Security researcher Michael Messner has identified multiple vulnerabilities in D-Link DIR-600 and DIR-300 routers that allow attackers to execute arbitrary shell commands on the device.
According to the researcher's blog post, the vulnerability is caused by missing access restrictions and missing input validation on the cmd parameter: the parameter is passed to the shell without authentication and without any filtering.
The OS command injection allows an attacker to start telnetd on the router and take full control of the device.
CSRF vulnerability: the password-change request does not ask for the current password. An attacker can therefore change the administrator password without knowing it, by luring a victim into loading a page that silently submits the password-change request from the victim's browser.
The researcher also found that no password hashing is implemented: the root password is stored in plain text in the var/passwd file.
According to a report by The H, an attacker can exploit the vulnerability to redirect all of a router's internet traffic to a third-party server.
Messner notified D-Link about the vulnerabilities, but the vendor responded that the issue is browser related and that it will not provide a fix.
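The flaw class above is a web handler that hands a request parameter to the shell with neither a login check nor validation. The following is an added illustration, not the D-Link firmware or Messner's code; the endpoint shape, the session dictionary and the single-entry allowlist are assumptions. It shows the vulnerable pattern (the cmd value goes to `sh -c`, so `;` appends a second command) next to a hardened dispatcher that requires an authenticated session, maps the request onto a fixed argv list and validates the only free argument as an IP address, so no request data is ever parsed by a shell.

```python
import ipaddress
import shlex
import subprocess

# Added illustration of the flaw class described above, not the D-Link firmware.
# The endpoint shape, the session dict and the allowlist are assumptions.

def shell_line_vulnerable(params):
    """The vulnerable pattern: no login check, and the cmd parameter is handed
    to the shell unchanged.  `sh -c` honours ';', '|', '&&' and backticks, so
    cmd="ping 192.0.2.1; telnetd" also starts telnetd."""
    return ["sh", "-c", params.get("cmd", "")]

# Hardened: each permitted operation maps to a fixed argv prefix plus one
# validated argument.  Nothing from the request is ever parsed by a shell.
ALLOWED = {
    "ping": (["ping", "-c", "1"], lambda a: str(ipaddress.ip_address(a))),
}

def handle_diagnostics(session, params):
    """Return an (HTTP status, payload) pair; payload is the argv list on success."""
    if not session.get("authenticated"):
        return 401, "login required"
    sub = params.get("cmd")
    if sub not in ALLOWED:
        return 400, "unknown command"
    prefix, validate = ALLOWED[sub]
    try:
        arg = validate(params.get("arg", ""))   # ip_address() rejects "192.0.2.1; telnetd"
    except ValueError:
        return 400, "invalid argument"
    return 200, prefix + [arg]

def run_diagnostics(session, params, dry_run=True):
    """dry_run=True returns the exact command line that would run; with
    dry_run=False the argv list goes straight to exec() with shell=False."""
    status, payload = handle_diagnostics(session, params)
    if status != 200:
        return status, payload
    if dry_run:
        return 200, shlex.join(payload)
    proc = subprocess.run(payload, capture_output=True, text=True, check=False)
    return 200, proc.stdout

if __name__ == "__main__":
    print(shell_line_vulnerable({"cmd": "ping 192.0.2.1; telnetd"}))
    print(run_diagnostics({"authenticated": True}, {"cmd": "ping", "arg": "192.0.2.1"}))
    print(run_diagnostics({"authenticated": True}, {"cmd": "ping", "arg": "192.0.2.1; telnetd"}))
    print(run_diagnostics({}, {"cmd": "ping", "arg": "192.0.2.1"}))
```

The two controls are independent: the authentication check alone would still leave a logged-in admin exposed to CSRF, and the argv allowlist alone would still let anyone on the LAN ping from the router, so a fix needs both.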
A security researcher from crackhackforum.com, Rynaldo, has discovered multiple vulnerabilities in the website of the antivirus vendor BitDefender.
The researcher claimed that he sent several emails to BitDefender's team, but they have neither responded nor fixed the vulnerabilities.
"The website has several reflected XSS vulnerabilities and a CSRF vulnerability. I have also found a way to cause a DoS attack on the local server to take BitDefender temporarily down," Rynaldo said.
CSRF attack: on https://my.bitdefender.com/en_us/my/#page=account.index an attacker is able to perform a CSRF attack to change the details on the user's profile. CSRF tokens are not implemented, and the password is not required to change information on the profile.
XSS attack:
"my.bitdefender.com/en_us/": this page sets the language specification in the URL (en_us) but does not secure it very well. That means that by replacing the language specification with our XSS payload, our XSS script will be executed. The language specification is forced into the URL on every page, which means we can inject our XSS into every page on "my.bitdefender.com".
[Screenshot: Reflected XSS]
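The language-prefix issue described above is a reflected XSS pattern: a path segment is copied into the HTML of every page. The following is an added illustration of that pattern and its fix, not BitDefender's code; the page template, the locale allowlist and the function names are assumptions. The vulnerable renderer echoes the segment as-is, while the hardened one accepts only a known locale and HTML-escapes the value before it reaches the markup.

```python
import html
import re

# Added illustration, not BitDefender's code. The template, the locale
# allowlist and the function names are assumptions for the example.
SUPPORTED_LOCALES = {"en_us", "de_de", "fr_fr", "ro_ro"}

def first_segment(path):
    """The language code is the first path segment, e.g. /en_us/my/ -> en_us."""
    return path.strip("/").split("/", 1)[0]

def page_vulnerable(path):
    """Reflects the segment unescaped into an attribute and a link, as the
    report describes: a payload in the URL becomes live markup."""
    lang = first_segment(path)
    return '<html lang="%s"><a href="/%s/my/">Account</a></html>' % (lang, lang)

def page_hardened(path):
    """Allowlist first (unknown locales fall back to a default), then escape
    anyway so the value cannot break out of the attribute or the element."""
    lang = first_segment(path)
    if lang not in SUPPORTED_LOCALES:
        lang = "en_us"
    safe = html.escape(lang, quote=True)
    return '<html lang="%s"><a href="/%s/my/">Account</a></html>' % (safe, safe)

def contains_script(markup):
    """Crude check used by the demo: did a <script> element reach the page?"""
    return re.search(r"<script\b", markup, re.I) is not None

if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    print(page_vulnerable("/" + payload + "/my/"))   # payload lands in the markup
    print(page_hardened("/" + payload + "/my/"))     # falls back to en_us, escaped
```

The allowlist is what makes the fix robust: escaping alone protects the HTML context shown here, but a locale value that also feeds a redirect, a cookie or a file path would need its own validation, and a fixed set of known codes covers all of those at once.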
I have discovered a Cross-Site Request Forgery (CSRF) vulnerability in the top online SMS-sending services 160By2.com and Way2SMS.com. Let me start with the security flaw in 160By2, because it is the critical one.
CSRF in 160By2:
The vulnerability allows an attacker to send SMS messages from the victim's account to any mobile number. I discovered this flaw while I was sending New Year wishes to my friends.
The vulnerability resides in the "SMS alerts" page, which lets a user schedule SMS messages. Unfortunately, this page does not use a CSRF token to check whether the request actually originates from the user.
So it is easy for an attacker to lure the victim into clicking a crafted link that sends a malicious request to the server; because the browser attaches the victim's session cookie, the server treats the forged request as the victim's own.
An attacker can modify the request so that it sends an SMS to anyone at any time.
[Screenshot: CSRF Vulnerability in 160BY2]
Solution:
While sending the above request, include and verify the "action" value that is used on the main SMS-sending page, so that a request without a valid value is rejected.
CSRF in Way2SMS:
This vulnerability only allows an attacker to change the victim's name with a crafted request.
Solution:
While sending the above request, include and verify the "action" value that is used on the main SMS-sending page.
I tried to notify both websites about the issue, along with a solution to fix the vulnerability, but there was no response from their side, so I decided to publish the details.
Note: I previously discovered a persistent XSS vulnerability and notified 160By2, but they failed to respond that time as well.

The hacker group 'The Wiki Boat Brazil' has discovered three critical vulnerabilities in official websites of the U.S. Department of Transportation (dot.gov).
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request to a server on which the victim is already logged in; the browser attaches the victim's session cookie, so the server accepts the request as the victim's.
The site was found to be vulnerable to CSRF, and the hackers provided us with a proof of concept for the attack. The vulnerability allows an attacker to promote a user to admin if an admin user clicks a specially crafted link.
They also discovered an SQL injection vulnerability in the ITS Deployment Statistics subdomain of the U.S. Department of Transportation (www.itsdeployment.its.dot.gov).
The Environmental Review Toolkit page (www.environment.fhwa.dot.gov) is vulnerable to a non-persistent (reflected) cross-site scripting (XSS) attack.
They also leaked some data compromised from the Federal Highway Administration (www.fhwa.dot.gov).
A few days earlier, they attacked the Ministry of Finance and Federal Police sites in Brazil.
The details can be found here:
http://thewikiboatbrazil.com.br/DOT
Security researcher Prakhar Prasad has discovered a cross-site request forgery (CSRF) vulnerability in the Twitter Translation Center (translate.twttr.com) that allowed an attacker to change a user's badge and notification settings.
The "Account Settings" page of the Twitter Translation Center has two options: the first toggles the Twitter badge setting on Twitter.com, and the second toggles the badge-related notification.
When a user clicks the Save changes button, the browser sends a POST request to the server. The POST body contains a parameter named 'authenticity_token'.
Normally, to prevent CSRF attacks, the authenticity_token must be verified on the server side, but the Twitter team failed to verify it: a request carrying a forged token was accepted just like a genuine one, which results in a CSRF vulnerability.
The researcher notified the Twitter Security Team with a proof of concept. Twitter replied immediately, saying that the team was investigating the issue.
The vulnerability was fixed on 16 October; the authenticity_token is now checked on the server side, and any modification to the token results in an error page.
Indian security researcher AMol NAik has discovered a critical vulnerability in the social network giant Facebook, earning $5,000 for reporting it.
He discovered a cross-site request forgery (CSRF) vulnerability that allows an attacker to execute actions as a logged-in user by getting that user's browser to load specific URLs.
After Facebook introduced its App Center functionality, AMol NAik discovered that the anti-CSRF tokens in HTTP requests were apparently not validated on the server side and that an attacker was therefore able to add applications on the platform as another user.
"There are many new parameters added in this new feature. Parameter 'fb_dtsg' is like a token and 'perm' are the permissions required by the apps. Parameters 'redirect_url' and 'app_id' are app-specific values. The remaining parameters seem static except 'new_perms' and 'orig_perms'. I started to play with these two dynamic params and after a few attempts, I knew that these params were no longer needed to add an app," the researcher said in his blog.
"Anti-CSRF tokens like 'fb_dtsg' are supposed to get validated on the server side. I was shocked to see that in this new feature, somehow the developer missed this point and it was possible to add an app without 'fb_dtsg'. Bang!!"
To execute the attack, the attacker merely needs the victim to visit a specially crafted web site, after which malicious applications can be added to the victim's account through the App Center.
Anti-CSRF measures like the ones employed by Facebook are supposed to prevent this kind of attack by generating a token for every valid session that the client has to send with every state-changing request. Scripts on other web sites have no access to this token and therefore cannot generate valid requests. In Facebook's case, the App Center pages did not actually check the token for validity, which allowed anyone to send bogus requests and have them accepted.
The Facebook Security team fixed the vulnerability within one day of being contacted by AMol NAik.
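Every CSRF case on this page comes down to the same server-side check, or its absence: the D-Link password change that never asks for the current password, the 160By2 and Way2SMS requests with no token at all, and the Twitter Translation Center and Facebook App Center requests that carry a token the server never validates. The following is an added example in the spirit of the preceding paragraph, not code from any of those sites; the in-memory session store, the user records, the handler names `toggle_badge` and `change_password` and the form field names are assumptions. It shows a session-bound token, a handler that can be switched between "token present but unchecked" and "token verified with a constant-time compare", and what a cross-site forged request can and cannot carry.

```python
import hmac
import secrets

# Added example, not the code of D-Link, Twitter, Facebook or the SMS sites.
# SESSIONS and USERS are a constructed in-memory stand-in for a web app's
# session store and user database.
SESSIONS = {}   # session cookie value -> {"user": ..., "csrf": ...}
USERS = {"alice": {"password": "correct horse", "badge": False}}

def login(user):
    """Create a session and bind a fresh, unguessable anti-CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token(sid):
    """What the genuine settings page embeds in its form (same-origin only)."""
    return SESSIONS[sid]["csrf"]

def token_is_valid(sid, submitted):
    """Constant-time comparison against the token bound to this session."""
    if not isinstance(submitted, str):
        return False
    expected = SESSIONS[sid]["csrf"]
    return hmac.compare_digest(expected.encode(), submitted.encode())

def toggle_badge(sid, form, validate_token=True):
    """Settings handler.  validate_token=False reproduces the Translation
    Center / App Center bug: the token field exists but is never checked, so a
    cross-site POST that carries only the session cookie is accepted."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if validate_token and not token_is_valid(sid, form.get("authenticity_token")):
        return 403, "bad or missing anti-CSRF token"
    USERS[session["user"]]["badge"] = form.get("badge") == "on"
    return 200, "saved"

def change_password(sid, form, require_current=True):
    """Password change.  require_current=False reproduces the D-Link flaw: a
    forged request can set a new password without knowing the old one."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if not token_is_valid(sid, form.get("authenticity_token")):
        return 403, "bad or missing anti-CSRF token"
    user = USERS[session["user"]]
    if require_current and form.get("current") != user["password"]:
        return 403, "current password does not match"
    user["password"] = form["new"]
    return 200, "saved"

def forged_request(form_fields):
    """What an attacker's page can submit: the victim's browser attaches the
    session cookie by itself, but the attacker cannot read the token bound to
    that session, so the forged form carries none."""
    return {k: v for k, v in form_fields.items() if k != "authenticity_token"}

if __name__ == "__main__":
    sid = login("alice")
    attacker_form = forged_request({"badge": "on", "authenticity_token": "guess"})
    print(toggle_badge(sid, attacker_form, validate_token=False))  # the bug: accepted
    print(toggle_badge(sid, attacker_form))                         # fixed: rejected
    print(toggle_badge(sid, {"badge": "on", "authenticity_token": csrf_token(sid)}))
```

Two details matter in practice. The token must be bound to the session (or derived from it with a keyed MAC) rather than being a static site-wide value, otherwise the attacker can simply read it from their own account and replay it. And for the highest-impact actions, such as a password change, the token check should be combined with re-authentication, which is exactly the check the D-Link firmware omitted.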