Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

WhatsApp to Roll Out Username Feature, No Mobile Number Required

WhatsApp will launch a new feature where users can opt for usernames and connect with others without putting mobile numbers. The feature is ...

All the recent news you need to know
Zero-Day Exploit
Argument Injection Credential Theft Cyber Threats Git Repository Security Gogs Vulnerability Open Source Security Remote Code Execution Supply Chain Attack Zero-Day Exploit

Gogs Zero-Day Vulnerability Raises Alarm Over Server Security


 

Researchers have discovered a zero-day vulnerability in Gogs, the widely used self-hosted Git repository management platform, that may allow authenticated users to escalate their privileges on vulnerable servers by leveraging this vulnerability to execute remote code. 

In addition to affecting current Gogs releases, this vulnerability is classified as a critical argument injection weakness that poses a particular risk to distributed software development and collaboration deployments that are Internet-accessible. As a result of security analysis, the attack can be carried out without administrative privileges and, under default configurations, the attacker may only need a standard user account to compromise the underlying host. 

The finding highlights the fact that seemingly routine source code management operations can become high-impact attack vectors when exploitable flaws intersect with permissive default settings and exposed development infrastructure, which has not been officially patched at the time of disclosure. Due to the close alignment between the attack path and Gogs' default deployment behaviour, the exposure becomes especially significant. 

A Rapid7 researcher stated that open registration of users and the creation of unrestricted repositories enable an external actor to establish the necessary conditions for exploitation without requiring privileged access or assistance from other users. An application-wide flaw exists in the application's handling of repository merge operations. If the branch name is specially crafted, malicious arguments can be injected into the git rebase process during the "Rebase before merging" workflow by using a specially crafted branch name. 

By abusing Git's --exec parameter, an attacker can force arbitrary shell commands to run on the host system under the security context of the Gogs service account. As researchers noted, the consequences of the compromise extend far beyond a single repository compromise, allowing threat actors to access private repositories belonging to other users, extract sensitive credentials such as password hashes, API tokens, SSH keys, multi-factor authentication secrets, and move laterally across connected systems, as well as alter source code stored on the system. 

While Burgess indicates that Gogs has addressed several argument injection vulnerabilities in recent years, this newly discovered vulnerability stems from a different code path within the Merge() function, which was not addressed. Moreover, users with write permissions in repositories with rebase merging are also at risk of exploiting this vulnerability, while environments which restrict repository creation remain vulnerable if attackers can obtain write access to qualifying projects. 

While the flaw was reported to the maintainer in March 2026, it remains unpatched as of the date of publication, making deployments across Windows, Linux, and macOS vulnerable to exploitation. Approximately 1,100 Gogs instances are currently exposed to the internet, according to Rapid7, but the true number is likely to be substantially greater due to the prevalence of deployments that operate behind VPNs and internal enterprise networks.

Additionally, the disclosure has brought to the vendor's attention concerns relating to its response timeframe. In March 2026, Burgess reported the vulnerability to the Gogs maintainers and received an acknowledgement on March 28, but no security update has been released since then. Given the platform's existing exposure footprint, this delay is particularly noteworthy. 

Data from Shadowserver indicates that more than 2,400 publicly accessible Gogs instances are currently located in Asia and Europe, with the highest concentrations occurring in the region, while Shodan indexes over 1,000 internet-facing systems that exhibit identifiable Gogs signatures. An incident of this type is reminiscent of one that occurred with CVE-2025-8110, another remote code execution vulnerability that was exploited by hackers before patches were available. 

A vulnerability discovered by Wiz Research during an investigation into a compromised Gogs deployment ultimately led to the U.S. Government's Cybersecurity and Infrastructure Security Agency (CISA), which classified it as actively exploited and directed federal agencies to secure affected systems, resulting in a significant threat model. 

In addition, this new flaw undermines the trust boundaries underlying shared Git hosting environments, making it a similar serious threat model. It is common for businesses, universities, and development teams to deploy multi-user software environments, where a single, authenticated account can control the underlying server infrastructure without having to gain access to another user's repository. 

If code execution is achieved, an attacker will be able to access all repository files hosted on the instance, extract authentication credentials stored within the backend databases, enter adjacent network resources, and manipulate source code on the file system. 

Gogs service accounts usually maintain unrestricted read and write rights across repositories that are stored under the same repository root; therefore, malicious modifications can bypass platform-level audit mechanisms and are difficult to identify in environments where commit-signing enforcement does not exist. It was also noted that exploitation can be highly practical and automated using publicly available tools, enabling attacks to be carried out within seconds with minimal forensic evidence remaining. 

Gogs' implementation of the "Rebase before merging" feature has resulted in the issue, as it internally invokes the git rebase command to create a linear project history by replaying commits. With the --exec parameter, Git executes shell commands after each replayed commit, creating the exploitation primitive when malicious input is incorrectly handled. 

While the rebase merge functionality is disabled by default, the repository can enable the feature through the project owner's settings, and new repositories are automatically assigned ownership to their creators, ensuring that abuse does not occur. Despite deployments that restrict repository creation, vulnerable code paths can still be exploited to execute remote commands by users who have access to repositories that support rebase merging.

Newly disclosed vulnerabilities in development platforms such as Gogs serve as a timely reminder that these platforms can magnify the impact of a single security weakness across entire software ecosystems. Considering the lack of a patch and the requirement for limited user privileges to exploit Gogs in common deployment configurations, organisations relying on Gogs should carefully evaluate repository permissions, disable unnecessary registration and repository creation features, and closely monitor merging activity. 

In light of the continued reliance on software supply chains as a critical component of business operations, the security of source code infrastructure has become more than an issue of development it has become a fundamental security priority that requires continuous monitoring, prompt remediation, and proactive defence.
Read more »
US Troops
Ad Tracking Cyber Security National Security Threat Intelligence US Troops

Ad Tracking Puts US Troops at Risk on the Battlefield

 

The ad-tracking industry is facing fresh scrutiny after reports said commercial location data has been used to expose US soldiers in active war zones. US Central Command reportedly confirmed that it has received multiple threat reports about adversaries exploiting this data to target or surveil American personnel in theater. What began as a routine part of online advertising has now become a battlefield concern, showing how everyday mobile tracking can turn into a national security risk. 

At the center of the problem is a vast ecosystem of apps, brokers, and intermediaries that collect location signals from smartphones and other devices. This data is often sold through complex ad-tech pipelines, where device IDs, GPS points, and behavioral signals can be packaged and resold many times over. Even when users disable location settings, officials warn that geolocation may not be fully switched off on some commercial products, leaving sensitive traces behind. For military personnel, those traces can reveal patterns of life that make them easier to watch, map, or attack. 

The warning is especially serious because location data can help adversaries identify where troops congregate and infer operational routines. According to the reporting, such information could be used to support missile, drone, roadside bomb, or counterintelligence operations. That makes an ordinary privacy issue suddenly a security issue, since the same tracking systems used to deliver personalized ads can also expose people in conflict zones. 

Lawmakers have responded by pressing the Pentagon to strengthen protections on military devices and reduce exposure to tracking systems. Privacy advocates have long argued that the ad-tech sector creates a massive reserve of sensitive data that can be abused by both criminals and governments. Earlier incidents, including public mapping of military activity through fitness trackers, showed that location leaks are not theoretical. The new concern is that the same weaknesses may now be affecting troops in active combat areas at scale.

The broader lesson is simple: data collected for convenience can become dangerous when it falls into the wrong hands. For civilians, that means rethinking app permissions and privacy settings; for militaries, it means treating commercial tracking data as an operational threat. As the line between advertising technology and intelligence gathering keeps blurring, the ad industry may need far stricter rules on what it collects, sells, and shares.
Read more »
Malware attacks
7Zip Archive Critical Systems Security Critical Vulnerability Cyber Attacks Malicious Codes Malware attacks

Critical 7-Zip Vulnerability Exposes Millions of Systems to Potential Malware Attacks

 

A fresh disclosure highlights a security weakness in the popular 7-Zip tool, stirring unease within cyber defense circles due to its potential misuse for spreading harmful software. Though limited to outdated builds of this open compression program, the flaw might let hackers run unauthorized scripts when someone opens manipulated archive files. Because user interaction triggers the problem, deception becomes part of the attack path - simply opening a corrupted file may be enough. 

While patches exist for current releases, unpatched systems remain exposed through seemingly harmless data containers. Since many rely on legacy installations unknowingly, risk lingers across personal and business setups alike. Earlier this year, researchers uncovered a weakness labeled CVE-2026-48095, also tracked under GHSL-2026-140. This problem lies in how 7-Zip handles NTFS volume images. 

Instead of managing memory safely, it allows excess data to spill past set limits - a behavior known as heap-based buffer overflow. Because memory gets corrupted during file processing, attackers might exploit this to run unauthorized code. Experts warn such flaws carry high risk due to their potential for system takeover. Though details remain limited, the core danger stems from improper boundary checks during archive extraction. Opening an archive with a specially designed NTFS image file sets off the exploit, studies show. 

When handling such files, certain editions of 7-Zip fail to compute buffer sizes correctly - evidence points to flawed logic during parsing. As a consequence, allocated memory falls short, leading software to overwrite nearby regions by mistake. Such instability opens paths where malicious inputs might run unchecked or force sudden halts in operation. Back in April, someone alerted the 7-Zip developers about the issue without going public. After that report came through, the team put out version 26.01 - fixing the weakness and shutting down the danger it posed. 

Not long afterward, they shared an official notice with everyone; included was a working Python example showing exactly what attackers might do on outdated versions. One way this flaw plays out depends heavily on what kind of setup it's found in, along with how much computing power sits nearby. Sometimes attackers might run their own programs from afar; other times they simply knock apps offline or freeze them completely. 

Even when effects differ, moving to the newest 7-Zip build is seen as essential - no workarounds exist once a version falls inside the risk zone. What makes the situation more serious is how common 7-Zip has become. With hundreds of millions of downloads, it runs on many Windows and Linux machines. 

Because so much automation depends on its built-in tools, companies often embed its compression features into larger programs. One reason 7-Zip poses risk is how common it has become - flaws could reach millions. When updates lag, experts say, those gaps catch hackers’ attention. Old setups might open doors without warning, especially if archives appear safe at first glance.
Read more »
WhatsApp
AI Ecosystem Business Creators Facebook Instagram Meta Technology WhatsApp

Meta Rolls Out Paid Plans for Facebook, Instagram, and WhatsApp

 




Meta has announced a wide expansion of its subscription business, introducing new paid plans for Facebook, Instagram, and WhatsApp users while preparing additional premium offerings aimed at artificial intelligence users, content creators, and businesses.

The move reflects the company's broader effort to build new revenue streams beyond advertising and provide advanced tools for users willing to pay for additional functionality across Meta's ecosystem.

The newly launched consumer subscriptions are being rolled out globally under the names Instagram Plus, Facebook Plus, and WhatsApp Plus. The plans are priced at $3.99 per month for Instagram and Facebook, while WhatsApp Plus will cost $2.99 per month.

According to Meta, subscribers will gain access to features that are not available to regular users, including greater profile customization, enhanced engagement tools, audience insights, and personalization options. The company also indicated that additional capabilities are expected to be introduced over time as the service evolves.

Meta's Head of Product, Naomi Gleit, said the company intends to continue expanding the feature set available through these premium subscriptions.


New Features for Instagram Users

Among the three services, Instagram Plus introduces the largest collection of new tools.

Subscribers will be able to access expanded analytics for Stories, including data showing how often a Story has been replayed. The platform is also removing restrictions on custom Story audiences by allowing users to create multiple audience groups rather than relying solely on the existing Close Friends feature.

The subscription further provides options to increase content visibility. Users can spotlight one Story each week to reach a larger audience, extend the lifespan of Stories beyond the standard 24-hour period, and review Stories privately without appearing in viewer lists.

Additional management tools allow users to search through Story viewers more efficiently and publish content directly to profile highlights without distributing it through followers' feeds.

Instagram Plus also includes cosmetic and personalization features such as exclusive app icons, custom fonts for profile biographies, additional profile pins, and animated "Super Heart" reactions for Stories.

Many of these additions appear designed to help creators better understand audience behavior while giving active users more control over how their content is presented and shared.


Facebook Plus and WhatsApp Plus

Facebook Plus will offer many of the same social and personalization tools available through Instagram Plus.

WhatsApp Plus, however, focuses on messaging customization rather than content creation. Subscribers will gain access to interface themes, personalized notification sounds, premium sticker packs, expanded chat pinning capabilities, customized lists, and other features intended to make the messaging experience more flexible.


Separate From Meta Verified

Meta clarified that the new Plus subscriptions will operate independently from Meta Verified, the company's existing paid verification service.

Meta Verified currently focuses on identity verification, protection against impersonation attempts, and access to customer support benefits. The company has not announced plans to discontinue the service, meaning both subscription products will remain available simultaneously.


Meta One to Become Central Subscription Platform

Alongside the rollout of Plus subscriptions, Meta revealed plans for a broader subscription framework called Meta One.

The initiative will eventually bring together the company's growing collection of premium offerings under a single brand, covering consumer subscriptions, creator tools, business services, and artificial intelligence products.


AI-Focused Subscription Plans Enter Testing

Meta also plans to begin testing dedicated subscription plans for users of Meta AI.

The first tier, Meta One Plus, will be priced at $7.99 per month, while Meta One Premium will cost $19.99 monthly.

Both plans are expected to provide enhanced AI capabilities, but the Premium version will offer access to greater computing resources for more demanding requests. This includes support for deeper reasoning on complex tasks as well as increased image-generation and video-generation capacity across Meta's applications.

The company emphasized that Meta AI will continue to be available free of charge for casual users. The paid plans are intended primarily for those who require more advanced functionality or heavier usage limits.

Testing of the AI subscriptions is scheduled to begin next month in Singapore, Guatemala, and Bolivia. Meta also stated that future benefits may extend to users of its AI-powered smart glasses.


New Tools for Businesses and Creators

Separate subscription programs are also being developed for businesses and professional creators.

The first option, Meta One Essential, will cost $14.99 per month and includes account verification, protection against impersonation, and an expanded profile links page that allows users to direct audiences to websites and other online destinations.

A higher-tier offering called Meta One Advanced will be available for $49.99 per month.

Subscribers to this plan will receive all Essential benefits alongside additional growth and promotion tools. These include improved visibility within Facebook feeds, higher placement in Facebook and Instagram search results, enhanced "Follow" buttons on Reels, and automated invitations encouraging viewers to follow creator accounts.

The Advanced tier also introduces expanded analytics capabilities, including deeper audience insights and competitive performance data. Additional features include scheduling tools, account-sharing controls for moderators, and notifications when content is reused by others, enabling creators to request attribution for original material.


Future Strategy 

Initial testing of the creator and business subscriptions is expected to take place in Bangladesh, Thailand, Morocco, and Saudi Arabia.

While Meta described several of these offerings as experimental, the company's long-term objective appears clear: establishing a subscription ecosystem that extends beyond social networking and includes creator services, business growth tools, and advanced artificial intelligence capabilities.

The announcement signals Meta's expanding focus on paid digital services as competition intensifies across social media and AI markets. By introducing multiple subscription tiers aimed at different user groups, the company is positioning itself to generate recurring revenue while offering specialized tools to users seeking more advanced functionality than its free services provide.

Read more »
VPN
Canada Data Privacy signal surveillance technology VPN

Signal and Other Firms Oppose Canada's Proposed Surveillance Law

 




A developing number of technology companies are raising concerns over Canada's proposed lawful access legislation, arguing that some provisions could force them to choose between complying with government requirements and maintaining the privacy standards promised to users.

The debate centers on Bill C-22, a proposed law that would expand the government's ability to obtain digital information during investigations. The legislation would allow regulations requiring certain service providers to preserve specified metadata for up to one year and maintain technical capabilities that could assist law enforcement and intelligence agencies in accessing information when legally authorized.

Among the companies voicing opposition is Signal, the encrypted messaging platform known for its strong privacy protections. During a recent parliamentary committee hearing, Signal representatives warned that the bill, in its current form, could fundamentally alter how secure communication services operate. The company stated that if compliance ultimately required weakening user protections, it would consider leaving the Canadian market rather than changing its security model.

Several technology firms and privacy advocates have expressed concern that the legislation's language could create pressure to build or preserve technical access mechanisms within encrypted systems. Critics argue that any capability designed to bypass or weaken security protections could eventually become a target for cybercriminals or other malicious actors.

Legal experts have also questioned the broader implications of the proposal. Some argue that service providers have a responsibility to protect customer information and maintain secure systems, while the bill could require additional government involvement in digital infrastructure that may conflict with those obligations.

Under the proposed framework, certain telecommunications and communications providers would be required to maintain capabilities that support lawful access requests. The legislation would also allow the Public Safety Minister to issue orders requiring providers to develop specific technical capabilities, even if they do not fall within the category of designated core providers. Those orders would not be publicly disclosed, and approval would come through the Intelligence Commissioner rather than a traditional court warrant process.

Industry representatives have warned that compliance could involve significant operational costs. Companies may be required to redesign systems, expand data retention capabilities, and implement new technical controls. Some experts believe those costs could ultimately be passed on to consumers.

VPN providers have emerged as some of the bill's most vocal critics. NordVPN has publicly stated that it would not compromise its encryption or privacy protections and may reevaluate its Canadian presence if the legislation proceeds without substantial revisions. Windscribe, a Canadian-based VPN provider, has also indicated that it could relocate operations rather than modify core privacy features.

DuckDuckGo confirmed that its VPN service could be withdrawn from Canada if the bill becomes law in its current form. Meanwhile, executives at networking company Tailscale have warned that the legislation could affect international business decisions, investment flows, and where future infrastructure is deployed.

Many of the companies opposing the bill note that they do not routinely store logs containing user metadata such as IP addresses or location information. They argue that introducing mandatory retention requirements would require major changes to their existing privacy practices.

The concerns extend beyond smaller privacy-focused firms. Representatives from Apple and Google recently told lawmakers that the proposal could create uncertainty around encryption protections. Apple pointed to actions it previously took in the United Kingdom after government demands related to access to encrypted cloud data. Google similarly warned that the legislation could challenge longstanding commitments to end-to-end encryption.

Meta has also criticized the bill, arguing that some provisions could be interpreted in ways that require providers to weaken encryption or modify security architectures. The company further stated that the legislation lacks clear mechanisms for challenging problematic government orders, creating uncertainty about how the powers could be used in practice.

Canadian officials have defended the proposal as a necessary modernization of investigative authorities. Public Safety Minister Gary Anandasangaree recently indicated that amendments are being prepared to clarify that the legislation is not intended to undermine encryption. However, the government has signaled that it plans to retain the proposed one-year metadata retention requirement, arguing that investigators often need historical records to support complex criminal investigations.

Civil liberties organizations remain unconvinced. A recent analysis published by researchers at Citizen Lab and the Canadian Civil Liberties Association argued that the sections dealing with metadata retention and ministerial orders should be removed entirely. The report contends that the current framework grants broad government authority while providing limited judicial oversight and accountability mechanisms.

As lawmakers continue to reassess the legislation, the dispute highlights a growing challenge facing governments worldwide: balancing investigative powers and national security objectives with encryption, privacy protections, and the cybersecurity expectations of users and service providers.

Read more »
sensitive data
AI Agent AI Security claw Patrol Cyber Security Firewall sensitive data

Deno Releases Open-Source Firewall to Limit AI Agent Access to Sensitive Data

Deno has introduced an open-source security framework called Claw Patrol, a tool designed to help organizations control how AI agents interact with databases, business applications, cloud services, and other external systems.

The release comes as companies increasingly deploy AI agents to perform tasks that involve accessing internal resources, executing commands, and communicating with third-party services. While these capabilities can automate routine work, they also create security concerns if an AI system is manipulated, makes an incorrect decision, or gains access to information it should not handle.

According to Deno, Claw Patrol operates as an intermediary between an AI agent and the systems it needs to access. Instead of providing the agent with direct access to credentials such as API keys, authentication tokens, or database passwords, those secrets remain stored on a dedicated gateway server. When an authenticated request is required, the gateway supplies the credentials automatically, preventing the AI agent from viewing or storing them.

This approach is intended to reduce the risk of credential theft and prompt injection attacks, a technique where attackers attempt to manipulate AI models into revealing sensitive information or performing unauthorized actions. Even if an agent is tricked into executing a malicious instruction, the underlying credentials remain isolated from the model itself.

Beyond protecting credentials, Claw Patrol gives administrators the ability to define rules that determine exactly what actions an AI agent is allowed to perform. Organizations can block potentially dangerous database commands, restrict connections to unauthorized external services, or require additional approval before sensitive operations are executed.

For tasks that carry greater risk, the platform supports human review workflows. This allows certain requests to be paused until they are approved by an administrator, adding an additional layer of oversight before changes are made to critical systems.

Deno also states that the firewall can use large language model-based evaluation to assist with policy enforcement in situations where static rules may not be sufficient. This enables security controls to assess requests dynamically while still operating within predefined boundaries established by administrators.

To help organizations monitor AI activity, Claw Patrol includes tools that provide visibility into agent behavior. Administrators can review active sessions, inspect actions performed by agents, monitor resource consumption, and investigate unusual activity through a centralized monitoring interface. These capabilities are designed to support auditing and incident response efforts.

The platform is configured using HashiCorp Configuration Language (HCL), which allows administrators to define security policies, credentials, access permissions, and system endpoints. Deno says the framework supports multiple credential types and can be extended through custom plugins to meet specialized requirements.

Claw Patrol also incorporates role-based access controls, enabling organizations to assign permissions according to job responsibilities. This helps limit access to sensitive resources and reduces the likelihood of unauthorized activity within AI-powered workflows.

For secure communications, the platform can integrate with technologies such as WireGuard and Tailscale, allowing AI agents to connect to protected environments without exposing internal infrastructure directly to public networks. Deno has also included testing capabilities that allow administrators to evaluate policy changes against real-world actions before deploying them into production systems.

While the project introduces several security-focused capabilities, some challenges remain. Organizations unfamiliar with firewall administration or HCL-based configuration may face a learning curve during deployment. The current version also relies heavily on configuration files, and some users may prefer a graphical interface for managing rules and credentials. Additionally, certain networking features may require further refinement as the project matures.

Despite these limitations, the release reflects a growing focus on AI security as autonomous systems gain broader access to enterprise environments. By separating credentials from AI agents, restricting actions through policy controls, and providing continuous monitoring, Claw Patrol aims to give organizations greater control over how AI systems interact with critical business resources.

The project has been released as open-source software, allowing developers and security teams to inspect its code, modify its capabilities, and adapt it to their own operational requirements.

Read more »
Subscribe to: Posts (Atom)

Featured