HTTP Request Smuggling Vulnerability Riddled HAProxy


A serious vulnerability in HAProxy could allow HTTP request smuggling attacks. It affected almost all HAProxy versions; the maintainer has released patches for every supported branch.

HAProxy Vulnerability Could Trigger HTTP Content Smuggling

The HAProxy maintainer, Willy Tarreau, has recently shared details about a serious HTTP request smuggling vulnerability in HAProxy.

HAProxy is a dedicated high-performance, open-source load balancer and reverse proxy tool for HTTP and TCP applications. It distributes workloads and improves the website’s performance via reduced response times and increased throughput.

According to Tarreau’s notice, he came to know of the vulnerability following a report from a team of researchers.

Briefly, the flaw lay in HAProxy’s HTTP header processing. A maliciously crafted request could cause HAProxy to “drop some important headers fields” after parsing. The back-end server would then see extra requests inside the forwarded data, requests that HAProxy never inspected and that therefore bypass its filters.

An adversary could exploit the flaw to access restricted content, bypass URL authentication, or achieve other malicious purposes on a target website.

Tarreau explained that crafting such an attack is not trivial, but not impossible either, particularly for an attacker acquainted with HTTP internals.

Bug Fix Released

HAProxy’s maintainer confirmed that the vulnerability affected almost all versions: HTX-aware versions (2.0 and above) as well as non-HTX versions (1.9 and earlier, or 2.0 in legacy mode). The impact, however, is not the same across all versions.

Upon confirming the vulnerability, Tarreau worked on a fix and released it across all supported HAProxy branches. The patched versions are 2.8-dev4, 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

The maintainer recommends that HAProxy users upgrade to the patched version of their branch as the best way to stay safe. For those who cannot upgrade immediately, Tarreau has shared a configuration workaround that rejects requests attempting to trigger the flaw with a 403 error. Administrators can then watch for a rise in 403 entries in the logs to identify exploitation attempts.

The workaround is a stopgap rather than a guarantee; upgrading to a patched version is the permanent solution.
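To make the mechanism concrete, here is an added example in Python. It is not HAProxy code and does not reproduce the actual bug: it is a toy front-end proxy with a URL filter, a back end that frames message bodies by Content-Length, and two modes. The assumptions are the model’s own: that the malformed input is a header line with an empty field name, that the vulnerable front end drops the header field following it (here Content-Length), and that the patched front end refuses such requests with a 403, as the workaround described above does. The paths, host name and request bytes are constructed for the example.

```python
"""Model of the parser discrepancy behind HTTP request smuggling.

Added example; this is not HAProxy source and does not reproduce the real bug.
It models a front-end proxy that enforces a URL filter and then re-serialises
the request for a back end that frames message bodies with Content-Length.
Assumptions of the model: the malformed input is a header line with an empty
field name, and the "important header field" the vulnerable front end drops is
the one that follows it (Content-Length in the constructed request below).
"""
import re

# RFC 7230 field-name: a non-empty "token"
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_request(raw: bytes):
    """Split one HTTP/1.1 message into (request_line, [(name, value)], remaining bytes)."""
    if b"\r\n\r\n" not in raw:
        raise ValueError("incomplete request: no end of headers")
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return request_line, headers, rest


def front_end(raw: bytes, mode: str):
    """Front-end proxy. Returns ("deny", 403) or ("forward", bytes for the back end).

    mode="vulnerable": a header with an empty name is swallowed and the field
        after it is dropped from the forwarded request (the modelled defect).
    mode="patched": any header whose name is not a valid token is refused with
        a 403, which is what the article's workaround does as well.
    """
    if mode not in ("vulnerable", "patched"):
        raise ValueError(mode)
    request_line, headers, body = parse_request(raw)
    _method, target, _version = request_line.split(" ")
    if target.startswith("/admin"):          # the URL filter the attacker wants to bypass
        return "deny", 403
    if mode == "patched" and any(not TOKEN.match(name) for name, _ in headers):
        return "deny", 403
    forwarded = []
    drop_next = False
    for name, value in headers:
        if drop_next:                        # modelled defect: this field is silently lost
            drop_next = False
            continue
        if name == "" and mode == "vulnerable":
            drop_next = True
            continue
        forwarded.append(f"{name}: {value}")
    head = "\r\n".join([request_line] + forwarded).encode("latin-1")
    return "forward", head + b"\r\n\r\n" + body


def back_end(stream: bytes):
    """Back end: frame the stream by Content-Length; leftover bytes start a new request."""
    seen = []
    while stream:
        request_line, headers, rest = parse_request(stream)
        method, target, _ = request_line.split(" ")
        hdrs = {name.lower(): value for name, value in headers}
        body_len = int(hdrs.get("content-length", "0"))
        seen.append((method, target))
        stream = rest[body_len:]
    return seen


def run(raw: bytes, mode: str):
    """Returns (verdict, status_or_None, requests the back end actually saw)."""
    verdict, payload = front_end(raw, mode)
    if verdict == "deny":
        return verdict, payload, []
    return verdict, None, back_end(payload)


# Constructed attacker request: an allowed POST whose 43-byte body is itself a
# complete request for the filtered path. The empty-name header is the trigger.
SMUGGLE = (
    b"POST /public HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b": x\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
BENIGN = b"GET /public HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print("vulnerable:", run(SMUGGLE, "vulnerable"))  # back end also sees GET /admin
    print("patched:   ", run(SMUGGLE, "patched"))     # ('deny', 403, [])
    print("benign:    ", run(BENIGN, "patched"))
```

In the vulnerable mode the back end sees a second request, GET /admin, that the front-end filter never evaluated; in the patched mode the same bytes are refused before anything is forwarded, while ordinary traffic still passes. The general point is the one the advisory makes: any disagreement between proxy and origin about where one message ends and the next begins is a smuggling primitive, so malformed framing should be rejected outright rather than normalised and forwarded.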


Realme GT3 can fully charge in less than 10 minutes: video


The upcoming Realme GT3 can fully charge in less than 10 minutes. The company decided to show us proof, so it released a new YouTube video. The phone fully charged in only 9 minutes and 37 seconds.

The Realme GT3 can fully charge in less than 10 minutes, as shown in the video

The Realme GT3 is set to become the world’s fastest-charging smartphone, as it utilizes OPPO’s 240W SuperVOOC charging. The phone actually includes a 4,600mAh battery on the inside, in case you were wondering.

It managed to reach a 20% charge in only 80 seconds. After 4 minutes, it stood at a 50% charge, before it finally reached a 100% charge status after 9 minutes and 37 seconds. You can check that out in the video embedded below.

The Realme GT3 is actually a global variant of the Realme GT Neo5, a phone that was launched in China. To be more accurate, it’s a global variant of the GT Neo5 240W, as two variants were announced.

The other variant supports 150W charging, which is also blazing fast, and includes a 5,000mAh battery. We still don’t know whether a 150W variant of the Realme GT3 (the global model) will be offered; we’ll have to wait and see.

The device will launch on February 28

The Realme GT3 will become official on February 28. Realme will launch the phone at MWC 2023, in Barcelona. Now, its charging is its main selling point, but this phone will deliver really compelling specs in general.

It will include the Snapdragon 8+ Gen 1 SoC, along with LPDDR5X RAM and UFS 3.1 flash storage. A 6.74-inch AMOLED display will also be in use, and it will support a 144Hz refresh rate.

A 50-megapixel main camera will sit on the back of the phone, while Android 13 will come pre-installed on the phone. All in all, it will be quite a compelling smartphone.



Microsoft readying Teams 2.0 with massive performance boost


Microsoft is readying a major update for its remote collaboration and communication app Teams. The company has reportedly rebuilt the service from scratch to bring a significant boost in performance. Internally known as Microsoft Teams 2.0 or 2.1, the updated version is currently being tested among Microsoft employees, with a public preview planned for next month.

Microsoft has rebuilt Teams for improved performance

Microsoft Teams is one of the most popular business communication services out there. The company regularly updates the platform to add new features and make improvements. With the launch of Windows 11, it integrated Teams into the system to enable faster loading and more efficient performance. Talking about the improvements, Microsoft’s then-head of engineering for Teams had said that the service will employ a new architecture that will help the company “add support for multiple accounts, work-life scenarios, release predictability, and scale up for the client”. Rish Tandon, who has since left Microsoft for Meta added that “it will be a journey but with Windows 11 we have taken key first steps.”

The so-called Microsoft Teams 2.0 is the end product of that journey. As Tandon previously revealed, the new version moves away from the Electron framework to Microsoft’s Edge WebView2 technology, which gives the company more control over the platform. Microsoft is also switching from Angular to the React JavaScript library. Last but not least, Teams 2.0 leverages Apollo GraphQL and is powered by Microsoft Edge. All of these changes bring a host of functional and aesthetic improvements.

Overall, the new Microsoft Teams will “significantly improve its system resource usage on PCs and laptops”. We are talking about a 50 percent drop in memory usage, while Teams will also tax the CPU less and effectively consume less power. This will improve the battery life of laptops. All in all, Microsoft Teams will open faster and feel smoother to use on your computer. It shouldn’t lag even on aging PCs or laptops, making remote collaboration and communication a more seamless experience.

The updated Microsoft Teams will be available to the public next month

Apart from Tandon’s announcement back in June 2021, Microsoft hasn’t shared many details about the new version of Teams. But sources familiar with the matter recently told The Verge that the company is broadly testing the service among employees, with a public preview planned for late March. It will reportedly offer a toggle to switch back to the current version of Teams if the update breaks something for users, or if they feel the need to for some other reason. We should hear more about Microsoft Teams 2.0 in the coming weeks.



TikTok incentivizes content creators to post longer videos with new monetization program


Popular short-video sharing platform TikTok seems to be ironically asking creators for videos longer than one minute, reports 9to5Mac. There’s a new TikTok Creativity Program that incentivizes content creators on the platform to strive for longer videos so that they can be eligible to earn more money.

Is TikTok changing course? Encouraging creators to post longer videos


Well, isn’t that strange? When TikTok first started, videos on the platform could be at most 15 seconds long. The short-video format that other social media platforms are now pushing was popularised by TikTok. However, the maximum video length has grown since launch: in 2017 it rose to one minute (with many users choosing to post 30-second videos), and in 2021 it was increased to three minutes.

And now, TikTok has announced a new Creativity Program, which encourages selected creators to make videos longer than one minute.

For now, it seems the TikTok Creativity Program is an invitation-only beta, but the company has stated that the program will be open to all “eligible US creators” in the next few months.

To be eligible for the Creativity Program, creators need to be at least 18 years old, meet minimum follower and video-view thresholds (not specified at this time), and have an account “in good standing”.

In its official announcement, TikTok states that the new program will help creators boost their creativity and find more ways to monetize their content on the platform. The content that creators who want to benefit from this program have to publish has to be high-quality original content that’s longer than one minute.

TikTok doesn’t specify when exactly the program will become open to all eligible US creators, it only says “in the coming months”.

As 9to5Mac rightly notes, this is a peculiar move for a company whose app became popular precisely because of short-form videos. As many readers know, ever since TikTok stormed the internet with its short videos, other social media platforms have been trying to copy it.

Instagram, for one, has created its Reels and is encouraging creators to use short-form videos to express themselves. Even YouTube, with a popularity level that isn’t going anywhere anytime soon, has opted in for the short-vid craze with its own YouTube Shorts.

It’s no secret to anyone that these short-form video features on YouTube and Instagram are created to compete with the raging popularity of TikTok. So yes, TikTok now trying to somewhat move to longer videos does come as a surprise.



Samsung New Feature to Protect Users From Zero-click Exploits


Samsung recently unveiled a new addition to its security features, known as Message Guard. The feature is designed to give users an extra layer of protection against malware and spyware delivered through messaging apps.

Its advanced technology provides safeguards that protect users from zero-click attacks, a form of cyberattack that can infect a device without any interaction from the user.

This security solution proactively ensures the security of users’ devices, and it operates by restricting the exposure of users to covert threats that are concealed within image attachments. 

By adopting this preemptive approach, Samsung aims to provide users with a layer of protection against potential security breaches that might otherwise go unnoticed.

It is at the moment limited to the Samsung Galaxy S23 series of smartphones, and this security feature is available in Samsung Messages as well as Google Messages. 

However, Samsung has confirmed that later this year they are also planning to expand this to other Galaxy devices that are running on One UI 5.1 or higher.

Zero-click Attacks

Zero-click attacks are precise and complex, and they are a growing concern in the security community.

They exploit previously undiscovered vulnerabilities in software to execute malicious code automatically, without any engagement or interaction from the user.

Unlike conventional attacks, which need the victim to take some action to activate the payload (open a file, tap a link), zero-click attacks trigger as soon as the vulnerable component processes the attacker’s input.

This removes the need for social engineering and makes the attacks stealthier and harder to detect.

Most of the zero-click exploits aim to exploit vulnerabilities found in messaging, SMS, or email applications that receive and process data that can’t be trusted.

If an application has a vulnerability in the way it interprets incoming data, an attacker can craft an image that exploits that flaw and runs attacker-controlled code as soon as the target’s device parses the message, with no action by the recipient.

Offering a More Secure Environment

As threats evolve, Samsung’s mobile security also evolves to keep up with the changing threats. The Samsung Knox platform provides Samsung Galaxy smartphone users with robust safeguards against a range of potential threats. 

Among these, attacks that use video and audio formats are already covered, ensuring that users can enjoy a safer, more secure mobile experience.

In addition to the powerful protection offered by Samsung Knox, the Samsung Message Guard feature takes the security of your device to the next level. 

By proactively shielding against invisible threats that may be disguised as image attachments, this feature helps to limit your exposure to potential security risks, providing you with greater peace of mind when using your Samsung device.

A number of image formats are supported by Samsung’s Message Guard, including the following:-

  • PNG
  • JPG
  • JPEG
  • GIF
  • ICO
  • WEBP
  • BMP
  • WBMP

As a further layer of protection, the Samsung Message Guard feature also operates as a sandbox, isolating any images received through the app from the rest of the device’s operating system. 

This quarantine function helps to prevent any potentially malicious code from infiltrating other areas of your device, keeping your personal data and sensitive information safe from harm.

Samsung says Message Guard neutralises threats hidden inside picture files before they can cause any harm.

Additionally, it operates silently and invisibly in the background without the user having to pay attention to it, and does not require any user interaction.
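As an added illustration of the isolation principle described above (this is not Samsung’s code, and nothing here describes how Message Guard is actually implemented), the following Python example parses an untrusted image header in a forked child process under resource limits, so that a parser crash or a malformed file turns into a rejected message instead of a compromised process. The parser validates only the PNG signature and IHDR chunk and stands in for a full decoder; the dimension limit, the test-input builder and the rejection messages are this example’s own. It relies on os.fork and resource, so it runs on Unix-like systems only.

```python
"""Parsing an untrusted image header in a throwaway child process.

Added example illustrating the isolation principle the article attributes to
Message Guard; it is not Samsung code and says nothing about how Message Guard
is actually built. The parser validates only a PNG signature and IHDR chunk (a
stand-in for a real decoder) and runs in a forked child with resource limits,
so a crash or hang in the parser becomes a rejected message, not a compromised
parent process.
"""
import json
import os
import resource
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 1 << 14  # assumed limit: reject absurd sizes before any pixel buffer exists


def parse_png_ihdr(data: bytes) -> dict:
    """Validate the PNG signature and IHDR chunk; raise ValueError on anything odd."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    if len(data) < 33:
        raise ValueError("truncated before end of IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk must be a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color_type, _comp, _filter, _interlace = struct.unpack(">IIBBBBB", body)
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise ValueError("unreasonable dimensions")
    return {"width": width, "height": height, "bit_depth": depth, "color_type": color_type}


def _child(write_fd: int, data: bytes) -> None:
    """Runs only in the forked child: limit resources, parse, report over the pipe, exit."""
    resource.setrlimit(resource.RLIMIT_CPU, (1, 1))    # at most 1 s of CPU, then killed
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))  # may not create or grow files
    try:
        result = json.dumps({"ok": True, "info": parse_png_ihdr(data)})
        status = 0
    except Exception as exc:  # any parser failure is a rejection, contained in the child
        result = json.dumps({"ok": False, "reason": str(exc)})
        status = 1
    os.write(write_fd, result.encode())
    os._exit(status)


def sandboxed_parse(data: bytes) -> dict:
    """Parse `data` in an isolated child. Returns {"ok": bool, ...}; never raises on bad input."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:                               # child
        os.close(read_fd)
        try:
            _child(write_fd, data)
        finally:
            os._exit(1)                        # never fall back into the parent's code path
    os.close(write_fd)                         # parent
    chunks = []
    while True:
        chunk = os.read(read_fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_fd)
    _, wait_status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(wait_status):            # parser died hard (crash, CPU limit): reject
        return {"ok": False, "reason": f"parser killed by signal {os.WTERMSIG(wait_status)}"}
    try:
        return json.loads(b"".join(chunks))
    except ValueError:
        return {"ok": False, "reason": "parser produced no result"}


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test input: a valid PNG signature plus IHDR chunk, no image data."""
    body = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    chunk = struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", zlib.crc32(b"IHDR" + body))
    return PNG_SIGNATURE + chunk


if __name__ == "__main__":
    print(sandboxed_parse(make_png_header(64, 48)))      # accepted, with metadata
    print(sandboxed_parse(b"GIF89a not a png at all"))   # rejected: not a PNG
    print(sandboxed_parse(make_png_header(1 << 20, 1)))  # rejected: unreasonable dimensions
```

The parent never touches the untrusted bytes with anything more than a pipe read: the header parser, the only component that could be exploited, lives in a child that cannot write files, cannot burn more than a second of CPU, and is discarded after one message. A real deployment would add memory limits, a seccomp or equivalent syscall filter and a dedicated unprivileged user, and would decode the whole image, not just its header, inside the child.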

Samsung has consistently demonstrated its commitment to delivering cutting-edge security solutions for its users. 

With the addition of Samsung Message Guard to its suite of protective features, Samsung continues to push forward in the field of mobile device security, offering users the peace of mind that comes from knowing that their personal information and data are always kept safe and secure.




A week in security (February 13 – 19)

The most interesting security related news from the week of February 13 to 19.

Last week on Malwarebytes Labs:

Stay safe!





Samsung releases Camera Assistant for Galaxy S23, S21 & more


Last week, Samsung announced a major update for its Camera Assistant app, adding a host of new features. The company also said that the app will be available for more Galaxy smartphones in the coming weeks. The updated version with wider compatibility is now rolling out via the Galaxy Store.

Samsung launched Camera Assistant as a new optional camera app for high-end Galaxy smartphones in October last year, following the launch of Expert RAW in 2021 as a solution geared towards photography professionals and enthusiasts. The new app debuted with the stable Android 13 (One UI 5.0) update for the Galaxy S22 series. It was a beta version that remained exclusive to the 2022 flagship trio until recently.

Now, with the release of One UI 5.1, the Korean firm is bringing Camera Assistant to several other Galaxy devices. Version 1.1.00.4 of the app, which is available on the Galaxy Store, is compatible with the Galaxy S23 series, Galaxy S21 series, Galaxy S20 series, Galaxy Z Fold 4, and Galaxy Z Flip 4. While the Galaxy S23 arrived earlier this month running One UI 5.1 out of the box, Samsung recently updated other models to the new One UI version.

Of course, One UI 5.1 isn’t available globally for all of these devices yet, so you may need to wait a little longer. But if you are using a compatible model and have received the update, you can install Camera Assistant to unlock features that aren’t available in the stock camera app. Samsung will release the app for more Galaxy devices in the coming weeks; it has officially confirmed support for the Galaxy Note 20 series, Galaxy Z Fold 3, Galaxy Z Flip 3, and Galaxy Z Fold 2. One UI 5.1 is already live for these phones, so Camera Assistant should arrive soon.

Camera Assistant adds to your Galaxy phone’s camera capabilities

Samsung’s stock camera app offers a lot of cool features that you can play with and capture amazing shots. But if you want more, the Korean firm also has Camera Assistant (plus Expert RAW for professional-grade smartphone photography). Camera Assistant gives you additional image softening modes, a balance between image quality and shutter speed, screen dimming while recording long videos, automatic lens switching, more efficient timer settings, and more.

You can click the button below to download the latest version of the app from the Galaxy Store. Remember, you need a compatible Galaxy smartphone running One UI 5.1 to use Camera Assistant.




Can it be an alternative to a dollar-dominated financial system?


How can the Digital Yuan perform against the current US dollar-based global financial system? Well, read this piece to understand the details.

Some central banks worldwide are already working on digital currencies, and China isn’t lagging. The Chinese digital Yuan is the leading one currently. The digital Yuan’s development is in its final phases, with the Chinese government already putting it to various local uses. For example, this Central Bank Digital Currency (CBDC) has been subject to transactions like payment of bus fares and train tickets.

But digital Yuan isn’t the only CBDC under development now. Other major economies, such as the UK, Japan, and the US, are also working on their CBDCs. While the projects are equally promising, they trail the Chinese digital Yuan project in many aspects. Most countries developing central bank digital currencies are still in the research phases. On the other hand, the Chinese version is already undergoing real-world tests and might become fully operational soon.

So the US, UK, and others still have a lot of catching up to do. They must speed up their projects or cede ground to the digital Chinese Yuan, which is already in use. While doing so, they must avoid the mistakes that compromised Bitcoin’s early performance. In addition, governments must ensure their digital currencies are resilient to major shocks like the 2008 global financial crisis.

Understanding the Current US dollar-Based Financial System

Even though it has had some challenges, the current traditional financial system has made tremendous achievements. For instance, it’s one of the most secure transaction methods today. Moreover, conventional economic systems are the most reliable due to government control. The US dollar, Euro, and Japanese Yen facilitate thousands of international transactions daily.

But despite the above benefits of government-issued money, there have been numerous problems. For example, over-reliance on the US dollar has landed several countries in deep financial trouble. They cannot exercise their sovereignty fully because they are vulnerable to US economic sanctions, and no government wants to do anything that could prompt the US to impose them, knowing the repercussions.

While the economic sanctions cause devastating problems to the target countries, they help ensure adherence to international laws by rogue states. The only problem is that the US government sometimes uses such sanctions to achieve its global political goals. Additionally, too much reliance on the US dollar for international trade seriously threatens various financial markets. For instance, any mistakes the Fed makes affect everyone globally.

What Does the Upcoming Digital Yuan Bring on Board?

Like cryptocurrencies, the Chinese digital Yuan has a lot to offer. It could help countries evade unfair economic sanctions and conduct international trade more seamlessly. Presently, countries use the SWIFT network to send or receive cross-border payments, and the US government effectively controls SWIFT. That is where the digital Yuan comes in: the Chinese CBDC would carry no such restrictions or political control.

Digital Yuan transactions should be faster, much as with Bitcoin and other cryptocurrencies. People will also likely invest in the digital Yuan as they do with Bitcoin on exchanges like the Yuan Pay App. The digital version will also increase flexibility and efficiency; for example, it is possible to send digital Yuan from one user to another simply by tapping two phones together.

Even with the many advantages, Digital Yuan will face several challenges to emerge as the ultimate global currency. For instance, China controls just below 3% of the total foreign reserves in the world. Also, people will need to trust the Chinese digital currency, like the US dollar, for years. Creating the necessary digital infrastructure and promoting the digital Yuan will also take China a lot of time.

The Bottom Line

Many countries are currently developing Central Bank Digital Currencies, including the US, China, Japan, and the UK. China’s project is the leading one, with the digital Yuan already in its final stages. The digital Yuan has immense potential, but it will take years to become the ultimate global currency. Among the challenges it faces are a lack of full-scale international adoption at the moment, a lack of digital infrastructure, and China’s limited share of global foreign reserves.



YouTube has new podcast features in the works, currently testing with select creators


YouTube has quietly launched a new feature experiment, reports 9to5Google. The new experiment is centered on podcast creation and more tools for podcast makers.

YouTube tests new tools for podcasts


As you may probably know, YouTube has been eyeing the podcast scene for quite some time. Now, the platform is taking another step towards becoming a more podcast-friendly place for all those who would like to get into podcasting or work as podcasters. The new tools that are now in testing are, from what it seems, everything a content creator would need to start podcasts on the platform: from uploading a podcast episode to looking into analytical data about the podcast’s performance.

The users who are a part of the test will see a new option to upload a podcast under the “create” button, which usually gives you the option to upload a video, create a text post, or start a live stream.

But that’s not all. Creators would also see podcasts under a new “Podcasts” tab in the content menu, and existing playlists can be converted into podcasts with a new option in the three-dots menu.

And last but not least, YouTube Studio will show podcast analytics on a desktop. Among the analytics, you will be able to view the performance of a specific podcast show, audience numbers, and revenue insights.

For now, a small number of creators are part of the experiment.

YouTube’s into podcasting, a little background


YouTube’s efforts to become a more prominent platform in the podcast scene have been visible since 2021. Back then, a report showed that YouTube was looking to hire executives with podcasting experience (via Bloomberg), a sign that it was starting to take podcasts seriously.

Actually, even before that, YouTube was one of the places that people looked at when interested in podcasts in general. However, at the time, the platform wasn’t optimized for podcast listeners, so YouTube looked to make everything organized and manage the millions of podcasts on its platform.

In 2022, YouTube became even more serious about the endeavor as some leaked slideshows were detailed (via 9to5Google). These plans included new “search and discovery” tools, as well as a “podcast destination page” and “official podcast cards”. Later, the company also published a guide for creators that were looking into podcasting on YouTube.

All in all, YouTube is definitely becoming more popular for podcasters and podcast fans alike. We’ll have to wait and see what other features the platform may get for podcast fans.



Twitter Restricts SMS-based 2FA To Twitter Blue Users


Twitter has recently announced a change that baffled many users previously using SMS-based two-factor authentication for account sign-ins. Starting March 2023, Twitter will only allow Twitter Blue subscribers to use SMS-based 2FA. Nonetheless, other multi-factor authentication methods will remain available to all users.

Non-Paying Twitter Users Will No Longer Be Able To Use Phone Numbers For 2FA

Recently, Twitter users expressed their anger for losing access to the SMS-based 2FA feature. As it turns out, the social media giant has decided to limit SMS-based verification to paying users only.

According to a recent post, starting March 20, 2023, non-Twitter Blue subscribers will no longer be able to use their phone numbers to verify account logins. Twitter cited the security risks associated with SMS one-time codes as the reason for the restriction.

While historically a popular form of 2FA, unfortunately, we have seen phone-number based 2FA be used – and abused – by bad actors.

Twitter has therefore already stopped enrolling new non-Blue accounts in SMS-based 2FA, and existing non-Blue users of SMS 2FA will lose access to it after March 20, 2023, unless they subscribe to Twitter Blue.

This does not mean non-Blue users must leave their accounts unprotected. They can switch to the other authentication methods, an authenticator app or a hardware security key, which remain available to everyone.

Is SMS-based 2FA Safe For Twitter Blue Users?

Maybe not – but that’s not what Twitter has advocated for, either!

In fact, citing “abuse” of phone-number verification as the reason to withhold SMS 2FA from free users, while continuing to offer it to paying ones, is an odd justification. It does, however, fit the cost-cutting strategy Elon Musk laid out earlier.

During Twitter’s takeover, Elon Musk highlighted the loss of around USD 60 million Twitter had to bear due to “SMS texts”. Soon after this mention, Musk’s announcement for paid Twitter Blue checks clarified how he decided to manage the financial losses with Twitter.

Also, it hinted at the possible changes Twitter users would experience when using their Twitter accounts with phone numbers. And now, the recent restriction of this cost-incurring SMS-based 2FA to the paid subscribers sounds more like a balancing strategy than a security change.

Whatever the reason, the fact remains that SMS-based verification is a weak second factor: codes can be intercepted or redirected through SIM swapping. Regardless of a Twitter Blue subscription, users should prefer stronger methods, such as authenticator apps and security keys, on every platform they use, including Twitter.

