In a hacking contest held at Tokyo, a duo of white-hat hackers known as Fluoroacetate breached pass devices of some of the most popular tech companies namely Amazon, Samsung, Sony, Xiaomi and others. On the first day itself, the team won prize money of $145,000 (around 1.02 crore) and 15 Master of Pwn points which secured them a dominant lead ahead of others in the competition. The contestants receive a bounty for each successful breach and points that add on to the total ranking. However, the overall winner obtains the grand title 'Master of Pwn'.

The leading team, Fluoroacetate which comprises Hacker Amat Cama and Richard Zhu, amassed a lot of success early on as they managed to bypass five devices. Making history, the duo cracked down Sony X800G, first-ever Television exploited in the contesting history of Pwn2Own. Moving onto their next targets, Amazon Echo Show and Samsung Q60 television, the hackers employed an integer overflow in JavaScript to compromise both the devices. While hacking Xiaomi Mi 9, the duo used a JavaScript exploit to extract a picture from the smartphone. Next up on their list was Samsung Galaxy S10, which the remarkable duo slashed down by pushing a file on the phone via a stock overflow. The last contributor for the team's winning streak was Netgear Nighthawk Smart Wi-Fi Router R6700 (LAN interface).

Points and bounty distribution 

Team Fluoroacetate piled up a total bounty of $145,000 and 15 Master of Pwn points at the end of the first day at Pwn2Own, in the following order.

Sony X800G smart TV: $15,000 and 2 Master of Pwn points.
Amazon Echo Show 5: $60,000 and 6 Master of Pwn points.
Samsung Q60 smart TV: $15,000 and 2 Master of Pwn points.
Xiaomi Mi9 smartphone: $20,000 and 2 Master of Pwn points.
Samsung Galaxy S10: $30,000 and 3 Master of Pwn points.

Pwn2Own is the top computer hacking contest that was first conducted in 2007 with the purpose of demonstrating the security flaws present in widely used software and devices. The hackers gather at the contest to demonstrate vulnerabilities for a pre-set list of software and devices, to earn points on successful discoveries the hackers must ensure that all the exploits put forth at the contest are new. After the contest, the event organizers take charge of all the bugs and vulnerabilities discovered throughout the competition and subsequently hand them over to the respective companies.

After the final day of the tournament, Fluoroacetate, accumulating total prize money of $195,000, 18.5 Master of Pwn points along with a shining trophy and other goodies, has emerged victorious and as the rightful owner of the title 'Master of Pwn'. Notably, the team's most striking accomplishment has to be the bypassing of Samsung Galaxy S10 that won the duo a whopping sum of $50,000 and 5 valuable Master of Pwn points.

Russian IT specialist Anna Prosvetova discovered a vulnerability in Xiaomi Furrytail Pet Smart Feeder. Since feeders are used when the owners leave the house for a long time, pets may starve to death. The vulnerability was discovered in the application API through which feeders are controlled. The researcher believes that she has access to all such feeders, which are now active in the world.

Smart feeders work on the principle of a dispenser that gives a cat or dog a certain amount of dry food at a time. The owner of the animal can set the schedule of meals and the amount of portions in the mobile application. Thanks to this device, the animal can be left for a long time in an empty apartment, without worrying that it will die of hunger.

“I have logs running on the screen from all existing feeders, I see data on the Wi-Fi networks of poor Chinese who bought these devices. I can suddenly feed all the cats and dogs with a couple of clicks, but I can delete the schedules from the devices and not give them food. In addition, I see how much food is in the bowl now," writes the researcher. She has such a smart feeder at home.

Prosvetova did not provide a detailed description of the vulnerability because it is not yet closed. However, she reported that the feeders used a microcontroller ESP8266, which makes it possible to install special firmware on all devices.

As the programmer notes, the vulnerability in Furrytail is ideal for hackers who plan DDoS attacks: the whole process can be easily automated and scaled.

Prosvetova found almost 11 thousand of such gadgets on which she could change the feeding schedule without a password.

She sent a letter to Xiaomi with a detailed analysis of the vulnerability, indicating the method of finding it and advice on how to fix it. Xiaomi confirmed the bug in the smart feeders and promised to fix it. However, the company does not have a mechanism to reward researchers for finding vulnerabilities.

Last week, Russia-based security researcher Emil 'Neex Lerner has discovered a remote code execution vulnerability in the PHP bug tracker - classified as the CVE-2019-11043. The vulnerability allows the attackers to gain control of servers running PHP7 with NGINX and the PHP-FPM extension, simply by adding "?a=" to the URL of the website. Evidence shows that this critical PHP issue is being actively exploited by the threat actors.

Reportedly, the vulnerability did not affect all the PHP-capable servers, only NGINX servers with PHP-FPM enabled are exposed to the risk. The FPM is the PHP-FPM module which is employed for the purpose of performance enhancement and the vulnerability which lets a remote net server to execute its own arbitrary code simply by accessing a specially designed URL, resides in env_path_info in the file fpm_main.c of the FPM component.

PHP (Hypertext pre-processor) is a wide-open source general-purpose scripting language that is used in the development of Static websites, Dynamic websites or Web applications. It is one of the most common programming languages used to build websites and is focused on server-side scripting. It forms the basis for content management systems such as Wordpress and also (in a way) for more sophisticated applications like Facebook. Therefore, to realize a security vulnerability inside it remains a great deal for security researchers.

Experts believe that this security vulnerability has all the right boxes checked for marking the beginning of a storm in the cybersecurity world, it doesn't only expose to risk multiple environments but also makes it extremely convenient for attackers to exploit the vulnerability. Although one can argue that patches are available for users as a safeguard against the vulnerability, not everyone is equally updated with the workarounds.

The barricades to enter the website for hacking has been radically lowered by this vulnerability, so much so that even people from nontechnical background could potentially abuse it, according to ZDNet.

Satnam Narang, Senior Security Response Manager at Tenable, explains that "The PoC script included in the GitHub repository can query a target webserver to identify whether or not it is vulnerable by sending specially crafted requests,"

"Once a vulnerable target has been identified, attackers can send specially crafted requests by appending '?a=' in the URL to a vulnerable web server," adds Narang.

CERT/CC researchers found multiple vulnerabilities as they examined Satcom terminal Cobham EXPLORER 710 as an extension of IOActive’s findings in 2014. These new vulnerabilities could affect both the device and firmware.

These frailties could give attackers unauthentic access to sensitive information, control of the device, create or implant backdoor, DoS attack and more.

Cobham EXPLORER 710 is a portable satellite terminal, broadband global area network (bgan) through telephony. The device provides internet connection through satellite communications setting new standards for size, speed and features.

 EXPLORER 710 is a sophisticated communication tool for broadcasting, streaming and other IP based industry applications with a speed of 1 Mbps and higher. It is used in various sectors as Commercial aerospace, military defenses, space systems, SATCOM and more.

 The sat-com terminal, firmware version 1.07 is affected with 6 vulnerabilities listed below-

 • CVE-2019-9529 – Authentication Failure 

This failure arises due to the web portal having no authentication by default, this could lead to any attacker connected to the device to gain access to the portal and perform changes.

 • CVE-2019-9530 – Unrestricted Directory Access

There are no restrictions on access to the webroot directory, creating a liability as hackers can read, access or download any file in the webroot directory.

 • CVE-2019-9531 – Authentication Failure to port 5454 

This vulnerability allows attackers to connect to port 5454 through Telnet and execute 86 Attention (AT) commands, and gain illegal access.

 • CVE-2019-9532 – Text Data Exchange 

The web application portal passes the login password in cleartext, it could easily give way to miscreant to intercept the password.

 • CVE-2019-9533 – Default Login Credentials

The root password is the same for all devices, this could allow to reverse-engineer the password in all available versions.

 • CVE-2019-9534 – Validate Failure

According to CERT/CC researchers, "The device does not validate its firmware image. Development scripts left in the firmware can be used to upload a custom firmware image that the device runs. This could allow an unauthenticated, local attacker to upload their own firmware that could be used to intercept or modify traffic, spoof or intercept GPS traffic, exfiltrate private data, hide a backdoor, or cause a denial-of-service."

Apart from the above gaps in security, the researchers also discovered some configuration issues, missing security headers and problems in default wifi password ( being same as same as serial number) which are gravely dangerous to the device and leave it susceptible to cross-site scripting and clickjacking.

 The researchers said they currently don't have any practical solutions to these problems.

Yes, Bank filed a police complaint against fake news stating that misinformation was posted on social media concerning the bank's finance. The complaint was filed at Mumbai Police's Cyber cell when the investors withdrew their shares, and the capitals at the stock market hit a downfall. The bank's police complaint says that the fake news was scaring away its investors and depositors.



The rise of mobile internet in India has resulted in social tremors, with users falling prey to false information. Due to the lack of digital literacy, people are easily exposed to Fake News.

One of the biggest reasons is that fake news is usually engaging, and frightening which drives people to share them in a flash. It intends to create chaos among the general public. For a few days, some perpetrators are circulating fake news and ill-disposed falsehoods about Yes Bank on social networking sites and WhatsApp to generate fright among the bank's clients. The information seeks to present the bank in bad standing and is aimed to defame the bank's image among its clients, shareholders, and society.

"Yes Bank filed a charge by Mumbai Police and Cyber Cell on the propagation of fake news and advertising of lies about the bank's economic status on different social media platforms such as WhatsApp," said the bank in its report. The bank also asked the authorities to establish a committee of specialists to look over the issue of rumor-mongering and find the convict guilty of spreading fake news over social media platforms, they also requested the experts to find the origin of the fake news.

The bank requests its stakeholders and investors to be aware of false information. 'We assure our client that Yes Bank's financial standing is safe and reliable and would continue to be the same for a long time,' it says. It is no doubt that since the last few years, fake news has become a threat to Indian democracy and the people of India. Misinformation that is aggressively spread or shared through social media platforms causes chaos and distress among the public.

The world’s third-largest and fastest-growing hospitality and homestay chain, Oyo is reportedly leaving its customer data unprotected, which makes it vulnerable to a breach due to a flaw found in its security systems. A cybersecurity researcher, Jay Sharma, who used Oyo for the first time in his life, found a loophole in the service which was exposing confidential information of the customers availing the service.

Founded in 2013 by 25-year-old, Ritesh Agarwal, Oyo has confirmed the presence of security flaw in an email to the cybersecurity researcher who took to the professional networking site, LinkedIn to share his first time experience with the service and sent the report of the same to the company’s Cyber team on 22nd of August. The data at risk included booking IDs, contact numbers, the date of the booking, the number of people staying in the room and location.

Sharma was offered a bounty reward of Rs. 25,000, which is the increased amount after the officials, reviewed the severity involved, the initial amount offered was Rs. 5000.

Sharing the insights of the experience and the details of the vulnerability, Jay wrote on LinkedIn, “I used Oyo for the first time in my life, and once I checked in, it was compulsory to enter booking ID and phone number to access the Wi-Fi”, “Why should anybody in the room be forced to share personal information via OTP (one-time-password) verification to use Wi-Fi?”

“I researched more and found that the HTTP & Ssh ports were open with no rate limit for the IP which was hosting this. Captcha was a 5 digit number generated by math.random(). I created a way to brute force the login credentials while executing the captcha.”

“Once login was brute-forced all the historical data dating back to a few months was accessible. The booking IDs and phone numbers related to these IDs with timestamps were stored naked and all of it could be downloaded by parsing HTML using python scripts.” He wrote.

Jay further warned the customers not to log in and “wait till OYO announces officially that they have fixed this issue” as “all the properties which use this login are vulnerable.”

Commenting on the matter, the company, headquartered at Gurugram, said “Oyo provides safe and secure hotels to unmarried couples. Most Oyo hotels allow unmarried couples and accept local IDs; they have well-trained staff who ensure safety and privacy,”

“Any vulnerability, no matter how limited-time or small is taken very seriously and looked into,” a spokesperson told in a statement.

Previously, E Hacking News reported on the Simjacker vulnerability, which allows to monitor the owners of the phones.

Simjacker is the first real attack where the malicious instructions are sent directly in the SMS message. Interestingly, messages are not stored in either inbox or outbox, so everything happens completely unnoticed by the victim.

According to the researchers, attackers can exploit the vulnerability regardless of the brand of the user's device. A similar vulnerability was recorded on devices of many manufacturers, including Apple, Samsung, Google, HUAWEI and others.

According to Adaptive Mobile Security experts, the vulnerability has been exploited for at least two years by highly sophisticated cyber criminals (most likely working for the government) to spy on users.

Ginno Security Lab experts claim they identified similar kind of vulnerabilities in 2015 and this is the first time they are publishing the details.

Adaptive Mobile Security said that everything starts with sending a malicious SMS-message. It can be sent from a phone, GSM modem or even a computer. After opening, this malicious message launches the S@T Browser program installed on each SIM card, as mobile operators use it to provide their services. In this way, attackers can gain full control of the victim's phone.

The company Ginno Security Lab claims that they have found vulnerability in both WIB simcard-browser and S@T simcard-browsers.

"The Wireless Internet Browser (WIB) is specified by SmartTrust and is the market leading solution for SIM toolkit based browsing".

By sending a malicious SMS message to the victim's phone number, an attacker can exploit vulnerabilities in the WIB simcard-browser to remotely gain control of the victim's mobile phone to perform malicious actions.  In their demo, they remotely made a call from victim's phone to another phone.

The impact of the vulnerability in WIB is spreading around the world and putting hundreds of millions of telecommunication subscribers worldwide at risk. The security vulnerability comes from the SIM card, does not depend on mobile phones or the mobile phone operating system, so every mobile phone is affected.

According to the researchers, one of the main reasons for the existence of Simjacker vulnerability today is the use of outdated technologies in SIM cards, the specifications of which have not been updated since 2009. Experts have already information their findings to the GSM Association, a trade organisation that represents the interests of mobile operators around the world.

The Trusted Aircraft Information Download Station could have been shut down entirely due to a host of flaws discovered by hackers who were challenged to detect vulnerabilities in a system of a U.S military fighter jet known as F-15.

It was unprecedented in the history of the tech world that outside researchers were given physical access to such critical machinery, and were asked to detect vulnerabilities. It was a matter of two days for a group of 7 hackers to come up with a number of exploits which included bugs that were identified by the Air Force itself but they couldn't fix it, according to the Washington Post.

Hackers put the system through numerous attacks which included subjecting it to malware and testing with objects like screwdrivers and pliers, reported the DEF CON 27.

In the context of the vulnerabilities exploited by the hackers, Roper Technologies attributed, “decades of neglect of cybersecurity as a key issue in developing its products, as the Air Force prioritized time, cost and efficiency.”

Usually, outsiders were not allowed such access to military equipment which is highly sensitive in nature and their operation; it came as a massive change in how the military and technological world works in synchronization, the gravity of which can be gauged by the fact that hackers physically approached the machine with tools.

As per Roper, American Air Force is of the belief that if it doesn't allow America's best hackers to find every single vulnerability present in their weapons, machinery and fighter jets, then they are at the risk of being exploited by other adversaries like Iran, Russia and North Korea.

Platform agnostic attack, Simjacker allows hackers to remotely exploit the victims' phone by sending a SMS which contains a malicious code; the code gives instructions to the universal integrated circuit card (UICC)/ SIM card placed inside the targeted device to retrieve and carry out sensitive commands.

The attack is set into motion as soon as the 'attack SMS' sent via another remote handset, is received by the targeted device. The process involves a series of SIM Toolkit (STK) directions particularly configured to be sent on to the SIM Card inside the victim's device.

To ensure a proper execution of these instructions, Simjacker exploits the S@T Browser, which is a software found in SIM cards. After receiving the 'attack SMS', SIM card resorts to the S@T Browser library for setting up the execution friendly environment which can trigger logic on the infected device.

S@T Browser, a legacy browser technology placed inside the SIM cards on a number of handsets, was typically used to send promotional messages or spam text messages. However, the attackers went on exploiting it for obtaining device's location and its unique International Mobile Equipment Identity (IMEI).

The attacker sends a SMS to the S@T browser asking it for the aforementioned information which it would obtain and store on to the SIM card. Then, the attacker would send another SMS to acquire the stored information. These messages are send and received in binary codes, unlike regular messages. It doesn't alert the victim in any manner and hence qualifies to be a highly effective tool for attacking mobile phones via messages.



Notably, the exploit is working as a lot of operators are failing to check the origin of these binary codes (SMS), which can be blocked by configuring the firewall technology in their corresponding networks, advises AdaptiveMobile.

Cyber security experts proved they can hack into Zwift and boost their performance on the indoor cycling gaming platform.

The hack works by intercepting and manipulating data sent between smart trainers and Zwift.

It underscores the need to tighten security in e-racing, a growing field with UCI-sanctioned events and Olympic ambitions.

By his own admission, cyber security consultant Brad Dixon is a bit of a cycling hack. He rides his bike for fitness and recreation, but he’s better at cracking computer codes than cranking out pro-level wattage on two wheels.

Dixon’s lack of high-end fitness might keep him off the podium IRL, but his ability to game virtual reality could help him rise through the ranks in the ever-growing arena of e-sports, where cyclists compete, often for actual cash and real-world prizes, on stationary trainers via platforms like Zwift.

Last month, Dixon gave a 40-minute presentation at DEF CON, a popular computer security conference, called Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks. He detailed how, with some standard hardware and an Xbox controller, he tricked the system into thinking he was humming around Watopia at race pace while doing nothing more strenuous than cracking open a beer.

“The game limits you to 2,000 watts of power, but for a recreational rider like me, that’s infinity,” said Dixon, who works at the New York-based consulting firm Carve Systems. “I can easily cruise around at 30-40 mph in the game at those watts, if not more.”

Such high speeds might immediately cause suspicion among anyone getting their Zwift kit blown off by a pixelated competitor. But smaller boosts, like a 5-10 watt gain here or there—enough to beat someone up a climb or to the line for a sprint—would be far less noticeable.

In the end, these numbers are all that determine how quickly your little cartoon cyclist pedals around the island. And numbers are exactly what gave Carve Systems CEO Mike Zusman, a former Cat 1 mountain bike racer, the notion for this particular hack.

Google has finally acknowledged vulnerability in the Google Calendar app that left more than a billion users open to a credential-stealing exploit.

In 2017, two cybersecurity researchers at Black Hills Information Security had informed and demonstrated how they exploited the vulnerability in gaining access to the users credentials.

The vulnerability has put 1.5 billion users at risk.

A Google spokesperson responded to the researcher’s findings that "Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse."

Google is informing all its users about ”security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters."

The Vulnerability inside Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate with calendaring functionality.

When a user get an invitation on the calendar, a pop-up notification appears on their smartphone. Hackers could create a messages that include a malicious link, and these links can direct users to a fake online poll or questionnaire with a financial incentive to participate and where bank account or credit card details can be collected.

"Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks," Javvad Malik, a security awareness advocate at KnowBe4.

Hackers are always finding new ways to exploit bugs and compromise sensitive user data, a recently discovered flaw in Google Chrome which could lead to arbitrary code execution, allows attackers to view, edit or even delete confidential data.

The vulnerability in the browser was initially reported by the Centre for Internet Security (CIS) and it could have allowed hackers to execute arbitrary code in the context of the browser. In order to keep the flaw in check, Google Chrome released an immediate update for its users round the globe.

In the upcoming week, Google will be releasing patches for Mac, Windows and Linux, as per the reports. However, the older versions of the search engine, which are the versions before 76.0.3809.132 are prone to attack.

To be on a safe side, users are advised to have their browsers updated and be aware of suspicious websites. The report also recommends users to avoid following the hyperlinks from unknown sources.

“A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.” Reads the report.

Per sources, WhatsApp immediately shunned the reports and hinted that it was absolutely preposterous to even think that WhatsApp would harm its users in such a way.

The people behind the massively successful messaging application are always keen on advising users on updating and following every security measure.

iOS users are especially advised to be cautious of this bug specifically when they’re surfing unknown websites. They are suggested to securely click on websites.

Users per usual are strongly advised to update their devices to the latest, download anti-virus apps and software and keep the security on high alert.

Per the source reports, allegedly, the hacked messages from the WhatsApp chats are floated on other servers.

Users should steer clear of unauthorized websites for the sake of their safety.

Security researchers revealed the various vulnerabilities and flaws that the latest 4G routers have got leading to information leaks and command execution attacks.

In the DEF CON hacking conference the researchers came across a lot of flaws in the “existing 4G modems and routers”.

Per sources, a selection of all the products was made and then tested which resulted in detection of “critical remotely exploitable flaws”.

The part that happens to be a real point of concern is that quite a large number of flaws were found in a very limited stock of devices.From consumer-grade routers and dongles to super expensive devices that are designed to be used on mass level all of them were tested with flaws.The vendors were immediately informed about the security defects and mostly they were fixed well before the Pen Test Partners report got published.

Netgear 4G Routers
Security issues also existed in the case of 4G routers fabricated by TP-Link and Netgear with four of them being assigned CVEs.The Netgear Nighthawk M1 Mobile router got tracked as CVE-2019-14526 and a post-authentication command injection (CVE-2019-14527) which could lead to arbitrary code execution.

The attacker could exploit the above vulnerabilities by tricking the users into visiting a maliciously designed page.Some insight into the SCRF protection bypass flaw of the Netgear routers and breaking the encrypted firmware was also given by the researchers.

TP-LINK 4G Routers
The mobile wireless routers by TP-Link were also found to be compromised and with their very own CVE issues.

The M7350 4G LTE is the model that was vulnerable with mainly, CVE-2019-12103 (Pre-Authentication Command Execution) and CVE-2019-12104 (Post-Authentication Command Execution).ZTE 4G RoutersZTE was a vendor that got immediately in the limelight during the research as it had avoided security issues in its MF910 and MF65+. The website they were listed on was out of support.Per sources the MF920 shared the same codebase with another router that the researchers checked and ZTE decided to take things seriously and fix the reported flaws.Sources mentioned the following issues were discovered MF910 and MF65 that aren’t going to be patched:

· A Cross-Site Scripting point in an unused “test” page.

· In the pre-authentication process the administration password could be leaked.

· One of the debug endpoints during post authentication is vulnerable to command injection.If these issues were to amalgamate, arbitrary code execution on the router becomes all the easier and could be triggered by the user’s visiting a malicious web-page.Two other vulnerabilities that were discovered in the ZTE 4G routers were:

· CVE-2019-3411 (Information leak, 7.5 high severity CVSS v3.0 base score)

· CVE-2019-3412 (Arbitrary Command Execution with a critical severity of 9.8 CVSS v3.0 base score)

If the degraded condition of the already existing 3G and 4G routers is not to get better the 5G routers to come wouldn’t attract as many consumers.The market condition is so that the users are majorly dependent- and if they aren’t they’re soon to be- on cellular connections for full-time internet.