Security Flaws In Carmaker's Web Portal Let a Hacker Remotely Unlock Cars
Three years ago security researcher Eaton Zveare discovered a vulnerability in Jacuzzi's SmartTub interface allowing access to the personal data of every hot tub owner.
Now Zveare says flaws in an unnamed carmaker's dealership portal "exposed the private information and vehicle data of its customers," reports TechCrunch, "and could have allowed hackers to remotely break into any of its customers' vehicles."
Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of a ["national"] admin account that granted "unfettered access" to the unnamed carmaker's centralized web portal. With this access, a malicious hacker could have viewed the personal and financial data of the carmaker's customers, tracked vehicles, and enrolled customers in features that allow owners — or the hackers — to control some of their cars' functions from anywhere.
Zveare said he doesn't plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands.
In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs put a spotlight on the security of these dealership systems, which grant their employees and associates broad access to customer and vehicle information... The flaws were problematic because the buggy code loaded in the user's browser when opening the portal's login page, allowing the user — in this case, Zveare — to modify the code to bypass the login security checks. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find it and report it to the carmaker.
When logged in, the account granted access to more than 1,000 of the carmaker's dealers across the United States, he told TechCrunch... With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which allows customers to remotely control some of their cars' functions from an app, such as unlocking their cars... "The takeaway is that only two simple API vulnerabilities blasted the doors open, and it's always related to authentication," said Zveare. "If you're going to get those wrong, then everything just falls down."
Zveare told TechCrunch the portals even included "telematics systems that allowed the real-time location tracking of rental or courtesy cars..."
"Zveare said the bugs took about a week to fix in February 2025 soon after his disclosure to the carmaker."
Thanks to long-time Slashdot reader schwit1 for sharing the article.
Russell Crowe breaks his 20-year silence on THAT phone-throwing incident in New York that saw him arrested for assault and led away in handcuffs
Russell Crowe has spoken of his 'regret' over a 2005 incident that saw him arrested for assault.
The Essex pub with 'UK's best barman' who makes the 'greatest cocktails in the world'
He learned how to make the greatest cocktails in the world
MSNBC host makes brazen jab at Karoline Leavitt's appearance during Putin summit
On Saturday night, MSNBC host Antonia Hylton made a swipe at Karoline Leavitt's appearance after she accompanied the president on the high-stakes summit.
'Nasty' Nick Bateman's life as a 'ghost' after changing his name and moving overseas - 25 years after Big Brother earned him the title of 'Britain's most hated man'
The city broker made a name for himself when he appeared on the inaugural series of Big Brother, with viewers watching on in shock as he attempted to manipulate nominations.
West End's Hunchback of Notre Dame in row over casting a non-disabled actor as Quasimodo - but others insist: 'Didn't it used to be called acting?'
Critics claimed that casting an actor without a physical impairment as the lead role of Quasimodo for the London West End show was an example of 'ableism'.
Is this Strictly's biggest scandal yet? As BBC 'call in police after launching external probe', how the beloved series has been rocked by claims of 'drug use' ahead of return
While the channel is storming ahead with plans for its new series, it has been hit by fresh scandal, with claims bosses have called in police to investigate a new allegation.
In Barcelona, Certain Buses Run On Biomethane Produced From Human Waste
From the French newspaper Le Monde:
Odorless, quiet, sustainable. On the last day of July, passengers boarded Barcelona's V3 bus line with no idea where its fuel came from. Written in large letters on the bus facade, just below its name "Nimbus," a sign clearly stated: "This bus runs on biomethane produced from eco-factory sludge." Still, the explanation was likely too vague for most to grasp its full meaning. The moist matter from wastewater treated at the Baix Llobregat treatment plant was used to produce the biomethane. In other words: the human waste of more than 1.5 million residents of the Catalan city.
Police chiefs say shops should have 'greeters' to put off shoplifters, but hit out at lack of jail time for repeat offenders
Lancashire Constabulary issued the advice to business owners amid a surge in thefts, with nearly three a minute reported in England and Wales.
Idiotic tourists crowd round Reggie the dancing bottlenose dolphin ignoring warnings to stay away for both their safety AND his after he was hit by propeller
Adults and young children were spotted surrounding the solitary male dolphin, who was officially named Reggie, despite serious calls to avoid the mammal for their own safety and his.
Terrifying 'zombie squirrels' with oozing flesh pods on their bodies invade US backyards
Homeowners in the US have been posting horrifying images of a virus spreading among squirrels. The animals may be catching it from a common garden object.
Notorious Kinahan drug cartel introduces McDonald's-style franchise system to flood the streets of Ireland with cocaine
The Irish drugs syndicate has muscled its way back to being the dominant force in the cocaine trade, becoming the main supplier to almost all major gangs across the country once again.
Mother-to-be thought her extreme morning sickness was down to her pregnancy - only to receive devastating cancer diagnosis
Sophia Yasin, from Middlesbrough, North Yorkshire, was delighted to discover that she was expecting a child shortly after buying a house with her husband, Lewis Osborne, 29, last year.
Richard Madeley lookalike competition baffles locals as VERY unexpected winner is announced (and the GMB host might not be too pleased!)
A Richard Madeley lookalike competition baffled Stockport locals this weekend - and the winner of the contest was very unexpected indeed.
Horror as girl, 11, dies after getting into difficulty in water at beauty spot
Emergency services were called to Wacker Quay on the River Lynher in Antony near Torpoint, Cornwall, at about 6pm yesterday following concerns for a person in the water.
Chelsea vs Crystal Palace - Premier League: Live score, team news and updates as Tottenham target Eberechi Eze has a goal controversially ruled out by VAR, while there's three first-half goals at Forest vs Brentford
Follow Mail Sport's live blog for the latest score, team news and updates from the two Sunday 2pm Premier League games of Chelsea vs Crystal Palace and Nottingham Forest vs Brentford.
F*** your second homes! Welsh village where English hating locals are revolting over 300 PER CENT council tax hikes on Airbnbs
On the back of parking ticket machines and signs in Llanberis, Wales, are stickers bearing sinister messages for the tourists, clearly intended to send them packing.
Man who sold family home to HS2 for £1.2m discovers it was being used as cannabis farm
Alan Wilkinson, 85, bought Ravenswood in Staffordshire during the late 1970s and settled there with his wife Gillian but moved out when HS2 planned to build a tunnel under his hillside village.
Mystery of ancient DNA marker rewrites story of how humans first reached the Americas
New research has thrown light on one of the world's greatest genetic oddities - a DNA marker which shows up in Europe and America, but nowhere else.
Brits warned against sharing towels and razors after spike in MRSA superbug infections outside of hospitals
Brits have been urged to avoid sharing certain household items amid an increase in cases of MRSA being contracted in the community.