#Signalapp doesn't actually delete messages when they're deleted (either manually or by automation). The message deletion is written to the Write-ahead Log, and the data is only truly deleted once Signal is restarted or a threshold of 1000 pages is reached. For the macOS Signal application, an extra complication arises from the fact that the Signal message database can be backed up before the database consolidation occurs. A large amount of the supposedly already deleted messages could be recovered from the device or backups.
This concerns use cases where deleted messages actually getting removed in a timely manner is of high importance and recovery of the deleted messages could lead to grave consequences.
TL;DR: If you don't care about deleted messages being actually deleted you don't need to worry.
Full advisory at: https://sintonen.fi/advisories/signal-deleted-but-not-forgotten.txt
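The retention behaviour described in the post above can be reproduced with a plain SQLite database in WAL mode. This is an added example, not part of the original post or the advisory: Python's sqlite3 module stands in for the application's message store, and the table name, marker string and file names are constructed.

```python
import os
import sqlite3
import tempfile

# Constructed marker standing in for a message body.
MARKER = b"constructed-message-body-7f3a91"


def _contains(path, needle):
    """Return True if the file exists and holds the raw bytes."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return needle in fh.read()


def wal_retention_demo():
    """Insert and delete one row, then inspect the -wal file around a checkpoint."""
    with tempfile.TemporaryDirectory() as workdir:
        db = os.path.join(workdir, "demo.sqlite")
        wal = db + "-wal"
        # Autocommit mode, so every statement is its own committed transaction.
        con = sqlite3.connect(db, isolation_level=None)
        try:
            mode = con.execute("PRAGMA journal_mode=WAL").fetchall()[0][0]
            # Zero freed cells, so any surviving copy can only be an old WAL frame.
            con.execute("PRAGMA secure_delete=ON").fetchall()
            con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
            con.execute("INSERT INTO messages (id, body) VALUES (1, ?)",
                        (MARKER.decode(),))
            con.execute("DELETE FROM messages WHERE id = 1")
            rows = con.execute("SELECT COUNT(*) FROM messages").fetchall()[0][0]
            result = {
                "journal_mode": mode,
                "rows_after_delete": rows,
                # The frame written by the INSERT is still in the log.
                "in_wal_after_delete": _contains(wal, MARKER),
            }
            # Consolidate the log into the main file and truncate it to zero bytes.
            con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
            result["in_wal_after_checkpoint"] = _contains(wal, MARKER)
            result["in_db_after_checkpoint"] = _contains(db, MARKER)
        finally:
            con.close()
    return result


if __name__ == "__main__":
    for key, value in wal_retention_demo().items():
        print(f"{key}: {value}")
```

A backup that copies the `-wal` file between the delete and the checkpoint captures the old frame along with it.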
SpaceX IPO Filing Reveals Anthropic Is Paying $15 Billion a Year to Access Its Data Centers
https://web.brid.gy/r/https://www.wired.com/story/spacex-ipo-anthropic-compute-finances-risks/
Full Disclosure: A Third (and Fourth) Azure Sign-In Log Bypass Found
https://trustedsec.com/blog/full-disclosure-a-third-and-fourth-azure-sign-in-log-bypass-found
#HackerNews #FullDisclosure #Azure #SignIn #LogBypass #CyberSecurity #Vulnerability #TechNews
DHS Ousts CBP Privacy Officers Who Questioned ‘Illegal’ Orders
https://fed.brid.gy/r/https://www.wired.com/story/cbp-privacy-threshold-analysis-foia/
Plethora of critical #Linksys MX4200 Wi-Fi router vulnerabilities (that were originally reported to Linksys nearly a year ago!) are still unfixed:
- [SYSS-2025-001] Linksys MX9600/MX4200 - Path Traversal https://seclists.org/fulldisclosure/2026/Feb/10
- [SYSS-2025-002] Linksys MX9600/MX4200 - Missing Authentication for Critical Function https://seclists.org/fulldisclosure/2026/Feb/11
- [SYSS-2025-009] Linksys MX9600/MX4200 - SQL Injection https://seclists.org/fulldisclosure/2026/Feb/12
- [SYSS-2025-010] Linksys MX9600/MX4200 - OS Command Injection https://seclists.org/fulldisclosure/2026/Feb/13
- [SYSS-2025-011] Linksys MX9600/MX4200 - OS Command Injection https://seclists.org/fulldisclosure/2026/Feb/18
- [SYSS-2025-014] Linksys MX4200 - Improper Verification of Source of a Communication Channel https://seclists.org/fulldisclosure/2026/Feb/19
On first read it might appear that many of these vulnerabilities would only be exploitable by accessing the device's non-WAN interface(s) from inside the local network. However, due to the SYSS-2025-014 vulnerability the normally "LAN only RCE" vulnerabilities (SYSS-2025-010 and -011) and SQL injection (SYSS-2025-009) can be performed from the WAN interface (read: the internet). The attacker merely needs to make the connection originate from port 5222 (which is trivial to arrange via local bind before connect).
Update: Users of Linksys MX4200 should upgrade to firmware version 2.0.7.216620 or later. While not all of the security issues are fixed, it at least should stop the attacks via the WAN interface (SYSS-2025-014). https://support.linksys.com/kb/article/952-en/
#linksys #fulldisclosure #vulnerability #infosec #cybersecurity
Full disclosure in computer security still exists and is complementary to other disclosure models. The evolution of vulnerability disclosure is not linear from full disclosure to responsible disclosure to coordinated disclosure. These models coexist and all need to be taken into account.
You can’t just say “the legal framework will solve it” or “just do coordinated disclosure.” Vendors, researchers, and users are not all rational actors playing the same game.
Vulnerability disclosure is more complex than that, and if you actually want to address the issue, you can’t just say “it doesn’t exist.”
#cve #gcve #vulnerabilitymanagement #cybersecurity #fulldisclosure #vulnerability
I have no idea, zero (0), how they got a high severity CVSS out of missing response headers. I mean, are they important? Sure! Don't you put that on reports, Bill? You bet! 8.3 severity? I'd be laughed out of the readout call.