Reverse engineering a $1B Legal AI tool exposed 100k+ confidential files
https://alexschapiro.com/security/vulnerability/2025/12/02/filevine-api-100k
#HackerNews #ReverseEngineering #LegalAI #ConfidentialFiles #Security #Vulnerability #DataBreach
Okta's NextJS-0auth troubles
https://joshua.hu/ai-slop-okta-nextjs-0auth-security-vulnerability
#HackerNews #Okta #NextJS #0auth #troubles #security #vulnerability #OAuth #NextJS
Researchers discover security vulnerability in WhatsApp
https://www.univie.ac.at/en/news/detail/forscherinnen-entdecken-grosse-sicherheitsluecke-in-whatsapp
#HackerNews #WhatsApp #Security #Vulnerability #Researchers #Cybersecurity #Privacy #News
My old #Rust in #Android team just published a blog post showing Android continues to improve #security by pushing for more memory safe code: https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html
The results are amazing: Android now writes more Rust than C++, and the **Rust changes land faster** due to fewer revisions and faster code reviews. Medium and large changes are **rolled back about 4 times less** than changes written in C++.
This is a reminder to everyone that security is more than just memory safety. https://www.phoronix.com/news/sudo-rs-security-ubuntu-25.10
Norway reviews cybersecurity after remote-access feature found in Chinese buses
#HackerNews #Norway #cybersecurity #Chinese #buses #remote #access #technology #vulnerability
Several months ago, I found a #vulnerability in #MantisBT: authentication bypass for some passwords due to PHP type juggling (CVE-2025-47776).
Any account whose password results in a hash matching ^0+[Ee][0-9]+$ can be logged into with any other password whose hash also matches that regex. For example, the password comito5 can be used to log in to the affected accounts and thus gain unauthorised access.
The root cause of this bug is the incorrect use of == to match the password hash:
if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password )
The fix is to use === for the comparison.
This vulnerability has existed in MantisBT ever since hashed password support was added (read: decades). MantisBT 2.27.2 and later include a fix to this vulnerability. https://mantisbt.org/download.php
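The juggling described above, shown as an added PHP example that is not MantisBT's code: the loose == comparison is placed beside a strict, constant-time hash_equals() comparison (MantisBT's own fix uses ===, which removes the juggling equally; hash_equals() is a swapped-in alternative that also avoids timing leaks). The two sample passwords are well-known "magic hash" strings whose MD5 digests have the 0e<digits> shape; plain md5() stands in for MantisBT's auth_process_plain_password(), and the "account" is constructed for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: two hash strings compared with ==. When both strings are
// numeric in PHP's eyes (e.g. "0e123" and "0e456"), == compares them as numbers,
// and 0 * 10^n == 0 * 10^m is always true.
function loose_check(string $stored_hash, string $candidate): bool
{
    return md5($candidate) == $stored_hash;
}

// Hardened pattern: strict, constant-time comparison of the two digests.
// (=== would also stop the juggling; hash_equals() additionally avoids
// short-circuit timing differences.)
function strict_check(string $stored_hash, string $candidate): bool
{
    return hash_equals($stored_hash, md5($candidate));
}

// Does a stored hash fall into the bypassable class from the advisory?
// Operators can run this over their password table to find exposed accounts.
function is_magic_hash(string $hash): bool
{
    return preg_match('/^0+[Ee][0-9]+$/', $hash) === 1;
}

// Constructed sample account. md5('QNKCDZO') is the well-known magic hash
// 0e830400451993494058024219903391.
$account_password = 'QNKCDZO';
$stored_hash      = md5($account_password);

// Attacker-supplied password with a *different* magic hash:
// md5('240610708') = 0e462097431906509019562988736854.
$attacker_password = '240610708';

printf("stored hash %s is in the bypassable class: %s\n",
    $stored_hash, var_export(is_magic_hash($stored_hash), true));
printf("loose  check (==) with attacker password:  %s\n",
    var_export(loose_check($stored_hash, $attacker_password), true));
printf("strict check with attacker password:       %s\n",
    var_export(strict_check($stored_hash, $attacker_password), true));
printf("strict check with the real password:       %s\n",
    var_export(strict_check($stored_hash, $account_password), true));
```

Run it with `php example.php`. The loose check accepts the attacker's password for the sample account while the strict check rejects it and still accepts the real password; the is_magic_hash() helper is the check to run against existing hashes when assessing exposure, since only accounts whose stored hash matches the regex are affected.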
Django Software Foundation is now a CVE Numbering Authority (CNA) assigning CVE IDs for only supported and end-of-life Django versions available at https://www.djangoproject.com/download/ and projects listed at https://github.com/django (such as Django, channels, and daphne), excluding distributions maintained by third-party redistributors.
cve.org/Media/News/item/news/2025/10/28/Django-Added-as-CNA
#CVE #CNA #Vulnerability #VulnerabilityManagement #Cybersecurity
Understanding the Worst .NET Vulnerability
#HackerNews #Understanding #.NET #Vulnerability #Request #Smuggling #CVE-2025-55315 #Cybersecurity
Security update: Hollo 0.6.12 is now available
We've released #Hollo 0.6.12 to fix a critical privacy #vulnerability where direct messages were being exposed in the replies section of public posts. Please update your instances immediately to ensure your private conversations remain private.
🍔 Just collabed with @BobTheShoplifter on a MASSIVE SECURITY BREACH: We exposed how Restaurant Brands International (Burger King, Tim Hortons, Popeyes) left their drive-thru systems etc completely vulnerable.
🎯 What we found:
• Unauthenticated API access to ALL drive-thru locations globally
• Drive-thru voice recordings of customers accessible
• Employee PII exposed.
• Bathroom feedback systems with zero auth
• Hardcoded passwords in client-side code
The scope was insane - we could access any drive-thru system globally. Even listen to your actual drive-thru orders 👂
Credit to RBI for lightning-fast response once disclosed, but the privacy implications were staggering.
Full technical breakdown: https://bobdahacker.com/blog/rbi-hacked-drive-thrus
#InfoSec #CyberSecurity #ResponsibleDisclosure #Privacy #GDPR #API #GraphQL #SecurityResearch #VulnDisclosure #RestaurantBrands #BurgerKing #TimHortons #Popeyes #vulnerability
Interesting #vulnerability research writeup (that was published a few months ago)
Compromising #OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection
https://flatt.tech/research/posts/compromising-openwrt-supply-chain-sha256-collision/#fnref:2