Technology And Cybersecurity

All articles tagged with #technology and cybersecurity

"Protect Your Google Account: Expert Tips to Thwart MultiLogin Vulnerabilities and Malware Attacks"

Originally Published 2 years ago — by Forbes

Google has advised Gmail users to sign out and back in to invalidate session tokens after the discovery of a hack that survives password changes. Attackers exploited an undocumented authentication endpoint to maintain access to Google accounts by restoring expired session cookies. Despite the persistence of the exploit, Google asserts that stolen sessions can be invalidated and recommends users enable Enhanced Safe Browsing in Chrome for additional protection. The company has taken steps to secure compromised accounts and suggests that resetting passwords and signing out of all browser profiles can help prevent unauthorized access.

"Google Accounts at Risk: OAuth Flaws and Malware Enable Unauthorized Access"

Originally Published 2 years ago — by TechSpot

A vulnerability in Google's OAuth protocol, named "MultiLogin," was exploited by a malware developer, allowing cyber-criminals to hijack Google accounts by synchronizing them across services. The exploit enables persistent access to Google services even after a password reset, by generating valid session cookies. Google has acknowledged the issue and taken steps to secure affected accounts, advising users to log out to invalidate stolen tokens and recommending the use of Enhanced Safe Browsing in Chrome for additional protection.

"Researchers Develop 'Masterkey' AI to Automate Jailbreaking of Chatbots"

Originally Published 2 years ago — by VICE

Researchers have developed an AI tool named "Masterkey" that can automate the process of jailbreaking other chatbots, finding new ways to bypass safety and content filters. This tool was trained using common jailbreak prompts and can generate new prompts with a higher success rate than previously known methods. The research aimed to help companies identify and fix vulnerabilities in chatbot systems, and the findings have been shared with affected companies for them to patch the loopholes. The study highlights the ongoing challenge of securing AI chatbots against misuse, as they do not truly understand content but rely on statistical models to generate responses.

"LastPass Mandates 12-Character Minimum for Master Passwords Post-Security Update"

Originally Published 2 years ago — by BleepingComputer

LastPass is enforcing a new security measure requiring all users to have a master password of at least 12 characters. This change, effective from April 2023 for new accounts and password resets, now extends to all accounts to enhance security following two breaches in 2022. The company will also check new or updated master passwords against a database of credentials leaked on the dark web. Additionally, LastPass faced issues with a forced multi-factor authentication re-enrollment process in May 2023. These security updates come after LastPass experienced significant breaches in 2022, which led to the theft of source code and customer vault data, and were later linked to a cryptocurrency theft totaling $4.4 million. LastPass is widely used, with over 33 million individual users and 100,000 businesses.

"Enhanced Online Privacy: Discover a Browser That Outperforms Firefox in Protection"

Originally Published 2 years ago — by ZDNet

LibreWolf is a web browser that enhances privacy and security beyond what Firefox offers. It removes tracking elements from URLs, deletes cookies and website data on closure, uses privacy-respecting search engines, and includes robust anti-fingerprinting measures. While it may break some websites that rely on tracking and fingerprinting, it's ideal for sensitive activities like banking. LibreWolf is available for Linux, macOS, and Windows, but manual updates are required for macOS and Windows. The installation process is straightforward, with additional steps for Linux users. If prioritizing online privacy is essential for you, LibreWolf could be a valuable tool.

"Securing Android Against Advanced Banking Threats That Evade Fingerprint Authentication"

Originally Published 2 years ago — by New York Post

Android users are being warned about the Chameleon banking trojan, a sophisticated malware that can bypass biometric security measures and steal PINs and banking information. The malware disguises itself as legitimate apps and can even circumvent Android 13's Restricted settings feature. To protect against this threat, users should only download apps from official stores, keep their Android system updated, install reliable antivirus software, and avoid sideloading apps. If compromised, it's advised to change passwords using another device, use identity theft protection services, contact banks, alert contacts, and consider restoring the device to factory settings.

"Google Patches Up Almost 100 Security Flaws in Android Update"

Originally Published 2 years ago — by WIRED

December saw a flurry of security updates across major tech firms. Apple patched iOS vulnerabilities, including a WebKit browser engine flaw and a kernel issue, and added protections against a Bluetooth-based attack. Google addressed nearly 100 security issues in Android, including critical Framework and System flaws, and patched an exploited Chrome zero-day vulnerability. Microsoft's Patch Tuesday was lighter, fixing over 30 vulnerabilities, including a spoofing issue in Power Platform Connector. Mozilla fixed 18 Firefox security issues, and Apache patched a critical Struts 2 framework flaw. Atlassian and SAP also released critical patches for their respective software, addressing RCE vulnerabilities and privilege escalation bugs.

"Operation Triangulation: Unprecedented iPhone Exploit Campaign Unveils Unknown Hardware Vulnerabilities"

Originally Published 2 years ago — by TechSpot

Kaspersky has uncovered details about "Triangulation," a highly sophisticated iOS spyware that exploited previously unknown Apple hardware features and zero-day vulnerabilities. The malware, which affected iPhones on iOS 15.7 and earlier, could activate without user interaction and access the device's physical memory, leaking sensitive data like microphone recordings and location. Although the latest Apple firmware patches these vulnerabilities, the origin and knowledge of the exploits used by the spyware remain a mystery, with some speculating on possible internal sources or reverse engineering by hackers. Apple has updated its devices to fix the security flaws, but the implications of the spyware's capabilities continue to raise concerns.

"Microsoft Shuts Down MSIX Protocol to Block Malware Exploits"

Originally Published 2 years ago — by TechRadar

Microsoft has taken action to disable the ms-appinstaller protocol handler by default due to its exploitation by hackers to deploy malware, including ransomware. The company observed four threat actors, including Storm-0569 and FIN7, using the handler to bypass security mechanisms and distribute malware through fake ads and phishing via Microsoft Teams. The handler is now disabled in App Installer version 1.21.3421.0 or higher to prevent further abuse. This follows previous incidents where MSIX files were used for malware distribution, highlighting ongoing cybersecurity challenges.