Facebook on Thursday patched a pair of vulnerabilities that enabled brute-force attacks against Instagram passwords, and also hardened its password policy. Researcher Arne Swinnen privately disclosed the flaws in December and in February respectively. One bug was patched in February, while the other went through two rounds of fixes before the issue was resolved on...

If you’ve been to DEF CON or any number of other technical hacker conferences, you’re familiar with Capture the Flag contests. These events pit teams of hackers and researchers against each other in a series of challenges until a winner is determined. Capture the Flag is also a valuable teaching tool, providing some with hands-on...

Accessing Facebook over Tor may seem to be a contradiction, but apparently that’s not the case for a million or so users of the anonymity service. Facebook on Friday said that in April, for the first time, there were more than one million people accessing Facebook over Tor in a 30-day period. As a comparison...

WhatsApp’s addition of end-to-end encryption is a good start, but does not present users with a complete solution that protects against the prying eyes of intrusive governments and nosey third-parties. That’s the consensus among privacy and security experts that commend Facebook-owned WhatsApp for flipping the switch on end-to-end encryption for its one billion users worldwide....

Facebook was quick to fix an issue earlier this month that could’ve let an attacker break into four percent of all active, locked Instagram accounts, meaning it affected approximately one million users. Belgium-based IT security consultant Arne Swinnen discovered the issue two weeks ago when he stumbled upon two bugs, a combination of missing authentication and an insecure...

Anand Prakash could have hacked your Facebook account or anyone else’s. The India-based security researcher found a glaring password-reset vulnerability last month that allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force password attack. But instead of pillaging accounts for financial data, Prakash reported his findings to Facebook...

Yahoo has announced it will follow in the footsteps of Twitter and Facebook and begin warning users when it believes their accounts have been targeted by a state-sponsored actor. Bob Lord, who was hired as the company’s new CISO in October, discussed the initiative in a blog post Monday. Lord said Yahoo will only notify users...

Google has announced its timeline for deprecating SHA-1 certificates, despite concerns expressed recently that sunsetting the broken encryption hashing algorithm will disconnect millions from the Internet. SHA-1’s demise has been accelerated in recent months since researchers published a paper explaining that practical collision attacks could be months, instead of years, away. Google, on Friday, announced...

A security researcher is in a bit of a scrum with Facebook over vulnerability disclosures that not only tested the boundaries of the social network’s bug bounty program, but also prompted threats of legal and criminal action. Wesley Wineberg, a contract employee of security company Synack, said today in a personal blogpost and in emails...