Everything posted by akkiliON
-
I have emails from Denmark (db), fr, au, it, ca - I want to sell
akkiliON replied to leboncoin's topic in Cosul de gunoi
Off: I also want emails from danarmeca, urukaina. I couldn't help myself :)
-
If you're making a lot of money and you want to keep records of your transactions, then using PayPal's Reporting system you can effectively measure and manage your business. Nir Goldshlager, founder of Breaksec and security researcher, reported critical flaws in the PayPal Reporting system that allowed him to steal private data of any PayPal account.

Exploiting the vulnerabilities he discovered allowed him to access the financial information of any PayPal user, including the victim's shipping address, email addresses, phone number, item name, item amount, full name, transaction ID, invoice ID, transaction subject, account ID, PayPal reference ID, etc.

He found that PayPal is using the Actuate iPortal application (a third-party app) to display customer reports, so Nir downloaded the trial version of this app for testing purposes from its official website. After going deeply through the source code of the trial version, Nir located a file named getfolderitems.do that allowed him to access user data without credentials.

Nir found that the getfolderitems.do file has an ID parameter of 7-8 numeric characters which can be manipulated to get the secret token ID of the user with that ID, e.g. getfolderitems.do?id=392302. URL: https://business.paypal.com/acweb/getfolderitems.do?folder=/users/tokenidofthevictim/ , where tokenidofthevictim is the secret token of the victim.

This flaw, which was exploited for demo purposes only, has now been fixed by PayPal's security team. Hacking PayPal accounts to steal user Private data - TheHackerNews
-
Google will release details of any zero-day flaws it finds in software if the affected vendor fails to issue a patch or disclose the issue itself within a week. Now, Google is shortening that timeline a good bit, to just 7 days. "Based on our experience... we believe that more urgent action within 7 days is appropriate for critical vulnerabilities under active exploitation", wrote Google security engineers Chris Evans and Drew Hintz in a blog post. "The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised."

Right now, companies use either responsible disclosure or full disclosure when dealing with vulnerabilities. Responsible disclosure allows a company as much time as it wants to patch a flaw, and the details surrounding the bug aren't revealed to the public until a patch is issued. Full disclosure, on the other hand, means the company and the public are given information about the flaw at the same time.

Many zero-day vulnerabilities are used against specific groups of individuals in targeted attacks that are often more serious than broader ones, the Google security engineers said. However, Google realizes that seven days is not enough time to patch all vulnerabilities. Even if a company can't address the bug in seven days, the researchers could still publish the details of the software flaw after a week so that the public can protect itself.

Large software vendors like Microsoft, Adobe and Oracle, whose products are a frequent target of zero-day attacks, have experience in dealing with such incidents and have processes in place that allow them to respond in a timely manner most of the time. However, smaller vendors might be less prepared to deal with zero-day vulnerabilities and alert their customers.

Earlier this month, Google security engineer Tavis Ormandy exposed a Microsoft flaw on Full Disclosure. The Microsoft vulnerability, which was in the Windows kernel driver Win32k.sys, was featured on the Full Disclosure mailing list on May 17. Ormandy also insulted Microsoft on Full Disclosure, saying "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)." The same deadline will apply to those bug hunters who discover vulnerabilities in Google products too, they said. Google sets 7 Day deadline for vulnerability disclosure - TheHackerNews
-
When did you show up here?
-
He's no kid. I saw his profile on a social networking site!
-
So I'm done with the people at PayPal. There's no point looking for anything at them.. Screw PayPal.
-
Ok. No problem !
-
So did you get any further reply from them saying they fixed the problem?
-
eBay has lots of XSSes! I found another persistent XSS!
-
Here's the page! Go all the way to the bottom and you'll see a form! Good luck! Report a Security Vulnerability @dirtycash That's not where you're supposed to report vulnerabilities!
-
I'd say install Kali Linux! It's more stable than BackTrack! Now do as you like! My opinion
-
I don't really think the HttpOnly parameter T= can be stolen
-
epic comment )
-
[XSS]+[Sqli] se.gob.hn Secretaria de Educacion
akkiliON replied to Destroyer.'s topic in Cosul de gunoi
Since you found the SQLi anyway, post the syntax too ... at least pull the version or something (not necessarily the admin username and password)! You put a ' and that's it! You did a good job!
-
There's no XSS. I don't know what you're seeing there!
-
Full Path Disclosure Tutorial (+Noob Friendly)
akkiliON replied to wewe's topic in Tutoriale in engleza
Seriously? Sure, this tutorial was written by them!
-
Good thing I didn't have money with these guys :)
-
A Romanian man serving a five-year jail sentence in Romania for his involvement in an ATM skimming scheme has developed a device designed to protect ATMs from such attacks. 33-year-old Valentin Boanta, who is being detained in a prison in Vaslui, Romania, after he was convicted on charges of bank card fraud in 2009, developed what he calls the SRS (Secure Revolving System), which changes the way ATM machines read bank cards to prevent the operation of skimming devices that criminals hide inside ATMs.

"When I got caught I became happy. This liberation opened the way to working for the good side," Boanta said. "Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction," Boanta said.

ATM skimmers work by installing a second, concealed card reader over the one that's built into the ATM. When an unsuspecting bank customer inserts a card into the slot, the card's magnetic stripe first runs past the read head of the skimmer, allowing it to copy all of the card's data. The transaction then proceeds as normal and the ATM returns the card to the customer, who is none the wiser.

"I've seen many different ATMs, they have ageing designs so they are prone to vulnerability, they are a very weak side of the banking industry," said Boanta in a workshop. "Every ATM can be penetrated through a skimming crime. My security solution, SRS, makes an ATM unbreachable."

Romania has a deep well of technical expertise stemming from the time of communist dictator Nicolae Ceausescu, who backed computer research and technical education. Romanian hackers stole about $1 billion from U.S. accounts in 2012, according to the U.S. embassy in Bucharest. Hacker jailed for ATM skimming invented ATM security scheme - TheHackerNews
-
A website that can be described as "DDoS for hire" is perfectly legitimate, according to its owner. Malicious sites that offer attack services are nothing new on the Internet, but websites sponsored by law enforcement are another story altogether. Ragebooter is one of many sites that accept payment through PayPal in order to flood sites with junk traffic, overloading servers and denying others access. The service uses a technique called DNS reflection to flood a website and amplify the amount of traffic directed at an address. Investigation shows the site operator is a man named Justin Folland located in Memphis, Tennessee.

"Since it is a public service on a public connection to other public servers this is not illegal. Nor is spoofing the sender address. If the root user of the server does not want that used they can simply disable recursive DNS. My service is a legal testing service. How individuals use it is at their own risk and responsibilities. I do not advertise this service anywhere nor do I entice or encourage illegal usage of the product. How the user uses it is at their own risk. I provide logs to any legal law enforcement and keep logs for up to 7 days."

He claimed that his service was not used to attack people, but only for legitimate stress-testing; then he changed his story and said he was only managing the service for someone else. It is not clear whether he is someone who works with the FBI, but what is certain is that the service is alive and kicking. An FBI spokesman would neither confirm nor deny the claim. FBI sponsored Ragebooter DDoS attack service - TheHackerNews