Researchers from Mysk reported that WhatsApp uses a shared container linked to Meta applications, identified as group.com.facebook.family. On Apple devices, app group containers allow applications from the same developer to share data and resources.

Because Facebook, Instagram, and WhatsApp belong to the same ecosystem, the shared architecture could introduce privacy and security concerns if exploited alongside operating system vulnerabilities.

Shared Containers Raise Privacy Concerns

The researchers found that WhatsApp chat databases stored inside these containers are not encrypted at rest. This means the data may remain readable if attackers gain access to the device or exploit weaknesses in the operating system.

According to the report, the following risks were identified:

• Chat histories may be stored in plaintext
• Other Meta-owned apps could theoretically access shared data
• Users receive no alerts when such access occurs
• The issue affects both macOS and iOS environments

Researchers also demonstrated that WhatsApp chat histories could be extracted from iPhone backups, where the same unencrypted storage structure was observed.

The findings highlight an important distinction in security design. While WhatsApp uses end-to-end encryption to protect messages during transmission, that protection does not automatically secure data stored locally on the device.

macOS Vulnerability Increases Exposure Risk

The risk becomes more serious when combined with a recently disclosed macOS vulnerability tracked as CVE-2026-28910. The flaw affected Apple’s Archive Utility tool and reportedly allowed attackers to bypass App Sandbox protections.

By abusing this vulnerability, attackers could potentially:

• Access protected application containers
• Extract sensitive information from apps
• Bypass Apple’s Transparency, Consent, and Control protections
• Access chat histories from applications like WhatsApp

Researchers presented a proof-of-concept demonstration showing how the vulnerability could be combined with WhatsApp’s storage behavior to retrieve chat data.

Security Debate Around the Findings

Not all experts agree on the severity of the issue. WABetaInfo stated that although the databases may not be encrypted locally, Apple’s sandboxing system still provides strong isolation between applications.

From this perspective, attackers would still require elevated system privileges or a separate operating system exploit to access the stored data.

However, researchers at Mysk argue that shared app group permissions between Meta applications reduce isolation boundaries and increase the potential attack surface.

The discussion highlights broader concerns about local data protection in modern mobile ecosystems, especially when multiple applications share common storage environments.

Recommendations for Users

Security experts recommend several steps to reduce potential exposure risks:

• Enable encrypted Finder or iTunes backups
• Keep macOS and iOS updated with the latest security patches
• Use strong device passcodes and device encryption
• Limit unnecessary applications from the same developer ecosystem
• Regularly review application permissions and backup settings

At the time of reporting, there were no confirmed cases of widespread exploitation linked to the findings. However, the research highlights the importance of protecting sensitive data not only during transmission but also while stored on devices.

The post WhatsApp Chat Data Found Stored Without Encryption appeared first on First Hackers News.

Apache OFBiz is a widely used open-source ERP platform used to manage enterprise business operations and workflows. Researchers from Aretiq AI discovered that attackers could abuse the platform’s password-change mechanism to gain unauthorized access and execute malicious code on vulnerable servers.

Authentication Bypass Through Password Reset Logic

The issue originates from the way Apache OFBiz handles forced password-change workflows. Normally, accounts marked with requirePasswordChange=Y should remain restricted until the password reset process is completed.

However, researchers found that the LoginWorker.checkLogin() method incorrectly treats the requirePasswordChange response as a successful login instead of an authentication failure.

The vulnerability becomes more dangerous because the requirePasswordChange value is read directly from user-controlled HTTP request parameters rather than securely validated against database records.

By abusing this behavior, attackers can:

• Inject password-change parameters into a crafted HTTP request
• Create an authenticated session without completing a proper login process

Researchers also warned that many OFBiz deployments still contain default demo accounts such as admin, flexadmin, and demoadmin, often configured with default credentials like ofbiz.

Remote Code Execution and Security Fixes

The authentication bypass can be chained with another vulnerability affecting ProgramExport.groovy. In vulnerable versions, the component allows execution of user-supplied Groovy code without proper sandboxing or permission checks.

This allows attackers to execute arbitrary system commands directly on the server. Researchers successfully demonstrated remote code execution on OFBiz 24.09.05 using a single crafted POST request targeting /webtools/control/ProgramExport.

Successful exploitation could allow attackers to:

• Execute malicious commands on the server
• Deploy malware or backdoors

Apache fixed the issue in version 24.09.06 by removing unsafe password-change handling, adding stricter permission checks, and introducing a secure Groovy sandbox to block dangerous command execution patterns.

Organizations are strongly advised to upgrade immediately, remove default demo accounts, change weak credentials, and restrict access to sensitive OFBiz administrative endpoints.

The post Apache OFBiz Vulnerability Enables Authentication Bypass appeared first on First Hackers News.

ExifTool is widely used to read and modify metadata in images, PDFs, and multimedia files. Because the tool is heavily integrated into media workflows, automation pipelines, and digital asset management systems, the vulnerability creates a significant security risk in environments that handle untrusted files.

The implications of the ExifTool vulnerability extend to various sectors, where data integrity and security are paramount.

How the Vulnerability Works

The issue is linked to improper sanitization of metadata fields related to file creation dates on macOS. Researchers found that attackers can embed malicious commands inside image metadata fields such as FileCreateDate or DateTimeOriginal.

When ExifTool processes the manipulated file under specific conditions, the hidden command can be executed through the system shell.

The vulnerability becomes exploitable when:

• ExifTool processes raw metadata values using the -n flag
• Malicious metadata is copied through the -tagsFromFile feature
• Unsafe input reaches a system() execution call without proper filtering

Researchers observed that ExifTool internally builds system commands using metadata values extracted directly from files. While most parameters are sanitized, one execution path allowed unfiltered user-controlled data to be passed into a shell command.

This creates a command injection scenario where attackers can run arbitrary commands with the privileges of the user processing the file.

Security Risks and Patch Information

The vulnerability is especially dangerous for organizations using automated image-processing workflows, newsroom environments, or media management platforms where files are processed automatically.

Because the malicious payload is hidden inside metadata, the image itself may appear legitimate and bypass traditional security checks.

If exploited successfully, attackers could:

• Execute malicious commands on macOS systems
• Deploy malware or backdoors
• Steal sensitive information
• Move laterally across internal networks

Researchers from Kaspersky identified the vulnerability, and ExifTool developers addressed the issue in version 13.50.

The patched release changes how system commands are executed by replacing unsafe string-based command construction with safer argument-based execution methods. This prevents shell interpretation and significantly reduces the risk of command injection.

Users and organizations are strongly advised to update to ExifTool 13.50 or later immediately. Security experts also recommend processing untrusted files inside isolated environments such as sandboxes or virtual machines to reduce exposure to malicious media files.

The incident highlights an ongoing cybersecurity challenge where even trusted file-processing tools can become attack vectors if user-controlled input is not handled securely.

The post ExifTool Flaw Allows Mac System Compromise appeared first on First Hackers News.

Researchers found that VoidStealer can extract encryption keys directly from browser memory, allowing attackers to steal active sessions and access accounts even on fully updated systems.

How VoidStealer Bypasses Chrome Protections

Google introduced App-Bound Encryption in Chrome 127 to strengthen protection around sensitive browser data such as cookies, passwords, and session tokens. The feature was designed to prevent malware running with normal user privileges from accessing Chrome’s encryption keys.

Unlike older protection methods based on DPAPI, ABE binds encryption keys directly to the Chrome application. A dedicated system process validates that only Chrome can request access to those keys.

However, VoidStealer avoids interacting with Chrome through official APIs. Instead, it targets the moment when Chrome decrypts sensitive data in memory.

Researchers observed that the malware:

• Attaches itself to the Chrome process as a debugger
• Monitors the browser’s decryption workflow
• Pauses execution when encryption keys are loaded into memory
• Extracts the decrypted keys directly from RAM

Because the attack focuses on runtime behavior rather than stored files, it bypasses many of the protections implemented by App-Bound Encryption.

Impact on Chromium Browsers and Security Risks

Once attackers obtain the decrypted session data, they can hijack active sessions without needing usernames or passwords. This allows threat actors to access accounts as if they were the legitimate user.

The malware affects multiple Chromium-based browsers, including:

• Google Chrome
• Microsoft Edge
• Brave
• Opera
• Vivaldi

Researchers also noted that VoidStealer is being distributed through a malware-as-a-service model, allowing cybercriminals to rent the malware and scale attacks more easily.

The discovery highlights an ongoing challenge in browser security. Even with stronger encryption mechanisms, attackers continue to focus on runtime memory access, where sensitive data must temporarily exist in decrypted form during legitimate browser operations.

To reduce exposure, security experts recommend avoiding untrusted software downloads, keeping browsers fully updated, using strong endpoint protection, and storing credentials in dedicated password managers instead of directly in browsers.

The post VoidStealer Steals Chrome Browser Data appeared first on First Hackers News.

Security researchers from Wordfence identified the flaw and warned that attackers could gain administrator-level access without needing valid login credentials.

Authentication Bypass Creates Major Risk

The vulnerability, tracked as CVE-2026-8181, affects Burst Statistics versions 3.4.0 through 3.4.1.1. It carries a critical CVSS score of 9.8 due to the ease of exploitation and the level of access it provides.

The issue is linked to improper authentication handling within the plugin’s MainWP integration. In certain cases, the plugin incorrectly accepts invalid authentication responses as successful, allowing attackers to bypass security checks.

By sending specially crafted requests to WordPress REST API endpoints, attackers can impersonate an administrator if they know a valid admin username. No password cracking or credential theft is required.

This significantly lowers the barrier for exploitation and increases the risk of automated internet-wide attacks targeting vulnerable websites.

Potential Website Takeover and Security Response

Once exploited, attackers could create new administrator accounts and gain persistent access to the website. From there, they may modify content, inject malicious code, redirect visitors, or deploy additional malware.

Because the attack only requires knowledge of an administrator username, exposed websites could become easy targets for mass scanning campaigns.

Researchers acted quickly after discovering the issue, and firewall protections were rapidly deployed for users of Wordfence security products. The plugin developer also responded quickly by releasing version 3.4.2, which properly validates authenticated WordPress user sessions before granting access.

Website owners using the Burst Statistics plugin are strongly advised to update immediately to the latest patched version to prevent unauthorized access and possible site compromise.

The post WordPress Plugin Bug Exposes Websites appeared first on First Hackers News.

The flaw was identified during internal security testing by MongoDB and primarily impacts core MongoDB Server deployments, particularly in self-managed environments.

Technical Overview of the Vulnerability

The vulnerability enables arbitrary code execution, a class of flaws that allows threat actors to run malicious instructions directly on the host system. This effectively bypasses standard security boundaries and can grant attackers control over the database server.

Given that MongoDB often stores centralized and high-value data, exploitation of this flaw could lead to unauthorized data access, credential exposure, and system-level compromise. Attackers may also leverage the compromised host to establish persistence or pivot laterally within the network.

The issue affects MongoDB versions 5.0 and later in self-hosted deployments, where patch management depends entirely on the organization’s update practices.

Impact and Mitigation

Managed cloud users of MongoDB Atlas are not impacted, as the vulnerability has already been addressed across the platform through centralized patch deployment.

However, self-hosted environments remain exposed until updates are applied. MongoDB has released patched versions, including updates in recent release cycles such as 7.0.31, 8.0.20, and 8.2.7, to mitigate this risk.

Although there is currently no evidence of active exploitation, the nature of arbitrary code execution vulnerabilities makes them highly attractive to attackers. Systems that remain unpatched could be quickly targeted once exploit techniques become publicly available.

Organizations should ensure their MongoDB deployments are updated to the latest secure versions and aligned with current security baselines. Maintaining timely patching and monitoring practices is essential to reduce the risk of compromise.

The post MongoDB Vulnerability Allows Arbitrary Code Execution appeared first on First Hackers News.

The vulnerabilities allow attackers with basic local access to increase their privileges and operate with administrative-level control. In real-world scenarios, this type of access is often used as a stepping stone for larger attacks, including lateral movement and data exfiltration.

Privilege Escalation Risks in Windows Environments

Two high-severity vulnerabilities, each rated with a CVSS score of 7.8, impact Zoom’s Windows-based components.

The first issue affects Zoom Rooms for Windows and is caused by an untrusted search path vulnerability within the installer. This means the application may load files from unintended locations, allowing attackers to inject malicious code during execution.

The second flaw targets the Zoom Workplace VDI Plugin. It stems from improper control over file names and paths in the installation process. By manipulating these paths, an attacker can execute arbitrary code and escalate privileges.

These vulnerabilities are particularly dangerous because they require minimal effort to exploit once initial access is obtained. Attackers can leverage them to:

• Disable or bypass endpoint security controls
• Access and extract sensitive enterprise data
• Maintain persistence within the environment
• Move laterally across systems inside the network
• Deploy additional payloads such as ransomware

Such privilege escalation flaws are highly valuable in targeted attacks, especially in corporate environments where Zoom is widely used.

iOS Vulnerability and Overall Impact

A separate vulnerability affects Zoom Workplace on iOS devices, though its severity is significantly lower. This issue involves a failure in a protection mechanism that could allow limited data exposure.

However, exploitation requires physical access to the device, which reduces the likelihood of large-scale attacks. Still, it highlights the importance of securing mobile endpoints alongside desktop systems.

The key concern across all these vulnerabilities is the potential for unauthorized access to sensitive data and system resources, particularly in organizations that rely heavily on collaboration tools.

To address these risks, Zoom Video Communications has released security patches for all affected components. Because these flaws are now publicly disclosed, unpatched systems may become targets for active exploitation.

Users and organizations should immediately update:

• Zoom Rooms for Windows to version 7.0.0 or later
• Zoom Workplace VDI Plugin to version 6.6.11 or newer
• Zoom Workplace for iOS to version 7.0.0 or above

Timely patching, combined with proper access controls and endpoint monitoring, is essential to prevent these vulnerabilities from being exploited in real-world attacks.

The post Zoom Vulnerability Allows Privilege Escalation Attacks appeared first on First Hackers News.

All three vulnerabilities carry a CVSS score of 7.5, indicating a high impact on data confidentiality. The issues can be exploited remotely with low complexity and do not require prior privileges or user interaction.

As AI assistants become tightly integrated into enterprise environments, these types of vulnerabilities increase the risk of unintended data exposure across emails, documents, and internal communications.

Technical Breakdown of the Vulnerabilities

The vulnerabilities originate from improper input and output handling within the AI processing pipeline. Attackers can exploit these weaknesses using prompt injection techniques, where specially crafted inputs manipulate the model’s behavior.

The identified vulnerabilities include:

• CVE-2026-26129 – Improper neutralization of special elements (CWE-138), allowing manipulation of how Copilot parses structured input
• CVE-2026-26164 – Injection vulnerability (CWE-74) affecting downstream components, potentially causing unintended data disclosure
• CVE-2026-33111 – Command injection flaw (CWE-77) in Copilot Chat within Microsoft Edge, enabling execution of unauthorized commands

These vulnerabilities primarily impact confidentiality, with no direct effect on system integrity or availability.

Enterprise Risk and Attack Impact

Because Microsoft 365 Copilot has deep access to enterprise data sources such as emails, Teams conversations, Word documents, and SharePoint files, exploitation could act as a silent data exfiltration channel.

By submitting carefully crafted prompts, an attacker could:

• Extract sensitive financial or operational data
• Access internal communications and documents
• Retrieve personally identifiable employee information

This type of attack leverages the AI model’s context awareness, making it difficult to detect through traditional security controls.

The vulnerabilities have been addressed by Microsoft at the service level. Since Copilot operates as a cloud-managed platform, security patches and input validation improvements were deployed centrally without requiring user action.

Organizations using Microsoft 365 Copilot and Copilot Chat in Edge are automatically protected, highlighting the advantage of centralized patch management in cloud-based AI services.

The post Microsoft 365 Copilot Bug Risks Data Exposure appeared first on First Hackers News.

After the release of DeepSeek v4 and growing online attention, the tool quickly became a target for attackers. They took advantage of its popularity to trick users into downloading malicious files.

Users must remain vigilant against these threats, particularly the risks associated with downloading files that may contain Fake DeepSeek malware.

Fake GitHub Repositories Spreading Malware

Attackers created fake GitHub repositories that look very similar to the real project. These pages appear legitimate, making it hard for users to notice the difference.

Users who download files from these fake repos end up installing malware. In this case, the malicious file was hidden inside a 7z archive on the Releases page, just like a normal software download.

Researchers from QiAnXin Threat Intelligence Center discovered that this attack is linked to a previous campaign known as OpenClaw. Both attacks use similar techniques and infrastructure, suggesting the same threat actor is behind them.

The attackers also used fake installer names related to other AI tools like Claude, Grok, WormGPT, and FraudGPT to spread the malware further.

Malware Behavior and Persistence Techniques

The main malware file, named DeepSeek-TUI_x64.exe, first checks if it is running in a secure or virtual environment. If it detects analysis tools, it stops execution to avoid being detected.

If the system looks like a real user machine, the malware continues its attack. It disables key Windows Defender protections, modifies firewall settings, and connects to external servers to download more malicious components.

These components help the attacker stay in the system. Some create scheduled tasks, others add registry entries for persistence, and some run silently in memory to avoid detection.

The malware uses multiple techniques to remain active, making it difficult to remove once installed. It can survive reboots and continue running without the user noticing.

Indicators of Compromise (IoCs):-

The post DeepSeek Repositories Scam Spreads Malware appeared first on First Hackers News.

Instead of relying on fake domains or compromised mail servers, attackers use Google AppSheet to send emails through Google’s own infrastructure. These messages are generated as part of automated workflows, meaning they pass authentication checks like SPF, DKIM, and DMARC without raising suspicion.

As a result, security tools and spam filters see them as trusted communications, allowing phishing messages to land directly in inboxes of targeted users—often business account owners managing Facebook pages.

Multi-Layered Attack Strategy

The campaign is not a single phishing page but a structured, multi-stage system designed to increase success rates. Victims are first directed to pages hosted on Netlify, where attackers replicate the Facebook Help Center with high accuracy. These pages are customized per victim using unique subdomains, making them difficult to block using traditional security measures.

From there, users are guided through a series of steps that collect not only login credentials but also deeper identity information such as date of birth and even government-issued ID images. In some cases, the attackers shift tactics by offering fake incentives, like verification badges, hosted on platforms such as Vercel. These pages are designed to look dynamic and legitimate, while quietly bypassing detection systems using techniques like hidden Unicode characters.

The operation becomes more advanced in later stages. Attackers host phishing documents on Google Drive, presenting them as official Meta notifications. These documents, often designed using Canva, contain embedded links that redirect victims into interactive phishing environments. These environments are powered by real-time communication frameworks, allowing attackers to actively engage with victims during the login process.

This live interaction is a critical aspect of the campaign. Instead of passively collecting credentials, attackers can request one-time passwords, monitor user actions, and even capture browser sessions as they happen. This significantly increases the likelihood of successful account takeover, even when multi-factor authentication is enabled.

Real-Time Data Exfiltration and Attribution

Once credentials are captured, they are immediately transmitted through a centralized system built around Telegram bots. This allows operators to monitor incoming data in real time and quickly take control of compromised accounts before victims notice suspicious activity.

Analysis of the infrastructure shows a strong operational scale, with thousands of records flowing into attacker-controlled channels. Most victims are concentrated in regions like the United States and Europe, indicating a focus on high-value targets such as businesses and influencers.

Investigators were also able to trace elements of the campaign back to Vietnamese actors. This attribution is supported by metadata found in phishing documents and developer comments embedded within the malicious code, providing insight into the origin of the operation.

A Shift Toward Industrialized Phishing

AccountDumpling reflects a broader shift in cybercrime, where phishing is no longer a simple tactic but part of a larger, industrialized ecosystem. Attackers are combining trusted services, automation, and real-time interaction to create highly effective campaigns that are difficult to detect and disrupt.

Compromised accounts are rarely the end goal. They are often reused for further scams, advertising fraud, or additional phishing attacks, creating a cycle that sustains and expands the operation. This approach shows how modern threat actors are leveraging legitimate platforms at scale, turning them into tools for widespread abuse while staying under the radar.

The post Facebook Phishing Campaign Targets Business Accounts appeared first on First Hackers News.