home.social

#vulns — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #vulns, aggregated by home.social.

  1. @kdkorte well more cve last year and on pace this year for record exploits is metric i am using, related #vulns

    Short answer:
    CVE volume has grown very steeply, especially since ~2016. Annual counts are now multiple times higher than a decade ago, and growth is still accelerating.

    🧮 Rough Year-by-Year Scale (Recent Verified Data Points)

    (Some earlier years vary by source, but the trend direction is consistent.)

    Year Approx CVEs Published Notes
    ~2015–2016 ~6k–8k Baseline before major surge era
    2020 ~18k Beginning of modern “explosion” phase
    2022 ~25k Strong upward acceleration
    2023 ~28.8k Continued record highs
    2024 ~40k Huge YoY jump (~38%)
    2025 ~48k ~21% YoY increase
    2026 (forecast) ~59k+ Potentially far higher

  2. Maybe I'll go apply to #TikTok, and secure the american app and fix it. TikTok's current #algorithm is #insidious, I think designed to create #division and #radicalize people. Soon TikTok will tell me its #secrets, but I have to work on some #vulns system for a few weeks. Designing some brains for other important non-hobby smtask lol

    My initial #scans for #TikTok are #worrying and I was concerned after my initial scans. My #AI systems were flagging everything. The #content never scored high like other #socialmedia platforms. The content is worrying not just from #radical left or right. There is something non-biased about how it tries to #radicalize. Like it is learning based off #heuristics, like time spent hovering over a #videotile. This triggers an #alert, where you didn't interact but it detected the most likely #video. Then provided more #content. It also gives a heavy weight to #interactions. Which then changes the #algorithm and how it provides #content. None of this is really bad, it is trying to be helpfulful. What I find concerning is the videos it provides. Like a stream of #bothsides #content. Trying to figure you out and provide more content. There isn't even #educational poop on TikTok. So most of the content is #madness Lol

  3. Maybe I'll go apply to #TikTok, and secure the american app and fix it. TikTok's current #algorithm is #insidious, I think designed to create #division and #radicalize people. Soon TikTok will tell me its #secrets, but I have to work on some #vulns system for a few weeks. Designing some brains for other important non-hobby smtask lol

    My initial #scans for #TikTok are #worrying and I was concerned after my initial scans. My #AI systems were flagging everything. The #content never scored high like other #socialmedia platforms. The content is worrying not just from #radical left or right. There is something non-biased about how it tries to #radicalize. Like it is learning based off #heuristics, like time spent hovering over a #videotile. This triggers an #alert, where you didn't interact but it detected the most likely #video. Then provided more #content. It also gives a heavy weight to #interactions. Which then changes the #algorithm and how it provides #content. None of this is really bad, it is trying to be helpfulful. What I find concerning is the videos it provides. Like a stream of #bothsides #content. Trying to figure you out and provide more content. There isn't even #educational poop on TikTok. So most of the content is #madness Lol

  4. Maybe I'll go apply to #TikTok, and secure the american app and fix it. TikTok's current #algorithm is #insidious, I think designed to create #division and #radicalize people. Soon TikTok will tell me its #secrets, but I have to work on some #vulns system for a few weeks. Designing some brains for other important non-hobby smtask lol

    My initial #scans for #TikTok are #worrying and I was concerned after my initial scans. My #AI systems were flagging everything. The #content never scored high like other #socialmedia platforms. The content is worrying not just from #radical left or right. There is something non-biased about how it tries to #radicalize. Like it is learning based off #heuristics, like time spent hovering over a #videotile. This triggers an #alert, where you didn't interact but it detected the most likely #video. Then provided more #content. It also gives a heavy weight to #interactions. Which then changes the #algorithm and how it provides #content. None of this is really bad, it is trying to be helpfulful. What I find concerning is the videos it provides. Like a stream of #bothsides #content. Trying to figure you out and provide more content. There isn't even #educational poop on TikTok. So most of the content is #madness Lol

  5. Maybe I'll go apply to #TikTok, and secure the american app and fix it. TikTok's current #algorithm is #insidious, I think designed to create #division and #radicalize people. Soon TikTok will tell me its #secrets, but I have to work on some #vulns system for a few weeks. Designing some brains for other important non-hobby smtask lol

    My initial #scans for #TikTok are #worrying and I was concerned after my initial scans. My #AI systems were flagging everything. The #content never scored high like other #socialmedia platforms. The content is worrying not just from #radical left or right. There is something non-biased about how it tries to #radicalize. Like it is learning based off #heuristics, like time spent hovering over a #videotile. This triggers an #alert, where you didn't interact but it detected the most likely #video. Then provided more #content. It also gives a heavy weight to #interactions. Which then changes the #algorithm and how it provides #content. None of this is really bad, it is trying to be helpfulful. What I find concerning is the videos it provides. Like a stream of #bothsides #content. Trying to figure you out and provide more content. There isn't even #educational poop on TikTok. So most of the content is #madness Lol

  6. Maybe I'll go apply to #TikTok, and secure the american app and fix it. TikTok's current #algorithm is #insidious, I think designed to create #division and #radicalize people. Soon TikTok will tell me its #secrets, but I have to work on some #vulns system for a few weeks. Designing some brains for other important non-hobby smtask lol

    My initial #scans for #TikTok are #worrying and I was concerned after my initial scans. My #AI systems were flagging everything. The #content never scored high like other #socialmedia platforms. The content is worrying not just from #radical left or right. There is something non-biased about how it tries to #radicalize. Like it is learning based off #heuristics, like time spent hovering over a #videotile. This triggers an #alert, where you didn't interact but it detected the most likely #video. Then provided more #content. It also gives a heavy weight to #interactions. Which then changes the #algorithm and how it provides #content. None of this is really bad, it is trying to be helpfulful. What I find concerning is the videos it provides. Like a stream of #bothsides #content. Trying to figure you out and provide more content. There isn't even #educational poop on TikTok. So most of the content is #madness Lol

  7. My keynote from CypherCon 7 is now online: 25 Years of Years of Vulnerability. Thanks again to Michael Goetzman and the whole @CypherCon crew for a warm welcome and an amazing event!

    youtube.com/watch?v=qcyIyLrQGL

    #infosec #conference #vulns

  8. I wrote a blog about ongoing exploitation of CVE-2023-22527, an Atlassian Confluence vulnerability from January of this year. What the attacker's up to, what their payload does, etc. (TL;DR: it's crypto.. it seems like it's always crypto these days)

    labs.greynoise.io/grimoire/202

    #vulns #vulnerabilities #atlassian #confluence #poc #greynoise

  9. The second vulnerability impacting #OSDP our researchers discovered: downgrade attack potential.

    As Dan Petro writes, "Just because an OSDP controller and reader support encryption doesn’t mean that they both enforce that it actually be used. One of the first things that happens when a reader comes online is that it transmits a list of capabilities to the controller. This tells the controller all sorts of things, such as whether it has a fingerprint reader, tactile buttons, and (importantly) whether it supports encryption. For chicken-and-egg reasons, this message cannot itself be encrypted. Thus, an intercepting device in the wire can modify this capability message to lie about the reader’s capabilities and claim that it does not support #encryption."

    Check out the breakdown of the other #vulns in the write-up. bfx.social/3OFWOsT

  10. Question for the #infosec #vulns folks: is there a name / CWE / etc. for code that fails to return/abort after an error condition?

    Like, attacker sends bad input X. The server catches it, returns a 400 bad request (or whatever), but still parses the data instead of stopping? I've seen it several times but I don't know what to call it.

  11. This is what your #software should never ever under any circumstances do:

    1. Overflow a buffer
    2. Allow XSS
    3. Allow SQL injection
    4. Allocate, then free memory, without erasing its content
    5. Allow command injection

    cwe.mitre.org/top25/archive/20

    #cybersecurity #security #vulns

  12. @briankrebs Even if such breach and bug notices are only given because they're mandated, I have to say, I like seeing them better than I liked the world where nobody cops to the vuln.

    Consider how the imminent European Cyber Resilience Act is going to hit cases like this, and up the stakes. (TL;DR: like a ton of bricks.) #vulns #CRA

  13. via: @campuscodi

    QiAnXin published a report on the recent attacks of #OceanLotus (#APT32) that targeted Chinese organizations throughout 2021.

    The group allegedly used 3 zero-day #vulns:

    +1 in an unnamed antivirus product
    +2 in an unnamed workstation management system. More here (in Chinese): mp.weixin.qq.com/s/pd6fUs5TLdB | #infosec #espionage #malware

  14. via: @campuscodi

    QiAnXin published a report on the recent attacks of #OceanLotus (#APT32) that targeted Chinese organizations throughout 2021.

    The group allegedly used 3 zero-day #vulns:

    +1 in an unnamed antivirus product
    +2 in an unnamed workstation management system. More here (in Chinese): mp.weixin.qq.com/s/pd6fUs5TLdB | #infosec #espionage #malware

  15. via: @campuscodi

    QiAnXin published a report on the recent attacks of #OceanLotus (#APT32) that targeted Chinese organizations throughout 2021.

    The group allegedly used 3 zero-day #vulns:

    +1 in an unnamed antivirus product
    +2 in an unnamed workstation management system. More here (in Chinese): mp.weixin.qq.com/s/pd6fUs5TLdB | #infosec #espionage #malware

  16. Yeah, I see this, and the #ZeroTrust world is gonna have an issue. How many devices are going to be missed?
    Also since it seems to affect version 3.0 and higher, how many people are going to start spouting anti-patch and anti-update sentiment?
    #infosec #vulns #vulnspotlight

  17. I've lost track, am I still supposed to be disabling #hyperthreading if I care about #infosec and the #vulns? I don't want to find myself on the wrong end of the #lulz.

  18. the main utility of a repo i used #nodejs in: being notified about security alerts 😂
    #vulns #js

  19. "The root cause of the Spectre and Meltdown vulnerabilities was that processor architects were trying to build not just fast processors, but fast processors that expose the same abstract machine as a PDP-11. This is essential because it allows C programmers to continue in the belief that their language is close to the underlying hardware." #security #malware #vulns #compsci queue.acm.org/detail.cfm?id=32