Security Alerts & News
by Tymoteusz A. Góral

History
#729 GoDaddy addresses blind XSS vulnerability affecting online support
Domain registrar GoDaddy fixed a vulnerability affecting systems used by its customer support agents that could have been abused to take over, modify or delete accounts.

Researcher Matthew Bryant said that a variant of cross-site scripting known as blind XSS was to blame. Bryant, himself a GoDaddy customer, wrote on his blog on Sunday that Name fields on a particular GoDaddy page accepted and stored a cross-site scripting payload. He left a generic payload behind, akin to leaving a mine that isn't triggered until someone steps on it.

As it turns out, no one stepped on the mine until Bryant needed to make a legitimate support call to GoDaddy. The rep on the phone could not access his account, and at the same time Bryant was getting email alerts that his almost-forgotten payloads had fired.
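The pattern described above, a stored Name field that only detonates when an internal support console renders it, comes down to output encoding. The following is an added illustration, not code from GoDaddy's systems or from Bryant's post: a vulnerable row renderer beside a hardened one, plus a small audit helper a defender could run over existing profile data. The record, the `probe()` marker and the function names are constructed for the example.

```javascript
// Added example (not GoDaddy's code, not from Bryant's write-up): how a
// stored "Name" field becomes a blind XSS when an internal tool renders it
// unescaped, and how entity-encoding at output time neutralises it.

// Minimal HTML entity encoder for text placed in element content or in a
// double-quoted attribute value. '&' is handled first to avoid double-encoding.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: stored fields are concatenated straight into markup,
// so whatever a customer saved runs in the support agent's browser.
function renderAccountRowUnsafe(account) {
  return `<tr><td>${account.name}</td><td>${account.email}</td></tr>`;
}

// Hardened rendering: every stored field is entity-encoded on the way out,
// regardless of what validation (if any) happened on the way in.
function renderAccountRowSafe(account) {
  return `<tr><td>${escapeHtml(account.name)}</td><td>${escapeHtml(account.email)}</td></tr>`;
}

// Constructed sample record: a profile whose Name field holds a script tag
// calling a hypothetical probe() marker, standing in for a dormant payload.
const sampleAccount = {
  name: "<script>probe()</script>",
  email: "customer@example.test",
};

// Defender-side triage: flag stored profile fields containing HTML-significant
// characters so dormant payloads can be found before an agent's browser
// renders them. Returns the emails of the flagged accounts.
function containsMarkup(value) {
  return /[<>"'&]/.test(String(value));
}

function auditAccounts(accounts) {
  return accounts
    .filter((a) => containsMarkup(a.name) || containsMarkup(a.email))
    .map((a) => a.email);
}

// Stand-alone demonstration.
console.log("unsafe:", renderAccountRowUnsafe(sampleAccount));
console.log("safe:  ", renderAccountRowSafe(sampleAccount));
console.log("flagged:", auditAccounts([sampleAccount, { name: "Jane Doe", email: "jane@example.test" }]));
```

The point of `renderAccountRowSafe` is that encoding happens at the rendering boundary of the internal tool, not only at the public form that accepted the field; a blind XSS exists precisely because the public site and the back-office view are built and reviewed separately. A templating engine that auto-escapes by default achieves the same thing without hand-written calls.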
#730 Opera launches 'free and unlimited' VPN app for iOS
#729 GoDaddy addresses blind XSS vulnerability affecting online support
#728 Police allege SWIFT technicians left Bangladesh bank vulnerable
#727 Researcher arrested after reporting pwnage hole in elections site
#726 Bucbi ransomware gets a big makeover
#725 How was this Windows Store app able to download adware to a Windows 10 PC?
#724 ImageMagick vulnerability allows for remote code execution, now patched
#723 On the monetization of crypto-ransomware
#722 Lego-driven robot programmed to hack gesture-based security
#721 Qatar National Bank suffers massive breach