News

From URL to UR-Hell

Short-video biz Quibi, airline JetBlue, shopping site Wish, and several other companies leaked million of people's email addresses to ad-tracking and analytics firms through HTTP request headers, it is claimed.…

'The impact is full remote command execution as root on both master and all minions'

The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker. A patch for the issues was released last night, but systems that are not set to auto-update may still be vulnerable.…

Make sure you update your software with these critical fixes

Adobe has emitted fixes for multiple remote code execution holes in Illustrator and its Bridge code.…

Slurp everyone's details and you create a hugely valuable hacker target

A group of nearly 175 UK academics has criticised the NHS's planned COVID-19 contact-tracing app for a design choice they say could endanger users by creating a centralised store of sensitive health and travel data about them.…

Ooo, double irony!

An EU-sponsored GDPR advice website run by Proton Technologies had a vulnerability that let anyone clone it and extract a MySQL database username and password.…

Case that has rumbled on since 2016 may have to be started again from scratch

The man accused of hacking LinkedIn, Dropbox and the Formspring Q&A forum, and later selling the stolen data of hundreds of millions of users, has seen his trial disrupted a third time by the coronavirus pandemic.…

Democratising mass surveillance, one snafu at a time

Exclusive  In a blunder described as "astonishing and worrying," Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.…

'The average Windows 10 PC has 14 weaponized bugs'

A study of vulnerabilities - bugs that can be a gateway for malware or allow privilege escalation by an intruder - shows that Windows platforms have the most by far, but that they also tend to be fixed quickly, compared to Linux systems or appliances like routers, printers and scanners.…

Why do it at all? Easier to audit and adapt, apparently

Analysis  The UK has decided to break with growing international consensus and insist its upcoming coronavirus contact-tracing app is run through centralised British servers – rather than follow the decentralized Apple-Google approach.…

Phone model recorded, unique ID infrequently refreshed – but Atlassian's Mike Cannnon-Brookes says use it and two million peeps agree

The design of Australia’s COVIDSafe contact-tracing app creates some unintended surveillance opportunities, according to a group of four security pros who unpacked its .APK file.…

Proof-of-concept vuln patched a week ago

A vulnerability existed in Microsoft's Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim.…

As European nations back decentralised plan that leaves data on the device until users call in sick

Apple and Google have revealed a little more about their plans to support COVID-19 contact-tracing apps and changed up some of their security plans.…

Needs bank staff to sort things out, but a certain virus means the contact centre is rather busy right now

Rabobank’s Australian outpost has messed up its Android app, leaving an unknown number of users unable to access their bank accounts on mobile devices.…

COVIDSafe application lands for Android, iOS – sans source code

Australia has released its promised COVID-19 contact-tracing app.…

Plus Office 2016, 2019 patches – and a barn-load of other security bits and bytes

Roundup  It's time to dig in to another Register security roundup.…

States can claim immunity, contractors can't, social biz argues

Attorneys for Facebook and its WhatsApp subsidiary have challenged a plea from spyware maker NSO Group to dismiss the high-level hacking case the two are fighting out, arguing it has immunity from procesution.…

L’ACEI lance le Bouclier canadien dans le but de protéger gratuitement la vie privée et la sécurité des Canadiens en ligne

The organization that oversees .CA domains, among other important internet functions, is rolling out a free Canada-wide DNS-over-HTTPS service to protect people's privacy.…

Static analyzer proves its worth with discovery of null-pointer error

A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win – it snared an exploitable flaw in OpenSSL.…

Extraordinary surveillance powers set to be injected into govt orgs

It has been called the “most extreme surveillance in the history of Western democracy.” It has not once but twice been found to be illegal. It sparked the largest ever protest of senior lawyers who called it “not fit for purpose.”…

Focus, train and engage your remote teams to stay safe, gratis

Promo  As toilet paper stocks begin to recover, we all figure out the sweet spot for our government-mandated daily walk or trot, and fence off sections of our homes from our significant others for "me time," it’s time to begin the next phase of social isolation: adjusting sensibly to our environment with an actual plan.…