Security researchers from Bitdefender Labs have spotted a new variant of the Dorkbot malware that targets Facebook users, spreading through the social network's internal chat.
Dorkbot is an IRC-based worm that spreads through instant-messaging programs and social networks; it can steal login credentials and block security updates.
The malware was uploaded to the file-sharing site MediaFire with a '.JPG' extension. Once it compromises a victim's system, it sends links to the malware to the victim's friends over the chat service, according to a Computerworld report.
Researchers said the malware is capable of spying on users' browsing activity and stealing their personal details. Bitdefender found links to the malware circulating in the United States, India, Portugal, the UK, Germany, Turkey and Romania.
The Australian Federal Police (AFP) has reportedly arrested a 24-year-old self-proclaimed leader of the LulzSec hacking group.
The arrest comes a few days after a LulzSec member was jailed for the SQL injection attack that gave him access to the Sony Pictures Entertainment site.
According to the ABC News report, the AFP says the investigation began less than two weeks ago, when investigators found that a government website had been breached.
The report did not reveal the man's identity. He has been charged with two counts of unauthorised modification of data to cause impairment and one count of unauthorised access to a restricted computer system.
Just a few weeks ago Nir Goldshlager published an OAuth vulnerability in Facebook. Security researcher Amine Cherrai has now found a similar vulnerability in Facebook that allowed an attacker to obtain the access_token, with full permissions, of any Facebook account.
"As you may know, last month Facebook closed many bugs, leading to security reinforcement of the 'redirect_uri' parameter to prevent hijacking attacks. One of these reinforcements was rejecting all 'redirect_uri' values that have '#' or '#!'," the researcher wrote in his blog.
"While I was looking in the Facebook JavaScript SDK I found something strange: I found that it uses http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f876ddf24&origin=http://localhost&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c& as a redirect_uri and it's not rejected... So I said let's use it too!!!"
Amine successfully built a PoC that redirects to another Facebook page carrying the access token, but he ran into problems when redirecting to an external website.
Nir Goldshlager helped Amine by suggesting that he redirect to an application on Facebook and let that application redirect to the external website, instead of redirecting directly. Following Nir Goldshlager's instructions, he managed to build a final working redirect_uri.
POC video
Facebook has learnt from its previous lessons and now fixes vulnerabilities as soon as they are reported; this vulnerability has already been fixed.
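What makes this bug class possible is a redirect_uri check that works by blocklisting characters rather than by exact comparison with the URIs registered for the application. The following Python is an added example written for this post, not code from Facebook or from the researchers; the registered callback, the assumption that Facebook-owned hosts were exempt from the '#' filter, and the function names are hypothetical. It contrasts a blocklist-style check with the exact-match check RFC 6749 expects, using the xd_arbiter URL quoted above as input.

```python
from urllib.parse import urlsplit

# Constructed data: a hypothetical client registration, not Facebook's real configuration.
REGISTERED_REDIRECT_URIS = {"http://localhost/oauth/PoC_js/"}   # the PoC callback from the post
FIRST_PARTY_HOSTS = {"static.ak.facebook.com"}                     # assumption: why the SDK URL was allowed

# The SDK URL quoted in the post: a first-party page whose fragment names another origin and path.
XD_ARBITER_URI = ("http://static.ak.facebook.com/connect/xd_arbiter.php?version=21"
                  "#channel=f876ddf24&origin=http://localhost"
                  "&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c&")


def check_redirect_uri_naive(uri: str) -> bool:
    """Blocklist-style check of the kind the post describes: reject '#', but trust
    first-party hosts without looking at where their fragment will send the browser."""
    host = (urlsplit(uri).hostname or "").lower()
    if host in FIRST_PARTY_HOSTS:
        return True
    return "#" not in uri


def _canonical(uri: str):
    p = urlsplit(uri)
    # scheme and host are case-insensitive; path and query are compared as-is
    return (p.scheme.lower(), p.netloc.lower(), p.path, p.query)


def check_redirect_uri_strict(uri: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """RFC 6749 style: the redirect_uri must equal a registered URI by simple string
    comparison, carry no fragment, and use an expected scheme."""
    if "#" in uri:
        return False
    p = urlsplit(uri)
    if p.scheme.lower() not in ("https", "http"):   # http kept only because the PoC used localhost
        return False
    if p.username or p.password:                    # http://facebook.com@evil.example/ style hosts
        return False
    return _canonical(uri) in {_canonical(r) for r in registered}
```

The strict check deliberately has no notion of "trusted host": a first-party page that forwards to whatever its fragment names is exactly as dangerous as an open redirect on a third-party host, so only URIs the application registered in advance are accepted.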
WordPress.com, the blog hosting service, has announced that it has enabled a two-step authentication feature to keep your account secure.
Two-step authentication is a security feature that prompts you for a temporary code sent to your phone whenever you log in to your account, in addition to your password.
How to enable two-step authentication on WordPress.com?
To enable the feature, go to the new Security tab in your WordPress.com account settings and go through the setup wizard.
"We know your blog is important to you, and today we're proud to announce Two Step Authentication: an optional new feature to help you keep your WordPress.com account secure," the WordPress.com blog post reads.
Information security researchers Parveen Yadav and Mayank Bhatodra have identified a security flaw in an Adobe website that exposes internal data of Adobe Systems Inc.
Adobe uses Perforce P4Web, an application that provides access to versioned files through a web browser. Files can be viewed as icons or thumbnails, and all standard operations can be performed in the browser.
Unfortunately, Adobe fails to restrict who can reach the P4Web client, so anyone who knows the URL can browse the internal data.
For security reasons, we are not publishing the vulnerable link here. The URL allowed us to read internal data including employees' email IDs and full names. It also exposes internal directory and computer names, and source code.
"An application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly," the researchers said.
The researchers notified Adobe a few months ago but received no response. We have also notified Adobe about the vulnerability, but there has been no response from their side either.
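The quoted description is the classic "failure to restrict URL access" weakness: authorization is enforced only where links are rendered, not where requests are handled. The following Python is an added illustration, not Adobe's or the researchers' code, and the paths, mount point and group names are invented for the example. It shows the hide-the-link pattern beside a deny-by-default dispatcher that canonicalises the path first, so "/static/../p4web/" cannot slip past the check.

```python
import posixpath

# Constructed configuration for a hypothetical deployment; the real Adobe URL is not given in the post.
PUBLIC_PATHS = {"/", "/login", "/static/logo.png"}
INTERNAL_APPS = {"/p4web": "engineering"}   # mount point -> group allowed to use it


def canonical_path(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so that "/static/../p4web/x" and
    "//p4web/x" are judged as "/p4web/x"."""
    return posixpath.normpath("/" + path.lstrip("/"))


def handle_hidden_links(path: str, session) -> int:
    """The pattern the researchers describe: internal links are simply not shown to
    anonymous users, but every URL is served to whoever asks for it."""
    return 200


def handle_deny_by_default(path: str, session) -> int:
    """Authorize the request itself: public paths are an explicit allowlist, everything
    else needs a logged-in user, and internal apps additionally need group membership."""
    path = canonical_path(path)
    if path in PUBLIC_PATHS:
        return 200
    session = session or {}
    if not session.get("user"):
        return 401
    for mount, group in INTERNAL_APPS.items():
        if path == mount or path.startswith(mount + "/"):
            return 200 if group in session.get("groups", ()) else 403
    return 200   # ordinary authenticated content
```

The status codes stand in for the real handler; the point is that the decision is made per request from the canonical path and the session, never from whether a menu happened to show the link.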
The Reserve Bank of Australia was infected by a piece of malicious software allegedly developed in China, a Reuters report says.
The bank was targeted in November 2011 by suspicious emails purporting to be sent by a senior bank staff member regarding "Strategic Planning FY2012", according to documents released by the RBA.
Instead of attaching the malware to the email, the criminals embedded a link to the payload. The link led to a zip file containing a Trojan that the bank's antivirus failed to detect.
To bypass the existing security controls, the criminals used a legitimate-looking signature, a plausible subject and content, and no attachments.
"It was also found that six users had clicked on the malicious link, potentially compromising their workstations," the report noted.
The bank said the affected PCs did not have local admin rights, which prevented the malware from spreading across the network. A bank spokesperson told Reuters that nothing was stolen.
Narendra Bhati (R00t Sh3ll The Untracable), a 21-year-old information security researcher from Sheoganj, Rajasthan, who was recently acknowledged by Acquia.com and has also found several persistent XSS flaws and a SQL injection in a bank website, has discovered non-persistent XSS vulnerabilities in the official websites of Shiksha.com and Times Now (Times of India group), and in the News Bullet subdomain of the Star News channel.
Narendra says: Kailash Bhayya, Ravi Sir & Sabari Sir, this is for you :-)
Shiksha.com is part of the naukri.com group, India's No. 1 job portal. Other portals owned by its parent company, Info Edge, are 99acres.com, JeevanSathi.com, Brijj.com and AskNaukri.com.
TIMES NOW (timesnow.tv) is a leading 24-hour English news channel.
On all these websites the search field is vulnerable to XSS: the search term is reflected into the results page without encoding, so a double quote followed by a closing bracket breaks out of the attribute and any markup that follows is rendered.
PoC for Times Now (timesnow.tv):
http://www.timesnow.tv/videosearchresult.cms?query="/><iframe+src="http://www.breakthesecurity.com"+width="1000px"+height="1000px"></iframe>&srchcombo=1&x=0&y=0
PoC for Shiksha.com:
http://www.shiksha.com/search/index?keyword="/><iframe+src="http://www.breakthesecurity.com"+width=1000+height=1000></iframe>&start=0&institute_rows=-1&content_rows=-1&country_id=&city_id=&zone_id=&locality_id=&course_level=&course_type=&min_duration=&max_duration=&search_type=&search_data_type=&sort_type=&utm_campaign=site_search&utm_medium=internal&utm_source=shiksha&from_page=homepage&autosuggestor_suggestion_shown=5
Narendra also found that shiksha.com is vulnerable to CSRF, which allows an attacker to change a victim's mobile number through a malicious web page.
Narendra says he tried repeatedly to contact all these websites by email and through their Facebook pages, but got no reply for a month. He then decided to disclose the vulnerabilities and reported them to EHN.
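Both PoCs above work the same way: the search term is written back into an attribute of the results page unencoded, so a stray double quote closes the attribute and "/>" closes the tag. This Python example is added here and is not code from any of the affected sites; the page template is an assumption, and the payload is the Times Now one URL-decoded. It renders the term with and without HTML encoding and then lists what a parser sees, which is also a quick way to check whether a fix actually landed.

```python
import html
from html.parser import HTMLParser

# Constructed: the iframe payload from the Times Now PoC above, URL-decoded ('+' = space).
IFRAME_PAYLOAD = '"/><iframe src="http://www.breakthesecurity.com" width="1000px" height="1000px"></iframe>'
SCRIPT_PAYLOAD = '"><script>alert("E Hacking News")</script>'


def render_search_vulnerable(query: str) -> str:
    # Untrusted input dropped into an attribute value and into element text unchanged.
    return (f'<form><input type="text" name="query" value="{query}"></form>'
            f'<p>Results for {query}</p>')


def render_search_hardened(query: str) -> str:
    # html.escape with quote=True also encodes '"' and "'", so the attribute cannot be closed early.
    q = html.escape(query, quote=True)
    return (f'<form><input type="text" name="query" value="{q}"></form>'
            f'<p>Results for {q}</p>')


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(page: str) -> list:
    """The element names a browser-like parser sees in the page."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags


def is_injected(page: str, expected=("form", "input", "p")) -> bool:
    """True if the parser sees any element the template did not put there."""
    return any(tag not in expected for tag in elements_in(page))
```

Run against a live target, is_injected() on the fetched response body is a reasonable regression check: a fix that only strips "<script" but leaves the attribute unencoded still fails, because the iframe payload contains no script tag at all.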
It seems PayPal is running out of money in its bug bounty budget: bug hunters have started to report that PayPal has stopped paying bounties.
Recently, security researcher Mahadev Subedi discovered two XSS vulnerabilities in one of PayPal's domains (paypal-marketing.com.hk) and notified PayPal.
But PayPal responded: "we have determined that these bugs are not eligible for payment based on the fact the website is in the process of being decommissioned and will be shut down in the near future."
Mahadev found POST-based cross-site scripting in two pages of the paypal-marketing domain: 1. paypal-marketing.com.hk/merchant-enquiries/index.php, 2. paypal-marketing.com.hk/merchant-enquiries/index-zh.php. PoCs for these vulnerabilities can be found here.
Researchers say PayPal has stopped paying bounties because it has already paid out a lot for low-priority bugs.
[Screenshot: XSS vulnerability in Paypal-marketing]
*Update*:
Bug hunter Harsha Vardhan Boppana asked PayPal about this issue and received this reply:
Our second-party hosted sites (www.paypal-*.com) are mainly marketing-based sites that are not part of the core PayPal domains (*paypal.com) and are managed by hosting vendor companies. They do not retain as long a life cycle as the core domains and can have a more volatile timeline, as many are tied to projects and regional initiatives. For your own reference, I have provided you a list of sites currently in the process of being decommissioned and therefore not eligible for Bug Bounty processing.
Sites to be decommissioned in coming months:
- paypal-deutschland.de
- paypal-danmark.dk
- paypal-promo.es
- paypal-europe.com
- paypal-france.fr
- paypal-nederland.nl
- paypal-norge.no
- paypal-marketing.pl
- paypal-sverige.se
- paypal-turkiye.com
- paypal-business.co.uk
- paypal-marketing.co.uk
- paypal-shopping.co.uk
- paypal-australia.com.au
- paypal-biz.com
- paypal-business.com.hk
- paypal-marketing.com.hk
- paypal-offers.com.hk
- paypal-shopasia.com
- paypal-japan.com
- paypal-apac.com
- paypal-plaza.com
- thepaypalblog.com
- www.paypal-brasil.com.br
- paypal-marketing.ca
Today, information security researcher QuisterTow came to us with an interesting finding in Yahoo, one of the top search engine sites.
There is a cross-site scripting vulnerability in the hk.promotions.yahoo.com domain. It is a click-based XSS: the Flash banner takes its link target from the clickTAG parameter, and when you click the Flash content the injected code runs.
PoC code:
http://hk.promotions.yahoo.com/wedding2010/home_banner.swf?clickTAG=javascript:alert(/ E Hacking News /);
Just load the URL and click the Flash content; the injected code is executed.
At the time of writing, the vulnerability is still present.
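A Flash banner's clickTAG is just a URL the SWF opens when clicked, so any scheme the banner does not check, including javascript:, executes in the context of the hosting page. The Python below is an added example, not Yahoo's code or the researcher's; the function name and fallback value are my own. It shows the server-side validation that should have been applied before handing the value to the banner, including the whitespace and case tricks browsers tolerate in a scheme.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Browsers trim C0 control characters and spaces at both ends of a URL, and delete
# tab, LF and CR anywhere inside it, so "java\nscript:" still means "javascript:".
_EDGE_JUNK = "".join(chr(c) for c in range(0x21))
_INNER_JUNK = "\t\n\r"


def safe_click_target(click_tag: str, allowed_hosts=None, fallback: str = "/") -> str:
    """Return click_tag only if it is a same-site path or an http(s) URL (optionally on an
    allowlisted host); otherwise return the fallback. Hypothetical helper for this example."""
    cleaned = click_tag.strip(_EDGE_JUNK)
    for junk in _INNER_JUNK:
        cleaned = cleaned.replace(junk, "")
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme == "":
        # Relative reference: allow only a path, never a protocol-relative "//host/..."
        if cleaned.startswith("/") and not cleaned.startswith("//"):
            return cleaned
        return fallback
    if scheme not in ALLOWED_SCHEMES:          # javascript:, data:, vbscript:, file:, ...
        return fallback
    host = (parts.hostname or "").lower()
    if allowed_hosts is not None and host not in allowed_hosts:
        return fallback
    return cleaned
```

The check is an allowlist on the scheme, not a search for the string "javascript": a blocklist misses data: and vbscript: and is defeated by the tab and newline variants the test cases exercise.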
Security researcher Michael Messner has identified multiple vulnerabilities in D-Link DIR-600 and DIR-300 routers that allow an attacker to execute arbitrary shell commands.
According to the researcher's blog post, the vulnerability is caused by missing access restrictions and missing input validation on the cmd parameter.
The OS command injection allows an attacker to start telnetd and so take over the device.
CSRF vulnerability: the password-change form does not ask for the current password. An attacker can therefore change the password without knowing it, by sending the victim a malicious page that submits the password-change request on the victim's behalf.
The researcher also found that no password hashing is implemented; the root password is stored in plain text in the var/passwd file.
According to the H-online report, an attacker could exploit the vulnerability to redirect all of a router's internet traffic to a third-party server.
Messner notified D-Link about the vulnerabilities, but they responded that the issue is browser related and they will not provide a fix.
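The three findings share one root cause: the admin interface trusts whatever the browser sends. The following Python is an added example, not D-Link firmware code or Messner's; the diagnostic command is stood in by /bin/echo so it runs anywhere, and the form field names, hashing scheme and session layout are assumptions. It pairs the injectable cmd handler with an allowlisted, shell-free version, and the password-change handler with one that requires the current password, an anti-CSRF token and hashed storage.

```python
import hashlib
import hmac
import re
import secrets
import subprocess

# --- 1. OS command injection through the 'cmd' parameter ---------------------
# Constructed stand-in for the router's diagnostic CGI: real firmware runs a network
# tool; /bin/echo is used here so the example runs on any Unix box.

def run_diag_vulnerable(cmd_param: str) -> str:
    # String concatenation plus shell=True: ';', '&&', '|' and backticks in cmd_param
    # are interpreted by /bin/sh, which is how a "; telnetd" style payload gets executed.
    proc = subprocess.run("echo pinging " + cmd_param, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def run_diag_hardened(cmd_param: str) -> str:
    # Allowlist the value, then pass it as one argv element with no shell in between.
    if not HOST_RE.fullmatch(cmd_param):
        raise ValueError("cmd must be a hostname or IP address")
    proc = subprocess.run(["echo", "pinging", cmd_param],
                          capture_output=True, text=True)
    return proc.stdout


# --- 2. Password change: anti-CSRF token, current password, hashed storage -----
PBKDF2_ROUNDS = 200_000   # assumption; tune to the device's CPU budget


def hash_password(password: str, salt: bytes = None) -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def new_session() -> dict:
    # The token is per session and unknown to any other site, which is what defeats CSRF.
    return {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}


def change_password_vulnerable(passwd_file: dict, form: dict) -> bool:
    # Mirrors the report: no current password, no anti-CSRF token, plaintext at rest.
    passwd_file["root"] = form["new_password"]
    return True


def change_password_hardened(passwd_file: dict, session: dict, form: dict) -> bool:
    # A cross-site form post can supply neither the session token nor the current password.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return False
    if not verify_password(passwd_file["root"], form.get("current_password", "")):
        return False
    passwd_file["root"] = hash_password(form["new_password"])
    return True
```

The "passwd_file" dict stands in for var/passwd; the hashed form is what should be written there, since an attacker who reads the file through the command injection then still has to crack the password rather than simply read it.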
Security researcher Vedachala, who has been acknowledged by PayPal, Zynga and other sites, has discovered a reflected cross-site scripting vulnerability in the website of Airtel (airtel.com), India's leading telecommunications services provider.
The researcher found that the username and password fields on the page "ebpp.airtelworld.com/myaccount" are vulnerable to XSS. It is a POST-based XSS, so the payload has to be submitted through the form rather than placed in a URL.
Entering the following code in the username field, with any password, triggers the XSS:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
The researcher also claims to have found XSS on BSNL, Tata Docomo and 000webhost. He says he reported the vulnerability to Airtel, but they failed to respond.
Recently, I (Sabari Selvan, aka BreakTheSec) discovered an XSS vulnerability in the Airtel website and reported it to them. It seems they neither replied nor patched the vulnerability, so it is better to publish my finding in this same post.
The PoC code for my finding:
http://www.airtel.in/wps/wcm/connect/airtel.in/airtel.in/home/foryou/mobile/prepaid+services/reach+airtel/PG_FY_MB_Prepaid_ReachAirtel/?page=cs_m&CIRCLE=2&CIRCLENAME="><script>alert("BreakTheSec")</script>
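The username payload above is a polyglot: it tries several closing sequences because the reflected value may land in an attribute, in element text, or inside a script string. The Python below is an added example, not Airtel's page or either researcher's code; the script template is an assumption. It shows why plain HTML encoding is the wrong fix for the script-string case and checks, with a small JS string-literal scanner, whether each encoding leaves the script intact.

```python
import html
import json

# Constructed page template: the submitted username is echoed into an inline script.
# (Assumption: the real Airtel markup is not shown in the post.)
PREFIX = "var user = "

# The polyglot from the post, as submitted in the username field.
POLYGLOT = r"""';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>"""


def embed_naive(username: str) -> str:
    return PREFIX + "'" + username + "';"


def embed_html_escaped(username: str) -> str:
    # Common wrong fix: encode only <, > and &. Inside <script> no entity decoding happens,
    # and the quote that ends the JS literal is left untouched.
    return PREFIX + "'" + html.escape(username, quote=False) + "';"


def embed_json(username: str) -> str:
    # Right fix for a JS string context: a JSON literal, with <, >, & and the JS line
    # terminators also escaped so neither the literal nor the <script> element can be closed early.
    literal = json.dumps(username)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return PREFIX + literal + ";"


def _literal_end(src: str, start: int) -> int:
    """Index just past the JS string literal beginning at src[start], or -1 if unterminated."""
    quote = src[start]
    i = start + 1
    while i < len(src):
        c = src[i]
        if c == "\\":
            i += 2            # backslash escape: skip whatever follows
            continue
        if c == quote:
            return i + 1
        if c in "\n\r\u2028\u2029":
            return -1         # raw line terminator: syntax error, literal never closes
        i += 1
    return -1


def script_is_intact(script: str) -> bool:
    """True iff the snippet still parses as exactly `var user = <one string literal>;`
    and cannot close the surrounding <script> element."""
    if "</script" in script.lower():
        return False
    if not script.startswith(PREFIX):
        return False
    end = _literal_end(script, len(PREFIX))
    return end != -1 and script[end:] == ";"
```

The scanner is not a JavaScript parser, but it answers the one question that matters here: does the attacker-controlled text end where the developer thinks it does. Note that the naive and HTML-escaped versions fail on the very first character of the payload, before any of the script tags are reached.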
Information security researcher Mahadev Subedi, from coolpokharacity.com, claims to have discovered a persistent cross-site scripting vulnerability in the MediaFire website (mediafire.com).
The vulnerability lies in MediaFire's file upload feature: the developers fail to sanitize or encode the name of an uploaded file before displaying it, so the name is stored and rendered as markup for every visitor who views the listing.
[Screenshot: Persistent XSS vulnerability in Mediafire]
"Whenever we upload file names containing encoded or decoded malicious XSS code, it results in cross-site scripting," the researcher said in the email.
For instance, creating a file with the following name and uploading it results in XSS:
"><img src=x onerror=alert(1)>.jpg.txt
Recently, security researcher Frans Rosén discovered a similar vulnerability in Dropbox.
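Stored XSS through a file name has two parts a fix must cover: what is accepted at upload time and the records already sitting in the database. This Python is an added example, not MediaFire's or Dropbox's code; the character policy and length limit are assumptions. It normalises uploaded names and provides an audit helper for names already stored. Output encoding on the listing page is still required, since normalisation is lossy and cannot be relied on alone.

```python
import posixpath
import re
import unicodedata

MAX_LEN = 255                          # assumption: a typical filesystem limit
_FORBIDDEN = set('<>:"/\\|?*')         # path separators plus characters invalid on common filesystems


def normalize_filename(name: str) -> str:
    """Canonicalise an uploaded file name before storing it: no directory parts,
    no control characters, no markup characters, bounded length."""
    name = unicodedata.normalize("NFKC", name)
    name = posixpath.basename(name.replace("\\", "/"))            # drop ../ and absolute paths
    name = "".join(ch for ch in name
                   if ch.isprintable() and ch not in _FORBIDDEN)  # NUL, CR/LF, <, >, " ...
    name = name.strip(" .")                                       # no dot-only or hidden names
    return (name or "unnamed")[:MAX_LEN]


_MARKUP = re.compile(r"<|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def looks_like_markup(name: str) -> bool:
    """Audit helper for names already in the database: a stored payload persists after the
    upload path is fixed, so existing records have to be found and renamed too."""
    return bool(_MARKUP.search(name))


def audit_store(names):
    """Return the stored names that deserve a look; false positives are acceptable here."""
    return [n for n in names if looks_like_markup(n)]
```

The double extension in the PoC (".jpg.txt") is irrelevant to the bug: the listing page renders the name, not the content, so any name survives as long as the characters in it do.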
The Tunisian hacker Human Mind Cracker claims to have discovered SQL injection vulnerabilities in top Bangladesh government websites.
In an email sent to E Hacking News, the hacker said he found SQLi in three government sites.
The affected sites are the official site of Bangladesh Railway (railway.gov.bd), the National Institute of Mass Communication of Bangladesh (NIMC.gov.bd) and Jiban Bima Corporation (JBC.gov.bd).
The hacker breached the database server belonging to the National Institute of Mass Communication and leaked the stolen data on Hey paste it (heypasteit.com/clip/0NUH).
The database dump contains the table names, user names and hashed passwords, more than 650 entries of user data in all.
The hacker claims the Bangladesh government websites are not secure at all. As far as I know, not only Bangladesh but other countries' government sites are vulnerable too. More than 90% of government websites are vulnerable.
Information security expert Narendra Bhati, from Sheoganj, India, has discovered a reflected cross-site scripting vulnerability in the official website of Aircel (aircel.com).
Aircel is an Indian mobile network operator headquartered in Chennai that provides wireless voice, messaging and data services in India.
The vulnerability exists in the search field of the website: code injected into the search box is reflected into the page and executed.
For instance, injecting the following code into the search box displays an alert box:
"><script>alert("E Hacking News")</script>
Narendra also found that the field allows an iframe to be injected, so an attacker could load a phishing page inside the site to scam visitors:
"/><iframe src="http://www.google.com" width=1000 height=1000></iframe>
Security researchers from Webroot have found cyber criminals compromising legitimate websites to spread their malware. One of the popular Bulgarian websites for branded watches has been compromised and redirects to a malicious page.
The malicious page serves premium-rate SMS Android malware to users who visit from Android devices.
The same criminals are involved in a few other campaigns. In one, they lure Russian-speaking users into installing a fake Adobe Flash Player.
Other campaigns use a fake Android browser and a fake Google Play as the social engineering theme.
When the malicious app is executed, it collects information such as IMEI, brand, operator and IMSI and sends it to a remote server.
Security researcher Ankit Bharathan (aka lonely-hacker) has discovered a non-persistent cross-site scripting vulnerability in an Adobe website.
The vulnerability resides in the Adobe subdomain "dbln-speedtest.adobe.com": the lang parameter is reflected into the page without encoding.
The PoC for the vulnerability:
http://dbln-speedtest.adobe.com/index.php?lang="><SCRIPT>alert("E Hacking News")</SCRIPT>
The researcher also claims to have discovered a path disclosure vulnerability at the same link and more than 90 open directories on Adobe servers.
Ankit notified Adobe about the vulnerability, but they did not respond to his mail.
[Screenshot: Vulnerabilities in Adobe]
A SQL injection vulnerability has been discovered in the official website of the Bangladesh Post Office (bangladeshpost.gov.bd). It was found by the grey-hat hacker "Human Mind Cracker".
In an email sent to EHN, the hacker provided the vulnerable link and claimed that the site suffers from many other vulnerabilities as well.
The hacker breached the site by exploiting the SQL injection and compromised the database.
"I got into their database, and the funniest thing is that the passwords are not encrypted with any hash, which is so bad for a website related to a government," the hacker said in the email.
The database dump (heypasteit.com/clip/0N9U) contains database details, usernames and passwords in plain text, including the admin username and password.
[Screenshot: Admin panel]
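Both Bangladesh government breaches reported above come down to user input spliced into SQL text. The sqlite3 example below is added here and is not code from the affected sites; the table, the rows and the injected strings are constructed for the demonstration. It shows the authentication bypass and a UNION-based dump against string-built queries, then the same queries with bound parameters, including escaping of LIKE wildcards, which binding alone does not handle.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed data; passwords are deliberately plaintext to mirror what the dump showed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("clerk", "letmein")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    # Query text assembled from input: a quote in the username ends the string early and
    # "--" comments out the password check entirely.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username: str, password: str) -> list:
    # Placeholders: the driver sends values separately, so they can never become SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def search_vulnerable(conn, prefix: str) -> list:
    # The usual "dump the table" route: close the string, UNION in another SELECT.
    sql = f"SELECT username FROM users WHERE username LIKE '{prefix}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, prefix: str) -> list:
    # Bind the LIKE pattern too, and escape % and _ so user input cannot widen the match.
    pattern = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_")) + "%"
    sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]
```

The parameterized login returns nothing for the "admin' --" username not because it was filtered but because no user is literally called that; the fix does not depend on recognising attack strings.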
Security researcher Rafay Baloch, founder of Rafay Hacking Articles, has discovered a cross-site scripting (XSS) vulnerability in the ShareCash website (sharecash.org). ShareCash describes itself as the highest-paying pay-per-download network around.
The vulnerability affects the "Manage Widget" page of ShareCash and is a stored XSS.
Stored XSS is the more serious kind, since the script is saved on the server and executed every time a user visits the affected page.
In an email sent to EHN, the researcher provided a screenshot of the proof of concept. From the PoC, the "Widget Name" field is the one vulnerable to XSS; the developers appear not to validate or encode the input.
Rafay says he sent more than 10 emails to ShareCash to notify them about the vulnerability, but they did not respond.
[Screenshot: Stored XSS vulnerability]
A hacker named VandaTheGod, from the UGNazi hacker group, has breached several government and other websites.
Recently, he hacked the Ecuadorian government website of the Technical Secretariat for Vocational Training (setec.gob.ec), the Argentine government site of the Ministry of Education of the Province of Corrientes (mecc.gov.ar) and the official site of Escalante City, Philippines (escalantecity.gov.ph).
The hacked sites simply display the text "Deface By @VandatheGod or @CosmoTheGod" together with the hacker's email address.
The hacker keeps defacing more websites every few minutes. He also hacked a subdomain of the International Bank for Trade and Finance (mail.ibtf.com.sy).
HostGator, one of the leading web hosting providers, has been found vulnerable to a non-persistent cross-site scripting vulnerability. It was discovered by Indian security researcher "Manjot Gill" and was initially published on my friend Aarshit Mittal's security news portal, Cyber-N.
Manjot discovered the vulnerability in a subdomain of HostGator. He also claims that many sites hosted on HostGator are vulnerable.
PoC for the subdomain XSS:
http://www.cluster2.hostgator.co.in/"><script>alert("HACKED BY ICH ")</script>
Aarshit Mittal analyzed the finding and discovered a few more interesting things.
A Google search for "site:.hostgator.co.in" returns more than 64,600 results, and all of those subdomains are affected by this vulnerability. For example, take the first site in the results, "chahat.hostgator.co.in"; it is affected by the XSS.
PoC:
chahat.hostgator.co.in/"><script>alert(document.cookie)</script>
You can also list the hosted sites by searching for the IP dork in Bing: for instance, searching for "ip:119.18.48.78" in Bing returns the list of affected sites.
You can find the rest of the vulnerable sites by changing the IP from "119.18.48.12" through "119.18.48.86".
The main domain is also affected by this vulnerability:
http://www.hostgator.co.in/"><script>alert(document.cookie)</script>
The affected sites are created and hosted via IndiaGetOnline (www.indiagetonline.in). "Get India Business Online" is an initiative by Google that lets you create a website for your business in 15 minutes, for free, with HostGator providing the hosting, its site-building tool and support.
All the sites created with HostGator's site-building tool are affected, because the main site-building site (hostgator.co.in) itself has this security flaw.