Hacking Apple for 3 months - 55 vulnerabilities discovered, with $288,500 in bug bounties awarded security Article 9230 words 10 votes
An exploration of Project Zero Issue 2046, a seemingly unexploitable and simple bug in the V8 JavaScript engine that turns out to be exploitable in a very complex manner security Article 6983 words 7 votes
Reversing Lyft’s ride history API to analyze 6 years worth of rides security Article 643 words, published Jul 3 2020 4 votes
GitLab Support will no longer process MFA resets for free accounts as of August 15th, 2020 - make sure you have a valid backup recovery method set up security Article 411 words 14 votes
Twilio's TaskRouter JavaScript SDK was in a world-writeable S3 bucket, and had what appears to be a precursor to a payment-card skimmer inserted for about 12 hours security Article 552 words 10 votes
How the Nintendo Switch prevents downgrades by irreparably blowing its own fuses security hardware Article 578 words 17 votes
The impending doom of expiring root Certificate Authorities and legacy clients security Article 4120 words 6 votes
Critical RCE vulnerabilities in SaltStack result in server breaches for LineageOS, Ghost, DigiCert, and more security Article 444 words 15 votes
Explanation of how a one-line change in the Windows 10 kernel enabled a sandbox escape in Chrome/Edge/Firefox security Article 3077 words 6 votes
Multiple vulnerabilities affecting the default Mail application on iOS since at least January 2018, with evidence of being exploited in targeted attacks security Article 3931 words 10 votes
The main Avast antivirus service contained a custom JavaScript interpreter, enabling wormable pre-auth RCEs. Avast has now disabled the emulator in response to a vulnerability report security Link 13 votes
Have I Been Pwned is no longer being sold, and Troy Hunt will continue running it independently security Article 4603 words 29 votes
OpenSSH 8.2 released - disables the legacy "ssh-rsa" algorithm, adds support for FIDO/U2F hardware tokens security Link 12 votes
Transparent and verifiable electronic elections are technically feasible, but the techniques used are not actually viable for running most elections—and definitely not for remote voting security Article 4355 words 5 votes
Locking down the EC2 Instance Metadata Service: Announcing imds-filterd security Article 969 words 2 votes
Multiple vulnerabilities discovered in TikTok enabling sending arbitrary links through SMS, exposing private account data, and more security Article 2034 words 11 votes
[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections security linux Article 2891 words 7 votes
Kaspersky vulnerabilities: uninstalling any Chrome extension, tracking users in incognito or different browsers, and controlling functionality with links security Article 2761 words 9 votes
Multiple Fortinet products communicate with FortiGuard services while only "encrypting" sensitive user data using XOR with a hardcoded key security privacy Article 912 words 9 votes
Bad Binder: A use-after-free exploit in Binder in the Android kernel that was being exploited in the wild security Article 2653 words 5 votes
Explanation and proof-of-concept exploitation of a vulnerability in the "docker cp" command that enabled full container escape and root control of the host security Article 1487 words 6 votes
Infectious Executable Stacks and GCC's extension that allows closures in C programming languages security Article 922 words 7 votes
Announcing GitHub Security Lab: securing the world’s code, together security open source Article 922 words 5 votes
Bytecode Alliance: Building a secure by default, composable future for WebAssembly security web development Article 5026 words 9 votes
The benefits of test-case reduction, and tools that can help do it automatically security Article 4756 words 3 votes
Chrome 0-day exploit CVE-2019-13720 used a race condition and a Use-After-Free to install persistent malware on Windows security Article 1264 words 10 votes
Cloudflare's implementation of the Network Time Security protocol, written in Rust security Article 2545 words 8 votes
Certbot usability case study: Making it easier to get HTTPS certificates security Article 6227 words 12 votes
Critical security issue identified in iTerm2 as part of Mozilla open source audit security Article 453 words 12 votes
How a double-free bug in WhatsApp for Android could be turned into a remote code execution vulnerability security Article 1104 words 6 votes
New DDoS vector observed in the wild leveraging WS-Discovery for amplification, attacks hitting 35 Gbps security Article 2577 words 11 votes