All news with #information disclosure tag

41 articles

Bank Pixel Redirects Logged-In Users to Temu Tracker

🔍 A Taboola tracking pixel approved by a bank silently redirected authenticated users to a Temu tracking endpoint without the bank's knowledge, user consent, or any security control flagging a violation. Reflectiz discovered the chain during a February 2026 audit: an initial GET to sync.taboola.com returned a 302 to a temu.com pixel and included Access-Control-Allow-Credentials: true, enabling credentialed cross-origin requests. Conventional tools missed the behavior because they validate the declared script origin rather than runtime redirect destinations. Organizations should inspect browser runtime behavior, tighten CSPs, and consider sandboxing third-party scripts on authenticated pages.
LinkedIn scans 6,000+ Chrome extensions, gathers device info

🔍 A new report named BrowserGate alleges that LinkedIn injects hidden JavaScript into user sessions to probe browsers for installed extensions and collect device characteristics. BleepingComputer independently observed a randomized script that attempted to detect 6,236 extensions by checking extension resource URLs and also harvested CPU, memory, screen, timezone, battery, audio, and storage details. LinkedIn says it looks for extensions that scrape content or violate its Terms and uses detection to inform defenses and enforcement, while the report warns this scanning could map competitors' customers and enable profiling. The use and sharing of the collected data have not been independently verified.
LinkedIn's Hidden Script Scans 6,000+ Chrome Extensions

🔍 LinkedIn was found to inject hidden JavaScript that fingerprints visitors' browsers, testing for over 6,000 Chrome extensions and collecting device and system details such as CPU cores, memory, screen resolution, timezone, battery status, audio information, and storage features. Researchers say the script links extension presence to identifiable profiles; LinkedIn confirms extension detection but insists it is used to stop scraping and protect platform stability. BleepingComputer observed a randomized script file performing the checks but could not verify claims about downstream sharing or commercial use.
Vertex AI P4SA Permissions Flaw Exposes Google Cloud Data

🔒 Unit 42 disclosed a permissions flaw in Vertex AI where the default Per-Project, Per-Product Service Agent (P4SA) can expose credentials and OAuth scopes via the metadata service. Researchers showed attackers could use those credentials to pivot into customer projects, read Google Cloud Storage buckets, and download images from restricted Artifact Registry repositories. Google updated docs and advises using BYOSA and least-privilege scopes; organizations should validate agent permissions before deployment.
Lloyds Glitch Exposed Personal Data of 447,936 Customers

⚠️ A software defect introduced during a routine overnight update on 12 March at Lloyds Banking Group briefly exposed transactions and account information belonging to as many as 447,936 customers across Lloyds, Halifax and Bank of Scotland mobile apps. Approximately 114,182 users clicked transactions that displayed other customers' details, which could include payment references and national insurance numbers. The bank reported the issue to regulators within required timeframes, paid £139,000 to 3,625 customers in compensation, and said it found no evidence of financial loss or fraud.
Automated Logic WebCTRL BACnet Vulnerabilities — Mar 2026

🔒 CISA warns of multiple high‑severity vulnerabilities in Automated Logic WebCTRL servers that could allow attackers to read, intercept, or modify BACnet communications. Known affected releases include versions earlier than v8.5, and WebCTRL 7 is end‑of‑life and unsupported. The advisory describes three CVEs — CVE-2026-25086 (port binding impersonation), CVE-2026-32666 (BACnet packet spoofing), and CVE-2026-24060 (cleartext transmission, CVSS 9.1) — and urges operators to upgrade to supported releases with BACnet/SC, implement TLS/mutual authentication where available, and apply network segmentation, access controls, and vendor secure configuration best practices to reduce exposure.
Schneider Electric EcoStruxure DCE: Hard-Coded Credentials

🔒 Schneider Electric disclosed a hard‑coded credentials vulnerability in EcoStruxure IT Data Center Expert (DCE) that can lead to information disclosure and remote compromise when the SOCKS Proxy feature is enabled. Exploitation requires administrative access plus knowledge of PostgreSQL credentials; SOCKS Proxy is disabled by default. The issue is tracked as CVE‑2025‑13957 with a CVSS v3.1 base score of 7.2. Administrators should apply vendor updates or implement interim mitigations per the vendor handbook.
CISA Flags Actively Exploited Wing FTP Info Leak Patch

⚠️ CISA has added a medium-severity information-disclosure bug, CVE-2025-47813, affecting Wing FTP to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw can leak the application's installation path when a long value is supplied in the UID session cookie and impacts versions up to 7.4.3. Vendor fixes were released in May with Wing FTP 7.4.4, which also addresses a separate critical RCE (CVE-2025-47812). Federal agencies are advised to apply updates by March 30, 2026.
CISA Adds KEV Entry for Wing FTP Server Vulnerability

🛡️ CISA has added CVE-2025-47813, an information disclosure vulnerability affecting Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is frequently abused by threat actors and poses a notable risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV items by the specified due dates. CISA urges all organizations to prioritize timely remediation as part of standard vulnerability management.
March Patch Tuesday: High-Severity Microsoft Office Flaws

🛡️ Microsoft’s March Patch Tuesday addresses 78 vulnerabilities, led by three high-severity flaws in Microsoft Office, including an Excel information-disclosure bug (CVE-2026-26144) and two remote-code-execution issues (CVE-2026-26113, CVE-2026-26110). While Microsoft reports no known zero-day exploitation, experts urge expedited patching, restricting outbound Office traffic, and limiting AI automation such as Copilot Agent to mitigate potential silent exfiltration and preview-pane attack vectors.
Android Mental Health Apps Found with Security Flaws

⚠️ Security researchers found widespread vulnerabilities across ten Android mental-health apps that together exceed 14.7 million installs and could expose highly sensitive therapy and medical data. Oversecured's scans from January 22–23, 2026 identified 1,575 issues — 54 high-, 538 medium-, and 983 low-severity — which could enable credential interception, HTML injection, spoofing, and location leaks. Findings include use of Intent.parseUri() on external input, plaintext API endpoints and hardcoded Firebase URLs, insecure token generation with java.util.Random, and overly permissive local file access.
Side-Channel Attacks Expose Metadata Leakage in LLMs

🔎 Three recent papers show that encrypted LLM traffic can leak sensitive information through timing, packet-size, and speculative-decoding side channels. The studies demonstrate that attackers can infer conversation topics, fingerprint prompts, and in some cases recover PII or confidential datastore tokens on open-source and production systems. The authors evaluate mitigations such as padding, batching, and token aggregation, but find trade-offs and no complete solution yet.
ZOLL ePCR iOS App Vulnerability Exposes Local Data

🔒 The ZOLL ePCR iOS mobile application (version 2.6.7) contains a WebView input-sanitization flaw (CVE-2025-12699) that can reflect attacker-controlled strings into rendered HTML/JavaScript. Proof-of-concept testing shows injected scripts may read local application files, potentially exposing device telemetry and protected health information (PHI). CISA assigns a CVSS v3.1 base score of 5.5 (MEDIUM), notes the issue is not remotely exploitable, and reports no known public exploitation. ZOLL decommissioned the iOS app in May 2025 and has no replacement planned.
AVEVA PI to CONNECT Agent Log Information Exposure

⚠️ AVEVA reported that PI to CONNECT Agent (<=v2.4.2520) contains a vulnerability that can record sensitive proxy connection details in event logs. An attacker with local Event Log Reader (S-1-5-32-573) privileges could extract proxy URLs and credentials from those logs and gain unauthorized access to the proxy server. The issue is not remotely exploitable; the vendor’s fix is v2.5.2790 or later. Users should review and sanitize logs, rotate proxy credentials, avoid plain-text passwords in proxy URLs, and restrict Event Log Reader privileges.
Researcher Shows Private Instagram Profiles Leaking

🔍 A security researcher published evidence that some Instagram private profiles returned links to user photos and captions inside the page HTML, making them visible to unauthenticated visitors on certain mobile devices. Researcher Jatin Banga showed the polaris_timeline_connection JSON object embedded encoded CDN links pointing to images that should have been private. In tests of private accounts he controlled or had permission to use, about 28% exposed captions and CDN links. Banga reported the issue to Meta on October 12, 2025; Meta later closed the report as "not applicable" and did not provide a root-cause analysis, though the behavior ceased roughly October 16.
Schneider Electric Foxboro DCS Intel Side-Channel Issue

⚠️ Schneider Electric published an advisory about a side‑channel vulnerability disclosed by Intel (CVE-2018-12130) that affects EcoStruxure Foxboro DCS Virtualization Server (V91) and Standard Workstation (H92). An authenticated user with local access could exploit the CPU issue to enable information disclosure, risking loss of system functionality or unauthorized access. Schneider Electric directs customers to migrate to updated server (V95) and workstation (Dell D96) hardware or, if immediate migration is not feasible, to apply BIOS and OS security patches and follow layered defense-in-depth recommendations.
MongoBleed (CVE-2025-14847): Critical MongoDB Memory Leak

🔴 On Dec. 19, 2025, MongoDB disclosed MongoBleed (CVE-2025-14847), a critical unauthenticated memory-disclosure flaw in MongoDB Server stemming from its handling of zlib-compressed wire messages. An attacker with network access to TCP/27017 can cause the server to return heap memory that may include cleartext credentials, API keys, session tokens, and PII. A public PoC and active exploitation were observed; MongoDB Atlas was auto-patched, while self-hosted deployments require immediate manual updates and mitigations such as disabling zlib compression and restricting inbound access.
Hidden Telegram proxy links can expose your IP in one click

🔒 Researchers showed that tapping what looks like a Telegram username can trigger the app to auto-connect to a proxy and reveal your real IP address. The issue arises from how MTProto proxy links (t.me/proxy?...) are parsed on Android and iOS: the client performs an automatic test connection before the proxy is added. Attackers can host malicious proxies and disguise links as benign usernames or URLs to log IPs for location, profiling, or DDoS. Telegram says IP visibility is not unique to its platform and will add warnings for proxy links; users should be cautious with unfamiliar t.me links.
BreachForums User Database Leak Exposes 324,000 Accounts

🔐 A backup of the BreachForums MyBB users table and an associated PGP key were published in a 7-Zip archive, exposing 323,988 account records and administrator key material. The leaked archive includes a databoose.sql users table and a passphrase-protected PGP private key; without the passphrase the key cannot be used to sign messages. Analysis found most IPs were set to a local loopback address (127.0.0.9), but roughly 70,296 records map to public IPs, creating OPSEC risks for affected users and potential intelligence value for law enforcement. The forum administrator acknowledged the leak, saying the files were temporarily left in an unsecured folder during recovery and recommending disposable email addresses for members.
MongoDB zlib Flaw Lets Unauthenticated Clients Read Heap

🔒 A high-severity vulnerability in MongoDB can allow unauthenticated clients to read uninitialized heap memory by exploiting mismatched length fields in zlib-compressed protocol headers. Tracked as CVE-2025-14847 with a CVSS score of 8.7, the flaw stems from improper handling of inconsistent length parameters. It affects a broad set of releases from 3.6 through 8.2, and MongoDB has published fixes (including 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30); administrators unable to upgrade immediately are advised to disable zlib compression or restrict compressors to snappy or zstd.