Search This Blog

Showing posts with label Bug. Show all posts

Microsoft Alerted Azure Customers of Bug That Could Have Allowed Hackers to Access Data

 

Microsoft alerted some Azure cloud computing users that a vulnerability uncovered by security experts might have given hackers access to their data. 

In a blog post from its security response team, Microsoft stated it had patched the issue identified by Palo Alto Networks and had no sign malicious attackers had exploited the technique. It further stated that certain users have been asked to change their login passwords as a preventive measure. 

The blog post was in response to an inquiry from Reuters regarding Palo Alto's technique. Microsoft refused to respond to any of the inquiries, including whether or not it was assured that no data had been accessed. 

Palo Alto researcher Ariel Zelivansky told Reuters in a previous interview that his team had cracked Azure's widely used platform for so-called containers, which store applications for users. 

According to him, the Azure containers utilized code that had not been updated to address a known vulnerability. As a result, the Palo Alto team was finally able to gain entire authority over a group that comprised containers from other users. 

Ian Coldwater, a longtime container security expert who evaluated Palo Alto's work at the request of Reuters stated, "This is the first attack on a cloud provider to use container escape to control other accounts." 

In July, Palo Alto reported the problem to Microsoft. Zelivansky added it took his team several months to complete the project and agreed that malicious hackers were unlikely to apply a similar approach in real-world attacks. 

Nonetheless, this is the second significant issue discovered in Microsoft's fundamental Azure infrastructure in less than a month. Wiz security specialists revealed a database vulnerability in late August that would've let one client modify the data of another. 

In both situations, Microsoft's remarks were directed to customers who may have been harmed by the researchers' work, rather than everyone who was put in danger by its own code. 

Microsoft wrote, "Out of an abundance of caution, notifications were sent to customers potentially affected by the researcher's activities."

According to Coldwater, the issue stemmed from a failure to deploy fixes on time, something Microsoft has frequently faulted on its customers. He said that certain cloud security tools would have identified malicious assaults similar to the one predicted by the security firm and that logs would also indicate evidence of such activity. 

The research emphasized that security is a collective responsibility between cloud providers and clients. Cloud architectures, according to Zelivansky, are typically safe, Microsoft and other cloud providers can make improvements themselves rather than relying on customers to do so. 

He further added, cloud attacks by well-funded opponents such as sovereign governments, are a legitimate concern.

McDonald’s Password for the Monopoly VIP Database Leaked

 

The fast-food chain McDonald's mistakenly sent out emails with login credentials associated with a database for its Monopoly VIP game. 

McDonald's UK had to postpone the famous Monopoly VIP game for a year due to the COVID -19 pandemic. This year, on August 25th, McDonald's reintroduced the game. 

McDonald's Monopoly is a well-known marketing gimmick in which customers can win gifts and money by entering codes found on purchases. Basically, every time a person purchases a meal from a McDonald's restaurant, they have a chance to win a gift. 

Unfortunately, the game encountered a roadblock over the weekend when a bug resulted in prize redemption emails sent to prize winners, including the user names and passwords for the production and staging database servers. 

Troy Hunt released an unredacted screenshot of an exception fault in an email issued to prize winners with BleepingComputer, which includes critical information for the online application. 

The redacted email sent to a Monopoly VIP winner contained hostnames for Azure SQL databases and the databases' login names and passwords. The prize winner who shared the email with Troy Hunt stated that the production server was firewalled off but that the staging server could be accessed using the attached credentials. 

The person informed Troy Hunt in an email published with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons." 

Since these files may have contained winning prize codes, an unethical individual might have obtained unused game codes and exploited them to claim the rewards. 

Luckily for McDonald's, the individual appropriately reported the problem to them. While they did not receive a reply but later discovered that the staging server's password had been changed. 

Though this was not a unique incident, as several people claimed to have seen the credentials and even went so far as to record their experience on TikTok. 

McDonald's notified BleepingComputer that just the staging server's credentials were compromised, while the error clearly stated that the credentials of both a production and staging server were leaked.

In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties." 

"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”

SteelSeries Software Flaw Gives Windows 10 Admin Rights

 

A security researcher discovered that the official application for installing SteelSeries devices on Windows 10 can be abused to acquire administrator privileges. 

The vulnerability can be exploited during the device setup process by clicking a link in the License Agreement page that is loaded with SYSTEM capabilities. It is not essential to have an authentic SteelSeries device to exploit the problem. 

Possible to Emulate a Gadget?

The finding came after the disclosure of the news last week that the Razer Synapse software may be exploited to gain permissions when pairing a Razer mouse or keyboard. 

Driven by Jonhat's study, security researcher Lawrence Amer (research team leader at 0xsp) discovered that the same may be accomplished with the SteelSeries device installation software. 

Amer discovered a link in the License Agreement page that gets opened with SYSTEM rights during the device setup process, allowing complete admin privileges to a Windows 10 computer. He accessed the URL in Internet Explorer, it was then just a matter of using Internet Explorer to save the web page and launching elevated privileges Command Prompt from the right-click menu of the “Save As” box. 

One can then move around the PC with enhanced privileges and perform whatever an admin can do. This is applicable for all SteelSeries peripherals, including mouse, keyboards, and headsets. 

István Tóth, a penetration testing researcher, published an open-source script that can replicate human interface devices (HID) on an Android phone, particularly for testing local privilege escalation (LPE) situations. 

Despite being an experimental version, the script is capable of effectively emulating both Razer and SteelSeries devices. Tóth released a video after Amer published his study proving that the LPE discovered by Amer can be attained. 

Amer informed BleepingComputer that he attempted to notify SteelSeries about the vulnerability but was unable to locate a public bug reward program or a contact for product security. 

In response to the request from BleepingComputer for comment on the topic, a SteelSeries representative stated that the firm was aware of the problem and has eliminated the danger of exploitation by restricting the installation software from starting whenever a SteelSeries device is plugged in.

SteelSeries spokesperson stated, "We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon." 

As per the researcher, the vulnerability may still be abused even after it has been patched. When plugging in a SteelSeries device, an attacker could save the vulnerable signed executable dropped in the temporary folder and do it in a DNS poisoning attack.

12-Year-Old Authentication Bypass Vulnerability Could Allow Network Compromise

 

At least 20 router models have been found to have a 12-year-old authentication bypass vulnerability that might allow attackers to hijack networks and devices, possibly affecting millions of users. The critical path traversal bug was discovered by Evan Grant of Tenable and is tracked as CVE-2021–20090 with a CVSS of 9.8. It can be exploited by unauthenticated, remote attackers. Grant discovered the problem in Buffalo routers, notably the Arcadyan-based web interface software.

Grant discovered that bypass check() only checked as many bytes as there were in the bypass_list strings. Grant was able to circumvent authentication by exploiting this flaw, letting unauthenticated users view pages they shouldn't be able to. Two more vulnerabilities, CVE-2021-20091 and CVE-2021-20092, were discovered, however, they only target specific Buffalo routers at this time. 

According to Grant, this latest revelation raises concerns about the danger of supply chain attacks, which are becoming a more common and serious threat to businesses and technology users. “There is a much larger conversation to be had about how this vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors,” Grant wrote. "Consequently, we were surprised they hadn’t been discovered and fixed by the manufacturer or vendors who are selling affected devices over the past decade." 

On Friday, just three days following the bug's disclosure, Juniper Networks cybersecurity researchers announced that they had detected active exploitation of the bug. “We have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,” they wrote in a post. “The attacker seems to be attempting to deploy a Mirai variant on the affected routers.”

Mirai is a long-running botnet that can be used to launch distributed denial-of-service (DDoS) attacks by infecting linked devices. It first appeared in 2016, when it overloaded Dyn web hosting servers, bringing down over 1,200 websites, including Netflix and Twitter. Its source code was disclosed later that year, prompting the emergence of additional Mirai versions. 

According to Juniper, several of the scripts used in the latest wave of assaults are similar to those used in prior attacks in February and March. “The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,” researchers wrote.

Low-Risk iOS Wi-Fi Naming Issue can Compromise iPhones Remotely

 

According to recent research, the Wi-Fi network name issue that entirely disabled an iPhone's network connectivity had remote code execution capabilities and was discreetly patched by Apple earlier this year. 

On Monday, Apple released iOS 14.7 for iPhones, which includes bug fixes and security improvements as well as a remedy for the Wi-Fi denial-of-service issue. However, the company has not yet provided security information that may suggest whether its vulnerability has been fixed. 

The denial-of-service vulnerability, which was discovered last month, was caused by the way iOS managed string formats associated with the SSID input, causing any up-to-date iPhone to crash when connected to wireless access points with percent symbols in their names, such as "%p%s%s%s%s%n." 

While the problem could be solved by resetting the network settings (Settings > General > Reset > Reset Network Settings), Apple is likely to provide a fix in iOS 14.7, which is currently accessible to developers and public beta testers. 

Researchers from mobile security automation business ZecOps discovered that the same flaw could be abused to accomplish remote code execution (RCE) on targeted devices by simply adding the string pattern " % @" to the Wi-Fi hotspot's name, which may have had far-reaching repercussions. 

The issue was termed "WiFiDemon" by ZecOps. It's also a zero-click vulnerability as it allows a threat actor to infect a device without needing user interaction, however, it does necessitate that the setting to automatically connect Wi-Fi networks is enabled (which it is, by default). 

"As long as the Wi-Fi is turned on this vulnerability can be triggered," the researchers noted. "If the user is connected to an existing Wi-Fi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this zero-click attack." 

"This zero-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the Wi-Fi, nothing will be saved to the disk," the company stated. "

After turning off the malicious access point, the user's Wi-Fi function will be normal. A user could hardly notice if they have been attacked.

The RCE variant was discovered to be exploitable in all iOS versions before iOS 14.3, with Apple "silently" fixing the problem in January 2021 as part of their iOS 14.4 release. The vulnerability was not issued a CVE identifier. 

Given the vulnerability's exploitability, iPhone and iPad owners must update to the most recent iOS version to reduce the risk associated with the flaw.

This iPhone Bug Exists Even After Network Settings Reset

 

Two weeks after the iphone wifi bug was found, the same cybersecurity analyst Carl Schou discovered a similar different case. The expert in a tweet said that if an iPhone comes within a wifi network range called ‘%secretclub%power,' then the connected iphone wouldn't be able to use wifi or any other features related to it. The bug exists even if the user resets network settings, says Schou. 

9TO5Mac reports "Obviously, this is such an obscure chain of events that it is highly unlikely that any person accidentally falls into this unless a load of Wi-Fi pranksters suddenly pop up in the wild with open Wi-Fi networks using the poisoned name. Until Apple fixes this edge case in a future OS update, just keep an eye out for any Wi-Fi networks with percent symbols in their name." The only solution to fix the bug would be a factory reset of the iphone. 

However, the experts advise not to do it as it is not tested. The earlier problem was related to iPhones facing a network name with the SSiD “%p%s%s%s%s%n," however, the issue could be fixed by simply resetting the iphone in the network settings option. But the new problem has more threat as it can affect any device which comes into the range of the infected public wifi named 'secretclub%power.' However, it is clear that both the bugs are somewhat related as ‘%secretclub%power’ and ‘%p%s%s%s%s%n' exploit string format code vulnerability which lies somewhere in the iOS network stack. Schou tweeted "You can permanently disable any iOS device's WiFI by hosting a public WiFi named %secretclub%power. Resetting network settings is not guaranteed to restore functionality." 

As of now, it is clear that there exist many variants of network name bugs that use ‘%s’, ‘%p’, and ‘%n’ character sequences. From the user's perspective, the best way to stay safe from the bug is to avoid connecting your device to wifi networks that contain '%' symbols in their names. iOS users can only wait for the next update when Apple will fix the OS bug. "Here’s a funny bug: a security researcher has found that a carefully crafted network name causes a bug in the networking stack of iOS and can completely disable your iPhone’s ability to connect to Wi-Fi," reported 9TO5Mac previously.

Security Bug Detected in Google’s Android App

 

A vulnerability had existed in Google's eponymous Android app with over five billion downloads to date that might have enabled an attacker to stealthily steal the personal information of a victim's device. 

In a blog post-Sergey Toshin, the founder of Oversecured Mobile App Security Group, noted that it's about the way the Google app relies on code that is not packaged with the app directly. Several Android apps, notably the Google application, decrease download size and storage space by depending on code libraries installed on Android smartphones. 

However, the shortcoming in Google's code allowed the malicious application to inherit the permissions of the Google app and permit it to almost completely access data from a user. 

The malicious application could also pull the code library from a malicious app on the very same device rather than its legitimate code library. This access includes access to Google user accounts, search histories, e-mails, text messages, contacts, and call history, as well as microphone/camera triggering and user location. 

Toshin added that the malicious application will be activated once for the attack to start, but it is carried out without the knowledge or cooperation of the user. He added that removing the malicious program will not remove malicious components from the Google app. 

A Google spokesman told that last month it addressed the issue and there was no proof that the attackers would be using the flaw. The built-in malware scanner of Android, Google Protect Play, will stop the installation of harmful apps. However, there is no absolute safety feature, and malicious apps are already on the internet. 

Toshin stated that the vulnerability in Google's app is almost like a bug identified in TikTok earlier in this year that would allow an attacker to hijack a TikTok user's session tokens which are exploited to gain control of their account. 

Oversecured identified several other identical vulnerabilities, including the Google Play app for Android and more recent pre-installed apps on Samsung phones.

Indian Hacker Discovers a New Instagram Bug

 

Instagram has addressed a new flaw, which allows everyone to access private profiles without having to follow them and also lets them view archived posts and stories. 

The Facebook group recently rewarded an Indian programmer and Bug Bounty Hunter with Rs 22 lakh to identify the Instagram bug that can permit anybody, without following, to view different posts on a private Instagram account. The issue that the programmer, Mayur Fartade, has just reported on a media post might've been a big privacy violation that leads to target identity fraud and harassment given the hazards posed by it. On April 15, 2021, this flaw was notified to Instagram and now it is patched. 

The flaw might have enabled hackers or those intending to cyber spy – to target particular users' posts and gain access without having to follow their private account, according to Fartade. 

Fartade noted in his post that the high privileges which attackers may have gained would be utilized for looking at elements like “private/archived posts, stories, reels (and) IGTV, details including like/comment/save count, display_url, image. uri, Facebook linked page(if any) and other particulars, without following the user and by using Media ID”. 

The flaw may allow any brute person to force a "Media ID" post which is an ID for any post created on Instagram and then use it to regenerate legitimate links to archived posts and private posts. For this purpose, attackers can use the Instagram GraphQL tool on their developer library, input any targeted post's brute-forced media ID, and execute the tool to gain access to information such as the post link and other related details.

This issue might have revealed numerous sensitive facts and surely breached privacy, as non-followers having access to content on a private account could result in many untoward occurrences including identity theft, challenges, or harassment. 

Facebook in its letter to Fartade thanked him for his report: “After reviewing this issue, we have decided to award you a bounty of $30000. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future,” the company said. 


M1RACLES Bug Impacts Apple M1 Chips

 

A security researcher identified the first-ever vulnerability in Apple M1 chips that requires a silicon redesign to fix. The good news is that the flaw is considered low-risk, and even the security researcher who identified it believes the flaw is insignificant and has sought to avoid exaggerating the problem while presenting his findings. 

The vulnerability was codenamed M1RACLES and is presently tracked as CVE-2021-30747. It was discovered by Hector Martin, a software engineer at Asahi Linux, a project that works on porting Linux for Mac devices. 

In a simplified explanation, Martin explained that the vulnerability allowed two apps running on the same device to exchange data via a hidden channel at the CPU level, circumventing memory, sockets, files, and other standard operating system features. While the discovery is notable because of the amount of time, work, knowledge, and proficiency required to find bugs in a CPU's physical design, Martin states that the problem is of no benefit to attackers. 

The only way Martin can see this bug being abused is by dodgy advertising businesses, which could abuse an app they already had installed on a user's M1-based device for cross-app tracking, which would be a really bizarre scenario since the ad industry has many other more reliable data collection methods. 

Even though the M1RACLEs bug violates the OS security model by allowing a CPU process to transfer data to another CPU process over a secret channel, Martin believes the flaw was caused by a human error on Apple's M1 design team. 

“Someone in Apple’s silicon design team made a boo-boo. It happens. Engineers are human,” he said. Martin further added that he has informed Apple of his discoveries, but the firm has yet to clarify whether the flaw will be fixed in future M1 chip silicon versions. Martin revealed and debunked his own findings on a dedicated website that ridiculed similar sites developed in the past to advertise CPU vulnerabilities—many of which, like M1RACLEs, were similarly meaningless and insignificant to people's threat models. 

Martin concludes that exploitation on iOS may be used to overcome privacy protections adding that a malicious keyboard app may act as a keylogger by transferring typed text to another malicious app, which could subsequently transfer the information to the internet. 

However, he suggests that because of Apple's constraints on creating code at runtime, the firm could detect exploit attempts if it subjected App Store submissions to static analysis. The hypervisors disable guest access to the vulnerable register by default, the flaw can be mitigated by utilizing a virtual machine, but there aren't many other solutions, particularly on macOS.

Ransomware Qlocker Encrypts QNAP Devices with 7Zip

 

A huge ransomware campaign seems to be underway to attack QNAP devices globally and customers can now locate their files in password-protected 7zip archives. The ransomware is known as Qlocker and on 19 April 2021, it was aimed at attacking QNAP computers. Ever since the help platform of bleeping computers has had enormous development, and the victims' requests have increased in ID-Ransomware. 

However, as per the victims in the Qlocker support department of Bleeping Computer, hackers use 7-zip to transfer files to password-protected archives on QNAP computers. During locking of the files, multiple 72 processes are displayed on the QNAP Resource Monitor, which can be executed on the 7zip command line. Once ransomware is completed, files of the QNAP computer will be saved in a password-protected 7-zip file with a.7z extension. Victims must enter the password identified by the perpetrator only to retrieve those archives. 

As soon as one has encrypted the QNAP devices, they then have a !!!READ ME.txt ransom note with a special client key to sign on to the Tor ransomware payment platform. All victims are expected to pay Bitcoins of roughly 0.01, which is around $557.74, from the Qlocker restitution notes shown to get a password for their archived data. After payment is made and an invalid Bitcoin Tax ID has been entered, a 7Zip archive password will be displayed on the Tor Payments website. This password is exclusive to the victim that cannot be used on computers of all the other victims. 

On April 22, a security investigator, Jack Cable, announced a bug found in the Qlocker Tor platform that allows users to freely retrieve their 7zip passwords. This bug could allow victims to obtain a Bitcoin transaction ID from someone who has previously paid but changed it slightly. When the modified transaction ID was sent to the Qlocker Tor site, the payment was acknowledged, and the victim's password was displayed. 

Jack Cable also helped victims secretly recover their passwords and Emsisoft arranged to build a support system to further exploit this vulnerability. Unfortunately, the ransomware developers took it and patched it an hour after they heard of the error. There is no way to download files without a password that is not available for free anymore at this stage.

QNAP has lately solved critical vulnerabilities which enable a mobile player to access a device completely and to run ransomware. 

The following descriptions were found for these two vulnerabilities by QNAP on 16 April: 
CVE-2020-2509: Command Injection Vulnerability in QTS and QuTS hero
CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On 

"QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices," QNAP stated in a security advisory.

Wi-Fi Mouse Application Detected with Bug

 

According to a researcher named, Christopher Le Roux, the smartphone app named Wi-Fi Mouse, which enables users to monitor the mouse movements on their PC or Mac with a phone or tablet, has an unpatched bug, which encourages opponents to sabotage computers. The impact of the associated "server software" of the Android app is the Wi-Fi Mouse, which is required for installation on a Windows system, that enables the moving desktop app to regulate the mouse. The bug enables an opponent with a popular Wi-Fi network to fully access the Windows PC via a software-opened communication port. 

The unpatched bug doesn't affect the Android smartphone operating the Wi-Fi Mouse program, as per Le Roux's analysis. The application has been installed more than 100,000 times, according to the developer's overview of the Google Play platform for Wi-Fi Mouse. And according to the developer, the bug is linked to the Windows desktop applications which have a poor password and PIN protection. 

“The password/PIN option in the Windows Desktop app does not prevent remote control of a target running the software,” stated Le Roux. “I believe this may be an oversight on the part of the developer.” 

While attempting to pair the smartphone operating on Wi-Fi Mouse with the corresponding Wi-Fi Desktop Program, the researcher said that the application doesn't really appropriately request smartphone app users to enter a password or PIN. The absence of encryption gives a possible rogue user the chance to use Wi-Fi Mouse's open data port, Le Roux added.

“The Wi-Fi Mouse mobile app scans for and connects to hosts with TCP port 1978 open. Upon connecting the desktop server responds with OS information and the handshake is complete,” he wrote. “From within the mobile app, you have a mouse touchpad option as well as a file explorer. The file explorer allows a user to ‘open’ any file on the System. This includes executable files such as cmd.exe or powershell.exe, which will open each command terminal, respectively.” 

It is as simple to send ASCII characters as HEX with covering on either side accompanied by a packet to type the main unrestricted access to the targeted device. Particularly since there's no authentication between server and application this procedure is fast and simple to program. An opponent only requires the Wi-Fi Mouse application, which can be used on a targeted PC – no smartphone application is necessary. 

“Sadly, the app can be easily mimicked even if it is not installed or on the network. The Wi-Fi Mouse desktop server will accept any connection so long as it is running on an endpoint and the firewall isn’t blocking its listening port 1978,” Le Roux said. An opponent will use the Windows system to run a simple command, to download a running program from an HTTP server, and execute it on the PC of the goal to get the remote shell. 

“An attacker could still feasibly exploit a Unix-based system with minimal effort,” he wrote.

Node.js Detected with Vulnerability encountered by Captain Freak

 

Node.js is a cross-platform, open-source, JavaScript back-end operating environment running on Chrome V8 and running JavaScript programming from outside a Web browser. Recently a vulnerability in Node.js could have been used to exploit the framework and achieve remote code execution (RCE). 

A report published on January 23, by Shoeb 'Captain Freak' Patel a self-described 'want to be' security researcher, says that the analysis indicates that Express.js might be prone to read local file errors. In conjunction with an old version of the Handlebars engine (Handlebars is a popular templating engine for web applications.), the malicious code may be run remotely. “If you are using Express.Js with Handlebars as templating engine invoked via hubs view engine, for Server Side Rendering, you are likely vulnerable to Local File Read (LFR) and potential Remote Code Execution (RCE),” stated Captain Freak. 

Further Captain Freak has claimed that because of his experience with the developer's code he wanted to search for flaws in Node.js, Express.js, and Handlebars. He said that he "stumbled" last week over a vital local security file that demanded a payload of fewer than 10 lines of code for the RCE exploit, and “To be honest, I should not have been that surprised.” 

“The betrayal by in-built modules, dependencies, and packages have been the reason to introduce numerous security bugs. This is a recurring theme in software security,” added Captain Freak. 

He elucidated that if the target user is responding with X-Powered-By: Express and there is HTML in responses, it’s highly likely that Node.js with server-side templating is being used. For which the user can attach a layout to the discovery for the GET or POST body parameter in their wordlist. If the arbitrary value of layout parameter added is resulting in 500 Internal Server Error with ENOENT: no such file or directory in body, then the user has hit the LFR. 

The treason of built-in modules, dependencies, and applications has contributed to various security vulnerabilities. In software safety, this is still a recurrent issue. Captain Freak created a CTF challenge to verify whether or not this was understood, and he shared it with several of his talented friends from different Network security, Node, Backend Tech, CTF, and Bug Bounty internet forums. 

Later this turned out to be a not known vulnerability, only 4 people (all CTFers) were able to solve this problem even after providing the whole source code. Captain Freak discovered, strange code at Node.js, that any file with an extension could be read from the root view directory, + layout and forwarded to handlebars; Compilation of which lets us use the HTML file that we fully monitor after compiling the file. RCE will then be triggered with particular specifications, requiring the use of versions 4.0.3 and below. This issue has been patched in Handlebars versions 4.1.2, 4.0.14, and later. 

“I wrote about it so that the whole Node.js and web development community [would] know about this quirky behavior in this stack,” stated Captain Freak.

Firefox expected to release a fix for their "Camera active after phone locks" bug this October


A bug in Mozilla Firefox enabled websites to keep the smartphone camera active even after leaving the browser or locking the phone. The company is working on fixing the bug and are planning to release the fix around October this year.


The bug was first reported by Appear TV, a video delivery platform last year in July. The bug activates when a user opens a video streaming app from their Mozilla Firefox browser in their Android smartphone.

It was first noticed by Appear TV when the video kept playing in the background even when it should have stopped that is the video kept playing in the background even when the user moved out of the browser or pushed it to the background or locked the phone. This raised concerns over user's privacy and bandwidth loss. "From our analysis, a website is allowed to retain access to your camera or microphone whilst you're using other apps, or even if the phone is locked," said a privacy app, Traced in talks with ZDNet. "While there are times you might want the microphone or video to keep working in the background, your camera should never record you when your phone is locked".

On Fixing the Issue

 "As is the case with dedicated conferencing apps, we provide a system notification that lets people know when a website within Firefox is accessing the camera or microphone, but recognize that we can do better, especially since this gets hidden when the screen is locked," a Mozilla spokesperson said in a statement.

"This bug [fix] aims to address this by defaulting to audio-only when the screen is locked," Mozilla added. "[The fix] is scheduled for release at the platform-level this October, and for consumers shortly after."

Mozilla has been working on a next-generation browser Firefox Nightly with more focus on privacy to replace their current browser for Android. The update is out for testing.

"Meanwhile, our next-generation browser for Android, now available for testing as Firefox Nightly, already has a prominent notification for when sites access this hardware as well," said Mozilla.

HP Issues Advisory Informing Users to Expect SSD Failure around October 2020


Computer enterprise company HP (Hewlett Packard Enterprise) warns its customers about a bug that it has recently found in its SSD (Solid State Drives). The company HP has made a new firmware patch to prevent some of its hard drives from crashing after 40,000 hours of consumer use. In a firmware incident last week, HP informed its consumers about a bug in some of its hard drives that will cause them to stop working after 40,000 hours of use, which is around four years and 200 days. SAS SSDs (Serial-Attached SCSI solid-state drives) is the model of the hard drives that are likely to be affected by this firmware bug.


According to HP, the hard disks manufactured during that period will crash around October this year, and these will be among the earliest failures. To solve this issue, HP has released some firmware updates to fix this bug last week. It has asked the companies to update to the latest firmware updates, and if they fail to do so, the companies might risk losing both the SSD and the data. If the SSD crashes, users can't restore their data, says HP in its security advisory.

This firmware bug incident is similar to another hard drive crash incident that happened in November last year. In the latter event, the HPE SAS SSDs crashed after nearly three years and 270 days of use. This time, however, this bug will affect far fewer SSDs than it did last year. According to HP, the company learned about this issue from a different SSD company that uses HP's SSDs, similar to last year. The list of SAS SSD models affected by the bug is available on HP's customer support website.

"This HPD8 firmware is considered a critical fix and is required to address the issue detailed below. HPE strongly recommends the immediate application of this crucial fixture. Neglecting to update to SSD Firmware Version HPD8 will result in drive failure and data loss at 32,768 hours of operation and require restoration of data from the backup in non-fault tolerance, such as RAID 0 and fault tolerance RAID mode if more drives fail than what is supported by the fault tolerance RAID mode logical drive," reads HP's notification.

Tor Browser Bug Executes Uncalled for JavaScript Codes!


The well-known Tor is allegedly experiencing some kind of bug in its mechanism. It has hence warned the users to stay vigilant as regards to the “Tor Browser Bug”, which runs JavaScript codes on various unexpected sites.

Tor (originally Team Onion Router) is a free and open-source software which chiefly works on allowing anonymous communication to users.

Reportedly, the team has been working on a solution and would roll it out as soon as it is done, but there isn’t a particular time to expect it.

One of the most critical features for the security of the Tor Browser Bundle (TBB) happens to be the ability to block the code execution of the JavaScript, mention sources.

TBB is a browser that has a set of superior privacy features majorly for concealing real IP addresses to maintain the anonymity of online users and their devices’ locations.

Owing to these features, the browser has become a go-to for the working people, especially the journalists, citizens of repressive countries and people with political agendas because after all, it is a great instrument to dodge online censorship and firewalls.

People who are against the anonymity of the users and just can’t let things be, have in the past tried several times to expose Tor Browser users’ actual IP addresses via exploits that functioned on JavaScript code.

Sources cite that while few attempts of the better nature have been successfully employed to track down criminals, others were pretty strangely executed.

And then recently, a bug was discovered in the much appreciated TBB’s security mechanism. When the browser was set to allow the use of the most supreme security level and still permitted the execution of the JavaScript code when instead it should have barred it.

It is a relief that the team of Tor is well aware of the bug and is, with dedication working towards developing a patch for it. Per sources, they also mentioned that if a user requires to “Block JavaScript” they could always disable it entirely.

As per reports, the procedure for doing the above-mentioned is to open the “about config” and search for “javascript.enabled”. If here the “Value” column mentions “false” it means that the JavaScript is disabled and if it mentions “true” then right-click to select “Toggle” or double click on the row to disable it.

Glitch in Tax Service Exposed 1.2 Million Danes' CPR Numbers




A bug in the TastSelv Borger tax service which falls under the management of the US company DXC Technology has exposed almost 1.2 million CPR numbers of Danish citizens to the American multinational companies – Google and Adobe. The leak has been discovered by The Danish Agency for Development and Simplification for the first time, however, the researchers claim that CPR numbers along with other sensitive information have been exposed for around 5 years now.

People who have a tax liability to Denmark are allowed by TastSelv's services to see and alter their tax returns, annual statements and pay residual tax. As per the findings of the security researchers at the agency, all the exposed data was found to be encrypted and hence reportedly, Google and Adobe were not able to view the same due to encryption which barred them.

Other sources have it that in an attempt to downplay the entire incident, The Danish Agency for Development and Simplification put forth a solid confirmation on the CPR numbers being encrypted when accessed by the companies. Meanwhile, cybersecurity specialist and founder of the CSIS group, Peter Kruse asserted that Google did access those 1.2 million CPR numbers as there was no encryption, according to him the numbers were rather in plain text.

How was the glitch exploited?

It was when the users who were logged into TastSelv Borger happened to click on the text displayed as 'Correct contact information' and consequently rectified the contact information, faced an error in the app. The error triggered the process of transferring the CPR numbers to Google and Adobe, as per DR news website.

Referencing from the statement given by the government agency, “We take this kind of case very seriously. And of course, we need to be able to make sure that our suppliers handle all data according to applicable law and within the framework agreed upon with them.”

“The data received by Google is unencrypted. Google has been able to read data in unencrypted form,” he added.

“Google Hosted Libraries have been designed to remove all information that allows identifying users before logging on. Thus, no user information is shared with Google in this process.” Google told the website which first reported the incident.

Expert finds a Bug in Twitter that can Expose your Account Information


As if it wasn't enough already, the famous social networking and microblogging website Twitter has suffered yet another data vulnerability recently. In a recent data breach incident, an expert claimed that he was able to exploit a Twitter bug and used it to match more than 17 Million mobile numbers to user profiles. The list of the accounts targeted includes prominent lawmakers and officials. This hack was achieved by exploiting a bug in Twitter's Android application.


According to the reports of TechCrunch, Safety expert, Ibrahim Balic discovered that it is attainable to post complete records of created contact information via the contact upload option in the Twitter app. "If you put your contact information .i.e the phone number, the app in return, retrieve user information," says Ibrahim. The users whose phone numbers were matched were from countries like Germany, France, Armenia, Iran, Greece, Turkey, and Israel. In one particular incident, the user whose number was matched was found to be a prominent Israeli politician, reports TechCrunch.

About the Bug-
Ibrahim Balic started to alert the users of this issue 2 months earlier, through a WhatsApp group. When Twitter came to know this, the micro-blogging platform immediately obstructed his attempts. Ibrahim was able to create more than 2 Billion mobile numbers, steadily, after rearranging the numbers created, he uploaded them online via the Twitter Android application. However, the vulnerability didn't exist in the web-based Twitter app. It is yet to confirm whether Ibrahim's activity was associated with what Twitter issued in a statement earlier this week, saying it had suffered a data exploit. Twitted admitted that a malicious bug was implanted into its application by an anonymous cyber-criminal, which could've jeopardized numerous Twitterites information across the world, including Indian users. Twitter, however, did not reveal the person responsible for the exploit.

What can this Vulnerability do? 
This exploit in the Twitter android application can allow hackers to see personal information of the users, and also gives them the command of user accounts, by allowing hackers to tweet or send messages. The researcher Balic is known for exposing the security flaw in Apple's developer center in the year 2013. "We are working our best to ensure that the bug couldn't be exploited again," said the Twitter spokesperson. Twitter has faced various security issues in the past this year.

All Android Users Beware! All The Android Versions Vulnerable To This New Bug 'StrandHogg'


Android is vulnerable anew owing it to a new bug that goes by the name of “StrandHogg”. It is a serious issue as the bug could penetrate the entire security mechanism with a single wrong click of the user.

This bug has a special provision where it allows malicious applications and malware to pose as legitimate applications. The applications look so real that the user is unaware at all times.

The fake applications then find a way to the users’ sensitive data that too in real-time. Per reports, all the versions of Android are susceptible to this bug even the latest Android 10.

Surprisingly, the worst part about the bug is that the users would have no idea at all that they have been attacked and they’d be completely unaware of the malicious applications on their device.

Listening in on conversations and recording them, accessing login credentials, read/sending unwanted texts and even complete control of the photo album, call logs and contacts are allegedly a few of the many things the bug can do.

“StrandHogg” can let the hackers have a complete hold over the affected device’s camera which is pretty disconcerting given the hackers could turn on visuals whenever they find fit which could be a massive breach of privacy.

All of the senior police personnel have been alerted regarding the hazard. Several measures have also been scheduled to be taken along the lines of public awareness about the bug.

Things to steer clear off include pop up notifications asking permission for sending notifications, messages or other related things and applications asking to log in again despite being already logged in.

If such requests are allowed, the bug would let the hackers have almost complete access to the device from the camera to live conversations be it a cell phone or a tablet.

Other warning signs include suddenly non-functional links and permissions being asked by applications that have never needed them before.

The Home Ministry’s Cyber Crime Coordination Centre reportedly cited that over 500 Android applications are under the peril of an attack by this bug. They also released to all the states, a list of the plan of action of the bug.

Manipur Engineer Enters Facebook’s “Hall Of Fame 2019” By Discovering a Privacy Breach Bug



Zonel Sougaijam, a 22-year-old civil engineer, was recently honoured by Facebook for discovering a WhatsApp bug that violated the privacy of a user.

Mr. Sougaijam told PTI, in the wake of discovering the bug, that he had reported the issue to the Bug Bounty Program of the Facebook, which manages infringement of privacy matters, in March.

“During a voice call through WhatsApp, the bug used to allow the caller to upgrade it to a video call without the authorisation and knowledge of the receiver. The caller was then able to see what the other person was doing, violating the privacy of the receiver,” he said.

Zonel Sougaijam, the 22-year-old civil engineer

His report was hence acknowledged by the Facebook Security Team the immediate next day and its technical department fixed the bug under 15-20 days. The social media giant then proceeded to award him with a bounty of $5000 at the same time incorporating him in the 'Facebook Hall of Fame 2019', for detecting the WhatsApp bug.

Sougaijam's name is right now at the 16th position in a rundown of 94 people, in the 'Facebook Hall of Fame' for the current year.

Facebook had obtained Instagram in 2012 and WhatsApp in 2014. The organization has been entangled in data privacy concerns and political ramifications of its calculations throughout the most recent couple of years.


Bug in Microsoft RDP allows hackers perform WannaCry level attack


A critical remote execution vulnerability in Microsoft remote desktop services enables let attackers compromise the vulnerable system with WannaCry level malware.

Microsoft recently fixed this RCE vulnerability in Remote Desktop Services – formerly known as Terminal Services, and it’s affected some of the old version of Windows.

A WannaCry attack was one of the notorious cyber attacks in this decade, and it shut down million of computer around the world by exploiting the vulnerability in the RDP protocol.

In this case, Remote Desktop Protocol (RDP) itself is not vulnerable, but attackers need to perform pre-authentication, and it doesn’t require user interaction.

This vulnerability didn’t have any exploit at this time, but in the future, an attacker will create a malware that exploits this vulnerability in a similar way of WannaCry attack.

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008 and also out of support versions Windows 2003 and Windows XP.

3 Million Endpoints are Vulnerable to This RCE Bug

Initially, an unauthenticated attacker will send the specially crafted malicious request to the vulnerable systems after they establish a connection through RDP.

According to Microsoft, This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An Independent researcher Kevin Beaumont said, based on the Shodan search engine, around 3 million RDP endpoints are directly exposed to the internet.

“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.” Microsoft said.

According to Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC) “Customers running Windows 8 and Windows 10 are not affected by this vulnerability”.