Listen to the whispers: web timing attacks that actually work
Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them.
Threat Intelligence Feed
Aggregating 4292 articles from trusted cybersecurity sources
Latest News
Fickle PDFs: exploiting browser rendering discrepancies
Imagine the CEO of a random company receives an email containing a PDF invoice file. In Safari and MacOS Preview, the total price displayed is £399.
A hacking hat-trick: previewing three PortSwigger Research publications coming to DEF CON & Black Hat USA
We're delighted to announce three major research releases from PortSwigger Research will be published at both Black Hat USA and DEF CON 32.
onwebkitplaybacktargetavailabilitychanged?! New exotic events in the XSS cheat sheet
The power of our XSS cheat sheet is we get fantastic contributions from the web security community and this update is no exception.
Firefox will upgrade more Mixed Content in Version 127
Most of the web already supports HTTPS: In fact, 93% of requests made by Firefox are already HTTPS. As a reminder, HTTP over TLS (HTTPS) fixes the security s...
Refining your HTTP perspective, with bambdas
When you open a HTTP request or response, what do you instinctively look for? Suspicious parameter names?
Introducing SignSaboteur: forge signed web tokens with ease
Signed web tokens are widely used for stateless authentication and authorization throughout the web.
Rapidly Leveling up Firefox Security
At Mozilla, we believe in an open web that is safe to use. To that end, we improve and maintain the security of people using Firefox around the world.
Making desync attacks easy with TRACE
Have you ever found an HTTP desync vulnerability that seemed impossible to exploit due to its complicated constraints?
Using form hijacking to bypass CSP
In this post we'll show you how to bypass CSP by using an often overlooked technique that can enable password theft in a seemingly secure configuration. What...
Top 10 web hacking techniques of 2023
Welcome to the Top 10 Web Hacking Techniques of 2023, the 17th edition of our annual community-powered effort to identify the most innovative must-read web s...
Hiding payloads in Java source code strings
In this post we'll show you how Java handles unicode escapes in source code strings in a way you might find surprising - and how you can abuse them to concea...
Data Breaches
Vercel Confirms Security Breach Affecting Customer Accounts
Vercel has confirmed a security breach involving unauthorised access to certain internal systems, and the company says the incident affected a limited number...
Luxury Cosmetics Giant Rituals Discloses Data Breach
The company is notifying My Rituals members that hackers downloaded part of their data, including names and addresses. The post Luxury Cosmetics Giant Ritual...
RAMP Uncovered: Anatomy of Russia’s Ransomware Marketplace
Leaked data from RAMP reveals Russia’s ransomware ecosystem, analyzing 1,732 threads, 7,707 users, and 340,000 IP records from the forum. RAMP was not just a...
Vercel Finds More Compromised Accounts in Context.ai-Linked Breach
Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that enabled ...
Xinference PyPI Breach Exposes Developers to Cloud Credential Theft
A severe supply chain attack has compromised the popular Python package Xinference, exposing developers to massive data theft. Threat actors uploaded malicio...
Agoda refutes claims of massive data breach
Asia-centric booking platform Agoda has denied the alleged theft of 82 million records from its systems just a week after its parent firm Booking Holdings di...
Almost 600K reportedly impacted by separate US healthcare breaches
Three healthcare providers across the U.S.
Discord-Linked Group Accessed Anthropic’s Claude Mythos AI in Vendor Breach
Anthropic is investigating a vendor breach after a Discord-linked group accessed its Claude Mythos AI model, with no evidence of impact on core systems.
Adaptavist Group investigates security breach amidst ransomware claims
The breach was detected in late March when an attacker exploited compromised login details.
Cyberattack on French government agency triggers phishing alert
France Titres, a French government agency, has disclosed a data breach that may have exposed user data from its online portal. France Titres, also known as t...
Bluesky Back Online After DDoS Attack, as Iran-Linked 313 Team Takes Credit
Bluesky is back online after a roughly 24-hour DDoS attack disrupted services, with the Iran-linked 313 Team claiming responsibility and no data breach repor...
SEC cybersecurity disclosure rules: What security leaders must know
SEC rules require fast breach reporting and stronger cyber risk disclosures.