Tag: flaw

Product Reviews

Tile trackers reportedly have a security flaw that can let stalkers track your location

by admin September 29, 2025


Researchers have discovered major security flaws with Tile tracking tags, according to a report by Wired. These flaws could allow both the company itself and tech-savvy stalkers to track a user’s location. The security issue could also let a malicious actor falsely frame a Tile owner for stalking, as the flaw can make it appear as if a particular tag is constantly in the vicinity of somebody else’s tag.

The issue pertains to how Tile tags transmit data during use. Tile tags transmit more data than other trackers, including the static MAC address and the rotating ID. According to the reporting, none of this data is encrypted. The rotating ID changes all of the time, but a MAC address doesn’t.

Researchers believe that all of this information is stored in cleartext, making it easy for hackers to get hold of. This would also theoretically give Tile itself the ability to track its users, though the company says it doesn’t have this capability.

It gets worse. Anyone with a radio frequency scanner can allegedly intercept all of this information as it’s being transmitted, creating another potential security hole. Also, this problem might not even be solved if Tile decides to stop transmitting the MAC address. This is because the company generates its rotating ID in such a way that future codes can be reliably predicted from past ones.

“An attacker only needs to record one message from the device,” one of the researchers behind the findings said, adding that a single recorded message will “fingerprint it for the rest of its lifetime.” The researcher said this creates a risk of systemic surveillance.

The security researchers, who are involved with the Georgia Institute of Technology, reached out to Tile’s parent company Life360 in November of last year to report the findings. Wired said the company stopped communicating with the researchers in February. The company did say it has made a number of improvements to its security but didn’t elaborate further.

Gaming Gear

Call-recording app Neon goes offline after security flaw uncovered

by admin September 25, 2025


Neon is a call-recording app that pays users for access to the audio, which the app in turn sells to AI companies for training their models. Since its launch last week, it quickly rose in popularity, but the service was taken offline today. TechCrunch reported that it found a security flaw that allowed any logged-in user to access other accounts’ phone numbers, the phone numbers called, call recordings and transcripts.

TechCrunch said that it contacted Neon founder Alex Kiam about the issue. “Kiam told TechCrunch later Thursday that he took down the app’s servers and began notifying users about pausing the app, but fell short of informing his users about the security lapse,” the publication reported. The app went dark “soon after” TechCrunch contacted Kiam. Neon does not appear to have a timeline for if or when the service will resume or what additional security protections it may add.

The full report from TechCrunch is here and certainly worth reading if you’ve used Neon.

Gaming Gear

This serious Microsoft Entra flaw could have let hackers infiltrate any user, so patch now

by admin September 22, 2025



  • Actor tokens allowed cross-tenant impersonation without logging or security checks
  • CVE-2025-55241 enabled Global Admin access via deprecated Azure AD Graph API
  • Microsoft patched the flaw in September 2025; actor tokens and Graph API are being phased out

Security researchers have found a critical vulnerability in Microsoft Entra ID which could have allowed threat actors to gain Global Administrator access to virtually anyone’s tenant – without being detected in any way.

The vulnerability consists of two things – a legacy service called “actor tokens”, and a critical Elevation of Privilege bug tracked as CVE-2025-55241.

Actor tokens are undocumented, unsigned authentication tokens used in Microsoft services to impersonate users across tenants. They are issued by a legacy system called Access Control Service (ACS) and were originally designed for service-to-service (S2S) authentication.


Deprecating and phasing out

According to security researcher Dirk-jan Mollema who discovered the flaw, these tokens bypass standard security controls, lack logging, and remain valid for 24 hours, which makes them exploitable for unauthorized access without detection.

Mollema demonstrated that by crafting impersonation tokens using public tenant IDs and user identifiers, he could access sensitive data and perform administrative actions in other organizations’ environments.

These actions included creating users, resetting passwords, and modifying configurations – all without generating logs in the victim tenant.

“I tested this in a few more test tenants I had access to, to make sure I was not crazy, but I could indeed access data in other tenants, as long as I knew their tenant ID (which is public information) and the netId of a user in that tenant,” Mollema explained.


As it turns out, Azure AD Graph API, a deprecated system that’s slowly being phased out, was accepting the tokens from one tenant and applying them to another, bypassing conditional access policies and standard authentication checks.

Mollema reported the issue to Microsoft, which acknowledged it in mid-July 2025 and patched it within two weeks. CVE-2025-55241 was given a severity score of 10/10 (critical), and was officially addressed on September 4.

Azure AD Graph API is being deprecated, while the tokens, which Microsoft refers to as “high-privileged access” mechanisms used internally, are being phased out.

Via BleepingComputer

Gaming Gear

‘Microsoft has become like an arsonist selling firefighting services to their victims’ says US senator, referring it to the FTC for a cybersecurity flaw, though Microsoft says it has a plan

by admin September 12, 2025



US senator Ron Wyden has written a letter to the FTC requesting that the organisation investigate Microsoft for what he calls “gross cybersecurity negligence.” His complaint is primarily related to a form of encryption still supported by the company’s Windows operating system, which the senator’s office believes is vulnerable to ransomware attacks.

In the letter [PDF warning], Senator Wyden reveals that an investigation his office conducted into a ransomware breach of healthcare provider Ascension last year found that support of the RC4 encryption cipher was a direct contributor to the attack (via Ars Technica).

“Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection,” said Wyden.


“Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software.”

RC4, or Rivest Cipher 4, was developed in 1987 by mathematician and cryptographer Ron Rivest, and was considered a protected method of encryption until 1994, when it was compromised as a result of a leaked technical description. Despite this, RC4 was widely used in common encryption protocols until around a decade ago, and is still used by Microsoft to secure Active Directory, a Windows component used by system administrators to configure user accounts.


While Windows will use AES encryption by default, the senator’s office discovered that Windows servers will still respond to RC4-based authentication requests, which potentially opens them up to “Kerberoasting.” This is a technique in which administrative privileges are gained via exploiting encryption on one affected machine in order to install ransomware on others.
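One practical defender-side check for the condition described above is to look at which Kerberos service-ticket requests a domain controller is still satisfying with RC4. The script below is an added example, not code from the article, Microsoft or the senator's office: it parses constructed, simplified Windows Security event 4769 records (the field names and values are assumed for the sample, not copied from real logs) and flags RC4 ticket encryption and accounts that requested RC4 tickets for many services.

```python
# Added example (not from the article): flag RC4-encrypted Kerberos service-ticket
# requests in simplified Windows Security event 4769 records, so a defender can see
# whether domain controllers are still answering RC4 requests before RC4 is disabled.
# SAMPLE_EVENTS is constructed sample data in an assumed "key=value" layout, not real logs.
import re
from collections import defaultdict

# Kerberos encryption type codes as they appear in the TicketEncryptionType field.
ENC_TYPES = {
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
}
RC4_TYPES = {"0x17", "0x18"}

SAMPLE_EVENTS = [  # constructed: one 4768/4769 record per line
    "EventID=4769 Account=alice@CORP.EXAMPLE Service=MSSQLSvc/db01 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 Account=alice@CORP.EXAMPLE Service=http/intranet TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 Account=alice@CORP.EXAMPLE Service=cifs/fs01 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 Account=bob@CORP.EXAMPLE Service=cifs/fs01 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 Account=bob@CORP.EXAMPLE Service=krbtgt TicketEncryptionType=0x12 Status=0x0",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn a 'key=value key=value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))


def rc4_ticket_requests(lines):
    """Return (account, service, cipher) for successful 4769 requests that used RC4."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue  # only successful service-ticket requests matter here
        enc = ev.get("TicketEncryptionType")
        if enc in RC4_TYPES:
            hits.append((ev["Account"], ev["Service"], ENC_TYPES[enc]))
    return hits


def rc4_burst_accounts(lines, threshold=3):
    """Accounts that obtained RC4 tickets for at least `threshold` distinct services.

    One account collecting RC4 tickets for many different services is a pattern
    worth reviewing alongside the per-ticket findings.
    """
    per_account = defaultdict(set)
    for account, service, _ in rc4_ticket_requests(lines):
        per_account[account].add(service)
    return {a: sorted(s) for a, s in per_account.items() if len(s) >= threshold}


if __name__ == "__main__":
    for hit in rc4_ticket_requests(SAMPLE_EVENTS):
        print("RC4 service ticket:", hit)
    print("Accounts to review:", rc4_burst_accounts(SAMPLE_EVENTS))
```

Real 4769 events are XML or flattened log lines with different field names, so the parser would need adapting to the collector in use; the filtering logic stays the same.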

In the case of Ascension, the senator claims that a contractor clicking on a malicious link led to hackers “moving laterally” within its server network, exploiting the weak encryption in order to push ransomware to thousands of other computers in the organisation and ultimately stealing the sensitive data of 5.6 million patients.


While the senator says that his office contacted Microsoft about the vulnerability, and that the company eventually posted a blog post with actions that organisations could take to protect against it, a promised security update to fix the issue is yet to arrive.


“The Ascension hack illustrates how it is Microsoft’s customers, and, ultimately, the public, who bear the cost of Microsoft’s dangerous software engineering practices and the company’s refusal to inform its customers about the pressing need to adopt important cybersecurity safeguards,” the senator continues.

“There is one company benefiting from this status quo: Microsoft itself. Instead of delivering secure software to its customers, Microsoft has built a multibillion dollar secondary business selling cybersecurity add-on services to those organizations that can afford it. At this point, Microsoft has become like an arsonist selling firefighting services to their victims.”


The senator ends his letter by urging the FTC to investigate Microsoft, and hold the company responsible for what the senator claims is the “serious harm it has caused by delivering dangerous, insecure software to the U.S. government and to critical infrastructure entities, such as those in the U.S. health care sector.”


Microsoft has since released a statement to multiple outlets, including Ars Technica, directly addressing the senator’s claims:

“RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic. However, disabling its use completely would break many customer systems,” the company said.

“For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible. We have it on our roadmap to ultimately disable its use. We’ve engaged with The Senator’s office on this issue and will continue to listen and answer questions from them or others in government.”

Microsoft also says that in the first quarter of 2026, “Any new installations of Active Directory Domains using Windows Server 2025 will have RC4 disabled by default, meaning any new domain will inherently be protected against attacks relying on RC4 weaknesses. We plan to include additional mitigations for existing in-market deployments with considerations for compatibility and continuity of critical customer services.”

NFT Gaming

Perplexity Comet Flaw Exposed User Data to Attackers, Brave Reports

by admin August 25, 2025



In brief

  • In a demo, Comet’s AI assistant followed embedded prompts and posted private emails and codes.
  • Brave says the vulnerability remained exploitable weeks after Perplexity claimed to have fixed it.
  • Experts warn that prompt injection attacks expose deep security gaps in AI agent systems.

Brave Software has uncovered a security flaw in Perplexity AI’s Comet browser that showed how attackers could trick its AI assistant into leaking private user data.

In a proof-of-concept demo published August 20, Brave researchers identified hidden instructions inside a Reddit comment. When Comet’s AI assistant was asked to summarize the page, it didn’t just summarize—it followed the hidden commands.

Perplexity disputed the severity of the finding. A spokesperson told Decrypt the issue “was patched before anyone noticed” and said no user data was compromised. “We have a pretty robust bounty program,” the spokesperson added. “We worked directly with Brave to identify and repair it.”



Brave, which is developing its own agentic browser, maintained that the flaw remained exploitable weeks after the patch and argued Comet’s design leaves it open to further attacks.

Brave said the vulnerability comes down to how agentic browsers like Comet process web content. “When users ask it to summarize a page, Comet feeds part of that page directly to its language model without distinguishing between the user’s instructions and untrusted content,” the report explained. “This allows attackers to embed hidden commands that the AI will execute as if they were from the user.”

Prompt injection: old idea, new target

This type of exploit is known as a prompt injection attack. Instead of tricking a person, it tricks an AI system by hiding instructions in plain text.

“It’s similar to traditional injection attacks—SQL injection, LDAP injection, command injection,” Matthew Mullins, lead hacker at Reveal Security, told Decrypt. “The concept isn’t new, but the method is different. You’re exploiting natural language instead of structured code.”

Security researchers have been warning for months that prompt injection could become a major headache as AI systems gain more autonomy. In May, Princeton researchers showed how crypto AI agents could be manipulated with “memory injection” attacks, where malicious information gets stored in an AI’s memory and later acted on as if it were real.

Even Simon Willison, the developer credited with coining the term prompt injection, said the problem goes far beyond Comet. “The Brave security team reported serious prompt injection vulnerabilities in it, but Brave themselves are developing a similar feature that looks doomed to have similar problems,” he posted on X.

Shivan Sahib, Brave’s vice president of privacy and security, said its upcoming browser would include “a set of mitigations that help reduce the risk of indirect prompt injections.”

“We’re planning on isolating agentic browsing into its own storage area and browsing session, so that a user doesn’t accidentally end up granting access to their banking and other sensitive data to the agent,” he told Decrypt. “We’ll be sharing more details soon.”

The bigger risk

The Comet demo highlights a broader problem: AI agents are being deployed with powerful permissions but weak security controls. Because large language models can misinterpret instructions—or follow them too literally—they’re especially vulnerable to hidden prompts.

“These models can hallucinate,” Mullins warned. “They can go completely off the rails, like asking, ‘What’s your favorite flavor of Twizzler?’ and getting instructions for making a homemade firearm.”

With AI agents being given direct access to email, files, and live user sessions, the stakes are high. “Everyone wants to slap AI into everything,” Mullins said. “But no one’s testing what permissions the model has, or what happens when it leaks.”
