Chaining together five low security bugs has allowed Russian security researcher Egor Homakov to steal user sessions and increase the scope of OAuth tokens from GitHub, giving Homakov the ability to access and delete private GitHub repositories and Gists.
Detailing the process of linking the five bugs together in a blog post, Homakov called his exploit the "perfect crime".
A feature in the Twitter API (application programming interface) can be abused by attackers to launch credible social engineering attacks that would give them a high chance of hijacking user accounts, a mobile application developer revealed Wednesday at the Hack in the Box security conference in Amsterdam.
‘Tis the season to be hacked, I guess. Twitter joined a bunch of other companies in revealing that it was the target of a sophisticated attack that may have exposed the information for about 250,000 users. While the data that was allegedly exposed, including encrypted/salted versions of passwords, was not as bad as in some other attacks recently, Twitter did take some proactive measures in resetting passwords (and letting the users know that they need to set a new one) and revoking session tokens.
