Attacks & Vulnerabilities
The Not-So-Silent Type (20 minute read)
A report from Citizen Lab assessing the security of cloud-based pinyin keyboard apps from nine major vendors. The researchers found critical vulnerabilities in eight of the nine that would allow a passive network eavesdropper to recover the user's keystrokes in transit. Together with its previous report on Sogou, Citizen Lab estimates that up to one billion users are affected by these vulnerabilities.
How to Block Executable File Uploads in PHP (4 minute read)
This post explains how to prevent executable file uploads in PHP by calling a free API during the upload process that verifies the actual format of each file, so a renamed executable is not waved through on the strength of its extension. With $allow_executables set to false and, optionally, a $restrict_file_types whitelist, the API rigorously verifies accepted formats and checks the file against 17+ million virus/malware signatures, blocking executables and other threatening file types.
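As an added example that is neither the post's code nor the API it describes, the following standalone Python makes the two decisions the post delegates to the API (reject executables, enforce a format whitelist) locally, from the file's leading bytes rather than its filename or declared Content-Type. The knob names allow_executables and restrict_file_types are borrowed from the post for readability; the magic-number table and the sample uploads are constructed here, and malware-signature matching is out of scope.

```python
"""Content-based check for executable uploads (added example, not the post's API).

Decisions are made from the file's first bytes only: the declared filename and
Content-Type are never consulted, so renaming evil.exe to photo.jpg changes nothing.
"""
from __future__ import annotations

from dataclasses import dataclass

# Leading bytes of common executable containers (real, stable values).
EXECUTABLE_MAGIC: dict[str, bytes] = {
    "pe":        b"MZ",                 # Windows PE/COFF (DOS stub header)
    "elf":       b"\x7fELF",            # Linux/BSD ELF
    "macho32":   b"\xfe\xed\xfa\xce",   # Mach-O 32-bit, big-endian
    "macho64":   b"\xfe\xed\xfa\xcf",   # Mach-O 64-bit, big-endian
    "macho32le": b"\xce\xfa\xed\xfe",   # Mach-O 32-bit, little-endian
    "macho64le": b"\xcf\xfa\xed\xfe",   # Mach-O 64-bit, little-endian
    "fat":       b"\xca\xfe\xba\xbe",   # Mach-O universal binary (also Java .class)
    "script":    b"#!",                 # shebang: shell/perl/python scripts
}

# Leading bytes of formats an image/document upload endpoint might whitelist.
SAFE_MAGIC: dict[str, bytes] = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif":  b"GIF8",    # GIF87a / GIF89a
    "pdf":  b"%PDF-",
}


def detect_format(head: bytes) -> str | None:
    """Return a format label from the file's leading bytes, or None if unknown."""
    for label, magic in {**EXECUTABLE_MAGIC, **SAFE_MAGIC}.items():
        if head.startswith(magic):
            return label
    return None


def is_executable(head: bytes) -> bool:
    return detect_format(head) in EXECUTABLE_MAGIC


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    detected: str | None
    reason: str


def check_upload(head: bytes, *, allow_executables: bool = False,
                 restrict_file_types: set[str] | None = None) -> Verdict:
    """Accept or reject an upload from its first bytes.

    allow_executables / restrict_file_types mirror the two knobs the post
    describes; the names are borrowed, the logic is this example's own.
    """
    fmt = detect_format(head)
    if fmt in EXECUTABLE_MAGIC and not allow_executables:
        return Verdict(False, fmt, f"executable content ({fmt}) rejected")
    if restrict_file_types is not None and fmt not in restrict_file_types:
        return Verdict(False, fmt, f"format {fmt!r} not in whitelist")
    return Verdict(True, fmt, "accepted")


# Constructed sample uploads; the filename is deliberately misleading in three cases.
SAMPLES: dict[str, bytes] = {
    "photo.png":   b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,          # genuine PNG header
    "photo.jpg":   b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,  # PE renamed to .jpg
    "report.pdf":  b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,     # ELF renamed to .pdf
    "notes.txt":   b"#!/bin/sh\nrm -rf /\n",                     # shell script
    "avatar.webp": b"RIFF\x00\x00\x00\x00WEBPVP8 ",              # not in our table
}


def run_samples(whitelist: set[str] | None = None) -> dict[str, Verdict]:
    """Check every sample against the whitelist (default: png/jpeg/gif)."""
    if whitelist is None:
        whitelist = {"png", "jpeg", "gif"}
    return {name: check_upload(data, restrict_file_types=whitelist)
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:12s} -> {'ACCEPT' if v.accepted else 'REJECT'}: {v.reason}")
```

Only the PNG passes; the renamed PE and ELF, the shell script, and the unrecognised WebP are all rejected, the last because an unknown format is not on the whitelist. Reading only a few leading bytes is enough for the executable check, but a whitelist check on container formats such as ZIP (Office documents, JARs) needs a deeper parse than a prefix match.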
Securing millions of developers through 2FA (7 minute read)
GitHub CSO Mike Hanley writes about GitHub's initiative to strengthen software supply chain security by requiring developers to enable 2FA. The results showed a significant increase in 2FA adoption and a shift toward secure authentication methods like passkeys. GitHub continues to prioritize user experience and aims to further improve account security measures in the future.
Launches & Tools
Nagomi Security (Product Launch)
Nagomi Security has developed a proactive defense platform that helps security teams get more out of the cybersecurity tools they already have in order to identify risks, threats, and adversaries and their techniques.
BforeAI (Product Launch)
BforeAI monitors most of the internet to establish a baseline for anomaly detection, aiming to stay ahead of cyber threats and prevent attacks before they happen. It autonomously maps and predicts malicious infrastructure, giving customers a preemptive defense for their data, digital assets, users, and IT and OT networks.
Google's controversial move to kill the web cookie just got delayed until 2025 (3 minute read)
Google is further postponing its plan to phase out third-party cookies on Chrome, citing ongoing challenges in reconciling feedback from the industry, regulators, and developers. The long-delayed move to remove the small data files used for cross-site user tracking and ad targeting was originally announced in 2020 but has faced multiple delays due to significant considerations raised by various stakeholders.
Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries (5 minute read)
More than 1,000 samples of the prolific Godfather mobile banking Trojan are circulating worldwide, targeting hundreds of banking apps across dozens of countries. First spotted in 2022, Godfather can record the screen, intercept 2FA codes, initiate transfers, and more. Its developers are automatically generating new samples at scale so that each fresh variant slips past detection tuned to earlier ones.
(The) Postman Carries Lots of Secrets (6 minute read)
Postman's Public API Network is unwittingly exposing thousands of live credentials for popular SaaS and cloud providers. The exposure stems from an unclear UI, ambiguous taxonomy, and the practice of publicly forking collections that contain live API keys. Postman's basic secret scanner does not close the gap: its coverage is limited, and terminology such as the "secret" variable type is misleading, since it masks a value on screen rather than keeping it out of a publicly shared environment.
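As an added example (neither Postman's scanner nor code from the report), the following Python walks a Postman environment or collection export and flags values that match well-known credential formats, whether or not the variable is typed "secret", since that type only affects display. The two exports and the token values in them are constructed (the AWS key is the placeholder AWS uses in its own documentation), and the pattern list is illustrative rather than exhaustive.

```python
"""Scan a Postman export for live-looking credentials (added example).

Inputs follow the shape of Postman's JSON exports: environments carry a
"values" array and collections a "variable" array, each entry having
key / value / type. Both sample documents below are constructed.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Any, Iterator

# Credential formats with fixed prefixes, chosen because they rarely false-positive.
PATTERNS: dict[str, re.Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat":        re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_key":   re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "slack_token":       re.compile(r"\bxox[bap]-[0-9A-Za-z-]{10,}\b"),
}

PLACEHOLDER = re.compile(r"^\{\{[^}]+\}\}$")   # {{api_key}} is a reference, not a value


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    masked: str
    declared_secret: bool   # Postman type == "secret": UI masking, nothing more


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, str, bool]]:
    """Yield (path, string_value, declared_secret) for every string in the export.

    Variable-style entries ({"key", "value", "type"}) are recognised so the
    'secret' flag can be reported; headers, URLs and bodies are scanned as well.
    """
    if isinstance(node, dict):
        is_var = "key" in node and isinstance(node.get("value"), str)
        if is_var:
            yield f"{path}.{node['key']}", node["value"], node.get("type") == "secret"
        for k, v in node.items():
            if is_var and k == "value":
                continue
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node, False


def mask(secret: str) -> str:
    """Keep enough of the token to locate it, never enough to reuse it."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_export(doc: dict) -> list[Finding]:
    findings: list[Finding] = []
    for path, value, declared in _walk(doc):
        if PLACEHOLDER.match(value.strip()):
            continue                      # unresolved {{var}}: nothing leaks here
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(value):
                findings.append(Finding(path, kind, mask(m.group(0)), declared))
    return findings


# Constructed environment export: one real-looking key typed "secret", one typed "default".
SAMPLE_ENVIRONMENT = json.loads("""{
  "name": "prod",
  "values": [
    {"key": "base_url", "value": "https://api.example.com", "type": "default", "enabled": true},
    {"key": "api_key",  "value": "{{vault:api_key}}",       "type": "secret",  "enabled": true},
    {"key": "aws_key",  "value": "AKIAIOSFODNN7EXAMPLE",    "type": "secret",  "enabled": true},
    {"key": "gh_token", "value": "ghp_0123456789abcdefghijklmnopqrstuvwxyz", "type": "default", "enabled": true}
  ]
}""")

# Constructed collection export: a live-looking key in a collection variable, a placeholder in the header.
SAMPLE_COLLECTION = json.loads("""{
  "info": {"name": "Payments"},
  "variable": [{"key": "stripe", "value": "sk_live_51AbCdEfGhIjKlMnOpQrStUv", "type": "string"}],
  "item": [{"name": "List charges", "request": {"method": "GET",
            "url": "https://api.stripe.com/v1/charges",
            "header": [{"key": "Authorization", "value": "Bearer {{stripe}}"}]}}]
}""")


if __name__ == "__main__":
    for doc in (SAMPLE_ENVIRONMENT, SAMPLE_COLLECTION):
        for f in scan_export(doc):
            tag = "typed secret" if f.declared_secret else "typed default"
            print(f"{f.path}: {f.kind} {f.masked} ({tag})")
```

The environment yields two findings (the AWS key, despite being typed "secret", and the GitHub token), the collection one (the Stripe key sitting in a collection variable); the `{{...}}` references are correctly ignored. Run against your own exports before forking or publishing anything to a public workspace, and treat any hit as a credential to rotate, not merely to delete.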