Fake Android Apps Commit Carrier Billing Fraud for Premium Services
The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions.
JavaScript is a scripting language used in web pages and applications, where flaws in code or dependencies can enable attacks and data theft.
Search across headline titles and summaries.
Background for this topic.
JavaScript is a programming language used to add behavior to web pages and to build applications that run outside the browser, including server-side services and tooling. In browsers, scripts can read and modify a page’s content and interact with available web APIs, subject to the browser’s security boundaries.
Its main security risks include cross-site scripting (XSS), in which attacker-controlled input is executed as page code, and DOM-based flaws caused by unsafe handling of data in client-side code. Third-party scripts and package dependencies also expand the code supply chain and may expose user data or introduce vulnerable behavior. Practical controls include context-aware output encoding, avoiding unsafe DOM sinks, restrictive Content-Security-Policy rules, and reviewing, pinning, and monitoring dependencies for vulnerabilities.
Weekly headline count for the current query.
The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions.
The NPM package for Axios, a popular JavaScript HTTP client library, was briefly compromised this week, possibly by North Korean threat actors.
A maximum-severity vulnerability affecting the React JavaScript library is under attack by Chinese-nexus actors, further stressing the need to patch now.
The poisoned package, purporting to be a JavaScript utility, threatens the software supply chain with a highly obsfuscated credential stealer.
A stealthy JavaScript injection attack steals data from the checkout page of sites, either by creating a fake credit card form or extracting data directly from payment fields.
Injected malicious JavaScript code gives attackers administrator rights on websites, and fills sites with SEO spam.
An ongoing cyberattack campaign with apparent ties to China uses a new version of sophisticated JavaScript remote access Trojan JSOutProx and is now targeting banks in the Middle East.
The security vulnerability in a component of a widely used JavaScript implementation of Bitcoin makes passwords guessable via brute-force attacks.
This Tech Tip focuses on best security practices to write secure JavaScript code.
The free tool aims to help organizations meet the requirements of the new version of the payment standard, which takes effect in March 2024.
In the height of tax-return season, a popular tax prep software service leaves a malicious JavaScript file online for weeks.
Valve's unpatched JavaScript engine and incomplete modification vetting process for Steam-delivered mods led to user systems being backdoored.
Apple iOS in-app ads mainly targeted, injecting malicious JavaScript code to rack up phony views.
About three-quarters of Java and .NET applications have vulnerabilities from the OWASP Top 10 list, while only 55% of JavaScript codebases have such flaws, according to testing data.
New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties.
Web application firewalls from AWS, Cloudflare, F5, Imperva, and Palo Alto Networks are vulnerable to a database attack using the popular JavaScript Object Notation (JSON) format.
TA569 has modified the JavaScript of a legitimate content and advertising engine used by news affiliates, in order to spread the FakeUpdates initial access framework.
The campaign uses a combination of tactics and a common JavaScript obfuscation technique to fool both end users and email security scanners to steal credentials.
New language and framework support empowers developers to analyze front-end code for vulnerabilities throughout the development lifecycle.
New graph-based tool offers a better alternative to current approaches for finding vulnerabilities in JavaScript code, they note.