Showing results for tags 'users'.

  1. The information security news today is all about Lenovo’s default installation of a piece of adware called “Superfish” on a number of laptops shipped before February 2015. The Superfish system is essentially a tiny TLS/SSL “man in the middle” proxy that attacks secure connections by making them insecure — so that the proxy can insert ads in order to, oh, I don’t know, let’s just let Lenovo tell it:

     “To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually,” the representative continued. “The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”

     Whatever. The problem here is not just that this is a lousy idea. It’s that Lenovo used the same certificate on every single laptop it shipped with Superfish. And since the proxy software also requires the corresponding private key to decrypt and modify your web sessions, that private key was also shipped on every laptop. It took all of a day for a number of researchers to find that key and turn themselves into Lenovo-eating interception proxies.

     This sucks for Lenovo users. If you’re a Lenovo owner in the affected time period, go to this site to find out if you’re vulnerable and (hopefully) what to do about it. But this isn't what I want to talk about in this post. Instead, what I’d like to discuss is some of the options for large-scale automated fixes to this kind of vulnerability. It’s quite possible that Lenovo will do this by themselves — pushing an automated patch to all of their customers to remove the product — but I'm not holding my breath. If Lenovo does not do this, there are roughly three options:

     1. Lenovo users live with this and/or manually patch. If the patch requires manual effort, I’d estimate it’ll be applied to about 30% of Lenovo laptops. Beware: the current uninstall package does not remove the certificate from the root store!
     2. Microsoft drops the bomb. Microsoft has a nuclear option themselves in terms of cleaning up nasty software — they can use the Windows Update mechanism or (less universally) the Windows Defender tool to remove spyware/adware. Unfortunately not everyone uses Defender, and Microsoft is probably loath to push out updates like this without massive testing and a lot of advice from the lawyers.
     3. Google and Mozilla fix internally. This seems like a more promising option. Google Chrome in particular is well known for quickly pushing out security updates that revoke keys, add public key pins, and generally make your browsing experience more secure.

     It seems unlikely that #1 and #2 will happen anytime soon, so the final option looks initially like the most promising. Unfortunately it's not that easy. To understand why, I'm going to sum up some reasoning given to me (on Twitter) by a couple of members of the Chrome security team.

     The obvious solution to fixing things at the browser level is to have Chrome and/or Mozilla push out an update to their browsers that simply revokes the Superfish certificate. There's plenty of precedent for that, and since the private key is now out in the world, anyone can use it to build their own interception proxy. Sadly, this won't work! If Google does this, they'll instantly break every Lenovo laptop with Superfish still installed and running. That's not nice, or smart business for Google.

     A more promising option is to have Chrome at least throw up a warning whenever a vulnerable Lenovo user visits a page that's obviously been compromised by a Superfish certificate. This would include most (secure) sites any Superfish-enabled Lenovo user visits -- which would be annoying -- and just a few pages for those users who have uninstalled Superfish but still have the certificate in their list of trusted roots. This seems much nicer, but runs into two problems. First, someone has to write this code -- and in a hurry, because attacks may begin happening immediately. Second, what action item are these warnings going to give people? Manually uninstalling certificates is hard, and until a very nice tool becomes available a warning will just be an irritation for most users.

     One option for Google is to find a way to deal with these issues systemically -- that is, provide an option for their browser to tunnel traffic through some alternative (secure) protocol to a proxy, where it can then go securely to its location without being molested by Superfish attackers of any flavor. This would obviously require consent by the user -- nobody wants their traffic being routed through Google otherwise. But it's at least technically feasible. Google even has an extension for Android/iOS that works something like this: it's a compressing proxy extension that you can install in Chrome. It will shrink your traffic down and send it to a proxy (presumably at Google). Unfortunately this proxy won't work even if it was available for Windows machines -- because Superfish will likely just intercept its connections too.

     So that's out too, and with it the last obvious idea I have for dealing with this in a clean, automated way. Hopefully the Google team will keep going until they find a better solution. The moral of this story, if you choose to take one, is that you should never compromise security for the sake of a few bucks -- because security is so terribly, awfully difficult to get back.

     Source: A Few Thoughts on Cryptographic Engineering: How to paint yourself into a corner (Lenovo edition)
  2. The sanctity of Apple iMessage end-to-end encryption has been challenged by white hats who in 2013 reverse engineered the protocol behind it, revealing that Apple controls the key infrastructure and could, in turn, be compelled to turn over messages via government order. CEO Tim Cook denied those charges last September in an interview, but nonetheless, confidence in the security of messages sent over iMessage hasn’t been 100 percent since.

     Researcher Moxie Marlinspike’s Open WhisperSystems today released version 2.0 of the free Signal app for Apple iOS, which now adds end-to-end encrypted messaging to the encrypted voice calling introduced last July with Signal 1.0. The private messaging support for iPhone is free and open source—and not the last step for Marlinspike, who is also responsible for RedPhone, an app that encrypts calls on the Android platform, and TextSecure for Android, a private text and chat app that is at the heart of today’s Signal 2.0 release for the iPhone.

     “We’re going to unify TextSecure and RedPhone into Signal on Android, release a desktop version of Signal, and keep working to push the envelope of secure protocols and private communication,” Marlinspike said of his planned product road map.

     For now, the availability of Signal 2.0 for iOS brings a measure of privacy and secure communication that’s been in question since the QuarksLab report of 2013. “It’s technically possible that someone in control of Apple’s servers could intercept your communication,” Marlinspike said, adding that Signal 2.0 now allows iPhone users to communicate privately with users on the Android platform. The protocol behind Signal 2.0 also supports forward secrecy, which essentially generates a new encryption key for each message, meaning that if a key were cracked in the future, not all messages would be in danger.

     Signal 2.0, Marlinspike also said, allows users to verify each other’s respective encryption keys, meaning that it would be easy to detect if an attacker was sitting in a man-in-the-middle position intercepting traffic between endpoints. For now, both ends of a conversation require Signal to be installed in order to assure secure communication, Marlinspike said.

     The simplicity of Signal should remove any impediment for privacy-conscious users. The app uses the phone’s existing phone number and address book and does not require a separate log-in or authentication mechanism to manage. Users are able to send encrypted group messages (text, video, photos) and make encrypted phone calls worldwide without extra charges, Marlinspike said.

     “We cannot hear your conversations or see your messages, and no one else can either. No exceptions. You can even tap and hold on a contact’s name to see advanced identity verification options,” says Signal 2.0’s product description. “Everything in Signal is always end-to-end encrypted and painstakingly engineered in order to keep your communication safe.” The source code is available on Github for inspection, as well, Marlinspike said.

     Source
  3. It's been a long time coming, but now the users of Firefox and Opera browsers don’t need to rely on the Chrome browser to access the WhatsApp Web client, as the most popular smartphone messaging service has announced that the Web-based version of its service now works on Firefox and Opera web browsers too.

     WHATSAPP WEB AVAILABLE FOR OPERA & FIREFOX

     Almost a month ago, WhatsApp launched the web client of its service, but access was limited only to Google Chrome users. Now, the company is giving more choices to desktop users by launching WhatsApp Web today for Opera and Firefox browsers, though you’ll still have to wait a little longer if you’re a Safari user. WhatsApp Web is nothing more than an extension of the core mobile WhatsApp application. It syncs conversations from your smartphone devices to your PCs, with everything stored on the mobile device itself.

     HOW TO USE WHATSAPP ON PC/DESKTOP

     In order to install WhatsApp Web on your PC or laptop running the Google Chrome, Mozilla Firefox or Opera browsers, you need to follow the same steps, as the sign-up process is the same as with the Chrome browser:

     1. Interested WhatsApp users simply need to open Chrome and navigate to WhatsApp Web.
     2. A QR code will appear on the web page, which must be scanned using the WhatsApp mobile application to activate the service.
     3. By scanning the QR code that appears, users will automatically have paired their mobile WhatsApp with the WhatsApp web client, as shown.

     For now, WhatsApp Web only works with Android, Windows Phone and BlackBerry devices, but unfortunately, iPhones still don't have the capability to scan the WhatsApp Web QR code because there's no web solution at this time for iOS users because of limitations of the platform.

     Currently, WhatsApp has 700 million users sending 30 billion messages per day, and is bigger than most of its competitors, including Facebook Messenger, Line and WeChat. Now, this new WhatsApp web client available for a wider range of browsers will definitely increase its market.

     Source
  4. Twitter has revised and simplified its rules and process for reporting abusive behavior on the service, and users now have the ability to report people who are posting their personal information. The change essentially gives Twitter users a method to combat doxing, which is the process of dumping a victim’s personal information online. This often is done as a form of revenge or to embarrass someone. Doxing used to be done in forums or on underground sites, but Twitter has made it possible to broadcast the information to a much larger audience more quickly.

     Twitter officials are well aware of this problem, as well as the issue of more traditional abusive behavior on the service. So the company has changed the way that users can report such behavior and what kind of things they can report. Twitter said it has greatly increased the size of its staff handling these reports and is processing many more reports than just a few months ago.

     “Over the last six months, in addition to the product changes, we have overhauled how we review user reports about abuse. As an example, allowing bystanders to report abuse – which can now be done for reports of private information and impersonation as well – involved not only an update to our in-product reporting process, but significant changes to our tools, processes and staffing behind the scenes. Overall, we now review five times as many user reports as we did previously, and we have tripled the size of the support team focused on handling abuse reports,” Tina Bhatnagar, vice president of user services at Twitter, said in a blog post.

     The change is a significant one for Twitter, as the service has evolved into the place where many people not only get their news, but also where people share remarkable personal and private information. The new reporting option also allows users to report abusive behavior that’s targeted at other people and not themselves.

     Twitter also is changing the way that it enforces the rules against problematic accounts. “We are also beginning to add several new enforcement actions for use against accounts that violate our rules. These new actions will not be visible to the vast majority of rule-abiding Twitter users – but they give us new options for acting against the accounts that don’t follow the rules and serve to discourage behavior that goes against our policies,” Bhatnagar said.

     Source
  5. Lenovo has teamed up with Microsoft and McAfee to remove the Superfish adware from its machines, following concerns about security. Lenovo announced the partnerships in a public statement, promising that the tools will let users automatically block and remove the insecure, self-signing certificates used by Superfish.

     "We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies," the firm said. "These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem."

     The Microsoft removal tool will be integrated into Windows Defender version 1.193.444.0. The tools are the latest step in Lenovo's bid to allay customer concerns that the firm put personal data at risk. The problem erupted on the Lenovo forum earlier in February when several customers reported finding Superfish installed on their machines. Superfish is adware that collects data such as web traffic information using fake, self-signed root certificates and then uses it to push advertisements to the user.

     Lenovo claims that the adware is installed on only a limited number of machines and does not affect its business-focused Thinkpad line. "We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience," read the statement. "While this issue in no way impacts our ThinkPads, any tablets, desktops or smartphones, or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed."

     Lenovo apologised for causing concern, but argued that the company never knowingly compromised its customers' privacy. "We apologise for causing these concerns among our users. We are learning from this experience and will use it to improve what we do and how we do it in the future," read the statement. "Superfish technology is purely based on contextual/image and not behavioural. It does not profile or monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted."

     Lenovo is one of many firms dealing with privacy and security concerns. Researchers at FireEye reported on 20 February that Apple had ignored a dangerous flaw in the iOS operating system, codenamed Masque Attack II.

     Source
  6. I searched the forum and didn't find it posted, so I thought I'd post it (for those interested, of course).

     Adversaries are committed to continually refining or developing new techniques that can evade detection and hide malicious activity. Meanwhile, the defenders—namely, security teams—must constantly improve their approach to protecting the organization and users from these increasingly sophisticated campaigns. Caught in the middle are the users. But now, it appears they not only are the targets, but also the complicit enablers of attacks.

     The Cisco 2015 Annual Security Report, which presents the research, insights, and perspectives provided by Cisco® Security Research and other security experts within Cisco, explores the ongoing race between attackers and defenders, and how users are becoming ever-weaker links in the security chain.

     Cybersecurity is a broad and complex topic that has a far-reaching impact on users, companies, governments, and other entities around the world. The Cisco 2015 Annual Security Report is divided into four areas of discussion. These sections, and the issues explored within them, may at first glance seem disparate, but closer examination reveals their interconnectedness:

     Read more: https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2015_ASR.pdf
  7. Introduction

     In this last part of the Website Hacking series, we are going to list 18 common web vulnerabilities and flaws and we are going to briefly provide solutions to them. Some of them are described for the first time in the Website Hacking series and some we have discussed before but in greater depth.

     1. Saving all user input

     If you are using a framework, for example, a PHP framework, you might be tempted to save all user input to your model or database since it has already been validated and escaped. Let us say that you are using CakePHP and have included a registration form using CakePHP’s Form helper.

     SNIPPET 1

     Now, you might be tempted to save all data from CakePHP’s $this->request->data array/method as is if you do not read the docs carefully or view some of the examples provided there (the live blog site).

     SNIPPET 2

     You just save all data and thank the framework creators. However, there are at least two things you did wrong: $this->request->data does not contain escaped/sanitized input, just the input from the superglobals. Firstly, you should use CakePHP’s h() function to prevent people inserting tags in their username, like this: h($this->request->data). However, this is not enough and a wrong approach. If you save all user input in your Model (database) the user can add new input tags directly in his browser and try to guess some columns in your users table for which you have not provided an input in the website’s form. For example, many CakePHP applications have a “role” column set to user/admin or something similar (it is used in the docs as well). The user can just open his Developer Tools, find the registration form or right click and select Inspect Element, click on Edit as HTML and add a new input like this:

     <input name="data[user][role]" type="text">
     <input name=" [user][role]" type="text">

     Or whatever the current way for forms to interact with your Models is, guess column names and insert values into them.

     One way to solve this is to change the name of the column that defines users’ roles and permissions to something unpredictable. However, that is not the safest approach you can take. You can either insert the data into the database manually, which will ensure no extra columns will be saved:

     SNIPPET 3

     Or alternatively, you could still save all user data but explicitly set the values of columns not found in the form:

     SNIPPET 4

     2. Allowing user access to assets

     Many sites work with user input and user data and store this data. Clients can see where their assets are stored, so there is no need for them to guess. For example, a client could see that the images he uploaded were stored in /uploads/{username} because the images he uploaded were loaded to the page from that directory, so if he knows some usernames of different people he could just change the directory name to another user and browse through all of his data without having to brute-force directory names.

     The first way to tackle this issue that we discussed before is not enough (adding Options All -Indexes to the .htaccess file). It would prevent users from browsing directories and opening whatever they want, but they would still know the directory exists and they can still guess directory names because the server will return a 403 Forbidden (which shows something exists in that path). Furthermore, they could guess file names from some patterns that the file names follow and open them. Therefore, you need to block access to the files in your uploads directory. If you are storing text files (let us say users can keep notes and view/edit them whenever they want) you could add to your .htaccess the following rule:

     RewriteEngine On
     RewriteRule ^uploads/.*\.(txt|doc)$ - [F,L,NC]

     The F flag would return a 403 Forbidden response, the L flag causes the next rules to stop being processed, and the NC eliminates case-sensitivity.

     Figure 1: The page with only directory listing disabled.
     Figure 2: The page with only directory listing disabled. You cannot browse directories, but if each user has a notes.txt file, you can easily view a user’s notes by knowing only their username.
     Figure 3: Trying to access the notes with both directory listing and controlled access to files.

     If you use the rewrite rule to disable users from browsing other users’ notes, your back-end would still be able to access the notes, show them to users or edit them. For example:

     SNIPPET 5

     Where the $user variable would come from a session in a real-world application.

     3. Running basic WordPress installation

     Common mistakes here are not limiting the login attempts on your wp-admin page. This would allow anyone to brute-force your credentials and destroy your blog/site. This becomes even easier because most people create their master username to be ‘admin’, which involves only brute-forcing the password to get full access to the WP website. Another mistake is that the wp-admin login page is left without a form of CAPTCHA or a protection against bots. This combined with no limitation of login attempts equals certain death of your online presence at some point in the future. You could avoid all 3 of these things and also change the default wp-admin path to be something different as well (obfuscation).

     4. Relying too much on IP addresses while having weak bot protection

     Most ISPs provide dynamic IP addresses, and the IP address you have banned or stored may already be obsolete in less than a day. Furthermore, it is often not very difficult to change your IP address – use a proxy, release it from the router or from the OS, change locations. There are myriad ways to do it. To prevent bots from causing undesired consequences, it would be better to use alternative ways – enhance your CAPTCHAs, add inputs only bots will fill out, require JavaScript/cookies enabled to submit a form, and so on.

     5. Improper redirects

     Let us say that you have a redirect page or a GET value (for simplicity’s sake) that redirects users to another page of your site or to another website. However, if you forget to disallow redirects to third-party websites, or in case you allow those, if you do not create a warning page before redirecting that will tell the user where they are going and that they are leaving the site – users can easily abuse your site by giving links that seem to be pointing to your site but will redirect users to malicious websites.

     if (isset($_GET['redirect'])) {
         header("Location: " . $_GET['redirect']);
     }

     If we have something as simple as this, then users can easily get fooled into entering bad sites by following a URL like this:

     http://localhost:8079/articles/Website%20Hacking%20Part%20VII/?redirect=http://www.somemalicioussitehere.com

     6. Cross Site Request Forgery

     If your site allows users to add comments/posts and insert tags such as <img> and load a third-party image, they can provide a link that is not an image but will fool the clients’ browsers (the users that will be reading them) into loading the resource and performing an action on a website if they are authenticated in it. For example, if Facebook was satisfied with a couple of GET parameters or a particular URL to follow someone/something on their network, we could have added an image like that: my image. And if the user is currently logged in he would have followed an arbitrary person. Of course, this would not work in this particular situation.

     7. Insecure file handling

     A common mistake is to trust that a file does not contain something inappropriate. Code can be disguised as an image, so checking the file extension is not enough. At the very least, the MIME type should also be checked. Also, ASCII / text files should be escaped. Here is an example of such a vulnerability:

     SNIPPET 6

     The vulnerability arises when at some point we display the contents of the .txt file in our page:

     SNIPPET 7

     If the file we submit contains the following code:

     <script>
     alert(document.cookie);
     </script>

     Then all user cookies for that website will be shown in an alert.

     8. Displaying and trusting HTTP headers

     These can be modified by users and can be malicious. For example, if you display the client’s User-Agent header, it might be changed to consist of code which would then be executed in your back-end. This is also valid for the referrer header, so it should not be used by itself to determine whether the user can access a particular page (for example, checking if the referrer is the login page and assuming the user has logged in successfully since he was redirected to the members area’s index page from the login page).

     9. Information disclosure

     Your live apps should not be in debug mode. Errors should not be shown.

     10. Directory traversal

     If you are using some parameter that opens different files on your website based on user input, your back-end should escape special characters such as the . (dot) or / (slash) from the input and preferably use whitelisting.

     11. Using HTTP for semi-confidential data

     A common flaw is using HTTP for sites that include mechanisms such as registration/login. Even widely used online marketplaces in Bulgaria use simple HTTP (such as OLX.bg). Using HTTP makes it easy for potential attackers in your network to sniff your traffic and get your credentials with no real effort. For example, if you log in to olx while on a Wi-Fi, you are subject to risk.

     13. Sessions can be stolen

     Sessions can be stolen, letting the attacker log in as someone else. There are multiple vectors of defense here – such as checking the IP address, the user agent, regenerating the session, and adding cookies.

     14. Be careful which third-party libraries, CDNs and plugins you use

     They might be simply outdated, opening a wide variety of security holes, or they might be malicious – giving the shady library’s creator access to your server.

     15. Bots are everywhere

     Take care of malicious bots not by banning their IP but by enhancing CAPTCHA, adding hidden form fields that users would not fill, and requiring JavaScript or cookies enabled to submit a form.

     16. Use HTTP only cookies

     This would reduce the impact of some other attacks – such as XSS.

     17. Hashing

     Hash your passwords and try to avoid md5 or sha-1 algorithms (https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know, hash - Why does some popular software still use md5? - Information Security Stack Exchange). Use salts to prevent attacks with rainbow tables.

     18. XSS

     Always escape input unless you really, really trust the source (admin panel). You can either remove tags or display them as entities depending on your needs.

     PHP: strip_tags($input, $allowedTags); htmlspecialchars($input, ENT_QUOTES); htmlentities($input);

     19. SQL Injection

     Use prepared statements or do not perform a query which is not hardcoded without sanitizing it (PHP: PDO class, or sanitize with mysqli_real_escape_string($conn, $str) if using mysqli. Do not use mysql_*).

     Conclusion

     This was the last part of the Website Hacking series. We have introduced some new vulnerabilities and briefly discussed them and have summarized our points for everything that we have talked about so far. We hope that now you will feel more confident when deploying your web apps by putting these strategies to use.

     Source
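Hardened counterparts to two of the patterns in the post above (item 5, the open redirect, and item 7, insecure file handling), as an added example that is not part of the original article or the forum post. The function names, the allow-list of extensions and the demonstration values are my own choices; the code targets PHP 7 or later with the standard fileinfo extension.

```php
<?php
// Added example, not code from the article above: hardened PHP 7+
// counterparts to items 5 (improper redirects) and 7 (insecure file
// handling). Function names and sample values are assumptions.

// --- Item 5: only redirect to a path on this site ---------------------
// The vulnerable form quoted in the post was
//     header("Location: " . $_GET['redirect']);
// which follows any URL the visitor supplies. This version accepts only a
// site-local absolute path and falls back to $fallback otherwise.
function safeRedirectTarget(?string $target, string $fallback = '/'): string
{
    if ($target === null || $target === '') {
        return $fallback;
    }
    // Browsers treat "//host/..." and "/\host/..." as protocol-relative
    // URLs, so reject a leading "//" or any backslash before parsing.
    if (strpos($target, '//') === 0 || strpos($target, '\\') !== false) {
        return $fallback;
    }
    $parts = parse_url($target);
    // Anything with a scheme or host ("http://evil.example",
    // "javascript:...") is not a local path.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    if (!isset($parts['path']) || $parts['path'][0] !== '/') {
        return $fallback;
    }
    // CR/LF would let the value end the Location header and start another
    // one; strip them so the header cannot be split.
    return str_replace(["\r", "\n"], '', $target);
}

// --- Item 7: check the extension *and* the actual content type --------
// $tmpPath is the uploaded file on disk ($_FILES['f']['tmp_name']),
// $clientName the name the browser sent ($_FILES['f']['name']).
// $allowed maps permitted extensions to the MIME type the bytes must have.
function isAcceptableUpload(string $tmpPath, string $clientName,
                            array $allowed = ['txt' => 'text/plain',
                                              'png' => 'image/png',
                                              'jpg' => 'image/jpeg']): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;                     // extension not on the allow list
    }
    if (!is_file($tmpPath)) {
        return false;
    }
    // finfo sniffs the real bytes, so PHP code renamed to "x.png" is
    // reported as a text/script type rather than image/png.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($tmpPath) === $allowed[$ext];
}

// When a stored text file is shown back to users (the SNIPPET 7 case),
// escape it so "<script>alert(document.cookie)</script>" renders as text.
function renderUserText(string $content): string
{
    return '<pre>' . htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

// Constructed demonstration values (not real requests or uploads).
if (PHP_SAPI === 'cli') {
    foreach (['/account', 'http://attacker.example', '//attacker.example/x',
              'javascript:alert(1)', "/ok\r\nSet-Cookie: a=b", null] as $t) {
        printf("%-32s -> %s\n", var_export($t, true), safeRedirectTarget($t));
    }
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, "<?php echo 'not an image'; ?>");
    var_dump(isAcceptableUpload($tmp, 'avatar.png'));
    unlink($tmp);
    echo renderUserText('<script>alert(document.cookie);</script>'), "\n";
}
```

Run it with `php` on the command line to see each constructed redirect value either pass through unchanged or collapse to the fallback, the renamed PHP file rejected despite its .png name, and the script tag come back as harmless entities. In a real handler the allow-list approach (accept a known-good set) is preferred over the escaping approach the post mentions for item 10, because it does not have to anticipate every encoding an attacker might use.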
  8. If someone shares a porn video on Facebook, beware. The latest threat to users involves a fake Flash Player update which pops up during a preview of a pornographic video. Once you click on the link to update your video player, malware (the name given to malicious software) downloads onto your computer. This Trojan horse software gives the creator of the malware remote access to your computer. They can then download viruses onto your computer.

     Security researcher Mohammad Faghani alerted users to the threat in a post on the Full Disclosure blog, which flags up network vulnerabilities. "The Trojan tags the infected user's friends with an enticing post," he explained. Faghani warned that the malware then tags up to 20 friends of the victim in the malicious post, thus leading to a larger number of those who could be affected. He believes it could "infect more than 110,000 users in two days". Faghani also said the malware was able to hijack keyboard and mouse movement.

     In response, Facebook said it was aware of the problem and was working to block it. In a statement issued to security news website Threatpost, a Facebook spokesperson said: "We use a number of automated systems to identify potentially harmful links and stop them from spreading. In this case, we're aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites. We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook."

     Last week, a hacker group called Lizard Squad had hinted it was responsible for Facebook, Instagram and Tinder going down. Facebook denied it was hacked, saying the access issues were "not the result of a third party attack".

     Source
  9. Recent reports from our users have brought to light a security hole that can reveal your IP address to websites through WebRTC. WebRTC was originally developed to aid certain types of connections between browsers without the need for an additional plugin. The ‘RTC’ in WebRTC stands for Real-Time-Communication, and the API directory is used for voice calls, video chats, and p2p file sharing.

     Suspicions that WebRTC could be used to discover a user’s local IP, even under the presence of a VPN, have been around since 2013. Since WebRTC uses javascript requests to get your IP address, users of NoScript or similar services will not leak their IP addresses. If you are using a VPN or a Proxy and you would like to test this WebRTC Local IP leak, click here.

     source: https://www.privateinternetaccess.com/forum/discussion/8204/how-to-stop-webrtc-local-ip-address-leaks-on-google-chrome-and-mozilla-firefox-while-using-private-i

     Mozilla Firefox users can actually turn off the default WebRTC functionality directly in Firefox settings by typing ‘about:config’ into the search bar and browsing to the ‘media.peerconnection.enabled’ option and setting it to FALSE. Users of Canary, Nightly, and Bowser are also vulnerable to this IP leak. However, the local IP address leak should not affect Internet Explorer or Safari users unless they have manually added WebRTC themselves.
  10. A critical cross-site scripting (XSS) vulnerability in the Google Apps administrator console allowed cyber criminals to force Google Apps admins to execute just about any request on the https://admin.google.com/ domain. The Google Apps admin console allows administrators to manage their organization's account. Administrators can use the console to add new users, configure permissions, manage security settings and enable Google services for their domain. The feature is primarily used by many businesses, especially those using Gmail as the e-mail service for their domain. The XSS flaw allowed attackers to force the admin to do the following actions: creating new users with "super admin" rights; disabling two-factor authentication (2FA) and other security measures from existing accounts or from multiple domains; modifying domain settings so that all incoming e-mails are redirected to addresses controlled by the attacker; and hijacking an account/email by resetting the password, disabling 2FA, and also removing login challenges temporarily for 10 minutes. This new zero-day vulnerability was discovered and privately reported by application security engineer Brett Buerhaus to Google on September 1 and the company fixed the flaw within 17 days. In exchange for the report, Google paid the researcher $5,000 as a reward under its bug bounty program. According to the researcher, when users access a service that hasn't been configured for their domain, they are presented with a "ServiceNotAllowed" page. This page allows users to switch between accounts in order to log in to the service. However, when one of the accounts was selected, a piece of JavaScript code was executed in an attempt to redirect the user's Web browser. JavaScript code could be supplied by the user in the "continue" request parameter of the URL, which allowed XSS attacks.
Patching the vulnerability on the 17th day after it was reported to the company shows the search engine giant's concern to secure its software and users as well. However, the recent vulnerability troubles that visited Microsoft exposed, one after another, three serious zero-day vulnerabilities in the Windows 7 and 8.1 operating systems, reported by Google's Project Zero team. Microsoft wasn't able to fix the security flaws in its software even after the three-month-long time period provided to the company. Source
  11. A wave of man-in-the-middle (MITM) attacks launched by Chinese hackers, capable of stealing emails, contacts and passwords, is targeting Microsoft Outlook users in the country. Greatfire.org, a group that reports on and works to combat Chinese government online censorship and surveillance, reported uncovering the campaign this week. "On January 17, we received reports that Microsoft's email system, Outlook (which was merged with Hotmail in 2013), was subjected to a MITM attack in China," read the Greatfire threat advisory. "This form of attack is especially devious because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers." The attack reportedly uses a bogus certificate to push a malicious alert to Outlook users that siphons information from the victim's account if it is opened. "Users will only see an abrupt pop-up warning when the client tries to automatically retrieve messages. Users will then be able to tap on a 'continue' button and ignore the warning message," explained the advisory. "If users do click on the 'continue' button, all of their emails, contacts and passwords will be logged by the attackers." The number of affected Outlook users remains unknown, although a Microsoft spokesperson confirmed to V3 that the firm is aware of the attacks. "We are aware of a small number of customers impacted by malicious routing to a server impersonating Outlook.com. If a customer sees a certificate warning, they should contact their service provider for assistance," they said. Greatfire believes that the Chinese government is responsible for the attacks, citing similarities to previous attacks it believed were state sponsored. "Because of the similarity between this attack and previous, recent MITM attacks in China on Google, Yahoo and Apple, we once again suspect that Lu Wei and the Cyberspace Administration of China have orchestrated this attack," it said.
"If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor." The attack on Apple's iCloud occurred at the end of 2014 and was serious enough for CEO Tim Cook to fly to China. F-Secure security advisor Sean Sullivan told V3 that the Outlook attacks follow a similar pattern to the iCloud campaign and warned business users visiting China to be extra cautious. "This case appears similar to the move against iCloud back in October. Any business person travelling or working in China should use a VPN (or other measures) to access their email - or else pay very careful attention to warning messages," he said. "If you're doing business in China, be very mindful of the situation. I'd even recommend using separate hardware for the trip." Jason Steere, director of technology strategy at FireEye, mirrored Sullivan's sentiment, pointing out that, even if focused on monitoring Chinese citizens alone, the attacks could cause trouble for Western professionals visiting the country. "I suspect this attack is more about gathering intel on Chinese citizens - using international mail systems to communicate information that they could not do with a Chinese web platform due to censorship," he told V3. "However, many other people are collateral damage with information exposed that I'm sure they would prefer not to be picked up. "Anything sent or received, such as usernames, passwords, holidays, journalist sources, new stories, personal information etc, would all have been exposed during the time of the attack. "All of that information can be collected and used for intel, surveillance etc." The attack on Outlook comes less than a month after Chinese authorities began blocking local access to Google services including Gmail. 
Prior to the Google blockade the Beijing government mounted a mass censorship campaign that cut off access to thousands of websites, applications and cloud services in November 2014. Source
  12. Several reports from popular news websites had suggested that WhatsApp, the widely popular messaging application, is working on a new version of its instant messaging client, called WhatsApp PLUS, in order to provide its users a lot of handy new features. However, the news seems to be completely fake! WhatsApp Plus was launched long ago and is not at all genuine, as it is not associated with the Facebook-owned WhatsApp. Many users claimed to have already used WhatsApp Plus before. The latest news reports insist that WhatsApp Plus will bring 700 new themes and more emoticons, and will provide users with an option to change the font and color, among other things, in an attempt to make the app look and feel more personalized. Moreover, the app will provide better privacy compared to the existing one. But here you need to have a second thought. If we talk about better privacy, the only genuine report about WhatsApp came late last year, when WhatsApp partnered with Open Whisper Systems, a collaborative open source project, to offer end-to-end encryption in its Android client. But that was also under the same label, WhatsApp. The domain of WhatsApp Plus wasn't registered by WhatsApp, Inc, according to the Whois information of the alleged WhatsApp website. In order to find links to shady websites, BGR reports that they decompiled the WhatsApp Plus APK file circulating around the web, which revealed that the "app is communicating with illegitimate sources." Beware, those who find the app genuine and interesting to download. There are many fake and malicious messaging apps that trick users into downloading and installing what could potentially be malware. WhatsApp Plus is also not genuine, but an effort by unauthorised websites to trick people into downloading it. We strongly advise people not to download WhatsApp Plus, or any app that claims to be a new, rather different version of WhatsApp.
It has been confirmed that WhatsApp hasn't launched any such app. The app could be malware that can trouble your phone, and downloading an alternative would put your privacy and security at risk. Source
  13. Faraday introduces a new concept, IPE (Integrated Penetration-Test Environment): a multiuser penetration test IDE. It is designed for distribution, indexation and analysis of the data generated during the process of a security audit. The main purpose of Faraday is to re-use the tools available in the community and take advantage of them in a multiuser way. Designed for simplicity, users should notice no difference between their own terminal application and the one included in Faraday. It is developed with a specialized set of functionalities that help users improve their own work. Do you remember yourself programming without an IDE? Well, Faraday does the same as an IDE does for you when programming, but from the perspective of a penetration test. Download: https://github.com/infobyte/faraday
  14. Document Title:
===============
Facebook Bug Bounty #19 - Filter Bypass Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1381

Facebook Security ID: 221374210

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/01/14/facebook-bug-bounty-restriction-filter-bypass-vulnerability-id-221374210

Release Date:
=============
2015-01-14

Vulnerability Laboratory ID (VL-ID):
====================================
1381

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
Facebook is an online social networking service, whose name stems from the colloquial name for the book given to students at the start of the academic year by some university administrations in the United States to help students get to know each other. It was founded in February 2004 by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The website's membership was initially limited by the founders to Harvard students, but was expanded to other colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities before opening to high school students, and eventually to anyone aged 13 and over. Facebook now allows any users who declare themselves to be at least 13 years old to become registered users of the site. Users must register before using the site, after which they may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as 'People From Work' or 'Close Friends'.

As of September 2012, Facebook has over one billion active users, of which 8.7% are fake. According to a May 2011 Consumer Reports survey, there are 7.5 million children under 13 with accounts and 5 million under 10, violating the site's terms of service. In May 2005, Accel Partners invested $12.7 million in Facebook, and Jim Breyer added $1 million of his own money to the pot. A January 2009 Compete.com study ranked Facebook as the most used social networking service by worldwide monthly active users. Entertainment Weekly included the site on its end-of-the-decade 'best-of' list, saying, 'How on earth did we stalk our exes, remember our co-workers' birthdays, bug our friends, and play a rousing game of Scrabulous before Facebook?' Facebook eventually filed for an initial public offering on February 1, 2012, and was headquartered in Menlo Park, California. Facebook Inc. began selling stock to the public and trading on the NASDAQ on May 18, 2012. Based on its 2012 income of USD 5.1 Billion, Facebook joined the Fortune 500 list for the first time, being placed at position 462 on the list published in 2013.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook )

Abstract Advisory Information:
==============================
The independent Vulnerability Laboratory researcher Paulos Yibelo discovered a limitation bypass vulnerability in the official Mobile Site and mobile app (Android/iOS).

Vulnerability Disclosure Timeline:
==================================
2014-12-10: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security)
2014-12-11: Vendor Notification (Facebook Security Team - Bug Bounty Program)
2014-12-15: Vendor Response/Feedback (Facebook Security Team - Bug Bounty Program)
2015-01-12: Vendor Fix/Patch (Facebook Developer Team - Reward: Bug Bounty)
2015-01-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A restriction/limitation bypass web vulnerability has been discovered in the official Facebook Mobile web-application framework. Facebook limits a name change for 60 days before a new name is applied.

The advisory explains how I was able to bypass the restriction to change my 'Alternative name' using parameter session tampering. First the attacker uses a restricted account (60 day) and reviews the changes by using a session tamper. By a permanent exchange of the name values the service updates the name value through the mobile service without usage of the secure restriction mechanism. Remote attackers are able to bypass the restriction to exploit the vulnerability. The attack vector of the issue is located on the application side and the request method to inject is POST. Using this bug, a local attacker (a logged in user) can impersonate other users to manipulate their friends and change back to their account name (bypassing the 60 day restriction).

The security risk of the filter bypass vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 3.5. Exploitation of the filter mechanism vulnerability requires a low privileged web-application user account without user interaction. Successful exploitation of the bypass issue results in unauthorized account name changes through alternative name inputs.

Request Method(s):
[+] POST

Vulnerable Service(s):
[+] Facebook - Mobile Website
[+] Facebook Apps - Apple iOS & Android

Vulnerable Module(s):
[+] ./settings/account/

Vulnerable Parameter(s):
[+] name

Proof of Concept (PoC):
=======================
The bypass vulnerability can be exploited by remote attackers with a restricted user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Requirements: Attacker needs an account that changed its name and is limited for 60 (x) days before making any other changes

Manual steps to reproduce the vulnerability ...
1. Go to https://m.facebook.com/settings/account/?name&refid=70
2. Click review changes and tamper the request, change the value of alternative name to anything
3. Continue the request and save the changed value
4. Submit request, then enter your test account password
5. Name value is changed even if time restriction was set
Note: Alternative name shall then be updated too
6. Facebook vulnerability successfully exploited!

Reference(s):
https://m.facebook.com/settings/account/?name&refid=70

Security Risk:
==============
The security risk of the restriction/limitation bypass vulnerability in the change name function is estimated as medium. (CVSS 3.5)

Credits & Authors:
==================
Paulos Yibelo (paulosyibelo.com)

Source