A security researcher says he bagged $10,000 after discovering and reporting a serious flaw in Yahoo! Mail that could have been exploited by crooks to read victims' messages.
The hacker says he reported the vulnerability in Yahoo! Mail via bug-bounty organizers HackerOne. "The impact of the bug is similar to the one I reported last year, which also brought a $10k bounty," the hacker said. "It allowed an attacker to, for example, read a victim's email."
The flaw – fixed in production late last month – could be exploited simply by tricking your target into opening a booby-trapped email. The same vulnerability could also be abused to spread malware.
The root cause of the problem was a failure to sanitize user-supplied values in dynamic content.
For this latest programming blunder, Pynnönen supplied proof-of-concept exploit code to Yahoo!'s security team in the form of an email that, when viewed, would use AJAX to read the user's inbox contents and send it to an attacker's server.
Source: www.theregister.co.uk
Sent to us by: Roy W. Nash
Anyone still using a Samsung Galaxy Note 7 has five days to return their device for a refund before Samsung kills the handset for good. Literally.
The South Korean electronics giant says that an over-the-air update set for release on December 19 will effectively brick the devices for good, shutting off all phone and data connections and preventing the Android-powered handset from accepting a recharge.
This, Samsung hopes, will kill off the 7 per cent of sold Galaxy Note 7 units that have not yet been returned for a refund.
While the Note 7 is still legal to own (so long as you're not flying), Samsung has been extremely aggressive with the voluntary recall for the fire-prone handset.
Not everyone, however, will see their Note 7 go dark on December 19. Verizon says that it will not be taking part in the mass shutdown, but will continue to request that customers bring their handsets in to swap out for a new device.
Source: www.theregister.co.uk
Sent to us by: Roy W. Nash
Fitbit, the world's bestselling wearable tech-maker, has confirmed it is buying the inventions that power Pebble's smartwatches.
However, the deal does not include any of Pebble's products, and work on several crowdfunded devices that have yet to be made has been cancelled.
Pebble said it would try to refund backers of the Time 2, Core and Time Round gadgets by March 2017.
It also warned those who already owned its gear to expect less support.
Fitbit has said that "key personnel" from Pebble would join its company. The founder of Pebble will not be among them.
The approach makes the acquisition appear to be one to obtain patents, software and personnel, leaving Pebble users in its dust.
Source: www.bbc.com
Sent to us by: Roy W. Nash
According to a group of researchers from Newcastle University, fraudsters can guess credit card numbers in as little as six seconds per attempt thanks to security gaps in Visa's network.
The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites with each attempt narrowing the possible combinations until a valid card number and expiry date are determined.
The research team says, unlike rival Mastercard, Visa does not detect the flood of requests across multiple sites.
They call it a "distributed guessing attack" and proved its effectiveness against the top 400 payment sites.
The attacks rely on card-not-present fraud, in which merchants do not require the three-digit CVV number to authorise a transaction.
The researchers said, "This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions."
The researchers say all merchants should use standard payment authorisation fields to knock out the ability for the attacks to scale.
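A cross-merchant velocity check of the kind the researchers say is missing, as an added example (not code from the article, the researchers or Visa): it flags a card whose declined attempts are spread over several merchants within one short window, while attempts at a single merchant are left to that merchant's own rate limit. The log format, thresholds and card numbers are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one authorisation attempt per line,
# fields: ISO timestamp, merchant id, card number (test value), expiry tried, result.
SAMPLE_LOG = """\
2016-12-05T10:00:00 shop01 4111111111111111 01/17 decline
2016-12-05T10:00:04 shop02 4111111111111111 02/17 decline
2016-12-05T10:00:08 shop03 4111111111111111 03/17 decline
2016-12-05T10:00:12 shop04 4111111111111111 04/17 decline
2016-12-05T10:00:16 shop05 4111111111111111 05/17 decline
2016-12-05T10:00:20 shop06 4111111111111111 06/17 approve
2016-12-05T10:02:00 shop07 4333333333333333 01/17 decline
2016-12-05T10:02:05 shop07 4333333333333333 02/17 decline
2016-12-05T10:02:10 shop07 4333333333333333 03/17 decline
2016-12-05T10:02:15 shop07 4333333333333333 04/17 decline
2016-12-05T10:02:20 shop07 4333333333333333 05/17 decline
"""

WINDOW = timedelta(seconds=60)  # assumed thresholds, tune for real traffic
MAX_ATTEMPTS = 5
MIN_MERCHANTS = 3

def parse_log(text):
    """Parse the space-separated log into (timestamp, merchant, pan, expiry, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, merchant, pan, expiry, result = line.split()
            events.append((datetime.fromisoformat(ts), merchant, pan, expiry, result))
    return events

def detect_distributed_guessing(events, window=WINDOW, max_attempts=MAX_ATTEMPTS, min_merchants=MIN_MERCHANTS):
    """Return the cards whose declines, spread over at least min_merchants
    merchants inside one sliding window, reach max_attempts."""
    declines = defaultdict(list)
    for ts, merchant, pan, _expiry, result in sorted(events):
        if result == "decline":
            declines[pan].append((ts, merchant))
    flagged = set()
    for pan, attempts in declines.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window so that attempts[start:end+1] all fall within it
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            merchants = {m for _, m in attempts[start:end + 1]}
            if end - start + 1 >= max_attempts and len(merchants) >= min_merchants:
                flagged.add(pan)
                break
    return flagged
```

Run against the sample, only the first card is flagged: its five declines span five merchants in sixteen seconds, whereas the second card's five declines all come from one merchant and fall to that merchant's own controls.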
Source: www.theregister.co.uk
Sent to us by: Roy W. Nash