A flaw in popular messenger apps WhatsApp and Telegram , which could allow hackers to gain access to hundreds of millions of accounts using the very encryption software designed to keep them out , has been discovered Vulnerability-related.DiscoverVulnerability by cyber security firm Check Point . The Israeli multinational said it was concerned about vulnerabilities in the messaging apps , following WikiLeaks ’ ‘ Vault 7 ’ release of more than 8,500 CIA documents . “ One of the most concerning revelations arising from the recent WikiLeaks publication is the possibility that government organizations can compromise WhatsApp , Telegram and other end-to-end encrypted chat applications , ” the company said in a blog post . These online versions mirror all messages sent and received by a user ’ s mobile device , which deploys end-to-end encryption so that only those sending and receiving messages can view the content . Hackers could gain access to a user ’ s account , however , by booby-trapping a digital image with malicious code which would be activated once the image is viewed . The code could then spread like a virus by sending infected messages to a user 's contacts . “ This means that attackers could potentially download your photos and or post them online , send messages on your behalf , demand ransom Attack.Ransom , and even take over your friends ’ accounts , ” they added . Check Point said Vulnerability-related.DiscoverVulnerability it alerted Vulnerability-related.DiscoverVulnerability both companies to the problem last week and waited for the issues to be resolved Vulnerability-related.PatchVulnerability before making it public . Both companies have said they ’ ve since patched the problem . “ Thankfully , WhatsApp and Telegram responded quickly Vulnerability-related.DiscoverVulnerability and responsibly to deploy the mitigation against exploitation of this issue in all web clients , ” Check Point Head of Product Vulnerability Oded Vanunu said . The company has advised , however , that WhatsApp and Telegram web users should restart their browser to ensure they ’ re using the latest versions of the service

Updated An independent researcher claims to have uncovered Vulnerability-related.DiscoverVulnerability a security flaw in Microsoft Edge . The issue enables any website to identify someone by their username from another website , according to Ariel Zelivansky . More specifically the bod alleges Vulnerability-related.DiscoverVulnerability that Edge exposes the URL of any JavaScript Fetch response , in contradiction to the specification . This is a problem because it 's possible to identify netizens by crafting a fetch request in a webpage that will redirect to a URL containing the visitor 's username ( e.g . requesting https : //facebook.com/me will pull in https : //facebook.com/username ) . Zelivansky alerted Vulnerability-related.DiscoverVulnerability Microsoft but the software giant said Vulnerability-related.DiscoverVulnerability the issue was not a security problem . El Reg also prodded Redmond only to be told the tech giant had nothing to add beyond its response to Zelivansky . The researcher went public Vulnerability-related.DiscoverVulnerability with his findings and tipped off The Reg earlier this month after Redmond decided the issue didn't merit Vulnerability-related.PatchVulnerability a security fix . The privacy shortcoming has spawned a discussion thread on Reddit . ® Despite Microsoft 's silence , it turns out the Windows giant has decided to assign an engineer to look into the matter – but it is still not being treated as a security vulnerability .

While working on something completely unrelated , Google security researcher , Tavis Ormandy , recently discovered Vulnerability-related.DiscoverVulnerability that Cloudflare was leaking Attack.Databreach a wide range of sensitive information , which could have included everything from cookies and tokens , to credentials . Cloudflare moved quickly to fix Vulnerability-related.PatchVulnerability things , but their postmortem downplays the risk to customers , Ormandy said . The problem on Cloudflare 's side , which impacted Vulnerability-related.DiscoverVulnerability big brands like Uber , Fitbit , 1Password , and OKCupid , was a memory leak . The flaw resulted in the exposure of `` HTTP cookies , authentication tokens , HTTP POST bodies , and other sensitive data , '' Cloudflare said . About an hour after being alerted Vulnerability-related.DiscoverVulnerability by Ormandy , Cloudflare disabled three features on its platform ; email obfuscation , Server-side Excludes and Automatic HTTPS Rewrites , as they were using the broken HTML parser chain determined to be the cause of the problem .

A security lapse at content distribution network provider Cloudflare that resulted in customer data being leaked Attack.Databreach publicly for several months was bad - but had the potential to be much worse . That 's Cloudflare 's initial postmortem conclusion after a twelve-day review of log data related to the breach Attack.Databreach . The review showed no evidence that attackers had exploited Vulnerability-related.DiscoverVulnerability the flaw prior to it being discovered Vulnerability-related.DiscoverVulnerability and patched Vulnerability-related.PatchVulnerability , Cloudflare CEO and founder Matthew Prince said in a blog Wednesday . A `` vast majority '' of Cloudflare 's customers also did not appear to have had any of their data leaked Attack.Databreach . Cloudflare ’ s inspection of tens of thousands of pages that were leaked Attack.Databreach from its reverse-proxy servers and cached by search engines revealed a `` large number '' of instances of internal Cloudflare cookies and headers . But so far , according to Prince , there ’ s no evidence that passwords , credit card numbers , and other personal data were compromised as was initially feared . The Cloudflare security snafu stemmed from the manner in which a stream parser application that the company uses to modify content passing through its edge servers handled HTTP requests . The bug caused the parser to read memory not only from the HTML page that was being actually parsed , but also from adjacent memory that contained data in response to HTTP requests made by other customers . The flaw was triggered only when pages with certain specific attributes were requested through Cloudflare ’ s CDN . `` If you had accessed one of the pages that triggered the bug you would have seen what likely looked like random text at the end of the page , '' Prince said . A lot of the leaked data ended up getting cached by search engines and Web scrapers . A security researcher from Google ’ s Project Zero threat hunting team alerted Vulnerability-related.DiscoverVulnerability Cloudfare to the bug last month . The company claimed it fixed Vulnerability-related.PatchVulnerability the problem in a matter of hours after being notified Vulnerability-related.DiscoverVulnerability of the problem . Some have compared the breach to Heartbleed and have even called it Cloudbleed . In his blog , Prince compared the threat posed by the bug to that posed by a stranger eavesdropping on a random conversation between two employees . Most of the time , the stranger would likely hear nothing of value , but occasionally might pick up Attack.Databreach something confidential . The same would have been true for a malicious attacker , who had somehow known about Vulnerability-related.DiscoverVulnerability the bug and exploited Vulnerability-related.DiscoverVulnerability it before Cloudflare ’ s fix Vulnerability-related.PatchVulnerability , he said . The customers most at risk of having their data exposed Attack.Databreach were those that sent the most requests through Cloudflare ’ s CDN . Cloudflare ’ s detailed postmortem and mea culpa evoked a mixed response from security experts . Ilia Kolochenko , CEO of Web security firm High-Tech Bridge praised Prince ’ s effort to be transparent about what went down . `` Even if we can not verify the accuracy of all the numbers inside – for the moment , I don ’ t have a valid reason to question either its content , or conclusion , '' Kolochenko says . In fact , until someone can come up with a credible rebuttal of Cloudflare ’ s internal investigation , it ’ s inappropriate to compare what happened at the company to Heartbleed . `` I ’ d say it ’ s inappropriate even to call this particular incident a 'Cloudbleed , ' '' he says . `` In the Heartbleed case , almost every company in the world , many software vendors including cybersecurity companies , were seriously impacted by the vulnerability . '' Heartbleed also resulted in multiple breaches Attack.Databreach and many organizations continue to be exposed Attack.Databreach to the threat . Neither of those situations applies to the Cloudflare security lapse . `` All avenues of Cloudflare ’ s vulnerability exploitation seems to be mitigated Vulnerability-related.PatchVulnerability by now , '' he says . But Kunal Anand , CTO of application security vendor Prevoty , says the details Cloudflare has shared are n't exactly reassuring . If no sensitive information like credit numbers and Social Security Numbers were leaked Attack.Databreach and the leaked dataset itself was relatively small , there is no reason why Cloudflare should n't share it with a third-party for an unbiased review , he says . `` CloudFlare needs to realize that HTTP headers , including cookies , contain sensitive information like session identifiers , authorization tokens and IP addresses , '' Anand says . `` All of these data points should count as private data . '' CloudFlare has been working with various search engines to purge their caches , but in the process , any evidence of the data that was leaked Attack.Databreach is being deleted as well . That makes it hard to quantify the scope of the data breach Attack.Databreach outside of CloudFlare 's own logs . `` There 's a lot of speculation if nation-state sponsored engines will actually purge the data or copy it for further analysis , '' Anand says .