惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
Project Zero
Project Zero
K
Kaspersky official blog
G
Google Developers Blog
T
Threat Research - Cisco Blogs
T
The Blog of Author Tim Ferriss
Cyberwarzone
Cyberwarzone
Y
Y Combinator Blog
Recorded Future
Recorded Future
Blog — PlanetScale
Blog — PlanetScale
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Cisco Talos Blog
Cisco Talos Blog
Latest news
Latest news
Microsoft Security Blog
Microsoft Security Blog
H
Help Net Security
S
Schneier on Security
P
Palo Alto Networks Blog
H
Hacker News: Front Page
N
News and Events Feed by Topic
N
Netflix TechBlog - Medium
博客园 - Franky
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
SecWiki News
SecWiki News
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
The Hacker News
The Hacker News
C
Check Point Blog
L
LangChain Blog
腾讯CDC
小众软件
小众软件
T
Tenable Blog
Google DeepMind News
Google DeepMind News
GbyAI
GbyAI
L
LINUX DO - 最新话题
A
About on SuperTechFans
Google Online Security Blog
Google Online Security Blog
C
Cisco Blogs
Recent Announcements
Recent Announcements
Hacker News: Ask HN
Hacker News: Ask HN
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
雷峰网
雷峰网
美团技术团队
D
DataBreaches.Net
Martin Fowler
Martin Fowler
Help Net Security
Help Net Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
F
Full Disclosure
博客园_首页

Malwarebytes

Carnival confirms data breach impacting nearly 6 million Kali365 phishing kit bypasses MFA and steals Microsoft logins Company bragged phone mics could listen to conversations. They couldn’t. Fake LinkedIn emails abuse Adobe to track victims Fake software on GitHub and SourceForge distribute Deno RAT 700+ education and tech websites hijacked in huge ClickFix malware campaign Scammers pretending to be Microsoft had help from US executives A week in security (May 18 – May 24) Update Chrome now: Critical bugs could let attackers run code Microsoft Defender vulnerabilities are being exploited in the wild TikTok, YouTube, and Roblox face scrutiny, but age gates won’t fix child safety Catch spyware in the act with Windows Webcam Monitoring Researchers left AI agents alone in a virtual town and watched it all unravel Fake malware-signing service Fox Tempest dismantled by Microsoft Firefox 151 packs big privacy upgrades into a small update Biometrics, diagnoses, and bank details exposed in major healthcare breach Facebook scam promises cheap Aldi meat boxes, steals payment info instead YouTube wants your face to fight deepfakes Microsoft is changing Edge’s plaintext password behavior A week in security (May 11 – May 17) AI is distorting the Holocaust (Lock and Code S07E10) Attackers replaced JDownloader installer downloads with malware Meta’s confusing new approach to chat privacy Why Malwarebytes blocks some Yahoo Mail redirects Deepfake sextortion forces schools to remove student photos from websites Texas sued Netflix over claims it secretly collected and sold users’ data May 2026 Patch Tuesday: no zero-days but plenty to fix Fake Claude search results lure Mac users into ClickFix attack 1 in 8 employees have sold company logins or know someone who has Stolen Canvas data was “returned” after hacker agreement, Instructure says A week in security (May 4 – May 10) Microsoft says Edge’s plaintext password behavior is “by design” ShinyHunters escalates Canvas attacks with school login defacements Massive AI investment scam network spans 15,500 domains If a fake moustache can fool age checks, is the Online Safety Act working? Google Chrome’s silent 4GB AI download problem Attackers adopt JavaScript runtime Bun to spread NWHStealer Millions of students’ personal data stolen in major education breach Update WhatsApp now: Two new flaws could expose you to malicious files Cyberattacks are raising your prices (Lock and Code S07E09) Thousands of Facebook accounts stolen by phishing emails sent through Google The 2026 World Cup scam economy is already running before the first whistle A week in security (April 27 – May 3) 3 easy-to-miss cybersecurity risks for small businesses Actively exploited cPanel bug exposes millions of websites to takeover More PayPal emails hijacked to deliver tech support scams Hackers stole hundreds of thousands of Roblox accounts: Here’s what to do Researchers built a chatbot that only knows the world before 1931 Microsoft won’t patch PhantomRPC: Feature or bug? Scam-checking just got a lot easier: Malwarebytes is now in Claude Fake CAPTCHA scam turns a quick click into a costly phone bill Chinese engineer stole US military and NASA software for years A week in security (April 20 – April 26) Medical data of 500,000 UK volunteers listed for sale on Alibaba How cyberattacks on companies affect everyone Apple fixes iOS bug that kept deleted notifications, including chat previews Roblox clamps down on chats and age checks as legal pressure builds Malicious trading website drops malware that hands your browser to attackers Researcher claims Claude Desktop installs “spyware” on macOS Fake Google Antigravity downloads are stealing accounts in minutes Real Apple notifications are being used to drive tech support scams Android 17 ends all-or-nothing access to your contacts Big Tech can stop scams. They just don’t (Lock and Code S07E08) Mythos: An AI tool too powerful for public release A week in security (April 13 – April 19) This old-school scam is still working “Your shipment has arrived” email hides remote access software Browser Guard gets even better with Access Control “iCloud storage is full” scam is back, and now it wants your payment details A fake Slack download is giving attackers a hidden desktop on your machine Booking.com breach gives scammers what they need to target guests AI clickbait can turn your notifications into a scam feed Fake YouTube copyright notices can steal your Google login From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere April Patch Tuesday fixes two zero-days, including one under active attack Credit Resources Vault: Why this credit email set off our scam alarms Omnistealer uses the blockchain to steal everything it can ChatGPT under scrutiny as Florida investigates campus shooting Simply opening a PDF could trigger this Adobe Reader zero-day A week in security (April 6 – April 12) Fake Claude site installs malware that gives attackers access to your computer ClickFix finds a new way to infect Macs Scammers pose as Amazon support to steal your account NSFW app leak exposes 70,000 prompts linked to individual users 30,000 private Facebook images allegedly downloaded by Meta employee This fake Windows support website delivers password-stealing malware Your extensions leak clues about you, so we made sure Browser Guard doesn’t Russian hacking group targets home and small office routers to spy on users Timeshare owners warned to watch out for cartel-linked scams Traffic violation scams swap links for QR codes to steal your card details Support platform breach exposes Hims & Hers customer data A week in security (March 30 – April 5) Killer robots are here. Now what? (Lock and Code S07E07) That dream job offer from Coca-Cola or Ferrari? It’s a trap for your passwords Blocking children from social media is a badly executed good idea Apple expands “DarkSword” patches to iOS 18.7.7 Malwarebytes Privacy VPN receives full third-party audit Wikipedia’s AI agent row likely just the beginning of the bot-ocalypse WhatsApp on Windows users targeted in new campaign, warns Microsoft Why we’re still not doing April Fools’ Day
Yarbo responds to robot flaws that could mow down their owners
2026-05-11 · via Malwarebytes

A researcher found that Yarbo yard robots came with a host of vulnerabilities which, among others, allowed an attacker to harvest WiFi passwords.

Security researcher Andreas Makris found he could remotely hijack thousands of Yarbo yard robots worldwide, and proved it by having his mower run him over. The root cause was a cluster of “legacy” design choices: every robot shared the same hardcoded root password, remote tunnels were left open, and Message Queuing Telemetry Transport (MQTT) messaging was so weakly protected that once you had one device, you effectively had the worldwide fleet.

An attacker could pull GPS coordinates, email addresses, and Wi‑Fi passwords, turn cameras into remote spying tools, and even re‑arm the mower after someone hit the emergency stop. 

All of this was enabled by a persistent backdoor tunnel that users could neither see nor meaningfully control. The risks fell into three very different buckets:

  • A heavy mower with remotely controllable blades and an emergency stop that can be bypassed is a real-world safety hazard.
  • Exposed telemetry meant attackers could map where devices were, see who owned them, and in some reports even view camera feeds.
  • Network abuse through shared root credentials meant compromised robots could scan local networks, steal more data, or be folded into a botnet.

Yarbo’s public response is unusually detailed for a consumer Internet of Things (IoT) vendor. It’s also refreshingly blunt in admitting that the researcher’s core findings were accurate. The company temporarily disabled the remote diagnostic tunnels, reset root passwords, locked down unauthenticated endpoints, and began ripping out unnecessary legacy access paths.

More importantly, Yarbo promises structural changes:

  • Unique per‑device credentials.
  • Over-the-Air  (OTA) credential rotation.
  • Audited, allowlist‑based remote diagnostics.
  • Dedicated security contact, with a possible bug bounty to follow.

That is the sort of long‑term security hygiene we rarely see spelled out this clearly after an IoT fiasco.

From a disclosure and remediation standpoint, Yarbo is doing many things right: crediting the researcher, apologizing, prioritizing fixes, and explaining both short‑term patches and long‑term architectural changes in human language. For buyers of connected devices with blades, that level of transparency is a positive precedent.

But Yarbo has explicitly chosen to keep a remote access tunnel, although wrapped in better controls and logs, instead of offering users the option to remove or fully opt out of it.

How to secure IoT devices

The vulnerabilities uncovered in the Yarbo case present an almost a live-action demo of what the IoT Cybersecurity Improvement Act is trying to prevent in US government deployments. While the Act doesn’t apply to Yarbo directly, its National Institute of Standards and Technology (NIST)-driven requirements map neatly onto what went wrong here.

So, it’s still up to users to make sure you:

  • Change the default credentials.
  • Check if the vendor will make updates available and how easy it is to install them before buying an IoT product. And then install the updates when available.
  • If you can, put your IoT devices on a separate network. Use a guest Wi‑Fi or separate VLAN when available.
  • Disable what you don’t need. Turn off UPnP, remote access, cloud control, and unnecessary services if you’re not actively using them.
  • If your router or security suite logs connections from IoT devices, skim those logs for odd spikes or unknown destinations.

Let’s face it, an incognito window can only do so much. Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

About the author

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.