Major Security Breaches and Vulnerabilities Uncovered Across Various Platforms

In recent revelations, journalist Jeffrey Goldberg's phone number found its way into a Signal group chat due to an accidental mix-up involving US National Security Adviser Mike Waltz. According to a detailed report by The Guardian, during the 2024 US election campaign, Goldberg sought to interview the Trump campaign and emailed questions concerning a story he was working on. The email eventually reached Brian Hughes, a campaign staffer, who aimed to ensure that Waltz was aware of Goldberg's inquiries so he could provide insightful comments.
To facilitate this, Hughes forwarded Goldberg's inquiry, which included the journalist's phone number, to Waltz. At that time, Waltz was acting as a surrogate spokesperson for the Trump campaign. In what would later become a significant oversight, Waltz saved Goldberg's number in his contact list under Hughes's name.
Months later, after Hughes transitioned to a role at the National Security Council, Waltz included him in a Signal group known as the "Houthi PC small group." This group was utilized to discuss a planned attack on Houthi rebels in Yemen. Unbeknownst to Waltz, the phone number he had saved was actually Goldberg's, leading to an unsolicited invite for the journalist into sensitive discussions.
This incident has raised eyebrows, especially since Goldberg later reported that officials from the Trump administration preferred using Signal for communications rather than the secure channels designated by the US government. This usage potentially jeopardized sensitive information and may have violated government record-keeping requirements.
The Guardian's report comes on the heels of a separate exposé by Politico, which revealed that Waltz may have established at least 20 group chats on Signal, where discussions involving sensitive government matters, such as strategies related to Ukraine, China, and the Gaza crisis, were conducted.
As one unnamed source disclosed to Politico, "Waltz built the entire [National Security Council] communications process on Signal," further underscoring the seriousness of the issue.
Meanwhile, in a separate development within the tech industry, Google faced criticism for its handling of vulnerabilities in its Quick Share data transfer software. According to researchers from SafeBreach, Google initially botched a fix for 10 significant vulnerabilities in the Windows version of Quick Share. These vulnerabilities, discussed at the DefCon conference in August 2024, were serious enough that they could be exploited to achieve full remote code execution on any Windows machine with Quick Share enabled.
Google's response included fixes for vulnerabilities identified as CVE-2024-38271 and CVE-2024-38272. However, a blog post from SafeBreach's Or Yair revealed that Google's patches were insufficient. Yair's team identified two critical shortcomings. The first issue related to a remote denial of service vulnerability triggered by invalid UTF-8 continuation bytes in file names. Yair highlighted that Google's fix only addressed the specific cases SafeBreach had provided as proof of concept, leaving the broader vulnerability unpatched.
The second oversight involved a failure to adequately patch a remote unauthorized file write issue within the exploit chain. According to SafeBreach, Google's fix did not prevent unauthorized writes and only removed a single file after a Quick Share session concluded, allowing for potential exploitation.
Google has since issued another Common Vulnerabilities and Exposures (CVE) and update, assuring that Quick Share for Windows version 1.0.2002.2 and later includes the necessary fix. Yair suggests that this situation serves as a cautionary tale for the software industry, emphasizing the importance of addressing the root causes of vulnerabilities instead of merely treating their symptoms.
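As an added example (not code from SafeBreach, Google or the report above, and not Quick Share's protocol), here is the kind of structural check the "root cause, not symptom" lesson calls for: an untrusted file name is validated against the well-formed byte ranges of RFC 3629, so every invalid continuation byte, truncated sequence, overlong form or surrogate is rejected the same way, rather than only the byte patterns a particular proof of concept happened to use.

```python
# Added example: structural UTF-8 validation for untrusted file names.
# Instead of blocklisting specific malformed strings, every byte sequence
# is checked against the well-formed ranges in RFC 3629 section 4.
from typing import Optional

# Allowed range of the SECOND byte, keyed by lead byte. Third and fourth
# bytes, when present, are always 0x80..0xBF. Lead bytes absent from this
# table (0x80..0xC1 and 0xF5..0xFF) are never valid.
_SECOND_BYTE = {
    **{b: (0x80, 0xBF) for b in range(0xC2, 0xE0)},  # 2-byte sequences
    0xE0: (0xA0, 0xBF),                              # rejects overlong 3-byte
    **{b: (0x80, 0xBF) for b in range(0xE1, 0xED)},
    0xED: (0x80, 0x9F),                              # rejects UTF-16 surrogates
    **{b: (0x80, 0xBF) for b in range(0xEE, 0xF0)},
    0xF0: (0x90, 0xBF),                              # rejects overlong 4-byte
    **{b: (0x80, 0xBF) for b in range(0xF1, 0xF4)},
    0xF4: (0x80, 0x8F),                              # rejects > U+10FFFF
}


def utf8_error_offset(data: bytes) -> Optional[int]:
    """Return the offset of the first malformed byte, or None if well-formed."""
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        if lead < 0x80:                      # plain ASCII
            i += 1
            continue
        if lead not in _SECOND_BYTE:         # lone continuation, C0/C1, F5..FF
            return i
        length = 2 if lead < 0xE0 else 3 if lead < 0xF0 else 4
        end = i + length
        for j in range(i + 1, min(end, n)):  # check the continuation bytes present
            lo, hi = _SECOND_BYTE[lead] if j == i + 1 else (0x80, 0xBF)
            if not lo <= data[j] <= hi:
                return j
        if end > n:                          # truncated: sequence cannot complete
            return i
        i = end
    return None


def safe_file_name(raw: bytes) -> Optional[str]:
    """Decode an untrusted file name, or return None so the caller can reject
    the transfer up front instead of failing later on a malformed name."""
    if utf8_error_offset(raw) is not None:
        return None
    return raw.decode("utf-8")
```

Because the check is structural, the same function also rejects inputs a PoC-driven blocklist would never have listed, such as a lone continuation byte or a four-byte sequence above U+10FFFF.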
In other security news, Apache addressed a critical CVSS 10.0 vulnerability (CVE-2025-30065) in its Parquet general-purpose columnar file format, while Cisco issued warnings regarding two flaws in its Smart Licensing Utility that could allow remote attackers to perform administrator-level tasks.
Lastly, a new initiative has emerged for security researchers in the open-source domain. Nivenly, an open-source governance foundation, has launched a limited bug bounty program targeting specific projects within the Fediverse, such as Mastodon, Lemmy, and PeerTube. Researchers will be rewarded for identifying vulnerabilities, with payouts reaching up to $500 for critical issues.
In a concerning twist, Baltimore, Maryland, fell victim to a sophisticated vendor fraud scheme, losing nearly one million dollars. Scammers impersonated a vendor employee, utilizing tactics such as altering bank account information, leading the city to process two fraudulent payments. While one payment was recovered, the second remains unaccounted for, highlighting the need for vigilance against increasingly sophisticated scams.
Additionally, WordPress users were once again alerted to vulnerabilities within the platform, specifically targeting the "WP Ultimate CSV Importer" plugin. Security firm Wordfence discovered serious flaws that could allow an authenticated attacker to take control of WordPress sites and compromise critical files. Users are urged to update to the latest version to ensure their sites remain secure.