Listen to the whispers: web timing attacks that actually work
Web timing attacks are much more powerful now because HTTP/2 allows tao requests to be sent in the same packet, eliminating the network delay jitter. These attacks are being added to Burp's "param miner" and they can identify hidden parameters, WAFs, server-side injections, and more.Major Chinese hacking group ‘active to this day’ despite US efforts to stop them
Volt Typhoon hasn’t stopped — or even slowed — its hacks of U.S. critical infrastructure. So far the main deterrent is that we've also hacked China's critical infrastructure, so we've got a Mutually Assured Destruction balance.Confusion Attacks in Apache HTTP Server Let Attackers Gain Root Access Remotely
Apache HTTP Server operates through a modular design, where hundreds of small modules work together to handle HTTP requests. These modules rely on a shared request_rec structure for synchronization, communication, and data exchange. The modules’ lack of deep understanding and the absence of stringent development guidelines create gaps and inconsistencies, making the system vulnerable to potential exploitation.Creating Insecure AI Assistants With Microsoft Copilot Studio Is Easy
50,000 organizations are using Microsoft's new Copilot Creation tool to automate workflows and enable more efficient meetings. But the creation tool has many insecure defaults, including being publicly accessible without requiring authentication. Also, they could impersonate a user with ease.How to Weaponize Microsoft Copilot for Cyberattackers
Copilot, like other chatbots, is susceptible to prompt injections that enable hackers to evade its security controls. The new LOLCopilot module, part of powerpwn, performs attacks to search for data, exfiltrate it without producing logs, and socially engineer victims to phishing sites even if they don't open emails or click on links.0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices
The critical vulnerability exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices. Public websites using domains ending in ".com" are able to communicate with services running on the local network and execute arbitrary code on the visitor's host by using the address 0.0.0.0 as opposed to localhost/127.0.0.1.Trump rambles, slurs his way through Elon Musk interview. It was an unmitigated disaster.