The Python code repository was infiltrated by malware bent on data exfiltration from developer apps and more.
Threatpost
Posts tagged "code"
Malicious npm Code Packages Built for Hijacking Discord Servers
The lurking code-bombs lift Discord tokens from users of any applications that pulled the packages into their code bases.
Threatpost
Firefox 95 wants to keep itself safe from code security flaws
The latest version of Mozilla Firefox includes a welcome security upgrade that the company hopes will keep its browser safe from code-based attacks.
Available now, the desktop and mobile editions of Firefox 95 will come with RLBox technology, which looks to prevent and limit any damage caused by code security flaws or bugs.
The “novel sandboxing tool” will look to make Firefox the most secure browser option around, the company claims.
Firefox security
RLBox was developed by Mozilla alongside researchers at the University of California San Diego and the University of Texas.
The tool uses WebAssembly to isolate potentially buggy code, ensuring no possible infections or flaws are able to launch or execute without the user knowing.
Mozilla notes that although all major browsers, including Firefox, run web content in their own sandboxed process, hackers often chain together two vulnerabilities to break through: one to compromise the sandboxed process containing the malicious site, and another to escape the sandbox.
This has previously meant having to hoist subcomponents of a browser into a separate process, but this has some limitations – which is where RLBox comes in.
“Rather than hoisting the code into a separate process, we instead compile it into WebAssembly and then compile that WebAssembly into native code,” Mozilla says.
Although not suitable for every component, Mozilla says it is working on expanding the reach of RLBox as much as it can – including to other browsers. The company shipped a prototype to its Mac and Linux users to test in 2020, showing it can operate effectively across different operating systems.
“RLBox is a big win for us on several fronts: it protects our users from accidental defects as well as supply-chain attacks, and it reduces the need for us to scramble when such issues are disclosed upstream,” Mozilla's Bobby Holley wrote in a blog post announcing the news.
“This technology opens up new opportunities beyond what’s been possible with traditional process-based sandboxing, and we look forward to expanding its usage and (hopefully) seeing it adopted in other browsers and software projects.”
Imunify360 Bug Leaves Linux Web Servers Open to Code Execution, Takeover
CloudLinux’ security platform for Linux-based websites and web servers contains a high-severity PHP deserialization bug.
Threatpost
BrakTooth Bluetooth Bugs Bite: Exploit Code, PoC Released
CISA is urging vendors to patch, given the release of public exploit code & a proof of concept tool for bugs that open billions of devices – phones, PCs, toys, etc. – to DoS & code execution.
Threatpost
Critical Cisco Bugs Allow Code Execution on Wireless, SD-WAN
Unauthenticated cyberattackers can also wreak havoc on networking device configurations.
Threatpost
Bluetooth Bugs Open Billions of Devices to DoS, Code Execution
The BrakTooth set of security vulnerabilities impacts at least 11 vendors’ chipsets.
Threatpost
Why the low code industry is in for a reckoning
We spoke with OutSystems’ CEO about how traditional low code platforms fall short when it comes to meeting business needs.
GitHub open source data repository preserved in Arctic Code Vault
21TB of open source code will be kept in the Arctic World Archive in Svalbard, Norway.
After backlash, Zoom ditches snooping Facebook code from iOS app
Following the revelation by Motherboard on Friday (March 27) that video calling platform Zoom was sharing user information with Facebook via its iOS app, the popular video conferencing service has rolled out an update for iOS users.
Zoom has removed the data-sharing code from the app, telling Motherboard in a statement that the 'Login with Facebook' feature was implemented "in order to provide our users with another convenient way to access our platform".
That login feature – found on several apps – is applied by using a Facebook SDK (software development kit) that connects users of the app to Facebook's Graph API (Application Programming Interface) when the app is launched. The SDK can then share information with third parties, even if a user doesn't have a social media account with Facebook.
Facebook requires app makers to disclose this data sharing to users in their privacy policies; however, Zoom's policy made no explicit mention that the social media company would have access to user data even when there was no linked account.
Zoom says it was "recently made aware that the Facebook SDK was collecting unnecessary device data" and has since removed the code; an updated version of the iOS app is now available on the App Store.
According to Zoom's statement to Motherboard, the app did not share any sensitive information, like user names, emails and phone numbers, but "included data about users’ devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space". This coincides with Motherboard's findings from last week.
Motherboard has since tried out the updated iOS app and found that Zoom has, indeed, stopped sending data to Facebook when the app is launched.
In the 'What's New' section of the app, Zoom says that, despite the Facebook SDK being removed, users will still be able to log in with their Facebook accounts if they have one. Users have been recommended to update the app to enable the changes.
Zoom has issued an apology for the "oversight" and the company says it "takes its users’ privacy extremely seriously".