Posts tagged with "Vulnerability"



Ever wonder how to hack Instagram or how to hack a Facebook account? Well, someone just did it!

But remember: even responsibly reporting a security vulnerability could end up with legal action being taken against you.

An independent security researcher claims he was threatened by Facebook after he responsibly revealed a series of security vulnerabilities and configuration flaws that allowed him to gain access to sensitive data stored on Instagram servers, including:

  • Source Code of Instagram website
  • SSL Certificates and Private Keys for Instagram
  • Keys used to sign authentication cookies
  • Personal details of Instagram Users and Employees
  • Email server credentials
  • Keys for over a half-dozen critical other functions

However, instead of paying him a reward, Facebook threatened to sue the researcher for intentionally withholding flaws and information from its team.

Wesley Weinberg, a senior security researcher at Synack, participated in Facebook’s bug bounty program and started analyzing Instagram systems after one of his friends pointed him to a potentially vulnerable server located at sensu.instagram.com.

The researcher found an RCE (Remote Code Execution) bug in the way the server processed users’ session cookies, which are generally used to remember users’ log-in details.

Remote code execution bug was possible due to two weaknesses:

  1. The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token
  2. The host was running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie
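The following is an added illustration (not code from Instagram, Sensu or the researcher) of why the first weakness matters on its own: a signed session cookie is only as trustworthy as the secrecy of its signing key, so a secret committed to source lets anyone who has read the repository produce cookies the server accepts, and rotating the key is what invalidates them. The cookie layout (base64 payload, `--`, hex HMAC) and the `SESSION_SECRET` variable name are simplifications assumed for this example, not the real Rails format.

```python
"""Model of a hard-coded session signing secret and its consequences.

Added example; the cookie format is a simplified stand-in for Rails' real
signed-cookie format, chosen for clarity rather than compatibility.
"""
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional


def sign_cookie(payload: bytes, secret: bytes) -> str:
    """Server side: base64 payload plus an HMAC-SHA256 tag keyed by `secret`."""
    data = base64.urlsafe_b64encode(payload).decode()
    mac = hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()
    return f"{data}--{mac}"


def verify_cookie(cookie: str, secret: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies under `secret`, else None."""
    try:
        data, mac = cookie.rsplit("--", 1)  # the hex tag never contains '-'
    except ValueError:
        return None
    expected = hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return base64.urlsafe_b64decode(data)


# Constructed example of the weak configuration: a constant that lives in the
# source tree is shared by every deployment and known to every reader of it.
HARDCODED_SECRET = b"changeme-this-lives-in-git"


def load_secret_securely() -> bytes:
    """Hardened pattern: per-deployment secret from the environment, no constant fallback."""
    value = os.environ.get("SESSION_SECRET")  # assumed variable name for this example
    if value is None:
        raise RuntimeError("SESSION_SECRET must be set; never fall back to a constant")
    return value.encode()


def demo_hardcoded_secret_forgery() -> dict:
    """Knowing the secret is equivalent to owning every session it signs."""
    server_secret = HARDCODED_SECRET
    legit = sign_cookie(b'{"user_id": 42}', server_secret)
    # Anyone who read the constant out of the repository can produce this:
    forged = sign_cookie(b'{"user_id": 1, "admin": true}', server_secret)
    # Flipping one character of the tag must still be caught.
    tampered = legit[:-1] + ("0" if legit[-1] != "0" else "1")
    rotated = secrets.token_bytes(32)  # mitigation: rotate, stop using the constant
    return {
        "legit_accepted": verify_cookie(legit, server_secret) is not None,
        "forged_accepted": verify_cookie(forged, server_secret) is not None,
        "tampered_rejected": verify_cookie(tampered, server_secret) is None,
        "old_cookies_die_after_rotation": verify_cookie(forged, rotated) is None,
    }


if __name__ == "__main__":
    print(demo_hardcoded_secret_forgery())
```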

Exploiting the vulnerability, Weinberg was able to force the server to vomit up a database containing login details, including credentials, of Instagram and Facebook employees.

Although the passwords were encrypted with ‘bcrypt’, Weinberg was able to crack a dozen very weak passwords (like changeme, instagram, password) in just a few minutes.

Exposed EVERYTHING including Your Selfies

Weinberg did not stop here. He took a close look at other configuration files he found on the server and discovered that one of the files contained some keys for Amazon Web Services accounts, the cloud computing service used to host Instagram’s Sensu setup.

These keys listed 82 Amazon S3 buckets (storage units), but gave him access to only one of them. He found nothing sensitive in the latest version of a file in that bucket, but when he looked at an older version of the file, he found another key pair that let him read the contents of all 82 buckets.

Weinberg had inadvertently stumbled upon almost EVERYTHING including:

  • Instagram’s source code
  • SSL certificates and private keys (including for instagram.com and *.instagram.com)
  • API keys that are used for interacting with other services
  • Images uploaded by Instagram users
  • Static content from the instagram.com website
  • Email server credentials
  • iOS/Android app signing keys
  • Other sensitive data

“To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” Weinberg wrote in his blog. “With the keys I obtained, I could now easily impersonate Instagram, or any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, [personal] pictures and data.”

Responsible Disclosure, but Facebook Threatens Lawsuit

Weinberg reported his findings to Facebook’s security team, but the social media giant was concerned he had accessed private data of its users and employees while uncovering the issues.

Instead of receiving a reward from Facebook for his hard work, Weinberg was disqualified from the bug bounty program by Facebook.

In early December, Weinberg claims, his boss, Synack CEO Jay Kaplan, received an alarming call from Facebook security chief Alex Stamos regarding the weaknesses Weinberg had discovered in Instagram, which left Instagram and Facebook users wide open to a devastating attack.

Stamos “stated that he did not want to have to get Facebook’s legal team involved, but that he was not sure if this was something he needed to go to law enforcement over,” Weinberg wrote in his blog in a section entitled ‘Threats and Intimidation.’

In response, Stamos issued a statement, saying he “did not threaten legal action against Synack or [Weinberg] nor did [he] ask for [Weinberg] to be fired.”

Stamos said he only told Kaplan to “keep this out of the hands of the lawyers on both sides.”

“Condoning researchers going well above and beyond what is necessary to find and fix critical issues would create a precedent that could be used by those aiming to violate the privacy of our users, and such behavior by legitimate security researchers puts the future of paid bug bounties at risk,” Stamos added.

Facebook Responds

After the original publication by the researcher, Facebook issued its response, saying the claims are false and that Weinberg was never told not to publish his findings, rather only asked not to disclose the non-public information he accessed.

The social media giant confirmed the existence of the remote code execution bug in the sensu.instagram.com domain and promised a bug bounty of $2,500 as a reward to Weinberg and his friend who initially hinted that the server was openly accessible.

However, the other vulnerabilities that allowed Weinberg to gain access to sensitive data did not qualify, with Facebook saying he had violated user privacy while accessing the data.

Here’s the full statement by Facebook:

We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.

We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn’t pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers’ hard work.

What if someone could access your graduation results and alter them at will? Students of the region’s prestigious Gauhati University aren’t aware that their marksheets, stored on the university’s servers, could easily be accessed by a mid-level cyber expert, with a serious risk of compromise to the data. A Bongaigaon-based class XII student found flaws in the university’s network server and gained access to its backend and complete database. Sounds scary?

Rony Das, a class XII student of Bongaigaon Railway HS School, hacked into the servers of the Gauhati University website through his Android phone in December last year and immediately informed the university registrar by mail. While Rony thought the vulnerabilities he had pointed out to the university had been rectified, he was shocked to find that the issue still wasn’t resolved as of last week. Rony mailed the university again, but nothing was done.

“I am a web security enthusiast and while researching security faults, I managed to access the Gauhati University control panel with ease through my Android phone. What if someone with bad intentions exploits the vulnerabilities and plays with the future of thousands of students studying in the university?” Rony said while talking to TOI.

When contacted, Gauhati University officials were caught unaware of the issue. While the system admin at the university said they would look into the matter on Thursday, VC Mridul Hazarika told TOI that he would take action at the earliest. “I should thank you for intimating me about the issue. I am not informed about the same, but I am happy that the ethical hacker chose to inform us about the vulnerability beforehand,” Hazarika said. He added that, if needed, the hacker’s opinion on securing the servers would be sought, and that students shouldn’t worry as their data would be secured on priority.

Rony shared a video with TOI which showed how easily he could access the database of the university and how everything – including marks – could be altered through a mobile device. While looking for similar vulnerabilities, the information security enthusiast also managed to find flaws in the content management system of a political party’s website.

Rony’s father is a tailor in Bongaigaon. The young prodigy wishes to pursue higher education in information security from Mumbai/Pune. “I am a self-learner and hope that with proper education I will be able to be an information security expert and serve the country. With regular news of web hacks by hackers from other countries, India should better its stealth. Hope I achieve my aim some day,” he said.

Source : TOI


While talking to Professional Hackers India, Rony shared a self-captured image of the TOI newspaper cutting.


A major vulnerability discovered by Mozilla lurking in an advertisement shown by a Russian news site could steal your files and upload them to a Ukrainian server without you ever knowing.

The flaw exploits Firefox’s PDF viewer and the JavaScript context to inject a script that can search for and upload local files. All you need to do is load the page with the exploit and it’ll silently steal files in the background.

Interestingly, the files it searches for on the local system are mostly developer focused. On Windows, the attack specifically looks for FTP configuration files, subversion, .purple and other account information. On Linux, it looks for global configuration files and user directories.

Mac users aren’t specifically targeted by the attack that was discovered, but wouldn’t be immune if targeted.

The attack doesn’t appear to be widespread right now, having only been spotted on a Russian ad network, but it’s likely only a matter of time until it spreads as more people discover it.

All versions of Firefox are affected and Mozilla says that to protect against the exploit you should update to version 39.0.3 right now. Enterprise users can patch to 38.1.1.


The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

Adobe Flash, the much-loathed, bug-plagued relic of a browser plugin, just got a big nail driven into its coffin.

Mozilla blocked Flash by default in its Firefox browser late Monday night, a day after Facebook’s security chief called for Adobe to kill Flash once and for all.

The Flash-bashing picked up last week after revelations that the spyware giant known as the Hacking Team had been using Flash to remotely take over people’s computers and infect them with malware. (That discovery took place after the Hacking Team was itself hacked. Documents revealed in the breach showed that the Hacking Team had exploited two critical vulnerabilities in Flash’s code.)

“It is time for Adobe to announce the end-of-life date for Flash,” tweeted Facebook security chief Alex Stamos on Sunday.

Mozilla’s support chief Mark Schmidt quickly followed suit by tweeting that all versions of Flash had been turned off in Firefox. That means Firefox users will not be able to turn on the plug-in to access Flash content — they’ll have to seek out another browser if they need to use Flash.

Adobe did not immediately respond to a request for comment.

The good news for Firefox users is that most won’t notice a change. Just under 11% of websites use Flash, according to W3techs, a technology survey company.

Flash is a type of software called “middleware,” an add-on extension to the browser that allows rich content to be viewed. It had been widely used a decade ago, powering most of the Web’s games, animations and videos. When YouTube launched in 2005, its videos were entirely Flash-based, requiring its audience to install the Flash plug-in software in order to watch YouTube media.


Can Hackers turn a remote computer into a bomb and explode it to kill someone, just like they do in hacker movies? Wait, wait! Before answering that, Let me tell you an interesting story about Killer USB drive:

A man walking in the subway stole a USB flash drive from the outer pocket of someone else’s bag. The pendrive had “128” written on it. After coming home, he inserted the pendrive into his laptop and, instead of discovering any useful data, he burnt half of his laptop down. The man then took out the USB pendrive, replaced the text “128” with “129” and put it in the outer pocket of his bag… Amen!

I’m sure you would really not imagine yourself being the 130th victim of this Killer pendrive, and neither would I.

This story was told to a Russian researcher, nicknamed Dark Purple, who found the concept very interesting and developed his own computer-frying USB Killer pendrive. [Dark Purple] recently heard a story about how someone stole a flash drive from a passenger on the subway.

The thief plugged the flash drive into his computer and discovered that instead of containing any valuable data, it completely fried his computer. The fake flash drive apparently contained circuitry designed to break whatever computer it was plugged into.

Since the concept sounded pretty amazing, [Dark Purple] set out to make his own computer-frying USB drive. While any electrical port on a computer is a great entry point for potentially hazardous signals, USB is pretty well protected.

If you short power and ground together, the port simply shuts off. Pass through a few kV of static electricity and TVS diodes safely shunt the power.

Feed in an RF signal and the inline filtering beads dissipate most of the energy. To get around or break through these protections, [Dark Purple]’s design uses an inverting DC-DC converter. The converter takes power from the USB port to charge a capacitor bank up to -110VDC.

After the caps are charged, the converter shuts down and a transistor shunts the capacitor voltage to the data pins of the port. Once the caps are discharged, the supply fires back up and the cycle repeats until the computer is fried (typically as long as bus voltage is present). The combination of high voltage and high current is enough to defeat the small TVS diodes on the bus lines and successfully fry some sensitive components—and often the CPU. USB is typically integrated with the CPU in most modern laptops, which makes this attack very effective.


The Stuxnet worm is one real example of such a cyber attack: it was designed to destroy centrifuges at a nuclear facility, and it all started from a USB drive.

Also in 2014, a security firm demonstrated an attack on Apple’s Mac computer by overriding temperature controls, which can actually set the machine on fire. So if we say that a computer could be converted into a bomb, then of course it’s true, a hacker can probably make your computer explode as well.

Therefore, next time you find an unknown USB flash drive, beware before inserting it into your laptop. This time it will not just burn through the important files or data stored on your laptop, as malware does; it will burn up the laptop itself.

It was Edward Snowden, the infamous former contractor for the National Security Agency who turned rogue and leaked thousands of pages of classified NSA intelligence documents, whose leaks included some speculation about Apple’s iPhone “special software” that authorities could activate remotely to gather information about the user. Your iPhone can now secretly spy on you.

It was not clear if this “special software” was made up of standard diagnostic tools, or if the NSA intelligence agency had found a way to compromise the iOS mobile operating system developed by Apple. Apple claims it does not allow government agencies to have direct access to its servers.

But NSA leaks from the Edward Snowden documents showed how the agency developed specific spyware to target iPhones, allowing information to be gathered from iPhone devices. Apple has denied being involved in any spyware development with the NSA.

With their latest operating system, iOS 8, Apple claims it is not even able to decrypt messages itself that come through its devices, as it values its emphasis on user security. But if these PRISM tools are already in place Apple may have plausible deniability with any compromise on current and future iPhone upgrades.

We do know that the documents leaked by Snowden revealed that iPhone security is an area of interest for the world’s spy agencies, specifically the British spy agency GCHQ, which was recently revealed to have used the UDID system to track iPhone users.

Apple was among the first companies accused of participating in the NSA’s PRISM data mining project, but it was not the only one. The PRISM data-mining project allegedly involved extracting video, audio, pictures, documents, emails and connection logs from devices, allowing analysts to track the movement of the device’s user and the communications that they receive or send out. Let the buyer beware with future upgrades of Apple as the NSA has its eye on iPhones and their users.

A Google security researcher, ‘James Forshaw‘ has discovered a privilege escalation vulnerability in Windows 8.1 that could allow a hacker to modify contents or even to take over victims’ computers completely, leaving millions of users vulnerable.
The researcher also provided a Proof of Concept (PoC) program for the vulnerability. Forshaw says that he has tested the PoC only on an updated Windows 8.1 and that it is unclear whether earlier versions, specifically Windows 7, are vulnerable.
Forshaw unearthed the bug in September 2014 and notified the Google Security Research mailing list about it on 30th September. Now, after the 90-day disclosure deadline, the vulnerability and Proof of Concept program were made public on Wednesday.
The vulnerability resides in the function AhcVerifyAdminContext, an internal function (not a public API) that checks whether the user is an administrator.

“This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator,” Forshaw wrote in the mailing list. “It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID.”

“It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.”
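As an added illustration (not Microsoft’s code and not Forshaw’s PoC), the following user-mode model shows the logic flaw just quoted and the check a defender would expect instead: comparing the token’s user SID against LocalSystem without looking at the token’s impersonation level lets an identification-level token, which proves identity but grants no authority to act as the client, pass as if it were a genuine LocalSystem context. The impersonation level names and the LocalSystem SID S-1-5-18 are the real Windows values; the Token class, the check functions and the user SID below are constructed for the example.

```python
"""Model of the AhcVerifyAdminContext impersonation-level check.

Added example; not Windows code. Level names and S-1-5-18 are real,
everything else is a simplified stand-in for the kernel's token handling.
"""
from dataclasses import dataclass
from enum import IntEnum


class ImpersonationLevel(IntEnum):
    """Mirrors SECURITY_IMPERSONATION_LEVEL ordering: higher grants more."""
    SecurityAnonymous = 0
    SecurityIdentification = 1   # server may learn who the client is, nothing more
    SecurityImpersonation = 2    # server may act as the client locally
    SecurityDelegation = 3


LOCAL_SYSTEM_SID = "S-1-5-18"


@dataclass(frozen=True)
class Token:
    user_sid: str
    level: ImpersonationLevel


def vulnerable_is_admin_context(token: Token) -> bool:
    """Model of the flawed check: SID comparison only, level ignored."""
    return token.user_sid == LOCAL_SYSTEM_SID


def hardened_is_admin_context(token: Token) -> bool:
    """Reject tokens that do not authorise acting as the client.

    Identification and anonymous tokens must fail regardless of SID; only
    SecurityImpersonation or higher may proceed to the identity comparison.
    """
    if token.level < ImpersonationLevel.SecurityImpersonation:
        return False
    return token.user_sid == LOCAL_SYSTEM_SID


def evaluate(token: Token) -> dict:
    """Run both checks so the difference is visible side by side."""
    return {
        "vulnerable": vulnerable_is_admin_context(token),
        "hardened": hardened_is_admin_context(token),
    }


# Constructed tokens: an identification-level LocalSystem token (the kind a
# low-privileged caller can end up holding), a genuine impersonation-level
# LocalSystem token, and an ordinary user with a made-up domain SID.
IDENTIFY_ONLY = Token(LOCAL_SYSTEM_SID, ImpersonationLevel.SecurityIdentification)
GENUINE_SYSTEM = Token(LOCAL_SYSTEM_SID, ImpersonationLevel.SecurityImpersonation)
ORDINARY_USER = Token("S-1-5-21-1000-2000-3000-1001", ImpersonationLevel.SecurityImpersonation)

if __name__ == "__main__":
    for name, tok in [("identify-only", IDENTIFY_ONLY),
                      ("genuine-system", GENUINE_SYSTEM),
                      ("ordinary-user", ORDINARY_USER)]:
        print(f"{name:15} {evaluate(tok)}")
```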

The PoC contains two program files and some set of instructions for executing the files which, if successful, finally result in the Windows calculator running as an Administrator. According to the researcher, the vulnerability is not in Windows User Account Control (UAC) itself, but UAC is used in part to demonstrate the bug.
Forshaw tested the PoC on Windows 8.1 Update, both 32-bit and 64-bit versions, and recommended running the PoC on 32-bit. To verify, perform the following steps:
  • Put the AppCompatCache.exe and Testdll.dll on disk
  • Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
  • Execute AppCompatCache from the command prompt with the command line “AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll”.
  • If successful then the calculator should appear running as an administrator. If it doesn’t work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.
A Microsoft spokesperson confirms the vulnerability and says that it’s already working on a fix:

“We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”

At the time of posting this article, there’s no patch available and all Windows 8.1 systems are vulnerable to hackers.
Source : THN

For the first time ever, Apple Inc. has pushed out an automatic security update for Macintosh OS X computers to address a critical security issue that, according to the company, was too risky to wait for users to patch after seeking their prior approval.
Despite having had the ability for years to silently and automatically update its users’ computers, Apple typically asks for users’ permission, manually or automatically, before installing any security update of this kind. But the company has now exercised this ability for the very first time, to patch a critical security flaw in a component of its OS X operating system called the Network Time Protocol (NTP).
This newly discovered security vulnerability, assigned CVE-2014-9295, became public late last week and affects all operating systems running versions of NTP4 prior to 4.2.8, including OS X as well as Linux and Unix distributions. NTP is used for synchronizing clocks between computer systems and across the global internet.
Once exploited, the NTP vulnerability can allow an attacker to remotely execute arbitrary code on a system with the privileges of the ntpd process. The security hole in NTP would give hackers the ability to turn users’ Macs into DDoS zombies. However, no security firm has reported any cases of hackers exploiting this vulnerability.
NTP is a global way of synchronising time over a network, and because of its link to networks it has previously been exploited by hackers a number of times. At the beginning of the year, NTP was used to launch a 300Gbps DDoS attack against Internet blacklist maintainer Spamhaus. Also in February 2014, the record-breaking 400Gbps DDoS attack was launched against content-delivery and anti-DDoS protection firm CloudFlare by leveraging weaknesses in NTP.
The Carnegie Mellon University Software Engineering Institute identified the critical flaw which was made public on Friday by the Department of Homeland Security. The vulnerability affects dozens of technology companies’ products including Apple’s.
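The affected range stated above (NTP4 prior to 4.2.8) is the kind of threshold an operator checks across a fleet. The following added helper (not from Apple, ntp.org or the advisory) classifies an `ntpd --version` string against that threshold, taking the `pN` patch level into account so that a 4.2.7 development build with a high patch number is still recognised as older than 4.2.8. The sample strings are constructed.

```python
"""Classify an ntpd version string against the CVE-2014-9295 fix threshold.

Added helper; the threshold (fixed in 4.2.8) is the one the article states.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

FIXED_IN = (4, 2, 8, 0)

# major.minor.patch with an optional pN suffix, e.g. "4.2.6p5" or "4.2.8".
# Anchored to start-of-string or whitespace so the "@1.2349" build tag after
# the version is never mistaken for it.
_VERSION_RE = re.compile(r"(?:^|\s)(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, p-level) or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def ntp_vulnerable(text: str) -> Optional[bool]:
    """True if older than 4.2.8, False if 4.2.8 or newer, None if unparseable."""
    version = parse_ntp_version(text)
    if version is None:
        return None
    return version < FIXED_IN


def triage(version_lines: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each collected version line to its verdict for reporting."""
    return {line: ntp_vulnerable(line) for line in version_lines}


# Constructed samples in the shape `ntpd --version` prints.
SAMPLES = [
    "ntpd 4.2.6p5@1.2349-o Tue Jun 23 09:00:00 UTC 2014 (1)",
    "ntpd 4.2.7p465@1.2483-o Fri Nov 21 10:00:00 UTC 2014 (1)",
    "ntpd 4.2.8@1.3265-o Thu Dec 18 12:00:00 UTC 2014 (1)",
    "ntpd 4.2.8p10@1.3728-o Wed Mar 22 08:00:00 UTC 2017 (1)",
    "ntpd: command not found",
]

if __name__ == "__main__":
    for line, verdict in triage(SAMPLES).items():
        print(f"{str(verdict):5}  {line}")
```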

“As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” ICS-CERT wrote in an advisory published Tuesday. “Products using NTP service prior to NTP–4.2.8 are affected. No specific vendor is specified because this is an open source protocol.”

The company recommends that all users apply this patch “as soon as possible.” The update is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1 and is available for download via the “updates” section of the Mac App Store. The update doesn’t require a restart.