Researcher discovers flaws in Telekom’s server

Ebrahim Hegazy, an Egyptian researcher, has found another vulnerability that affected the Web servers of Deutsche Telekom, Germany's biggest telecommunications provider.

He discovered the bug on the website, on one of the subdomains that displayed a generic landing page. The subdomain translates to, and seems to be an abandoned Web page left behind from previous site iterations.

According to the researcher, attackers could have gained full control of the Deutsche Telekom server.
He described the vulnerability as the most basic example of a Remote Code Execution (RCE) flaw: one that lets attackers take full control of a Web server simply by probing its open ports and connections with malicious requests.

Having brute-forced the URL, Hegazy came across an upload.php file. The researcher built a tool called Pemburu for pen testing.

He then needed to find the URL to which the upload.php file sent user-submitted data. His tool worked through a large set of URL variations and eventually found the endpoint the file posted to, which allowed Hegazy to take a closer look at the code.

He came across a mechanism that took user input from the HTTP POST request without sanitizing it in any way and then passed that data as arguments to the PHP system function.

This particular function is modeled after the system function in C and allows PHP developers to execute shell commands from inside their PHP app and retrieve the results. Generally, it's considered a good practice not to use this function on any front-facing Web server.
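The pattern described above, shown beside a hardened version, as an added example that is not the Telekom code. The page only says that POST data reached system() unsanitized; the field name "filename", the upload directory and the "file" command are assumptions made for illustration.

```php
<?php
// Added example, not the Telekom code. The page only says that POST data
// reached system() unsanitized; the field name "filename", the upload
// directory and the "file" command are assumptions for illustration.

// VULNERABLE: the POST field is concatenated straight into a shell command.
// A value such as "x; id" ends the intended command and runs a second one.
function describe_upload_unsafe(array $post): void
{
    system("file /var/uploads/" . $post['filename']);
}

// A strict allowlist for file names: letters, digits, dot, dash, underscore,
// no leading dot, no path separators, bounded length.
function is_safe_filename(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$/', $name) === 1;
}

// HARDENED: reject anything outside the allowlist, then shell-escape anyway
// (escapeshellarg() single-quotes the value so metacharacters are inert).
function describe_upload_safe(array $post): ?string
{
    $name = $post['filename'] ?? '';
    if (!is_safe_filename($name)) {
        return null;                       // reject; do not try to "clean" it
    }
    $out = [];
    $status = 0;
    exec('file ' . escapeshellarg('/var/uploads/' . $name), $out, $status);
    return $status === 0 ? implode("\n", $out) : null;
}

// BEST: when the shell is not needed, do not involve it at all.
function describe_upload_native(array $post): ?string
{
    $name = $post['filename'] ?? '';
    if (!is_safe_filename($name)) {
        return null;
    }
    $path = '/var/uploads/' . $name;
    return is_file($path) ? mime_content_type($path) : null;
}

var_dump(is_safe_filename('report.pdf'));
var_dump(is_safe_filename('x; id'));
var_dump(is_safe_filename('../../etc/passwd'));
```

The allowlist does the real work; escapeshellarg() is defence in depth for the day someone relaxes the regex, and the native variant removes the shell from the picture entirely, which is the advice the paragraph above gives for front-facing servers.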

He reported the flaw to the telco's security team, and it has since been patched.

According to a report published by Softpedia, his research was carried out as part of the company's bug bounty program and earned him a €2,000 / $2,150 reward.

Danske bank fixes several vulnerabilities that could allow hackers to get into bank accounts

Most of us prefer to keep money in a bank account rather than at home because we believe banks are safer than our homes. But you may well panic once you read a blog post by Sijmen Ruwhof, a freelance IT security consultant and ethical hacker.

He has published a review entitled “How I could hack internet bank accounts of Danish largest bank in a few minutes” in which he revealed that any hacker could easily get into the website of Danske Bank, one of Denmark's largest banks, and gain access to users' accounts.

His in-depth technical post explains the extent to which Danske Bank is vulnerable to hacking.

He discovered the vulnerability in August, when he became intrigued by the idea of testing the bank's security while talking with a group of Danish hackers at the Chaos Communication Camp (CCC), near Berlin.

During those conversations, security experts and white-hat hackers voiced their disappointment with the poor security practices adopted by many Danish banks.

“I opened up the Danske Bank’s website and was curious to see what the HTML code looked like, so I opened the code of the customer login screen of the banking environment. I strolled through the code to get a grasp of the technology used,” the security researcher wrote in the blog.

Then he saw JavaScript comments that seemed to contain internal server information. Not just a few variables, but quite a lot of confidential data.

“It was in URL encoded format, so I decoded it right away. Really wondering what kind of secrets it contained,” he added. “I was shocked. Is this happening for real? In less than a minute on their web site, this is just the HTML code of the login screen, one of the most visited pages of Danske Bank’s web site.”

The researcher said that, while visiting Danske Bank’s website, he could see the IP address of what was probably a customer in the variable HTTP_CLIENTIP. Similarly, HTTP_USER_AGENT revealed operating system and web browser details.

He warned that the variable HTTP_COOKIE was visible and full of information; a customer's session credentials could be hijacked in very little time.

According to the researcher, Danske Bank did not use a secure HTTPS connection to transport customer banking traffic: the variable HTTPS was set to OFF and SERVER_PORT carried the value 80. The bank still uses COBOL code on its backend for CICS (Customer Information Control System) and database handling.
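A check a defender could run against a page's HTML to catch the leak described above, as an added example that is not Ruwhof's code: it pulls the comments out of the markup, URL-decodes them, and reports any CGI variables it finds, then flags plaintext transport from the leaked HTTPS and SERVER_PORT values. The sample HTML is constructed (203.0.113.7 is a documentation address).

```php
<?php
// Added example, not Ruwhof's code. Detects server variables dumped into
// HTML or JavaScript comments, the leak described in the text. The sample
// page below is constructed for the demo.

const SENSITIVE_VARS = ['HTTP_COOKIE', 'HTTP_CLIENTIP', 'HTTP_USER_AGENT', 'HTTPS', 'SERVER_PORT'];

// Returns [variable name => value] for every sensitive variable found inside
// a comment after URL-decoding it.
function find_leaked_server_vars(string $html): array
{
    $findings = [];
    // <!-- --> blocks, /* */ blocks and // line comments.
    preg_match_all('#<!--(.*?)-->|/\*(.*?)\*/|//([^\n]*)#s', $html, $m);
    $comments = array_merge($m[1], $m[2], $m[3]);
    foreach ($comments as $c) {
        if ($c === '') {
            continue;                          // group did not participate
        }
        $decoded = urldecode($c);
        foreach (SENSITIVE_VARS as $var) {
            if (preg_match('/\b' . $var . '\s*[=:]\s*([^&\s;]*)/', $decoded, $v)) {
                $findings[$var] = $v[1];
            }
        }
    }
    return $findings;
}

// The transport finding from the text: HTTPS=OFF or SERVER_PORT=80 means the
// banking traffic travelled in the clear.
function transport_is_insecure(array $findings): bool
{
    return ($findings['HTTPS'] ?? '') === 'OFF'
        || ($findings['SERVER_PORT'] ?? '') === '80';
}

$sample = <<<HTML
<html><head><script>
// debug: HTTP_CLIENTIP%3D203.0.113.7%26HTTP_USER_AGENT%3DMozilla%2F5.0%26HTTPS%3DOFF%26SERVER_PORT%3D80
</script></head><body>login</body></html>
HTML;

$found = find_leaked_server_vars($sample);
print_r($found);
var_dump(transport_is_insecure($found));
```

The comment regex is deliberately loose (a `//` inside a URL will also be inspected); for a scanner that only reports names of well-known variables, a false positive costs nothing, while a miss would.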

The good news is that the bank has patched all the vulnerabilities, though only after the researcher had published his findings on his blog.

Starbucks fixes critical flaws that could allow an attacker to steal users’ credit cards

Mohamed M. Fouad, an Information Security Consultant from SecureMisr, has discovered a critical flaw in Starbucks that allowed an attacker to steal users’ credit cards and perform Remote Code Execution.

“I discovered a lot of critical security vulnerabilities at (Starbucks) that can lead to very harmful impact on all users by forcing them to change their passwords, add alternative emails or change anything in their store profile settings and steal users’ stored credit-cards. It can also perform phishing attack on users and remote code execution on Starbucks servers,” the Egyptian researcher said in a blog post.

According to the researcher, a Remote File Inclusion vulnerability occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution. He said it allowed him to perform:

- Code execution on the web server.

- Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS).

- Data theft/manipulation via phishing attacks to steal user accounts that contain credit card and payment order information.
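The inclusion pattern the researcher describes, beside the hardened alternative, as an added example that is not Starbucks' code. The "page" parameter, the template names and the templates directory are assumptions made for illustration.

```php
<?php
// Added example, not Starbucks' code. The "page" parameter, template names
// and templates directory are assumptions for illustration.

// VULNERABLE: the request parameter becomes the include path. With
// allow_url_include enabled this fetches and executes remote code; even with
// it off, arbitrary local files can still be pulled in.
function render_unsafe(array $get): void
{
    include $get['page'] . '.php';
}

// HARDENED: map the parameter onto a fixed set of templates and never build
// a path from user input at all.
function templates(): array
{
    return [
        'home'    => __DIR__ . '/templates/home.php',
        'profile' => __DIR__ . '/templates/profile.php',
    ];
}

function resolve_template(string $page): ?string
{
    return templates()[$page] ?? null;
}

function render_safe(array $get): void
{
    $path = resolve_template($get['page'] ?? '');
    if ($path === null) {
        http_response_code(404);           // unknown page: refuse, do not guess
        return;
    }
    include $path;
}

// Defence in depth: remote inclusion should also be disabled in php.ini.
function rfi_ini_hardened(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

var_dump(resolve_template('home') !== null);
var_dump(resolve_template('../../etc/passwd'));
var_dump(resolve_template('http://example.invalid/x'));
var_dump(rfi_ini_hardened());
```

The allowlist lookup is the fix; the ini check only limits the blast radius if an include somewhere else in the code base is still built from input.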

The researcher started looking at Starbucks a year ago, when a zero-day "Insecure Data Storage" vulnerability was detected in the Starbucks iOS mobile application.

While searching for Starbucks hacking news, he came across another vulnerability two months ago that allowed attackers to steal Starbucks users' gift cards and duplicate funds on Starbucks gift cards.

“I noticed 2 months ago that Starbucks joined bug bounty programs. So my passion led me to take a look on Starbucks looking for vulnerabilities in Starbucks until I found two major vulnerabilities which allow an attacker to perform Remote Code Execution on Starbucks server also phishing attacks via Remote File Inclusion Vulnerability and another one it was critical also about CSRF store account take over by just one-click. Starbucks store account contains payment history,” he added.

However, Starbucks confirmed that it has fixed the vulnerabilities.

Apple claims to have fully fixed a critical iOS AirDrop vulnerability, which the researcher says it hasn’t

Some days ago, Mark Dowd, a security researcher, discovered a critical flaw in iOS 9 that allows an attacker within Bluetooth range of an iPhone to install malicious apps using the AirDrop file-sharing feature.

According to a report published in Ars Technica, the researcher privately reported it to Apple.

Apple then released a statement on Wednesday saying that the vulnerability had been mitigated in iOS 9.

However, the researcher continued his work and revealed that the bug still hasn't been fixed.

The mitigations available in Wednesday's release of iOS 9 are one more benefit that security-conscious iPhone users should consider when deciding whether to install the update.

The researcher exploited a directory traversal flaw that allows attackers to write or overwrite files of their choice in almost any location on the device.
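The containment check whose absence produces this class of bug, as an added example that is not Apple's or Dowd's code and is not tied to AirDrop: a received file name must resolve inside the intended inbox directory before anything is written, both lexically (no ".." segments) and on the filesystem (no planted symlink redirecting the write). The inbox directory and file names are constructed for the demo.

```php
<?php
// Added example, not Apple's or Dowd's code. Shows the containment check
// that prevents a received file from being written outside its inbox. The
// inbox directory and file names below are constructed for the demo.

// Returns the absolute path to write to, or null if $relative would escape $inbox.
function safe_destination(string $inbox, string $relative): ?string
{
    $base = realpath($inbox);
    if ($base === false || strpos($relative, "\0") !== false) {
        return null;
    }
    // Lexical check first: split on / or \, drop empty and "." segments, and
    // refuse any ".." segment outright instead of trying to resolve it.
    $parts = [];
    foreach (preg_split('#[\\\\/]+#', $relative) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            return null;
        }
        $parts[] = $seg;
    }
    if ($parts === []) {
        return null;
    }
    $candidate = $base . '/' . implode('/', $parts);
    // Filesystem check second: a symlink already under the inbox could still
    // redirect the write, so resolve the deepest existing ancestor and confirm
    // it is still inside the base directory.
    $existing = $candidate;
    while (!file_exists($existing) && $existing !== $base) {
        $existing = dirname($existing);
    }
    $resolved = realpath($existing);
    if ($resolved === false) {
        return null;
    }
    if ($resolved !== $base && strncmp($resolved, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Writes the received bytes only when the destination passes the check.
function receive_file(string $inbox, string $name, string $bytes): bool
{
    $dest = safe_destination($inbox, $name);
    if ($dest === null) {
        return false;
    }
    @mkdir(dirname($dest), 0700, true);
    return file_put_contents($dest, $bytes, LOCK_EX) !== false;
}

$inbox = sys_get_temp_dir() . '/inbox_demo';
@mkdir($inbox, 0700, true);
var_dump(receive_file($inbox, 'photo.jpg', 'constructed bytes'));
var_dump(receive_file($inbox, '../../Library/Preferences/x.plist', 'constructed bytes'));
```

Rejecting ".." outright rather than normalising it is a deliberate choice: a sender has no legitimate reason to name a file that way, and refusing is simpler to reason about than collapsing segments.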

The researcher used an enterprise certificate that Apple makes available to developers so large organizations can install custom apps on large fleets of iPhones.

During his research, installs performed with his technique did not generate the dialog that warns the end user that the app is signed by a third party and asks for approval to proceed.

“Another method for bypassing iOS code-signing restrictions would be to combine my Airdrop hack with a jailbreak exploit, such as the TaiG jailbreak that Apple recently patched with version 8.4 of iOS,” he said.

He posted a video showing how the bug allows attackers who briefly have physical access to a vulnerable iPhone, or who are within Bluetooth range of it, to install an app that the device will trust without prompting the user with a warning dialog.

Security Bug allows Hackers to take Control of Curiosity Rover's OS

Serious security flaws have been discovered in VxWorks, a real-time operating system made in 1987 by Wind River of Alameda, California, US. The OS is used in everything from network routers to critical systems such as NASA's Curiosity rover on Mars and the Boeing 787 Dreamliner.

Canadian researcher Yannick Formaggio presented details of a significant flaw in VxWorks at 44Con, an information security conference in London. He said, "VxWorks is the world's most widely used real-time operating system deployed in embedded systems. Its market reach spans across all safety critical fields, including the Mars Curiosity rover, Boeing 787 Dreamliner, network routers to name a few." Formaggio added, "In this age of IoT, the issue will have a widespread impact."

The researcher discovered the flaw after a client of Istuary asked for help understanding the critical infrastructure industry.

The flaw allowed Formaggio “to target a specific part of the operating system and write to memory on the machine running VxWorks. From there, it was possible to set up a backdoor account and control functions of the operating system."

Another major finding of his research was that the “FTP server is susceptible to ring buffer overflow when accessed at a high speed” and crashes when sent a “specially crafted username and password”.

The current version of VxWorks is 7; version 653 has the problem, which may affect many millions of devices that need to be patched. Wind River has acknowledged the flaw and is in the process of providing patches.

WhatsApp fixed a security flaw that could allow attackers to Hack WhatsApp accounts

Hey people! In order to make sure you are protected, update your WhatsApp Web right now.

Kasif Dekel, a security researcher at Check Point, discovered significant vulnerabilities in the WhatsApp Web logic that allow attackers to trick victims into executing arbitrary code on their machines.

“All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising computers by distributing bots, ransomware, RATs, and other malware,” the researchers wrote in a blog.

According to the researcher, all an attacker needs in order to target an individual is the phone number associated with the WhatsApp account.

According to Kasif, WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.

During the research, he found that by manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file. This meant that once the victim clicked the downloaded file (believing it to be a contact card), the code inside the batch file ran on their computer.

The researchers said they were surprised to find that WhatsApp performed no validation of the vCard format or of the file's contents; when they placed an exe file in the request, the WhatsApp Web client happily let them download the PE file in all its glory.
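The validation the researchers found missing, as an added example that is not WhatsApp's code: before a client offers an attachment advertised as a contact card for download, it checks that the file name carries a vCard extension and no path components, that the bytes do not start with an executable header, and that the contents actually parse as a vCard envelope. All sample inputs are constructed.

```php
<?php
// Added example, not WhatsApp's code. An attachment advertised as a contact
// card must have a vCard extension and vCard contents, and must not be an
// executable. All sample inputs below are constructed.

const VCARD_EXTENSIONS = ['vcf', 'vcard'];

// Structural check: BEGIN/END envelope plus a VERSION line.
function looks_like_vcard(string $bytes): bool
{
    $text = preg_replace('/^\xEF\xBB\xBF/', '', $bytes);          // strip UTF-8 BOM
    $text = str_replace(["\r\n", "\r"], "\n", $text);             // normalise line endings
    return preg_match('/^BEGIN:VCARD\n.*\nEND:VCARD\s*$/s', $text) === 1
        && preg_match('/^VERSION:[0-9.]+$/m', $text) === 1;
}

// Content sniff for a Windows executable, whatever the file name claims.
function looks_like_pe(string $bytes): bool
{
    return strncmp($bytes, "MZ", 2) === 0;                        // DOS/PE header
}

// The decision a client should make before offering the file for download.
function is_acceptable_contact_card(string $filename, string $bytes): bool
{
    if (preg_match('#[/\\\\]#', $filename) || strpos($filename, "\0") !== false) {
        return false;                                             // no path components
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, VCARD_EXTENSIONS, true)) {
        return false;                                             // .bat, .exe, ... rejected here
    }
    if (looks_like_pe($bytes)) {
        return false;                                             // right name, wrong bytes
    }
    return looks_like_vcard($bytes);
}

$card = "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL:+10000000000\r\nEND:VCARD\r\n";
var_dump(is_acceptable_contact_card('alice.vcf', $card));
var_dump(is_acceptable_contact_card('alice.bat', "@echo off\r\necho constructed\r\n"));
var_dump(is_acceptable_contact_card('alice.vcf', "MZ\x90\x00constructed"));
var_dump(is_acceptable_contact_card('alice.vcf', "not a card"));
```

The extension check alone would have stopped the batch-file variant described above; the content checks are there so that a correctly named file cannot smuggle an executable through, which is the exe case the researchers reported.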

WhatsApp verified the issue and has deployed an initial mitigation against exploitation in all web clients, pending an update of the WhatsApp client.