Michael Mimoso


PayPal has repaired three remote-access vulnerabilities found in different areas of its website, including a cross-site scripting (XSS) flaw on its PayPal Community Forum. All three flaws were submitted to PayPal’s Bug Bounty Program. Researcher Benjamin Kunz Mejri of Vulnerability-Lab reported the security vulnerabilities to PayPal in September; patches were released in late October, according to an advisory posted this week to the Full Disclosure list.

Attackers infiltrated a webserver belonging to the open source Piwik website analytics project and injected backdoor malware into a zip file update on Monday. Users who downloaded the Piwik 1.9.2 update between 15:43 UTC and 23:59 UTC are urged to check the piwik/core/Loader.php file for the following code string:

Password woes apparently aren’t limited to endpoints. US-CERT issued an advisory Tuesday warning users of Samsung printers, including some Dell printers manufactured by Samsung, that a hardcoded password could enable remote code execution. “Samsung printers contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility,” the CERT advisory said.

A new cross-site scripting exploit that enables attackers to steal cookies and access Yahoo email accounts is for sale in an exclusive underground market for $700, less than half of its market value according to the hacker. The attack steals session cookies for Yahoo email and could allow an attacker to access the account and read or send messages, said Krebs on Security, which reported the vulnerability to Yahoo.

The saga of the latest zero-day vulnerability and exploit for the Google Chrome browser took another mysterious turn over the weekend. The 19-year-old Georgian security researcher who found the vulnerability in the browser was called up for compulsory military duty in his country and was unable to deliver his presentation Saturday at the Malcon security conference in India.