February 16, 2019
Author

William Moseley

William Moseley is a brazil-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the co-founder of this website, Moseley is also into security gateway, consulting, reading and investigative journalism.


Technology
Google’s upcoming Chrome security feature will defend against DOM – based XSS attacks
William Moseley Posted On February 16, 2019

Google Chrome

Google announces a new defense against DOM-based XSS attacks, the Trusted Types browser API.

Google has created a new browser API to help Chrome combat certain types of vulnerabilities in cross-site scripting (XSS), adding another level of browser protection to protect users from hacking.

This new feature is called Trusted Types and Google has been working on this browser API for the past few months. The company’s engineers are planning to test Trusted Types throughout 2018, between Chrome 73 and Chrome 76, before rolling out and enabling it as a permanent security feature for all Chrome users later this year-if everything goes according to plan.

This new security feature was developed to protect users from one of three types of cross-site scripting defects-namely DOM-based XSS (or type-0). The other two XSS types are “reflected” and “stored.”

For readers who want to learn more about XSS, a detailed breakdown of all three XSS types is available here. DOM-based XSS is basically security vulnerability in a website’s source code. Hackers use so-called injection points to insert code into the DOM (source code) of the browser, which carries out unwanted malicious operations-such as stealing cookies, manipulation of page content, redirecting users, etc.

Trusted Types blocks such attacks by allowing website owners to lock in the code of a website known “injection points,” which are often the root cause of XSS based on DOM. Website owners can enable the upcoming protection of trusted types of Chrome by setting a certain value in the HTTP response header for content security policy (CSP).

Once enabled, Chrome’s built-in Trusted Types API will restrict access to DOM injection points, blocking attacks before the XSS exploit code can use the DOM (source code page) to attack users.

On the Google Developers blog, a tutorial on how owners of websites can enable Trusted Types via CSP headers and how users can configure Chrome to use early versions of the Trusted Types API. In the same tutorial, Krzysztof Kotowicz, a software engineer in the Google Information Security Engineering team, was so confident about the success of the Trusted Types API that he claimed that this new feature would “help eliminate DOM XSS.

More information on the Trusted Types API is available in the official specification of the Web Platform Incubator Community Group (WICG). Trusted Types will be the second XSS protection feature of Chrome after the XSS auditor, which Google shipped with Chrome 4 in 2010.

XSS vulnerabilities were the most common form of web-based attacks in 2014, 2015, 2016 and 2017, according to an Imperva report published last month.

It was last year’s second most common form of web-based attacks, missing only because of an unusual spike in SQL injection attacks in the top position. Companies and security experts often downplay XSS vulnerabilities because they do not always cause direct damage to users who access a website.

They are often the first step in complex routines of exploitation, which facilitates more damaging hacks. In many cases, the elimination of XSS attacks would keep users safe from more complex attacks that would not be possible without an initial XSS footprint.

For example, this week, a DOM-based XSS has affected Bootstrap, a UI framework used somewhere between 15 and 20 percent of all internet sites.


Continue Reading
0
19 Views


Technology
Google Chrome New Feature allows user to share a link that scrolls directly to selected text
William Moseley Posted On February 15, 2019

Hacking Facebook account

Users could soon share a link directly scrolling to the selected text.

Chrome developers are preparing a new desktop and mobile browser feature that allows users to share a link that takes the recipient to the exact word selected by the sender.

The incoming feature has been detected by Chrome Story and merged for future release into chromium source code. It is the text equivalent to sharing a link to a YouTube video that jumps to a pre-selected time.

As it is, Chrome does not have a tool to create a link to a certain location on a web page. A mobile browser also makes it difficult to find specific text using the fiddly’ Find in Page ‘ feature, which appears to be rarely used on mobile devices in Chrome.

The common answer to this problem is to take a screenshot of the relevant text and perhaps share a link to the page from which it originated. Or you can send a link and tell the recipient to find a word.

David Bokan, the developer of Chromium behind the feature, posted a GitHub page about the Scroll-To-Text project that explains why it would be useful and how it works. “If you follow a link to read a specific part of a web page, it can be cumbersome to find the relevant part of the document after navigation, especially on mobile phones, where it can be difficult to find specific content when scrolling through long articles or using the” Find in Page “feature of the browser.”

In order to enable direct scrolling to a specific part of a web page, we propose to generalize existing support for scrolling to elements based on the fragment identifier. We believe that a variety of websites (e.g. search engine results pages, Wikipedia reference links), as well as end users, could use this capability when sharing links from a browser.”

Boken proposes HTML adjustments to support the feature. As for the link, his project proposes to encode a text snippet in the URL with the prefix ‘targetText=’ followed by a keyword string. If a long phrase was selected by the user, the string would contain the start and end words.

The ability to send a link that scrolls directly to an image is one aspect that the project does not address. He also explores how users can highlight multiple text snippets to share.


Continue Reading
0
13 Views


How to
6 Ways to Hack Facebook with Android device [100% working] Step by Step procedure
William Moseley Posted On February 15, 2019


Android are more than the unbelievable features of the operating system.

In this article, I’ll guide you to step by step procedure to hack Facebook account using your Android phone. Just read it carefully, you did not need any technical knowledge. You can hack Gmail if you read it correctly, twitter accounts too.

Before I start, I would like to inform you that there is no universal hacking method for all FB accounts. It depends on the knowledge of the victim.

Google Play Store has many fake Facebook / FB hack name apps. Some of them are paid, but not one app can hack facebook. Recently Google spotted this type of apps and removed/ blocklisted, but still these apps are available to install through other apk downloadable medium.

Do you think the owner of Facebook is stupid? The company spends millions of dollars just for security alone every month.

App Name: Password Fb Hacker Prank

App Link: FB Hacker Prank

App Description:

Password Fb hacker Prank is a prank application for Android mobile phones to simulate hacking Facebook account password, so you’ll bother and surprise your friends and family that you can hack Facebook accounts and get passwords that the app simulates and generates a fake password, time to make them worry and enjoy a lot of fun.

In fact, it is difficult to hack a single account. You need a lot of information about programming and networking to hack someone’s account.

Except that you also have many years of experience in the field. Here we developed a prank application for fun purposes.

FYI:

Facebook pays at least $500 for finding a Facebook security hole. If all accounts can be hacked using a website / app, why do it free of charge.

Disclaimer:
Please be aware that Facebook hack is illegal unless you have permission from the account owner and the parties involved. This post should be used as a tool to help the public understand how hackers gaining access to your Facebook passwords (although designed as a safety tool). The CybersGuards team shall not be held responsible if any criminal charges are brought against any person who misuses the information on this website to violate the law.

6 Ways of Hacking Facebook Accounts using Android devices

  1. Making Fake Login Page (Simple Phishing Attack)
  2. Creating Fake Application to fool users
  3. Using Anomor website
  4. Hack through Spy & Keyloggers App
  5. Picking the credentials through Autosave options on browser.
  6. Changing credentials without knowing the current passwords.

Here is the step-by-step way to hack Facebook account

1. Making Fake Login Page (Simple Phishing Attack)

This is the old, best and most convenient way to hack your Facebook account and not only your mobile but also for desktop. It’s known as phishing in hacking.

To understand phishing, see this screenshot that looks like a Facebook login page, but is actually fake (the phishing page has a different URL). User must see the urls before they share their credentials into it.

This hacking methods start with downloading Facebook clone template,

  1. Download the following Facebook website from here
  2. This File includes 9 Files such as (data.php, data1.php, index.php, Mobile_Detect.php, desktop.jpg, follow.jpg, login.jpg, desktop_files(folder), users.txt)
  3. Using Free hosting providers to put up the code. There are so many free host providers online, we recommend 000webhost.
  4. People intent to hack you will create a subdomain like facebooklogins.domain.com so that victim unable to identify it.
  5. Once after completing the signup steps you may see the active status in it.
  6. That’s it; you got a domain and now upload the file you have downloaded in the step 1.
  7. It’s simple as like you create new website or subdomain. Simple upload the downloaded file and extract it.
  8. Open the following URL https://yourdomain-name.000webhostapp.com/responsive-facebook/index.php/id?=facebook and makesure you have changed the subdomain url as the url you have created with 000webhosting. The page looks similar to actual Facebook page, when your victim login using this path to login, email and passwords will be saved in user.txt file.
  9. Further you can see the credentials of them in the following path open file manager→public_html→users.txt

How Hackers send you a phishing link?

  1. It’s simple; they send you a message stating that you can now earn money with Facebook with shorten url. Yes, you may also have this kind of experience in last few years.
  2. Always keep this in mind, look at the url before you sign in for any account, not only FB, but also Gmail, instagram, etc., because hackers may also have cloned versions of almost all productive websites to steel your information.

Now learn how to prevent yourself being victim of this type of phishing attacks?

  • Use an updated version of browsers like chrome, Firefox.
  • Note* your familiar browser Opera Mini or UC browser doesn’t have knowledge on blocking such webpages.
  • Try using mobile app instead accessing accounts through Browsers.
  • Last but not least check the url of the website, before you do anything.

Now people know much more about phishing, anyway this post is dedicated to people who have not known how easily the hack is done just because of their lack of security knowledge.

2. Creating Fake Application to fool users

There are number of fake application hosted in Google playstore, Google is very keen on monitoring such app and blocking them from accessing it. But still there are easier ways in which people trick to install the fake app to steal your data.

Here is how they do it.

  • There are free and paid apk creator apps available online, for security reason we are not mentioning any apk creator here.
  • Just install the apk creator app and use the same url (https://yourdomain-name.000webhostapp.com/responsive-facebook/index.php/id?=facebook) to convert as app.
  • Yes, you can’t find the different between the actual app and fake app that’s always tricky. It needs special eye to find out.
  • Further you can see the credentials of them in the following path on same 000webhosting.
  • Open file manager→public_html→users.txt

How hack is performed in this way using Fake app?

Attackers share the shorten link to you either through message or on email saying that Advance business Facebook app or something that you make you attract (Hackers are really experts in knowing the way to attract you)

How to protect yourself being victim of this phishing app:

    • Don’t install app outside playstore.
    • Don’t allow your android devices to install anonymous apps.

1. Using Anomor website

Anomor.com is the website that helps hack the FB account [it is not automatically done]. Hacking Facebook from mobile is the easiest way. Either you use Android or iPhone that doesn’t matter, still your account is hackable.

Here are the steps to hack account through Anomor website

  1. Use your browser translator and access to Anomor website and complete the registration
  2. After sign in you will be able to access the dashboard in which you may the “link 1” under the column “Link
  3. Send this “link 1” to the victim, if they signin you be getting their username & password details.
  4. You can see the passwords & username under “My victim” on your anomor account.

4. Hack through Spy & Keyloggers App

These are some applications using the mobile user’s record of each keyword type. You just need to install or install in your victim phone and convince your friends to log in very easy to use.

When you log in, you will save your username and password as a text format. In the play store, both paid and free applications are available.

The paid apps can hide from the launcher, but a launcher that has the functionality to hide apps can be used to hide free apps.

How to perform keylogger hack to get Facebook credential through android device?

  • It starts with the installation of the following app “shadow – kid’s keylogger from play store” which is really smaller in its size, but the job it do is really magical.
  • Open it and click Activate Shadow in the dialog box select the button Proceed and select the keyboard Simple IME.
  • Turn on Simple IME
  • The last step is to open any application where you can type something like the message app. I open the mini – browser opera. Scroll down the notification bar and select the method of input and select English (Us)
  • Now you’re ready to see the victim’s keyword type. Tap the log to view this open shadow.
  • If you install it on the victim’s phone, you can hide it like a nova launcher with the launcher. Another good step is to apply a password. To use password open shadow and AUTHENTICATE

Some quick tips for hack

Tips: If your victim has a messenger, go to the Settings App and clear data from the messenger. When he/she logs in, his username and password are saved again.

How to secure your account from hack?

  • Never log in to the mobile phone of your friend if necessary, then check the keyword before logging in.
  • There are some apps available to install only trusted apps that can steal your information; there is no scan in the play store so hackers can quickly submit their apps.

Drawback:

  • You can’t ask people to login on your phone
  • It’s not easy to install some app on victim phone.

Advice: While servicing your mobile it is advisable to format the device completely before and after service. Since, they might install some tricky app that does some magical things without your knowledge.

5. Picking the credentials through Autosave options on browser.

There is an autosave option in some browsers that automatically saves passwords and username without user information.

It’s also easy to change a few settings in your browser. These are two browsers that have autosave functionality.

  1. UC Browser &
  2. UC Mini

How to get vicitim passwords using autosave function?

Let’s get started.

  1. Open your UC Browser/Mini and go to settings -> browser settings and change the feature to auto save on form and password settings.
  2. Now your browser is ready to get credentials for you, ask your friend to automatically save your password without your password.
  3. You can see the saved credential just by visiting Facebook.com and login.
  4. Just click on login it will show the auto saved data and upon selecting the username, password will be automatically retrieved in the password field that’s it.

6. Changing credentials without knowing the current passwords.

Assume that your friend logs in to your phone or knows the pattern of your friend in which browser the login account.

You can change the password of your account using this URL without knowing the current password. But don’t exaggerate because for all accounts it won’t work. You can try to the least.

Facebook Account hacked (Visit Now)

Drawback:

  1. You must need already logout account
  2. It won’t work on all account, as FB monitors the activities of the user clearly.

All the above methods will work 100% and also it doesn’t need any technical knowledge. It’s a simple and easy step on hacking called social engineering. Now don’t think you’re dumb. People try combinations of their victim name, place etc., But it’s going to take much longer (Brute force attack take more time to find out credentials).

Note* Please don’t ask us to hack someone account for you!


Continue Reading
0
31 Views


Data Breach
8 companies’ 127 million user records are on sale in the dark web
William Moseley Posted On February 14, 2019

127 million

The same person sold 620 million user accounts earlier this week from 16 other companies. An individual who sold 620 million user records stolen from 16 companies earlier this week has now put together a second batch of hacked data from eight companies totaling 127 million.

The data is currently being sold on the Dream Market, a dark web market where crooks sell a variety of illegal products, such as data on users, drugs, weapons, malware and others.

The person who sells the data is called Gnosticplayers, and it is currently unclear whether he/she has hacked the 24 companies or just a third party who has bought the data from the real hacker and is now re-selling it for a greater profit.

According to the tech news site TechCrunch, which first reported on the sale of this new batch of hacked accounts on the Dream Market, Gnosticplayers are asking for approximately four bitcoins, which are approximately $14,500 in fiat. Prices vary according to user data quality and the difficulty of cracking password hashes. This second batch of hacked accounts contains data from:

Image credit: ZDnet

  • Ge.tt (file sharing service) – 1.83 million accounts – 0.16 bitcoin
  • Ixigo (travel and hotel booking) – 18 million accounts – 0.262 bitcoin
  • Roll20.net (gaming) – 4 million accounts – 0.0582 bitcoin
  • Houzz (interior design) – 57 million accounts – 2.91 bitcoin
  • Coinmama (cryptocurrency exchange) – 420,000 accounts – 0.3497 bitcoin
  • Younow (live streaming) – 40 million accounts – 0.131 bitcoin
  • StrongHoldKingdoms (gaming) – 5 million accounts – 0.291 bitcoin
  • Petflow (pet food delivery) – 1 million – 0.1777 bitcoin

Houzz had already cleaned up his data breach from the companies listed above last week. Before today’s ads were published, the other seven companies did not publicly reveal any security breaches.

This new batch of stolen databases comes after the same user from Dream Market sold 16 other companies earlier this week:

  1. Dubsmash – 162 million
  2. MyFitnessPal – 151 million
  3. MyHeritage – 92 million
  4. ShareThis – 41 million
  5. HauteLook – 28 million
  6. Animoto – 25 million
  7. EyeEm – 22 million
  8. 8fit – 20 million
  9. Whitepages – 18 million
  10. Fotolog – 16 million
  11. 500px – 15 million
  12. Armor Games – 11 million
  13. BookMate – 8 million
  14. CoffeeMeetsBagel – 6 million
  15. Artsy – 1 million
  16. DataCamp – 700,000

Animoto, MyFitnessPal and MyHeritage reported breaches last year. DataCamp, 500px, and CoffeeMeetsBagel confirmed this week that they were also violated, giving the seller’s joy that this is real data and not just a scam.

These 16 databases are now out of stock. Gnosticplayers said he took them down after buyers complained that a prolonged sale would eventually lead to some of these databases being leaked online and available to everyone.


Continue Reading
0
42 Views


Vulnerability
WP Cost Estimation & Payment Forms Builder: A Popular WordPress Plugin creating a new attack surface
William Moseley Posted On February 14, 2019

Wordpress plugin vulnerability

The large number of commercial plugins for WordPress creates a new attack surface in the WordPress site landscape. In a commercial WordPress plugin, hackers use an old vulnerability to break into websites and plant backdoors.

At the end of last month, ongoing attacks were first detected by incident respondents from Defiant, the company behind the WordPress WordFence firewall plugin. The vulnerability exploited in the attacks affects “WP Cost Estimation & Payment Forms Builder,” a commercial WordPress plugin that has been sold on the CodeCanyon market for the last five years to build e-commerce-centered forms.

Defiant Threat Analyst Mikey Veenstra said that hackers used the hacked site they investigated to hijack incoming traffic and redirect it to other websites.

He did not rule out attackers who later abused the backdoor for other harmful activities. In a report published on Wordfence’s official blog, Venstra and his colleagues broke down the technical details of the exploited vulnerability.

He said hackers used an AJAX-related flaw in the upload functionality of the plugin to save files on targeted sites with absurd extensions (such as ngfndfgsdcas.tss). The attackers would then upload a.htaccess file associating the non-standard file extension with the site’s PHP interpreter in a second step of the operating routine, ensuring that the PHP code contained in the file would run and activate the backdoor when they later accessed the file.

In other cases investigated by Veenstra and his colleagues, attackers used another AJAX plugin-related function to delete the site configuration and reconfigure it to use its malicious database. According to Wordfence, all versions of WP Cost Estimate before v9.644 are vulnerable to such attacks.

The good news is that the developer fixed the bug in October 2018 with the release of v9.644, after a user complained that their website had been hacked. The bad news is that the developer did not publicly reveal this security problem except for a brief comment in the now buried CodeCanyon, leaving most of his users unaware of the danger they might be in.

According to CodeCanyon, more than 11,000 users purchased the plugin. However, CodeCanyon scripts and plugins are often pirated and made available for free on hundreds of other online sites, and the number of real-world installations is much higher.

Veenstra and the Wordfence team are still looking at the size and scope of these attacks. Backdoors that perform hidden redirects are usually part of the arsenal of cyber-criminal gangs that operate malicious botnets, so hacks that abuse this plugin fault could have been going on for a while.

Commercial plugins and WordPress themes are notorious bad apples. Web security experts often recommend buying and using one, because they are often abandoned after a few months or years.

The developer teams behind commercial plugins and themes also have no means or interest in shipping updates, as they are usually more focused on making one-time sales and then moving to another new plugin or theme from which they can make new money, rather than spending their time in unproductive ways such as patching bugs.

In this case, the WP Cost Estimate developer seemed to be much more reliable than the one behind the abandoned Total Donations plugin. The Wordfence team also identified a second vulnerability in WP Cost Estimation, which was revealed privately to the plugin author and immediately fixed. “Commercial plugins can connect to the WordPress plugin update feature, but they must provide their own repository to distribute the updates”.

“Many don’t go this way.” “In this case, the plugin [WP Cost Estimation] correctly displays an update in the dash, and the developer said he could push an automatic update.”

“If you see a developer responding constructively to questions and problems in reviews and comments, especially on CodeCanyon, it is a good sign that they are likely to be revealed by vulnerability and the following patch process.”


Continue Reading
0
45 Views


How to
How to hack your neighbors WiFi Password? – A Simple WPA / WPA2 attack (2019)
William Moseley Posted On February 14, 2019

Wifi hacked

Looking for a WiFi password hacking guide?

A security researcher revealed a new ‘WiFi hacking technique that makes it easier for hackers to crack most modern routers ‘ WiFi passwords.

The new WiFi hack, discovered by the lead developer of the popular Hashcat password cracking tool, Jens’ Atom’ Steube, explicitly works against WPA / WPA2 wireless network protocols with enabled roaming features based on the Pairwise Master Key Identifier (PMKID).

Steube accidentally discovered the attack to compromise the WPA / WPA2 enabled WiFi networks while analyzing the newly launched WPA3 security standard.

This new WiFi hacking method could potentially allow attackers to retrieve pre-shared key (PSK) login passwords, allowing them to hack into your Wi-Fi network and communicate with the Internet.

How to Hack WiFi Password Using PMKID

wireshark_pmkid

According to the researcher, attackers must wait for someone to log into a network and capture a full 4-way authentication handshake of EAPOL, which is a network port authentication protocol, according to previously known WiFi hacking methods.

The new attack does not require another user to capture credentials on the target network. Instead, it is carried out using a single EAPOL (Extensible Authentication Protocol over LAN) frame on the RSN IE (Robust Security Network Information Element) after requesting it from the access point.

The Robust Security Network is a protocol for secure communication over a 802.11 wireless network and one of its capabilities is PMKID, the key to connecting a client to an access point.

Step 1- An attacker can use a tool, such as hcxdumptool (v4.2.0 or above), to request the PMKID from the target access point and dump the received frame into a file.

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 –enable_status

Step 2- The frame output (in pcapng format) can then be converted to a Hashcat- accepted hash format using the hcxpcaptool tool.

$ ./hcxpcaptool -z test.16800 test.pcapng

Step 3- To get the WPA PSK (Pre-Shared Key) password, use Hashcat (v4.2.0 or higher) password cracking tool, and bingo, that’s how to hack the wifi password.

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 ‘?l?l?l?l?l?lt!’

This is the wireless network’s password, which can take time depending on its length and complexity. “We don’t know which vendors or how many routers this technique will work for at this time, but we think it will work against all 802.11i / p / q / r networks with enabled roaming functions (most modern routers),” said Steube.

Since the new WiFi hack only works on networks with enabled roaming functions and requires attackers to force brute passwords, it is recommended that users protect their WiFi network with a secure password that is difficult to crack.

This WiFi hack also does not work against the WPA3 wireless security protocol of the next generation, since the new protocol “is much harder to attack due to its modern key establishment protocol called” Simultaneous Authentication of Equals “(SAE).”

Disclaimer:
Please be aware that attacks by WPA / WPA2 are illegal unless you have permission from the network owner and the parties involved. This post should be used as a tool to help the public understand how hackers gaining access to your wifi passwords ( although designed as a safety tool). The CybersGuards team shall not be held responsible if any criminal charges are brought against any person who misuses the information on this website to violate the law.


Continue Reading
0
58 Views


Technology
Google is running auto-update-to fix HTTPS mixed content errors in Chrome
William Moseley Posted On February 14, 2019

Google HTTPS Mixed content Errors

Google engineers are looking for a solution to mixed content errors in HTTPS and they seem to have the right idea.

This week, the Google Chrome team will be carrying out an experiment to find solutions to an HTTPS problem that Mozilla also tried to solve last year. The problem Google is trying to solve is called “mixed content,” as described below by Google:

For browser makers and other organizations that have been pushing for HTTPS adoption, mixed content has been a major problem for the past few years.

Mixed content occurs when initial HTML [a web page] is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.

Mixed content browser errors-sometimes known to block users from accessing a website-scared many website operators from migrating to HTTPS, many fearing that they would lose traffic revenue for no tangible benefit in supporting HTTPS.

Addressing mixed content errors in web browsers is probably the last major obstacle to persuading website operators to move to HTTPS.

This week, Google engineers launched a Chrome experiment in which they configured the browser to upgrade mixed content to full HTTPS automatically. Chrome would do this by secretly changing the resource URL (such as images, videos, style sheets, scripts) from HTTP to HTTPS.

If the same resource exists on an HTTPS link, it loads as usual. If an alternative HTTPS line does not contain the resource, Chrome logs the error and executes one of the many scenarios configured for this experiment (detailed in this document).

The general idea is that when website owners updated their sites to use HTTPS, they might have forgotten to change the source code of their sites, and some content was left to load via HTTP, even via HTTPS.

The purpose of this experiment is to enable Google engineers to gain insight into how many websites would break if Chrome automatically updated all mixed content sites to HTTPS by default, and what is the best fallback strategy for HTTP URLs breaking mixed content.

If the percentage of broken links and sites is small, Google engineers would probably think about shipping this auto-update-to-HTTPS feature in the main Chrome browser and take another step towards a safer web.

For now, Google intends to roll out the experiment to approximately one percent of its Chrome Canary user base (which has enabled the flag of Chrome / #enable-origin-trials). The experiment from Google won’t be the first of its kind. Mozilla tested last year in Firefox with a similar mixed content auto-update.

“They found a lot of breakage, but we hope things have improved since their experiment,” Google security engineer Emily Stark said. Other mixed content experiments are also planned.


Continue Reading
0
29 Views


Vulnerability
MacOS security defect allows malicious apps to steal Safari browsing history
William Moseley Posted On February 14, 2019

Mac os security defect

Vulnerability cannot be remotely exploited. Users need to install a malicious app in advance. Last week, operational details were shared privately with Apple’s security team.

A developer API bug allows malicious apps installed on Mojave macOS to access a normally protected folder from which attackers can extract data from the history of Safari browsing.

The bug affects all known macOS versions of Mojave and was discovered last week by Jeff Johnson, the developer of the Underpass Mac and iOS app and the extension StopTheMadness Safari. “Some folders have restricted access on Mojave, which is prohibited by default,” Johnson explained last week in a short blog post.

“For example, ~/Library / Safari”

You can’t even list the contents of this folder in[ the] Terminal app.” Johnson says that Mojave only provides access to this folder for a few selected system applications, such as Finder, by default. “However, I have found a way to bypass these protections in Mojave and allow apps to look inside ~/ Library / Safari without the system’s or user’s permission,” the developer said.

“There are no permission dialogs, it only works. TM In this way, a malware app could secretly violate the privacy of a user by examining the history of their web browsing.” Johnson described the source of the bug only as “a bug in a developer API.”

He refused to share any other details on the assumption that the problem has yet to be patched and he does not want to put macOS users at risk. Johnson said he reported the problem to the security team of Apple, who officially recognized his report. “They said they looked at my report and investigated it,” ZDNet told the developer.

“This is a standard answer. They usually don’t provide updates once you report a problem to them, so I don’t expect more communication from them until they fix it.” But while Johnson refused to share any other details-for now-he pointed out that the bug he discovered is not related to a trick that Rapid7 security researcher Bob Rudis shared online last week, and presumed to be the same as Johnson discovered.

 


Continue Reading
0
35 Views


Vulnerability
Cisco warning: Customers should install an update that fixes a high-severity issue affecting Network Assurance Engine (NAE)
William Moseley Posted On February 13, 2019

Cisco Patches

If the default admin password is changed, the password does not change at all.

Cisco urges customers to install an update to manage data center networks that fix a serious problem affecting its Network Assurance Engine (NAE).

The bug, tracked as CVE-2019-1688, could allow an attacker to knock out a NAE server and cause a service denial using a NAE password management system flaw.

NAE is an important network management tool for data centers, which helps administrators, evaluate the impact of network changes and prevent application failures.

As Cisco explains, the flaw is due to changes in user passwords from the web management interface to the command-line interface (CLI), leaving the old default password in the CLI. The problem only affects NAE version 3.0(1), so older versions are not affected.

A local attacker can exploit the bug by authenticating the CLI of the affected server with the default admin password. The attacker could view sensitive information from there and download the server.

Cisco NAE Release 3.0 (1a) fixes the bug, but Cisco notes that after upgrading to this version, customers should change the admin password to correctly fix the problem.

Cisco also has a bug workaround that requires changing the default admin password of the CLI. Cisco recommends, however, that customers contact the Technical Assistance Center to enter a secure remote support session with the default password.

The password change must be made for all nodes in the cluster, he notes. Fortunately, the security team at Cisco is not aware of live attacks using the fault found during internal security testing.


Continue Reading
0
13 Views


Technology
The massive update of Adobe patch fixes critical bugs in Acrobat, Reader
William Moseley Posted On February 13, 2019

Adobe Patches

The February release addresses 44 critical Adobe software vulnerabilities. Adobe has released a major security update addressing software vulnerabilities such as Acrobat, Reader, Flash, ColdFusion and Creative Cloud.

The main release affects Acrobat DC and Reader DC 2019.010.20069 and earlier, Acrobat Classic 2017 and Acrobat Reader 2017 2017.011.30113 and earlier, as well as Acrobat DC and Acrobat Reader DC Classic 2015, all of which are affected by Windows and MacOS.

A total of 43 vulnerabilities are considered critical for Adobe Acrobat and Reader. The tech giant has also patched 28 important bugs. Among the critical vulnerabilities, a zero-day flaw disclosed in Acrobat Reader in January could lead to theft of hacked password values.

A micropatch was released by 0patch this week. Other critical bugs solved in the update include buffer errors, sensitive data leakage, and an integer overflow vulnerability that could lead to information disclosure, a double-free bug, security bypass problems, and arbitrary code execution problems.

The key vulnerabilities resolved in the February update are a host of read-out issues, which could lead to information disclosure if attackers use it.

In the past, Flash has often received large batches of security updates to address serious vulnerabilities. In the February update, however, the software was only patched to resolve one important security flaw, an out – of-bound read problem that could lead to information disclosure. Adobe Flash version 32.0.0.114 and earlier, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge & Internet Explorer11 for Windows, MacOS, and Chrome OS are affected.

ColdFusion versions 2018, 2016 and 11 were also included in the latest batch of security fixes. The update resolves a critical deserialization of untrusted data issue and an important cross-site scripting (XSS) bug that could lead to arbitrary code execution and information disclosure, respectively. Adobe has also released a single fix for Creative Cloud desktop versions 4.7.0.400 and earlier.

The patch is applied to the installer of the application to fix an insecure library loading bug that, if exploited, could lead to privilege escalation.

Adobe thanked researchers who revealed the bugs through the Zero Day Initiative of Trend Micro, Cisco Talos, Check Point Research and Palo Alto Networks, among others.


Continue Reading
0
26 Views