Hackers can covertly activate MacBook webcams without the warning light


Recently, a hacker managed to take nude photos of his high school classmate by covertly activating the webcam of a MacBook without turning on the warning light.

Though the MacBook is designed to turn on a warning light next to the webcam whenever the camera is active, researchers say that light can be disabled.

Researchers from Johns Hopkins University have published a paper entitled "iSeeYou: Disabling the MacBook Webcam Indicator LED", first reported by the Washington Post, which demonstrates how an attacker can disable the LED indicator.

According to the research, the vulnerability affects older Apple products, including the iMac G5 and early Intel-based iMacs, MacBooks, and MacBook Pros released before 2008.

However, security researcher Charlie Miller suggests the attack could also be possible on newer machines.

Critical Vulnerability Found in Apple Mac OS X Sandbox Mechanisms


CoreLabs researchers discovered a critical vulnerability in Mac OS X's sandboxing mechanisms. They published the advisory on Nov 10, 2011.

Vulnerability Description

Several of the default pre-defined sandbox profiles don't properly limit all the available mechanisms and therefore allow exercising part of the restricted functionality. Namely, sending Apple events is possible within the no-network sandbox (kSBXProfileNoNetwork). A compromised application hypothetically restricted by the use of the no-network profile may have access to network resources through the use of Apple events to invoke the execution of other applications not directly restricted by the sandbox.

It is worth mentioning that a similar issue was reported by Charlie Miller in his talk at Black Hat Japan 2008. He mentioned a few processes that are sandboxed by default, as well as a method to circumvent the protection. Some time after the talk, Apple modified the mentioned profiles by restricting the use of Apple events, but did not modify the generic profiles.

According to the advisory, Apple Mac OS X 10.7.x, 10.6.x, and 10.5.x are vulnerable.

Apple Mac OS X 10.4 is not vulnerable.
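The mitigation the advisory points at is a profile that closes the Apple-event path as well as the network. The profile below is an added illustration written for this page; it is not one of Apple's shipped profiles and not CoreLabs' proof of concept. It uses the sandbox profile language (SBPL) that sandbox-exec reads; the file name and the set of allowed operations are assumptions chosen for a simple command-line tool.

```scheme
;; no-network-no-ae.sb  (hypothetical custom profile, not an Apple-shipped one)
;; A deny-by-default sandbox that, unlike the stock no-network profile
;; (kSBXProfileNoNetwork) discussed above, also refuses to send Apple events,
;; so the sandboxed process cannot ask an unsandboxed application to reach
;; the network on its behalf.
(version 1)

;; Start from nothing; every capability below is granted explicitly.
(deny default)

;; Log every denied operation so escape attempts show up in the system log
;; (useful while validating the profile and for later review).
(debug deny)

;; Assumed minimum for a simple tool: run, fork, read files, read sysctls.
(allow process-exec)
(allow process-fork)
(allow file-read*)
(allow sysctl-read)

;; Both of these are already implied by (deny default); they are spelled out
;; so that a later (allow ...) added to this file cannot quietly reopen them.
(deny network*)

;; The gap described in the advisory: Apple events let a sandboxed process
;; drive an application that is not sandboxed. Deny them outright. If a tool
;; legitimately needs to script one application, narrow this to that target,
;; e.g. (allow appleevent-send (appleevent-destination "com.example.app")),
;; instead of leaving the whole mechanism open.
(deny appleevent-send)
```

To apply it, run the program under the profile with `sandbox-exec -f no-network-no-ae.sb <command>`; with `(debug deny)` in place, any attempt to open a socket or send an Apple event from inside the sandbox is refused and recorded rather than silently succeeding through another application.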


Non-Persistent Cross-Site Scripting (XSS) Vulnerability Found in Apple Website

The Apple website is vulnerable to non-persistent cross-site scripting (XSS). The Vulnerability-Lab team (Alexander F.) discovered a non-persistent input validation vulnerability on the well-known Apple vendor website. This vulnerability allows an attacker to hijack user, moderator, or admin sessions of the portal.

Vulnerability Information:
  • Vulnerability Type: XSS (Non-Persistent)
  • Alert Level: Medium
  • Status: Fixed
  • Discovered by: Vulnerability Lab Team
  • Website: https://discussions.apple.com

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with required user interaction. For demonstration or
reproduce ...

PoC:

<!-- BEGIN main body -->
<div id="jive-body-main">
    <!-- BEGIN main body column -->
<div id="jive-body-maincol-container">
        <div id="jive-body-maincol">   
<h1 class="apple-account-issue-reported">We're sorry.</h1>     
<div id="apple-sso-error">

    <iframe src="http://www.vulnerability-lab.com"; onload="alert(vulnerabilitylab)" height="800px" width="900px">   <=[x] 

</div><div id="apple-sso-home">
Return to
<a href="https://discussions.apple.com";>Apple Support Communities</a>.                 
</div>
        </div>
    </div>
<!-- END main body column -->
</div>
<!-- END main body -->  
</div>         
<div class="clear"></div>              
<div class="boot"></div>               
</div><!--/content-->  
</div><!--/#main-->
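The PoC above works because a request parameter is written back into the error page without output encoding, so a value containing a closing quote or a `<` starts new markup. The Python below is an added example written for this page, not code from Vulnerability-Lab or from Apple's site: it models a hypothetical error page with a vulnerable and a hardened renderer for both contexts seen in the PoC (an attribute value and an element body), and a small response check, built on the standard-library HTML parser, that a tester or WAF reviewer can use to confirm that no injected event-handler attribute survived into the output. The payloads are constructed to mirror the advisory's iframe.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs modelled on the advisory's PoC: one aimed at an
# attribute context (closing the quote of src/href), one at an element body.
ATTR_PAYLOAD = 'http://www.vulnerability-lab.com" onload="alert(1)'
BODY_PAYLOAD = '<iframe src="http://www.vulnerability-lab.com" onload="alert(1)">'


def escape_attr(value: str) -> str:
    # quote=True also rewrites " and ', so the value can never close the
    # attribute it is placed in; html.escape handles <, >, & for the body case.
    return html.escape(value, quote=True)


# Hypothetical "Return to" link on an SSO error page (attribute context).
def render_return_link_vulnerable(return_url: str) -> str:
    # Defect: untrusted value dropped straight into href="..."
    return f'<a href="{return_url}">Apple Support Communities</a>'


def render_return_link_safe(return_url: str) -> str:
    return f'<a href="{escape_attr(return_url)}">Apple Support Communities</a>'


# Hypothetical error message rendered inside a div (element-body context).
def render_error_vulnerable(message: str) -> str:
    # Defect: untrusted value becomes child markup of the div
    return f'<div id="apple-sso-error">{message}</div>'


def render_error_safe(message: str) -> str:
    return f'<div id="apple-sso-error">{html.escape(message, quote=True)}</div>'


class HandlerAttrFinder(HTMLParser):
    """Collect (tag, attribute) pairs for inline event handlers such as onload.

    The parser decodes entities in attribute values, so an escaped payload that
    stays inside its attribute is NOT reported; only a real new attribute is.
    """

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name.lower()))


def find_event_handlers(response: str) -> list[tuple[str, str]]:
    """Return every inline event-handler attribute present in a rendered response."""
    finder = HandlerAttrFinder()
    finder.feed(response)
    finder.close()
    return finder.handlers


def reflects_unescaped(payload: str, response: str) -> bool:
    """True if the raw payload comes back byte-for-byte, i.e. no encoding was applied."""
    return payload in response


if __name__ == "__main__":
    for label, page in (
        ("link, vulnerable", render_return_link_vulnerable(ATTR_PAYLOAD)),
        ("link, safe", render_return_link_safe(ATTR_PAYLOAD)),
        ("body, vulnerable", render_error_vulnerable(BODY_PAYLOAD)),
        ("body, safe", render_error_safe(BODY_PAYLOAD)),
    ):
        print(f"{label:18} handlers={find_event_handlers(page)}")
```

The check deliberately parses the response instead of grepping for `alert(`: the hardened link still contains the text `onload=` inside its href value, which is harmless, and only a parser can tell an attribute value apart from an attribute. Encoding at output time, per context, is the fix; stripping `<script>` from input would not have stopped the iframe-with-onload variant shown in the advisory.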

Apple Website Hacked and Defaced by HodLuM

The hacker HodLuM hacked one of Apple's subdomains and uploaded an image file to it.
Here is the link:
http://edseminars.apple.com/seminars/eventfiles/668/0wnz.jpg
The hacker called Anonymous, LulzSec, Turkish hackers, and inj3ctor n00bs.

The message from the hacker:
Special greetings to all those turkish 1337l4m3rz iskorptix,1923Turk, GHoST61 & Ashiyane crew, this is a special message for YOU.

Keep defacing some random websites that nobody gives a f'ck about. Are 1337day.com and exploit-db.com good enough to find some b0x3z to 0wn? LOL.
NOObz.;))

./EOF. SOuc3 c0d3 f0r d4 w1n. (w4nn4 h3Lp bUnny?) - 2011 baby!

oh.. and btw, Anonymous/Lulsec, go F'CK yourself too, your group is full of noobs and lamers. Don't think you're leets, as it not the case. At all.



Screenshot of Defacement:

Note:
HodLuM also hacked the AOL website.