Ola leaks personal information of its customers, claims a girl

A girl from Chennai claimed that OlaCabs, better known as Ola, a mobile app for personal transportation in India, had sent her the personal information of more than 100 customers via SMS.

Swapnil Midha posted on Facebook that Ola, which started as an online cab aggregator in Mumbai, is now based in Bangalore and is among the fastest growing businesses in India, had leaked personal details such as users' mobile numbers and locations.

The company described it as a technical fault and said it has since been fixed.

“About three weeks ago, I booked an Ola cab for a long distance drive. After the ride I received a few garbled texts from "VM-OLACAB" that I didn't think much of and ignored. These messages were alpha-numeric with hashes and made no sense to me whatsoever. I assumed there was some system error and did not anticipate the sleep deprivation that followed,” she wrote on Facebook.

She added, “My phone beeped throughout the night. 1:06, 2:34, 2:37, 2:38, 4:05, 5:17. I couldn't get my head around why these were coming at these times. I then called their call centre the next day to explain that there was probably some sort of bug and my number had somehow gotten into their highly cryptic message transmission systems, whatever secrets they were trying to transmit.”

Although Ola assured her that the problem would be fixed soon, she kept receiving SMS after SMS, between 300 and 400 texts in all.

“I received no further communication from them, no update, no email, just more garbled messages,” she explained. “I reached out to them through every channel possible. I called their call centre at least 5 times, demanded to speak to the senior managers, and had to explain my problem each time in great detail, answering the same annoying questions.”

She said that the company shared the personal details of its customers throughout the day and throughout the night.

“What scares me the most, is that THIS should be their number one priority. I questioned their lack of concern for privacy and data protection. I threatened to report them to the authorities and TRAI. Nothing seemed to work which makes you think - do they even care about protecting customer information? If they are sending all this to me, who are they sending MY booking details to? Whose number is receiving all of my data? Which creepy criminal knows my full name, my mobile number, my door number, my account details, when I'm home and when I'm out?” she added.

She has raised a serious question that the company needs to answer as soon as possible. If one of the most trusted companies, like Ola, is this careless, what can we expect from others?

PayPal fixes serious vulnerability in its domain


A serious flaw in the systems of PayPal Holdings Inc, an American company which operates a worldwide online payments system, has been patched. The flaw could have allowed an attacker to trick users into handing over their personal and financial details.

The flaw, which was detected by Ebrahim Hegazy, was a stored cross-site scripting (XSS) bug in the SecurePayments.PayPal.com domain, which is used for PayPal’s hosted solution that enables buyers to pay with a payment card or their PayPal account, eliminating the need for merchants to capture or store sensitive payment information.

“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content. An attacker can provide his own HTML forms to the user to fulfill and send the users data back to attacker’s server in clear text format, and then use this information to purchase anything on behalf of users or even transfer the users' funds to his own account,” the researcher posted on his blog.

According to the Egypt-based researcher, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and altered the “Checkout” button with a URL designed to exploit the XSS vulnerability.

The flaw could allow the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information. The collected data is then sent back to a server controlled by the attacker, the researcher explained.

The researcher, who had found a serious flaw in a Yahoo domain last year, reported the vulnerability to PayPal on June 19. The payment processor confirmed patching the flaw on August 25.


PayPal awarded Hegazy $750 for his findings, which is said to be the maximum bug bounty payout for XSS vulnerabilities.

Samsung smart fridge vulnerability can expose Gmail credentials, say experts

A team of security researchers has identified a potential threat to Gmail credentials via the Samsung smart fridge.

A ‘Man in the Middle’ (MiTM) vulnerability was discovered during an IoT (Internet of Things) hacking challenge at the recent DEF CON conference. Samsung’s RF28HMELBSR smart fridge was the target, and the researchers confirmed that Gmail credentials could be exposed. Although the fridge implements SSL, it fails to validate SSL certificates, which is what makes MiTM attacks possible.

The Internet-connected device automatically downloads the owner's Google Calendar to an on-screen interface, and the MiTM vulnerability lets an attacker on the same network intercept that connection and steal Gmail credentials.

Ken Munro, a security researcher at Pen Test Partners, stated that "The internet-connected fridge is designed to display Gmail Calendar information on its display." He added, "It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on."

"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example."

While the research team did not manage to breach the software update server or the fridge's terminal during the DEF CON challenge, the mobile app showed weaknesses with potential security implications.

The mobile app's code contains a certificate used to encrypt communication between the fridge and the app. The certificate is password-protected, but the password appears to be stored in the app in merely obfuscated form. If that obfuscation is reversed, an attacker could use the certificate to send commands to the fridge.

Pedro Venda of Pen Test Partners remarked: “We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time. However, we still found some interesting bugs that definitely merit further investigation. The MiTM alone is enough to expose a user’s Gmail creds.”

The incident has created a tense atmosphere at Samsung headquarters. In a public statement, the company said: “At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”


Developer finds unpatched exploit in OS X 10.10.5

Luca Todesco, a developer, has found a loophole in the OS X 10.10.5 update released by Apple that can give an attacker root access to a Mac computer.

Todesco shared the information on GitHub, and the loophole works on all versions of OS X Yosemite.

The developer did not give Apple a heads-up before publishing the information on the internet, so Apple will not be able to patch the vulnerability immediately.

The vulnerability found by the developer is similar to the DYLD_PRINT_TO_FILE vulnerability, which took Apple less than a month to fix.

Until a fix is released, Apple users can reduce their risk by only installing apps from the App Store and trusted developers.

Bug allows Hackers to open locked Biometric Fingerprint Doors


A researcher has uncovered several flaws in fingerprint access controllers made by Taiwan-based Chiyu Technology that could allow attackers to easily open the doors they protect.

The researcher, Maxim Rupp, said that the vulnerabilities allow an attacker to view and modify the device's configuration without authentication by directly accessing known paths.


According to an advisory published by CERT/CC on July 31, the paths for accessing the communications, fingerprint and other setup pages vary slightly depending on the model and the services available. The issue is tracked as CVE-2015-2871.

“It has identified models BF-660C, BF-630, BF-630W as being vulnerable; other models may also be vulnerable. The CERT/CC has been unable to verify this information with the vendor. The CVSS score below is based on CVE-2015-2871,” the advisory read.

According to a story published in SecurityWeek, the researcher said that by gaining access to the controller’s fingerprint setup page, an attacker could modify settings, such as “security level” and “sensitivity,” to make it easier to open the door protected by the device. An attacker can also change the device’s network settings and disconnect it from the targeted organization’s network.

“The researcher has also found that some of the vulnerable biometric devices are accessible via the Internet, which allows an attacker to exploit the weakness remotely. An attacker might be able to carry out other actions as well once he gains access to the controller’s configuration pages, but the expert says he hasn’t conducted further tests,” the report read.

The researcher said that several other companies sold the same devices under different brands.

The researcher reported the flaws to Chiyu Technology via CERT/CC on May 29. However, CERT/CC has not managed to get in touch with the manufacturer.

It is still unclear when the company will fix the flaws in the fingerprint access controllers.

Attackers can crash Your Android Device, says Trend Micro

 
Researchers from TrendLabs Security Intelligence have discovered a vulnerability in Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop), that could allow an attacker to turn a phone “dead silent, unable to make calls, with a lifeless screen”.

The researchers said that the flaw leaves phones with no ring, text or notification sounds and unable to make calls.

According to a post on its blog: “This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.”

The researchers said that the vulnerability was similar to the recently discovered Stagefright vulnerability. Both vulnerabilities were triggered when Android handles media files, although the way these files reached the user differs.

Researchers from Zimperium Mobile Security, a security firm, had discovered Stagefright in the Android mobile operating system, which they called the “worst Android vulnerabilities” to date.

Though Google has patched the problem, millions of devices still need to be updated; the flaw affected nearly a billion devices.

“The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device,” said the company. “The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data,” the blog post read.

Although the flaw was reported to Google in May, the company has not yet fixed the issue.

Valve fixes a bug which allowed hackers to access its users' accounts

Valve, an American video game developer and digital distribution company headquartered in Bellevue, Washington, has fixed a loophole in its Steam platform, which has millions of accounts worldwide, that could allow an attacker to easily take over an arbitrary account knowing only its username.

According to a report published in Master Herald, a flaw in Steam’s password recovery feature was the cause. As demonstrated in a video posted on YouTube, the feature sends a recovery code to the e-mail address registered to the account, and the code must then be entered on a form on the Steam website.

However, an attacker could skip the code-entry step by leaving the recovery code field blank and gain full access to the password change dialog. Although the company has fixed the loophole, the vulnerability had already caused a lot of damage to many users’ accounts.

Users who actively trade on the Steam Market are now worried that their accounts may have been compromised.

Valve has not commented on the situation yet.

The company has urged its users to keep an eye on their e-mail accounts. If an e-mail related to password recovery is received, the user should definitely not ignore it, and proceed to verify that their account is still accessible.

It is important to note that the information contained in the e-mail itself is not necessary to carry out the attack.


“Receiving this e-mail is simply a sign that the user is being targeted with the attack. However, some have reported that even changing their password has been ineffective, as the hackers are able to simply keep resetting it over and over again, and there was no good way to stop them,” the report added.
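The exact defect in Steam's form is not public, so the following Python is an added illustration (not Valve's code) of the assumed shape of the bug, a recovery check that treats a blank code as nothing to verify, next to a hardened verifier that requires a non-empty code, compares it in constant time against a stored hash, expires it, limits attempts and consumes it on first use. The in-memory store and the injectable clock are constructed for the demo.

```python
"""Added example (not Valve's code): a password-reset verifier with an
assumed blank-code bypass, beside a hardened one. Store and clock are
constructed for the demo."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # a recovery code should be short-lived
MAX_ATTEMPTS = 5             # and not brute-forceable


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class ResetStore:
    """Constructed in-memory store: username -> pending reset record."""

    def __init__(self, clock=time.time):
        self.pending = {}
        self.clock = clock

    def issue(self, username: str) -> str:
        """Create a pending reset. Only a hash of the code is kept server-side;
        the code itself would go out in the e-mail. It is returned here so the
        demo can play the role of the mailbox."""
        code = secrets.token_urlsafe(24)
        self.pending[username] = {
            "digest": _digest(code),
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code


def verify_vulnerable(store: ResetStore, username: str, submitted: str) -> bool:
    """Assumed bug shape: a blank submission is treated as 'nothing to check'
    and falls through to success, so the e-mailed code is never needed."""
    rec = store.pending.get(username)
    if rec is None:
        return False
    if submitted:
        return hmac.compare_digest(_digest(submitted), rec["digest"])
    return True   # BUG: empty code accepted


def verify_fixed(store: ResetStore, username: str, submitted: str) -> bool:
    """Hardened check: non-empty code, not expired, bounded attempts,
    constant-time comparison, single use."""
    rec = store.pending.get(username)
    if rec is None or not submitted:
        return False
    if store.clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        store.pending.pop(username, None)   # dead record: force a fresh issue
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(_digest(submitted), rec["digest"])
    if ok:
        store.pending.pop(username, None)   # consumed; cannot be replayed
    return ok


if __name__ == "__main__":
    store = ResetStore()
    code = store.issue("victim")
    print("vulnerable, blank code:", verify_vulnerable(store, "victim", ""))   # True
    print("fixed, blank code:", verify_fixed(store, "victim", ""))             # False
    print("fixed, real code:", verify_fixed(store, "victim", code))            # True
    print("fixed, replayed code:", verify_fixed(store, "victim", code))        # False
```

Because the fixed verifier stores only a hash and consumes the record on success, the advice in the report still applies in reverse: an unexpected reset e-mail is a signal that someone submitted the username, but possession of the mailbox remains the only way to complete the reset.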

Your life is in the hands of the hackers, they can remotely hijack your Jeep


When we think of the term ‘hacking’, computers, bank accounts and websites come to mind; one rarely thinks of hacked vehicles. However, a recent case in which a car was hijacked by hackers has shown that nothing in our lives is safe from them.

According to a report published by Wired, a zero-day exploit for Chrysler vehicles allows hackers to control everything from the engine to the air-conditioning over the Internet, overriding the driver at the dashboard.

The Uconnect software manages the vehicle’s entertainment and navigation systems, provides a Wi-Fi hotspot and lets drivers make phone calls; it is said that anyone who knows the car's IP address can hijack the car through it.

In the report, Andy Greenberg, senior writer, explained that he signed up to be a guinea pig for security researchers Charlie Miller and Chris Valasek. He was strapped into a Jeep and directed to head onto the highway. From 10 miles away, Miller and Valasek proceeded to hack into his car's software, toggling the windshield wipers, blasting the radio, and, eventually, cutting the transmission.

“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun,” Greenberg said.

The researchers then took over the Jeep’s brakes, and as a result it went into a ditch.

“Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route,” he explained.

According to the news report, on Tuesday Senators Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) announced legislation that would require automobile companies to meet privacy standards that protect against cyber attacks.

Miller and Valasek reported the flaw to Chrysler months ago so that it could be fixed before such hacks occur in the wild.

Chrysler has released an updated version of the software; however, owners have to download it manually and apply it to their cars via a USB drive.

United Airlines awards hackers millions of miles for reporting bugs

United Airlines has awarded “millions of frequent flier miles” to hackers who found gaps in the carrier's web security, a first for the U.S. airline industry, according to a report published by Reuters.

However, some of those hackers have tweeted that they received smaller awards than the company had announced.

“Well that answers that question. Found out which of my two bugs was worth a million because the other is apparently worth 250k,” Jordan Wiens (@psifertex) tweeted.

The terms of the agreement reportedly do not allow Wiens to disclose the bug he discovered.

United confirmed to Reuters that it has paid out two awards of 1 million miles each, each worth dozens of free domestic flights on the airline.

"We believe that this program will further bolster our security and allow us to continue to provide excellent service," United said on its website.

“It has hoped to trailblaze in the area of airline web security by offering "bug bounties" for uncovering cyber risks. Through the program, researchers flag problems before malicious hackers can exploit them. The cost can be less than hiring outside consultancies,” the news report read.

The trade group Airlines for America said in a statement that all U.S. carriers should conduct tests to make sure their systems are secure.

Beyond the bug bounty program, the company has also tested its systems internally and engaged cyber security firms to keep its websites secure.


Software bug affects cars, opens doors without warning

Land Rover has discovered a software bug in two of its models: the bug can unlock the car's doors without any warning to the driver.

The company will recall vehicles and do the necessary repairs without any charge to the customers.

The bug affects two Land Rover models, the Range Rover and the Range Rover Sport; 65,000 vehicles have been recalled as a result.

The company has placed ads in newspapers and is contacting the owners to call them in for the recall.

Disable Java in your browsers if installed, as researchers spot new Java-based zero-day exploit


Researchers from Trend Micro have found suspicious URLs hosting a newly discovered zero-day exploit in Java (a zero-day is a hole in software that is exploited by attackers before the vendor becomes aware of it).

Brooks Li, a threat analyst, and Feike Hacquebord, a senior threat researcher, who spotted the exploit, said that this was the first new Java zero-day vulnerability reported in nearly two years.

The researchers learned of the exploit through feedback from their Smart Protection Network.

According to the report, the new Java zero-day exploit is being used in spear-phishing attacks targeting the armed forces of a NATO country and a US defense organization.

The bug affects only the latest Java version, 1.8.0.45, and not the older versions, Java 1.6 and 1.7.

The vulnerability has not yet been patched by the vendor.

According to the report, the URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm that targeted North Atlantic Treaty Organization (NATO) members and the White House in April 2015.

The researchers advise users to disable Java in their browsers if it is installed (for example, because some application required it).

Update Your Flash Player or Remove from Plugins

Adobe has issued another update for Flash Player to patch a critical vulnerability revealed in documents leaked from the spyware maker Hacking Team.

The Flash update patches 36 CVE-listed flaws, including the Hacking Team’s CVE-2015-5119 bug, in which a malicious Flash file can run malware on a user’s computer. The other 35 flaws also allow remote code execution on vulnerable computers.

Users of Windows, Linux and OS X are advised to update to the latest version of Adobe Flash. The update is considered essential for both OS X and Windows users.

The alternative is to uninstall Adobe Flash or disable the plugin. You can also set your web browser to run Flash content only on demand, so that it runs only when you right-click on it and select “run this plugin.”

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published”, Adobe said in its security bulletin.

Adobe’s security bulletin (https://helpx.adobe.com/security/products/flash-player/apsb15-16.html#table) lists the security updates for Flash Player.

Trend Micro discovers vulnerability in Android debugger "Debuggerd"


Trend Micro has found a new vulnerability in phones running Android Ice Cream Sandwich through Lollipop.

The vulnerability in Android's debugging component, debuggerd, allows an attacker to view the contents of the device's memory and the data stored in it.

A specially crafted ELF (Executable and Linkable Format) file can crash the debugger, after which the resulting dumps and log files reveal the contents of memory.

The bug in itself is not a big threat, but the type of data it can expose to an attacker could have serious consequences.

Google is said to be working on a fix for the next version of Android.

Vulnerability found in Apple devices that puts your password at risk

A group of security researchers has come forward with the startling news that passwords and other data on your Apple devices might not be safe. The group has published its findings in a paper that explains how Apple's devices could be hacked.

The paper explains that, because of the way Apple's code handles communication between devices, the researchers were able to break into the system by getting an app containing malware onto the App Store.

The app then sent sensitive data that should not have been accessible to anyone back to the attacker. The confidential data the app was able to steal included passwords for bank accounts, email and iCloud.

The team's lead researcher said that his team was able to gain unauthorized access to other applications on an Apple device.

The devices affected by this problem are the iPhone, iPad and Mac.

Researcher discloses a flaw in Samsung keyboard that leaves 600m Android devices vulnerable to hacking attack

A security researcher has disclosed a flaw in the keyboard pre-installed on over 600 million Samsung Android devices, including the recently released Galaxy S6, that could allow attackers to take full control of the smartphone or tablet.

Ryan Welton, a mobile security researcher at NowSecure, who discovered the vulnerability, wrote in a blog post: “A remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone. The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited.”

The researcher said the vulnerability was discovered last year and Samsung was notified in December 2014; Samsung asked NowSecure not to disclose the flaw until it could fix the problem.

NowSecure also notified CERT, which assigned CVE-2015-2865, and informed the Google Android security team.

The researcher pointed out that the flaw could allow an attacker to:

- Access sensors and resources like GPS, camera and microphone.
- Secretly install malicious app(s) without the user knowing.
- Tamper with how other apps work or how the phone works.
- Eavesdrop on incoming/outgoing messages or voice calls.
- Attempt to access sensitive personal data like pictures and text messages.

According to the researcher, the defective keyboard application cannot be uninstalled. It is also not easy for a Samsung user to tell whether their carrier has patched the problem with a software update.

“However, in order to reduce the risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing,” the researcher added.

Zomato fixed a Security bug that allowed hackers to access Personal data of 62 Million users


Zomato, an online restaurant search and discovery service providing information on home delivery, dining-out, cafés and nightlife in various cities across India and 21 other countries, has fixed a bug which could have allowed an attacker to gain access to the personal information of millions of users.

Anand Prakash discovered an Insecure Direct Object Reference (IDOR) vulnerability in the Zomato website.

IDOR occurs when an application provides direct access to objects based on user-supplied input. The vulnerability allows attackers to bypass authorization and access resources in the system directly by modifying the value of a parameter that points to an object, for example a database record or a file.

One of the API calls used for retrieving user information was insecurely coded: it looked up the information based solely on the "browser_id" parameter passed in an HTTP GET request and failed to verify that the caller was authorized to access the requested data.

By sequentially changing the 'browser_id' value, an attacker could access users' personal information, such as names, email addresses, phone numbers and dates of birth.

“The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users,” Prakash wrote in his blog.

Prakash reported the vulnerability to Deepinder Goyal, CEO of Zomato, on June 1, and the next day (June 2) the flaw was fixed by Gunjan Patidar and his engineering team.

A proof-of-concept video was also published.


Privacy bug found in Gaana.com allows hackers to access your details


A privacy bug was found on the website of Gaana, the largest Indian online music streaming service, which allowed access to users' private details including their dates of birth.

Security researcher Avinash found an Insecure Direct Object Reference vulnerability and reported it to Gaana.com, which fixed the bug after three weeks.

Avinash said a bug in an internal API gave him access to 11 million records: a simple HTTP GET request with the corresponding user ID was enough to retrieve a user's details.

The researcher said he was able to access the full name, profile picture, email address, date of birth and the last song they listened to on Gaana.
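Both the Zomato "browser_id" bug above and the Gaana user ID bug are the same defect: the record is chosen by a client-supplied identifier and nobody checks who is asking. As an added example (not Zomato's or Gaana's code; the records, session tokens and ids are constructed for the demo), the following Python shows such a lookup beside a hardened version that derives the subject from the authenticated session and requires that the requested object belongs to it. The `enumerate_ids` helper is the authorization regression test a defender would keep in the suite: it sweeps a block of sequential ids through a handler and reports what is disclosed, which should never be more than the caller's own record.

```python
"""Added example (not Zomato's or Gaana's code): an IDOR-style profile
lookup beside a hardened one. Records, sessions and ids are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Profile:
    user_id: int
    name: str
    email: str
    dob: str


# Constructed stand-in for the internal user table (sequential ids, as in
# both reports).
PROFILES: Dict[int, Profile] = {
    1001: Profile(1001, "Asha", "asha@example.com", "1990-01-02"),
    1002: Profile(1002, "Ravi", "ravi@example.com", "1988-05-17"),
    1003: Profile(1003, "Meera", "meera@example.com", "1995-11-30"),
}

# Constructed session table: bearer token -> user_id of the logged-in user.
SESSIONS: Dict[str, int] = {"tok-asha": 1001, "tok-ravi": 1002}


class Forbidden(Exception):
    """Raised where a real API would answer 401/403."""


def get_profile_vulnerable(params: dict) -> dict:
    """The defect: the object is selected by the client-supplied id alone,
    with no check of who is asking (compare the 'browser_id' GET parameter)."""
    profile = PROFILES[int(params["user_id"])]          # KeyError -> 404
    return {"name": profile.name, "email": profile.email, "dob": profile.dob}


def get_profile_fixed(session_token: str, params: dict) -> dict:
    """Derive the subject from the authenticated session, then require that
    the requested object belongs to that subject before touching the store."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("not authenticated")
    requested = int(params["user_id"])
    if requested != caller:
        raise Forbidden("not authorized for this object")
    profile = PROFILES[requested]
    return {"name": profile.name, "email": profile.email, "dob": profile.dob}


def enumerate_ids(handler: Callable[[dict], dict], start: int, count: int) -> List[str]:
    """Authorization regression test: sweep a block of ids through a handler
    and return the e-mail addresses it discloses. A correct handler should
    never disclose more than the caller's own record."""
    leaked = []
    for uid in range(start, start + count):
        try:
            leaked.append(handler({"user_id": uid})["email"])
        except (KeyError, Forbidden):
            continue
    return leaked


def as_user(token: str) -> Callable[[dict], dict]:
    """Bind a session token so the fixed handler has the same call shape."""
    return lambda params: get_profile_fixed(token, params)


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_profile_vulnerable, 1000, 5))
    print("fixed, as Asha:", enumerate_ids(as_user("tok-asha"), 1000, 5))
    print("fixed, no session:", enumerate_ids(as_user("bogus"), 1000, 5))
```

Note that the fix is the ownership check, not hiding the id: random identifiers only slow enumeration down, while a handler that binds the object to the session closes the hole even when ids stay sequential.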

In his blog post, he wrote: “On 12th of May I had discovered a vulnerability on Gaana.com. I contacted their team and it was fixed recently.”

When EHN contacted the author to ask why the original article had been removed from his blog, he replied that "he removed it after getting a request from Gaana.com."

A cached version of the blog post can be found in Google Cache.

Emerson fixes SQL injection bug in AMS Device Manager


Emerson Process Management has released a patch for an SQL injection vulnerability in its AMS Device Manager application.

Emerson AMS Device Manager is software used worldwide, primarily in the oil and gas and chemical industries.

The advisory (ICSA-15-111-01) published on the ICS-CERT website states that the vulnerability is not exploitable remotely and cannot be exploited without user interaction. It also states that exploiting the vulnerability is of medium difficulty.

"Successful attack results in administrative access to the application and its data files but not to the underlying computer system," the advisory reads.

The vulnerability affects AMS Device Manager, V12.5 and earlier.


Emerson advises users of the application to take the following steps to avoid exploitation of this vulnerability.

For AMS Device Manager v12.5, it suggests applying the patch, upgrading to v13, or applying the following workaround. For earlier versions, the software can be configured by adding another user with full administrative privileges and reducing the default administrative user to read-only privileges.

ICS-CERT also recommends limiting user privileges on machines running ICS software, minimizing network exposure for all control system devices, locating control system networks and remote devices behind firewalls, and isolating them from the business network.
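The advisory does not publish the vulnerable query, so the following Python/sqlite3 code is an added, generic illustration (not Emerson's code; the table, columns and rows are constructed) of the defect class and of the two controls the guidance above maps to: parameter binding, so that input can no longer change the structure of a query, and a least-privilege database session, mirroring the workaround of reducing the default administrative user to read-only.

```python
"""Added example (not Emerson's code): a string-built query beside a
parameterized one, plus a least-privilege database session. Table and rows
are constructed."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed device inventory, in the spirit of an asset manager."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (tag TEXT, site TEXT, owner TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", [
        ("FT-101", "plant-a", "alice"),
        ("PT-202", "plant-a", "alice"),
        ("TT-303", "plant-b", "bob"),
    ])
    return conn


def find_device_vulnerable(conn: sqlite3.Connection, owner: str, tag: str) -> List[str]:
    """The defect: user input is spliced into the SQL text, so a quote in the
    input rewrites the WHERE clause instead of being matched as a value."""
    sql = f"SELECT tag FROM devices WHERE owner = '{owner}' AND tag = '{tag}'"
    return [row[0] for row in conn.execute(sql)]


def find_device_fixed(conn: sqlite3.Connection, owner: str, tag: str) -> List[str]:
    """Parameter binding: the SQL and the values travel separately, so the
    database never parses the input as part of the statement."""
    sql = "SELECT tag FROM devices WHERE owner = ? AND tag = ?"
    return [row[0] for row in conn.execute(sql, (owner, tag))]


def open_readonly_session(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Least privilege for a session that only reads: even a successful
    injection through it cannot alter or delete data (SQLite's query_only
    pragma stands in for a read-only database role)."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def write_blocked(conn: sqlite3.Connection) -> bool:
    """True if the session refuses a write, i.e. the privilege limit holds."""
    try:
        conn.execute("DELETE FROM devices")
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> dict:
    conn = make_db()
    tampered_tag = "x' OR '1'='1"   # textbook structure-changing input
    results = {
        "vulnerable": find_device_vulnerable(conn, "alice", tampered_tag),
        "fixed": find_device_fixed(conn, "alice", tampered_tag),
    }
    results["write_blocked"] = write_blocked(open_readonly_session(conn))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the string-built query, a tag value that is never in the table still returns every device, including another owner's; with binding it returns nothing. The read-only session is the second layer: it does not prevent the injection, but it caps what an injection can do, which is exactly the reasoning behind demoting the default administrative user.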

Security and Privacy flaw in UC Browser leaks personally identifiable information


A visual summary of privacy and security issues presented by UC Browser. PC: Citizen Lab
A report has shown that a security and privacy flaw in a mobile web browser popular in India and China causes it to transmit users' personal and other information without encryption.

The report, titled “A Chatty Squirrel: An Analysis of Privacy and Security Issues with UC Browser”, reveals that the Chinese and English-language versions of UC Browser for Android, a mobile web browser owned by the China-based company Alibaba.com, allow any network operator or in-path actor to obtain the user’s personally identifiable information, such as location, search queries and mobile subscriber and device IDs.

The application uses symmetric AES/CBC encryption to send device IDs, location data, Wi-Fi MAC address, SSID and other information, but the key used for the encryption, 'autonavi_amaploc', is hard-coded in the application.

"The use of symmetric encryption with a hard-coded key means that anyone who knows the key can decrypt UC Browser (Chinese) traffic in transit. Moreover, key holders can also retroactively decrypt any historical data that they have collected or obtained," the report reads.

Personal identifiers such as the IMEI, IMSI, Android ID and build serial number are transmitted to Umeng (a mobile analytics service) in unencrypted form.

The transmission of unencrypted search engine queries enables third parties to monitor searches. Sensitive personal information can be inferred from search terms, including health conditions like pregnancy, disease, mental and psychological conditions, marital relations, and medical information. Third parties can use this to develop, use and sell user profiles, and corporate or government actors can use it to modify or block access to certain search results.
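The findings above come down to identifiers and search terms leaving the device over cleartext HTTP, which is something a network defender can check for on their own traffic. As an added example (not Citizen Lab's tooling; the request lines and host names are constructed), the following Python audits proxy-style HTTP request lines and flags device identifiers (IMEI validated with its Luhn check digit, IMSI, MAC address, Android ID), location parameters and search queries that are sent without TLS. Requests over https are skipped because an on-path observer sees only the host name.

```python
"""Added example (not Citizen Lab's tooling): flag personal identifiers,
location parameters and search terms sent over cleartext HTTP. Request lines
and host names below are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Parameter names that carry device or subscriber identifiers (assumed
# names; real apps vary, so extend this from observed traffic).
ID_PARAM_NAMES = {"imei", "imsi", "android_id", "serial", "mac", "ssid"}
LOCATION_PARAM_NAMES = {"lat", "lon", "lng", "latitude", "longitude"}
SEARCH_PARAM_NAMES = {"q", "query", "keyword"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
DIGITS15_RE = re.compile(r"^\d{15}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a 15-digit IMEI's last digit is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_param(name: str, value: str) -> Optional[str]:
    """Return what kind of sensitive datum a query parameter carries, or None."""
    n = name.lower()
    if n == "imsi" and DIGITS15_RE.match(value):
        return "imsi"
    if DIGITS15_RE.match(value) and luhn_ok(value):
        return "imei"          # value-based: catches an IMEI under any name
    if MAC_RE.match(value):
        return "mac"
    if n in ID_PARAM_NAMES:
        return "device-id"
    if n in LOCATION_PARAM_NAMES:
        return "location"
    if n in SEARCH_PARAM_NAMES:
        return "search-query"
    return None


def audit_request_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Scan 'METHOD absolute-URL HTTP/x' request lines (proxy-log style) and
    report sensitive parameters that travel without TLS."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            _method, url, _version = line.split(" ", 2)
        except ValueError:
            continue   # not a request line
        parts = urlsplit(url)
        if parts.scheme == "https":
            continue   # encrypted; an on-path observer sees only the host name
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_param(name, value)
            if kind:
                findings.append({"line": lineno, "host": parts.hostname,
                                 "param": name, "kind": kind})
    return findings


# Constructed sample: what a proxy might log from a chatty mobile app.
SAMPLE_REQUESTS = [
    "GET http://analytics.example.net/app_logs?imei=490154203237518&imsi=404123456789012&android_id=9774d56d682e549c HTTP/1.1",
    "GET https://search.example.net/s?q=pregnancy+test HTTP/1.1",
    "GET http://search.example.net/s?q=pregnancy+test HTTP/1.1",
    "GET http://loc.example.net/pos?lat=12.9716&lon=77.5946&mac=00:11:22:33:44:55 HTTP/1.1",
]


def audit_sample() -> List[Dict[str, object]]:
    return audit_request_lines(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"line {f['line']}: {f['kind']} '{f['param']}' sent in cleartext to {f['host']}")
```

The IMEI rule is value-based on purpose: an analytics SDK may rename the parameter, but a 15-digit Luhn-valid number in a query string is a strong signal whatever it is called. Traffic that is encrypted with a hard-coded key, as the report describes for location data, would not be caught by this check and needs inspection of the app itself.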

“We informed our findings to Alibaba on April 15, 2015 and we would publish this report on or after April 29, 2015. The company responded on April 19, 2015, indicating that Alibaba security engineers were investigating the issue. We followed up on April 23, 2015 to reiterate our intention to publish this report on or after April 29, 2015,” the report said.

The report added that on May 19, 2015 the researchers tested version 10.4.1-576 of the Chinese-language UC Browser, downloaded from the uc.cn website, and that this version does not appear to send location data insecurely to AMAP.

Security Explorations reveals several vulnerabilities in Google App Engine


Security Explorations, a Poland-based security firm, on May 15 disclosed technical details and proof-of-concept (PoC) code for unconfirmed and unpatched vulnerabilities in Google App Engine for Java.

The company began its research on Google App Engine for Java in October 2012 but was unable to continue it at the time; it resumed the project in October 2014.

The company confirmed more than 30 vulnerabilities in December.

According to a report published by SecurityWeek, the firm had identified and reported a total of 41 issues to Google, but Google said it had internally fixed those flaws.

“That does not speak well about Google GAE engineers and their Java security skills in particular,” Adam Gowdiak, founder and CEO of Security Explorations, told SecurityWeek.

To date, Google has confirmed a total of 36 vulnerabilities. However, Security Explorations says that a few of them are still unpatched.

Although Security Explorations revealed 31 flaws in mid-March that were later fixed by Google, Gowdiak wrote in an email that seven other vulnerabilities still exist in the Google service, which he briefly discussed in his mail.

He said the flaws were reported to Google three weeks ago, but he has received no confirmation from Google, nor has the company fixed any of them.

"It has been three weeks and we haven't heard any official confirmation or denial from Google with respect to Issues 37-41," Gowdiak wrote. "It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code."

He added that the flaws are easy for attackers to exploit: they could use the freely available cloud platform to run a malicious Java application that breaks out of the first sandboxing layer and executes code in the highly restricted native environment.

From there, attackers could attack lower-level assets and retrieve sensitive information from Google's servers.

Google had decided to award Security Explorations $70,000 for disclosing the vulnerabilities, of which $50,000 was already paid to the company on March 20.

Gowdiak said that Google might now withhold the remaining $20,000 because the firm has disclosed unpatched and unconfirmed vulnerabilities. However, the company believes that rewards should not influence how it handles and discloses the results of its security research.


“We need to treat all vendors equal. In the past, unconfirmed, denied or silently fixed issues were subject to an immediate release by us,” he said.