The Register

Biting the hand that feeds IT — Enterprise Technology News and Analysis
Updated: 1 hour 5 min ago

Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus

3 hours 34 min ago
A lesson in how not to respond to vulnerability reports

Vibe-coding platform Lovable is pooh-poohing a researcher’s finding that anyone could open a free account on the service and read other users' sensitive info, including credentials, chat history, and source code. However, the company’s story keeps changing: First it attributed the publicly exposed info to "intentional behavior" and "unclear documentation," then threw bug-bounty service HackerOne under the bus.…

Categories: News

Claude Desktop changes app access settings for browsers you don't even have installed yet

Mon, 20/04/2026 - 20:56
Installation and pre-approval without consent looks dubious under EU law

One app should not modify another app without asking for and receiving your explicit consent. Yet Anthropic's Claude Desktop for macOS installs files that affect other vendors' applications without disclosure, even before those applications have been installed, and authorizes browser extensions without consent.…


Scot becomes second Scattered Spider-linked crook to plead guilty in US

Mon, 20/04/2026 - 18:22
Tyler Buchanan admits role in scheme that stole at least $8 million in virtual currency

A Scottish man linked to the Scattered Spider cybercrime crew has pleaded guilty in the US to a phishing and SIM-swap scheme that stole at least $8 million in cryptocurrency.…


Microsoft releases Windows Server update fix to fix its April update fixes

Mon, 20/04/2026 - 14:15
Out-of-band or out of control?

Microsoft has pushed out an out-of-band update to address the restart loop that hit some Windows Server devices after its April update.…


Next.js developer Vercel warns of customer credential compromise

Mon, 20/04/2026 - 08:31
Blames outfit called Context.ai, which reckons an agentic OAuth tangle caused the incident

Vercel, the company that created the open source Next.js web development framework, has a data leak that led to compromise of some customer credentials, and blamed an outfit called Context.ai for the mess.…


Just like phishing for gullible humans, prompt injecting AIs is here to stay

Mon, 20/04/2026 - 00:00
Aren't we all just prompting tokens of linguistic meaning and hoping the other person isn't bullshitting us?

KETTLE  It's a week of the year, which means there's been the discovery of yet another prompt injection attack that will force supposedly well-guarded AI bots to spill secrets by asking the right way.…


I meant to do that! AI vendors shrug off responsibility for vulns

Sun, 19/04/2026 - 12:07
Passing the buck, and the blame, down the road shows lack of AI companies' maturity

OPINION  AI vendors: "You need to use AI to fight AI threats (and do everything else in your corporate IT environment)." Also AI vendors: "That's not a security flaw; it's working as intended."…


CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack

Fri, 17/04/2026 - 18:09
Bug hiding in plain sight for over a decade lands on KEV list

CISA is sounding the alarm on a newly-exploited Apache ActiveMQ bug, ordering federal agencies to patch within two weeks as attackers circle a flaw that's been quietly lurking for more than a decade.…


Opsec oopsie: Dutch navy frigate location outed by mailing it a Bluetooth tracker

Fri, 17/04/2026 - 17:31
Or, how public information and a €5 tracker exposed an avoidable opsec lapse

Militaries around the world spend countless hours training, developing policies, and implementing best operational security practices, so imagine the size of the egg on the face of the Dutch navy when journalists managed to track one of its warships for less than the cost of some hagelslag and a coffee.…


Locked-out iPhone user tells The Reg that Apple is scrambling to fix character flaw passcode bug

Fri, 17/04/2026 - 11:00
University student says he plans to move to Android, but concedes iOS engineers acting fast

Apple is finally working on a fix for a bug that has locked some users out of their iPhones for months, The Register understands.…


Claude Opus wrote a Chrome exploit for $2,283

Fri, 17/04/2026 - 08:02
Pause your Mythos panic because mainstream models anyone can use already pick holes in popular software

Anthropic withheld its Mythos bug-finding model from public release due to concerns that it would enable attackers to find and exploit vulnerabilities before anyone could react.…


Anthropic won't own MCP 'design flaw' putting 200K servers at risk, researcher says

Thu, 16/04/2026 - 23:45
Bug or feature?

A design flaw – or expected behavior based on a bad design choice, depending on who is telling the story – baked into Anthropic's official Model Context Protocol (MCP) puts as many as 200,000 servers at risk of complete takeover, according to security researchers.…


North Korea targets macOS users in latest heist

Thu, 16/04/2026 - 19:20
Social engineering: 'low-cost, hard to patch, and scales well'

North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.…


Americans who masterminded Nork IT worker fraud sentenced to 200 months behind bars

Thu, 16/04/2026 - 16:13
Fortune 500 companies and one US defense contractor got taken for $5m in four-year scam

Two Americans have been jailed for a combined 200 months for helping North Korea generate $5 million through fraudulent IT worker schemes.…


Git identity spoof fools Claude into giving bad code the nod

Thu, 16/04/2026 - 13:57
Forged metadata made AI reviewer treat hostile changes as though they came from known maintainer

Security boffins say Anthropic's Claude can be tricked into approving malicious code with just two Git commands by spoofing a trusted developer's identity.…


Textbook titan McGraw Hill on ransomware crew's reading list after 13.5M records exposed

Thu, 16/04/2026 - 12:49
Publisher claims misconfigured Salesforce-hosted page leaked data

Textbook giant McGraw Hill has landed on a ransomware crew's leak site after an alleged Salesforce-linked misconfiguration spilled 13.5 million records into the wild.…


Microsoft announces product it doesn't want you to buy: Extended security updates for old Exchange, and Skype for Biz

Thu, 16/04/2026 - 11:01
Just migrate already, would you? But if you can't, Redmond will take your cash

Microsoft will keep delivering security updates for old versions of Exchange Server and Skype for Business Server, after admitting that some customers aren't ready to make the move to newer products.…


Server-room lock was nothing but a crock

Thu, 16/04/2026 - 09:00
Your cybersecurity is only as good as the physical security of the servers

PWNED  Welcome back to Pwned, the column where we immortalize the worst vulns that organizations opened up for themselves. If you’re the kind of person who leaves your car doors unlocked with a pile of cash in the center console, this week’s story is for you.…


Google Chrome lacks protection against one of the most basic and common ways to track users online

Thu, 16/04/2026 - 01:28
Browser fingerprinting is everywhere

Google markets its Chrome browser by citing its superior safety features, but according to privacy consultant Alexander Hanff, Chrome does not protect against browser fingerprinting – a method of tracking people online by capturing technical details about their browser.…


Anthropic's Project Glasswing CVE tally is still anyone's guess

Wed, 15/04/2026 - 22:33
Like the majority of the companies participating, it remains a mystery

Last week, Anthropic surprised the world by declaring that its latest model, Mythos, is so good at finding vulns that it would create chaos if released. Now, under the title of Project Glasswing, over 50 selected companies and orgs are allowed to test the hyped up LLM to find security holes in their own products. But just how many problems have they really discovered?…
