»WhatsApp und Signal: Privatsphäre angreifbar, Tracker-Software verfügbar«.

Der heise-Artikel und auch der PoC auf GitHub geben leider keine Auskunft darüber, was man bei Signal einstellen kann, um das Risiko zu minimieren. Wenn es die gleiche/ähnliche Einstellung wie bei WhatsApp ist, dürfte aber helfen: Einstellungen -> Datenschutz -> Unbekannte (Nummern) blockieren: Aktivieren. (Aktuell nur beim Signal-Fork Molly verfügbar).

https://www.heise.de/news/WhatsApp-und-Signal-Privatsphaere-angreifbar-Tracker-Software-verfuegbar-11117533.html

https://github.com/Xh4H/WhatsApp-device-activity-tracker

#whatsapp #signal #vulnerability

/kuk

Linux Kernel Rust Code Sees Its First CVE Vulnerability

https://www.phoronix.com/news/First-Linux-Rust-CVE

#HackerNews #LinuxKernel #RustCVE #Vulnerability #CyberSecurity #OpenSource #TechNews

»WhatsApp und Signal: Privatsphäre angreifbar, Tracker-Software verfügbar«.

Der heise-Artikel und auch der PoC auf GitHub geben leider keine Auskunft darüber, was man bei Signal einstellen kann, um das Risiko zu minimieren. Wenn es die gleiche/ähnliche Einstellung wie bei WhatsApp ist, dürfte aber helfen: Einstellungen -> Datenschutz -> Unbekannte (Nummern) blockieren: Aktivieren. (Aktuell nur beim Signal-Fork Molly verfügbar).

https://www.heise.de/news/WhatsApp-und-Signal-Privatsphaere-angreifbar-Tracker-Software-verfuegbar-11117533.html

https://github.com/Xh4H/WhatsApp-device-activity-tracker

#whatsapp #signal #vulnerability

/kuk

Siemens reports critical flaw in IAM Client on multiple industrial products

Siemens is reporting a critical vulnerability (CVE-2025-40800) in its IAM client component affecting multiple industrial software products, which allows unauthenticated attackers to conduct man-in-the-middle attacks due to improper certificate validation. Patches are available for most affected products.

**Make sure all your industrial systems are isolated from the internet and accessible from trusted networks only. If you are using COMOS, NX, Simcenter 3D, Simcenter Femap, Solid Edge plan a quick update for them. Not an urgent thing, but don't ignore this one. Someone will find a way to hack them.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/siemens-reports-critical-flaw-in-iam-client-on-multiple-industrial-products-1-d-o-3-h/gD2P6Ple2L

Siemens reports critical flaw in IAM Client on multiple industrial products

Siemens is reporting a critical vulnerability (CVE-2025-40800) in its IAM client component affecting multiple industrial software products, which allows unauthenticated attackers to conduct man-in-the-middle attacks due to improper certificate validation. Patches are available for most affected products.

**Make sure all your industrial systems are isolated from the internet and accessible from trusted networks only. If you are using COMOS, NX, Simcenter 3D, Simcenter Femap, Solid Edge plan a quick update for them. Not an urgent thing, but don't ignore this one. Someone will find a way to hack them.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/siemens-reports-critical-flaw-in-iam-client-on-multiple-industrial-products-1-d-o-3-h/gD2P6Ple2L

Home Depot GitHub token exposed for a year, granted access to internal systems

https://techcrunch.com/2025/12/12/home-depot-exposed-access-to-internal-systems-for-a-year-says-researcher/

#HackerNews #HomeDepot #GitHubToken #SecurityBreach #InternalAccess #Vulnerability #TechNews

NextJS Security Vulnerability

https://nextjs.org/blog/CVE-2025-66478

#HackerNews #NextJS #Security #Vulnerability #NextJS #Security #Vulnerability #Cybersecurity #WebDevelopment #SoftwareSecurity #CVE2025

Reverse engineering a $1B Legal AI tool exposed 100k+ confidential files

https://alexschapiro.com/security/vulnerability/2025/12/02/filevine-api-100k

#HackerNews #ReverseEngineering #LegalAI #ConfidentialFiles #Security #Vulnerability #DataBreach

RCE Vulnerability in React and Next.js

https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp

#HackerNews #RCE #Vulnerability #in #React #and #Next.js #ReactJS #NextJS #Vulnerability #Cybersecurity #SoftwareSecurity

Okta's NextJS-0auth troubles

https://joshua.hu/ai-slop-okta-nextjs-0auth-security-vulnerability

#HackerNews #Okta #NextJS #0auth #troubles #security #vulnerability #OAuth #NextJS

Researchers discover security vulnerability in WhatsApp

https://www.univie.ac.at/en/news/detail/forscherinnen-entdecken-grosse-sicherheitsluecke-in-whatsapp

#HackerNews #WhatsApp #Security #Vulnerability #Researchers #Cybersecurity #Privacy #News

My old #Rust in #Android team just published a blog post showing Android continues to improve #security by pushing for more memory safe code: https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html

The results are amazing: Android now writes more Rust than C++, and the **Rust changes land faster** due to fewer revisions and faster code reviews. Medium and large changes are **rolled back about 4 times less** than changes written in C++.

#rustlang #cpp #productivity #safety #vulnerability

My old #Rust in #Android team just published a blog post showing Android continues to improve #security by pushing for more memory safe code: https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html

The results are amazing: Android now writes more Rust than C++, and the **Rust changes land faster** due to fewer revisions and faster code reviews. Medium and large changes are **rolled back about 4 times less** than changes written in C++.

#rustlang #cpp #productivity #safety #vulnerability

This is a reminder to everyone that security is more than just memory safety. https://www.phoronix.com/news/sudo-rs-security-ubuntu-25.10

#rust #vulnerability #sudo_rs

This is a reminder to everyone that security is more than just memory safety. https://www.phoronix.com/news/sudo-rs-security-ubuntu-25.10

#rust #vulnerability #sudo_rs

Norway reviews cybersecurity after remote-access feature found in Chinese buses

https://scandasia.com/norway-reviews-cybersecurity-after-hidden-remote-access-feature-found-in-chinese-buses/

#HackerNews #Norway #cybersecurity #Chinese #buses #remote #access #technology #vulnerability

Several months ago, I found a #vulnerability from #MantisBT - Authentication bypass for some passwords due to PHP type juggling (CVE-2025-47776).

Any account that has a password that results in a hash that matches ^0+[Ee][0-9]+$ can be logged in with a password that matches that regex as well. For example, password comito5 can be used to log in to the affected accounts and thus gain unauthorised access.

The root cause of this bug is the incorrect use of == to match the password hash:

if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password )

The fix is to use === for the comparison.

This vulnerability has existed in MantisBT ever since hashed password support was added (read: decades). MantisBT 2.27.2 and later include a fix to this vulnerability. https://mantisbt.org/download.php

#CVE_2025_47776 #infosec #cybersecurity