Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Weekly Digest #14

Weekly Digest #14

Share via:

The NSA Warns That Russia Is Attacking Remote Work Platforms

VMWare vulnerability has prompted a warning that companies and government agencies need to patch as soon as possible.

2020 was not an easy year, an unprecedented portion of the world’s office workers was forced to work from home as a result of the COVID-19 pandemic. This situation has created countless opportunities for hackers who are taking full advantage.

The National Security Agency said that Russian state-sponsored hacker groups had been actively attacking a vulnerability in enterprise remote-work platforms developed by VMware.

Organizations are struggling to adapt to remote work by offering employees secure remote access to corporate systems. But the change comes with different risks and has created new exposures versus traditional office networks.

Three million users installed 28 malicious Chrome or Edge extensions

More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code.

The 28 extensions contained code that could perform several malicious operations. What they do:

redirect user traffic to phishing sites
redirect user traffic to ads
collect browsing history
download further malware onto a user’s device
collect personal data

But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains.

Check if you have any of these extensions.

Most businesses are tracking customers yet don’t tell them

While most businesses claim to have well-defined consumer privacy policies that are strictly enforced, more than three out of five US and Canadian companies do not inform customers that they allow third-party service codes to be tracked on their websites.

Apple is cracking down on apps that track users without their permission. Still, new survey data shows this type of consumer data privacy abuse is also happening within the enterprise tech space.

The findings show how frequently unethical data collection tactics are used without consumer knowledge to capture information – especially in the B2B space.

It discovered that three in five (62%) of businesses do not inform customers about third-party ad trackers collecting their data.

Partial Gmail outage resolved: Users reported a variety of problems Tuesday

I think many have noticed this week’s problems in the work of services from Google. They fixed multiple problems with its services, but less than a day later, IT administrators and users started seeing another rash of Gmail problems.

Google confessed, “We’re aware of a problem with Gmail affecting a significant subset of users. The affected users are able to access Gmail but are seeing error messages, high latency, and/or other unexpected behavior. We will provide an update by 12/15/20, 5:30 PM [Eastern US]detailing when we expect to resolve the problem. Please note that this resolution time is an estimate and may change.”

At 6:51 PM Eastern, Google reported the Gmail problem had been resolved.

The SolarWinds and US government breach is not a marketing opportunity

The size and scope of SolarWinds as an IT software provider and the nature of the breach announced on December 13 rocked the IT and security world — rightfully so. While security leaders guide their companies to respond, there’s some generalized advice for the vendor world about this.

Throughout 2020, product security failures have happened month after month, but most focused on consumer-facing products and services. Enterprise B2B vendors didn’t get quite as much attention, but the scale balanced out with the SolarWinds breach.

Companies competing with SolarWinds on providing critical infrastructure, monitoring, and security products and security vendors should focus on the following:

Low product security efforts risk market share for B2B firms.
Vendors should NOT use the SolarWinds breach as a marketing opportunity.
Even a security-mature software supplier could have missed this
SolarWinds’ degree of transparency with its customer list might need to change

Sextortionist Campaign Targets iOS, Android Users with New Spyware

This week researchers discovered new spyware is targeting iOS and Android frequenters of adult mobile sites by posing as a secure messaging application in yet another twist on sextortionist scams.

The spyware, dubbed Goontact, targets users of escort-service sites and other sex-oriented services – particularly in Chinese-speaking countries, Korea and Japan.

The ploy and malware can ultimately be used to exfiltrate data from targets. Data siphoned from devices include phone numbers, contact lists, SMS messages, photos, and location information.

Microsoft Office 365 Credentials Under Attack By Fax ‘Alert’ Emails

Microsoft product last week was under attack. Legitimate emails from compromised accounts are being sent to numerous enterprise employees to steal their Office365 credentials.

The hackers behind the attack leveraged hundreds of compromised, legitimate email accounts to target organizations with emails, which pretended to document delivery notifications.

The attack starts with a simple convincing email recipient that they received a document. The email impersonates businesses like eFax, which is an internet fax service making it easy to receive faxes via email or online.

Zero-day XML mutation flaws in Go programming language can lead to authentication bypass

A trio of unpatched XML round-trip mutation vulnerabilities in Go’s standard library could lead to SAML authentication bypass in downstream projects, security researchers have revealed.

The open-source programming language’s security team have found the critical vulnerabilities, which were traced to Go’s encoding/XML package, fiendishly difficult to resolve.

With Go’s blessing, researchers from messaging platform Mattermost coordinated public disclosure because the vulnerabilities’ root causes “cannot be reliably addressed”, and mitigations planned for an upcoming Go release risked making the flaws public anyway.