Hostrisk

iOS 15.3 & iPadOS 15.3 fix the Safari browser flaw that could have spilled users’ browsing data, plus a zero day IOMobileFrameBuffer bug exploited in the wild.

https://threatpost.com/apple-zero-day-security-exploited/178040/

The information-disclosure issue, affecting Macs, iPhones and iPads, allows a snooping website to find out information about other tabs a user might have open.

https://threatpost.com/apple-safari-bug-browsing-data-google-ids/177809/

Attackers can access audio and files uploaded to the MY2022 mobile app required for use by all winter games attendees – including personal health details.

https://threatpost.com/beijing-olympics-app-flaws-allow-man-in-the-middle-attacks/177748/

UniCC controlled 30 percent of the stolen payment-card data market; leaving analysts eyeing what’s next.

https://threatpost.com/carding-marketplace-unicc-shuts-down/177688/

The flaw could allow attackers to bypass Privacy preferences, giving apps with no right to access files, microphones or cameras the ability to record you or grab screenshots.

https://threatpost.com/macos-bug-snooping-microsoft/177551/

Fertility Centers of Illinois’ security measures protected electronic medical records, but the attackers still got at extremely intimate data in admin files.

https://threatpost.com/cyberattackers-data-80k-patients-fertility-centers-illinois/177467/

The Pacific Northwest hospitality stalwart is also still operationally crippled by a Dec. 12 ransomware attack.

https://threatpost.com/mcmenamins-data-breach-employee-info/177336/

Security flaws in the recently released Fisher-Price Chatter Bluetooth telephone can allow nearby attackers to spy on calls or communicate with children using the device.

https://threatpost.com/toy-christmas-spying/177288/

A look back at what was hot with readers in this second year of the pandemic.

https://threatpost.com/5-top-threatpost-stories-2021/177278/

“Owowa” stealthily lurks on IIS servers, waiting to harvest successful logins when an Outlook Web Access (OWA) authentication request is made.

https://threatpost.com/malicious-exchange-server-module-outlook-credentials/177077/

We want to know what your biggest cloud security concerns and challenges are, and how your company is dealing with them. Weigh in with our exclusive poll!

https://threatpost.com/cloud-security-challenges-poll/176702/

Cyberattackers made off with addresses, insurance information, dates of birth, and most worryingly, clinical information, such as diagnosis, procedures, and/or prescription information.

https://threatpost.com/planned-parenthood-breach-attacks/176718/

Cyberattackers had unfettered access to the technology giant’s file server for four months.

https://threatpost.com/panasonic-data-breach-questions/176660/

A temporary fix has been issued for CVE-2021-24084, which can be exploited using the LPE exploitation approach for the HiveNightmare/SeriousSAM bug.

https://threatpost.com/unpatched-windows-zero-day-privileged-file-access/176609/

Despite tight security measures by Google/Apple, cybercriminals still find ways to bypass fake app checks to plant malware on mobile devices. Dave Stewart, CEO of Approov, discusses technical approaches to defense against this.

https://threatpost.com/defend-app-impersonation/176519/

Customers of several brands that resell GoDaddy Managed WordPress have also been caught up in the big breach, in which millions of emails, passwords and more were stolen.

https://threatpost.com/godaddy-breach-widens-reseller-subsidiaries/176575/

Just weeks after a judge ruled that NSO Group did not have immunity in a suit brought by Facebook subsidiary WhatsApp, Apple is adding significant weight to the company’s woes.

https://threatpost.com/apple-nso-lawsuit-pegasus-spyware/176565/

The kingpin domain registrar has logged its fifth cyber-incident since 2018, after an attacker with a compromised password stole email addresses, SSH keys and database logins.

https://threatpost.com/godaddys-latest-breach-customers/176530/

The leak included model information, chat messages and payment details.

https://threatpost.com/adult-cam-model-user-records-exposed-stripchat-breach/176372/

Meanwhile, Zerodium’s quest to buy VPN exploits is problematic, researchers said.

https://threatpost.com/us-ban-cyberattack-tools-zerodium/175654/