News

Web server threats and application attacks

• December 13, 2017 13 Dec'17

  Return of Bleichenbacher: ROBOT attack means trouble for TLS

  A team of security researchers discovered many vendors' TLS implementations are vulnerable to the Bleichenbacher oracle attack, which was first discovered 19 years ago.

• October 31, 2017 31 Oct'17

  Google Buganizer flaw reveals unpatched vulnerability details

  A security researcher earned more than $15,000 by finding three flaws in the Google Issue Tracker, aka Buganizer, which revealed details on unpatched vulnerabilities.

• October 05, 2017 05 Oct'17

  Yahoo data breach found to affect all 3 billion users

  Newly uncovered information indicated that all 3 billion users were affected by the 2013 Yahoo data breach, but Oath claimed passwords and credit card info was safe.

• September 15, 2017 15 Sep'17

  Apache Struts vulnerability blamed for Equifax data breach

  Equifax has confirmed an unpatched critical Apache Struts vulnerability was exploited in the breach that compromised the personal data of 143 million U.S. citizens.

• May 04, 2017 04 May'17

  Google Docs phishing attack grants attacker full Gmail access

  A Google Docs phishing attack abused OAuth to give malicious actors full access to a victim's Gmail account and contacts, but Google claims to have blocked the attacks.

• March 03, 2017 03 Mar'17

  Cloudflare security team calms fears over Cloudbleed bug

  Cloudflare security researchers continue investigations as CEO calms fears over potential exposure of sensitive personal data by the Cloudbleed bug, though doubts remain.

• February 24, 2017 24 Feb'17

  Project Zero discovers Cloudflare bug leaking sensitive customer data

  The Cloudflare bug in CDN is fixed after causing sensitive customer data to leak. Google Project Zero discovered the flaw, and users were warned to change passwords.

• January 26, 2017 26 Jan'17

  Heartbleed bug still found to affect 200,000 services on the web

  Researchers found the infamous Heartbleed bug is still unpatched on as many as 200,000 services connected to the internet and experts don't expect that number to change.

• December 29, 2016 29 Dec'16

  Critical PHPMailer library vulnerability patched, and repatched

  A bypass for the patch of a remote code execution vulnerability in the PHPMailer library prompted a second patch release for the popular library used by millions of websites.

• December 14, 2016 14 Dec'16

  Facebook Certificate Transparency Monitoring tool will help secure web

  A new Certificate Transparency Monitoring tool from Facebook may help webmasters track and vet TLS certificates, as well as improve integrity and security for HTTPS traffic.

• October 13, 2016 13 Oct'16

  Researchers demonstrate undetectable encryption backdoor in crypto keys

  Academic researchers show how to place undetectable encryption backdoors in cryptographic keys and passively decrypt data, which could undermine confidence in certain algorithms.

• September 28, 2016 28 Sep'16

  ICANN grinds forward on crucial DNS root zone signing key update

  Domain name system watchdog ICANN has begun the process of updating the DNS root zone signing key to strengthen DNSSEC protection against man-in-the-middle attacks.

• July 18, 2016 18 Jul'16

  Responsible disclosure of latest named vulnerability, 'httpoxy'

  Responsible disclosure wins as researchers roll out branded website for 'httpoxy,' a set of vulnerabilities in server-side web apps that use the HTTP_PROXY variable.

• May 19, 2016 19 May'16

  ImageMagick calls into question responsible disclosure reporting

  The ImageTragick bug raises questions over responsible disclosure, as the flaw in the ImageMagick image-processing library exposes millions of websites to remote code execution.

• January 29, 2016 29 Jan'16

  OpenSSL patch fixes encryption flaw and strengthens Logjam defense

  A new OpenSSL patch fixes a severe encryption flaw and strengthens the protocol against the Logjam vulnerability.