Multiple security flaws uncovered in Sonos One wireless speakers could be potentially exploited to achieve information disclosure and remote code execution, the Zero Day Initiative (ZDI) said in a report published last week.

The vulnerabilities were demonstrated by three different teams from Qrious Secure, STAR Labs, and DEVCORE at the Pwn2Own hacking contest held in Toronto late last year, netting them $105,000 in monetary rewards.

images from Hacker News

Cybersecurity researchers are warning about CAPTCHA-breaking services that are being offered for sale to bypass systems designed to distinguish legitimate users from bot traffic.

“Because cybercriminals are keen on breaking CAPTCHAs accurately, several services that are primarily geared toward this market demand have been created,” Trend Micro said in a report published last week.

“These CAPTCHA-solving services don’t use [optical character recognition] techniques or advanced machine learning methods; instead, they break CAPTCHAs by farming out CAPTCHA-breaking tasks to actual human solvers.”

CAPTCHA – short for Completely Automated Public Turing test to tell Computers and Humans Apart – is a tool for differentiating real human users from automated users with the goal of combating spam and restricting fake account creation.

images from Hacker News

In this day and age, vulnerabilities in software and systems pose a considerable danger to businesses, which is why it is essential to have an efficient vulnerability management program in place. To stay one step ahead of possible breaches and reduce the damage they may cause, it is crucial to automate the process of finding and fixing vulnerabilities depending on the level of danger they pose. This post will discuss the fundamental approaches and tools to implement and automate risk-based vulnerability management. To make this process easier, consider using an all-in-one cloud-based solution right from the start.

images from Hacker News

A new open source remote access trojan (RAT) called DogeRAT targets Android users primarily located in India as part of a sophisticated malware campaign.

The malware is distributed via social media and messaging platforms under the guise of legitimate applications like Opera Mini, OpenAI ChatGPT, and Premium versions of YouTube, Netflix, and Instagram.

“Once installed on a victim’s device, the malware gains unauthorized access to sensitive data, including contacts, messages, and banking credentials,” cybersecurity firm CloudSEK said in a Monday report.

“It can also take control of the infected device, enabling malicious actions such as sending spam messages, making unauthorized payments, modifying files, and even remotely capturing photos through the device’s cameras.”

images from Hacker News

Researchers have discovered an inexpensive attack technique that could be leveraged to brute-force fingerprints on smartphones to bypass user authentication and seize control of the devices.

The approach, dubbed BrutePrint, bypasses limits put in place to counter failed biometric authentication attempts by weaponizing two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework.

The flaws, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), leverage logical defects in the authentication framework, which arises due to insufficient protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.

The result is a “hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking,” researchers Yu Chen and Yiling He said in a research paper. “BrutePrint acts as a middleman between fingerprint sensor and TEE [Trusted Execution Environment].”

The goal, at its core, is to be able to perform an unlimited number of fingerprint image submissions until there is a match. It, however, presupposes that a threat actor is already in possession of the target device in question.

Additionally, it requires the adversary to be in possession of a fingerprint database and a setup comprising a microcontroller board and an auto-clicker that can hijack data sent by a fingerprint sensor to pull off the attack for as low as $15.

images from Hacker News