API security

GPS locations of K-12 students and parent contact info could be pulled from the Parent Portal API.

Mobile banking users in Indonesia, Vietnam, and Thailand have been targeted in attacks deploying the novel FjordPhantom Android banking trojan.

Default passwords enabled the Iranian-linked APT to compromise Israeli-made control systems at water and wastewater facilities, a public aquarium and a brewery.

One of the seven security updates Google released Nov. 28 for its Chrome browser is under active exploitation in the wild.

Cybersecurity firm NSFOCUS has identified a new advanced persistent threat actor group named DarkCasino, which was behind the attacks that exploited a zero-day flaw in the WinRAR archiving tool, The Hacker News reports.

SecurityWeek reports that more than 17,000 WordPress sites, including 9,000 sites vulnerable to the recently addressed TagDiv Composer front-end page builder plugin flaw, tracked as CVE-2023-3169, have been infected as part of the long-running Balada Injector campaign.

Poor practices and quick shortcuts are at the root of passwordless vulnerabilities and undetectable software flaws, two researchers said at the BSides Las Vegas security conference.