Search This Blog

Showing posts with label Vulnerabilities and Exploits. Show all posts

Indian Security Researcher Finds Starbucks API Key Exposed on GitHub



Developers at Starbucks left an API (Application Programming Interface) key exposed to hackers with no password protection that could have been used by them to gain access to internal systems and consequently manipulate the list of authorized users. Hackers could have exploited the vulnerability in several ways which allowed them to execute commands on systems, add or remove the listed users and AWS account takeover.

The key was discovered by Vinoth Kumar who is an India security researcher, he happened to locate the open key in a public GitHub repository and responsibly reported it to Starbucks on 17th October via HackerOne vulnerability coordination and bug bounty platform. While reporting the same, HackerOne told, “Vinoth Kumar discovered a publicly available Github repository containing a Starbucks JumpCloud API Key which provided access to internal system information.”

“While going through Github search I discovered a public repository which contains JumpCloud API Key of Starbucks.” the expert himself told.

The key would have allowed an attacker to access a Starbucks JumpCloud API and hence the severity of the flaw was all the way up to critical. Colorado-based JumpCloud is an Active Directory management platform that offers a directory-as-a-service (DaaS) solution that customers employ to authorize, authenticate and manage users, devices, and applications. Other services it provides include web app single-on (SSO) and Lightweight Directory Access Protocol (LDAP) service.

The issue had been taken into consideration by Starbucks very early on, however, Kumar tends to take note of the same on October 21 and told that the repository had been taken down and the API key had been revoked. As soon as the company examined Kumar's proof-of-concept of the flaw and approved of the same, the expert was rewarded with a bounty worth US$4,000 for responsibly disclosing the vulnerability.

While commenting on the matter, Starbucks said, “Thank you for your patience! We have determined that this report demonstrates “significant information disclosure and is therefore eligible for a bounty,”

“At this time, we are satisfied with the remediation of the issue and are ready to move to closure. Thank you again for the report! We hope to see more submissions from you in the future.”

Expert finds a Bug in Twitter that can Expose your Account Information


As if it wasn't enough already, the famous social networking and microblogging website Twitter has suffered yet another data vulnerability recently. In a recent data breach incident, an expert claimed that he was able to exploit a Twitter bug and used it to match more than 17 Million mobile numbers to user profiles. The list of the accounts targeted includes prominent lawmakers and officials. This hack was achieved by exploiting a bug in Twitter's Android application.


According to the reports of TechCrunch, Safety expert, Ibrahim Balic discovered that it is attainable to post complete records of created contact information via the contact upload option in the Twitter app. "If you put your contact information .i.e the phone number, the app in return, retrieve user information," says Ibrahim. The users whose phone numbers were matched were from countries like Germany, France, Armenia, Iran, Greece, Turkey, and Israel. In one particular incident, the user whose number was matched was found to be a prominent Israeli politician, reports TechCrunch.

About the Bug-
Ibrahim Balic started to alert the users of this issue 2 months earlier, through a WhatsApp group. When Twitter came to know this, the micro-blogging platform immediately obstructed his attempts. Ibrahim was able to create more than 2 Billion mobile numbers, steadily, after rearranging the numbers created, he uploaded them online via the Twitter Android application. However, the vulnerability didn't exist in the web-based Twitter app. It is yet to confirm whether Ibrahim's activity was associated with what Twitter issued in a statement earlier this week, saying it had suffered a data exploit. Twitted admitted that a malicious bug was implanted into its application by an anonymous cyber-criminal, which could've jeopardized numerous Twitterites information across the world, including Indian users. Twitter, however, did not reveal the person responsible for the exploit.

What can this Vulnerability do? 
This exploit in the Twitter android application can allow hackers to see personal information of the users, and also gives them the command of user accounts, by allowing hackers to tweet or send messages. The researcher Balic is known for exposing the security flaw in Apple's developer center in the year 2013. "We are working our best to ensure that the bug couldn't be exploited again," said the Twitter spokesperson. Twitter has faced various security issues in the past this year.

All Android Users Beware! All The Android Versions Vulnerable To This New Bug 'StrandHogg'


Android is vulnerable anew owing it to a new bug that goes by the name of “StrandHogg”. It is a serious issue as the bug could penetrate the entire security mechanism with a single wrong click of the user.

This bug has a special provision where it allows malicious applications and malware to pose as legitimate applications. The applications look so real that the user is unaware at all times.

The fake applications then find a way to the users’ sensitive data that too in real-time. Per reports, all the versions of Android are susceptible to this bug even the latest Android 10.

Surprisingly, the worst part about the bug is that the users would have no idea at all that they have been attacked and they’d be completely unaware of the malicious applications on their device.

Listening in on conversations and recording them, accessing login credentials, read/sending unwanted texts and even complete control of the photo album, call logs and contacts are allegedly a few of the many things the bug can do.

“StrandHogg” can let the hackers have a complete hold over the affected device’s camera which is pretty disconcerting given the hackers could turn on visuals whenever they find fit which could be a massive breach of privacy.

All of the senior police personnel have been alerted regarding the hazard. Several measures have also been scheduled to be taken along the lines of public awareness about the bug.

Things to steer clear off include pop up notifications asking permission for sending notifications, messages or other related things and applications asking to log in again despite being already logged in.

If such requests are allowed, the bug would let the hackers have almost complete access to the device from the camera to live conversations be it a cell phone or a tablet.

Other warning signs include suddenly non-functional links and permissions being asked by applications that have never needed them before.

The Home Ministry’s Cyber Crime Coordination Centre reportedly cited that over 500 Android applications are under the peril of an attack by this bug. They also released to all the states, a list of the plan of action of the bug.

Intel Chips Now Exploitable? Sensitive Data Could Be Compromised By Reducing Chips' Voltage!



Hackers can now allegedly, exploit Intel chips via voltage alterations which could lead to a messed up flow of electricity only to weaken the security mechanisms of the chips.

Two research teams from Europe and America had realized that this disruption in the voltage could cause sensitive information stored on the Intel chips to leak using the “Secure Guard Extensions” feature.

The researchers were asked to keep these facts concealed for the last half-year. Intel then sent out updates of its firmware to thwart any possibilities of attack.

“Plundervolt”, per source is the technique named by the researchers which comprises of planting malicious software on the target device to temporarily reduce the voltage of its electrical flow to the Intel chip.

The drop in voltage referred to as “undervolting” generally lets genuine users to conserve power when not needed and to vary the voltage to “overclock” the processor for more strenuous tasks.

But reportedly, by transitorily “undervolting” a processor and timing it accordingly could easily aid a hacker to make the chip dance to their tunes and falter, in turn revealing sensitive data stored within the “SGX enclave”.

Per the researchers, the CPU voltage when reduced could cause a “computation” error in the Intel chips. A “bit-flip” or a “fault injection” in the chips can change a “zero” to “one” on the SGX enclave.

In these potentially exploitable chips, if cryptographic computations are done, the “secret key” could be easily discover-able. The entire chip’s security would become times weaker, leading the data to decipher easily.

The attack in question is undoubtedly not easy to execute. It requires the target computer to already have the malware installed on it by the attacker. The SGS feature of Intel which was vastly advertised as corruption and threat proof in terms of sensitive data. This attack happens to present a startling position of compromise.

ARM Chips other than Intel’s were also experimented upon by artificially fluctuating their voltage much like “Plundervolt” to destabilize the security of the processors.

Intel chips haven’t always had a good record in ensuring security if the processors. Per reports, previous attacks “Spectre” and “Foreshadow” also abused the “speculative execution feature” of the chips way before the patched were released.

“Return-oriented programming” is another technique that could be used to exploit the chips which could make an “already planted” malware invisible to the anti-virus software.

Intel though, did send out an update for its Chips’ firmware which helps the user to freeze the voltage settings to cancel out any further possibilities of the above-mentioned attack.

Although, the way of counteracting the issue of “over-clocking” and the details as to the elaborate details of the update haven’t been sent out by Intel, yet. All that could be said is that keep the processors well updates and all patched up.

Anti-Virus Maker Discovers A Bug within Ryuk Ransomware


An antivirus maker discovered a bug in the decrypter application of the Ryuk Ransomware, the application "the Ryuk gang" basically provides to victims to recoup their files after they paid the ransom.

While the bug causes a deficient recuperation of certain types of documents, prompting data loss, regardless of whether the victim paid the ransom demand, the primary issue, as elaborated by the antivirus maker Emsisoft in a blog post, is that the decrypter shortens one byte from the end of each file it decodes.

The secondary issue is that the Ryuk gang's decryptor additionally erases the original encoded files, which means that the victims can't re-run the 'decryption operation' again with a "fixed" decryptor. 

While the last byte in many records is there for cushioning and is generally unused, for some file extensions those bytes contain essential data that when expelled will permanently degenerate that information and thusly prevent the document from being opened.

"A lot of virtual disk type files like VHD/VHDX as well as a lot of database files like Oracle database files will store important information in that last byte and files damaged this way will fail to load properly after they are decrypted," Emsisoft says.

"We're hoping to get the word out about this as quickly and widely as possible so that affected organizations can avoid data loss,"
 - Emsisoft representative Brett Immature told ZDNet. 

Emsisoft advised the victims to connect by means of ryukhelp@emsisoft.com to have its analysts fix the decrypter they got from the Ryuk gang.

 In any case, while Emsisoft is the organization who discharged the most "free ransomware decrypters" in the past, this is a 'paid service', as it infers its experts attempting to address each decrypter partially, a very tedious undertaking.

Infections attributed to Ryuk include - manage service provider T-Systems, financial service provider ASD Audit, insulating technology manufacturer TECNOL, automation tool manufacturer Pliz, city of New Bedford (US), Tribune Publishing, managed service provider PerCSoft, healthcare provider CorVel, IT service provider CloudJumper, the city of Lake City (US), and many other more.

Vulnerabilities Discovered In Four Popular Open Source VNC Systems


Numerous vulnerabilities in the four well-known open sources virtual network computing (VNC) systems have been as of late identified by Kaspersky researchers however luckily most of them have just been patched.

After breaking down the four broadly utilized open source VNC systems, including LibVNC, UltraVNC, TightVNC and TurboVNC, the cybersecurity firm says UltraVNC and TightVNC are frequently prescribed by industrial automation system vendors for associating with human-machine interfaces (HMIs).

A sum of 37 CVE identifiers has been allowed to the vulnerabilities discovered by Kaspersky in server and client software.

A portion of the defects are said to have been exploited for remote code execution, enabling the attacker to make changes to the targeted system and more than 20 of the security bugs have been thusly identified in UltraVNC.

Sometimes, the security firm noticed, the flaws were found as a major aspect of the research project were varieties of previously distinguished weaknesses. While the majority of the 37 vulnerabilities have been fixed, on account of TightVNC, however, TightVNC 1.X has been discontinued and package maintainers have not discharged any fixes, in spite of being advised of in January 2019.

Pavel Cheremushkin, a scientist at Kaspersky ICS CERT said that, Kaspersky called attention to that while a portion of these vulnerabilities can represent a genuine hazard, especially on account of industrial systems, exploitation of the server-side bugs much of the time requires verification, and the software might be structured not to allow authentication without a password.

This implies setting a strong password on the server can avoid numerous attacks. On the client-side, the best defense prescribed is to ensure that users don't associate with untrusted VNC servers.

The Russian Railways information system got hacked in 20 minutes


Specialists of Russian Railways will conduct an investigation after the statement of the Habr user that he hacked the Wi-Fi network during a trip on the Sapsan high-speed train and gained access to the data of all its users in 20 minutes. According to the company, the hacked network did not contain personal data, but only entertainment content.

On Friday, November 15, user keklick1337 on the portal Habr.com was returning from Saint-Peterburg, where he visited the ZeroNights information security conference, to Moscow. The programmer became bored, and he decided to check the reliability of the Wi-Fi and easily gained access to the hidden data of Russian Railways. He noted that " the same passwords and free security certificates are used everywhere, and the data is stored in text documents."

"It is not difficult to access the data of the passengers of the train and it takes at most 20 minutes", noted the author of the post.

"The server of the information and entertainment system of Sapsan trains does not store personal data of passengers. The multimedia portal provides information and entertainment content: news of Russian Railways, movies, books, music and other information, " — said the representative of Russian Railways.

According to the spokesman, for authorization in the system, the user must enter only the last four characters of the document, which he used to buy a ticket, as well as the rail car and the seat number. These data are not personal and in accordance with the current legislation of the Russian Federation are stored on the server for no more than one day.

"The infotainment system server is not connected to the internal network of Russian Railways or other internal control services on the train, it is designed exclusively for entertainment and information topics and does not store any confidential customer data," added the company.

The Russian Railways plans to conduct a technological investigation on the fact of hacking the train system Sapsan.

Earlier, E Hacking News reported that the personal data of 703 thousand employees of Russian Railways, from the CEO to the drivers, were publicly available.

Amazon, Sony, Xiaomi, Samsung Devices Hacked at Pwn2Own Hacking Contest at Tokyo


In a hacking contest held at Tokyo, a duo of white-hat hackers known as Fluoroacetate breached pass devices of some of the most popular tech companies namely Amazon, Samsung, Sony, Xiaomi and others. On the first day itself, the team won prize money of $145,000 (around 1.02 crore) and 15 Master of Pwn points which secured them a dominant lead ahead of others in the competition. The contestants receive a bounty for each successful breach and points that add on to the total ranking. However, the overall winner obtains the grand title 'Master of Pwn'.

The leading team, Fluoroacetate which comprises Hacker Amat Cama and Richard Zhu, amassed a lot of success early on as they managed to bypass five devices. Making history, the duo cracked down Sony X800G, first-ever Television exploited in the contesting history of Pwn2Own. Moving onto their next targets, Amazon Echo Show and Samsung Q60 television, the hackers employed an integer overflow in JavaScript to compromise both the devices. While hacking Xiaomi Mi 9, the duo used a JavaScript exploit to extract a picture from the smartphone. Next up on their list was Samsung Galaxy S10, which the remarkable duo slashed down by pushing a file on the phone via a stock overflow. The last contributor for the team's winning streak was Netgear Nighthawk Smart Wi-Fi Router R6700 (LAN interface).

Points and bounty distribution 

Team Fluoroacetate piled up a total bounty of $145,000 and 15 Master of Pwn points at the end of the first day at Pwn2Own, in the following order.

Sony X800G smart TV: $15,000 and 2 Master of Pwn points.
Amazon Echo Show 5: $60,000 and 6 Master of Pwn points.
Samsung Q60 smart TV: $15,000 and 2 Master of Pwn points.
Xiaomi Mi9 smartphone: $20,000 and 2 Master of Pwn points.
Samsung Galaxy S10: $30,000 and 3 Master of Pwn points.

Pwn2Own is the top computer hacking contest that was first conducted in 2007 with the purpose of demonstrating the security flaws present in widely used software and devices. The hackers gather at the contest to demonstrate vulnerabilities for a pre-set list of software and devices, to earn points on successful discoveries the hackers must ensure that all the exploits put forth at the contest are new. After the contest, the event organizers take charge of all the bugs and vulnerabilities discovered throughout the competition and subsequently hand them over to the respective companies.

After the final day of the tournament, Fluoroacetate, accumulating total prize money of $195,000, 18.5 Master of Pwn points along with a shining trophy and other goodies, has emerged victorious and as the rightful owner of the title 'Master of Pwn'. Notably, the team's most striking accomplishment has to be the bypassing of Samsung Galaxy S10 that won the duo a whopping sum of $50,000 and 5 valuable Master of Pwn points.

Vulnerability has been found in the Xiaomi Feeder through which thousands of cats and dogs around the world can be left without food


Russian IT specialist Anna Prosvetova discovered a vulnerability in Xiaomi Furrytail Pet Smart Feeder. Since feeders are used when the owners leave the house for a long time, pets may starve to death. The vulnerability was discovered in the application API through which feeders are controlled. The researcher believes that she has access to all such feeders, which are now active in the world.

Smart feeders work on the principle of a dispenser that gives a cat or dog a certain amount of dry food at a time. The owner of the animal can set the schedule of meals and the amount of portions in the mobile application. Thanks to this device, the animal can be left for a long time in an empty apartment, without worrying that it will die of hunger.

“I have logs running on the screen from all existing feeders, I see data on the Wi-Fi networks of poor Chinese who bought these devices. I can suddenly feed all the cats and dogs with a couple of clicks, but I can delete the schedules from the devices and not give them food. In addition, I see how much food is in the bowl now," writes the researcher. She has such a smart feeder at home.

Prosvetova did not provide a detailed description of the vulnerability because it is not yet closed. However, she reported that the feeders used a microcontroller ESP8266, which makes it possible to install special firmware on all devices.

As the programmer notes, the vulnerability in Furrytail is ideal for hackers who plan DDoS attacks: the whole process can be easily automated and scaled.

Prosvetova found almost 11 thousand of such gadgets on which she could change the feeding schedule without a password.

She sent a letter to Xiaomi with a detailed analysis of the vulnerability, indicating the method of finding it and advice on how to fix it. Xiaomi confirmed the bug in the smart feeders and promised to fix it. However, the company does not have a mechanism to reward researchers for finding vulnerabilities.

Attackers Exploiting Bugs in PHP7 to Hijack Web Servers


Last week, Russia-based security researcher Emil 'Neex Lerner has discovered a remote code execution vulnerability in the PHP bug tracker - classified as the CVE-2019-11043. The vulnerability allows the attackers to gain control of servers running PHP7 with NGINX and the PHP-FPM extension, simply by adding "?a=" to the URL of the website. Evidence shows that this critical PHP issue is being actively exploited by the threat actors.

Reportedly, the vulnerability did not affect all the PHP-capable servers, only NGINX servers with PHP-FPM enabled are exposed to the risk. The FPM is the PHP-FPM module which is employed for the purpose of performance enhancement and the vulnerability which lets a remote net server to execute its own arbitrary code simply by accessing a specially designed URL, resides in env_path_info in the file fpm_main.c of the FPM component.

PHP (Hypertext pre-processor) is a wide-open source general-purpose scripting language that is used in the development of Static websites, Dynamic websites or Web applications. It is one of the most common programming languages used to build websites and is focused on server-side scripting. It forms the basis for content management systems such as Wordpress and also (in a way) for more sophisticated applications like Facebook. Therefore, to realize a security vulnerability inside it remains a great deal for security researchers.

Experts believe that this security vulnerability has all the right boxes checked for marking the beginning of a storm in the cybersecurity world, it doesn't only expose to risk multiple environments but also makes it extremely convenient for attackers to exploit the vulnerability. Although one can argue that patches are available for users as a safeguard against the vulnerability, not everyone is equally updated with the workarounds.

The barricades to enter the website for hacking has been radically lowered by this vulnerability, so much so that even people from nontechnical background could potentially abuse it, according to ZDNet.

Satnam Narang, Senior Security Response Manager at Tenable, explains that "The PoC script included in the GitHub repository can query a target webserver to identify whether or not it is vulnerable by sending specially crafted requests,"

"Once a vulnerable target has been identified, attackers can send specially crafted requests by appending '?a=' in the URL to a vulnerable web server," adds Narang.

Multiple Vulnerabilities found in SATCOM internet access terminal Cobham EXPLORER 710



CERT/CC researchers found multiple vulnerabilities as they examined Satcom terminal Cobham EXPLORER 710 as an extension of IOActive’s findings in 2014. These new vulnerabilities could affect both the device and firmware.

These frailties could give attackers unauthentic access to sensitive information, control of the device, create or implant backdoor, DoS attack and more.

Cobham EXPLORER 710 is a portable satellite terminal, broadband global area network (bgan) through telephony. The device provides internet connection through satellite communications setting new standards for size, speed and features.

 EXPLORER 710 is a sophisticated communication tool for broadcasting, streaming and other IP based industry applications with a speed of 1 Mbps and higher. It is used in various sectors as Commercial aerospace, military defenses, space systems, SATCOM and more.

 The sat-com terminal, firmware version 1.07 is affected with 6 vulnerabilities listed below-

 • CVE-2019-9529 – Authentication Failure 

This failure arises due to the web portal having no authentication by default, this could lead to any attacker connected to the device to gain access to the portal and perform changes.

 • CVE-2019-9530 – Unrestricted Directory Access

There are no restrictions on access to the webroot directory, creating a liability as hackers can read, access or download any file in the webroot directory.

 • CVE-2019-9531 – Authentication Failure to port 5454 

This vulnerability allows attackers to connect to port 5454 through Telnet and execute 86 Attention (AT) commands, and gain illegal access.

 • CVE-2019-9532 – Text Data Exchange 

The web application portal passes the login password in cleartext, it could easily give way to miscreant to intercept the password.

 • CVE-2019-9533 – Default Login Credentials

The root password is the same for all devices, this could allow to reverse-engineer the password in all available versions.

 • CVE-2019-9534 – Validate Failure

According to CERT/CC researchers, "The device does not validate its firmware image. Development scripts left in the firmware can be used to upload a custom firmware image that the device runs. This could allow an unauthenticated, local attacker to upload their own firmware that could be used to intercept or modify traffic, spoof or intercept GPS traffic, exfiltrate private data, hide a backdoor, or cause a denial-of-service."

Apart from the above gaps in security, the researchers also discovered some configuration issues, missing security headers and problems in default wifi password ( being same as same as serial number) which are gravely dangerous to the device and leave it susceptible to cross-site scripting and clickjacking.

 The researchers said they currently don't have any practical solutions to these problems.

'Yes Bank' registers a complaint against fake news, alleging it of frightening investors


Yes, Bank filed a police complaint against fake news stating that misinformation was posted on social media concerning the bank's finance. The complaint was filed at Mumbai Police's Cyber cell when the investors withdrew their shares, and the capitals at the stock market hit a downfall. The bank's police complaint says that the fake news was scaring away its investors and depositors.



The rise of mobile internet in India has resulted in social tremors, with users falling prey to false information. Due to the lack of digital literacy, people are easily exposed to Fake News.

One of the biggest reasons is that fake news is usually engaging, and frightening which drives people to share them in a flash. It intends to create chaos among the general public. For a few days, some perpetrators are circulating fake news and ill-disposed falsehoods about Yes Bank on social networking sites and WhatsApp to generate fright among the bank's clients. The information seeks to present the bank in bad standing and is aimed to defame the bank's image among its clients, shareholders, and society.

"Yes Bank filed a charge by Mumbai Police and Cyber Cell on the propagation of fake news and advertising of lies about the bank's economic status on different social media platforms such as WhatsApp," said the bank in its report. The bank also asked the authorities to establish a committee of specialists to look over the issue of rumor-mongering and find the convict guilty of spreading fake news over social media platforms, they also requested the experts to find the origin of the fake news.

The bank requests its stakeholders and investors to be aware of false information. 'We assure our client that Yes Bank's financial standing is safe and reliable and would continue to be the same for a long time,' it says. It is no doubt that since the last few years, fake news has become a threat to Indian democracy and the people of India. Misinformation that is aggressively spread or shared through social media platforms causes chaos and distress among the public.

Oyo Leaves Customers’ Confidential Data Unprotected Due to a Security Flaw



The world’s third-largest and fastest-growing hospitality and homestay chain, Oyo is reportedly leaving its customer data unprotected, which makes it vulnerable to a breach due to a flaw found in its security systems. A cybersecurity researcher, Jay Sharma, who used Oyo for the first time in his life, found a loophole in the service which was exposing confidential information of the customers availing the service.

Founded in 2013 by 25-year-old, Ritesh Agarwal, Oyo has confirmed the presence of security flaw in an email to the cybersecurity researcher who took to the professional networking site, LinkedIn to share his first time experience with the service and sent the report of the same to the company’s Cyber team on 22nd of August. The data at risk included booking IDs, contact numbers, the date of the booking, the number of people staying in the room and location.

Sharma was offered a bounty reward of Rs. 25,000, which is the increased amount after the officials, reviewed the severity involved, the initial amount offered was Rs. 5000.

Sharing the insights of the experience and the details of the vulnerability, Jay wrote on LinkedIn, “I used Oyo for the first time in my life, and once I checked in, it was compulsory to enter booking ID and phone number to access the Wi-Fi”, “Why should anybody in the room be forced to share personal information via OTP (one-time-password) verification to use Wi-Fi?”

“I researched more and found that the HTTP & Ssh ports were open with no rate limit for the IP which was hosting this. Captcha was a 5 digit number generated by math.random(). I created a way to brute force the login credentials while executing the captcha.”

“Once login was brute-forced all the historical data dating back to a few months was accessible. The booking IDs and phone numbers related to these IDs with timestamps were stored naked and all of it could be downloaded by parsing HTML using python scripts.” He wrote.

Jay further warned the customers not to log in and “wait till OYO announces officially that they have fixed this issue” as “all the properties which use this login are vulnerable.”

Commenting on the matter, the company, headquartered at Gurugram, said “Oyo provides safe and secure hotels to unmarried couples. Most Oyo hotels allow unmarried couples and accept local IDs; they have well-trained staff who ensure safety and privacy,”

“Any vulnerability, no matter how limited-time or small is taken very seriously and looked into,” a spokesperson told in a statement.

Vulnerability in the WIB SIM-browser allows attackers to take control of millions of mobile phones around the world


Previously, E Hacking News reported on the Simjacker vulnerability, which allows to monitor the owners of the phones.

Simjacker is the first real attack where the malicious instructions are sent directly in the SMS message. Interestingly, messages are not stored in either inbox or outbox, so everything happens completely unnoticed by the victim.

According to the researchers, attackers can exploit the vulnerability regardless of the brand of the user's device. A similar vulnerability was recorded on devices of many manufacturers, including Apple, Samsung, Google, HUAWEI and others.

According to Adaptive Mobile Security experts, the vulnerability has been exploited for at least two years by highly sophisticated cyber criminals (most likely working for the government) to spy on users.

Ginno Security Lab experts claim they identified similar kind of vulnerabilities in 2015 and this is the first time they are publishing the details.

Adaptive Mobile Security said that everything starts with sending a malicious SMS-message. It can be sent from a phone, GSM modem or even a computer. After opening, this malicious message launches the S@T Browser program installed on each SIM card, as mobile operators use it to provide their services. In this way, attackers can gain full control of the victim's phone.

The company Ginno Security Lab claims that they have found vulnerability in both WIB simcard-browser and S@T simcard-browsers.

"The Wireless Internet Browser (WIB) is specified by SmartTrust and is the market leading solution for SIM toolkit based browsing".

By sending a malicious SMS message to the victim's phone number, an attacker can exploit vulnerabilities in the WIB simcard-browser to remotely gain control of the victim's mobile phone to perform malicious actions.  In their demo, they remotely made a call from victim's phone to another phone.

The impact of the vulnerability in WIB is spreading around the world and putting hundreds of millions of telecommunication subscribers worldwide at risk. The security vulnerability comes from the SIM card, does not depend on mobile phones or the mobile phone operating system, so every mobile phone is affected.

According to the researchers, one of the main reasons for the existence of Simjacker vulnerability today is the use of outdated technologies in SIM cards, the specifications of which have not been updated since 2009. Experts have already information their findings to the GSM Association, a trade organisation that represents the interests of mobile operators around the world.

Hackers Now Allowed to Find Flaws in US Fighter Jets and Security System


The Trusted Aircraft Information Download Station could have been shut down entirely due to a host of flaws discovered by hackers who were challenged to detect vulnerabilities in a system of a U.S military fighter jet known as F-15.

It was unprecedented in the history of the tech world that outside researchers were given physical access to such critical machinery, and were asked to detect vulnerabilities. It was a matter of two days for a group of 7 hackers to come up with a number of exploits which included bugs that were identified by the Air Force itself but they couldn't fix it, according to the Washington Post.

Hackers put the system through numerous attacks which included subjecting it to malware and testing with objects like screwdrivers and pliers, reported the DEF CON 27.

In the context of the vulnerabilities exploited by the hackers, Roper Technologies attributed, “decades of neglect of cybersecurity as a key issue in developing its products, as the Air Force prioritized time, cost and efficiency.”

Usually, outsiders were not allowed such access to military equipment which is highly sensitive in nature and their operation; it came as a massive change in how the military and technological world works in synchronization, the gravity of which can be gauged by the fact that hackers physically approached the machine with tools.

As per Roper, American Air Force is of the belief that if it doesn't allow America's best hackers to find every single vulnerability present in their weapons, machinery and fighter jets, then they are at the risk of being exploited by other adversaries like Iran, Russia and North Korea.




Simjacker Exploits S@T Browser to Affect a Billion Users



Platform agnostic attack, Simjacker allows hackers to remotely exploit the victims' phone by sending a SMS which contains a malicious code; the code gives instructions to the universal integrated circuit card (UICC)/ SIM card placed inside the targeted device to retrieve and carry out sensitive commands.

The attack is set into motion as soon as the 'attack SMS' sent via another remote handset, is received by the targeted device. The process involves a series of SIM Toolkit (STK) directions particularly configured to be sent on to the SIM Card inside the victim's device.

To ensure a proper execution of these instructions, Simjacker exploits the S@T Browser, which is a software found in SIM cards. After receiving the 'attack SMS', SIM card resorts to the S@T Browser library for setting up the execution friendly environment which can trigger logic on the infected device.

S@T Browser, a legacy browser technology placed inside the SIM cards on a number of handsets, was typically used to send promotional messages or spam text messages. However, the attackers went on exploiting it for obtaining device's location and its unique International Mobile Equipment Identity (IMEI).

The attacker sends a SMS to the S@T browser asking it for the aforementioned information which it would obtain and store on to the SIM card. Then, the attacker would send another SMS to acquire the stored information. These messages are send and received in binary codes, unlike regular messages. It doesn't alert the victim in any manner and hence qualifies to be a highly effective tool for attacking mobile phones via messages.

Referencing from the findings of mobile carrier security company AdaptiveMobile Security, 

"The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands." 

"We believe this vulnerability has been exploited for at least the last two years by a highly sophisticated attacker group." The report reads. 

Notably, the exploit is working as a lot of operators are failing to check the origin of these binary codes (SMS), which can be blocked by configuring the firewall technology in their corresponding networks, advises AdaptiveMobile.





Kraken Bug: Traders Buy Bitcoins and Sell Them For Almost Double?



Kraken, the world’s oldest crypto-currency exchange medium recently revealed that a bug allegedly allowed specific customers to purchase and then resell $8,000 worth Bitcoin for $12,000.

It was mentioned on Twitter that the bug was found in an “unreleased advanced order type”.

The bug caused the orders to automatically execute without having cleared the requisite liquidity. Stop orders were immediately activated and filled at market rate.

The victims of this incident were strongly advised to submit “support tickets” with their questions. Nevertheless, the exchange was vehemently condemned.

Kraken’s CEO in response tweeted that he’s not sure how a “legitimate” trade takes place for pricing reasons or at least what boundaries it exists within.

The charts tell the story that a few over-fortunate traders quickly bought for a low price and sold for a fairly higher amount but the tweets tell another story.

User Accounts and Phone Numbers Exposed; Confirms Instagram


Social Media Giant and Instagram senior, Facebook affirms that a newfound security vulnerability may have put the user data in danger, leaving many open to attack by 'threat actors'.

The vulnerability is said to be so strong to the point that through it the attacker would effectively access 'secure' user data like the users' real names, Instagram account numbers and handles, and full phone numbers.

An Israeli hacker known by the handle @ZHacker13 found the vulnerability with Instagram and said that misusing it would empower an attacker utilizing a multitude of bots and processors to manufacture an accessible/attackable database of users, bypassing protections protecting that information.

The attacker utilizes a simple algorithm against Instagram's login form, checking each phone number in turn for those linked to a live Instagram account, and since there is no restriction on the number of algorithms that can be kept running in parallel, the attacker can do it as many number of times as he wants.


After this while exploiting the advantages of Instagram's Sync Contacts feature he can figure out how to discover the account name and number linked to the phone number.


Anyway as of now, there is no proof that any user data has been misused or mishandled via utilizing this vulnerability—in any case; on the other hand, there is no proof that it hasn't.

Probably the fact that the endeavour required two separate procedures may imply that the attackers have chosen to withdraw.

Meanwhile, @ZHacker13 tested his Instagram exploit post Facebook's fix and affirmed that it no longer worked.

Zwift hackers expose next generation of cycling doping


Cyber security experts proved they can hack into Zwift and boost their performance on the indoor cycling gaming platform.

The hack works by intercepting and manipulating data sent between smart trainers and Zwift.

It underscores the need to tighten security in e-racing, a growing field with UCI-sanctioned events and Olympic ambitions.

By his own admission, cyber security consultant Brad Dixon is a bit of a cycling hack. He rides his bike for fitness and recreation, but he’s better at cracking computer codes than cranking out pro-level wattage on two wheels.

Dixon’s lack of high-end fitness might keep him off the podium IRL, but his ability to game virtual reality could help him rise through the ranks in the ever-growing arena of e-sports, where cyclists compete, often for actual cash and real-world prizes, on stationary trainers via platforms like Zwift.

Last month, Dixon gave a 40-minute presentation at DEF CON, a popular computer security conference, called Cheating in eSports: How to Cheat at Virtual Cycling Using USB Hacks. He detailed how, with some standard hardware and an Xbox controller, he tricked the system into thinking he was humming around Watopia at race pace while doing nothing more strenuous than cracking open a beer.

“The game limits you to 2,000 watts of power, but for a recreational rider like me, that’s infinity,” said Dixon, who works at the New York-based consulting firm Carve Systems. “I can easily cruise around at 30-40 mph in the game at those watts, if not more.”

Such high speeds might immediately cause suspicion among anyone getting their Zwift kit blown off by a pixelated competitor. But smaller boosts, like a 5-10 watt gain here or there—enough to beat someone up a climb or to the line for a sprint—would be far less noticeable.

In the end, these numbers are all that determine how quickly your little cartoon cyclist pedals around the island. And numbers are exactly what gave Carve Systems CEO Mike Zusman, a former Cat 1 mountain bike racer, the notion for this particular hack.

Google Calendar vulnerability affects 1 billion users


Google has finally acknowledged vulnerability in the Google Calendar app that left more than a billion users open to a credential-stealing exploit.

In 2017, two cybersecurity researchers at Black Hills Information Security had informed and demonstrated how they exploited the vulnerability in gaining access to the users credentials.

The vulnerability has put 1.5 billion users at risk.

A Google spokesperson responded to the researcher’s findings that "Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse."

Google is informing all its users about ”security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters."

The Vulnerability inside Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate with calendaring functionality.

When a user get an invitation on the calendar, a pop-up notification appears on their smartphone. Hackers could create a messages that include a malicious link, and these links can direct users to a fake online poll or questionnaire with a financial incentive to participate and where bank account or credit card details can be collected.

"Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks," Javvad Malik, a security awareness advocate at KnowBe4.