: @lobehub/chat Server Side Request Forgery vulnerability

### Summary

lobe-chat before 1.19.13 has an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.

### Details

* Visit https://chat-preview.lobehub.com/
* Click Settings -> LLM -> OpenAI
* Fill in any OpenAI API key
* Fill in the proxy address you want to attack (e.g. a domain that resolves to a local IP address, such as 127.0.0.1.xip.io). The address is concatenated with the path "/chat/completions", which can be bypassed with a hash sign, e.g. "http://172.23.0.1:8000/#"
* lobe will then echo the SSRF result

The JWT token header X-Lobe-Chat-Auth stores the proxy address and OpenAI API key; you can modify it to scan the internal network of your target lobe-web.

My Car Knows My Secrets, and I'm (Mostly) OK With That

Imagine your car gossiping to insurance companies about your lead foot, or data brokers peddling your daily coffee run. Welcome to the world of connected cars, where convenience and privacy are locked in a head-on collision.

Tips and Tools for Social Media Safety

Protect your social media presence with tools like privacy checkups, monitoring services, and digital footprint scanners. Stay secure by avoiding oversharing, limiting third-party app permissions, and using strong passwords.

GLASSBRIDGE: Google Blocks Thousands of Pro-China Fake News Sites

Google reveals GLASSBRIDGE: A network of thousands of fake news sites pushing pro-China narratives globally. These sites, run by PR firms, spread disinformation and lack transparency.

Spotify, Audible, and Amazon used to push dodgy forex trading sites and more

Cybercriminals are spamming content platforms like Spotify and Amazon with cracks, keygens, and forex trading platforms. We explain why.

Google's New Restore Credentials Tool Simplifies App Login After Android Migration

Google has introduced a new feature called Restore Credentials to help users restore their account access to third-party apps securely after migrating to a new Android device. Part of Android's Credential Manager API, the feature aims to reduce the hassle of re-entering the login credentials for every app during the handset replacement. "With Restore Credentials, apps can seamlessly onboard

99% of UAE’s .ae Domains Exposed to Phishing and Spoofing

Only 1.11% of UAE's 37,926 .ae domains have implemented DMARC, leaving most vulnerable to phishing and spoofing attacks.

Google Exposes GLASSBRIDGE: A Pro-China Influence Network of Fake News Sites

Government agencies and non-governmental organizations in the United States have become the target of a nascent China state threat actor known as Storm-2077. The adversary, believed to be active since at least January 2024, has also conducted cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services across the world, Microsoft said.