❌

Normal view

Received today β€” 18 July 2026 ⏭ /r/netsec - Information Security News & Discussion

White House launches AI-driven "Gold Eagle" clearinghouse to centralize public-private vulnerability coordination

The White House recently announced the Gold Eagle Initiative, a new federal program designed to use AI to centralize, prioritize, and accelerate vulnerability patching across critical infrastructure, government agencies, and tech partners. Operating out of CMU's Software Engineering Institute, it essentially acts as an AI-driven clearinghouse to fix security flaws before threat actors can exploit them.

Because let's face it, our current bug reporting and patching systems are absolute speed demons. It only takes a lifetime πŸ€¦πŸ»β€β™‚οΈ or two to get a critical vulnerability acknowledged and fixed, so why change anything?

Btw, my candid opinion about the status of current vulnerability reporting is painfully slow, so we desperately need a framework that actually moves at the speed of the threat landscape. I think this initiative is genuinely a good idea and a step in the right direction, though the announcement is still light on the exact technical implementation.

I’m personally eager to see what will happen in practice, but it is definitely an impressive concept.
What are your thoughts on this? Will an AI-coordinated pipeline actually help scale response times, or is it just going to generate massive noise and triage fatigue for overworked infosec teams?

submitted by /u/Emergency_Stable_923
[link] [comments]
Received yesterday β€” 17 July 2026 ⏭ /r/netsec - Information Security News & Discussion

[$13337] Confused Deputy: Google IdP Universal Account Takeover via Device Code Flow Hijacking

RFC 8628's device authorization grant lets a TV or CLI "poll" for login on a second screen. On Google's implementation, the entire session was transferable across browsers, the authorization server never checked that the client_id and scope in the consent URL matched the ones the device_code was issued for, and prompt=none turned the whole thing into a one-click, invisible account takeover.

submitted by /u/swinglr
[link] [comments]
Received β€” 16 July 2026 ⏭ /r/netsec - Information Security News & Discussion
Received β€” 14 July 2026 ⏭ /r/netsec - Information Security News & Discussion

Enhancing IIoT Security Using Digital Twins in Industry

The AI research centre at Torrens University Australia has helped produce a review of 110 studies on digital twins and IIoT security.

What were the main takeaways? They have found that DTs are shifting away from passive monitoring to being a part of the defence architecture.

One of the biggest weak points they found was in legacy sensors with low bandwidth. In these situations, there is a lag before the digital twin reflects a real-world change, and that lag is where attacks tend to slip in.

Would be interested to hear your thoughts! Has anyone here dealt with that sync-gap problem on older hardware?

submitted by /u/TorrensUni
[link] [comments]

AXON Body camera 3 of 4 hardware reverse cracking output video!

Recently, I saw someone selling a well-known second-hand market in China. Except for some functions that need to be connected to networking, the 4th generation is used normally. However, because AXON is not in the Chinese market, most of them purchase the activated version from eBay and then reverse. Will such a problem lead to the body camera video of some American enterprises and some unpublished videos of the police will be leaked. Then he sells these body3 and 4th generations at prices ranging from 1,000 dollars and about 1,500 US dollars respectively, and gives a unique software to read and delete it. The question is whether it is feasible or not, but it is not fake to see the real shot.

submitted by /u/Thomas980130
[link] [comments]

ExporTheft: 11 "AI Chat Exporter" Chrome extensions upload full chat content on PDF export, while the store listing says "No uploads to external servers"

Family of 11 same-codebase extensions (ChatGPT/Claude/Gemini/etc), ~5.5k users on the main one. Sold as local-only: the store listing says "No uploads to external servers," "Everything processed locally," "No tracking or telemetry."

Observed in the tested version:

  • PDF export POSTs the full conversation to the developer's Cloud Run backend. A local renderer is bundled but only runs as a fallback.
  • Markdown/Text/JSON exports beacon title + source URL to /api/usage. The title is derived from your first message, so it can contain chat content.
  • Every request carries an X-Client-ID in chrome.storage.sync, so it follows you across machines.

Detection + full writeup: https://malext.io/reports/ExporTheft/

submitted by /u/Huge-Skirt-6990
[link] [comments]
❌