Tag: Cloud Security
Popular open source shopping cart app Zen Cart is warning its users of dozens of cross-site scripting vulnerabilities found in its software. Affected websites, security experts say, risk exposing customers to malware, theft of cookie data and site defacement. Researchers at the security firm Trustwave discovered the vulnerabilities in September 2015 and have worked closely...
Security researchers are applauding the FBI and the National Highway Traffic Safety Administration for warning the auto industry that cars and trucks are vulnerable to internet-based attacks. But, they argue, more needs to be done by the government and car makers to protect drivers. Last week, in a joint public service announcement, the FBI and NHTSA...
Despite the rush to patch systems at risk from the massive transport layer security (TLS) vulnerability known as DROWN, hundreds of cloud services are still at risk of attack. According to two independent research firms, Netskope and Skyhigh Networks, a week after the vulnerability was identified DROWN still presents a high risk to companies. Skyhigh...
Anand Prakash could have hacked your Facebook account or anyone else’s. The India-based security researcher found a glaring password-reset vulnerability last month that allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force password attack. But instead of pillaging accounts for financial data, Prakash reported his findings to Facebook...
Cisco Systems issued a “critical” patch on Wednesday for its Nexus 3000 and 3500 series switches that allow remote attackers to access default account and static password information on affected hardware. The vulnerability could allow an unauthenticated user to log in to the affected system with the privileges of a root user. The account is...
Last month, when researcher Troy Hunt argued the dangers of insecure APIs at a security workshop, little did he know hours later he would discover an API vulnerability that allowed remote access to onboard computers of 200,000 Nissan Leaf and eNV200 electric automobiles. “After talking about the way applications can sometimes get APIs wrong, a...
Xen Project dropped the ball on two important security patches when it released a maintenance update for its popular hypervisor software on Tuesday. On its company blog today, Xen acknowledged what it called an “oversight” and attempted to explain what went wrong. However, absent from its updated blog is a date that Xen Project expects to...
Cloud-based webhost Linode absorbed another body blow on Tuesday when it said it was resetting customer passwords after a suspected breach. The development compounded the company’s existing woes as it continues to battle a distributed denial-of-service attack that began on Christmas. A Linode representative said late Tuesday its executives were unavailable for comment and that...
A new run of Spy Banker banking malware infections has been targeting Portuguese-speaking victims in Brazil. While Spy Banker is an old threat, dating back to 2009 according to some security companies, the latest wrinkle attackers are taking is a new one. The campaign, spotted by researchers at Zscaler, spreads primarily over social media—Facebook for...