
All news with #security misconfiguration tag


Security Analysis of Password Managers and Server Risks

🔒 New research examines whether cloud-based password managers can be misused by those controlling servers. Researchers reverse-engineered and closely analyzed Bitwarden, Dashlane, and LastPass, finding that features such as account recovery, shared vaults, and group organization can be abused so a server operator or a compromised server can extract credentials or entire vaults. The study also describes protocol-level attacks that can weaken encryption, potentially converting ciphertext into plaintext. The author contrasts these cloud models with Password Safe, a local-only manager that avoids recovery features and the cloud.

PayPal Discloses Data Breach Exposing Users' Personal Data

🔓 PayPal is notifying customers that a software error in its PayPal Working Capital loan application exposed sensitive personal information, including Social Security numbers, for nearly six months. The company says the issue, present from July 1 to December 13, 2025, was caused by a code change that was rolled back after discovery on December 12. PayPal has reset passwords for affected accounts, refunded unauthorized transactions for some users, and is offering two years of Equifax credit monitoring.

Microsoft anti-phishing rules mistakenly blocked URLs

⚠️ Microsoft says a software error in its email security system incorrectly flagged thousands of legitimate URLs as phishing links, preventing users from opening messages across Exchange Online and Teams. The issue, which began on February 5 and persisted until February 12, caused some emails to be quarantined and generated false "potentially malicious URL click" alerts for administrators. Microsoft traced the fault to a logic error in heuristic detection rules intended to catch credential phishing and said it will publish a final report after full remediation.

Abandoned Outlook Add-in Hijacked to Phish 4,000 Users

⚠️ Koi Security found that an abandoned Outlook add-in, AgreeTo, was hijacked to run phishing kits that captured roughly 4,000 Microsoft account credentials. The attacker claimed an orphaned Vercel subdomain referenced in the add-in’s XML manifest and replaced live content with a fake sign-in page while retaining mailbox permissions. Microsoft had validated and signed the original manifest but does not re-review hosted content fetched at runtime. Users should remove AgreeTo and reset affected passwords immediately.

New York Proposal Would Add Surveillance to 3D Printers

⚠️ New York’s 2026–2027 executive budget bill proposes a blocking technology requirement for all 3D printers sold or delivered in the state. The provision would require firmware or software to scan every print file with a firearms blueprint detection algorithm and refuse prints flagged as potential firearms or components. While intended to curb illicit weapon production, critics say it resembles DRM, will be technically ineffective, and would impose significant burdens on makers, educators, and small manufacturers.

Exposed Training Apps Open Cloud Accounts to Abuse

🔓 Pentera Labs identified nearly 2,000 intentionally vulnerable training and demo applications exposed on public cloud infrastructure, many linked to active cloud identities and overly permissive roles. Tools such as OWASP Juice Shop and DVWA were frequently deployed with default settings and minimal isolation, allowing attackers to install crypto-miners, webshells, and persistence tooling. The findings warn that labeling environments as training does not remove their real-world risk when they are publicly accessible and integrated with privileged cloud accounts.

Microsoft Adds Mobile-Style Permission Prompts to Windows

🔐 Microsoft will introduce smartphone-style permission prompts in Windows 11 to request user consent before apps access sensitive resources such as files, cameras, and microphones. The company is also launching a Windows Baseline Security Mode to enable runtime integrity safeguards by default while still permitting targeted overrides for specific apps. These changes are part of the Secure Future Initiative and will roll out in phases with developer, enterprise, and ecosystem feedback. Users and IT administrators will be able to view, grant, or revoke app permissions and will receive clearer prompts when apps attempt to install unwanted software or access protected data.

Retiring OT Experts Create Cybersecurity Knowledge Loss

🏭 The imminent retirement of experienced OT staff is causing a widespread loss of institutional knowledge that directly threatens operational continuity and cybersecurity in industrial environments. Successors often inherit undocumented legacy systems, hidden VLANs, bespoke protocol tweaks and undocumented routing rules that were never captured in official diagrams. That mismatch increases the risk of outages during modernization, lengthens implementation timelines and can unintentionally expand the attack surface through misconfigured segmentation or firewalls. Prioritizing structured knowledge transfer, thorough documentation and OT-aware security practices helps reduce single points of failure and vendor dependence.

Microsoft January update shutdown bug affects more PCs

⚠️ Microsoft confirmed that a shutdown bug first reported on Windows 11 also affects Windows 10 devices with Virtual Secure Mode (VSM) enabled after recent January updates. The issue was initially tied to Windows 11 23H2 with KB5073455 and System Guard Secure Launch; emergency patches were issued shortly afterward. Affected users can temporarily force a shutdown using the command shutdown /s /t 0 while Microsoft prepares a broader fix.

Microsoft fixes Windows 11 bug hiding password icon

🔒 Microsoft has resolved a Windows 11 sign-in issue that caused the password icon to disappear from lock screen options after installing August 2025 updates and later. Affected users with multiple sign-in methods could still sign in by hovering over the placeholder to reveal the hidden button. The fix is included in the optional January 2025 KB5074105 preview update released January 29; install via Settings > Windows Update or the Microsoft Update Catalog.

NationStates Confirms Data Breach, Temporarily Shuts Site

🔒 NationStates has confirmed a data breach after taking its browser-based game offline following a player-reported vulnerability that resulted in remote code execution on the production server. The attacker exploited a double-parsing and input sanitization flaw in the Dispatch Search feature to copy application code and user data, including email addresses, MD5 password hashes, login IPs, and browser User-Agent strings. NationStates says telegram contents were likely partially exposed, is wiping and rebuilding the production environment, has reported the incident to authorities, and expects service to be restored within two to five days.

Microsoft Links Windows 11 Boot Failures to Dec 2025 Update

⚠️ Microsoft says recent Windows 11 boot failures following the January 2026 cumulative update are tied to earlier failed attempts to install the December 2025 security update, which left some systems in an "improper state." After applying KB5074109, affected devices showed a BSOD with stop error UNMOUNTABLE_BOOT_VOLUME. Microsoft is working on a partial resolution to prevent new no-boot cases, but it warns this fix will not repair devices already unable to boot or stop systems from entering the improper state. The company also says the issue appears limited to physical machines.

Microsoft Investigates Windows 11 Boot Failures in January

⚠️ Microsoft is investigating reports that some Windows 11 devices fail to boot with the UNMOUNTABLE_BOOT_VOLUME stop error after installing the January 13, 2026 cumulative update KB5074109. Affected systems running Windows 11 25H2 and all editions of 24H2 display a black crash screen and cannot start without manual recovery. Microsoft says only physical devices are impacted so far and asks affected users to submit feedback via the Feedback Hub. The company also released emergency out-of-band updates to address an Outlook PST cloud storage freeze.

AI-Generated Honeypot Reveals Risks of Overtrusting

🧰 Intruder used AI to draft a honeypot for its Rapid Response service and deployed it as intentionally vulnerable infrastructure. Weeks later logs revealed attacker payloads where IP addresses should be, exposing that the AI trusted client-supplied IP headers. Static tools like Semgrep and Gosec did not flag the issue; the flaw required contextual human judgement. The incident underscores risks of over-relying on AI-generated code and the need to adapt code review and CI/CD practices.

Misconfigured Demo Environments Become Cloud Backdoors

🔒 New research from Pentera Labs shows that internal testing, demo, and training applications left in default or misconfigured states are being used as entry points into enterprise cloud environments. The team found popular vulnerable apps such as Hackazon, DVWA, and OWASP Juice Shop exposed on major cloud platforms and sometimes tied to overly permissive IAM roles. Attackers have leveraged these exposures to deploy crypto miners, webshells, and persistence mechanisms; Pentera recommends inventorying assets, enforcing least privilege, isolating labs from production, and expiring temporary test environments.

Azure Private Endpoint DNS Risks Can Cause Service DoS

🔒 Unit 42 researchers discovered an Azure Private Endpoint DNS behavior that can unintentionally or deliberately produce denial-of-service conditions for Azure services. In several scenarios — accidental internal, accidental vendor, and malicious actor — linking a Private DNS zone to a virtual network can force name resolution to the private zone and fail when no A record exists, breaking connectivity to otherwise public endpoints. Microsoft documents a partial mitigation (fallback to internet); alternatives include manually adding DNS records and performing comprehensive discovery with Resource Graph.

Mitigating the Y2K38 Vulnerability in Organizations

⚠️ Organizations should treat the Y2K38 'Epochalypse' as an actionable vulnerability with a fixed deadline: 19 January 2038 at 03:14:07 UTC. Caused by 32‑bit signed Unix epoch counters overflowing, it can roll devices back to 1901 and disrupt payments, medical equipment, industrial control, and certificate validation. Effective mitigation requires a comprehensive inventory, vendor coordination, isolated testing, and migration to 64‑bit time or replacement.

ACME HTTP-01 Path Flaw Temporarily Disabled WAF Rules

🔒 Cloudflare patched a logic flaw in its ACME HTTP-01 handling that could disable certain WAF protections for specific challenge paths. The issue was reported by researchers from FearsOff through Cloudflare’s bug bounty program on October 13, 2025, and affected requests to /.well-known/acme-challenge/*. In some cases, challenge requests could reach customer origins when they should have been blocked because WAF features were incorrectly disabled. Cloudflare implemented a code change to ensure WAF disabling only occurs when Cloudflare will serve a valid ACME challenge response; no customer action is required and there is no known abuse.

Google Confirms Android Bug Affecting Volume Keys on Devices

🔊 Google acknowledged a software bug that causes volume buttons to control the device's Accessibility volume instead of the Media volume when the Select to Speak accessibility service is enabled. The issue also prevents using volume keys as a shutter shortcut in the Camera app. Google has not specified which Android versions or how many users are affected, nor provided an ETA for a permanent fix. A temporary workaround is to disable Select to Speak via Settings → Accessibility.

IDHS Privacy Misconfiguration Exposes Data of 700K Residents

🔒 The Illinois Department of Human Services (IDHS) said that misconfigured privacy settings on a public mapping website exposed personal and health-related information for nearly 700,000 residents. Maps intended for internal resource planning were publicly accessible for years, revealing addresses, case numbers, demographics, and plan names for many Medicaid and Medicare Savings Program recipients, and additional identifying details for some rehabilitation services customers. IDHS restricted access, reviewed exposed maps, blocked future uploads of identifiable customer data to public mapping platforms, and has notified affected individuals and regulators.