Security
Headlines
GHSA-vh3f-qppr-j97f: Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink

### Summary

The lack of sanitization of URL protocols in the `createLink.openLink` function enables the execution of arbitrary JavaScript code within the context of the parent page.

### Details

https://github.com/FrontFin/mesh-web-sdk/blob/cf013b85ab95d64c63cbe46d6cb14695474924e7/packages/link/src/Link.ts#L441

The `createLink.openLink` function takes base64-encoded links, decodes them, and then sets the resulting string as the `src` attribute of an `iframe`. The protocol part of the decoded URL is not validated, so a payload that is a valid URL, such as `javascript:alert(document.domain)//`, can be passed to the function.

### PoC

1. Extract [poc-mesh-web-sdk.zip](https://github.com/user-attachments/files/22223079/poc-mesh-web-sdk.zip)
2. Run `yarn install` and then `yarn start`
3. Paste this payload inside the input box: `amF2YXNjcmlwdDphbGVydCh3aW5kb3cucGFyZW50LmRvY3VtZW50LmJvZHkuZ2V0RWxlbWVudHNCeVRhZ05hbWUoImgyIikuaXRlbSgwKVsiaW5uZXJIVE1MIl0pLy8=`
4. Click on the _Ope...

Beware of Zelle transfer scams

Zelle scams are back, or perhaps they never went away. Here's what to look out for.

Airport Chaos Shows Human Impact of 3rd-Party Attacks

Major EU airports such as Heathrow were disrupted over the weekend after a cyberattack hit the provider of check-in kiosk software, which caused delays and flight cancellations.

⚡ Weekly Recap: Chrome 0-Day, AI Hacking Tools, DDR5 Bit-Flips, npm Worm & More

The security landscape now moves at a pace no patch cycle can match. Attackers aren’t waiting for quarterly updates or monthly fixes—they adapt within hours, blending fresh techniques with old, forgotten flaws to create new openings. A vulnerability closed yesterday can become the blueprint for tomorrow’s breach. This week’s recap explores the trends driving that constant churn: how threat

Cyberattack Disrupts Airport Check-In Systems Across Europe

Cyberattack on Collins Aerospace check-in system disrupts major European airports, causing flight delays and cancellations across hubs.

17,500 Phishing Domains Target 316 Brands Across 74 Countries in Global PhaaS Surge

The phishing-as-a-service (PhaaS) offering known as Lighthouse and Lucid has been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries. "Phishing-as-a-Service (PhaaS) deployments have risen significantly recently," Netcraft said in a new report. "The PhaaS operators charge a monthly fee for phishing software with pre-installed templates impersonating, in some cases,

GHSA-hx2h-vjw2-8r54: DragonFly has weak integrity checks for downloaded files

### Impact

DragonFly2 uses a variety of hash functions, including MD5. This algorithm does not provide collision resistance; it is secure only against preimage attacks. While these security guarantees may be enough for the DragonFly2 system, it is not completely clear whether there are any scenarios where the lack of collision resistance would compromise the system. There are no clear benefits to keeping the MD5 hash function in the system.

```golang
// Collect the per-piece MD5 digests reported for this task.
var pieceDigests []string
for i := int32(0); i < t.TotalPieces; i++ {
	pieceDigests = append(pieceDigests, t.Pieces[i].Md5)
}

// The integrity check is a SHA-256 over the MD5 strings, so it inherits
// the collision weakness of the underlying per-piece MD5 values.
digest := digest.SHA256FromStrings(pieceDigests...)
if digest != t.PieceMd5Sign {
	t.Errorf("invalid digest, desired: %s, actual: %s", t.PieceMd5Sign, digest)
	t.invalid.Store(true)
	return ErrInvalidDigest
}
```

Alice, a peer in the DragonFly2 system, creates two images: an innocent one, and one with malicious code. Both images consist of two pieces, and Alice generates the pieces ...

Can Codeless Testing Tools Detect Common Security Vulnerabilities?

Learn what Codeless Testing Tools are and how effective they are in detecting common security vulnerabilities, along with understanding their strengths and limitations.