Discover and read the best of Twitter Threads about #infosecurity

Most recent (10)

@Walmart disrupting the healthcare market and its #cybersecurity implications - #Thread 1/7

That's big news, as Walmart has the power to change this market completely

@lauralovett7 describes it accurately as a shake up in this article on @MobiHealthNews

mobihealthnews.com/news/how-retai…
With over 200M weekly customers and over 4000 stores in medically unserved communities (MUC), this retail giant’s power is enormous.

In fact it’s nothing new, as @amazon is already taking part in the healthcare market via @PillPack, their medicine delivery services. 2/7
The distribution of medical services for this market leader in the coming years will most likely involve cutting edge tech, including AI models and machine learning to allow a full transformation of required data. 3/7
Here is the full Thread for

The iOS 15 Data Experiment Part III

CONFIRMED: THE DATA LIVES ON!

#infosec #ios #iPhone #Apple #bugbountytips #infosecurity #Security
I know I was going to go deeper into the Bluetooth connections, but if I don't hold off on that I'll never finish! lol, my purpose is to prove that data still exists on your phone even though you have done a "full restore."

OTAUpdateLogs
restore_perform.txt shows the entire process
Not to deviate too much from the task, but I love how straightforward this is...

collecting logs at "/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/sysdiagnose/temp.l1OzUV/brctl"
- sending SIGINFO to cloudd
This is the thread for

The iOS 15 Experiment Part II

CONFIRMED HIDDEN BLUETOOTH DEVICE CONNECTIONS!

#infosec #ios #iPhone #Apple #bugbountytips #infosecurity #Security
As I am looking through the Diagnostics Dump I notice that my phone is already Bluetooth paired with my computer via a (cloudpaird daemon...???)

The image is a screenshot of the data

Yes, I'm showing my BT MAC address... I'm a scientist, get over it.
I wanted to show you all I was not looking at the data wrong so I ran

ideviceinfo

then I did a search for Bluetooth

The Bluetooth MAC address on my phone matched the output of ideviceinfo, so we do have a valid data set
1/How @ElevenFinance got hacked? 🧵

The exploit was possible due to a bug in emergencyBurn() function of ElevenNeverSellVault.

There is a transfer of previously deposited funds during the function call, but there is no burning of Nerve shares to account for the transfer.
2/ In other words, an attacker could double-spend Nerve shares he acquired during initial deposit to the vault.

emergencyBurn() didn’t burn 11NRV Tokens so an attacker used them in “withdrawAll()” to get additional LP Tokens in return.
3/ He burned LP Tokens on PancakeSwap getting the underlying tokens.

After repaying the flash swap, the attacker was left with the funds from burning the 11NRV Tokens a second time.

This was done on multiple vaults on ElevenFinance, marking a total loss of $4.5M.
#learn365 Day-21: GraphQL Vulnerabilities (Part-2)
1. Information Disclosure via Error Messages
- Similar to the normal information disclosure via error triggering.
- Provide malformed or unexpected input within GraphQL queries.

#BugBountyTips #appsec #infosecurity

(1/n)

- Sometimes you may observe verbose error messages revealing sensitive information.

2. GraphQL Denial of Service
- Due to an improper limit on the maximum query depth, it might be possible to perform a denial of service against the GraphQL implementation.

(2/n)

- Nest a query to unlimited depth and send this query to a GraphQL endpoint to observe anything suspicious.
- A good example: owasp-skf.gitbook.io/asvs-write-ups…

3. Insecure Direct Object Reference
- Similar to IDORs in a normal API
- A good example: owasp-skf.gitbook.io/asvs-write-ups…

(3/n)
15 Jan 2021: If you are using @WhatsApp Web, your mobile number and messages are being indexed by @Google again. Don't know why WhatsApp is still not monitoring their website and Google. This is the 3rd time.
#Infosec #Privacy #infosecurity #GDPR #Whatsapp #Privacy #Policy #Google
This time, @WhatsApp is actually using a “robots.txt” file with a “disallow all” setting, so they are instructing @Google not to index anything. Google is still indexing.
#InfoSec
Mobile Number and Messages on WhatsApp Web Is Being Indexed by Google Again. @Techna @billtoulas
technadu.com/whatsapp-web-i…
#InfoSec
Your @WhatsApp groups may not be as secure as you think they are. WhatsApp group chat invite links and user profiles have been made public on @Google again.
Story - gadgets.ndtv.com/apps/news/what…
#Infosec #Privacy #Whatsapp #infosecurity #CyberSecurity #GDPR #DataSecurity #dataprotection
WhatsApp also allows users to generate rich preview links of group chat invites that eventually may allow search engine crawlers to identify the links and then index them for future searches. This issue was apparently fixed by WhatsApp last year after becoming public.
WhatsApp statement on this -
gadgets.ndtv.com/apps/news/what…
⚠️URGENT⚠️

Hackers exploit #Solorigate supply-chain backdoor in #SolarWinds enterprise monitoring software to breach US Treasury, Commerce Department, other government agencies, and cybersecurity firm #FireEye.

Details: thehackernews.com/2020/12/us-age…

#infosec #cybersecurity #sysadmin
Citing unnamed sources, media said the latest cyberattacks against #FireEye and U.S. government agencies were the work of Russian state-sponsored #APT29 or Cozy Bear #hacking group.
According to FireEye, attackers tampered with a #software update released by #SolarWinds, which eventually led to the compromise of numerous public and private organizations around the world with #SUNBURST backdoor.

thehackernews.com/2020/12/us-age…

#infosecurity
It’s our birthday! #CISAgov was established on November 16, 2018. From elections to COVID-19 to natural disasters and more, year two has been action-packed. Let’s take a trip down memory lane…
Informed by #cyber intelligence and real-world events, we issued several insight products, providing background on #cyber threats, #vulnerabilities, and mitigation activities: cisa.gov/insights #InfoSec
One key insight was in January when we warned partners about potential Iranian retaliation against U.S. organizations—and advised them on how to assess and strengthen their physical & cyber security. This is the kind of rapid information-sharing we aim for! #InfoSecurity
WARNING 🔥 CVE-2020-1350 (CVSS 10)

A critical 17-year-old 'wormable' RCE #vulnerability affects Windows DNS Servers (2013 to 2019 editions) that could let unauthenticated hackers gain 'Domain Admin' privileges on the targeted servers.

Details — thehackernews.com/2020/07/window…

#infosec
Researchers confirm the new #Windows vulnerability, dubbed 'SigRed,' is a wormable bug, allowing attackers to launch #malware attacks that can spread from one vulnerable computer to another without any human interaction.

#cybersecurity #sysadmins #microsoft #informationsecurity
If exploited, #SigRed Windows Server #vulnerability enables hackers to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials, and eventually compromise an organization's entire IT infrastructure.

thehackernews.com/2020/07/window…