WordPress plugin flaw puts ‘millions of websites’ at risk

WordPress users with the Advanced Custom Fields plugin on their website should upgrade after the discovery of a vulnerability in the code that could open up sites and their visitors to cross-site scripting (XSS) attacks. Essentially, it allows someone to run JavaScript within another person's view of a page, allowing the attacker to do things like steal information from the page, perform actions as the user, and so on. That's a big problem if the visitor is a logged-in administrative user, as their account could be hijacked to take over the website.

https://www.theregister.com/2023/05/08/wordpress_plugin_vulnerability/?td=rt-3a

Twitter alternative Hive shuts down its app to fix critical security issues

The team at the newly popular Twitter alternative Hive is in over its head. The company has now taken the fairly radical step of fully shutting down its servers for a couple of days in response to concerns raised by security researchers who discovered a number of critical vulnerabilities on Hive, several of which they say remain unfixed. The issues they found would allow attackers access to all data, including private posts and messages, shared media and even deleted direct messages, as well as the ability to edit other people’s Hive posts.

https://techcrunch.com/2022/12/01/twitter-alternative-hive-shuts-down-its-app-to-fix-critical-security-issues/

Overwatch 2 will no longer require legacy players to verify their phone number

“Blizzard originally made SMS Protect, which requires players to link a phone number to their Battle.net accounts, a requirement to access Overwatch as a way to make it harder for people to cheat or to troll others. It doesn’t always work with numbers associated with prepaid plans, though, and therein lies the problem. While some Mint customers were able to link their numbers to SMS Protect just fine, players on Cricket seem to be completely locked out of the game. As Kotaku reports, fans feel like they’re being punished or shamed for ‘being poor.’”

https://www.engadget.com/overwatch-2-no-longer-requires-legacy-players-verify-phone-number-114017280.html

Rockstar Games confirms GTA 6 footage leak

Rockstar Games has confirmed that it recently “suffered a network intrusion” that resulted in the massive leak of 90 videos of early development versions of Grand Theft Auto 6. The company said in an official statement on Monday morning that the intrusion resulted in “an unauthorized third party illegally” accessing and downloading “confidential information from our systems,” though it adds that they don’t anticipate this will have any effect on its ongoing live game services or development timeline.

https://techcrunch.com/2022/09/19/rockstar-games-confirms-gta-6-footage-leak/

Careless Errors in Hundreds of Apps Could Expose Troves of Data

These login credentials are often meant to give the app access to a single file or service, like a mechanism for an app to display public images from a company’s website or run text through a translation service at a user’s request. But in practice, the researchers found, these same credentials often grant access to all files stored in a cloud service, like company data, database backups, and system control components.

https://www.wired.com/story/mobile-apps-cloud-credentials-exposed/

Log4j Software Vulnerability Expected to Persist, Possibly for Months

A flaw in a widely used piece of free internet software is prompting companies to rush to update their systems and prevent cyberattacks, but the technology’s ubiquity means the threat could affect businesses for months, security researchers say.

Corporate security executives say they hurried over the weekend to assess whether and how their computer networks use the software, Log4j, while waiting for vendors to disclose the risk to their own technologies and issue software updates to mitigate the threat. The bug was disclosed Thursday.

Log4j is used on computer servers to keep records of users’ activities so they can be reviewed later by security or software development teams. The nonprofit Apache Software Foundation, a group that distributes the open-source tool at no cost, has said it has been downloaded millions of times.

https://www.wsj.com/articles/log4j-software-vulnerability-expected-to-persist-possibly-for-months-11639436434