{"uuid": "1bd2e634-abee-4976-a842-35e661747e10", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-8451", "type": "seen", "source": "https://poliverso.org/objects/0477a01e-d4861f50-d397a0c8dd7527dd", "content": "This Week in Security: Windows 10 Gets Another Year, SmartTV Botnets, Hiding Payloads, and LastPass Customer Leak\nUnsurprisingly to many of us, app stores for smart televisions are also trash. Perhaps even more full of trash than other app stores due to the smaller ecosystem and fewer reviewers.\nSpur analyzed the LG smart TV app store, and found that almost half of the apps available contain proxy software, turning your TV into a node in their proxy network. Are these apps malware? Many of the analyzed apps provided a thin veneer of user consent: they offer you the tradeoff of seeing an ad every 15 seconds, or allowing their \u201coccasional web indexing\u201d to run permanently in the background. Watch the fishtank app for five minutes, join their proxy network for life.\nSpur notes that the proxy SDK in use appears to block connections to private network ranges (internal IP ranges like 192.168.x.x and 10.x.x.x), but that the SDK restricting access to those ranges is the only protection against accessing whatever network the TV is connected to.\nAmazon and Roku ban proxy apps on their devices. Samsung and LG do not.\nWin 10 Security Updates Extended\nMicrosoft has added another year of security updates to Windows 10. Despite trying to kill the platform, so many users remain on Windows 10 that Microsoft likely has no choice.\nThe extended support program was previously due to end in October 2026 but has now been pushed to October 2027. The security updates will be available for free in the UI, but users in other regions must activate OneDrive and sync system settings, or pay 1000 Microsoft credits (about $30).\nThe death of Windows 10 is near, but for those unwilling or unable to let go, it shuffles along.\nSignal Phishing Attempts\nBleeping Computer has an article about increased phishing attempts from hacker groups in Russia targeting Signal users.\nThe phishing messages target politicians, government officials, military, and other high-profile intelligence targets, and claim that Signal is introducing mandatory two-factor authentication, before prompting the target to enable remote Signal backups. A second follow-up phishing attempt then prompts the user to copy the backup authentication tokens from Signal and provide them to the attacker.\nSignal remote backups are a relatively recent addition to the messenger, making a backup on the Signal servers of a users messages and images, encrypted with a key known only to the user. While convenient, and likely fundamentally secure given the track record of the Signal team, this phishing campaign highlights a major weakness: once private content is accessible somewhere else, an attacker simply needs to obtain the keys to access it, which is significantly simpler than obtaining the message content directly from the victims phone.\nPayloads in WiFi and LoRa\nSasha Romijn presented an excellent talk at OrangeCon on embedding attack payloads in unusual places.\nSasha found poor input handling of content from DNS servers, TLS certificates, server headers, DHCP host names, LoRa Mesh node names, WiFi network names, and more. In many cases, it seems to be as simple as embedding JavaScript or CSS inside a string; many sites and utilities don\u2019t sanitize against escaped HTML, and the standards allow it.\nThey then go on to demonstrate more serious impacts, such as compromising the management accounts of two Europe-based hosting providers by injecting content into TLS certificates, and gaining root on some OpenWRT devices via a WiFi SSID which loads a hostile JavaScript into the LUCI web management interface, which then uses the web management system to install a backdoor root shell.\nSasha continues the tour-de-exploits by demonstrating multiple cross-site scripting injections into the Ripe NCC database which then allow browser manipulation of users on the RIPE website. This has enormous implications, because Ripe NCC is the Internet allocation organization for Europe and the Middle East: the company who assigns and manages IP address blocks.\nBe sure to check out the full presentation, and let this be a lesson to always treat all data as hostile, even from what would seem to be your own services!\nCollecting Boot Console Info\nOne of the first steps in getting access to an embedded device is to look for a serial port, or serial port test points. Often this can give an idea what sort of code is running on the system, and in some cases, give direct access via the boot loader or a Linux login console.\nBoot Intel is a web-based tool to automate scraping boot messages from embedded devices, looking for exposed logins and vulnerable services. Boot Intel can take pasted boot logs, or directly connect to the device via WebSerial.\nWhile Boot Intel is a paid service, there is a free version for hackers to explore devices.\nCitrixBleed, again\nwatchTowr Labs is back with another excellent write-up on CitrixBleed, continuing the trend of memory leaks in Citrix Netscaler devices.\nThis collection of vulnerabilities allow leaking internal memory from the Citrix servers, which can expose logs, customer data, encryption keys, or anything else found in server memory. Netscaler devices offer SSL offloading, application acceleration, VPN and remote access, and load balancing; all installations where leaking memory is likely very bad.\nThe watchTower write-up maintains their trend of providing entertaining reads about highly technical topics.  Do yourself a favor and be sure to give it a look!\nBits and Bytes\nLastPass marketing partner Klue was compromised this week, impacting the customer data of multiple companies. Customer data such as email, phone numbers, addresses, and support tickets were exposed, however the LastPass vaults themselves were not impacted. While LastPass has revoked access to the impacted partner, the stolen data could assist phishing attacks against customers.\nThe open source self-hosted video sharing platform PeerTube has released an emergency update which addresses multiple vulnerabilities. While the release notes quote \u201cmedium to high severity\u201d vulnerabilities, there are no specific details. If you run a PeerTube server, upgrade now!\nBoth Apple AirDrop and Google Quick Share have new vulnerabilities reported this week, with fixes coming soon. Both protocols are designed to allow file sharing to nearby devices, and accordingly, the issues found on them can be triggered on nearby devices. Researchers were able to find six vulnerabilities in macOS, iOS, Windows, and Android implementations of the sharing protocols. All of the discovered vulnerabilities led to crashes, but not full exploit and code execution. Sustained denial of service attacks were possible however, with nearby attackers able to keep the services unreachable and unusable for the duration. \nhackaday.com/2026/07/03/this-w\u2026", "creation_timestamp": "2026-07-03T14:25:52.695979Z"}