Security Vulnerability in McDonald's India allows hackers to access Customer data

 
If you are from India and have ordered a burger at McDonald's, your personal details are at risk.

Security researchers from Fallible found a serious vulnerability in the McDonald’s India application that allows hackers to access the data of millions of customers.

The API used by the application performs no authentication or authorization check. Sending a request to "http://services.mcdelivery.co.in/ProcessUser.svc/GetUserProfile" with a customer id in the header returns that customer's details.

The customer id is a sequential number. All an attacker needs to do is create a script and increase the number to dump all customer data.

"The lack of strong data protection and privacy laws or penalties in India, unlike the European Union, United States or Singapore, has led to companies ignoring user data protection," the researcher said.

"We have in the past discovered more than 50 instances of data leaks in several Indian organizations," the researcher said.

The vulnerability allows attackers to obtain the name, address, email address, phone number, date of birth, GPS coordinates and social profile details of customers.
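The check that the API described above lacks, as an added example that is not McDonald's or Fallible's code: the record returned is tied to the authenticated session, so naming another id in the header gets a refusal. The header names, session store and sample records are assumptions.

```python
"""Added illustration: profile lookup authorised against the session, not the header."""

# Constructed sample records; ids are sequential, as the article describes.
PROFILES = {
    1001: {"name": "Customer A", "phone": "000-0001"},
    1002: {"name": "Customer B", "phone": "000-0002"},
}
# Hypothetical session store: opaque random token -> customer id it was issued to.
SESSIONS = {"tok-7f3a9c": 1001, "tok-b81e02": 1002}


def get_profile_unchecked(headers):
    """The pattern described above: whoever names an id gets that record."""
    return 200, PROFILES.get(int(headers["CustomerId"]))


def get_profile_checked(headers):
    """Authenticate first, then authorise the requested id against the session."""
    owner = SESSIONS.get(headers.get("Authorization"))
    if owner is None:
        return 401, None                  # no valid session: authentication fails
    requested = headers.get("CustomerId", str(owner))
    if not requested.isdigit() or int(requested) != owner:
        return 403, None                  # valid session, but someone else's record
    return 200, PROFILES[owner]
```

Using a non-sequential identifier would make guessing harder, but the ownership check is what actually closes the hole.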

The researchers reported the issue to McDelivery on 4th February, 2017. A few days later (13th Feb), they received an acknowledgement from the McDelivery IT Manager. From 7th March, Fallible tried to contact McDelivery to learn the status, but there has been no response from their side. At the time of writing, the bug is still not fixed.

In Jan 2017, researcher Tijme Gommers found two critical bugs in McDonald's: "an insecure cryptographic storage vulnerability" and XSS.

Hackers could easily bypass SBI's OTP security

One Time Passwords (OTPs) have become a standard security feature on most websites, including those of banks. The feature lets a user make an online transaction only after the customer's identity is verified by entering the OTP that the bank sends to the registered mobile number. But who knew that this security feature could be easily bypassed, leading to a huge loss of money?

Neeraj Edwards, a white-hat hacker, bug bounty hunter and web application security researcher, shared his research on how he could easily bypass the OTP of one of the most popular banks, State Bank of India (SBI), and make a transaction of any amount.



While making a transaction, the last page of SBI’s website shows a One Time Password screen that carries a parameter called ‘smartotpflag’, set to Y, i.e. ‘smartotpflag=Y’.


The smartotpflag parameter is used to generate the OTP, and Y represents ‘yes’: send the code to the registered mobile. The risk arises if someone changes ‘Y’ to ‘N’, which means ‘no’. The transaction is then completed without entering the OTP.
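The flawed pattern beside a server-enforced one, as an added example that is not SBI's code: whether an OTP is required is decided from state the server holds, and a smartotpflag sent by the client has no effect. The transaction store, function names, OTP length and retry limit are assumptions.

```python
import hmac
import secrets

# Hypothetical server-side store: transaction id -> state kept only on the server.
PENDING = {}


def start_transaction(txn_id, amount):
    """Create the transaction and its OTP; the requirement is recorded server-side."""
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING[txn_id] = {"amount": amount, "otp": otp, "tries_left": 3}
    return otp  # a real system sends this to the registered mobile, never to the caller


def confirm_trusting_client(txn_id, params):
    """The flawed pattern: a request parameter decides whether the OTP is checked."""
    txn = PENDING[txn_id]
    if params.get("smartotpflag", "Y") == "N":
        return True
    return hmac.compare_digest(txn["otp"], params.get("otp", ""))


def confirm_server_enforced(txn_id, params):
    """The OTP is always verified; smartotpflag from the client is never read."""
    txn = PENDING.get(txn_id)
    if txn is None or txn["tries_left"] <= 0:
        return False
    txn["tries_left"] -= 1                 # bound guessing attempts per transaction
    if not hmac.compare_digest(txn["otp"], params.get("otp", "")):
        return False
    del PENDING[txn_id]                    # single use: a confirmed OTP cannot be replayed
    return True
```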


The vulnerability was patched after Edwards' discovery, but it was highly disappointing that the person who could easily have benefited from it, and chose not to, was neither rewarded nor acknowledged for his work.

The press, too, did not carry this important news, keeping the public in the dark and denying the discoverer any recognition.

The POC Video:
https://www.youtube.com/watch?v=2kYm1G2jBcM

DROWN attack risks millions of popular websites

An international team of researchers warned that more than 11 million websites and e-mail services protected by the Transport Layer Security (TLS) protocol are vulnerable to a new, low-cost attack that decrypts sensitive communications in a few hours.

The cybersecurity experts from universities in Israel, Germany and the US, as well as a member of Google's security team, found that more than 81,000 of the top one million popular websites are vulnerable.
The researchers said many popular sites - including ones belonging to Samsung, Yahoo and a leading Indian bank - appeared to be vulnerable.

The DROWN attack works against TLS-protected communications that rely on the RSA cryptosystem when the key is exposed, even indirectly, through SSLv2, short for Secure Sockets Layer version 2.

TLS allows everyone on the internet to browse the web, use e-mail, shop online and send instant messages without third parties being able to read the communication. The vulnerability allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.

While many security experts believed the removal of SSLv2 support from browser and e-mail clients prevented abuse of the legacy protocol, some misconfigured TLS implementations still tacitly support the legacy protocol when an end-user computer specifically requests its use.

Websites, mail servers, and other TLS-dependent services are at risk for this attack, and many popular sites are affected.

In practice, older email servers would be more likely to have this problem than the newer computers typically used to power websites.
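What "exposed even indirectly" means when auditing an inventory, as an added example that is not the researchers' tool: an endpoint that offers only TLS is still at risk if any other service using the same RSA key accepts SSLv2. The scan records are constructed and the field layout is an assumption.

```python
from collections import defaultdict

# Constructed scan inventory: (endpoint, RSA public key fingerprint, protocols offered).
INVENTORY = [
    ("www.example.test:443",  "key-A", {"TLSv1.2"}),
    ("mail.example.test:25",  "key-A", {"SSLv2", "TLSv1.0"}),
    ("shop.example.test:443", "key-B", {"TLSv1.1", "TLSv1.2"}),
    ("old.example.test:443",  "key-C", {"SSLv2", "SSLv3"}),
]


def drown_exposure(inventory):
    """Map each at-risk endpoint to 'direct' or to the SSLv2 endpoints sharing its key."""
    sslv2_by_key = defaultdict(list)
    for endpoint, key, protocols in inventory:
        if "SSLv2" in protocols:
            sslv2_by_key[key].append(endpoint)

    findings = {}
    for endpoint, key, protocols in inventory:
        if "SSLv2" in protocols:
            findings[endpoint] = "direct"
        elif key in sslv2_by_key:
            # TLS-only here, but the same private key answers SSLv2 elsewhere.
            findings[endpoint] = "shared key with " + ", ".join(sorted(sslv2_by_key[key]))
    return findings


def keys_to_fix(inventory):
    """Keys for which SSLv2 must be disabled on every endpoint that uses them."""
    return sorted({key for _, key, protocols in inventory if "SSLv2" in protocols})
```

In this sample the web server is clean on its own and is flagged only because the mail server reuses its key.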

In addition, because many of the servers vulnerable to DROWN were also affected by a separate bug, a successful attack could be carried out using a home computer.

Although a fix has been issued, it will take time for many website administrators to protect their systems.

The researchers have released a tool that identifies websites that appear to be vulnerable.

The SSLv2 protocol was weakened because, at the time of its creation, the US government wanted to try to restrict the availability of tough encryption standards to other countries.

It has since eased its export limits, but the effects live on.

Researcher discovers flaws in Telekom’s server


Ebrahim Hegazy, an Egyptian researcher, has found another vulnerability that affected the Web servers of Deutsche Telekom, Germany's biggest telecommunications provider.

He discovered the bug on the telekom.de website, on one of the subdomains that displayed a generic landing page. The subdomain umfragen.telekom.de translates to suggestions.telekom.de, and seems to be an abandoned Web page left behind from previous site iterations.

According to the researcher, attackers could have gained full control of the Deutsche Telekom server.
The researcher said that the vulnerability was the most basic example of a Remote Code Execution (RCE) vulnerability, one that allows attackers to gain full control of a Web server just by pinging its ports and opening connections with malicious requests.

Having brute-forced the URL, Hegazy came across an upload.php file. The researcher built a tool called Pemburu for pen testing.

He managed to find the URL to which the upload.php file sent user-submitted data. His tool went through a large set of URL variations and eventually discovered that the file sent data to umfragen2.telekom.de/upload.php. This allowed Hegazy to take a closer look at the code.

He came across a mechanism that acquired user input from the HTTP POST request without sanitizing it in any way and then attached the data as parameters to the PHP system function.

This particular function is modeled after the system function in C and allows PHP developers to execute shell commands from inside their PHP app and retrieve the results. Generally, it's considered a good practice not to use this function on any front-facing Web server.

He reported the flaw to the telco's security team. The flaw has been patched.

According to a report published by Softpedia, his research was carried out as part of the company's bug bounty program and received a €2,000 / $2,150 reward.

Danske bank fixes several vulnerabilities that could allow hackers to get into bank accounts



Most of us prefer to keep our money in bank accounts rather than at home, believing that banks are safer than our homes. But you may well panic once you read a blog post by Sijmen Ruwhof, a freelance IT security consultant and ethical hacker.

He has published a bank review entitled “How I could hack internet bank accounts of Danish largest bank in a few minutes”, in which he revealed that any hacker could easily get into the website of Danske Bank, one of the largest banks in Denmark, and gain access to users' accounts.

His in-depth technical post explains the extent to which Danske Bank is vulnerable to hacking.

He discovered the vulnerability in August, when he became intrigued by the idea of testing the bank’s security while talking with a group of Danish hackers at the Chaos Communication Camp (CCC), near Berlin.

During those conversations, security experts and white-hat hackers were disappointed with the terrible security implementations adopted by many Danish banks.

“I opened up the Danske Bank’s website and was curious to see how the HTML code looked like, so opened the code of the customer login screen of the banking environment. I strolled thru the code to get a grasp of the technology used,” the security researcher wrote in the blog.

Then he saw JavaScript comments that seemed to contain internal server information. Not just a few variables, but quite a lot of confidential data.

“It was in URL encoded format, so I decoded it right away. Really wondering what kind of secrets it contained,” he added. “I was shocked. Is this happening for real? In less than a minute on their web site, this is just the HTML code of the login screen, one of the most visited pages of Danske Bank’s web site.”

The researcher said that, while visiting Danske Bank’s website, he could see the IP address of a probable customer in the variable HTTP_CLIENTIP. Similarly, HTTP_USER_AGENT contained operating system and web browser details.

He warned that the variable HTTP_COOKIE was visible and full of information; a customer's credentials could be hijacked in very little time.

According to the researcher, Danske Bank doesn’t use a secure HTTPS connection to transport customer banking traffic, as the variable HTTPS was OFF and SERVER_PORT carried the value 80. The bank is also still using COBOL code on its backend, for CICS (Customer Information Control System) and database handling.
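A pre-release check for the kind of leak described above, as an added example that is not the researcher's or the bank's code: it extracts comments from a page, URL-decodes them and reports any server variables they carry. The sample page is constructed; the watch list uses the variable names the article mentions.

```python
import re
from urllib.parse import unquote

# Variable names mentioned in the article; extend the list for your own stack.
WATCHED = ("HTTP_CLIENTIP", "HTTP_USER_AGENT", "HTTP_COOKIE", "HTTPS", "SERVER_PORT")

# HTML comments and JavaScript block comments (// line comments are not covered).
COMMENT_RE = re.compile(r"<!--(.*?)-->|/\*(.*?)\*/", re.DOTALL)
PAIR_RE = re.compile(r"\b(" + "|".join(WATCHED) + r")\s*=\s*([^&\s]*)")

# Constructed sample page with a URL-encoded debug dump left in a script comment.
SAMPLE_PAGE = """<html><head><script>
/* dbg: HTTP_CLIENTIP%3D203.0.113.7%26HTTPS%3DOFF%26SERVER_PORT%3D80%26HTTP_COOKIE%3Dsid%253Dabc */
function login() { return true; }
</script></head><body><!-- login form v2 --></body></html>"""


def leaked_server_variables(page):
    """Return {variable: value} for watched variables found in page comments."""
    found = {}
    for html_c, js_c in COMMENT_RE.findall(page):
        decoded = unquote(html_c or js_c)      # first decoding pass over the comment
        for name, value in PAIR_RE.findall(decoded):
            found[name] = unquote(value)       # values may be encoded a second time
    return found
```

Run against rendered pages in a build or staging pipeline, a non-empty result is a reason to fail the release.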

The good news, however, is that the bank has patched all the vulnerabilities, though only after the researcher had published his findings on his blog.

Starbucks fixes critical flaws that could allow an attacker to steal users’ credit-cards



Mohamed M. Fouad, an Information Security Consultant from SecureMisr, has discovered a critical flaw in Starbucks that allowed an attacker to steal users’ credit-cards and perform Remote Code Execution.

“I discovered a lot of critical security vulnerabilities at (Starbucks) that can lead to very harmful impact on all users by forcing them to change their passwords, add alternative emails or change anything in their store profile settings and steal users’ stored credit-cards. It can also perform phishing attack on users and remote code execution on Starbucks servers,” the Egyptian researcher said in a blog post.

According to the researcher, a Remote File Inclusion vulnerability occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution. It allowed me to perform:

- Code execution on the web server.

- Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS).

- Data theft/manipulation via phishing attacks to steal user accounts that contain credit card and payment order information.

The researcher started his research a year ago, when a zero-day in the Starbucks iOS mobile application was reported and an "Insecure Data Storage" vulnerability was detected.

While searching for Starbucks hacking news, he found another vulnerability two months ago that allowed attackers to steal Starbucks users' gift cards and duplicate funds on Starbucks gift cards.

“I noticed 2 months ago that Starbucks joined bug bounty programs. So my passion led me to take a look at Starbucks, looking for vulnerabilities in Starbucks, until I found two major vulnerabilities which allow an attacker to perform Remote Code Execution on Starbucks server, also phishing attacks via Remote File Inclusion Vulnerability, and another one, it was critical also, about CSRF store account take over by just one-click. Starbucks store account contains payment history,” he added.

However, Starbucks confirmed that it has fixed the vulnerabilities.