Did you know #Project2025 calls for “the entirety of the CISA #Cybersecurity Advisory Committee should be dismissed on Day One.” (page 155).

If you like being able to use computers (or do anything with organizations that use computers, including have your vote counted in elections) that’s a very bad idea.

#infosec #security #USpol #politics #political

Threat actor #emo, who has the nerve to claim he answers to God while robbing people, said "unsecured API endpoint used to steal the data provided an easy way to verify each impacted user's email address, name, and phone number."

More than 400,000 #Life360 user phone numbers leaked via unsecured API https://www.bleepingcomputer.com/news/security/over-400-000-life360-user-phone-numbers-leaked-via-unsecured-android-api/ @BleepingComputer @serghei #infosec #cybersecurity

It has been a while since I’ve written about Avast, so today I give you “How insecure is Avast Secure Browser?”

https://palant.info/2024/07/15/how-insecure-is-avast-secure-browser/

Note: This isn’t a vulnerability disclosure, merely an overview of problematic design decisions.

TL;DR from the article: I wouldn’t run Avast Secure Browser on any real operating system, only inside a virtual machine containing no data whatsoever.

Some highlights:

• Eleven pre-installed browser extensions but only two visible to users.
• Two extensions unnecessarily relax Content-Security-Policy protection.
• One of these two extensions also requesting all privileges possible, despite not actually using them.
• Two extensions accept messages from any other extension and any Avast website, the latter without enforcing HTTPS connections.
• One of these extensions, Privacy Guard (sic!), will expose information about your browser’s tabs via that messaging interface and provide updates as you browse the web.
• The “onboarding” experience is designed as an extremely flexible way to nag you into using products that benefit Avast financially.
• To make this “onboarding” work, the browser exposes internal APIs to a number of Avast domains that a huge number of third parties can put content on. Not only can each of these third parties abuse this access, a single XSS vulnerability will extend the access to any website on the internet (no effective CSP protection).

Enjoy!

#avast #avg #avira #ccleaner #securebrowser #infosec

How insecure is Avast Secure Browser?

Another look into Avast Secure Browser shows a massive attack surface, with some issues mentioned five years ago only partially addressed, all while new ways to attack the browser have been added.

^{Almost Secure}

Doxing kann euer Leben auf den Kopf stellen: Zum Beispiel, wenn plötzlich eure Adresse öffentlich einsehbar ist und ihr euch dadurch bedroht fühlt oder unerwünschte Post bekommt. Seid darum vorsichtig mit persönlichen Informationen online und haltet sensible Daten geheim. Wir zeigen heute, wie es geht! 🔒

#DeutschlandDigitalSicherBSI #IT #ITSicherheit #Sicherheit #CyberSecurity #ITSecurity #InfoSec #CyberCrime