authorization

Tech Optimizer
June 13, 2026
On June 10th, Splunk released an advisory for CVE-2026-20253, a high-severity vulnerability with a CVSS score of 9.8 that requires no authentication. The vulnerability is associated with the PostgreSQL Sidecar Service Endpoint and affects Splunk Enterprise versions 10 and above. In default installations, the service is not installed on Windows but is installed and enabled by default on AWS. The vulnerability allows unauthorized users to create and truncate arbitrary files through an API that lacks authentication controls. Additionally, it enables the execution of SQL commands via a backup and restore mechanism, potentially leading to remote code execution (RCE). A Detection Artefact Generator has been developed to help organizations assess their vulnerability to this issue.
AppWizard
June 2, 2026
Meta has launched 13+ Teen Accounts on Instagram, Facebook, and Messenger, aiming to create a safer online environment for younger users. The rollout includes default settings that resulted in a 68% reduction in mature content on Instagram compared to other platforms. Meta is collaborating with the trust and safety firm Alice to test these new settings and is exploring ways to limit specific content types, particularly related to nutrition and anxiety. A report by whistleblower Arturo Béjar raised concerns about the effectiveness of Meta's teen safety features, leading to an overhaul of Instagram Teen Accounts. Meta faced controversy for comparing its content restrictions to PG-13 guidelines without authorization from the MPAA, which resulted in a cease and desist order but ended in a resolution. Additionally, new features have been introduced, including enhanced parental supervision tools and global age detection capabilities.
AppWizard
May 27, 2026
Google has enhanced the Android checkout experience by integrating stored credentials from Google Wallet, allowing developers to offer a seamless payment process with the new Express checkout feature using Google Pay for Android native applications. Developers can implement dynamic callbacks in their applications for real-time updates on shipping options, taxes, and total prices during transactions, improving the checkout process without closing the payment interface. These dynamic callbacks, previously available on the web, are now fully supported in Android applications, streamlining the checkout funnel. This innovation reduces friction in payments, facilitates a one-click experience, and enhances accuracy and authorization feedback, ultimately driving higher conversion rates. Recent reports indicate that mobile wallets, including Google Pay, are becoming mainstream, with 31% of consumers using a mobile wallet in-store within the past week, and the number of users reporting Google Pay usage doubling year over year. Additionally, 84% of shoppers prioritize one-click options, and 80% utilize stored credentials, highlighting the importance of these features in reducing cart abandonment and enhancing conversion rates.
Tech Optimizer
May 21, 2026
PostgreSQL has released versions 18.4, 17.10, 16.14, 15.18, and 14.23 to address 11 security vulnerabilities and over 60 bugs. The vulnerabilities affect PostgreSQL versions 14 through 18 and include issues such as remote code execution, SQL injection, and denial-of-service risks. Specific vulnerabilities include:
- CVE-2026-6472: Missing authorization in CREATE TYPE allows query hijacking.
- CVE-2026-6473: Integer wraparound leads to out-of-bounds writes and server crashes.
- CVE-2026-6474: Format string issue leaks server memory.
- CVE-2026-6475: Symlink attack allows overwriting arbitrary files.
- CVE-2026-6476: SQL injection allows execution of arbitrary SQL as superuser.
- CVE-2026-6477: Memory buffer overwrite via libpq lo_* functions.
- CVE-2026-6478: Timing attack exposes MD5-hashed passwords.
- CVE-2026-6479: SSL/GSS recursion flaw allows denial-of-service.
- CVE-2026-6575: Buffer over-read leaks memory data (PostgreSQL 18 only).
- CVE-2026-6637: Refint module enables stack overflow and SQL injection, leading to possible RCE.
- CVE-2026-6638: SQL injection in REFRESH PUBLICATION via table names.
Organizations are advised to upgrade to the latest versions, avoid MD5 password authentication, restrict privileges, audit extensions, and monitor for abnormal activity. PostgreSQL 14 will reach its end-of-life on November 12, 2026.
Winsage
May 14, 2026
Microsoft's Windows Autopatch service mistakenly deployed restricted driver updates to some managed Windows devices without proper approval, affecting Windows 11 versions 25H2, 24H2, and 23H2. This led to unexpected restarts and stability issues. Microsoft implemented a server-side fix to address this problem, confirming that only a limited subset of devices in the EU region was impacted and that no client-side action was required. Additionally, some users faced difficulties installing Office on Windows 365 machines due to a configuration change from a recent service update.
Tech Optimizer
May 1, 2026
Surfshark One+ with Incogni is a comprehensive online privacy solution that combines a VPN, antivirus protection, and personal data removal services. The two-year plan is currently priced at .99, reduced from its regular price of 9.40. The Surfshark component includes a VPN, real-time antivirus protection, and Surfshark Alert for data breach notifications, while Incogni handles the removal of personal information from over 420 data brokers. Incogni has processed over 245 million removal requests, verified by Deloitte, and offers identity theft coverage of up to million. The service supports up to five devices and is compatible with various operating systems.
AppWizard
April 10, 2026
PC Gamer's Mollie Taylor praised the Starsand Island demo in December 2025, while Lauren Morton called it "the first can't-miss cozy game of 2026" in February. The game is currently unavailable on Steam due to the developer, Seed Sparkle Lab, using unauthorized visual elements from a classic title in their mini-game section. They apologized for this oversight and are working on a new build to remove the contentious content. Fans speculate the classic title might be Tetris, but this is unconfirmed. Seed Sparkle has decided to temporarily delist Starsand Island and will reward current owners with the "Shining Star" outfit set once the revised version is approved. Players' progress will remain intact. The studio is enhancing its internal review processes following this incident and a previous wave of fake positive user reviews. A specific return date for the game on Steam has not been disclosed, but it is still available on the Xbox Store.