Software vulnerabilities are at the core of pen testing—and our "Under the Hoodie" report provides insights and advice one can only get in the trenches.

During a recent engagement we found an interesting interaction of browser behaviour and an accepted weakness in almost every home router that could be Abusing ‘by design’ behaviour to gain the ability to hijack millions of WiFi networks through saved credentials…

Passwordless Authentication Wallet (PAW) is key-based authentication for the web. The library helps manage identities, their associated public/private keypairs, and signing operations in the browse...

On 4 September at 14:30 UTC, an unknown attacker managed to hack into MEGA's Google Chrome web store account and upload a malicious version 3.39.4 of an extension to the web store, according to a blog post published by the company.

Interactive Cybersecurity Training. HackEDU offers comprehensive online Secure Development Training for your developers, engineers, and IT personnel to assist your organization in laying a foundation of security and application vulnerability prevention, assessment…

Cisco addressed a dozen and high severity vulnerabilities affecting the company's RV series, SD-WAN, Umbrella, and other products.

FireEye identified a new exploit kit that was being served up as part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

Some hosting providers implemented http-01 having one part of the challenge key reflected in the response. This resulted in a huge amount of websites being vulnerable to XSS just because of their quirky implementation of the http-01 ACME-challenge.

A security researcher has found a method that can be used to easily identify the public IP addresses of misconfigured dark web servers. While some feel that this researcher is attacking Tor or other similar networks, in reality he is exposing the pitfalls…

TL;DR Persistence can be achieved with Appx/UWP apps using the debugger options. This technique will not be visible by Autoruns. Two different approaches exists (registry keys). Listed below are th…

Hotstar is a  premium streaming platform like Netflix and Amazon Prime Videos. The security controls for restricting premium content were implemented at client side as frontend React JS logic. We were able to bypass these access controls and view paid premium…

In the near future, Google Chrome and Mozilla Firefox will...

This post is the second in a series of technical posts we are writing about Open Source Intelligence(OSINT) gathering.

Hi Guys,

WPA3, Enhanced Open, Easy Connect: The Wi-Fi Alliance's trio of new protocols explained

A week or so I discovered that Android P has DNS over TLS
support! It piqued my curiousity - could it finally be that DNS encryption goes mainstream?

In this post we’ll survey DNS over TLS, implement a client and share some thoughts!

1 vote and 5 comments so far on Reddit

In the previous article about the Unimania spyware campaign I promised to tell you more about the privacy issues discovered during our automated scan of many Google Chrome extensions. This took me a while, and I apologize for the delay. The reason for the…