A Chrome update may have shipped with a bug that damages the file system on macOS machines with System Integrity Protection (SIP) disabled, including machines that do not support SIP at all.
We recently performed security tests on the Gogs (Go Git Service) application and found multiple security problems, among them a private-repository information disclosure in its API interface.
Affected versions are 0.11.53 (current) and older.
Tests were performed against Gogs version 0.11.53.0603.
The vendor was contacted on June 26th 2018 regarding the API private information disclosure vulnerability.
Gogs is available for download at: https://gogs.io/
We recently started a new PHP library implementing the Bitcoin BIPs; an early version was released yesterday on GitHub. While most web integrations of Bitcoin wallets are already done and present all over GitHub, we intend to simply implement the ongoing improvements. The BIPs (Bitcoin Improvement Papers) are technical proposals made by users to improve various aspects of the Bitcoin technology.
A team at MIT has described a possible attack on IOTA, one of the top cryptocurrencies available; IOTA has a market capitalization of over 1 billion USD. The weakness was fixed in August 2017, but we find it interesting to note how it could have affected IOTA.
The problem came from the signature algorithm used, not from the hash algorithm used in the blockchain. Every transaction is signed by the block owner in order to publicly record that transaction. For some reason, IOTA initially used the Curl hash algorithm to sign its transactions. That hash algorithm had known collisions, and the MIT team provided an extensive paper on how to exploit them.
The transition to the new signature algorithm is described here:
IOTA issued comments on the MIT paper here:
From inside the Linux sandbox described in the Tor 7.0 release notes, it is still possible to talk to the X server without any restrictions. This means that a compromised browser can, for example, use the XTEST X protocol extension to fake arbitrary keyboard and mouse events directed at arbitrary windows. This permits a sandbox breakout by injecting keypresses into a background window.