News


If you own an eCommerce website built on WordPress and powered by the WooCommerce plugin, then beware of a new vulnerability that could compromise your online store. Simon Scannell, a researcher at RIPS Technologies GmbH, discovered an arbitrary file deletion vulnerability in the popular WooCommerce plugin that could allow a malicious or compromised privileged user to gain full control over unpatched websites. WooCommerce is one of the most popular eCommerce plugins for WordPress, helping websites upgrade their standard blog to a powerful online store. WooCommerce powers nearly 35% of e-stores on the internet, with more than 4 million installations. The attack takes advantage of the way WordPress handles user privileges combined with a WooCommerce file deletion vulnerability, allowing an account with the “Shop Manager” role to eventually reset administrator accounts’ passwords and take complete control over the website.


In WordPress, an account with the “edit_users” capability is by default allowed to edit an administrator account and reset its password. To draw a permission-based line between an administrator and a shop manager account, the WooCommerce plugin adds some extra limitations on shop managers. However, the researcher discovered that if a WordPress admin, for some reason, disables the WooCommerce plugin, the configuration that enforced that limitation goes away, allowing Shop Manager accounts to edit and reset the password for administrator accounts. Now, according to Simon, a malicious Shop Manager can forcefully disable the WooCommerce plugin by exploiting a file deletion vulnerability that resides in the logging feature of WooCommerce.
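One defensive pattern that follows from this summary, as an added example (not code from the article, from RIPS or from WooCommerce): a must-use plugin that enforces the administrator / shop-manager boundary inside WordPress core's capability mapping, so the restriction no longer depends on WooCommerce being active. The plugin name and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Admin Edit Guard (hypothetical example)
 * Place in wp-content/mu-plugins/ so it loads regardless of which regular
 * plugins are active or have been disabled.
 */

// Meta capabilities that act on another user; the target user ID is $args[0].
const ADMIN_GUARD_USER_CAPS = [ 'edit_user', 'delete_user', 'remove_user', 'promote_user' ];

add_filter( 'map_meta_cap', 'admin_guard_map_meta_cap', 10, 4 );

/**
 * Deny non-administrators any of the above actions against an administrator
 * account, even when their role carries edit_users (as Shop Manager does).
 *
 * @param string[] $caps    Primitive capabilities WordPress mapped so far.
 * @param string   $cap     Meta capability being checked.
 * @param int      $user_id ID of the user performing the action.
 * @param array    $args    Context; $args[0] is the target user ID.
 * @return string[]
 */
function admin_guard_map_meta_cap( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, ADMIN_GUARD_USER_CAPS, true ) || empty( $args[0] ) ) {
        return $caps; // not a user-management check: leave the default mapping alone
    }

    $target = get_userdata( (int) $args[0] );
    if ( ! $target || ! in_array( 'administrator', (array) $target->roles, true ) ) {
        return $caps; // target is not an administrator
    }

    $actor = get_userdata( (int) $user_id );
    if ( $actor && in_array( 'administrator', (array) $actor->roles, true ) ) {
        return $caps; // administrators may still manage each other
    }

    // Anyone else (e.g. a Shop Manager whose WooCommerce-imposed restriction has
    // vanished because the plugin was disabled) is denied outright. Password
    // resets for another user go through edit_user, so they are covered too.
    return [ 'do_not_allow' ];
}
```

Because it lives in mu-plugins rather than in the plugin being attacked, deactivating or deleting WooCommerce does not remove the check.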


Read more here: thehackersnews.com


Our homes and cities are getting “smarter” – thermostats, video doorbells, sprinkler systems, street lights, traffic cameras, cars, all connected to the internet, collecting and transmitting useful data. And 5G superfast mobile is seen as a catalyst that will light up this massive network. But experts are queuing up to issue stark warnings about security.

“Security around IoT devices hasn’t been very good, so if they’re opened up to better connectivity they’re opened up to more hackers, too,” says Cody Brocious, education lead at security consultancy HackerOne.

The danger is that insecure devices will provide rich pickings for hackers.

Read more here: bbc.com

Researchers have spotted the first stage of a new advanced persistent threat (APT) campaign targeting mainly South Korean victims and borrowing code from the notorious Chinese hacking group Comment Crew.

Operation Oceansalt is the first time white hats have seen code associated with the group, also known as APT1, since it was outed in 2013. Crucially, that code was never made public, according to McAfee.

Read more here: infosecurity-magazine.com

Microsoft pulled the Windows 10 October 2018 Update as some users were reporting that they were missing files after the update had finished.

Later in the day, the head of the Windows Insider program, Dona Sarkar, announced that Microsoft tech support has the tools to recover the missing files. She further suggested that those users who were missing the files call Microsoft support at +1-800-MICROSOFT for assistance.

Read more here: bleepingcomputer.com

Burger chain Wendy’s is the latest employer to be hit with a potential class-action suit under Illinois’ Biometric Information Privacy Act (BIPA) for using a fingerprint-based time and attendance system allegedly without properly informing employees about how their biometric data will be stored and used, and how long it will be retained, ZDNet reports…

Read more here: biometricupdate.com

Bad actors are constantly trying to find ways to penetrate our networks. Recent attacks at LabCorp and the City of Atlanta demonstrate, however, that we are putting the welcome mat out for hackers by leaving key network ports open. This article discusses the severity of this problem, and what we can do to reduce or eliminate it…

Read more here: csoonline.com