#ios

New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three "free" downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek's design choices -- such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies -- introduce a number of glaring security and privacy risks.

News about USPS suspending shipments from China and Hong Kong may give scammers some ideas to defraud consumers

A technical overview of Cisco Talos' investigations into Google Cloud Platform Cloud Build, and the threat surface posed by the storage permission family.

**What is the version information for this release?** Microsoft Edge Version Date Released Based on Chromium Version 133.0.3065.51 2/6/2025 133.0.6943.53/54

# Partial Denial of Service (DoS) **Product:** MobSF **Version:** < 4.3.1 **CWE-ID:** CWE-1287: Improper Validation of Specified Type of Input **CVSS vector v.4.0:** 7.1 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) **CVSS vector v.3.1:** 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) **Description:** DoS in the Scans Results and iOS Dynamic Analyzer functionality **Impact:** Leveraging this vulnerability would make Scans Results and iOS Dynamic Analyzer pages unavailable. **Vulnerable component:** urls.py https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401 **Exploitation conditions:** A malicious application was uploaded to the MobSF. **Mitigation:** Check the uploaded bundle IDs against the regex. **Researcher: Oleg Surnin (Positive Technologies)** ## Research Researcher discovered zero-day vulnerability Partial Denial of Service (DoS) in MobSF in the Scans Results and iOS Dynamic Analyzer function...

**Product:** MobSF **Version:** < 4.3.1 **CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.4.0:** 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) **CVSS vector v.3.1:** 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) **Description:** Stored XSS in the iOS Dynamic Analyzer functionality. **Impact:** Leveraging this vulnerability would enable performing actions as users, including administrative users. **Vulnerable component:** `dynamic_analysis.html` https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406 **Exploitation conditions:** A malicious application was uploaded to the Correlium. **Mitigation:** Use `escapeHtml()` function on the `bundle` variable. **Researcher: Oleg Surnin (Positive Technologies)** ## Research Researcher discovered zero-day vulnerability Stored Cross-site Scripting (XSS) in ...

New research highlights how bad actors could abuse deleted AWS S3 buckets to create all sorts of mayhem, including a SolarWinds-style supply chain attack.

Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments. Enterprise security company Proofpoint said it observed campaigns using HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers with the goal of conducting ATO attacks. "Originally sourced from public

Anthropic says its Constitutional Classifiers approach offers a practical way to make it harder for bad actors to try and coerce an AI model off its guardrails.

Though Windows, iOS, and macOS users won't need to make any changes, Android users are advised to remove their Defender VPN profiles.