
Fake Instagram Desktop app offers Image Viewer

With the advent of Instagram’s popularity, an entirely new opportunity for hackers and creators of malware has arisen.

A popular fad among Instagram’s users is to use third-party developers’ software in order to view and save photos off the image site. Instagram has now surpassed Twitter in number of users, which means that there are more people out there vulnerable to these schemes than ever before. How do these Potentially Unwanted Programs (or PUPs, as they’re called in tech jargon) work, and how do you avoid getting duped by them?

“The bundle” is never a good deal.

Much like some telecom companies offer bundle deals with a lot of hidden baggage and fees, bundling software is the number one way for these potentially unwanted programs to find their way onto unsuspecting consumers’ computers and devices.

Basically, you may see a piece of software that looks cool, and when you download it, it comes with other programs cleverly hidden in the installation. Sometimes these are shown in the install wizard, if there is one, but only as very small check boxes with limited descriptions that are easy to miss if you’re in a hurry and trigger-happy with the “Next” button. Usually there will be a check box and a mention of some “great” software that has been included (free of charge!), in smaller text than everything else on the screen. More often than not, though, these extras are attached and installed without giving you the courtesy of a choice in the matter.

Discretion isn’t always enough.

Sometimes these malicious programs simply come with a neat-sounding name with Instagram in it and no other frills. They are disguised as image viewing and image saving/downloading apps. Everything about these Potentially Unwanted Programs is geared towards one thing: tricking users into downloading and running them. Worse, some of these programs can be even more dangerous to you and your information than the typical phishing websites out there. The harmful programs detected have ranged from merely annoying to trojans and more damaging malware.

In the end, the best thing to do is to use your best judgment when downloading these types of programs. Also, make sure you have a good, up-to-date anti-malware program installed on your machine. If you do decide to download and use one of these programs, keep an eye out for the sneaky extra programs that might be included in the installation: slow down, read everything in the install wizard carefully, and if it mentions installing something extra that isn’t the program you wanted, make sure you uncheck that box!


Here are some of the programs out there that the people at Malwarebytes found to contain PUPs carrying harmful software in the form of trojans and malware:


Sources:

http://blog.malwarebytes.org/security-threat/2014/05/more-pups-sighted-using-instagram-as-lure/

http://www.tomsguide.com/us/fake-instagram-pups,news-18748.html


1.3 million customers have their personal data stolen – Orange telecom company hacked again


The French phone company Orange has been the victim of a hack that exposes the personal information of 1.3 million customers. That’s 1.3 million people’s names, phone numbers, e-mails, dates of birth, and more accessed by cyber criminals. Perhaps most shocking is the fact that this hasn’t happened once, but twice this year. Orange became aware of the breach on April 18th but waited until May to inform its customers, in order to make sure the security failures used by the hackers were cleaned up and fixed first.

The first security breach was announced to the public in early February. In this attack, the hackers were able to access the “My Account” section of over 800,000 Orange customers in order to lift information.

Now, things like e-mails and phone numbers aren’t as sensitive as other types of information that could have been taken (such as credit card numbers and payment information), but this type of information can still be used to harm the people it has been stolen from. Such data can be sold on the underground market, and it can be used to orchestrate precisely targeted phishing attacks. The stolen data makes it much easier for hackers to fake e-mails that appear to come from Orange officials, in order to mine even more sensitive information from the people whose data has been compromised.

Of course, the telecommunications company says that security is one of its biggest concerns. For the CEO, Stéphane Richard, this must be especially embarrassing. Just last October, the company published a blog post about its dedication to information security. More than once, the CEO has made it clear that he takes a very serious stance on this, and yet, as we can see, the holes were definitely there.

All of this news comes on the heels of other data breaches with some large U.S. companies as well, such as the mega retailer Target and Michael’s craft stores, begging the question: How can companies better foresee and patch up these holes in their defense before the cyber criminals find the holes for them?

Sources (Orange official blog):

http://live.orange.com/en/exclu-leweb-stephane-richard-proteger-les-donnees-de-nos-utilisateurs-cest-capital/

http://live.orange.com/en/wf13-vie-privee-numerique-comment-proteger-son-identite-en-ligne/


24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS amplification attacks.

Researchers from Nominum have identified that DNS-based DDoS amplification attacks, targeting vulnerable home routers globally, have significantly increased in recent months.

(A DNS amplification attack is a reflection-based distributed denial of service (DDoS) attack.)


Home routers are the easiest vector of attack because most users are unaware of the security implications. Router firmware is almost never updated, which leaves the devices open to all kinds of attacks. Hackers use this as their target and find ways to infiltrate the vulnerable routers.

Nominum researchers observed that:

  • Tens of millions of home routers expose provider networks to DNS-based DDoS
  • Stealthy, low-skill attack evades existing defenses and Best Practices
  • Attackers constantly register new “purpose built” domains only for amplification
  • Substantial network impact: DNS servers, access networks, peering and transit
  • Subscriber-perceptible attacks spike support calls, reduce satisfaction, stress ops teams

Traffic from amplification amounts to trillions of bytes a day and disrupts ISPs, websites and individuals. The impact of such attacks on ISPs is fourfold:

  • Network impact generated by malicious traffic saturating available bandwidth
  • Cost impact generated by a spike in support calls caused by intermittent service disruption
  • Revenue impact as poor internet experience leads to increased churn or retention expenses
  • Reputation impact as unwanted traffic is directed toward peers

“Existing in-place DDoS defenses do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort,” explained Sanjay Kapoor, SVP of Strategy, Nominum. “Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies.” (as quoted by Reuters)
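As an added illustration of the detection side (not from the Nominum report or this post), the following Python script scores resolver log entries by their response-to-request byte ratio and by repeated ANY queries for one name, which is what separates amplification traffic from ordinary lookups. The log format, the IP addresses and the domain are constructed for the example; the source address in such logs is the spoofed victim, not the attacker.

```python
"""Flag likely DNS amplification traffic in resolver logs.

Added example, not from Nominum or the original post. It assumes a
constructed log format of one line per DNS query/response pair:
    <unix_ts> <client_ip> <qname> <qtype> <req_bytes> <resp_bytes>
Real resolvers (BIND, Unbound, dnstap) log differently; adapt parse_line().
"""
from collections import defaultdict

# Constructed sample: a normal client, and a spoofed "victim" address that
# keeps receiving large ANY answers for a purpose-built amplification domain.
SAMPLE_LOG = """\
1400000000 192.0.2.10 www.example.com A 45 61
1400000001 192.0.2.10 mail.example.com MX 47 120
1400000002 203.0.113.5 amp-test.example ANY 52 3960
1400000002 203.0.113.5 amp-test.example ANY 52 3960
1400000003 203.0.113.5 amp-test.example ANY 52 3960
1400000003 203.0.113.5 amp-test.example ANY 52 3960
1400000004 203.0.113.5 amp-test.example ANY 52 3960
1400000004 203.0.113.5 amp-test.example TXT 52 3100
"""

AMP_THRESHOLD = 10.0   # response/request byte ratio treated as abusive
MIN_QUERIES = 5        # repeated queries needed before raising an alert


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, qname, qtype, req, resp = parts
    try:
        return {"ts": int(ts), "client": client, "qname": qname.lower(),
                "qtype": qtype.upper(), "req": int(req), "resp": int(resp)}
    except ValueError:
        return None


def summarize(log_text):
    """Aggregate query count and request/response bytes per (client, qname)."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "any": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip garbage rather than crash
        s = stats[(rec["client"], rec["qname"])]
        s["queries"] += 1
        s["req"] += rec["req"]
        s["resp"] += rec["resp"]
        if rec["qtype"] == "ANY":
            s["any"] += 1
    return stats


def find_amplification(log_text, threshold=AMP_THRESHOLD, min_queries=MIN_QUERIES):
    """Return alerts for (client, qname) pairs that look like reflection abuse."""
    alerts = []
    for (client, qname), s in summarize(log_text).items():
        ratio = s["resp"] / s["req"] if s["req"] else 0.0
        if s["queries"] >= min_queries and ratio >= threshold:
            alerts.append({"client": client, "qname": qname,
                           "queries": s["queries"], "ratio": round(ratio, 1),
                           "any_queries": s["any"]})
    return alerts


if __name__ == "__main__":
    for alert in find_amplification(SAMPLE_LOG):
        print(alert)
```

A hit on a name nobody else resolves, with a ratio in the tens, is the cue to rate-limit or refuse ANY for that name and to check whether the "client" address is a customer at all.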

3 Key Takeaways from RSA Conference 2014 – San Francisco for CISOs and Security Enthusiasts

Author: Arun Hegde, Security Architect (@arun25)

Here is a quick summary of my experience at RSA Conference 2014 – San Francisco last month.

Highlights of RSA 2014: Some of the highlights at this year’s RSA were cloud security, mobile security (especially for the enterprise), more companies providing SIEM solutions, and a lot of new companies building security solutions on the public cloud and Big Data. With billions invested by huge corporations like Amazon, Google, Microsoft and many more, the push in the coming few years will be toward Big Data security. Financial corporations consider the cloud threatening, but after speaking to a lot of folks I realized that the cloud has invaded the financial sector already. It’s just a matter of time before things change as vendors start introducing more cloud-based solutions that are regulatory compliant.

1. Future of Appliance-based Security: Security solutions have been appliance-oriented for the past couple of years, which is not wrong in itself. For every security problem, an appliance-based solution has been the one-stop enterprise answer. But the overhead of maintaining these appliances, and the labor involved, can become very expensive, and the current solutions available in the market do not help from a scalability point of view. C-level executives at various corporations are facing the same challenges and looking for alternatives.

Many vendors are planning to change this by integrating multiple platforms and services into a single platform. Private clouds with strong security built in will play a significant role in solving this issue. These will be regulatory compliant, which of course is the primary concern of most financial firms.

2. Future of Security: We all talk about the modern computing age of inter-connected devices providing a single user experience, but the current state of security devices is not there yet (they are not inter-connected so far). Firewalls, proxies, mail servers, anti-spam engines, endpoint protection and many more do not share intelligence with each other and therefore act independently on issues. We take data from all such devices and use SIEM products to correlate it for appropriate alerting, making the SIEM the intelligence provider in most large enterprises. But that intelligence is only as strong as the rules and the product limits are. This is the weakest implementation point of the existing state of technology, and there is no turnaround for that.

Companies like Symantec are working in this area to see how integration and intelligence can be unified in a single product. Visionaries are already thinking about such scenarios and working towards them. I found this a very cool concept and hope to see it in action. Stephen Trilling, VP of Intelligence at Symantec, explained something similar in detail in his talk, and I have a link to the talk below.

3. Internet of Things Era: Most of us have already heard of IoT. The future of the world will revolve around IoT, and this will create a huge challenge in the security world. Cisco executive Padmasree Warrior’s remark that “Every company becomes a technology company and every technology company will have security” will potentially change the way we operate today. The world as we see it has been changing rapidly with interconnected devices, and this will continue to change with advances in processing power. Hence, there will be a tremendous shortage of security-minded professionals.

Interesting metrics from one of the keynote presenters that I noted on the number of connected devices:

  • 5 years back – connected devices: 1 billion
  • Current connected devices (2014) – 10 billion (which is 1% of the world)
  • Expected connected devices by 2020 – 50 billion
  • Expected connected devices by 2040 – 77 billion

RSA survey on hiring Security Professionals:


Links to various talks and articles on the web:

  • Nawaf Bitar, GM – Juniper Networks: spoke about some of the ways existing security has been handled and how it should have been handled. (You may find details below.)
  • Scott Charney, Microsoft: response to the NSA and some interesting notes on how information is handled by Microsoft. (You may find details below.)
  • Padmasree Warrior & Christopher Young, Cisco: a good talk about IoT. (You may find details below.)
  • Art Gilliland, HP – Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy: http://www.rsaconference.com/events/us14/agenda/sessions/1344/stop-looking-for-the-silver-bullet-start-thinking#sthash.4xuesi8T.dpuf
  • Scott Harrison – inspirational story about the charity WATER and how it is changing the world for a good cause: http://www.rsaconference.com/events/us14/agenda/sessions/1372/the-story-of-charity-water
  • The Next World War Will be Fought in Silicon Valley: https://www.youtube.com/watch?v=XKkwL0gTN4w
  • Keynotes at RSA are available here: http://www.rsaconference.com/events/us14/agenda/keynotes
  • Podcasts: Moving to the SHA-2 hashing algorithm, Protecting data against unwanted surveillance, Two-factor authentication with Duo Security, and many more in the net-security RSA coverage: http://net-security.org/event/rsaconference2014
  • Dark Reading on RSA topics: http://www.darkreading.com/rsa-conference-2014-complete-coverage/240165938


Hacking Facebook user “Access Token” using Man in the Middle Attack

Facebook has had a long list of vulnerabilities, and its security team seems incapable of dealing with real-world security. Unfortunately, its mission of making the world open does not always align with security principles. This is just an opinion and may not be the reality.

This vulnerability still exists, and the author says in his blog that Facebook has repeatedly denied it since 2013.

Ahmed Elsobky (@MrEagle0x), a security enthusiast, identified a flaw in the way tokens are handled. As the researcher puts it: “Facebook allows the HTTP version of the Canvas URL to be used even if the app already has an HTTPS URI. Facebook also allows the request without any special tokens, so anyone can make a request (i.e. although Skype has a HTTPS Canvas URL, Facebook allows the HTTP link in the redirect_uri parameter).”

Pic Source: CyberNews

Prerequisite for this exploitation:

The target user (victim) must be logged into Facebook. (Not applicable for Facebook Messenger, Facebook Camera, or Facebook for Android/iOS/Symbian, since these are pre-authorized apps.)

The attack:

If the target user is using an app such as Skype, Spotify, Pinterest or anything similar, it is possible to obtain an access_token with the permissions of that application by injecting this basic iframe into any web page that the target user visits:

<iframe src="https://www.facebook.com/dialog/oauth?redirect_uri=http%3A%2F%2Flogin.skype.com%2Flogin%2Foauth%3Fapplication%3Daccount&client_id=260273468396&response_type=token" width="0" height="0"></iframe>

Facebook allows an HTTP link in the redirect_uri parameter, so a GET request is sent and the target user’s browser follows a 302 redirect to that HTTP URL carrying the application’s access_token with all of its permissions.

The token arrives with expires=[the current expiry value] (usually zero with Skype, and 0 means the token never expires). Because the response travels over plain HTTP, it can be intercepted and exploited. Bingo!

Assuming the above works, you can use your own crafted URLs in the following format and replace anything you need without HTTPS:

URL/vector (http%3A%2F%2Fwww.facebook.com%2Fconnect%2Flogin_success.html&response_type=token&client_id=[app_id]) after the redirect_uri parameter. If the configuration of the application doesn’t allow this URL (http%3A%2F%2Fwww.facebook.com%2Fconnect%2Flogin_success.html), then use the Canvas URL of the application with HTTP instead of HTTPS.

This vector can be used if the user has authorized the Facebook Graph API Explorer app (an official Facebook app used by many developers!); an attacker can then get the access_token via the link (https://www.facebook.com/dialog/oauth?response_type=token&client_id=145634995501895&redirect_uri=http%3A%2F%2Fwww.facebook.com%2Fconnect%2Flogin_success.html). A screenshot of the same is shown below.


“Generate a secret code/hash for every request (something like the gfid anti-CSRF token for users and a secret code for applications) that is required in order to accept the request before any access_token value gets returned! Something like this:

https://www.facebook.com/dialog/oauth?redirect_uri=<URL>&client_id=ID&secret_code=XXXXXX” is what Ahmed recommends in his blog to fix this issue.

Recommendations to protect yourself:

i) Use the “HTTPS Everywhere” browser extension, which is available from the EFF (https://www.eff.org/https-everywhere)
ii) Avoid using apps that don’t use SSL
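To show what the server-side fix looks like, here is an added Python example (not Facebook’s code and not from Ahmed’s write-up) of an authorization endpoint that refuses any non-HTTPS or unregistered redirect_uri and binds each request to a per-request secret along the lines Ahmed proposes. The app registry and server secret are constructed; the client ids and redirect URLs are the ones quoted above.

```python
"""redirect_uri validation for an OAuth authorization endpoint.

Added example, not Facebook's code. It models the two fixes the post calls
for: (1) never honour a plain-HTTP redirect target, even if the app also
registered an HTTPS one, and (2) require a per-request secret_code bound
to the client_id and redirect_uri before any access_token is returned.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed registry: app id -> registered HTTPS redirect URIs (ids from the post).
REGISTERED_APPS = {
    "260273468396": ["https://login.skype.com/login/oauth"],
    "145634995501895": ["https://www.facebook.com/connect/login_success.html"],
}

SERVER_SECRET = b"constructed-demo-secret"   # would come from a secret store in practice


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact-match policy: https only, and scheme/host/path must be registered."""
    parsed = urlsplit(redirect_uri)
    if parsed.scheme != "https":
        return False          # blocks the http:// downgrade described in the post
    if parsed.fragment:
        return False          # a fragment would swallow the token we append
    for registered in REGISTERED_APPS.get(client_id, []):
        reg = urlsplit(registered)
        if (parsed.scheme, parsed.netloc, parsed.path) == (reg.scheme, reg.netloc, reg.path):
            return True       # query string may vary, host and path may not
    return False


def _tag(client_id, redirect_uri, nonce):
    msg = f"{client_id}|{redirect_uri}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_secret_code(client_id, redirect_uri):
    """Mint a per-request code tied to this client_id and redirect_uri."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_tag(client_id, redirect_uri, nonce)}"


def verify_secret_code(client_id, redirect_uri, code):
    """True only if the code was minted for exactly this client_id + redirect_uri."""
    try:
        nonce, tag = code.split(".", 1)
    except ValueError:
        return False
    return hmac.compare_digest(tag, _tag(client_id, redirect_uri, nonce))


def authorize(client_id, redirect_uri, secret_code, token="constructed-token"):
    """Return (status, location). Only a fully validated request gets a token."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return (400, None)
    if not verify_secret_code(client_id, redirect_uri, secret_code):
        return (400, None)
    return (302, f"{redirect_uri}#access_token={token}&expires=3600")
```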

The research in this post was extracted from Ahmed


Dendroid – Next Generation Crime-ware toolkit targeting Android

Dendroid, a next-generation crimeware toolkit that can convert apps into malware, is available on the underground market for only $300. It also comes with 24-hour support if you get stuck along the way.

Symantec mentioned that this is an evolution of AndroRAT (the first malware APK binder).

Dendroid is an HTTP RAT that is marketed as being transparent to the user and firmware interface, having a sophisticated PHP panel, and an application APK binder package. The APK binder used by Dendroid happens to share some links to the author of the original AndroRAT APK binder, says Symantec.

The seller of Dendroid on underground forums goes by the handle “Soccer”. The seller also sells support and accepts Bitcoin, Litecoin, BTC-e, or other services.


Dendroid toolkit is able to generate a malicious apk file that offers amazing features like:

  • Delete call logs
  • Call a phone number
  • Open Web pages
  • Record calls and audio
  • Intercept text messages
  • Take and upload photos and videos
  • Open an application
  • Initiate a HTTP flood (DoS) for a period of time
  • Change the command-and-control (C&C) server

The Dendroid APK binder included with the package was written with assistance from the author of the original AndroRAT APK binder, says Symantec.


Flexcoin shuts down after being targeted by hackers, losing $600,000

One more piece of bad news for the world of Bitcoin was announced today, after Mt. Gox. The Alberta, Canada-based “Bitcoin bank” Flexcoin and the Bitcoin exchange Poloniex have announced that they have been targeted by hackers.

The company said: “As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately.”

While Poloniex will continue to do business, Flexcoin’s administrators have decided to shut it down.

Flexcoin’s site reads: “On March 2nd 2014 Flexcoin was attacked and robbed of all coins in the hot wallet. The attacker made off with 896 BTC, dividing them into these two addresses:

1NDkevapt4SWYFEmquCDBSf7DLMTNVggdu

1QFcC5JitGwpFKqRDd9QNH3eGN56dCNgy6 “

Flexcoin said it would return to users the bitcoins that are stored offline, in cold storage.

More details can be seen at


Facebook Advertising “Suggested Posts” delivers Android Malware

Researchers have identified a tricky Android malware spreading via Facebook advertising.

When Facebook is accessed from an Android device, users may see messages under Facebook advertising under “Suggested Post”. Some of the identified ads read:

  • “WhatsApp tips like: Want to know how to see your contacts’ chats on WhatsApp?”
  • “Want to hide your WhatsApp connection status?”

When an Android user clicks on those ads, the user is taken to a malicious Google Play lookalike store with a free app on it. Once the user installs the app, the device is infected with the Trojan. Once infected, the Trojan checks all inbound messages, and if the sender is the premium-rate SMS service, the message is intercepted and deleted so the user is unaware.

This technique doesn’t work with the latest 4.4 (KitKat) version of Android, so the creators have come up with an ingenious trick to overcome that: when the message is received, the phone volume is muted for two seconds and the inbound message is marked as read. The app includes an SMS counter, so when the first message is received from the premium-rate service, it reads it to get the confirmation PIN and registers the user on the corresponding website to activate the premium-rate SMS service.

“In this attack, cyber-criminals have taken advantage of Facebook’s targeted advertising options. In this case, the ad is only shown to Spanish Facebook users who are accessing the social network from an Android mobile device. We carried out tests using the same account from a PC, an iPad, an iPhone and Android and the ads were only displayed when using the Google operating system”, said Luis Corrons, Technical Director of PandaLabs at Panda Security.


More than 360 million newly stolen credentials sold on black market

Researchers from Hold Security LLC have identified more than 360 million credentials on the underground market. According to the reports, the details of the data have not yet been publicized, nor has any company been identified.

Alex Holden, CISO of Hold Security LLC, said in an interview that the data was obtained over the past three weeks.

Last year the same firm uncovered 153 million stolen credentials from Adobe Systems. Later it uncovered another large breach of 42 million credentials from Cupid Media. The details of which accounts are being sold, and the potential impact, are not known.

On its blog, Hold Security wrote:

“To help our customers we tracked over 300 million abused credentials that were not disclosed publicly (that is over 450 million credentials if you count our Adobe find). But this month, we exceeded all expectations! In the first three weeks of February, we identified nearly 360 million stolen and abused credentials and 1.25 billion records containing only email addresses. These mind boggling numbers are not meant to scare you and they are a product of multiple breaches which we are independently investigating. This is a call to action, and if you are concerned about integrity of your company’s user credentials we encourage you to use our Credentials Integrity Services.”


Yahoo vulnerability could have allowed a hacker to delete more than 1.5 million records

Ibrahim Raafat (@RaafatSEC), an Egyptian security researcher, identified a vulnerability which could potentially have deleted more than 1.5 million records from Yahoo’s database. He demonstrated the Insecure Direct Object Reference vulnerability on his blog, and it appears to have since been fixed by Yahoo.

He performed the demo with his own account. The vulnerability escalated the user’s privileges to delete topics and comments in the database, allowing the user to delete any topic or comment on Yahoo. Currently there are more than 1,155,000 comments and 365,000 posts that were potentially at risk.

Ibrahim further explains how the attack can be performed:

As a first step he added a comment on a random post. He then found that he could delete his own comment, which Yahoo allows. So he analyzed Live HTTP Headers to understand how the traffic flows when his own comment is deleted.

POST request:

prop=addressbook&fid=367443&crumb=Q4.PSLBfBe.&cid=1236547890&cmd=delete_comment

It consists of 5 parameters, as stated below:

  • prop = category
  • fid = topic id
  • crumb = something like a session token
  • cid = comment id
  • cmd = the method

Then, in another browser, he signed in with another account and posted a comment.

He changed the fid and cid parameter values, which allowed him to delete other comments from the forum that were posted by another user. Bingo!

He tried the same for topic deletion and it worked:

POST cmd=delete_item&crumb=SbWqLz.LDP0 (without changes)

POST cmd=delete_item&crumb=SbWqLz.LDP0&fid=xxxxxxxx (after the attack)

With a loop, Yahoo would have lost 1.5 million records had this been exploited. Yahoo must be grateful to Ibrahim for this amazing finding, and hopefully Yahoo’s conservative Mayer gives a big bounty for Ibrahim’s hard work.
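As an added example (not Yahoo’s code and not from Ibrahim’s blog), the following Python models the delete_comment request above against a constructed in-memory store: the vulnerable handler trusts the client-supplied cid, while the fixed handler resolves the caller from the crumb and enforces ownership server-side, which is the missing check behind an insecure direct object reference. The users, comment ownership and session mapping are constructed; the parameter names and values are the ones shown above.

```python
"""Ownership check for a delete_comment request, before and after the fix.

Added example, not Yahoo's code. The request body is the one quoted in the
post (prop, fid, crumb, cid, cmd); users, sessions and comments are made up.
"""
from urllib.parse import parse_qs

# Constructed data: which user posted which comment on which topic (fid).
COMMENTS = {
    "1236547890": {"fid": "367443", "owner": "alice"},
    "1236547891": {"fid": "367443", "owner": "bob"},
}
# Constructed sessions: crumb value -> logged-in user ("something like session").
SESSIONS = {"Q4.PSLBfBe.": "alice", "SbWqLz.LDP0": "bob"}


def parse_request(body):
    """Flatten the x-www-form-urlencoded body into a plain dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def delete_comment_vulnerable(body, store):
    """Before: any valid crumb may delete any cid (the IDOR the post describes)."""
    req = parse_request(body)
    if req.get("cmd") != "delete_comment" or req.get("crumb") not in SESSIONS:
        return 403
    cid = req.get("cid")
    if cid not in store:
        return 404
    del store[cid]            # never checks that the caller owns this comment
    return 200


def delete_comment_fixed(body, store):
    """After: identify the caller from the session and enforce ownership."""
    req = parse_request(body)
    user = SESSIONS.get(req.get("crumb"))
    if req.get("cmd") != "delete_comment" or user is None:
        return 403
    comment = store.get(req.get("cid"))
    if comment is None:
        return 404
    # The client-supplied fid must match the stored record, and the caller must
    # own the comment; otherwise refuse and leave the record untouched.
    if comment["fid"] != req.get("fid") or comment["owner"] != user:
        return 403
    del store[req["cid"]]
    return 200


def run_scenario(handler):
    """Bob (crumb SbWqLz.LDP0) tries to delete Alice's comment 1236547890.

    Returns (status, comment_still_present) so both handlers can be compared.
    """
    store = {k: dict(v) for k, v in COMMENTS.items()}
    body = ("prop=addressbook&fid=367443&crumb=SbWqLz.LDP0"
            "&cid=1236547890&cmd=delete_comment")
    status = handler(body, store)
    return status, "1236547890" in store


if __name__ == "__main__":
    print("vulnerable:", run_scenario(delete_comment_vulnerable))   # (200, False)
    print("fixed:     ", run_scenario(delete_comment_fixed))        # (403, True)
```

The same ownership check applied to delete_item closes the topic-deletion variant, since the flaw in both cases is trusting an identifier the client chose.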

Video of the attack is available here :
