Domain: hackread.com
Stories and comments across the archive that link to hackread.com.
Stories · 7
-
MPlayer, VLC Media Player Hit By Critical Vulnerability (hackread.com)
A critical remote code execution vulnerability has been spotted in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. "Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263 +, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis," reports Hackread. From the report: These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP, explains. An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players make sure they are updated to the latest version. -
In-Store WiFi Provider Used Starbucks Website To Generate Monero Coins (hackread.com)
hjf writes: On December 2nd, Twitter user Noah Dinkin tweeted a screenshot that showed that Starbucks' in-store "free WiFi" is using their captive portal to briefly mine the Monero cryptocurrency during the 10-second delay splash screen. Starbucks has not yet responded to the tweet, and neither has their wifi provider, Fibertel Argentina. While Dinkin mentioned that the culprit behind the scheme could be Starbucks' in-store wifi provider, it's possible that a cybercriminal could have hacked their website to place CoinHive code secretly. HackRead notes that "just a few days ago researchers identified more than 5,000 sites that were hijacked to insert CoinHive code, yet Starbucks' direct involvement is still unclear." CoinHive is a company that produces a JavaScript miner for the Monero Blockchain that you can embed in your website. Any coins mined by the browser are sent to the owner of the website. -
Hacker Steals 17 Million Zomato Users' Data, Briefly Puts It On Dark Web (hackread.com)
Waqas reports via Hack Read: Recently, HackRead found out a vendor going by the online handle of âoenclayâ is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace. The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit. Here's a screenshot of the sample data publicly shared by "nclay." Upon testing the sample data on Zomato.com's login page, it was discovered that each and every account mentioned in the list exists on Zomato. Although Zomato didn't reply to our email but in their latest blog post the company has acknowledged the breach. Here's a full preview of the blog post published by Zomato 7hours ago: "Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that's something we do diligently, without fail. We take cyber security very seriously -- if you've been a regular at Zomato for years, you'd agree." -
Hacker Steals 17 Million Zomato Users' Data, Briefly Puts It On Dark Web (hackread.com)
Waqas reports via Hack Read: Recently, HackRead found out a vendor going by the online handle of âoenclayâ is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace. The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit. Here's a screenshot of the sample data publicly shared by "nclay." Upon testing the sample data on Zomato.com's login page, it was discovered that each and every account mentioned in the list exists on Zomato. Although Zomato didn't reply to our email but in their latest blog post the company has acknowledged the breach. Here's a full preview of the blog post published by Zomato 7hours ago: "Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that's something we do diligently, without fail. We take cyber security very seriously -- if you've been a regular at Zomato for years, you'd agree." -
LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com)
Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty with password managers as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Flash forward to present time and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials, one bug affecting the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, owned by the attacker or via a compromised legitimate site. -
Ask Slashdot: Should You Use Password Managers?
New submitter informaticsDude writes: What do Slashdot users recommend regarding the use of password managers? The recent election underscored the hackability of many personal accounts. One solution is to use different passwords for every digital experience. But, of course, humans are lousy at remembering large numbers of large random strings. Another solution is to use a password manager. However, password managers have been hacked in the past, in which case you lose everything. How do Slashdot users balance the competing risks? What is a person to do? -
Texas Traffic Signs Hacked With Anti-Trump and Anti-Hillary Messages (hackread.com)
An anonymous reader writes: Someone is hacking the Texas Department of Transportation (TXDOT) electronic message boards and displaying anti-Trump and anti-Hillary messages. For example, one message read "DONALD TRUMP IS A ... SHAPE SHIFTING LIZARD!" while the other read "HILLARY FOR PRISON." The hacker appears to be a supporter of Bernie Sanders, displaying "BERNIE FOR PRESIDENT" on the message boards. One of the messages read "FREE BARRETT BROWN," an imprisoned U.S. journalist and alleged unofficial spokesperson for Anonymous. Not all the messages have been political, however. In reference to an incident in which Zookeepers shot and killed a rare gorilla after a 3-year-old boy fell into its enclosure at the Cincinnati Zoo, a message read "GORILLA DESERVED IT." The reports mention the defacing occurred a couple of weeks ago.