Browser vendors continuously tweak and refine browser functionalities to improve security. Implementing same-site cookies is a prime example of vendors’ efforts to mitigate Cross-Site Request Forgery (CSRF) attacks. However, not all security measures are foolproof. In their quest to combat Cross-Site Scripting (XSS), browser vendors introduced features that, while well-intentioned, ... Read More

TL;DR This blog unveils a remote code execution vulnerability, identified as CVE-2023-22524, in Atlassian Companion for macOS, which has recently been patched. This critical vulnerability stemmed from an ability to bypass both the app’s blocklist and macOS Gatekeeper, potentially allowing the execution of harmful code. Users are advised to upgrade ... Read More

Cloud service providers are now fundamental elements of internet infrastructure, granting organizations and individuals the ability to scale and efficiently store, manage, and process data. DigitalOcean is one such provider, well-regarded for its simplicity and developer-friendly platform, and often catering to small to medium-sized businesses and individual developers. With increasing ... Read More

The last year has seen an unprecedented surge in the use of Artificial Intelligence (AI) and its deployment across a variety of industries and sectors. Unfortunately, this revolutionary technology has not just captivated the good actors– the darker corners of the internet are awash with bad actors exploiting the buzz ... Read More

TL;DR The Imperva Red Team discovered a vulnerability in TikTok, a popular social media platform with more than one billion users worldwide, that could allow attackers to monitor users’ activity on both mobile and desktop devices. This vulnerability, which has now been fixed, was caused by a window message event ... Read More

TLDR Recently, a cross-site search vulnerability was discovered affecting the popular NFT marketplace OpenSea. When successfully exploited, this issue allows for the deanonymization of OpenSea users by linking an IP address, a browser session, or an email in certain conditions to a specific non-fungible token (NFT) and, therefore, a wallet ... Read More

The Imperva Red Team recently disclosed a vulnerability, dubbed CVE-2022-3656, affecting over 2.5 billion users of Google Chrome and Chromium-based browsers. This vulnerability allowed for the theft of sensitive files, such as crypto wallets and cloud provider credentials. Introduction Chrome is the most widely used browser, with a 65.52% market ... Read More

The Imperva Red Team recently discovered and disclosed CVE-2022-40764, a command injection vulnerability affecting Snyk CLI. Snyk is a security company best known for its dependency vulnerability management software. The disclosed command injection vulnerability affects the Snyk command-line interface tool that helps developers find and fix vulnerabilities. Exploitation of CVE-2022-40764 ... Read More

Although new messaging apps like WhatsApp, Telegram, and Messenger have taken a large chunk of our day to day communications, email remains one of the most popular ways we communicate. In this post we’ll talk about the post exploitation of a vulnerability we recently disclosed to one of the most ... Read More

A now-patched vulnerability in the web version of Google Photos allowed malicious websites to expose where, when, and with whom your photos were taken. Background One trillion photos were taken in 2018. With image quality and file size increasing, it’s obvious why more and more people choose to host their ... Read More