Search This Blog

Showing posts with label Vulnerability. Show all posts

Experts have found the most vulnerable places in Runet


Personal accounts of Runet users in various services, including Internet banks, turned out to be the worst protected from hackers. This is the opinion of Positive Technologies specialists.
After analyzing 38 websites of various organizations, including IT companies, government agencies, financial and telecommunications organizations, Positive Technologies employees concluded that nine out of ten web applications in Runet are vulnerable to hacker attacks.

Despite the fact that the situation has improved compared to the previous year, half of the sites contain "high-level" vulnerabilities. In 2019, there were 22 vulnerabilities per application, which is one and a half times lower than in 2018. According to Positive Technologies, the probability that data will leak from applications to the network is 68%, unauthorized access is possible in 39% of cases and authentication system weaknesses were found in 45%.

Also, hackers often hack applications in the banking sector. The protection of apps of credit organizations works only in 40% of cases.

According to experts, this is due to the fact that the dynamics of the main updates of the program is quite high. He noted that the system does not have time to “undergo full training” and automatic configuration.

Applications of government agencies turned out to be the most vulnerable to hacker attacks. Experts stressed that funding for this sector was low. At first, the tenders were won by those who requested the lowest price. And then expenses were reduced even more — by hiring students, for example.
Experts noted that it is quite difficult to protect web applications. Sometimes systems are used in monitoring mode, and real people monitor this. They have to determine whether the attack occurs or not.

“A 24-hour web service requires at least four operators, and this is from five million rubles a year ($78,700),” said Rustem Khairetdinov, vice president of InfoWatch Group. There is no way to hire such a staff of specialists in small companies and regional government agencies.

Computers can be hacked through a "smart" light bulb


Smart light bulbs can not only make the lighting in an apartment and house more convenient and cheaper but also threaten the safety of their owners.

Experts have proven that hackers can hack computers through smart light bulbs. The vulnerability in the smart home system was noticed by cybersecurity company Check Point.

Experts have discovered a way to hack computers through a lamp using a Philips smart home system. At the first stage, the virus program is downloaded to the victim's smartphone and causes the lighting to fail. Experts have noticed that the only way to fix the problem is to reinstall the app, so the user deletes the program and re-downloads it to their phone.

At the stage when the owner of the lamp connects it to the smart home system, attackers take advantage of the vulnerability in the ZigBee protocol, which Philips uses. At the moment of pairing between the lamp and the smart hub, the malicious algorithm causes an overflow of the system buffer, which bypasses the antivirus and is installed on the computer's disk. After that, the device goes under the remote control of hackers.

Check Point experts said that the study has already attracted the attention of the manufacturer of smart lamps and eliminated the gap in the system. Experts advised owners of the Philips smart home system to update their software.

Experts have found vulnerabilities in Philips smart bulbs (at the moment, the problem with these devices has already been solved), but it is possible that similar vulnerabilities are found in many other smart home devices.

Earlier EHackingNews reported that in the fall of 2019, an IT specialist from Russia and blogger Anna Prosvetova discovered a vulnerability in Xiaomi Furrytail Pet Smart Feeder. Since feeders are used when the owners leave the house for a long time, pets may starve to death. The vulnerability was discovered in the application API through which feeders are controlled.

Pavel Durov again warned about the danger of using WhatsApp


Pavel Durov claims that the hacking of the iPhone of Jeff Bezos, the richest man in the world, occurred due to vulnerabilities in WhatsApp. Facebook which owns the messenger insists that the leak is related to the Apple device itself.

The reason for the leak of personal photos and correspondence of the founder of Amazon and the richest man in the world, Jeff Bezos, is a vulnerability in the encryption system of WhatsApp, not problems with Apple gadgets. Telegram founder Pavel Durov wrote about this in his Telegram channel.

This is how he reacted to an interview with Vice President of Facebook's Global Policy Department Nick Clegg, who said that Bezos confidential data leak was due to the iPhone. "We are confident that end-to-end encryption technology cannot be hacked," he said.

Durov recalled that a few months ago he talked about the vulnerabilities of WhatsApp, which, in his opinion, eventually led to the hacking of Bezos smartphone. At the same time, Facebook then assured that there is no evidence that attackers used this vulnerability. According to the founder of Telegram, the backdoor in WhatsApp allowed access to personal messages and photos of the richest man in the world.

Durov explained that the vulnerability used during the hacking of Bezos phone existed not only on iOS, but also on smartphones with Android and Windows. In addition, it is not available in other messengers.

Durov also accused WhatsApp management of using the phrase "end-to-end encryption" as a "magic spell" that automatically makes correspondence secure. He pointed out that the technology itself does not guarantee complete privacy. For example, WhatsApp developers may intentionally leave vulnerabilities in the app at the request of security forces from different countries. As a result, WhatsApp has no problems with the authorities, and Telegram is banned in some countries like Russia and Iran.

An Ex-Operating System Hit by an Exploit Found In Audio Files



A crypto-mining exploit attack, has as of late been discovered in Windows 7 , the ex-operating system which ceased to exist only a couple of days back as per the official announcement by Microsoft, hidden away in sound WAV records.

Ophir Harpaz and Daniel Goldberg, two security analysts at Guardicore Labs, have uncovered how a medium-sized medical tech sector business was attacked by cryptominers utilizing WAV audio files to muddle the malware.

While trying to exploit the EternalBlue vulnerability the attackers focused on the organization's system, running Windows 7 machines in December 2019. The EternalBlue exploit has been around for quite a few years now and was even behind the scandalous WannaCry attacks that hit the U.K. National Health Service (NHS) in 2017.

The Guardicore research journey started in October 2019, when a number of blue screens of death began coming up on Windows machines in the target network. Further investigations unveiled that over half of the system, some 800 endpoints, were getting to suspicious data in a registry key.

And soon enough the Guardicore researchers found a Monero crypto-mining module, utilizing steganography to hide within the audio WAV files.

Daniel Goldberg, a senior cybersecurity researcher at Guardicore Labs and one of the report authors, when asked to comment on the risk-level for those still running Windows 7 replied that, "The risks are crazy high to organizations facing this WAV-based attack if they are running a Windows 7 system after EoL. Before the quarter is over, there will be other vulnerabilities discovered in Windows 7 too that will not be fixed by Microsoft and will also be easy to exploit."

Further going on to describe the WAV-based attack threat to Windows 7 as being "like a hot knife through butter." 

Apart from updating to Windows 7 , whether there exists any other way for those who will not or cannot make a move away from Windows 7, Goldberg points out, "Segment machines you can't support away from the internet and the rest of your network, your old windows 7 machine running this critical but obsolete application should not be accessible from the internet, or most of the machines in your networks."

Additionally arguing that the best offense is a good defense, Terry Ray, senior vice-president and fellow at Imperva, a cyber-security software and services company, says, "Businesses must be responsible, and act in favor of their customers, who trust them with their information, by updating their systems, if not, they will face severe consequences which will come at a huge cost to the customer, and the future of the business. Simply put, don’t fall victim and instead, upgrade to up to date systems which generate regular security updates and have the right systems in place to deter attacks."

Vulnerability has been found in the Xiaomi Feeder through which thousands of cats and dogs around the world can be left without food


Russian IT specialist Anna Prosvetova discovered a vulnerability in Xiaomi Furrytail Pet Smart Feeder. Since feeders are used when the owners leave the house for a long time, pets may starve to death. The vulnerability was discovered in the application API through which feeders are controlled. The researcher believes that she has access to all such feeders, which are now active in the world.

Smart feeders work on the principle of a dispenser that gives a cat or dog a certain amount of dry food at a time. The owner of the animal can set the schedule of meals and the amount of portions in the mobile application. Thanks to this device, the animal can be left for a long time in an empty apartment, without worrying that it will die of hunger.

“I have logs running on the screen from all existing feeders, I see data on the Wi-Fi networks of poor Chinese who bought these devices. I can suddenly feed all the cats and dogs with a couple of clicks, but I can delete the schedules from the devices and not give them food. In addition, I see how much food is in the bowl now," writes the researcher. She has such a smart feeder at home.

Prosvetova did not provide a detailed description of the vulnerability because it is not yet closed. However, she reported that the feeders used a microcontroller ESP8266, which makes it possible to install special firmware on all devices.

As the programmer notes, the vulnerability in Furrytail is ideal for hackers who plan DDoS attacks: the whole process can be easily automated and scaled.

Prosvetova found almost 11 thousand of such gadgets on which she could change the feeding schedule without a password.

She sent a letter to Xiaomi with a detailed analysis of the vulnerability, indicating the method of finding it and advice on how to fix it. Xiaomi confirmed the bug in the smart feeders and promised to fix it. However, the company does not have a mechanism to reward researchers for finding vulnerabilities.

HP Patches a Critical Vulnerability Targeting Windows Pcs


A critical vulnerability that uses unmonitored privilege escalation in the Open Hardware Monitor tool in order to infect Windows PCs that run software's dependent on it was as of late discovered by security research firm SafeBreach.

HP has already issued a patch fixing the said flaw after it came to their notice.

Among others, one of the most commonly discovered bundled software that utilizes the Open Hardware Monitor is HP TouchPoint Analytics, an apparatus that keeps running on many HP laptops and desktops around the world and along these lines putting a similar number of customers in danger.
Since devices, for example, HP TouchPoint Analytics are stacked assigned services and are accordingly whitelisted by numerous 'anti-malware' tools and this is most likely one of the main reasons why the flaw is said to be a 'potentially critical' one.

Because HP's laptops and desktop systems while being utilized for personal use, are additionally broadly utilized in enterprises that manage conceivably very sensitive data. This makes the disclosure considerably more sensitive, since, through this privilege escalation process, attackers could essentially target IT administrator setups, enter specific terminals, introduce 'arbitrary and malicious' DLL files into the framework and access the machines being referred to, and thusly gain access to the high sensitivity data.

For this situation, the HP TouchPoint Analytics tool had high, root-level framework access, and being a whitelisted instrument, enabled attackers to escalate the 'system privilege' to access critical parts of the system. Potential use cases for hackers here incorporate "data theft, undetected tracking of users and critical surveillance activities."

"These types of vulnerabilities are alarming because they indicate the ease with which malicious hackers could mount supply-chain attacks targeting and breaching highly trusted elements of our software ecosystem. This should be a clear signal to security teams that they need to increase their frequency of testing and analysis of their security envelope, in order to match the pace of criminals who are constantly innovating ways to hack into the most vulnerable parts of IT systems," said Itzik Kotler, co-founder and chief technology officer of SafeBreach.

The flaw has since been patched by HP, although SafeBreach warns and makes reference to any other organization utilizing the Open Hardware Monitor tool is still possibly in danger.


Major Breach of Biometric Systems Exposes Information of More Than 1 Million People



In a vulnerability found by Israeli security researchers there occurred a rather major breach of biometric systems that left data of more than 1 million individuals 'exposed' in an openly accessible database.

The frameworks influenced were said to have been utilized by the UK Metropolitan police, defence contractors, and banks, for fingerprint and facial recognition purposes.
It all started when the researchers found that the biometric data on 'Suprema's web-Biostar 2 platform' that controls access to secure facilities, was unprotected and 'mostly unencrypted.'

The affected database included 27.8 million records, totalling 23 gigabytes of data. A small and simple manipulation of the URL search criteria enabled access to the data as well as allowed room for some changes.

Purportedly, the researchers have now been searching for familiar IP blocks to further use these in order to discover holes in company’s frameworks that could conceivably prompt data breaches.
We were able to find plain-text passwords of administrator accounts. The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even. We [were] able to change data and add new users,” – Rotem and Locar, the security researchers.

Despite the fact that the vulnerability has been fixed, be that as it may, it is still in the news as the size of the breach was disturbing because the affected service is currently in use in approximately 1.5 million areas over the world.

Vulnerability in allows hackers to steal private pictures from digital cameras




The International Imaging Industry Association has devised a 'standardised protocol' known as  Picture Transfer Protocol  (PTP) to move digital pictures from camera to PC seeing as Modern Cameras which connect with a PC by means of USB or WiFi systems are said to have been vulnerable against ransomware and malware attacks.

A research report from Check Point Research ascribes the danger to Picture Transfer Protocol (PTP) used to transfer digital pictures from camera to PC.

For their research, Check Point utilized Canon's EOS 80D DSLR camera which supports both USB and WiFi, and basic vulnerabilities in the PTP were found. Given that the protocol is standardized and installed in other camera brands, it is reasonable for expect that comparable vulnerabilities can be found in cameras from different sellers too.

The transfer protocol was at first centered around picture transfer, but it evolved further to incorporate many various commands that support anything from taking a live picture to overhauling the camera's firmware.

Eyal Itkin, Security Researcher, Check Point Software Technologies says that, “Any ‘smart’ device, including the DSLR camera, is susceptible to attacks; cameras are no longer just connected to the USB, but to the WiFi network and its surrounding environment. This makes them more vulnerable to threats as attackers can inject ransomware into both the camera and PC it is connected to. The photos could end up being held hostage until the user pays the ransom for them to be released.”

Here are some important measures the camera owners can take in order to avoid being infected:

  • Ensure your camera is utilizing the most recent firmware version, and install a patch if available.
  • Turn off the camera's WiFi when not being used
  • When utilizing Wi-Fi, take a stab at utilizing the camera as the Wi-Fi___33 access point (basically, design the camera to go about as a Wi-Fi hotspot), instead of connecting your camera to an open Wi-Fi network.


Flaw in Palo Alto VPN Solution Puts Uber and Other Enterprises at Risk




A critical vulnerability has been discovered in Palo Alto GlobalProtect SSL VPN software, the bug, somewhat unusual and is apparently said to be utilized by big enterprise companies over the globe, including the 'ride-hailing platform' Uber.

Used to make secure channels and Virtual Private Network (VPN) tunnels for remote workers - however was discreetly existing in more established adaptations i.e. the older adaptations, the bug has been fixed with the release of recent solutions.

Researchers depict the bug as format string vulnerability in the PAN SSL Gateway, which handles clients/server SSL handshakes.

The issue lies in how the gateway handles specific value parameters without legitimate sanitization, and an attacker sending a 'crafted request' to a vulnerable SSL VPN target is sufficient to trigger an exploit easily.

As per Palo Alto's security advisory, ‘the remote code execution flaw, tracked as CVE-2019-1579, is present in GlobalProtect portal and GlobalProtect Gateway products…’
The vulnerability in old renditions of the product was first discovered and revealed by Devcore researchers Orange Tsai and Meh Chang in a blog entry just a week ago, a further examination found that there was no assigned CVE.

The "silent fix" RCE was not replicable on the most recent rendition of GlobalProtect, regardless of the success with the older variations.

After investigation and exploring a bit the researchers revealed just about 22 Uber-owned servers utilizing a vulnerable version of GlobalProtect.

Nevertheless Uber tackled the issue as soon as it was made aware of it and further clarified that, “Palo Alto SSL VPN was not the primary VPN in use by the majority of staff members, and the software was hosted in AWS rather than embedded within core infrastructure and so the potential impacted was deemed ‘low’...”
A partial proof-of-concept (PoC) has likewise been released after the discoveries provoked Palo Alto to publish a warning and the vulnerability's CVE was then assigned.

Indeed, even after Uber's potential exposure may have been low as the older software was facilitated in AWS, yet that does not mean other enterprises and companies may not be vulnerable. It is therefore, prescribed that users update to a much recent version as fast as they could given the circumstances.

Google Confirms Several Android Devices Shipped With a Malware




Google tackles yet another vulnerability dubbed as Triada, a malware in the form of a code that affected some Android devices even before they shipped.

The malware is such cunningly structured by the hackers, that it displays ads and spam on a cell phone, on endless Android smartphones and stays undetected for long.

Google, in a rather detailed blog post, clarifies "Triada infects device system images through a third-party during the production process. Sometimes OEMs want to include features that aren't part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development...Based on analysis; we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada."

The activities of Triada were first discovered by Kaspersky Labs through the two posts which had stayed profound into the workings of the malware, first was back in March 2016 and the other in a consequent post in June 2016.

What makes this Trojan progressively perilous is simply the way that it hides itself from the list of applications running and installed on the Android smartphone, making it unimaginable for the anti-virus applications and anti-malware applications to identify it, then again it makes it hard for the framework to distinguish if a peculiar or an undesirable procedure is running in the background.

Triada is additionally known to modify the Android's Zygote process too.

Google, upon finding out about the functions and workings of Triada in 2016, had immediately removed the malware from all devices utilizing Google Play Protect. In any case, the malevolent actors amped up their endeavors and discharged a much smarter version of the Trojan in 2017.

What's more, since this more 'smarter version' was implanted in the system libraries it could furtively download and run noxious modules. The most concerning fact being that it can't be erased utilizing the standard techniques and methods.

As indicated by a well-known software suite Dr.Web, the modified version of Traida is known to be found on several mobile devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

A Critical Vulnerability Assisting Attackers in Gaining Access to Live Video Streaming




Researchers discover a rather critical vulnerability in the D-Link cloud camera that enabled attackers to hijack and intercept the camera in order to gain access to the live video streaming as well as recorded videos by means of communicating over unencrypted channel between the camera and the cloud and between the cloud and the client-side viewer app.

The communication request between the application and the camera built up over a proxy server utilizing a TCP tunnel which is the only place the traffic is encrypted. This blemish enables an attacker to play out a Man-in-the-Middle attack and intercept the said connection with the intend to spy on the victims' video streams.


 Rest of the sensitive content, like the camera IP and MAC addresses, version information, video and audio streams, and the extensive camera information are going through the unencrypted tunnel.

The vulnerability dwells in D-Link customized open source boa web server source code file called request.c which is dealing with the HTTP solicitation to the camera. For this situation, all the approaching HTTP demands or requests that handle by this file elevated to admin enabling the attacker to gain a total device access.

According to ESET Research, “No authorization is needed since the HTTP requests to the camera’s web server are automatically elevated to admin level when accessing it from a localhost IP (viewer app’s localhost is tunneled to camera localhost).”

What's more, this weakness lets the hackers to supplant the real firmware with their own fixed or backdoored variant.

An attacker, who is sitting amidst the system traffic between the viewer application and the cloud or between the cloud and the camera, can see the HTTP demands or requests for the video and audio packets utilizing the data stream of the TCP connection on the server and accordingly answer and recreate these captured packets whenever wherever.


Broadcom WiFi Chipset Driver Defect Takes Its Toll On OSs, IoTs, Phones and Other Devices.




Reportedly, the flaws in the Broadcom WiFi chipset drivers are causing a lot of trouble for phones and operating systems that are exposed to it.


This means, attackers could be allowed to execute arbitrary code and initiate DOS. (Denial of Service)

As reported by an intern of a reputed lab, the Broadcom drivers and the open source “brcmfmac” driver possess several vulnerabilities.

As it turns out, the Broadcom drivers are susceptible to “two heap buffer overflows.” Whereas, the ‘brcmfmac’ drivers are susceptible to frame validation bypass as well as heap buffer overflow.

Per the Common Weakness Enumeration database, the heap buffer overflows could cause the software to run in an infinite loop, system crashes, along with execution of arbitrary code.


These above activities are evidently beyond the security policies and security services.

The aforementioned Broadcom WiFi chips are insidiously used by almost everyone without their knowing it. From a laptop through the IoT devices to the smart TVs all the devices have these chip drivers.


As these chips are enormously prevalent, they comprise of an even more enormous target range. Any simple vulnerability or flaw found in them could be a matter of serious risk.

The Broadcom WiFi chipset drivers could be easily exploited by the unauthenticated attackers by way of sending malicious “WiFi packets”.

These packets would later on help in initiating the arbitrary code execution. All the attacks would simply lead to Denial of Service.

In the list of the risks that stand to vulnerable devices, Denial of Service attacks and arbitrary code execution are on the top. These flaws were found also in Linux kernel and the firmware of Broadcom chips.

According to the source note, the four brcmfmac and Broadcom wl drivers vulnerability is of the sort, CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503.

·       CVE-2019-9503: When the driver receives the firmware event frame from the remote source, it gets discarded and isn’t processed. When the same is done from the host the appropriate handler is called. This validation could be bypassed if the bus used is a USB.

·       CVE-2019-9500: A malicious event frame could be constructed to trigger a heap buffer overflow.



·       CVE-2019-9501: The vendor is supplied with the information with data larger than 32 bytes and  a heap buffer overflow is triggered in “wlc_wpa_sup_eapol”

·       CVE-2019-9502: when the vendor information data length is larger than 164 bytes a heap buffer overflow is triggered in “wlc_wpa_plumb_gtk”

If the wl driver’s used with SoftMAC chipsets the vulnerabilities are triggered in the host’s kernel whereas, when used with FullMAC chipset, they are triggered in chipset’s firmware.

There are approximately over 160 vendors that stand vulnerable to Broadcom WiFi chipsets within their devices.

Two of Broadcom’s vulnerabilities were patched which were found in the open source brcmfmac Linux kernel.

CVE-2019-8564 vulnerability had been patched by Apple as a part of their security update, a day before the developer revealed the vulnerabilities.

Chrome Utilized for iOS Vulnerability by a Threat Group to Bypass the Browser's Built-In Pop-Up Blocker



eGobbler, a threat group recently targeted iOS users from the U.S. alongside various European Union Countries through numerous massive malvertising attacks for almost a week and utilized Chrome for iOS vulnerability to sidestep the browser's built-in in pop blocker.

The said threat group utilized "8 individual campaigns and more than 30 fake creatives" all through their push, with every one of the fake ad crusades having life spans of somewhere in the range of 24 and 48 hours.

As per the Confiant researchers who found and observed eGobbler's iOS-targeted attacks, approximately 500 million users' sessions were somehow exposed to this extensive scale coordinated campaign pushing counterfeit promotions i.e. fake ads.


As found by Confiant's specialists eGobbler's campaigns more often than not remain active for a maximum limit of 48 hours, quickly pursued by brief times of hibernation which unexpectedly end when the next attack begins.

Some of them are even seen to have used landing pages facilitated on .world domains utilizing pop-ups to hi-jack users' sessions and divert the unfortunate casualties to vindictive pages, as this technique helps the attackers in phishing as well as in malware dropping purposes.

Anyway this campaign was not the first of its kind designed by the eGobbler malvertising group to explicitly target iOS users, as in November 2018, Confiant observed one more campaign kept running by the ScamClub group which figured out how to capture approximately 300 million iOS user sessions and diverted them all adult content and gift voucher tricks.

Be that as it may, as Confiant said in their report, "This really was a standout campaign compared to the others that we track based not only on the unique payload, but the volumes as well?"
They later included that “With almost half a billion user sessions impacted, this is among the top three massive malvertising campaigns that we have seen in the last 18 months."

Multiple VPN Applications Allow Attackers to Sidestep Authentication; Assists in Taking Control of Affected Systems




Enterprise VPN applications created by Palo Alto Systems, Pulse Secure, Cisco, and F5 Networks are reportedly known to have been 'storing' authentication and session cookies that too insecurely, as indicated by a DHS/CISA alert with a vulnerability note issued by CERT/CC, conceivably enabling attackers to sidestep authentication.

The caution issued on the 14th of April by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) additionally expresses that a potential "attacker could exploit this vulnerability to take control of an affected system."

As detailed in the Common Weakness Enumeration database in CWE-311, the way that an application neglects to "encrypt sensitive or critical information before storage or transmission" could permit would-be attacker to intercept traffic information, read it and infuse malignant code/information to play out a Man-in-the-Middle (MitM) attack.

CERT/CC says:
The following products and versions store the cookie insecurely in log files:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
The following products and versions store the cookie insecurely in memory:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
-Cisco AnyConnect 4.7.x and prior

As indicated by this note "It is likely that this configuration is generic to additional VPN applications," which suggests that many VPN applications from an aggregate of 237 vendors can conceivably be affected by this data divulgence vulnerability.

Additionally, the vulnerability note composed by Carnegie Mellon University's Madison Oliver says that - "If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session."

While VPN applications from Check Point Software Technologies and pfSense were found to not be 'vulnerable', Cisco and Pulse Secure haven't yet issued any data with respect to this vulnerability. Palo Alto Networks have thusly published a security advisory with additional information on this data revelation vulnerability tracked as CVE-2019-1573.

F5 Networks then again, while being "aware of the insecure memory storage since 2013" chosen not to fix it and gives the following solution as a relief measure: "To mitigate this vulnerability, you can use a one-time password or two-factor authentication instead of password-based authentication."

TP-Link's SR20 Smart Home Router Discovered To Come With a Vulnerability As Per Google Security Researcher




TP-Link's SR20 Smart Home Router is recently discovered to come with a vulnerability allowing arbitrary command execution from a local network connection as per a Google security researcher Matthew Garrett. The router, launched in 2016, uncovered various commands that come with root privileges and do not even require validation.

The endeavor was uncovered by the researcher after he was unable to request a reaction from TP-Link, and even published a proof-of-concept to exhibit the said weakness.

Garrett took to twitter to clarify that the TP Link SR20 Smart Home Router accompanying TDDP (TP- Device Debug Protocol), which is influenced with a few vulnerabilities, and one of them is that version 1 commands are 'exposed' for attackers to exploit.

He says that these uncovered directions enable aggressors to send an order containing a filename, a semicolon, to execute the procedure.

 “This connects back to the machine that sent the command and attempts to download a file via TFTP (Trivial File Transfer Protocol) corresponding to the filename it sent. The main TDDP process waits up to four seconds for the file to appear - once it does, it loads the file into a Lua interpreter it initialized earlier, and calls the function config_test() with the name of the config file and the remote address as arguments. Since config_test () is provided by the file that was downloaded from the remote machine, this gives arbitrary code execution in the interpreter, which includes the os.execute method which just runs commands on the host. Since TDDP is running as root, you get arbitrary command execution as root,” he explains on his blog.

In spite of the fact that Garrett says he reported to TP-Link of this vulnerability in December, by means of its security disclosure form, the page disclosed to him that he would get a reaction within three days, however hasn't heard back from them till date. He additionally said that he tweeted at TP-Link with respect to the issue, yet that gathered no reaction either.


Tesla Gives Away EV-Maker Model 3 Cars Along With a Hefty Cash Prize to Hackers



Amat Cama and Richard Zhu a team of hackers, who took part in the Pwn2Own 2019 hacking competition, organized by Trend Micro's "Zero Day Initiative (ZDI)" and exposed vulnerability in the vehicle's framework and bagged themselves an Electric Vehicle (EV) - maker Tesla Model 3 cars along with a cash prize of $35,000.

The hackers focused on the infotainment framework on the Tesla Model 3 and utilized a "JIT bug in the renderer" in order to take control of the framework.

In the course of recent years as a part of Tesla's bug bounty program, the company had given away thousands of dollars in remunerations to those hackers who successfully uncovered vulnerabilities in its frameworks and the EV maker was ' fairly quick ' to fix those vulnerabilities uncovered by white hat hackers.

David Lau, Vice President of Vehicle Software at Tesla says, "Since launching our bug bounty programme in 2014, we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community,"

He further adds, “We develop our cars with the highest standards of safety in every respect, and our work with the security research community is invaluable to us. Since launching our bug bounty program in 2014 – the first to include a connected consumer vehicle– we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community. We look forward to learning about, and rewarding, great work in Pwn2Own so that we can continue to improve our products and our approach to designing inherently secure systems,”


Facebook Exposes Passwords of Hundreds of Millions of Its Users



A rather shocking vulnerability was uncovered by security researcher Brian Krebs, who reports that Facebook left the passwords of approximately 200 to 600 million users simply ‘stored’ in plain text.

A huge number of Facebook, Facebook Lite, and Instagram users may have had their passwords exposed as the aftereffect of a disturbing oversight by the social networking company.

Facebook just previously learned of the issue this past January and has since affirmed the shocking security failure, yet persists it has fixed the issue and has not discovered any proof that the data was 'abused.'

Albeit all users whose passwords were exposed will be informed, the 'shocking flaw' comes so far another blow to the already melting away trust of numerous Facebook users in the midst of the two years of consecutive privacy scandals.

The firm is as yet attempting to decide precisely the exact number of passwords which were exposed and to what extent, assures a source at Facebook who cautioned Krebs of the issue in the first place.

 ‘It’s so far unclear what caused some users’ passwords to be left exposed. To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them, we estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.'
            - Facebook released a public statement with Krebs' report and affirms that it revealed the plain text passwords amid a standard security review in January.

In any case while Facebook says no password reset is as such required, it will caution the users if their information has been abused or will be abused in any way, the security experts still recommend the users to change their current passwords.


Facebook Messenger vulnerability exposed your private texts




A new security flaw in the web version of Facebook Messenger could be allowing any website to see the names of people to whom you have been texting.

The security researcher Ron Masas from Imperva, an online privacy monitoring website, reported the vulnerability as “Cross-Site Frame Leakage” (CSFL)—a side-channel attack,  performed on an end user’s web browser', which was first spotted in November.

“As happens with applications I regularly use, I felt the need to understand how Facebook Messenger works,” Masas wrote in a blog post.

The flaw exploits an element called 'iframe', it is used to see notice whether a user is active or passive on the Facebook messenger.

“I started poking around the Messenger Web application and noticed that iFrame elements were dominating the user interface,” he continued. “The chat box, as well as the contact list, were rendered in iFrames, opening the possibility for a CSFL attack.”

"This lets an attacker reliably distinguish between the full and empty states. This could let him remotely check if the current user has chatted with a specific person or business, which would violate those users’ privacy.'

'By recording the frame count data over time, I found two new ways to leak cross-origin information.

'By looking at patterns instead of a static number, I was able to leak the “state” of a cross-origin window.'

Facebook messenger has now removed all the active iFrames from its website.

'The bug is a browser issue related to how they handle content embedded in webpages and could affect any site, not just Messenger.com,' a Facebook spokesperson told MailOnline.

'We already fixed the issue for Messenger.com last year to safeguard our users and made recommendations to browser makers to prevent this type of issue from happening.'

Clickjacking Vulnerability Spamming the User’s Facebook Wall


A Polish Security Researcher who works under the name of Lasq, found a malevolent spam campaign that spams the users' Facebook wall by exploiting the vulnerability. The said vulnerability came into his notice after he saw it repeatedly being abused by a Facebook spammer group.

The vulnerability as indicated by Lasq is known to reside in the mobile version of the Facebook for the most part through popups while the desktop version stays unaffected.

The link that is the root of all the spamming gives off an impression of being facilitated in an Amazon Web Services (AWS) bucket and diverts the user to a comic website, after they are requested to confirm their ages in French. In any case, even after the user has tapped on the link and done whatever it requested, it was still found to show up on the user's Facebook wall.

At the point when Lasq researched about this issue he found that the spammers were utilizing codes to abuse the IFrame component of Facebook's mobile sharing dialog. He tested for it then with the popular browsers, like the Chrome, Chromium, Edge, IE, Firefox and every other program which displayed X-Edge-Options error and thusly published a blog post with the technical subtleties. He suspected clickjacking.

Later he gathered that because Facebook had disregarded the X-Edge-Options header for the mobile sharing discourse, the "age verification" popup which displayed prior, skirted Facebook's system.


Lasq reached out to Facebook, yet shockingly they declined to fix the issue contending that it is operating in as intended and the case has been closed within 12 hours from an underlying report and clickjacking is an issue just when an attacker some way or another alters the state of the users' account.

On being reached by ZDNet, Facebook essentially stressed on the part that they are consistently enhancing their "clickjacking detection systems" to forestall spam.

Address Bar Spoofing Attacks by Safari Browser





Security researcher Rafay Baloch as of late discovered vulnerability in the Safari browser that purportedly enabled the attackers to take control of the content shown on the address bar. The method enables the 'bad actor' to perform phishing attacks that are extremely troublesome for the user to recognize. The program bug is said to be a race condition which is enabling the JavaScript to change the address bar before even the website pages are loaded completely.

In order to exploit the vulnerability, with tracking id CVE-2018-8383 the attackers were required to trap the victims onto a specially designed site which could be accomplished quite easily and Apple, despite the fact that Baloch had instantly informed both Apple and Microsoft about the bug, deferred this fix even after its three-month grace period prior to public exposure lapsed seven days back.
While Microsoft reacted with the fix on Edge on August 14th as a major aspect of their one of the security updates. The deferral by Apple is what may have left the Safari browser defenseless thusly enabling the attackers to impersonate any site as the victim sees the legit domain name in the address bar with complete confirmation and authentication marks.

At the point when the bug was tested with Proof-Of-Concept (P.O.C) Code, the page could stack content from Gmail while it was hosted on sh3ifu.com and worked perfectly fine in spite of the fact that there are a few components that continued loading even as the page loaded completely, demonstrating that it is an inadequate  and incomplete procedure.

The main trouble on Safari though, Baloch clarified, is that user can't type in the fields while the page is as yet loading, nevertheless he and his group overcame this issue by including a fake keyboard on the screen, something that banking Trojans did for years for improving the situation and are still discovering new and inventive approaches to dispose of the issue at the earliest opportunity.