
kandykidd

Active Members
  • Content Count: 253
  • Joined
  • Last visited
  • Days Won: 7

kandykidd last won the day on January 10

kandykidd had the most liked content!

Community Reputation: 131 Excellent

About kandykidd
  • Rank: Registered user
  • Location: kazakhstan


  1. When hunting for security issues, the pursuit for uncharted assets and obscure endpoints often ends up taking the focus away from obvious, but still critical, functionality. If you approach a target like you are the first person to ever perform a security assessment on it, and check everything thoroughly, I believe you are bound to find something new — especially if the code you are testing has been in continuous development for a while. This is the story of a high-severity bug affecting what is probably one of PayPal’s most visited pages: the login form.

Initial discovery

While exploring PayPal’s main authentication flow, I noticed a javascript file containing what appeared to be a CSRF token and a session ID:

This immediately drew my attention, because providing any kind of session data inside a valid javascript file usually allows it to be retrieved by attackers. In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file.

Sure enough, a quick test confirmed the XSSI vulnerability and, although a javascript obfuscator was used to randomize variable names on each request, the interesting tokens were still placed in fairly predictable locations, making it possible to retrieve them with just a bit of extra work.

However, a secret is only as good as the damage you can do with it. I immediately set out to find out what exactly _csrf and _sessionID were and if they could actually be used in a real attack.

Digging further

After countless attempts to replace regular CSRF tokens inside authenticated requests on PayPal’s platform with the value of _csrf, I came to the conclusion that a classic cross-site request forgery attack was not possible using this specific token. Similarly, a victim’s _sessionID was unfortunately not enough to impersonate them on PayPal’s site.

Next, I went back to the vulnerable script and followed the tokens to find what they were actually used for. This led to a deep dive into one of PayPal’s main protection mechanisms used to prevent brute force attacks, the security challenge. While this functionality is used in many places, I will be focusing on the main login form.

The idea is pretty simple: After a few failed login attempts, you are required to solve a reCAPTCHA challenge before you can try again. The implementation, however, may raise some eyebrows.

Upon detecting a possible brute-force attempt, the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validatecaptcha is initiated. The familiar _csrf and _sessionID are present in the request body, as well as two other values, which we will get to a bit later.

The response to the captcha validation request is meant to re-introduce the user into the authentication flow. To this end, it contains a self-submitting form with all the data provided in the user’s latest login request, including their email and plain text password.

I realized that, with the correct timing and some user interaction, knowing all the tokens used in this request was enough to get the victim’s PayPal credentials. In a real-life attack scenario, the only user interaction needed would have been a single visit to an attacker-controlled web page.

So I went back and tried to figure out what the missing parameters were. This was easier than expected:

  • The value of jse was not validated at all.
  • recaptcha was the token provided by Google upon solving a reCAPTCHA challenge. It was not tied to a specific session, so any valid token — for example, from an automated solving service — would be accepted.

Exploitation

Putting all this together, I created a proof of concept that demonstrated the whole process, except for integrating a captcha solving service.

First, the proof of concept would exploit the initial XSSI vulnerability to get a set of tokens which were valid in the victim’s session. It would then launch a few authentication requests with random credentials from the victim’s browser, simulating a brute force attempt, which would trigger the security challenge flow. Once the victim logged in to PayPal using the same browser, the cached random credentials would be replaced by the user’s own email and password. The last step was obtaining a fresh reCAPTCHA token, after which the plain text credentials would be retrieved from the /auth/validatecaptcha endpoint and displayed on the page.

The final page shown by my proof of concept code contained your email and password

I later found that the same vulnerable process was also used on some unauthenticated checkout pages, allowing plain text credit card data to be leaked using the same technique.

Disclosure

The proof of concept, along with all relevant information, was submitted to PayPal’s bug bounty program on the 18th of November 2019, and was validated by HackerOne 18 days later. Following a quick acknowledgement by the PayPal team and a few additional questions, I was awarded a $15,300 bounty on the 10th of December. The reward amount corresponds with the bug’s 8.0 (High) CVSS score, which is the same score that I had initially suggested when submitting the report. A patch was applied around 24 hours later, meaning that the bug was fixed only five days after PayPal became aware of it — quite an impressive turnaround time.

Fix and prevention advice

The /auth/validatecaptcha endpoint now requires an additional CSRF token, which cannot be leaked using cross-site script inclusion. While this properly fixes the vulnerability, I believe that the whole thing could have been prevented when designing the system by following one of the oldest and most important pieces of infosec advice: Never store passwords in plain text.

By the way, I am looking to do security assessments and bug bounty program management work. I have experience in security testing, vulnerability triage, as well as a background in software development. Does this sound of interest to you? You can get in touch via alex@ethicalhack.ro.

Source https://medium.com/@alex.birsan/the-bug-that-exposed-your-paypal-password-539fc2896da9
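Added defender-side example, not code from the post above or from PayPal: a small Python check that looks at captured HTTP responses for the pattern the write-up describes, a response served as JavaScript (so any page can load it with a script tag), personalised per session, and carrying token-like values. Every URL, header and token value in it is constructed, and the key names it matches on (_csrf and _sessionID from the post, plus a few generic guesses) are an assumption you would extend for your own application.

```python
"""XSSI exposure check over captured HTTP responses.

Added defender-side example; not code from the original post or from PayPal.
It flags a response that is served as JavaScript (loadable cross-origin via
<script src>), is personalised per session, and embeds token-like values.
Every URL, header and token below is constructed for this example.
"""
import re
from dataclasses import dataclass

# MIME types a browser executes when a page includes them with <script src=...>.
SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}

# Key names treated as secrets. _csrf and _sessionID are the names from the
# write-up; the others are generic guesses (assumption, extend for your own app).
SECRET_RE = re.compile(
    r"""["']?(?P<key>_?csrf(?:token)?|_?sessionid|access_token|auth_token)["']?"""
    r"""\s*[:=]\s*["'](?P<value>[A-Za-z0-9._=-]{8,})["']""",
    re.IGNORECASE,
)


@dataclass
class Response:
    """One captured HTTP response (constructed sample data)."""
    url: str
    headers: dict
    body: str

    def header(self, name: str) -> str:
        # Case-insensitive header lookup; "" when the header is absent.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def is_script(resp: Response) -> bool:
    mime = resp.header("Content-Type").split(";")[0].strip().lower()
    return mime in SCRIPT_TYPES


def is_personalised(resp: Response) -> bool:
    """True when the response looks session-specific rather than static."""
    cc = resp.header("Cache-Control").lower()
    vary = resp.header("Vary").lower()
    return "private" in cc or "no-store" in cc or "cookie" in vary or bool(resp.header("Set-Cookie"))


def corp_blocks_cross_origin(resp: Response) -> bool:
    """Cross-Origin-Resource-Policy: same-origin/same-site stops cross-site <script> loads."""
    return resp.header("Cross-Origin-Resource-Policy").strip().lower() in {"same-origin", "same-site"}


def find_secrets(body: str) -> list:
    """Names of secret-looking keys assigned a string literal in the script body."""
    return [m.group("key") for m in SECRET_RE.finditer(body)]


def assess(resp: Response):
    """Return a finding dict for an XSSI-exposed script, or None if nothing to report."""
    if not is_script(resp):
        return None
    secrets = find_secrets(resp.body)
    if not secrets:
        return None
    if corp_blocks_cross_origin(resp):
        severity = "low"      # still a bad place for secrets, but not loadable cross-site
    elif is_personalised(resp):
        severity = "high"     # per-session secret, readable by any page that includes it
    else:
        severity = "medium"   # static secret: identical for everyone, no session to steal
    return {"url": resp.url, "severity": severity, "secrets": secrets}


# Constructed sample traffic: the token values are made up for this example.
LEAKY_BODY = (
    'var k2x = function(){};\n'
    'window._csrf = "q7Zp3LkT9wXc2VbN";\n'
    'window._sessionID = "s3ss10nIdV4lu3Abc";\n'
)

SAMPLES = [
    Response("https://shop.example.test/auth/bundle.js",
             {"Content-Type": "application/javascript; charset=utf-8",
              "Cache-Control": "private, no-store", "Vary": "Cookie"},
             LEAKY_BODY),
    Response("https://shop.example.test/static/vendor.js",
             {"Content-Type": "text/javascript", "Cache-Control": "public, max-age=31536000"},
             "function add(a, b) { return a + b; }\n"),
    Response("https://shop.example.test/auth/bundle-corp.js",
             {"Content-Type": "application/javascript", "Cache-Control": "private",
              "Cross-Origin-Resource-Policy": "same-origin"},
             LEAKY_BODY),
]


def run(samples=SAMPLES) -> list:
    """Assess every sample and keep only the responses that produced a finding."""
    return [f for f in (assess(r) for r in samples) if f]


if __name__ == "__main__":
    for f in run():
        print(f"{f['severity'].upper():6} {f['url']} embeds {', '.join(f['secrets'])}")
```

The check is a heuristic: it keys on variable names, so a script whose identifiers are randomised on every request (as the post describes) would need a second pass that looks for long random-looking string literals in any personalised script. The durable fix is the one the post's conclusion implies: session and CSRF tokens belong in the HTML document or in a JSON endpoint that is not valid JavaScript, never in a script body, and serving scripts with Cross-Origin-Resource-Policy: same-origin removes the cross-site load path altogether.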
  2. https://www.cnet.com/news/nordvpn-user-accounts-were-compromised-and-passwords-exposed-report-says/ I think they still work
  3. I didn't look into where they are from; for what I use it for, it doesn't really matter.
  4. Honestly, the "prime" version works quite well. Considering that I don't connect from the same country, it seems quite OK to me. Same country as connection
  5. WindScribe is definitely one of the most popular VPN services among users worldwide (check in-depth review -> Google Trends). The company is famous for its fully functional FREE version with 10 GB data, dedicated servers for streaming, unlimited bandwidth and unique technology called R.O.B.E.R.T. (“Remote Omnidirectional Badware Eliminating Robotic Tool”) which helps to block Ads, trackers and malware. With strong AES-256 encryption the company doesn’t have a huge pool of servers but spreads them over 55 countries and 100 cities. Another innovative thing about WindScribe is the ability to build your own subscription plan, so the price can start from $1/month. So any additional location will cost you $1/month and add 10 GB on top of your allowed monthly bandwidth. Also you can select “unlimited bandwidth + R.O.B.E.R.T.” for an additional $1/month. The company also runs promotions, special offers and deals from time to time so you can save some extra. A good time to find an exclusive WindScribe coupon or promo code is Black Friday, New Year, Halloween, etc. So don’t miss a chance to save big on a top rated VPN service. "HOWTO" WindScribe - build a custom plan with the "Build a Plan" option and save up to 90% off the original price
  6. Two Romanian hackers namely Bogdan Nicolescu and Rady Miclaus will be spending 20 and 18 years respectively in prison for infecting 400,000 computers with cryptominers and stealing sensitive financial and credential data. The duo is said to have stolen millions of dollars from countless unsuspecting users. Both the accused are members of the infamous Romanian hacking group called Bayrob. Nicolescu was the group leader whereas Miclaus served as the co-conspirator. The third accused, Tiberiu Danet, is also a member of the same group. In November 2018, Danet pleaded guilty to eight of the charges and will be sentenced on January 8, 2020. See: Dutch Police Nabs Romanian Gang for Stealing $590K worth of iPhones According to the official press release, the duo was found guilty of 21 counts of money laundering, wire fraud, identity theft, and malware development for mining bitcoin and monero cryptocurrencies through utilizing host computers’ resources apart from other crimes. “These sentences handed down today reflect the dynamic landscape in which international criminals utilize sophisticated cyber methods to take advantage of and defraud, unsuspecting victims anywhere in the world,” said FBI Special Agent in Charge Eric Smith. “Despite the complexity and global character of these investigations, this investigation and prosecution demonstrate the commitment by the FBI and our partners to aggressively pursue these individuals and bring justice to the victims.” The Bayrob Group was founded in 2007 and operated actively until the apprehension and extradition of its key members, including the group leader Nicolescu, in 2016. This group operated from the outskirts of Bucharest and carried out different hacking and malware campaigns including spam emails loaded with dangerous Trojans sent as harmless messages from renowned firms and enterprises. The emails mostly contained attachments hiding the Bayrob botnet, and were sent from the IRS, Norton, and Western Union. 
As soon as the user clicked on the attachment, the computer got infected with the malware, and all the installed malware protection tools got disabled while access to websites of law enforcement agencies was also blocked. The attackers copied the email contacts of the victim through the malware and sent the infected emails to them as well. Through the botnet, the Romanian hacker group managed to steal $4 million. Moreover, the group also developed crypto miners to mine for Bitcoin and Monero and scan and transfer the victims’ crypto wallet ownership along with the funds. They also stole personal data from the infected computers including credit card information, login credentials, and usernames/passwords on different websites. Furthermore, the malware enabled the system to register AOL accounts, which were used to send more malicious emails. The duo got 100,000 email accounts registered through this method and subsequently sent out tens of millions of infected emails. They also replaced legitimate websites like eBay with fake replicas and when the victim accessed these websites, they were tricked into entering their credentials to the fake webpage instead of the authentic ones. It did not end here; the group also used eBay for their nefarious objectives. The duo placed over 1,000 fake listings of motorbikes and automobiles on eBay and uploaded malware-infected images on these listings. Users who clicked on the images were redirected to fake eBay ordering pages where the victims were encouraged to pay for the items. A person was hired to play the role of fictional eBay Escrow Agent whose only job was to collect the money from the victim and transfer it to the hacker duo. “These sentences handed down today reflect the dynamic landscape in which international criminals utilize sophisticated cyber methods to take advantage of and defraud, unsuspecting victims anywhere in the world,” added Special Agent Smith. 
Source https://www.hackread.com/20-years-prison-romanian-hackers-infected-computers/
  7. The official Cayman Islands tourism website brags about the territory's stunning beaches, exotic wildlife and contemporary art museums. Yet, it's probably better known for the allegations of money laundering made against it by other governments, including that of the United States, which is what makes the claim that hackers published 2TB of the Cayman National bank's confidential data interesting. A pseudonymous Twitter account called Distributed Denial of Secrets -- a play on the distributed denial-of-service attacks that can bring down even the largest websites -- said on Saturday that it was releasing "copies of the servers of Cayman National Bank and Trust." The account has also claimed to have released more information over the last few days and to have upgraded its servers to cope with traffic spikes. Cayman National operates numerous branches in the Cayman Islands proper, Isle of Man and Dubai. Distributed Denial of Secrets claimed that it's "allegedly been used for money laundering by Russian oligarchs and others" as well, which is why it published the bank's confidential data. The goal appears to be giving people access to private information that could prove or disprove those allegations of wrongdoing. Distributed Denial of Secrets said it didn't hack Cayman National itself. Instead, the data appears to have been stolen by someone called "Phineas Fisher," and its revelation was announced by HackBack alongside an explanation of Fisher's actions. A copy of the original statement can be found in the tweets discussing this leak and a report from Unicorn Riot; a translated version was also shared to Pastebin. Cayman National doesn't appear to have acknowledged the alleged leak on its website or social media profiles. 
It does say on its website that it's requiring clients to share additional information "in connection with the regulations of the global financial industry," however, and that many of its services would be unavailable on November 17 because of "a major upgrade and maintenance programme." The company also offered a helpful tip on its Facebook profile earlier today: "Refrain from accessing Online Banking through open and public access points, such as Internet cafes, public libraries, etc." That's a remarkably odd thing to share on Facebook while people on platforms like Twitter and Hacker News discuss a purported leak of terabytes' worth of private information.

Phineas Phisher - Hack Back - Bank: https://pastebin.com/8rXhtqgr
More info: https://unicornriot.ninja/2019/massive-hack-strikes-offshore-cayman-national-bank-and-trust/
Full archive and backups
  8. https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-the-vbulletin-rce-cve-2019-16759-exploit/
  9. Age: 2012. Balance: 45.00 €. Last payment: 2017. Price: 100 €. Approval country: Spain. It has had no activity for roughly 2 years. It was generated with legal content in Spanish and English. Payment preferred in crypto: ETH, BTC, XLM
  10. Amazon has thousands of workers around the world who listen to and review private Alexa conversations with the goal of helping improve the speech assistant’s technology, according to Bloomberg. The report said the Amazon team transcribes the recordings and shares the conversations with other parts of the company in order to make Alexa’s “understanding of human speech” better. The team is spread across different regions, including Boston, India, and Romania, Bloomberg said, and some of the workers review up to 1,000 audio clips per shift. Amazon has never publicly disclosed the role of this group or the fact that human interference is part of Alexa’s voice technology. An Amazon spokesperson noted that employees don’t have direct access to information that can identify the people speaking or the account that the snippet came from. However, Bloomberg reported that recordings are associated with account numbers, device serial numbers and the owner’s first name. The spokesperson said: Source: https://www.bloomberg.com/news/articles/2019-04-10/is-anyone-listening-to-you-on-alexa-a-global-team-reviews-audio
  11. I saw that you don't want py, but I found it super simple and easy to use, in case you change your mind. In Python I used selenium + pyvirtualdisplay (you can also emulate the desired resolution)
  12. Have you tried http://www.nirsoft.net/utils/fastresolver.html ? A PowerShell script: https://gallery.technet.microsoft.com/scriptcenter/Resolve-IP-Addresses-from-df4cbbe5#content
  13. The world’s most popular Free Web Hosting company 000Webhost has suffered a major data breach, exposing more than 13.5 Million of its customers' personal records. The stolen data includes usernames, passwords in plain text, email addresses, IP addresses and last names of around 13.5 Million of 000Webhost's customers.

According to a recent report published by Forbes, the Free Hosting service provider 000Webhost was hacked in March 2015 by an anonymous hacker. In a post on its official Facebook page, the hosting company has acknowledged the data breach and posted the following statement:

"We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information."

The stolen data was obtained by Troy Hunt, an Australian security researcher, who received the data from an anonymous source and also confirmed the authenticity of the data. "By now there's no remaining doubt that the breach is legitimate and that impacted users will have to know," Hunt wrote in a blog post published Wednesday. "I'd prefer that 000webhost be the ones to notify [its customer] though."

000Webhost Ignored Data Breach Warnings Continuously

000Webhost web Hosting company repeatedly failed to pay attention to the early warnings by Troy Hunt and the Forbes journalist, but the company ultimately decided to ignore them.

What's even Worse?

The Web Hosting company did not even follow fundamental and standard security practices to ensure the security of its customers. Data breaches are common these days. Just a few days back, we reported about a serious data breach at TalkTalk – the biggest phone and broadband provider in the UK that put the personal data of its 4 Million customers at risk.

But, What could a Security Breach lead to?
  • Severe damage to company's reputation
  • Loss of consumer trust
  • Thousands of dollars in penalties and fines
  • Personal data loss cost infinite
  • Temporary or Permanent Closure

Note: At the time of writing, the 000webhost.com website is temporarily down.

What Should You Do Now?

For security reasons, the team at the Free Hosting service has changed all customers' passwords to random values and implemented encryption, without giving any direct notice to its affected customers. That means, if you are one of those 13.5 Million 000webhost clients, then you need to follow the password reset process to generate a new password in order to access your account. However, 000Webhost said:

"We removed all illegally uploaded pages as soon as we became aware of the [data] breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future."

Storing customers' passwords in plain text, ignoring early warnings, and then implementing encryption to prevent further damages.

SOURCE
  14. The guys weren't playing around. https://www.facebook.com/PolitiaRomanawww.politiaromana.ro/videos/794474967330406/