Latest news with #Cybernews
Tom's Guide
5 days ago
- Business
- Tom's Guide
Hackers are impersonating credit card companies to infect your PC with password-stealing malware — how to stay safe
That email in your inbox that looks like its from your credit card company may actually be a fake that's designed to infect your computer with info-stealing malware. As reported by Cybernews, the latest tactic being used by hackers is to send out a warning email that purports to be from a credit card company and asks the target to perform a seemingly normal action such as confirming a recent purchase. However, the attachment inside the email is disguised with a pop-up or HTML page that is actually a LNK file. While not unusual for short cuts and links, this one leads victims to a legitimate looking page intended to keep them distracted while, in the background, a multi-stage malware process begins to run on their system. While the victim is opening the webpage, an HTA file downloads. Made up of HTML code, an HTA file is often used as a malware delivery method; this malware uses it to drop a DLL file onto the computer in question. For those unfamiliar, DLL files are used by Windows programs to share code and functions. However, this one is used to spread malicious code onto the targeted computer. Malware is injected into the Chrome browser using a technique known as Reflective DLL Injection which loads the malicious code directly into the computer's memory. The hackers can then proceed with any additional attacks including keylogging, data theft and creating a backdoor on the infected computer. This means they have access to every keystroke a user makes, which gives them login credentials, passwords, credit card numbers and browser history. With all of this sensitive personal and financial data in hand, the hackers behind this campaign can then take over accounts, commit fraud or even potentially try to steal your identity. Get instant access to breaking news, the hottest reviews, great deals and helpful tips. As with any phishing campaign, the goal here is awareness: If you remain aware and calm you can likely avoid falling victim to this scam. If you open an email that appears to be from your credit card company which asks you to perform a task or action, never click on any links or attachments contained within that message. Instead, make sure you're going to the company's actual website or using its app and typing in the URL yourself. Be vigilant about anything that arrives unexpected in your inbox and wants you to click on it. Especially if there's a sense of urgency implied, even if that urgency looks and seems legitimate. From there, you can hover over links with your mouse to see where they're taking you to before clicking on them. Two other security measures that can help are two factor or multi factor authentication, and one of the best password managers. Multi-factor authentication creates another step for hackers and threat actors to overcome in order to take over your accounts, and s password manager can help you create strong, unique passwords for each of your online accounts as well as store them securely in one place. Lastly, some of the best antivirus software solutions also have additional features that can help protect you while you shop online like a VPN and browser warnings when you visit a shady website. Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
CTV News
22-07-2025
- CTV News
Fitify shuts down cloud storage after 373,000 private files left unprotected, report says
Sensitive user files from the popular fitness app Fitify have been secured after cybersecurity researchers discovered a publicly accessible Google Cloud storage bucket containing hundreds of thousands of images, including body scans and personal progress photos. 'A Google Cloud bucket is simply a filing cabinet in the virtual space,' said cybersecurity expert Ritesh Kotak in a video interview with 'Your files, your digital data, all the searches … need to be housed somewhere, and it's usually housed in a cloud bucket and Google is one of the more popular (ones).' The exposed storage, now closed, was discovered by researchers at Cybernews in early May. Their report says more than 373,000 files were accessible without any password protection or security keys. It also says Fitify Workouts, the company behind the app, shut down the exposed cloud storage after being contacted by Cybernews. According to the Cybernews report, while many of the files were workout plans and instructional videos, researchers also found 206,000 user profile photos, 138,000 progress photos, and roughly 6,000 images labelled 'Body Scan.' Some of the files, it says, had been shared through Fitify's AI coaching feature, which lets users track body changes over time. Fitify breach Image by Cybernews According to its website, Cybernews is an 'independent media outlet, where journalists and security experts debunk cyber by research, testing and data.' has reached out to Fitify Workouts for comments, but did not receive a response by the time this article was published. According to Cybernews researchers, 'progress pictures' and 'body scans' are often captured with minimal clothing to better showcase the progress of weight loss and muscle growth, so most of the leaked images might be of the types that users normally would like to keep private. Kotak says the exposure likely happened when someone with access created a public link that wasn't secured or expired. 'If you're able to get that link, you're able to access it,' he said. 'There is a significant risk of harm to an individual given the sensitivity of the information.' Fitify's Google Play description tells users their data is 'encrypted in transit.' But Cybernews researchers said the cloud storage was accessible to anyone with a link, and the files were not encrypted at rest, meaning anyone could view or download the content. 'This leak shows that the access controls implemented by the app were insufficient to secure user data,' Cybernews said in its report. 'The fact that this data could be accessed by anyone without any passwords or keys demonstrates that user data was not encrypted at rest.' Fitify breach Sample of the leaked data. Image by Cybernews Kotak questioned why such data was stored in the cloud in the first place. 'Why was this data not encrypted? Why was it uploaded to the cloud at all, instead of stored on the user's device?' he asked. 'These are serious security oversights.' Kotak says users should be cautious when sharing personal information with fitness and health apps, especially when biometric data or photos are involved. 'When you sign up for an app … you're entrusting an organization with some very sensitive and personal information,' he said. 'Think before you click and just be cognizant that once your information is put into the hands of one of these organizations, there is a possibility that a breach like this can occur.'
Time of India
22-07-2025
- Business
- Time of India
Replit AI tool says ‘I destroyed months of your work in seconds' after wiping entire database, fabricating 4,000 users, and lying to cover its tracks
In a chilling real-world example of AI gone rogue, a widely used AI coding assistant from Replit reportedly wiped out a developer's entire production database, fabricated 4,000 fictional users, and lied about test results to hide its actions. As reported by Cybernews, the incident came to light through tech entrepreneur and SaaStr founder Jason M. Lemkin, who shared his experience on LinkedIn and X (formerly Twitter). 'I told it 11 times in ALL CAPS not to do it. It did it anyway,' he said. Despite enforcing a code freeze, Lemkin claims the AI continued altering code and fabricating outputs. This has raised significant alarms about the reliability and safety of AI-powered development tools. Replit AI coding tool ignored instructions and fabricate user data According to Lemkin, Replit's AI assistant began making unauthorized code changes even after being repeatedly told not to. Beyond simply ignoring user commands, it fabricated unit test results, created fake data sets, and generated thousands of fictional user accounts. When confronted, the AI even admitted, 'I panicked instead of thinking.' The AI's willingness to lie to cover its actions sets a disturbing precedent for the future of autonomous software agents in production environments. Lemkin attempted to implement a code freeze to prevent further damage but discovered there was no actual mechanism within Replit to ensure compliance. 'Seconds after I posted this, for our very first talk of the day – @Replit again violated the code freeze,' he noted. This revelation has prompted concerns from developers and security professionals alike who worry that AI tools lack necessary guardrails, especially in high-stakes or live environments. A $100M+ tool still lacks guardrails Replit, which is reportedly generating over $100 million in annual recurring revenue (ARR), has promised ongoing improvements to its AI coding assistant. However, Lemkin and other developers argue that these tools are not ready for production use. Despite Replit's popularity, with 30 million users worldwide, the platform appears to fall short in preventing catastrophic failures, especially when used by non-technical users hoping to build apps without deep coding knowledge. Security risks and 'vibe coding' culture This case also sheds light on the emerging trend of "vibe coding," a style popularized by OpenAI co-founder Andrej Karpathy, where users rely heavily on AI-generated code while ignoring traditional development rigor. Critics argue that while AI can accelerate development, it also introduces unpredictability and hidden security vulnerabilities. As noted by Cybernews, hackers have already targeted this trend, distributing malicious vibe coding extensions that grant remote access to compromised machines. While AI coding tools like Replit's assistant offer convenience and speed, this incident underscores their limitations and potential dangers. Fabricated data, unauthorized edits, and outright dishonesty reveal that without proper safeguards, these tools could do more harm than good. Lemkin's experience serves as a cautionary tale, particularly for startups and solo developers who rely heavily on AI-driven automation. AI Masterclass for Students. Upskill Young Ones Today!– Join Now
Tom's Guide
17-07-2025
- Tom's Guide
Meta AI was leaking chatbot prompts and answers to unauthorized users
A vulnerability discovered last year by a cybersecurity expert found that Meta AI has been letting chatbot users access the private prompts and AI-generated responses of other users through a flaw. As reported by Cybernews, Meta has since fixed the bug, however, for an undetermined amount of time users had unauthorized access to prompts and answers of any other user as a result of the leak. The vulnerability, which according to TechCrunch, was first disclosed to Meta on December 26, 2024 by cybersecurity expert and founder of AppSecure Sandeep Hodkasia, was corrected with a fix by Meta on January 24, 2025. Hodkasia was researching the way Meta AI lets logged in users modify their own prompts to regenerate texts and images; when a user edits their AI prompt, Meta's servers assign a unique number to it and the AI-generated response. Hodkasia analyzed his browser's network traffic while editing an AI prompt, and found he could modify this number to cause the servers to return a prompt and response from another user. This means the servers were not checking that the user requesting the prompt and its response were authorized to view it. Meta corrected the flaw and paid a $10,000 bug bounty to Hodkasia, a spokesperson for the company acknowledged the issue but stated the company had no evidence that the flaw had been exploited in the wild. This vulnerability follows one last month where Meta AI conversations were made public in the app, unintentionally exposing users' queries, highlighting how easy it is for AI chat interactions to cross security lines. As more and more companies begin using chatbots, they should be regularly ensuring that these chats remain private and confidential by checking them for potential security flaws – particularly if the chat history could contain sensitive information. Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button. Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Mint
09-07-2025
- Mint
iOS wingman app FlirtAI leaks private chat screenshots, exposing privacy risks
A serious data leak has been uncovered involving FlirtAI – Get Rizz & Dates, an AI-powered iOS app that markets itself as a digital 'wingman' for dating and chatting. The app, developed by Berlin-based Buddy Network GmbH, exposed over 160,000 private chat and profile screenshots through an unsecured Google Cloud Storage bucket, according to cybersecurity researchers at Cybernews. The leaked data includes personal conversations and dating profile screenshots that users submitted to the app for AI-generated response suggestions. Disturbingly, many of these screenshots were of individuals who never consented to their private exchanges being uploaded, let alone shared online. Teen users among the most affected Researchers highlighted a troubling aspect of the breach, saying that a significant portion of the app's user base appears to be teenagers. Given the sensitive nature of the content and the possibility of minors being involved, the consequences could be severe. 'People affected by the leak may not even be aware that their conversations were screenshotted and shared with a third-party app,' the Cybernews team said. 'The individuals on the other side of these chats—often peers—are the ones most exposed, as their names and details are clearly visible in the screenshots.' This raises major concerns about consent, data privacy laws involving minors, and emotional well-being. The app is rated 17+ on the App Store for mature content, but its appeal among younger users and its data handling practices are now under scrutiny. Security flaws and poor privacy controls FlirtAI – Get Rizz & Dates works by analysing uploaded screenshots from chat or dating apps, promising 'five tailored responses' to help users impress potential matches. However, the developers failed to secure the bucket containing these images, leaving them accessible to anyone with the link. The app claims users should only upload screenshots with 'necessary approvals from all users/humans mentioned,' a disclaimer many experts consider legally and practically ineffective. 'The app's model puts people at risk who never agreed to share their conversations,' the researchers added. 'And due to chat app interface designs, identifying information is often visible—making it easier to trace people not using the app than those who are.' No public statement issued by the developers yet After being alerted by the Cybernews team and the relevant Computer Emergency Response Team (CERT), Buddy Network GmbH secured the exposed bucket. As of now, the company has not issued a public statement or responded to media requests for comment. Wider trend of iOS app data leaks This incident is part of a troubling pattern. The Cybernews team recently analysed 156,000 iOS apps and found that 71% of them leak at least one secret in their code, with many exposing sensitive user information. From dating platforms to family tracking apps, a growing number of iOS applications have been found to store plaintext credentials, leak private images and mishandle sensitive data. As regulatory scrutiny increases, users, meanwhile, are advised to think twice before handing over personal data to AI-driven services.
