WhatsApp aimed to clear the air about its updated privacy policy after reports of mandatory data sharing with Facebook drove users to Signal and Telegram in droves.
WhatsApp is making explicit clarifications around its updated privacy policy, after reports ran amok about the messaging app mandating all-encompassing data-sharing with parent company Facebook.
The app’s new privacy policy and terms of service, which will go into effect Feb. 8, say that WhatsApp will share certain data with Facebook, along with other Facebook products. These updates, announced last week, sparked widespread ire from users, who feared WhatsApp would mandate all data, including private user data, to be shared with Facebook – and caused a mass exodus from the app onto competing apps, including Telegram and Signal.
Two security vulnerabilities, one a privilege-escalation problem and the other a stored XSS bug, afflict a WordPress plugin with 40,000 installs.
Two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder and Gutenberg site-building utilities. It allows site administrators to add features such as registration forms and widgets. The plugin, from a developer called ThemeIsle, has been installed by 400,000+ sites.
According to researchers at Wordfence, the first flaw (CVEs are pending) is an authenticated privilege-escalation flaw that carries a CVSS bug-severity score of 9.9, making it critical. Authenticated attackers with contributor level access or above can elevate themselves to administrator status and potentially take
Cisco fixed high-severity flaws tied to 67 CVEs overall, including ones found in its AnyConnect Secure Mobility Client and in its RV110W, RV130, RV130W, and RV215W small business routers.
A high-severity flaw in Cisco’s smart Wi-Fi solution for retailers could allow a remote attacker to alter the password of any account user on affected systems.
The vulnerability is part of a number of patches issued by Cisco addressing 67 high-severity CVEs on Wednesday. This included flaws found in Cisco’s AnyConnect Secure Mobility Client, as well as Cisco RV110W, RV130, RV130W, and RV215W small business routers.
The BumbleBee web shell allows APT attackers to upload and download files, and move laterally by running commands.
A webshell called BumbleBee has taken flight in an ongoing xHunt espionage campaign that has targeted Microsoft Exchange servers at Kuwaiti organizations.
According to researchers at Palo Alto Networks’ Unit 42, BumbleBee (so named because of its color scheme) was observed being used to upload and download files to and from a compromised Exchange server back in September.
“We found BumbleBee hosted on an internal Internet Information Services (IIS) web server on the same network as the compromised Exchange server, as well as on two internal IIS web servers at two other Kuwaiti organizations,” researchers explained in a Monday blog.