Security

PayPal Accounts Are Getting Abused En-masse For Unauthorized Payments (zdnet.com) 34

Hackers have found a bug in PayPal's Google Pay integration and are now using it to carry out unauthorized transactions via PayPal accounts. From a report: Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account. Issues have been reported on numerous platforms, such as PayPal's forums, Reddit, Twitter, and Google Pay's Russian and German support forums. Victims reported that hackers abused Google Pay accounts to buy products using linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US stores, and especially at Target stores across New York. Most of the victims appear to be German users.
Security

HackerOne's Bug Bounties Skyrocketed To $40 Million in 2019 (venturebeat.com) 6

Bug bounty platform HackerOne paid out $40 million in bounties in 2019, roughly equal to the total for all previous years combined. From a report: Moreover, the company announced that its community almost doubled in the past year to 600,000 registered hackers. The announcement comes as the cybersecurity industry struggles with a workforce shortage, which is in turn compounded by growing cyberattacks that could cost the industry $6 trillion by 2021. As companies invest significant resources in battling external threats, HackerOne aims to pay good actors to find bugs before bad actors enter the fray, reducing the need for costly remediation measures further down the line.

Founded in 2012, HackerOne essentially connects companies with security researchers, or "white hat hackers," who receive cash incentives to find and report software vulnerabilities. The San Francisco-based company has raised north of $100 million since its inception, including a $36.4 million tranche a few months back, and has paid out $82 million in bounties since its inception. According to HackerOne, U.S.-based hackers earned 19% of all bounties in 2019, followed by hackers in India (10%), Russia (8%), China (7%), Germany (5%), and Canada (4%). These figures were released as part of HackerOne's annual hacker report, which included a survey of 3,150 hackers.

Databases

Powerful Antibiotic Discovered Using Machine Learning For First Time (theguardian.com) 54

A powerful antibiotic that kills some of the most dangerous drug-resistant bacteria in the world has been discovered using artificial intelligence. The Guardian reports: To find new antibiotics, the researchers first trained a "deep learning" algorithm to identify the sorts of molecules that kill bacteria. To do this, they fed the program information on the atomic and molecular features of nearly 2,500 drugs and natural compounds, and how well or not the substance blocked the growth of the bug E coli. Once the algorithm had learned what molecular features made for good antibiotics, the scientists set it working on a library of more than 6,000 compounds under investigation for treating various human diseases. Rather than looking for any potential antimicrobials, the algorithm focused on compounds that looked effective but unlike existing antibiotics. This boosted the chances that the drugs would work in radical new ways that bugs had yet to develop resistance to.

Jonathan Stokes, the first author of the study, said it took a matter of hours for the algorithm to assess the compounds and come up with some promising antibiotics. One, which the researchers named "halicin" after Hal, the astronaut-bothering AI in the film 2001: A Space Odyssey, looked particularly potent. Writing in the journal Cell, the researchers describe how they treated numerous drug-resistant infections with halicin, a compound that was originally developed to treat diabetes, but which fell by the wayside before it reached the clinic. Tests on bacteria collected from patients showed that halicin killed Mycobacterium tuberculosis, the bug that causes TB, and strains of Enterobacteriaceae that are resistant to carbapenems, a group of antibiotics that are considered the last resort for such infections. Halicin also cleared C difficile and multidrug-resistant Acinetobacter baumannii infections in mice.
Three days after being set loose on a database of about 1.5 billion compounds, the algorithm returned a shortlist of 23 potential antibiotics, of which two appear to be particularly potent.

"[The senior researcher] now wants to use the algorithm to find antibiotics that are more selective in the bacteria they kill," adds The Guardian. "This would mean that taking the antibiotic kills only the bugs causing an infection, and not all the healthy bacteria that live in the gut. More ambitiously, the scientists aim to use the algorithm to design potent new antibiotics from scratch."
Bug

Bug In WordPress Plugin Can Let Hackers Wipe Up To 200,000 Sites (zdnet.com) 6

An anonymous reader quotes a report from ZDNet: WordPress site owners who use commercial themes provided by ThemeGrill are advised to update one of the plugins that come installed with these themes in order to patch a critical bug that can let attackers wipe their sites. The vulnerability resides in ThemeGrill Demo Importer, a plugin that ships with themes sold by ThemeGrill, a web development company that sells commercial WordPress themes. The plugin, which is installed on more than 200,000 sites, allows site owners to import demo content inside their ThemeGrill themes so they'll have examples and a starting point on which they can build their own sites.

However, in a report published yesterday, WordPress security firm WebARX says that older versions of the ThemeGrill Demo Importer are vulnerable to remote attacks from unauthenticated attackers. Remote hackers can send a specially crafted payload to vulnerable sites and trigger a function inside the plugin. The vulnerable function resets the site's content to zero, effectively wiping the content of all WordPress sites where a ThemeGrill theme is active, and the vulnerable plugin is installed. Furthermore, if the site's database contains a user named "admin," then the attacker is granted access to that user with full administrator rights over the site.

Windows

Warning: Microsoft Pulls Windows 10 Security Update After Reports of Serious Bugs (forbes.com) 103

Slashdot reader golden_donkey quotes Forbes: Are you booting up your Windows 10 machine and discovering you can't log in to your profile? It appears you're not alone. Reports are increasing across Twitter and Microsoft forums that following the most recent Patch Tuesday update (KB4532693), users are complaining that their profiles and desktop files are missing, and that custom icons and wallpaper have all been reset to their default state...

The KB4532693 update is allegedly causing much more serious headaches for some users. A newer report by Windows Latest cites multiple users in their comments section complaining that the data is nowhere to be found and allegedly not recoverable.

Microsoft has now "yanked KB4524244 from its update servers..." reports ZDNet, "after acknowledging reports of 'an issue affecting a sub-set of devices.'" Microsoft says customers who have successfully installed the update don't need to take any further steps. Those who have configured PCs to defer installation of updates by at least four days should also be unaffected.

For those who are experiencing issues related to this update, Microsoft recommends uninstalling the update.

Forbes also shared a video "on a related note." Its title? "How To Choose A Linux Distro That's Right For You..."
Bug

Car 'Splatometer' Tests Reveal Huge Decline In Number of Insects 130

An anonymous reader quotes a report from The Guardian: Two scientific studies of the number of insects splattered by cars have revealed a huge decline in abundance at European sites in two decades. The survey of insects hitting car windscreens in rural Denmark used data collected every summer from 1997 to 2017 and found an 80% decline in abundance. It also found a parallel decline in the number of swallows and martins, birds that live on insects.

The second survey, in the UK county of Kent in 2019, examined splats in a grid placed over car registration plates, known as a "splatometer." This revealed 50% fewer impacts than in 2004. The research included vintage cars up to 70 years old to see if their less aerodynamic shape meant they killed more bugs, but it found that modern cars actually hit slightly more insects. [...] The stream research, published in the journal Conservation Biology, analyzed weekly data from 1969 to 2010 on a stream in a German nature reserve, where the only major human impact is climate change. "Overall, water temperature increased by 1.88C and discharge patterns changed significantly. These changes were accompanied by an 81.6% decline in insect abundance," the scientists reported. "Our results indicate that climate change has already altered [wildlife] communities severely, even in protected areas."
Facebook

Facebook Accidentally Blacked Out an Entire Language (theverge.com) 26

On January 16th, Facebook users received an error message when posting in Jinghpaw, a language spoken by Myanmar's ethnic Kachin and written with a Roman alphabet. From a report: "We couldn't post this. Tap for more info," the message said. When clicking, a second appeared: "Your request couldn't be processed. There was a problem with this request. We're working on getting it fixed as soon as we can." A Facebook representative told The Verge that the issue was caused by "a bug in our language infrastructure," and coincided with the launch, the same day, of an updated language identification model supporting ten new languages, including Jinghpaw. The representative said Facebook fixed the issue within hours of receiving reports on January 17th. But while the disabling of Jinghpaw was not an active move of censorship, it alerted many Kachin people that Facebook had the capability to identify their language, an alarming thought for the embattled minority group. That realization has evoked a visceral reaction from the Kachin, and brought forth new calls for the company to be more transparent about its technology and the ways it will be used.
Privacy

Software Error Exposes the ID Numbers For 1.26 Million Danish Citizens (zdnet.com) 30

A software error in Denmark's government tax portal has accidentally exposed the personal identification (CPR) numbers for 1.26 million Danish citizens, a fifth of the country's total population. From a report: The error lasted for five years (between February 2, 2015, and January 24, 2020) before it was discovered, Danish media reported last week. The software error and the subsequent leak were discovered following an audit by the Danish Agency for Development and Simplification (Udviklings-og Forenklingsstyrelsen, or UFST). According to the UFST, the error occurred on TastSelv Borger, the Danish tax administration's official self-service portal where Danish citizens go to file and pay taxes online. Government officials said the portal contained a software bug whereby, every time a user updated account details in the portal's settings section, their CPR number would be added to the URL.
Microsoft

Suspicion and Anger Towards Microsoft Rises After Windows 10 Search Failure (forbes.com) 173

Earlier this week, searching in Windows 10 was broken, "with a black bar showing where search results should be, even for those who tried to perform a local search of their files." Microsoft issued a fix and blamed the issue on a "third-party networking fiber provider".

But unfortunately, Microsoft's fix isn't working for everyone -- and that's just the beginning. Long-time Slashdot reader Futurepower(R) shares Forbes' report: Second, and more worryingly, Microsoft's explanation doesn't add up and it has prompted serious questions to be asked about how the operating system works and what personal data it is sharing. Popular Microsoft pundit Woody Leonhard led the charge, writing: "If you believe that yesterday's worldwide crash of Windows 10 Search was caused by a bad third-party fiber provider, I have a bridge to sell you."

In an open letter to new Windows head Panos Panay, Susan 'Patch Lady' Bradley was similarly sceptical, noting that today "we all found out that our local search boxes are somehow dependent on some service working at Microsoft." She attacked the company for a lack of transparency and gave it a maximum 'Pinocchio score' for a lack of trust... Similarly, Engadget writer Richard Lawler revealed that users were now trying to hack the Windows 10 registry to disconnect their local file searches from Microsoft servers "and I can't say I blame them after this episode. Microsoft owes users a better explanation than this and should make sure it's impossible for offline features to get taken out when the cloud is having an issue."

In fact, Forbes writes that "the aforementioned Windows 10 registry hack appears to be the only 100% fix for this issue and it also disconnects Bing and Cortana online services from Windows 10 search."

And then on Saturday the Windows Latest blog also noticed that Microsoft's release notes for Windows 10 20H1 Build 19035 reveal that Microsoft is apparently now delaying the roll-out of a widely-anticipated "Optional Updates" option. "It appears that the new Optional updates experience will come out in October/November 2020, not this spring as previously planned."
Bug

Windows 7 Bug Prevents Users From Shutting Down Or Rebooting Computers (zdnet.com) 59

An anonymous reader writes: A weird bug of unknown origins has been hitting Windows 7 computers this week, according to multiple reports online. Windows 7 users have been reporting that they are receiving a popup message that reads "You don't have permission to shut down this computer" every time they attempt to shut down or reboot their systems...

Windows 7 reached official end of life (EOL) on January 14, 2020 and is not scheduled to receive new fixes. Last month, Microsoft made an exception to this rule when it provided a fix for a bug that broke wallpaper display for Windows 7 users. Seeing that rebooting or shutting down your computer is a more important OS feature than wallpaper support, Microsoft will most likely need to make another exception and deliver a second post-EOL update pretty soon.

Android

Google Fixes No-User-Interaction Bug In Android's Bluetooth Component (zdnet.com) 22

An anonymous reader quotes a report from ZDNet: Google has patched this week a critical security flaw in Android's Bluetooth component. If left unpatched, the vulnerability can be exploited without any user interaction and can even be used to create self-spreading Bluetooth worms. Researchers said that exploiting the bug requires no user interaction. All that is required is that the user has Bluetooth enabled on his device. However, while this requirement would have limited the attack surface in past years, it does not today since modern Android OS versions ship with Bluetooth enabled by default and many Android users use Bluetooth-based headphones meaning the Bluetooth service is likely to be enabled on many handsets. The bug can lead to remote code execution and the hijacking of a device. Fixes for the bug are available via the Android February 2020 Security Bulletin, which has been available for download starting this week. Android 9 and earlier are impacted.
Software

NASA Safety Panel Calls For Reviews After Second Starliner Software Problem (spacenews.com) 83

A second software problem during a CST-100 Starliner test flight is prompting a NASA safety panel to recommend a review of Boeing's software verification processes. Space News reports: That new software problem, not previously discussed by NASA or Boeing, was discussed during a Feb. 6 meeting of NASA's Aerospace Safety Advisory Panel that examined the December uncrewed test flight of Starliner that was cut short by a timer error. That anomaly was discovered during ground testing while the spacecraft was in orbit, panel member Paul Hill said. "While this anomaly was corrected in flight, if it had gone uncorrected, it would have led to erroneous thruster firings and uncontrolled motion during [service module] separation for deorbit, with the potential for a catastrophic spacecraft failure," he said.

The exact cause of the failure remains under investigation by Boeing and NASA, who are also still examining the timer failure previously reported. Those problems, Hill said, suggested broader issues with how Boeing develops and tests the software used by the spacecraft. "The panel has a larger concern with the rigor of Boeing's verification processes," he said. The panel called for reviews of Boeing's flight software integration and testing processes. "Further, with confidence at risk for a spacecraft that is intended to carry humans in space, the panel recommends an even broader Boeing assessment of, and corrective actions in, Boeing's [systems engineering and integration] processes and verification testing." The panel added that all those investigations and reviews be completed as "required input for a formal NASA review to determine flight readiness for either another uncrewed flight test or proceeding directly to a crewed test flight."

Security

Serious Flaw That Lurked In Sudo For 9 Years Hands Over Root Privileges (arstechnica.com) 96

An anonymous reader quotes a report from Ars Technica: Sudo, a utility found in dozens of Unix-like operating systems, has received a patch for a potentially serious bug that allows unprivileged users to easily obtain unfettered root privileges on vulnerable systems. The vulnerability, tracked as CVE-2019-18634, is the result of a stack-based buffer-overflow bug found in versions 1.7.1 through 1.8.25p1. It can be triggered only when either an administrator or a downstream OS, such as Linux Mint and Elementary OS, has enabled an option known as pwfeedback. With pwfeedback turned on, the vulnerability can be exploited even by users who aren't listed in sudoers, a file that contains rules that users must follow when using the sudo command.

"Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled," an advisory published by sudo developers said. "The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password." The advisory lists two flaws that lead to the vulnerability. The first: pwfeedback isn't ignored as it should be when reading from something other than a terminal. As a result, the saved version of a line erase character remains at its initialized value of 0. The second contributor is that the code that erases the line of asterisks doesn't properly reset the buffer position if there is an error writing data. Instead, the code resets only the remaining buffer length. As a result, input can write past the end of the buffers. Systems with a unidirectional pipe allow an attempt to write to the read end of the pipe to result in a write error. Because the remaining buffer length isn't reset correctly when write errors result from line erasures, the stack buffer can be overflowed.
The report notes the vulnerability was introduced in 2009 and remained active until 2018, with the release of 1.8.26b1. "Systems or software using a vulnerable version should move to version 1.8.31 as soon as practical," reports Ars. "Those who can't update right away can prevent exploits by making sure pwfeedback is disabled."
Chrome

Google Cuts Chrome 'Patch Gap' in Half, From 33 Days To 15 (zdnet.com) 10

Google security engineers said last week they have successfully cut down the "patch gap" in Google Chrome from 33 days to only 15 days. From a report: The term "patch gap" refers to the time it takes from when a security bug is fixed in an open source library to when the same fix lands in software that uses that particular library. In today's software landscape where many apps rely on open source components, the "patch gap" is considered a major security risk. The reason is because when a security bug is fixed in an open source library, details about that bug become public, primarily due to the public nature and openness of most open source projects. Hackers can then use details about these security flaws to craft exploits and launch attacks against software that relies on the vulnerable component, before the software maker has a chance to release a patch. If the software maker is on a fixed release schedule, with updates coming out every few weeks or months, the patch gap can provide hackers with an attack window that most software projects can't deal with.
Google

Google May Have Shared Your Videos With Strangers (betanews.com) 17

If you used Google Takeout to download an archive of your Google Photos content, there's a chance that someone else may have ended up with your videos. From a report: The company has admitted that for a few days in November last year, "some videos in Google Photos were exported to unrelated users' archives." This means that not only could your videos have ended up on a stranger's computer, but also that you may have received random videos belonging to someone else. Google is not making much of the "technical issue" which it says has now been resolved. But the company apologizes for the "inconvenience" that may have been caused for people downloading their Google Photos archive between November 21 and 25, 2019.
Bug

OpenBSD Mail Server Bug Allowed Remotely Executing Shell Commands As Root (zdnet.com) 39

This week a remotely-exploitable vulnerability (granting root privileges) was discovered in OpenSMTPD (OpenBSD's implementation of server-side SMTP).

ZDNet notes that the library's "portable" version "has also been incorporated into other OSes, such as FreeBSD, NetBSD, and some Linux distros, such as Debian, Fedora, Alpine Linux, and more." To exploit this issue, an attacker must craft and send malformed SMTP messages to a vulnerable server... OpenSMTPD developers have confirmed the vulnerability and released a patch earlier Wednesday -- OpenSMTPD version 6.6.2p1...

The good news is that the bug was introduced in the OpenSMTPD code in May 2018 and that many distros may still use older library versions, not affected by this issue. For example, only in-dev Debian releases are affected by this issue, but not Debian stable branches, which ship with older OpenSMTPD versions.

Technical details and proof of concept exploit code are available in the Qualys CVE-2020-7247 security advisory.

Hackaday has a more detailed description of the vulnerability, while the Register looks at the buggy C code.

Interestingly, Qualys researchers exploited this vulnerability using a technique from the Morris Worm of 1988.
Social Networks

Social Media Boosting Service Exposed Thousands of Instagram Passwords (techcrunch.com) 11

An anonymous reader quotes a report from TechCrunch: A social media boosting startup, which bills itself as a service to increase a user's Instagram followers, has exposed thousands of Instagram account passwords. The company, Social Captain, says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started. But TechCrunch learned this week Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform.

Making matters worse, a website bug allowed anyone access to any Social Captain user's profile without having to log in -- simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account -- and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information with relative ease.
The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

"The spreadsheet contained about 4,700 complete sets of Instagram usernames and passwords," the report says. "The rest of the records contained just the user's name and their email address."
Security

Google Has Paid Security Researchers Over $21 Million for Bug Bounties, $6.5 Million in 2019 Alone (venturebeat.com) 18

An anonymous reader shares a report: Google has paid out over $21 million since launching its bug bounty program in November 2010. In the past year alone, the company distributed $6.5 million to 461 different security researchers, almost double the previous record set in 2018: $3.4 million to 317 different security researchers. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.
Privacy

LabCorp Security Lapse Exposed Thousands of Medical Documents (techcrunch.com) 15

A security flaw in LabCorp's website exposed thousands of medical documents, like test results containing sensitive health data. From a report: It's the second incident in the past year after LabCorp said in June that 7.7 million patients had been affected by a credit card data breach of a third-party payments processor. The breach also hit several other laboratory testing companies, including Quest Diagnostics. This latest security lapse was caused by a vulnerability on a part of LabCorp's website, understood to host the company's internal customer relationship management system. Although the system appeared to be protected with a password, the part of the website designed to pull patient files from the back-end system was left exposed. That unprotected web address was visible to search engines and was later cached by Google, making it accessible to anyone who knew where to look. The cached search result only returned one document -- a document containing a patient's health information. But changing and incrementing the document number in the web address made it possible to access other documents. The bug is now fixed.
Government

Maryland Bill Would Outlaw Ransomware, Keep Researchers From Reporting Bugs (arstechnica.com) 85

A proposed law introduced in Maryland's state senate last week would criminalize the possession of ransomware and other criminal activities with a computer. However, CEO of Luta Security Katie Moussouris warns that the current bill "would prohibit vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored." Ars Technica reports: The bill, Senate Bill 3, covers a lot of ground already covered by U.S. Federal law. But it classifies the mere possession of ransomware as a misdemeanor punishable by up to 10 years of imprisonment and a fine of up to $10,000. The bill also states (in all capital letters in the draft) that "THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES."

Additionally, the bill would outlaw unauthorized intentional access or attempts to access "all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed." It also would criminalize under Maryland law any act intended to "cause the malfunction or interrupt the operation of all or any part" of a network, the computers on it, or their software and data, or "possess, identify, or attempt to identify a valid access code; or publicize or distribute a valid access code to an unauthorized person." There are no research exclusions in the bill for these provisions.
"While access or attempted access would be a misdemeanor (punishable by a fine of $1,000, three years of imprisonment, or both), breaching databases would be a felony if damages were determined to be greater than $10,000 -- punishable by a sentence of up to 10 years, a fine of $10,000, or both," the report adds. "The punishments go up if systems belonging to the state government, electric and gas utilities, or public utilities are involved, with up to 10 years of imprisonment and a $25,000 fine if more than $50,000 in damage is done."
