#security-vulnerability

#security-vulnerability

Pairing Bluetooth devices can be a pain, but Google Fast Pair makes it almost seamless. Unfortunately, it may also leave your headphones vulnerable to remote hacking. A team of security researchers from Belgium's KU Leuven University has revealed a vulnerability dubbed WhisperPair that allows an attacker to hijack Fast Pair-enabled devices to spy on the owner. Fast Pair is widely used, and your device may be vulnerable even if you've never used a Google product.

Turns out anyone with an internet connection, and not even a password, could access the feeds of a line of the Flock surveillance cameras that are currently all the rage with the SFPD and Oakland Police Department. Below we see pictured what is likely one of those Flock Safety automated license plate reader cameras, one of the 400 of these new security cameras in SF that are are taking three million surveillance photos every day.

I watched a man leave his house in the morning in New York," Jordan says in his video.

The bug meant it was possible for anyone to obtain the information about jurors who are selected for service. To log into these platforms, a juror is provided a unique numerical identifier assigned to them, which could be brute-forced since the number was sequentially incremental. The platform also did not have any mechanism to prevent anyone from flooding the login pages with a large number of guesses, a feature known as "rate-limiting."

Security researchers are shining the spotlight on a serious security vulnerability that could enable stalkers to track victims using their own Tile tags, as well as other unwanted violations of security and privacy. Research outlined by Wired shows that Tile's anti-theft mode, which makes its trackers "invisible" on the Tile network, counteracts measures to prevent stalking. Bad actors could also potentially intercept unencrypted information sent from the tags, like their unique IDs and MAC addresses,

While making test phone calls, TechCrunch's Zack Whittaker said he saw a list of his recent calls and how much money each call earned. That's the way the app is supposed to work. But using a network analysis tool, Whittaker uncovered details not available through the app, including a transcript of the call and a URL to the audio files, information anyone could view as long as they had the link.

"If you are an Entra ID admin," wrote Mollema, "that means complete access to your tenant."

Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, leading to the hijacking of any account on the platform. Given the nature of TheTruthSpy, it's likely that many of its customers are operating it without the consent of their targets, who are unaware that their phone data is being siphoned off to somebody else.

In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization's connected cloud environment without leaving easily detectable and auditable traces.

Microsoft has issued an urgent warning about a critical zero-day vulnerability in SharePoint Server, registered as CVE-2025-53770, allowing remote code execution.

"CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS."

The vulnerability, tracked as CVE-2025-3648 (CVSS score: 8.2), has been described as a case of data inference in Now Platform through conditional access control list (ACL) rules.

The vulnerability discovered in OpenPGP.js enables spoofing of both signed and encrypted messages, undermining the purpose of public key cryptography.

The sophisticated phishing scam uses Google’s own infrastructure to create deceptive emails and landing pages that appear legitimate, making attacks harder to identify.