New wolfSSL vulnerability and malicious apps expose user data

New wolfSSL vulnerability and malicious apps expose user data

A wolfSSL vulnerability allows certificate forgery while 108 Chrome extensions steal user data. RCI Hospitality also confirms a breach via an IDOR flaw.

wolfSSL critical vulnerability enables certificate forgery

Severity: Critical | CVE: CVE-2026-5194 | Affected systems: Embedded devices, IoT, RTOS platforms

A critical security flaw has been uncovered in the wolfSSL cryptographic library - one of the most widely deployed TLS/SSL implementations in the world. The vulnerability allows threat actors to forge digital certificates, effectively impersonating trusted servers and enabling man-in-the-middle (MitM) attacks at scale.

What makes this vulnerability particularly dangerous

wolfSSL is embedded across billions of devices - from industrial controllers and medical equipment to automotive systems and consumer IoT products. Unlike traditional desktop or server environments where patching is relatively straightforward, embedded systems often run firmware that is difficult or impossible to update remotely, which dramatically extends the window of exposure for any given flaw.

The vulnerability lies in the library's certificate verification logic. Under specific conditions, an attacker can craft a malicious certificate that passes wolfSSL's validation checks without triggering any alerts. This enables them to:

  • Impersonate any trusted server in a communication chain
  • Intercept and decrypt TLS-protected traffic silently
  • Inject malicious payloads into otherwise secure data streams

Who is at risk and what to do now

Any product or platform using an affected version of wolfSSL is potentially vulnerable. Developers and device manufacturers should cross-reference their wolfSSL build version against the official security advisory and prioritize upgrading to the patched release. OEM vendors embedding wolfSSL in hardware firmware should also issue update notifications to end users as a matter of urgency.

If immediate patching is not feasible, network-level controls - including strict certificate pinning and anomaly-based TLS traffic inspection - can help reduce the attack surface in the interim period.

108 malicious Chrome extensions caught stealing Google and Telegram data

A coordinated campaign involving 108 malicious Chrome browser extensions has been uncovered, actively exfiltrating sensitive data from an estimated 20,000 affected users. The extensions were engineered to pass as legitimate browser tools, making detection especially difficult for non-technical users.

How the attack works

Each extension in the cluster communicates with a shared command-and-control (C2) infrastructure that coordinates data collection and exfiltration. Stolen data includes:

  • Login credentials for Google and Telegram accounts
  • Session tokens and cookies, which enable full account takeover without requiring a password
  • Personally identifiable information (PII) harvested from active browsing sessions
  • Complete browsing history, which can be leveraged for targeted phishing or monetized on dark web marketplaces

The reliance on a single shared C2 backend strongly suggests a single organized threat actor or group orchestrating the campaign, rather than independent copycat activity.

How to protect yourself

Browser extensions remain one of the most underestimated attack surfaces in both enterprise and personal security environments. Even extensions with strong review scores and high install counts can be compromised after passing initial platform review.

Practical steps to reduce your exposure include:

  • Audit installed extensions regularly - remove anything you no longer actively use
  • Only install extensions from publishers with a verifiable public presence
  • Review requested permissions carefully before installing - a productivity tool rarely needs access to your Google account data
  • Enterprise teams should enforce extension allowlisting via Chrome Enterprise policies
  • Enable Google's Enhanced Safe Browsing for additional real-time detection

If you suspect you installed one of the malicious extensions, change your Google and Telegram passwords immediately, revoke all active sessions, and review recent account activity for unauthorized logins or data exports.

RCI Hospitality Holdings data breach exposes contractor data via IDOR flaw

RCI Hospitality Holdings has officially confirmed a data breach affecting the sensitive personal information of independent contractors, disclosed through a mandatory SEC Form 8-K filing. The root cause was identified as an insecure direct object reference (IDOR) vulnerability - a deceptively straightforward but highly impactful class of web application security flaw.

Understanding the IDOR vulnerability behind the breach

An IDOR vulnerability occurs when a web application exposes internal object identifiers - such as database record IDs, file paths, or user reference numbers - directly in URLs or API requests, without verifying whether the requesting party is actually authorized to access the referenced resource. In RCI's case, an unauthorized party could manipulate these parameters to retrieve records belonging to entirely different contractors.

This vulnerability class falls under Broken Access Control in the OWASP Top 10, which has held the top spot as the most critical web application risk category for several consecutive years. Despite being well-documented and preventable, IDOR flaws remain persistently common - largely due to insufficient authorization testing during development and pre-release security reviews.

What data was exposed

While the full scope of the breach is still being assessed following the 8-K disclosure, the compromised records contained sensitive personal information belonging to independent contractors. Depending on the data structures involved, this could encompass names, contact details, tax identification numbers, payment or banking information, and contract-specific details - all high-value data for identity theft, fraud, and targeted social engineering.

What this breach signals for web application security

The RCI incident is a pointed reminder that data breaches do not always require sophisticated exploits or nation-state-level tooling. A single preventable architectural oversight was sufficient to expose private contractor records. Organizations handling personal data of contractors, employees, or customers should:

  • Perform IDOR-specific testing as a standard component of web application security assessments
  • Enforce server-side authorization checks on every data access request - client-side restrictions alone are never sufficient
  • Apply least-privilege data access principles across all API endpoints and backend services
  • Ensure penetration testing covers the full OWASP Top 10 before any production deployment

Contractors affected by this breach should monitor financial accounts closely, consider placing a credit freeze with major bureaus, and remain alert to targeted phishing attempts that may exploit the exposed personal data.

Key takeaways

  • A critical flaw in the wolfSSL cryptographic library (CVE-2026-5194) allows attackers to forge TLS certificates and impersonate trusted servers, threatening billions of embedded and IoT devices globally.
  • The wolfSSL vulnerability enables silent man-in-the-middle attacks by bypassing certificate validation logic, with embedded systems facing an extended exposure window due to the difficulty of remote firmware updates.
  • 108 malicious Chrome extensions were confirmed as actively stealing Google and Telegram credentials, session tokens, PII, and full browsing history from approximately 20,000 users.
  • All 108 malicious extensions shared a single command-and-control infrastructure, indicating a coordinated campaign by a single organized threat actor rather than independent attacks.
  • Session token theft allows full account takeover without needing a password, making this Chrome extension campaign especially dangerous even for users with strong credentials.
  • RCI Hospitality Holdings confirmed a data breach of independent contractor personal information via a mandatory SEC Form 8-K disclosure.
  • The RCI breach was caused by an insecure direct object reference (IDOR) vulnerability - a Broken Access Control flaw that ranks #1 in the OWASP Top 10 web application security risks.
  • IDOR vulnerabilities require no advanced malware or exploits; simple URL parameter manipulation is sufficient to bypass authorization and access unauthorized records.

Sources

As an Amazon Associate, I earn commissions from qualifying purchases. This means I may receive a commission when you buy through links on this site.
 avatar
@daniel
Daniel Parkes
Senior Systems & Software Engineer
Daniel Parkes is a software engineer and tech consultant with a relentless builder's mindset and a deep suspicion of anything that cannot survive real-world testing. He tears apart software architectures, audits open-source code, and stress-tests systems to understand exactly how and why things break under pressure. A vocal champion of transparency in tech, he reserves his sharpest skepticism for security claims that have never been independently verified - and his writing arms technically literate readers with the critical tools to evaluate technology on its actual merits, not its marketing copy.
No posts yet