
Leaderboard

Popular Content

Showing content with the highest reputation on 01/09/21 in all areas

  1. Create post on any Facebook page
Pouya, 12:17 PM, No comments

Create an invisible post on any Facebook page

You may know that you can create many types of posts on your Facebook feed. One of them is called "invisible", which, unlike the other types, cannot be seen on your feed but, like the others, has a link and an ID. These posts are not shown on the feed timeline but are accessible via a direct link. The main impact of these posts is that page admins cannot view or delete them, since they do not have any link to them.

At Creative Hub we can create ads and use collaboration to complete them. Facebook creates an invisible post on the selected page to preview the ads to users. I intercepted the request and changed the "page_id" to the victim's "page_id", and it saved without any error or issue. The permission here is checked before generating the preview, so you definitely need the advertiser role (image above).

Also, the Share feature (image below) was recently added to Facebook's Creative Hub, so I started digging deeper into it again. After clicking the share button, the API answers with a new shareable URL like this:

https://www.facebook.com/ads/previewer/__PREVIEW_KEY__

The gotcha is that the permission check is missing before generating a preview post on the share page. Changing page_id before saving the mockup in the GraphQL request and then getting back the shareable link for it gives us the ability to create a post on any page. All we need to do is find a post_id that exists on any ad preview endpoint. Finally, we created an invisible post on the victim's page without their knowledge!

POC:

Facebook fixed this vulnerability after I reported it, but I was still able to bypass the fix using another approach.

// This request will create a page post and send a notification to the mobile device
AsyncRequest.post('/ads/previewer/notify_mobile/__PREVIEW_KEY__', {})

The "send to mobile" feature creates a preview again without checking permission.

Bypass POC:

Timeline:
November 6, 2020 – Report sent
November 6, 2020 – Triaged
November 11, 2020 – Fixed
November 12, 2020 – Bypass sent
November 12, 2020 – Triaged
November 20, 2020 – Fixed
December 16, 2020 – $30,000 bounty awarded

Source: https://www.darabi.me/2020/12/create-invisible-post-on-any-facebook.html
    2 points
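The bug class in the post above, modelled as an added Python example (this is not code from the original post or from Facebook): three request paths, save-mockup, share and send-to-mobile, all end in the same sink that creates the unpublished post, but the vulnerable version checks the caller's role on page_id only on the first path. The hardened version moves the check into the sink, so the share path and the later notify path cannot reach it without the role. Every endpoint name, the Store class and the PAGE_ROLES table are hypothetical, constructed for the example.

```python
# Added example, not code from the original post or from Facebook: a model of
# the bug class described above. Three request paths (save mockup, share,
# send-to-mobile) all reach the same sink, create_preview_post(); in the
# vulnerable version only the first one checks the caller's role on page_id.
# All names and the role table below are hypothetical.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller holds no advertiser/admin role on the page."""


# Constructed sample data: who holds which role on which page.
PAGE_ROLES = {
    "page_attacker": {"attacker": "ADVERTISER"},
    "page_victim": {"victim": "ADMIN"},
}


@dataclass
class Store:
    posts: list = field(default_factory=list)    # (page_id, post_id)
    mockups: dict = field(default_factory=dict)  # mockup_id -> page_id


def has_advertiser_role(user, page_id):
    return PAGE_ROLES.get(page_id, {}).get(user) in ("ADVERTISER", "ADMIN")


def create_preview_post(store, page_id):
    """The sink: creates an unpublished ('invisible') post on page_id."""
    post_id = f"post_{len(store.posts) + 1}"
    store.posts.append((page_id, post_id))
    return post_id


def posts_on(store, page_id):
    return [pid for (page, pid) in store.posts if page == page_id]


# --- vulnerable: the role check lives in one caller, not at the sink --------

def vuln_save_mockup(store, user, mockup_id, page_id):
    if not has_advertiser_role(user, page_id):
        raise Forbidden(page_id)
    store.mockups[mockup_id] = page_id
    return create_preview_post(store, page_id)


def vuln_share(store, user, mockup_id, page_id):
    # page_id is taken from the client's GraphQL request and never checked.
    store.mockups[mockup_id] = page_id
    return create_preview_post(store, page_id)


def vuln_notify_mobile(store, user, mockup_id):
    # Regenerates the preview from the stored mockup; the stored page_id was
    # attacker-controlled when the mockup was saved, and nothing re-checks it.
    return create_preview_post(store, store.mockups[mockup_id])


# --- hardened: the sink itself refuses to act for an unauthorized caller ----

def safe_create_preview_post(store, user, page_id):
    if not has_advertiser_role(user, page_id):
        raise Forbidden(page_id)
    return create_preview_post(store, page_id)


def safe_share(store, user, mockup_id, page_id):
    post_id = safe_create_preview_post(store, user, page_id)
    store.mockups[mockup_id] = page_id
    return post_id


def safe_notify_mobile(store, user, mockup_id):
    # Re-checks against the page_id actually stored, so a mockup pointed at
    # another page earlier cannot serve as a second, unchecked entry point.
    return safe_create_preview_post(store, user, store.mockups[mockup_id])


def attack(share, notify):
    """Run the attacker's two requests (share with page_id swapped to the
    victim's page, then send-to-mobile) against one pair of endpoint
    implementations; return what happened and the posts the victim page got."""
    store = Store()
    store.mockups["m1"] = "page_attacker"  # the attacker's own, legitimately saved mockup
    outcome = []
    for name, call in (("share", lambda: share(store, "attacker", "m1", "page_victim")),
                       ("notify_mobile", lambda: notify(store, "attacker", "m1"))):
        try:
            call()
            outcome.append((name, "post created"))
        except Forbidden:
            outcome.append((name, "forbidden"))
    return outcome, posts_on(store, "page_victim")


if __name__ == "__main__":
    print("vulnerable:", attack(vuln_share, vuln_notify_mobile))
    print("hardened:  ", attack(safe_share, safe_notify_mobile))
```

The point of putting the check in safe_create_preview_post rather than in each caller is the one the timeline illustrates: the first fix closed the share path, and a second path to the same sink (send-to-mobile) was still open. A check at the sink covers paths nobody has enumerated yet.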
  2. Hardware security keys, such as those from Google and Yubico, are considered the most secure means to protect accounts from phishing and takeover attacks. But new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side channel in the chip embedded in it.

The vulnerability (tracked as CVE-2021-3011) allows the bad actor to extract the encryption key or the ECDSA private key linked to a victim's account from a FIDO Universal 2nd Factor (U2F) device like the Google Titan Key or YubiKey, thus completely undermining the 2FA protections.

"The adversary can sign in to the victim's application account without the U2F device, and without the victim noticing," NinjaLab researchers Victor Lomne and Thomas Roche said in a 60-page analysis. "In other words, the adversary created a clone of the U2F device for the victim's application account. This clone will give access to the application account as long as the legitimate user does not revoke its second factor authentication credentials."

The whole list of products impacted by the flaw includes the Google Titan Security Key (all versions), Yubico YubiKey NEO, Feitian FIDO NFC USB-A / K9, Feitian MultiPass FIDO / K13, Feitian ePass FIDO USB-C / K21, and Feitian FIDO NFC USB-C / K40. Besides the security keys, the attack can also be carried out on NXP JavaCard chips, including NXP J3D081_M59_DF, NXP J3A081, NXP J2E081_M64, NXP J3D145_M59, NXP J3D081_M59, NXP J3E145_M64, and NXP J3E081_M64_DF, and their respective variants.

The key-recovery attack, while doubtless severe, needs to meet a number of prerequisites in order to be successful. An actor would first have to steal the target's login and password for an account secured by the physical key, then stealthily gain access to the Titan Security Key in question, not to mention acquire expensive equipment costing north of $12,000, and have enough expertise to build custom software to extract the key linked to the account.

"It is still safer to use your Google Titan Security Key or other impacted products as a FIDO U2F two-factor authentication token to sign in to applications rather than not using one," the researchers said.

To clone the U2F key, the researchers set about the task by tearing the device down, using a hot air gun to remove the plastic casing and expose the two microcontrollers soldered in it: a secure enclave (NXP A700X chip) that is used to perform the cryptographic operations, and a general-purpose chip that acts as a router between the USB/NFC interfaces and the authentication microcontroller. Once this is achieved, the researchers say it is possible to glean the ECDSA encryption key via a side-channel attack by observing the electromagnetic radiation coming off the NXP chip during ECDSA signatures, the core cryptographic operation of the FIDO U2F protocol that is performed when a U2F key is registered for the first time to work with a new account.

A side-channel attack typically works on information gained from the implementation of a computer system, rather than by exploiting a weakness in the software. Often, such attacks leverage timing information, power consumption, electromagnetic leaks, and acoustic signals as a source of data leakage. By acquiring 6,000 such side-channel traces of the U2F authentication request commands over a six-hour period, the researchers said they were able to recover the ECDSA private key linked to a FIDO U2F account created for the experiment, using an unsupervised machine learning model.

Although the security of a hardware security key isn't diminished by the above attack, due to the limitations involved, a potential exploitation in the wild is not inconceivable. "Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it," the researchers concluded. "Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered."

Source: https://thehackernews.com/2021/01/new-attack-could-let-hackers-clone-your.html
    2 points
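The relying-party side of the U2F authentication the article describes, as an added Python example (not from the original post, the THN article or NinjaLab): a pure-Python P-256 ECDSA sign/verify pair, used only to produce and check signatures (nothing here models the token's hardware or the side channel), and a relying party that verifies the authentication response and checks the token's signature counter. The article says the clone keeps working until the user revokes the credential; the counter in every U2F authentication response is the one signal a relying party does get, because a clone carrying the same private key cannot share the real token's counter, so once the clone has been used the legitimate token's next response arrives with a lower counter and is rejected. The U2FToken and RelyingParty classes, the app id, the challenges and the "constructed" private key are assumptions made for the example; the signature is passed as an (r, s) pair rather than DER-encoded.

```python
# Added example, not code from the original post, THN or NinjaLab. Pure-Python
# P-256 ECDSA (affine arithmetic, not constant time, for reproducibility only)
# plus the relying-party checks on a U2F authentication response, including
# the signature counter that exposes a cloned token once both are in use.
import hashlib

# P-256 domain parameters (FIPS 186-4).
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a = p - 3
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def _mul(k, P):
    """Double-and-add scalar multiplication (the operation a token performs
    for each signature; modelled here only to produce and check signatures)."""
    R = None
    while k:
        if k & 1:
            R = _add(R, P)
        P = _add(P, P)
        k >>= 1
    return R


def _hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def ecdsa_sign(d, msg):
    # Nonce derived from key and message so the example is reproducible; this
    # is not RFC 6979 and not how a hardware token generates nonces.
    k = _hash_int(d.to_bytes(32, "big") + msg) % (n - 1) + 1
    r = _mul(k, G)[0] % n
    s = pow(k, -1, n) * (_hash_int(msg) + r * d) % n
    return r, s


def ecdsa_verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    R = _add(_mul(_hash_int(msg) * w % n, G), _mul(r * w % n, Q))
    return R is not None and R[0] % n == r


def u2f_signed_data(app_id, user_presence, counter, challenge):
    """Bytes a U2F token signs in an authentication response:
    SHA-256(app id) || user-presence byte || 4-byte big-endian counter ||
    SHA-256(client data). Client data is reduced to the raw challenge here."""
    return (hashlib.sha256(app_id).digest() + bytes([user_presence])
            + counter.to_bytes(4, "big") + hashlib.sha256(challenge).digest())


class U2FToken:
    """Constructed stand-in for a key, or for a clone holding the same d."""
    def __init__(self, d, counter):
        self.d, self.counter = d, counter

    def authenticate(self, app_id, challenge):
        self.counter += 1
        data = u2f_signed_data(app_id, 1, self.counter, challenge)
        return 1, self.counter, ecdsa_sign(self.d, data)


class RelyingParty:
    """Holds the public key registered for one credential and the last
    counter seen; rejects a response whose counter did not move forward."""
    def __init__(self, app_id, pub):
        self.app_id, self.pub, self.last_counter = app_id, pub, 0

    def verify(self, challenge, user_presence, counter, sig):
        data = u2f_signed_data(self.app_id, user_presence, counter, challenge)
        if not user_presence & 1:
            return "rejected: no user presence"
        if not ecdsa_verify(self.pub, data, sig):
            return "rejected: bad signature"
        if counter <= self.last_counter:
            return "rejected: counter did not increase (possible clone)"
        self.last_counter = counter
        return "ok"


def scenario():
    """Legitimate token signs in, then a clone with the extracted key signs in
    (accepted: the signature is valid), then the legitimate token's next
    sign-in is rejected because its counter is now behind the clone's."""
    d = _hash_int(b"constructed private key") % (n - 1) + 1
    app = b"https://example.test"
    rp = RelyingParty(app, _mul(d, G))
    legit, clone = U2FToken(d, 6), U2FToken(d, 999)
    results = [rp.verify(b"c1", *legit.authenticate(app, b"c1"))]
    results.append(rp.verify(b"c2", *clone.authenticate(app, b"c2")))
    results.append(rp.verify(b"c3", *legit.authenticate(app, b"c3")))
    return results


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

The counter check does not stop the clone's first use, which is the article's point; what it buys is that continued use of the real key surfaces the clone as a rejected login, which a relying party should treat as an alert rather than a retry.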
  3. Why everyone should be using Signal instead of WhatsApp
The Signal protocol underpins WhatsApp's encryption, but Facebook's ubiquitous messaging service doesn't hold a candle to Signal itself
By K.G. ORPHANIDES, Thursday 16 April 2020, WIRED

WhatsApp is the most popular communications app on the planet, with over two billion users using it for messaging. Bought by Facebook in 2014, the service popularised the use of end-to-end encryption in day-to-day communications, introducing it as the default for messaging in 2016. To do so it cooperated with Moxie Marlinspike's Open Whisper Systems to integrate the Signal encrypted messaging protocol. Microsoft and Google have also used the protocol, widely regarded as the gold standard in encrypted communications.

Now Open Whisper Systems exists as Signal Messenger, LLC, and is part of the Signal Foundation. This rebranding has seen the foundation put more effort into its own app. The Signal Foundation's flagship Signal app provides fully fledged and easy-to-use secure communications in its own right. It has direct and group messaging, as well as one-to-one audio and video chat, and there are very good reasons to opt for secure messaging's Cool Original flavour over WhatsApp. In February, the European Commission advised its staff to do exactly that. Here's why you should use Signal for any conversation where privacy matters – even if that's just giving your family the shared Disney+ password – and why your friends should, too.

1. Signal has more up-to-date security features
New security features come to Signal first. For example, Signal has had disappearing messages – which are automatically deleted after a specified period of time – since 2016, but the feature is still being tested with small numbers of WhatsApp users. Other mainstream and beta Signal features that WhatsApp users don't have include view-once media messages, encrypted profiles, an incognito keyboard switch for Android to keep Gboard from sending your typing history back to Google, and backups that don't default to unencrypted storage in Google Drive or Apple iCloud. Signal also has a slightly broader range of clients, with a dedicated client for Linux desktop users – likely to appeal to those in the security and data analysis fields – while WhatsApp directs them to its web app.

2. Signal is open source
All of Signal's source code is published for anyone to examine and use, under a GPLv3 licence for clients and an AGPLv3 licence for the server. This means that you can see what's going on inside it – or, more usefully, rely on the specialist expertise of people who review the code and know exactly what they're looking for.

3. Signal has less potential for hidden vulnerabilities
As a larger platform, WhatsApp is more inviting to malicious actors to start with, but the fact that its codebase is a proprietary closed box means that it may take longer for dangerous vulnerabilities to be detected. Any application can and eventually will suffer vulnerabilities – Signal has resolved a few of its own. But WhatsApp's closed-source code (beyond its use of the open Signal protocol) means that there are a lot of potential targets that remain unknown until they're exploited. A particularly worrying example was a vulnerability in WhatsApp's VoIP stack, used by intelligence agencies to inject spyware in 2019.

4. You can run your own Signal server (but probably shouldn't)
Another advantage of open source software is that you can play with it, if you're that way inclined. You probably won't want or need a Signal server of your own for either personal or business reasons. It's designed as a mass communications platform and isn't really intended to scale down; it's a pain to build, and there are currently no containerised versions for easy deployment. But if you're technically minded, you can learn a lot about how a system functions by building a test instance and poking it with a stick. It's non-trivial, but community guides are available to help users get a Signal server up and running, and some interesting forks exist, including a decentralised messaging system.

5. How much can you trust Facebook?
Perhaps the most compelling reason to use Signal is Facebook's long-standing lack of respect for its users' privacy. Facebook has an appalling history when it comes to data collection and handling, from the Cambridge Analytica affair to its practice of sharing data about users with phone manufacturers. It has already proved that it can't be trusted with WhatsApp user data that should, under EU law, have remained private. In 2017, European regulators took action against Facebook for sharing WhatsApp users' phone numbers with its Facebook social network for advertising purposes. Firmly in breach of data protection regulations, it was an opt-out rather than opt-in system. Facebook had previously claimed such a mechanism would never be implemented.

WhatsApp co-developer Brian Acton, who left Facebook in 2017 and went on to co-found the Signal Foundation with Marlinspike, has harshly criticised Facebook's approach to privacy and revealed that Facebook coached him "to explain that it would be really difficult to merge or blend data between [WhatsApp and Facebook]" when giving information to EU regulators in 2014. Facebook's desire to insert adverts and commercial messaging into WhatsApp, and potentially compromise its security, prompted Acton to leave Facebook early, sacrificing some $850 million in stock in the process. Acton's fellow WhatsApp developer, Jan Koum, also walked out on Facebook following reported disputes with the company over its efforts to weaken encryption.

Mark Zuckerberg has since publicly supported end-to-end encryption, saying it will also be added to its Messenger app. Facebook was until recently still vacillating over plans to introduce adverts to WhatsApp, with the latest reports indicating that the plan has finally been scrapped. It is not clear, though, what will eventually happen to the service when Facebook merges WhatsApp with Instagram messaging and Messenger.

Source: https://www.wired.co.uk/article/signal-vs-whatsapp
    2 points
  4. Honestly, the arguments don't seem very solid to me. Yes, WhatsApp is closed source, but that doesn't necessarily mean it has spyware and logging on absolutely everything. Of course, for privacy concerns at the highest level it makes sense to use Signal, but from the Facebook paper you can tell they are trying to provide the strongest possible security for messages. There is a risk that WhatsApp will be less secure in the future, but for now I don't think there is much evidence of wrongdoing. As for "At no time does the WhatsApp server have access to client's private keys", I assume it was removed because of the Business API. "The WhatsApp server has no access to the client's private keys, though if a business user delegates operation of their Business API client to a vendor, that vendor will have access to their private keys - including if that vendor is Facebook." Stupid. But not necessarily malicious.
    1 point
  5. An audit is underway into the Judiciary's Case Management/Electronic Case Files system.

The United States Judiciary has announced an audit of its systems, following concerns that its case file system has been compromised. In making the announcement, the Judiciary said the Administrative Office of the US Courts was working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary's Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents, particularly sealed filings.

With the investigation ongoing, the Judiciary said federal courts across the country will be adding new security procedures aimed at protecting highly sensitive confidential documents filed with the courts. Moving forward, highly sensitive court documents filed with federal courts will be accepted for filing in paper form or via a "secure electronic device", such as a thumb drive, and stored in a "secure, stand-alone computer system". The documents will not be uploaded to CM/ECF. Filings not considered highly sensitive will continue to be sealed in CM/ECF "as necessary".

The Judiciary said that, following guidance from the Department of Homeland Security, its courts have suspended all national and local use of SolarWinds Orion products. Earlier this week, the US Department of Justice (DOJ) confirmed that the hackers behind the SolarWinds supply chain attack targeted its IT systems, where they escalated access from the trojanized SolarWinds Orion app to move across its internal network and access the email accounts of some of its employees. The number of impacted DOJ employees is currently believed to be around 3,000 to 3,450. The DOJ said it has now blocked the attacker's point of entry.

Four US cybersecurity agencies on Monday released a joint statement formally accusing the Russian government of orchestrating the SolarWinds supply chain attack. US officials said that "an advanced persistent threat actor, likely Russian in origin" was responsible for the SolarWinds hack, which officials described as "an intelligence gathering effort".

Via zdnet.com
    1 point