Trend Micro discovers vulnerability in Android debugger "Debuggerd"


Trend Micro has found a new vulnerability that exists in phones running Android IceCream Sandwich to Lollipop.

The vulnerability in the debugging program of Android, Debuggered, allows a hacker to view the device's memory and the data stored on it.

You can create a special ELF (Executable and Linkable Format) file to crash the debugger and then you can view the dumps and log files of content stored on the memory.

The glitch in itself is not a big threat but the type of data it can give a hacker access to can lead to a difficult situation.

Google is said to be working on a fix in the next version of Android for this.

Vulnerability found in Apple devices that puts your password at risk

A group of security researchers have come forward with startling news that passwords and other data on your Apple devices might not be safe. The group has published their findings in a paper where they explain how Apple's devices could be hacked.

The paper explains that the way Apple writes its code to communicate between devices, they were able to hack in to the system by uploading an app with malware onto the Apple Store.

The app in turn downloaded secure data, that should not be accessible to anyone, to the hacker. The confidential data that the app was able to steal included passwords of bank accounts, emails and iCloud.

The team's lead researcher said that his team was able to gain unauthorized access to other applications on a Apple device.

The devices affected by this problem are the iPhone, iPad and Mac.

Researcher discloses a flaw in Samsung Keyboard leaves 600m Android devices vulnerable to hacking attack

A flaw has been disclosed by a security researcher in Samsung's Android, including the recently released Galaxy S6, keyboard installed on over 600 million Samsung mobile device users that could allow hackers to take full control over the smartphones or tablet.

Ryan Welton, a mobile security researcher at NowSecure, who discovered the vulnerability, wrote in the blog, “A remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone. The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited.”

Researcher said that the vulnerability was discovered last year. Samsung was notified in December 2014. However, Samsung asked NowSecure not to disclose the flaw until it could fix the problem.

NowSecure also notified CERT who assigned CVE-2015-2865, and also informed the Google Android security team.

 The researcher pointed out the flaw could attacker to do:

-         - Access sensors and resources like GPS, camera and microphone.
-         -  Secretly install malicious app(s) without the user knowing.
-          - Tamper with how other apps work or how the phone works.
-          - Eavesdrop on incoming/outgoing messages or voice calls.
-          - Attempt to access sensitive personal data like pictures and text messages.

According to the researcher, the defected keyboard application can’t be uninstalled. Similarly, it is not easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update.

“However, in order to reduce the risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing,” the researcher added.

Zomato fixed a Security bug that allowed hackers to access Personal data of 62 Million users


Zomato, an online restaurant search and discovery service providing information on home delivery, dining-out, caf├ęs and nightlife to various cities across India and 21 other countries, has fixed a bug which could allow an attacker to gain access to personal information of million users.

Anand Prakash, discovered Insecure Direct Object Reference(IDOR) vulnerability in the Zomato website.

IDOR occurs when an application provides direct access to objects based on user-supplied input. The vulnerability allows the attackers to bypass authorization and access resources in the system directly by modifying the value of a parameter used to directly point to an object, for example database records or files.

One of the API calls used for retrieving the users information is insecurely coded.  It gets the information only based on the "browser_id" parameter passed in a HTTP GET request and fails to verify the user is authorized to access the requested data.

By sequentially changing the 'browser_id' value, an attacker is able to access the users' personal information, such as Names, Email addresses, phone numbers, Date of birth.

"The data leaked also had Instagram access token which could be used to see private photos on Instagram of respective Zomato users,” Prakash wrote in his blog.

Prakash reported the vulnerability to Deepinder Goyal, CEO of Zomato, On June 1. And the next day (June 2), the flaw was fixed by Gunjan Patidar along with his engineering team.

You can also check the Proof of concept Video:


Privacy bug found in Gaana.com allows hackers to access your details


A Privacy bug was found in the largest Indian online music streaming service Gaana website, which allowed access to private details of users including the date of birth.

A Security researcher Avinash, found an Insecure direct object reference vulnerability, and reported it to the Gaana.com. Gaana.com fixed the bugs after three weeks.

Avinash said a bug in an Internal API gave him access to 11 Million records.  A simple HTTP Get request with the corresponding User ID is enough to get their details.

The researcher said he was able to access full name, profile picture, email address, date of birth and last song they listened on Gaana. 

In his blog post, he wrote “ On 12th of May I had discovered a vulnerability on Gaana.com. I contacted their team and it was fixed recently.”

When EHN contacted the author about why the original article has been removed from the blog by the author. He replied that "he removed it after getting a request from Gaana.com."

You can find the cached version of the Blog post in Google Cache

Emerson fixes SQL injection bug in AMS Device Manager


Emerson Process Management has released a patch for SQL Injection vulnerability in its AMS Device Manager application.

Emerson AMS Device Manager is a software used worldwide primarily in the oil and gas and chemical industries.

The Advisory (ICSA-15-111-01) released on the ICS-CERT website quoted that the vulnerability is not exploitable remotely and cannot be exploited without user interaction. It also stated that an attacker’s access to the vulnerability is of medium difficulty level.

"Successful attack results in administrative access to the application and its data files but not to the underlying computer system." The advisory reads.

The vulnerability affects AMS Device Manager, V12.5 and earlier.


Emerson advises the users of this application to take some steps to avoid exploitation to this vulnerability.

For AMS Device Manager application v12.5; it suggests the users to apply a patch, upgrade to v13, or apply the workaround below. For the earlier versions, the software can be configured by adding another user with full administrative privileges and making the default administrative user have read-only privileges.

ICS-CERT also recommends the users to limit user privileges on ICS running software machines, reduce network exposure for all control system device, locate control system networks and remote devices behind firewalls, and isolate them from the business network.