Showing results for tags 'api'.
Found 6 results

  1. A security researcher says there is a bug in the Instagram API that could enable an attacker to post a message with a link to a page he controls that hosts a malicious file, but when the user downloads the file it will appear to come from a legitimate Instagram domain, leading the victim to trust the source. The issue, a reflected filename download bug, lies in the public API for the Instagram service, which is owned by Facebook. Researcher David Sopas of WebSegura in Portugal found that by using the access token from any user’s account, pasting some code into the bio field in a user’s account and using some other little tricks, he could produce a file download link that seems to be hosted on a legitimate Instagram domain. “This time I found a RFD on Instagram API. No need to add any command on the URL because we will use a persistent reflected field to do that. Like “Bio” field on the user account. What we need? A token. No worries we just need to register a new user to get one,” Sopas wrote in a post explaining the bug and exploitation technique. “Next step: Insert the batch command we want to use in the user account Bio field [and maybe others]. I’ll try to open a Chrome new window with a malicious page disabling most the protections from this browser.” Sopas found that the technique works on Chrome, Opera, Chrome for Android, the Android stock browser and Firefox in some circumstances. In order to make it work, he also constructed a specific filename, and when a victim clicks on a link in the attacker’s Instagram message, she will be taken to an attacker-controlled page with a file that appears to be on an Instagram domain. The video above demonstrates the technique. The attacker could host any malicious file he chooses at the target location, including malware. Sopas said he has been unable to convince Facebook security engineers that RFD issues are security vulnerabilities. He said they told him the issue was not a priority. 
“Many companies still don’t understand that RFD is very dangerous and combined with other attacks like phishing or spam it could lead to massive damage,” Sopas said via email. “[imagine] a phishing campaign where the link of the email is really from Instagram?” Source
  2. A critical vulnerability discovered in Verizon's FiOS mobile application allowed an attacker to access the email account of any Verizon customer with relative ease, leaving almost five million user accounts of Verizon's FiOS application at risk. The FiOS API flaw was discovered by XDA senior software developer Randy Westergren on January 14, 2015, when he found that it was possible not only to read the contents of other users' inboxes, but also to send messages on their behalf. The issue was discovered while analyzing traffic generated by the Android version of My FiOS, which is used for account management, email and scheduling video recordings. Westergren took time to put together a proof-of-concept showing serious cause for concern, and then reported it to Verizon. The telecom giant acknowledged the researcher's notification the same day and issued a fix on Friday, just two days after the vulnerability was disclosed. That's precisely how it should be done - quickly and efficiently. Microsoft could learn a lot more from Verizon, as Microsoft wasn't able to fix the security flaws in its software reported by Google's Project Zero team even after the three-month period provided to the company. One after another, three serious zero-day vulnerabilities in Windows 7 and 8.1 were disclosed by Google's security team before Microsoft planned to patch them. The FiOS API flaw, actually contained in the application's API, allowed any account to be accessed by manipulating user identification numbers in web requests, giving attackers the ability to read individual messages from a person's Verizon inbox. According to the security researcher, the vulnerability even allowed attackers to send email messages from victims' accounts, and he found and exploited further vulnerable API calls. "It was my suspicion that all of the API methods for this widget within the app were vulnerable.
     My last test was sending an outgoing message as another user [which was] also successful," Westergren wrote. The problem has been fixed by the telecom giant, so there is no need for users to worry about it. Verizon rewarded Westergren with a year's worth of free internet. "Verizon's (corporate) security group seemed to immediately realize the impact of this vulnerability and took it very seriously," Westergren said. Source
  4. <?php
     function image_upload($image, $status) {
         require('tmhOAuth.php'); // https://github.com/themattharris/tmhOAuth
         $tmhOAuth = new tmhOAuth(array(
             'consumer_key'    => "sfdgdsgsdfg",
             'consumer_secret' => "dsfgdsfgdsfgsd",
             'user_token'      => "sdfsdfsdf",
             'user_secret'     => "fgdgdfgdf",
         ));
         $code = $tmhOAuth->request(
             'POST',
             'https://api.twitter.com/1.1/statuses/update_with_media.json',
             array(
                 'media[]' => "@{$image};type=image/jpeg;filename={$image}",
                 'status'  => $status,
             ),
             true, // use auth
             true  // multipart
         );
         return $code;
     }
     echo image_upload('/var/www/crawl/img/62845745.jpg', 'Postat prin API');
     ?>
     1. Create an application in Twitter Developer and add the tokens.
     2. Run the function image_upload('calea/absoluta/a/pozei', 'Postat prin API');
     3. You can combine it with the Facebook one.
     4. Add it to cron.
  5. In this tutorial I will describe the steps needed to create an API interface that provides information about the user's IP, country, region, city and coordinates (you know: address, block, floor, apartment). It will also check whether the user is using a proxy, or whether their IP is a public proxy. And to make the list complete, information about the browser version, the language set and the referer will also be obtained. For the impatient, I want to mention that in the end the result returned by the API interface will look like this, and an example application that uses this API can be found here: My IP. I want to mention that the interface will be developed as a Google App Engine application and the programming language will be Python. If you do not know Python, you can use Java or Go (of course, you will have to manage on your own).

     Step 1. Registering a new application
     First we need to register a new application. This is done at the URL https://appengine.google.com/start/createapp, where we have to choose the application's unique identifier and name. For the "Storage Options" option we tick "High Replication" (Master/Slave is considered "deprecated", and probably in the near future applications using that method will no longer work).

     Step 2. Downloading and installing the SDK
     After registering the application, we download the Google App Engine SDK from the Downloads page. Here we choose the SDK for the desired programming language (in my case Python) and operating system (in my case Windows).

     Step 3. Creating a new application
     Now that we have downloaded and installed the GAE SDK, we create a new local application. To do this, we run the Google App Engine Launcher executable and choose "Create New Application" from the "File" menu. In the window that appears, we enter the identifier chosen in step 1, the location where we want to save the application, enter the required port and press "Create Application". I want to mention that I chose port 8090, so I will use this port in the examples below.

     Step 4. Testing the application
     Now it is time to run the default application to make sure everything is OK: select the created application and click "Run". We wait a bit, and if the correct path and a free port were given, the application becomes active. To be sure everything works perfectly, press the "Browse" button or open http://localhost:8090/. If the browser shows the message "Hello world!", everything is OK and we can move on to the next step.

     Step 5. Preparing the workspace
     Open the folder where we saved the application (this can also be done from the SDK: from the "Edit" menu choose "Open in Explorer") and delete the files we no longer need: favicon.ico, main.py, main.pyc. Open the app.yaml file and replace its contents with the following code:

         # The application identifier (chosen in step 1)
         application: json-api
         # You can read about the settings below (and many other useful things) at
         # https://developers.google.com/appengine/docs/python/config/appconfig
         version: 1
         runtime: python27
         threadsafe: false
         api_version: 1

         handlers:
         # The /static folder holds static files such as images, css, js and others
         - url: /static
           static_dir: static
         # If the user requests /ip.js, run the ip.py script
         - url: /ip\.js
           script: ip.app
         # For any other page requested by the user, show the default page
         - url: /.*
           static_files: static/html/index.html
           upload: static/html/index.html

     After this, we create the file static/html/index.html containing the welcome message (or use the source of the page at http://json-api.appspot.com/). Open http://localhost:8090/; if the message we entered appears, we move on.
     We do exactly the same with the file static/html/ip.html (source here: http://json-api.appspot.com/static/html/ip.html), which will be used to display the information obtained from the API interface. Since with Google App Engine we can only obtain the country code, we create a file static/js/iso3166_codes.js using the data from http://json-api.appspot.com/static/js/iso3166_codes.js, which will be used to obtain the country name. We also create the file static/js/ip.js (source: http://json-api.appspot.com/static/js/ip.js), whose role is to receive and display the data returned by the API interface.

     Step 5. Creating the API interface
     Create the file ip.py and paste the following code into it:

         #!/usr/bin/env python
         # -*- coding: utf-8 -*-

         # Import the required libraries
         import webapp2, json, urllib2, re

         class InitApp(webapp2.RequestHandler):
             def get(self):
                 req = self.request
                 # The list of variables the API interface will return
                 info = {
                     'ip'          : req.remote_addr,
                     'country'     : req.headers.get('X-AppEngine-Country'),
                     'region'      : req.headers.get('X-AppEngine-Region'),
                     'city'        : req.headers.get('X-AppEngine-City'),
                     'coordinates' : req.headers.get('X-AppEngine-CityLatLong'),
                     'browser'     : req.headers.get('User-Agent'),
                     'lang'        : self.getLang(),
                     'referer'     : req.referer,
                     'isproxy'     : self.isProxy(),
                 }
                 # Check whether the user is behind a "transparent" proxy
                 if req.headers.get('X-Forwarded-For'):
                     info['realip'] = req.headers.get('X-Forwarded-For').split(',')[0]
                 # Get the JSON representation of the variables
                 result = json.dumps(info)
                 # Check whether the user specified a callback function. Example:
                 #   Request : http://json-api.appspot.com/ip.js?callback=data
                 #   Result  : data({...});
                 if req.get('callback'):
                     result = '{0}({1});'.format(self.getVar('callback'), result)
                 # Check whether the user specified a variable name. Example:
                 #   Request : http://json-api.appspot.com/ip.js?varname=data
                 #   Result  : var data = {...};
                 elif req.get('varname'):
                     result = 'var {0} = {1};'.format(self.getVar('varname'), result)
                 # Return the result as JavaScript text
                 self.response.headers['Content-Type'] = 'text/javascript; charset=utf-8'
                 self.response.out.write(result)

             # Remove invalid characters from the callback function name and the variable name
             def getVar(self, var):
                 return self.filter(self.request.get(var))

             # Get the code of the language in use (empty if the header is missing)
             def getLang(self):
                 lang = self.request.headers.get('Accept-Language') or ''
                 return self.filter(lang.split(',')[0])

             # Remove non-alphanumeric characters
             def filter(self, str):
                 return re.sub(r'[^a-z_\.0-9]', '', str, flags=re.IGNORECASE)

             # Check whether the user is using a public proxy
             def isProxy(self):
                 # Ask Google, using the syntax inurl:proxy 127.0.0.1,
                 # whether the IP is listed as a public proxy
                 q = urllib2.quote('inurl:proxy ' + self.request.remote_addr)
                 url = 'http://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=' + q
                 # Use try so that unexpected errors do not break the response
                 try:
                     # Get the JSON string returned by the Google server
                     str = urllib2.urlopen(url).read()
                     # Parse the JSON data
                     data = json.loads(str)
                     # Check whether more than 5 results were found
                     return (data['responseData']['cursor']['resultCount'] > 5)
                 except:
                     pass
                 # It no longer matters whether there were errors or Google found nothing:
                 # we consider that the IP is not a proxy
                 return False

         app = webapp2.WSGIApplication([('/ip.js', InitApp)], debug=True)

     Step 6. Uploading the application to the server
     After saving all the files and testing the application at http://localhost:8090/static/html/ip.html, we can upload all the files to the appspot server with a single click on the "Deploy" button. In the window that appears, enter the email address and password for the Google account. After the files are uploaded, we can access our application at http://json-api.appspot.com/ (instead of json-api use the identifier chosen in step 1).

     Step 7. Final
     For the slightly lazier ones, the source of the application can be downloaded from the URL http://json-api.appspot.com/static/zip/json-api.zip
     Enjoy!
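     The ip.py handler above reflects the callback and varname parameters into a JavaScript response after stripping characters, and takes the first X-Forwarded-For entry as the "real" IP. The following is an added example, not part of the tutorial or the json-api project, showing the hardened variants a defender would want: an allowlist that rejects names which are not JavaScript identifiers instead of repairing them, and X-Forwarded-For parsing that counts from the right using an assumed number of trusted proxies.

```python
import json
import re

# Allowlist for a JSONP callback: a JavaScript identifier, optionally dotted
# ("app.handle"). A name that does not match is rejected, not "repaired",
# so a stripped-down attacker string can never be turned into valid JS.
CALLBACK_RE = re.compile(r'^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$')


def valid_callback(name):
    """True only for a short, well-formed identifier (length cap is our assumption)."""
    return bool(name) and len(name) <= 64 and CALLBACK_RE.match(name) is not None


def render_jsonp(info, callback=None, varname=None):
    """Return (content_type, body). Falls back to plain JSON when the requested
    callback / variable name fails validation instead of emitting JavaScript.
    json.dumps keeps ensure_ascii=True, so U+2028/U+2029 arrive as \\u escapes
    and cannot terminate the JS statement."""
    body = json.dumps(info, separators=(',', ':'))
    plain = ('application/json; charset=utf-8', body)
    js_type = 'text/javascript; charset=utf-8'
    if callback is not None:
        if not valid_callback(callback):
            return plain
        # Leading comment defeats content-sniffing of the response as Flash/other formats.
        return js_type, '/**/{0}({1});'.format(callback, body)
    if varname is not None:
        # "var a.b = ..." is not valid JS, so dotted names are refused here.
        if not valid_callback(varname) or '.' in varname:
            return plain
        return js_type, 'var {0} = {1};'.format(varname, body)
    return plain


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Pick the client IP from X-Forwarded-For counting from the right.
    The leftmost entries are supplied by the client and cannot be trusted; only
    the last `trusted_proxies` entries were appended by proxies we operate
    (assumed deployment). Anything inconsistent falls back to the socket peer."""
    if not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(',') if h.strip()]
    if trusted_proxies <= 0 or len(hops) < trusted_proxies:
        return remote_addr
    return hops[-trusted_proxies]


if __name__ == '__main__':
    # Constructed sample request values, not captured traffic.
    print(render_jsonp({'ip': '1.2.3.4'}, callback='alert(1)//'))
    print(client_ip('10.0.0.5', '6.6.6.6, 1.2.3.4, 10.0.0.4', 2))
```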
  6. <script language="JavaScript" src="http://j.maxmind.com/app/geoip.js"></script>
     <br>Country Code: <script language="JavaScript">document.write(geoip_country_code());</script>
     <br>Country Name: <script language="JavaScript">document.write(geoip_country_name());</script>
     <br>City: <script language="JavaScript">document.write(geoip_city());</script>
     <br>Region: <script language="JavaScript">document.write(geoip_region());</script>
     <br>Region Name: <script language="JavaScript">document.write(geoip_region_name());</script>
     <br>Latitude: <script language="JavaScript">document.write(geoip_latitude());</script>
     <br>Longitude: <script language="JavaScript">document.write(geoip_longitude());</script>
     <br>Postal Code: <script language="JavaScript">document.write(geoip_postal_code());</script>
     source: http://www.maxmind.com/app/javascript_city
     In theory you are supposedly required to link to maxmind if you use it on your site, but I don't think they bother to check...
     EDIT: possible use:
     <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
     $(function() {
         (detect = (function() {
             if (typeof geoip_country_code != "function")
                 return setTimeout(function() { detect(); }, 10);
             $.post("track.php", {
                 "cc":   geoip_country_code(),
                 "cn":   geoip_country_name(),
                 "ct":   geoip_city(),
                 "re":   geoip_region(),
                 "rn":   geoip_region_name(),
                 "lat":  geoip_latitude(),
                 "long": geoip_longitude(),
                 "pc":   geoip_postal_code()
             });
         }))();
         var _geoip = document.createElement("script");
         _geoip.src = "//j.maxmind.com/app/geoip.js";
         _geoip.async = true;
         document.body.appendChild(_geoip);
     });
     advantages: asynchronous and free...