Security
Headlines
HeadlinesLatestCVEs

Tag

#oauth

Spyware Maker NSO Group Is Paving a Path Back Into Trump’s America

The Israeli spyware maker, still on the US Commerce Department’s “blacklist,” has hired a new lobbying firm with direct ties to the Trump administration, a WIRED investigation has found.

Wired
Open in Source
#intel#asus#acer#oauth#auth
Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say

A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years.

GHSA-4f8q-mwgc-3mwc: Drupal OAuth2 Server Missing Authorization vulnerability

Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0.

GHSA-6chf-hhqf-749c: Drupal OAuth2 Client Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Drupal OAuth2 Client allows Cross Site Request Forgery. This issue affects OAuth2 Client: from 0.0.0 before 4.1.3.

Cybersecurity Professor Mysteriously Disappears as FBI Raids His Homes

Xiaofeng Wang, a longtime computer science professor at Indiana University, has disappeared along with his wife, and their profiles on the school's website were wiped ahead of recent FBI raids.

CloudSEK Disputes Oracle Over Data Breach Denial with New Evidence

Oracle is caught up in a cybersecurity mess right now, with claims about a massive data breach affecting…

GHSA-837q-jhwx-cmpv: Parse Server has an OAuth login vulnerability

### Impact The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option `auth` to configure a Parse Server authentication adapter. See the [3rd party authentication docs](https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication) for more information on which authentication providers are affected. ### Patches The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secu...

GHSA-pwhh-q4h6-w599: Spotipy's cache file, containing spotify auth token, is created with overly broad permissions

### Summary The `CacheHandler` class creates a cache file to store the auth token here: https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98 The file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. I think `600` is a sensible default. ![image](https://github.com/user-attachments/assets/0b7ebbc1-a27a-4528-ab6a-135c7886766a) ### Details This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. ### PoC Run an application that uses spotipy with client creation like this: ```python from pathlib import Path import spotipy from os import getenv def create_spotify_client(client_id: str, client_secret: str) -> spotipy.Spotify: """Create and return an auth...