
akkiliON

Active Members
  • Posts: 1204
  • Joined
  • Last visited
  • Days Won: 62

Everything posted by akkiliON

  1. Wildchild

    Happy birthday!
  2. 23-01-2012 :/
  3. Congratulations. youtube.com is in the programme too: https://www.google.com/about/appsecurity/reward-program/
  4. It's not every day you find a CSRF-RCE, where sending an admin to a malicious webpage gives you a shell on their server, but that's what I discovered while exploring the security of the Oculus developer portal. But I'm getting ahead of myself.

    Oculus, known best for their Oculus Rift virtual reality headset, was founded in 2012 and quickly grew, raising over $2 million through Kickstarter for their first VR development kit, the DK1. Development continued towards the DK2, and in March 2014 Facebook announced that they would acquire Oculus VR for $2 billion, placing the Oculus websites in scope of the Facebook whitehat bug bounty programme in August 2014. That's when I decided to take a look.

    It started with a BSQLi

    There are many places to try to inject SQL during a pentest: parameters, cookies, headers, etc. The latter, header injection, doesn't often pay off, but in this case the Oculus developers had decided that somewhere down the line in certain scripts they'd insert the X-Forwarded-For header into the database. Without proper escaping. A little single-quote magic and we're in.

    With a little help from sqlmap, I enumerated the structure of the Oculus database and noticed something rather interesting. While Oculus passwords are stored in some bizarre multi-hashed format making cracking a tough route to go down, user session information is stored unprotected in a table in the database. Opening up sqlmap again, I built an SQL query to extract the freshest session token for the admin user and plugged it in. Bingo.

    How could I resist

    Having got this far it was hard to turn back and I decided to push on. The Oculus admin user has access to a special admin panel containing all sorts of goodies. I could edit users and projects, add news articles, edit the dashboard, upload SDK files, all sorts. I was about to try uploading a PHP shell when something else caught my eye.

    In PHP, the eval() function is a dangerous thing. It allows you to directly execute a string as PHP code, which in turn lets you do fun things like execute system() commands, so I was surprised to find it used freely in the admin portal. I'll let the screenshot speak for itself, but suffice it to say I now had a shell on the Oculus development centre server. I was even more surprised to find that the AJAX eval() preview script called from the Oculus database management tab wasn't protected by a CSRF token, allowing anybody to force an admin user to call the script. For example, a malicious attacker could embed an image on a forum pointing to the script. When the admin loaded the page, the image would load and trigger execution of the attacker's commands on the server. Ouch.

    You and I were inseparable

    I enjoyed finding the first exploit and Facebook's quick and friendly responses, so I thought I'd keep looking. I subsequently found another couple of blind SQL injection vulnerabilities, an XSS in an old script, and a logic issue which allowed me to reset the admin password and regain access to the admin panel. The logic problem - an insecure direct object reference - was probably the most fun vulnerability. In the Oculus developer portal, any user who is a company admin can manage other users working for the same company. With a little playing around I discovered that the username passed to the management script didn't have to belong to the current company, allowing me to move the admin user into my company and manage the account. I reset the password and logged in.

    All said and done, I gained access to personal information belonging to a couple of hundred thousand Oculus Rift developers (including myself!) and could plant malicious code on the server and in Rift SDK releases to be downloaded and installed on individual developers' machines. For the first vulnerability and privilege escalation attack the Facebook security team awarded $15,000; for subsequent SQLis and the admin account takeover vulnerability they awarded $5,000 each. All in all, it's been a pretty productive week.

    Source: https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal
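The two server-side mistakes the write-up above turns on are a client-supplied header concatenated into SQL and a state-changing admin endpoint with no CSRF token (and built on eval()). The following is an added example, not code from the Oculus portal or from the quoted post: it shows the hardened shape of both, with the header bound as a prepared-statement parameter and the admin preview running only a fixed, server-side whitelist of reports behind a per-session token. The table and column names, the `csrf_token` session key and the `report` parameter are assumptions; it also assumes an authentication check for the admin has already run before this script.

```php
<?php
// Added example (hypothetical code, not the Oculus portal's): prepared
// statement for a client-controlled header plus a CSRF-protected, eval()-free
// admin preview endpoint. Table/column names and session keys are assumptions.
declare(strict_types=1);

session_start();
// Assumed: an earlier include has already verified the admin's login session.

// --- 1. Store X-Forwarded-For with a prepared statement ---------------------
// The header is attacker-controlled like any other request input. Binding it
// as a parameter makes a quote character data, never SQL.
function logRequest(PDO $db, string $path): void
{
    $xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
    // Defence in depth: keep only a syntactically valid IP, otherwise store NULL.
    $first = trim(explode(',', $xff)[0]);
    $ip = filter_var($first, FILTER_VALIDATE_IP) !== false ? $first : null;

    $stmt = $db->prepare(
        'INSERT INTO request_log (path, forwarded_for, created_at) VALUES (:path, :xff, NOW())'
    );
    $stmt->execute([':path' => $path, ':xff' => $ip]);
}

// --- 2. Per-session CSRF token -------------------------------------------
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function requireValidCsrf(): void
{
    $sent = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() avoids a timing side channel on the comparison.
    if ($expected === '' || !hash_equals($expected, (string) $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// --- 3. The admin "preview" endpoint ---------------------------------------
// POST only (an <img> tag can only issue GET), token required, and no eval():
// the client picks a report *name*; the SQL itself never leaves the server.
$reports = [
    'users_today' => 'SELECT COUNT(*) AS n FROM users WHERE created_at >= CURDATE()',
    'projects'    => 'SELECT COUNT(*) AS n FROM projects',
];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    requireValidCsrf();
    $db = new PDO('mysql:host=localhost;dbname=portal', 'portal', getenv('DB_PASS') ?: '');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $name = (string) ($_POST['report'] ?? '');
    if (!isset($reports[$name])) {
        http_response_code(400);
        exit('unknown report');
    }
    logRequest($db, '/admin/preview');
    $row = $db->query($reports[$name])->fetch(PDO::FETCH_ASSOC);
    header('Content-Type: application/json');
    echo json_encode(['report' => $name, 'result' => $row]);
    exit;
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES) ?>">
  <select name="report"><option>users_today</option><option>projects</option></select>
  <button>Preview</button>
</form>
```

The token only helps because an attacker's page cannot read it: it lives in the victim's session and is echoed into the form the admin actually loads from the portal, so a forged request from another origin arrives without it and is rejected before any query runs.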
  5. Security Incident Response Team - Tapatalk
  6. Scammers have again targeted more than one billion active users of the popular social networking giant Facebook, to infect as many victims as possible. Not by serving fake posts, nor by providing malicious video links; instead this time scammers have used a new way of tricking Facebook users into injecting or placing malicious JavaScript or client-side code into their web browsers. This malicious code could allow an attacker to gain access to victims' accounts, thereby using them for fraud, to send spam, and promoting further attacks by posting the scam on the timeline to victims' friends. This technique is known as Self Cross-site Scripting or Self XSS.

    Self-XSS (Self Cross-Site Scripting) scam is a combination of social engineering and a browser vulnerability, basically designed to trick Facebook users into providing access to their account. Once an attacker or scammer gets access to a user's Facebook account, they can even post and comment on things on the user's behalf.

    In order to infect a Facebook user, the cyber crooks send a phishing message via an email or a Facebook post from one of the friends in the list of the targeted victim claiming, in this case, a way to hack any Facebook user by following some simple steps. The posted scam looks as follows:

    Hack any Facebook account following these steps:
    1. Go to the victim's profile
    2. Right click, then click on inspect element and click the "Console" tab.
    3. Paste the code into the box at the bottom and press Enter.
    The code is in the web site: http://textuploader .com****/
    Good luck: * Don't hurt anybody... [*]

    Once you self-inject this malicious script into your account, it will give away access to your whole account to someone who could do a variety of malicious activities, basically spreading all sorts of malicious campaigns. The hackers can also infect the victim's computer with malware that can collect banking details and send them to a remote location controlled by them.

    Spotting these scams and reporting them is the best way to protect yourself, but if you fall victim to one of these attacks, don't panic! Follow the link to learn more about protecting your Facebook account. Facebook is also working with various browser vendors to add protection in the browser in an effort to prevent this vector from being exploited.

    Source: Facebook Self-XSS Scam Fools Users into Hacking Themselves

    Me when I saw this: http://media-cache-ec0.pinimg.com/736x/a9/75/fd/a975fd06905ccf698c5bc7e8db7ff8f6.jpg
  7. I recommend @Gecko! In case you're still interested. Home | Gecko's portfolio
  8. Volkswagen Jetta - 2011. You might be interested in this model. Gebrauchtwagen: Volkswagen, Jetta, 1.2 TSI Comfortline, Benzin, € 10.000,- AutoScout24 Detailansicht. About the Logan, I'd rather not say anything.
  9. If it's the one from "send sms message", it's old. You won't get anything. I reported it and they marked it as a duplicate.
  10. Florin, we got rid of that.
  11. I PASSED THE BACCALAUREATE!
  12. Were you the only one who had problems with your PayPal account? I had problems too, and in the end I had to make another account. I know there are a lot of users who have problems with PayPal and I know it's nothing new ... as you say. I posted it for the newer users who use PayPal ... so they can see how things stand too.
  13. ProtonMail, an End-to-End Encrypted email service developed by MIT, Harvard and CERN researchers, had already received over $275,000 from a crowdfunding campaign into their PayPal account and was excited to launch its beta version, but just before that PayPal froze their account without any warning.

    "At this time, it is not possible for ProtonMail to receive or send funds through PayPal," ProtonMail co-founder Andy Yen announced this morning. "No attempt was made by PayPal to contact us before freezing our account, and no notice was given."

    ProtonMail is a new super-secure email service that encrypts the data in the browser before it communicates with the server; this means only encrypted data is stored on the email service's servers.

    GO HOME PAYPAL, YOU ARE DRUNK

    The ProtonMail service is based in Switzerland, so it won't have to comply with American courts' demands to provide user data. But a representative from the American payment service, PayPal, told the company that the payment service is not at all sure whether ProtonMail is legal or not and asked them for the necessary government approvals to encrypt emails, ProtonMail said in a blog post. No doubt, it is completely legal to encrypt emails and as far as I know, no such government approval is required.

    NEW PAYPAL POLICIES FOR CROWDFUNDED PROJECTS

    A few months back PayPal updated its policies for Crowdfunded Projects [page deleted by PayPal] that use PayPal as a payment option on crowdfunding platforms like Indiegogo and Kickstarter. According to the new policies, PayPal may ask fundraisers to provide supporting documentation to confirm their identity and/or business or to confirm how the money from the campaign will be used. Individuals or organizations have to submit the following information to PayPal:
    • Full legal name and date of birth
    • Address and government-issued photo identification
    • Tax Identification number or Social Security number
    • Website address associated with your campaign
    • Proof of tax-exempt status if you're a nonprofit
    • Your business plan and mission statement
    • Names of your business owners and executives
    • Marketing strategy and vendor, supplier, manufacturer, or distributor information

    PayPal doesn't want to deal with upset customers in case a campaign turns out to be a scam or if it fails to develop a final product, because many crowdfunding websites allow owners to pull funds before they reach their final goal.

    PROTONMAIL vs NSA SURVEILLANCE

    ProtonMail was supposed to be an easy end-to-end email encryption tool that will hopefully put an end to Internet surveillance around the world. ProtonMail will implement AES, RSA and OpenPGP encryption and moreover, there is even a "self-destruct" feature in the email service which ensures your emails are only available for a limited period of time. ProtonMail is still crowdfunding, but it's only taking credit card and Bitcoin payments and it has gained over US$10,000 in Bitcoin donations alone.

    Source: PayPal Freezes $275,000 Campaign Funds of Secure-Email Startup 'ProtonMail' - The Hacker News
  14. AT&T has confirmed a security data breach in which attackers have compromised the security of a number of its mobile customers and stolen personal information including Social Security numbers and call records.

    Back in April this year, AT&T suffered a data breach in which some of its customer information, including birth dates and Social Security numbers, had been inappropriately accessed by three employees of one of its third-party vendors, in order to generate codes that could be used to unlock devices. Moreover, the hackers would have also been able to access its users' credit reports with Customer Proprietary Network Information (CPNI) during the process without proper authorization, which means the information related to what subscribers purchase from AT&T would also have been compromised.

    The Dallas-based telecommunications giant did not specify the number of customers or the type of information affected by this data breach, but state law requires such disclosures if an incident affects at least 500 customers in California. Nor did it reveal why it took so long to confirm the breach.

    AT&T sent a letter to the California Attorney General explaining the recent data security breach to its mobile customers, and said that the third-party contractor's employees who were responsible for the breach were terminated and will no longer work for the company.

    Many mobile phones are provided by carriers with a software lock that prevents the devices from being used on competitors' networks. AT&T typically allows its users to request an "unlock code" that unlocks their devices from its network, and to do this the customers have to provide their own account information to verify their identities.

    According to the company, it discovered the data breach on 19 May, and it believes the alleged employees were trying to obtain the unlock codes of the devices so that they could move devices from AT&T's network to other cellphone networks around the world for second-hand market resale. AT&T has reported the data breach to United States law enforcement and announced that it would offer one year of free credit monitoring service for affected users.

    Source: http://thehackernews.com/2014/06/at-suffers-data-breach-customers.html
  15. The doubling of speeds for the Fiberlink 50 and Fiberlink 100 subscriptions, to 100 Mbps and 200 Mbps, has just been announced, on condition of extending the contract by 12 months. Moreover, the current 500 and 1000 subscriptions have become a little cheaper. More precisely, the 500 Mbps one now costs 45 RON/month (down from 49 RON) and the 1000 Mbps one costs 45 RON/month if you also have a TV and telephony (mobile or landline) subscription. It remains to be seen whether the news also brings with it the need to change the connection type, from UTP to FTTH (Fiber To The Home), as happens if you want an FB 500 or FB 1000 subscription. I asked RDS this question and am waiting for an answer. Source: RDS-RCS dubleaza abonamentele Fiberlink 50 & 100 | Arena IT
  16. I wrote above that I didn't qualify. b3hr0uz was rewarded for 2 serious vulnerabilities he found in yahoo.net. He's not the only one who was rewarded. I just gave an example. https://hackerone.com/reports/2127 - HK.Yahoo.Net Remote Command Execution. https://hackerone.com/reports/3039 - SQL Injection ON HK.Promotion. That's it. What do you say about this? https://hackerone.com/reports/4836
  17. Hello everyone, it's been a while since I last did a show-off. On 05.09.2014 (27 days) I found a vulnerability in https://tw.admin.gamedb.games.yahoo.net ! More precisely, I found a SQL Injection in the admin login panel and in the end I managed to bypass it! That's how I got access to the site and could modify/upload whatever I wanted. Unfortunately the vulnerability I reported was not eligible for a reward. Proof: P.S: It seems I've been added to Yahoo's Top Hackers list. [ https://hackerone.com/yahoo ] Thank you for your time.
  18. New challenge: JavaScript code challenge – Hola
  19. Multiple serious vulnerabilities have been discovered in the most famous 'All In One SEO Pack' plugin for WordPress, putting millions of WordPress websites at risk. WordPress is easy to set up and use, and that's why a large number of people like it. But if you or your company is using the 'All in One SEO Pack' WordPress plugin to optimize the website's ranking in search engines, then you should update your SEO plugin immediately to the latest version, All in One SEO Pack 2.1.6.

    Today, the All in One SEO Pack plugin team released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware clean-up service. More than 73 million websites on the Internet run on the WordPress publishing platform and more than 15 million websites are currently using the All in One SEO Pack plugin for search engine optimization.

    According to Sucuri, the reported privilege escalation vulnerabilities allow an attacker to add and modify the WordPress website's meta information, which could harm its search engine ranking. "In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post's SEO title, description and keyword meta tags," Sucuri said.

    Also, the reported cross-site scripting vulnerability can be exploited by malicious hackers to execute malicious JavaScript code on an administrator's control panel. "This means that an attacker could potentially inject any JavaScript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more 'evil' activities later."

    Vulnerabilities in WordPress plugins are the root cause of the majority of WordPress exploitation and one of the main tools in the web hackers' arsenal. Plugin vulnerabilities could be exploited to access sensitive information, deface websites, redirect visitors to a malicious site, or to perform DDoS attacks. Till now, we haven't seen any web attacks conducted by exploiting these vulnerabilities in the wild, but WordPress website owners are recommended to update their All in One SEO Pack WordPress plugin to the latest version immediately.

    Source: http://thehackernews.com/2014/05/vulnerabilities-in-all-in-one-seo-pack.html
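The privilege escalation described in the article is the classic WordPress plugin mistake of treating "logged in" as "authorized", and the XSS is stored meta echoed into the admin screen without escaping. As an added example, hypothetical plugin code that is not the All in One SEO Pack source, here is a meta-update AJAX handler that checks a nonce, checks the `edit_post` capability for the specific post, sanitizes on input and escapes on output. The action name `demo_seo_save`, the nonce action and the meta key `_demo_seo_title` are assumptions; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `update_post_meta`, `wp_send_json_error`, `esc_attr`) are real core APIs.

```php
<?php
// Added example (hypothetical plugin code, not All in One SEO Pack's):
// an AJAX handler that refuses meta changes from users who may not edit the
// post, and escapes the stored value on output. Names are assumptions.

add_action('wp_ajax_demo_seo_save', 'demo_seo_save_handler');

function demo_seo_save_handler(): void
{
    // 1. CSRF: the request must carry a nonce bound to this action and this user.
    //    Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer('demo_seo_save', 'nonce');

    $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
    if ($post_id === 0 || get_post($post_id) === null) {
        wp_send_json_error(['message' => 'unknown post'], 400);
    }

    // 2. Authorization: a subscriber is logged in too. Only users allowed to
    //    edit *this* post may change its SEO meta; the check is per post, so an
    //    author cannot rewrite another author's titles either.
    if (!current_user_can('edit_post', $post_id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 3. Input sanitization: strip tags/control characters, bound the length.
    $title = sanitize_text_field(wp_unslash($_POST['seo_title'] ?? ''));
    if (mb_strlen($title) > 70) {
        wp_send_json_error(['message' => 'title too long'], 400);
    }

    // Leading underscore marks the key as protected, so it is not exposed in
    // the generic Custom Fields box.
    update_post_meta($post_id, '_demo_seo_title', $title);
    wp_send_json_success(['post_id' => $post_id, 'seo_title' => $title]);
}

// 4. Output escaping: whatever is stored, it is escaped for an attribute
//    context when rendered, so a script payload in the meta stays inert in
//    both the admin screen and the public <head>.
function demo_seo_render_title(int $post_id): string
{
    $title = (string) get_post_meta($post_id, '_demo_seo_title', true);
    return $title === '' ? '' : '<meta name="title" content="' . esc_attr($title) . '">' . "\n";
}

add_action('wp_head', function (): void {
    if (is_singular()) {
        echo demo_seo_render_title(get_queried_object_id());
    }
});
```

The nonce alone would not have stopped the reported bug: a subscriber can obtain a valid nonce for their own session, so the capability check against the specific post is the control that actually closes the escalation.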
  20. OFF: In case you don't know, Coinbase has a Bug Bounty program. It might interest you. Link: https://hackerone.com/coinbase
  21. Seems legit.
  22. It's more than a month since we all were warned of the critical OpenSSL Heartbleed vulnerability, but that doesn't mean it disappeared. The critical bug compromised many popular websites and after being discovered the problem was solved. But is that so? No, not at all!

    A recent finding from security researcher Robert David Graham claims that more than 300,000 servers apparently remain vulnerable to the most critical OpenSSL bug, Heartbleed, which is admittedly down in numbers from the previous scan, which found over 600,000 systems a month ago. Graham announced on the Errata Security blog that he arrived at the number through a recently done global internet scan (or at least the important bits: port 443 of IPv4 addresses), which reveals that exactly 318,239 systems are still vulnerable to the OpenSSL Heartbleed bug and over 1.5 million servers still support the vulnerable "heartbeat" feature of OpenSSL that allowed the critical bug.

    "The numbers are a little strange. Last month, I found 28-million systems supporting SSL, but this month I found only 22-million. I suspect the reason is that this time, people detected my Heartbleed "attacks" and automatically firewalled me before the scan completed. Or, another problem is that I may have more traffic congestion at my ISP, which would reduce numbers. (I really need to do a better job detecting that)," Graham wrote in the blog.

    Heartbleed is a critical bug in the popular OpenSSL cryptographic software library that resides in OpenSSL's implementation of the TLS (transport layer security protocols) and DTLS (Datagram TLS) heartbeat extension (RFC6520). The count may be even larger, as the numbers mentioned are only the confirmed cases. Graham may have missed other systems either because of spam blocking or unorthodox OpenSSL setups. But it's really shocking that after the availability of Heartbleed fixes, this number has come up.

    "Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL," he wrote.

    Now that the bug has been openly revealed and is known to everybody, anyone can simply use it to carry out attacks against the still affected systems, and 300,000 is really a troubling number. One can imagine the danger and damage caused by the bug if exploited. Heartbleed is the encryption flaw that left a large number of cryptographic keys and private data such as usernames, passwords, and credit card numbers from the most important sites and services on the Internet open to hackers, forcing some security researchers to warn internet users against using even their everyday sites for the next few days until the problem was fully solved.

    A large majority of services, including many popular and major services, patched their servers almost immediately, but this new global internet scan suggests that cyber criminals could still do plenty of damage against the less popular and less technically proficient services as well. Once attackers identify a vulnerable server, they could exploit the Heartbleed vulnerability to steal sensitive data and private keys, eavesdrop on passwords in transit, or hijack a session entirely. Software vulnerabilities may come and go, but this bug is more critical and probably the biggest Internet vulnerability in recent history, as it left the contents of a server's memory, where the most sensitive data is stored, exposed to cyber attackers.

    This new scan was done only on port 443, and Graham said that he will try to scan other well-known SSL ports, like SMTP, and will post the results. Stay tuned!

    Source: 300,000 Servers Still Vulnerable to Heartbleed Vulnerability After One Month - TheHackernews