Smashing Security podcast #438: When your mouse turns snitch, and hackers grow a conscience - Your computer's mouse might not be as innocent as it looks - and one ransomware crew has ... https://grahamcluley.com/smashing-security-podcast-438/ #smashingsecurity #vulnerability #surveillance #ransomware #databreach #dataloss #malware #podcast #privacy #mouse

The AI Fix #71: Hacked robots and power-hungry AI - In episode 71 of The AI Fix, a giant robot spider goes backpacking for a year before star... https://grahamcluley.com/the-ai-fix-71/ #artificialintelligence #securitythreats #vulnerability #theaifix #podcast #ai

Hackaday Links: October 5, 2025 - What the Flock? It’s probably just some quirk of The Almighty Algorithm, but ever ... - https://hackaday.com/2025/10/05/hackaday-links-october-5-2025/ #licenseplatereader #hackadaycolumns #hackadaylinks #humandistress #vulnerability #self-driving #restoration #humanoid #robotaxi #exploit #gunshot #unitree #slider #botnet #datsun #scream #alexa #flock #waymo #240z #wifi #ble #ai

Smashing Security podcast #437: Salesforce’s trusted domain of doom - Researchers uncovered a security flaw in Salesforce’s shiny new Agentforce. The vulnerabi... https://grahamcluley.com/smashing-security-podcast-437/ #smashingsecurity #vulnerability #databreach #salesforce #dataloss #podcast #ai

Your favourite phone apps might be leaking your company’s secrets - Most of the apps on your phone is talking to a server somewhere - sending and receiving d... https://www.fortra.com/blog/favourite-phone-apps-might-leaking-companys-secrets #vulnerability #encryption #guestblog #dataloss #android #mobile #ios

Unitree Humanoid Robot Exploit Looks Like a Bad One - Unitree have a number of robotic offerings, and are one of the first manufacturers... - https://hackaday.com/2025/09/30/unitree-humanoid-robot-exploit-looks-like-a-bad-one/ #vulnerability #robotshacks #unitree #worm #ble

Maybe some of you are not aware about the @enisa_eu Known Exploited Vulnerabilities Catalog. In any case, it is now available via Vulnerability-Lookup:

https://vulnerability.circl.lu

and with the API:
https://vulnerability.circl.lu/api

Since #Microsoft does not care, and the grace period is over, here is the Hardened Runtime bypass they introduced through .NET MAUI on #macOS. All applications built with it are vulnerable. The #vulnerability has existed probably since 2019.

https://afine.com/breaking-hardened-runtime-the-0-day-microsoft-delivered-to-macos/

Smashing Security podcast #434: Whopper Hackers, and AI Whoppers - Ever wondered what would happen if Burger King left the keys to the kingdom lying around ... https://grahamcluley.com/smashing-security-podcast-434/ #smashingsecurity #vulnerability #burgerking #databreach #lawℴ #dataloss #podcast #privacy #xai #ai

My new article is out, this time it’s about internet-connected cameras, mostly being marketed as spy cameras. While the cameras themselves are very different, the common factor is the LookCam app used to manage them.

There is already a considerable body of research on these and similar P2P cameras, so it shouldn’t be a surprise that their security is nothing short of horrible. Still, how the developers managed to make all the wrong choices here on every level (firmware, communication protocol, cloud functionality) is quite something.

https://palant.info/2025/09/08/a-look-at-a-p2p-camera-lookcam-app/

#ArgoCD: Max severity Argo CD API #vulnerability CVE-2025-55190 leaks repository credentials:
#DevOps
#DevSecOps
#SoftwareSupplyChainSecurity

https://www.bleepingcomputer.com/news/security/max-severity-argo-cd-api-flaw-leaks-repository-credentials/

Just collabed with @BobTheShoplifter on a MASSIVE SECURITY BREACH: We exposed how Restaurant Brands International (Burger King, Tim Hortons, Popeyes) left their drive-thru systems etc completely vulnerable.

What we found:
• Unauthenticated API access to ALL drive-thru locations globally
• Drive-thru voice recordings of customers accessible
• Employee PII exposed.
• Bathroom feedback systems with zero auth
• Hardcoded passwords in client-side code

The scope was insane - we could access any drive-thru system globally. Even listen to your actual drive-thru orders

Credit to RBI for lightning-fast response once disclosed, but the privacy implications were staggering.

Full technical breakdown: https://bobdahacker.com/blog/rbi-hacked-drive-thrus

#Django: Patches released to fix CVE-2025-57833 SQL injection #SQLi
#vulnerability :

https://cybersecuritynews.com/django-sql-injection-vulnerability/

Interesting #vulnerability research writeup (that was published a few months ago)

Compromising #OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection

https://flatt.tech/research/posts/compromising-openwrt-supply-chain-sha256-collision/#fnref:2

#WhatsApp patches zero-click #vulnerability CVE-2025-55177 in iOS and macOS WhatsApp apps exploited in sophisticated attacks:

https://www.bleepingcomputer.com/news/security/whatsapp-patches-vulnerability-exploited-in-zero-day-attacks/

Hacked China's Biggest Robotics Company (Pudu Robotics)

Pudu makes those cat-faced BellaBot robot waiters you see in restaurants, plus cleaning robots, disinfection bots, and even FlashBots with mechanical arms for offices.

Found critical vulnerabilities in their app controlling their entire global fleet:

• Zero authentication on APIs
• Could control any robot worldwide
• Accept 20k store IDs in single request, no rate limiting
• Could steal food, documents, redirect hospital medicine delivery
• FlashBot with arms could grab files & use elevators

Reported Aug 12. Sent emails to sales, support, tech teams - all ignored.

Had to email Skylark Holdings (7000+ restaurants) and Zensho directly about their compromised robots.

Pudu responded in 48hrs with obvious ChatGPT template - forgot to replace "[Your Email Address]" placeholder. Fixed 2 days later.

Thousands of robots (BellaBots, KettyBots, FlashBots, etc) in hospitals, restaurants, offices worldwide were vulnerable for a long time.

Full Technical Writeup: https://bobdahacker.com/blog/hacked-biggest-chinese-robot-company

#Citrix: Urgent fixes released to address a Critical Remote Code Execution (#RCE) #vulnerability CVE-2025-7775 which is being actively exploited in attacks along with two other high severity flaws. Patch now!
#zeroday

https://www.bleepingcomputer.com/news/security/citrix-fixes-critical-netscaler-rce-flaw-exploited-in-zero-day-attacks/

Hacked Monster Energy

They think their customers are "lower income Caucasian males (skews Hispanic)" and left their ENTIRE file system exposed.

https://bobdahacker.com/blog/monster-energy

#Docker: If you are using Docker for Desktop you need to update it TODAY to v4.44.3. Critical CVE-2025-9074 #vulnerability in previous versions allows malicious containers to access host system:

https://www.heise.de/en/news/Docker-Desktop-Critical-vulnerability-allows-host-access-10560707.html

Smashing Security podcast #431: How to mine millions without paying the bill - In episode 431 of the "Smashing Security" podcast, a self-proclaimed crypto-influencer ca... https://grahamcluley.com/smashing-security-podcast-431/ #smashingsecurity #cryptocurrency #vulnerability #cryptomining #lawℴ #microsoft #malware #podcast #amazon #cloud