Thousands of websites are accidentally broadcasting sensitive data, study finds

Researchers have discovered a major security leak hiding in plain sight on the internet that could expose the personal data and financial records of millions of people. In a paper published on the arXiv preprint server, Nurullah Demir of Stanford University and colleagues analyzed 10 million websites to see how often API (application programming interfaces) credentials are exposed. These are digital keys or tokens that enable different software programs to communicate and are often used to process bank payments and access cloud storage.

The team used a huge database called the HTTP Archive, which tracks how millions of real websites work. They looked at live, running versions of sites to monitor how data is processed as pages load.

By examining the websites while they were active, the researchers identified API credentials that appear only when a user visits a site. These credentials are specific strings of text that a website uses to identify itself to services like banks or cloud providers.

GitHub adds AI-powered bug detection to expand security coverage

GitHub is adopting AI-based scanning for its Code Security tool to expand vulnerability detections beyond the CodeQL static analysis and cover more languages and frameworks.

The developer collaboration platform says that the move is meant to uncover security issues “in areas that are difficult to support with traditional static analysis alone.”

CodeQL will continue to provide deep semantic analysis for supported languages, while AI detections will provide broader coverage for Shell/Bash, Dockerfiles, Terraform, PHP, and other ecosystems.

PolyShell attacks target 56% of all vulnerable Magento stores

Attacks leveraging the ‘PolyShell’ vulnerability in version 2 of Magento Open Source and Adobe Commerce installations are underway, targeting more than half of all vulnerable stores.

According to eCommerce security company Sansec, hackers started exploiting the critical PolyShell issue en masse last week, just two days after public disclosure.

“Mass exploitation of PolyShell started on March 19th, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec says.

Physicists just turned glass into a powerful quantum security device

Scientists have turned simple glass into a powerful quantum communication device that could safeguard data against future quantum attacks. The chip combines stability, speed, and versatility—handling both ultra-secure encryption and record-breaking random number generation in one compact system.

Superconducting chip generates tunable terahertz waves for compact imaging

A tiny crystal chip which uses terahertz radiation to see clearly through a wide range of materials could find applications in health care, biological research, and security screening. Researchers from Scotland and Japan have developed a lightweight superconducting chip, which they say could unlock the full potential of terahertz imaging technologies and lead to the development of more powerful and portable devices.

The team’s paper, titled “Terahertz Imaging System with On-Chip Superconducting Josephson Plasma Emitters for Nondestructive Testing,” is published in IEEE Transactions on Applied Superconductivity.

Terahertz radiation lies between the microwave and infrared frequencies of the electromagnetic spectrum. It passes easily and harmlessly through a wide range of materials, and can be used to identify the characteristic “fingerprint” of molecules and biological materials as it does so, allowing them to be detected and analyzed.

New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores

A newly disclosed vulnerability dubbed ‘PolyShell’ affects all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover.

There are no signs of the issue being actively exploited in the wild, but eCommerce security company Sansec warns that “the exploit method is circulating already” and expects automated attacks to start soon.

Adobe has released a fix, but it is only available in the second alpha release for version 2.4.9, leaving production versions vulnerable. Sansec says that Adobe offers a “sample web server configuration that would largely limit the fallout,” but most stores rely on a setup from their hosting provider.

New “Darksword” iOS exploit used in infostealer attack on iPhones

A new exploit kit for iOS devices and delivery framework dubbed “DarkSword” has been used to steal a wide range of personal information, including data from cryptocurrency wallet apps.

DarkSword targets iPhones running iOS 18.4 through 18.7 and is linked to multiple actors, including UNC6353, suspected to be Russian, who used the Coruna exploit chain disclosed earlier this month.

Researchers at mobile security company Lookout discovered DarkSword while investigating the infrastructure used for the Coruna attacks. Google’s Threat Intelligence Group and iVerify also collaborated for a more comprehensive analysis of this previously unknown threat and the adversaries leveraging it.

Apple pushes first Background Security Improvements update to fix WebKit flaw

Apple has released its first Background Security Improvements update to fix a WebKit flaw tracked as CVE-2026-20643 on iPhones, iPads, and Macs without requiring a full operating system upgrade.

The CVE-2026-20643 flaw allows malicious web content to bypass the browser’s Same Origin Policy.

Apple says the flaw is a cross-origin issue in the Navigation API that was addressed with improved input validation.