A security researcher called ProtocoL has found that sites such as the one of Cartoon Network (cartoonnetwork.com), Disney (disney.go.com) and Master Chef Australia (masterchef.com.au) contain cross-site scripting (XSS) vulnerabilities.

None of them is persistent, but that doesn’t make them much less dangerous. Because the sites are popular, cybercriminals could easily leverage the flaws to lure users into their malicious operations. Rather than explain the risks ourselves, we let the hacker himself describe what XSS issues can lead to.


“XSS may help to compromise users by the execution of client-side arbitrary code. Under certain conditions, XSS can also be used to produce redirects,” he said.

“This could direct targets to specially crafted pages which are designed to steal user names or passwords or, in severe circumstances, lead to browser exploit packs which leverage overflow vulnerabilities in the browser. The possibilities with client-side injections are severe; it shouldn’t be taken lightly.”

Although XSS flaws are highly common, many website owners and administrators still fail to see the dangers they pose, especially for their customers.

“I find it quite disappointing to find easily fixable vulnerabilities such as XSS in large companies. Do they not pay their companies enough to escape input and output? Don’t they realize that XSS is essentially the execution of arbitrary client-side code? In fact it can lead to session hijacking. Embarrassing, wouldn’t you think,” ProtocoL told us.

So, we’ve asked the hacker to tell us how he believes these vulnerabilities should be handled. It’s a question we’ve been asking quite often lately, but since this is becoming a growing concern, any piece of advice could prove to be useful for webmasters.

“I hate it when minute web application vulnerabilities affect users. Companies should focus on protecting their customers because they are who really matter; the ability to trust and the integrity of web applications plays a vital role in 2012,” he added.

“They should employ administrators who actually bother spending time fuzzing the web application, then escaping input and output via PHP validation functions which are already built in; it is all down to data validation.”

Deepanker Verma, a security researcher at the Infosec Institute, has uncovered a potentially dangerous redirection vulnerability that affects Google Books (books.google.com), a site that has recently been integrated into Google Play.

According to Verma, Google has been notified of the existence of the flaw and has even confirmed it, but so far nothing has been done to address the issue.


The expert explains that these types of security holes appear when the website has “unvalidated redirection.”

If exploited successfully, the vulnerability could allow an attacker to launch phishing attacks and even redirect victims to malware-infested sites. The cybercriminal only needs to convince the victim to click on a cleverly crafted link.

This may prove to be a simple task, since internauts might easily be fooled into thinking that the link points to a legitimate Google site.

Verma also warns that the attacker can hide his malicious intentions by adding fake tokens and parameters next to the redirection URL.

Here’s a small proof-of-concept. Simply paste it into your browser’s address bar and you will find that you are being redirected from the legitimate Google Books site and taken to Softpedia.com.

http://books.google.com/search?btnI&q=http://www.softpedia.com

Spammers and fraudsters would simply have to change the name of the site and they could dupe many individuals into thinking that there’s nothing malicious involved.
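The defensive side of the “unvalidated redirection” described above, as an added example that is not Google’s code or the researcher’s: a redirect parameter is only honoured when it is a same-site path or an absolute http(s) URL whose host is exactly on an allowlist, which also rejects the look-alike hosts and “fake tokens” tricks mentioned earlier. The allowed hosts and the `resolve_lucky_redirect` handler are assumptions made for this example.

```python
"""Redirect-target validation for a search handler that redirects to the
q= parameter. Constructed example, not Google's code; the allowlist is
an assumption made for illustration."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts a redirect parameter may point at (assumed for this example).
ALLOWED_HOSTS = {"books.google.com", "play.google.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a relative path on this site or an
    absolute http(s) URL whose host is exactly one of `allowed_hosts`."""
    if not target:
        return False
    # Browsers treat backslashes as slashes, so normalise first; otherwise
    # "/\evil.example" would pass the relative-path check below.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL: a single-slash path only, never "//evil.example".
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data: and other schemes
    # .hostname strips any "user@" prefix and the port and lower-cases,
    # so "books.google.com@evil.example" resolves to "evil.example" and
    # "books.google.com.evil.example" does not match the exact allowlist.
    host = parts.hostname or ""
    return host in allowed_hosts


def resolve_lucky_redirect(request_url: str) -> Optional[str]:
    """Model of an 'I'm feeling lucky' style handler: return the q=
    parameter as the Location target only if it validates, else None
    (the handler would then render a normal search page instead)."""
    query = parse_qs(urlsplit(request_url).query)
    q = query.get("q", [""])[0]
    return q if is_safe_redirect(q) else None
```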

In case you ever stumble upon such a link and you see a shady-looking website URL at the end, be sure to avoid clicking on it, since most likely you’ll end up on a pharmacy site or even worse.

For our readers who don’t remember Deepanker Verma, he is the security researcher who, along with Shadab Siddiqui, identified a number of security holes on Guruji, India’s number one search engine, and on Pinterest, the social media website whose popularity has grown considerably in the past period.

Indian hackers Codie root and Harsh Vardhan Boppana managed to hack into a sub-domain of Harvard and leaked all the users’ login details and the admin details of the website. According to the hackers, “The website was vulnerable to Sql Injection.” In the past they have also leaked many user databases of Stanford University.

Target website: http://steele.mgh.harvard.edu

UGNazi hackers, the ones who usually protest against the United States government by launching distributed denial-of-service (DDoS) attacks against major websites, changed their tactics. This time they breached the site of the Washington Military Department (mi.wa.gov).

From the website’s databases, the hackers leaked name servers, MX records, and the names and IP addresses of the subdomains used by the state of Washington.

Also, they leaked around 16 user account details, consisting of usernames and password hashes, including the ones of the site’s administrator.

“This is just a continuation of our attack against wa.gov, but other than that, like we said we’re not done with the government or anyone to be exact. We’re going to come after every dirtbag we can get our hands on. Freedom is a right not a privilege but the US government makes it seem like it’s a privilege that we have the ‘freedom’,” ThaCosmo told us.

“Well we’re going to make our own freedom and we’re just beginning. We are not here to make friends, but to make history. ‘All men are equal’ is the quote, our pitiful government comes by, but it seems like they believe they are above the average everyday human.”

UGNazi hackers became known after their involvement in the Dana White incident, when the UFC president revealed his support for the Stop Online Piracy Act (SOPA).

More recently, they kept themselves busy by taking down sites such as the ones of New York City, State of Columbia, NASDAQ, and many others.

After these operations, 4 of their members were arrested by authorities, but that didn’t discourage them from continuing their campaign. Right after their release, they launched an attack on the site of the US Department of Education (ed.gov) to show that they’re not giving up.

Hackers from Team Dig7tal gained unauthorized access to the systems of the University of New Brunswick by leveraging an SQL injection vulnerability. After they leaked some data, they sent emails to the institution’s staff to notify them of the breach.

“I did not take nor did I leak any of the student’s sensitive information. However, your site is terribly vulnerable and I suggest you patch it ADMIN. It’s your damn job! Information leaked is only to demonstrate how pathetic your security is,” Th1nkT0k3n said in the email he sent to the university.

“Also, I hope you have a great Monday Admin! Students and their parents give their hard earned money to this University and they should not have to worry about their sensitive information being leaked! Person in charge of your IT should be let go,” he added.

The leaked information the hacker is referring to consists of 234 database names, 68 table names from the budget_management database, and 96 records from the employers table. From the user table, the hacker leaked 159 password hashes and usernames.

The dump also contains some sensitive information, including the administrator’s username and password (in clear text), and 202 employer entries comprising email addresses, IDs, names, passwords and websites.

Th1nkT0k3n also published the exact location of the security hole he used to gain access to the systems of the University of New Brunswick.

Because the leak contains clear text passwords, we will not be providing a link.

Other sites hacked by the Team Dig7tal collective include the ones of the National Film Board of Canada, the University of Palermo, the University of Massachusetts and the Los Alamos National Laboratory.

The hackers usually try to raise awareness on the existence of vulnerabilities, but occasionally they leak some sensitive information to make their point.

The famous Pakistani singer Zaain Ul Abeedin recently found that his Facebook page was taken over by a cybercriminal. Authorities failed to help the celebrity so he turned to ethical hacker Himanshu Sharma, who in less than 24 hours managed to recover the account.

This is not the first time a celebrity’s social media account has been hijacked, but this time the hacker didn’t phish his credentials as in most of the other scenarios. Instead, the cybercrook relied on a zero-day vulnerability in Hotmail to gain access to his email account, from which he was able to reset the passwords.

According to Zaain, the ill-intended hacker who breached his social media account started urging his friends to Like another Facebook page, but didn’t cause any other damage.

It’s believed that, most likely, this was a case of sabotage ordered by the competition with the purpose of ruining Zaain’s reputation.

So how did he manage to regain his accounts?

Initially, the star went to Pakistani authorities to report the crime, but they couldn’t help him so they suggested that he contact the ethical hacker Ankit Fadia.

In the end, Zaain and his manager contacted another well-known ethical hacker, Himanshu Sharma. Only 18 years of age, Himanshu is already famous for finding security holes in the sites owned by Apple, Google, Microsoft and even Facebook.

The security expert not only managed to recover the Facebook account, but he was also able to track down the hacker’s location and phone number.

“It was a hard task; the hacker left almost no trace, but I was lucky enough to find a keylogger posted by him online which upon some reverse engineering took me to the hacker,” Himanshu said.

The attacker’s identity was not made public, but the point is that he was stopped before he could cause any serious damage.

Zaain made this story public because he felt that ethical hackers are not as appreciated as they should be.

On the other hand, we wanted to highlight once again that hackers are not all bad. White hats and ethical hackers are the ones that keep everything in balance, making sure that profit-driven cybercriminals can’t go too far with their wrongdoings.


1700+ Sites Hacked By 3xp1r3 Cyber Army!

The Bangladeshi underground hacking team “3xp1r3 Cyber Army” hacked 1700+ Indian websites with a single click from an Indian server on 24/04/2012 to protest against BSF brutality.
They said on their deface page, “This war ‘ll never end. It’s will be continued until BSF (Indian Border Defense Force) stop killing Bangladeshi people on Bangladesh-India Border!”

The hacks were announced on April 24 on their official Facebook group (http://www.facebook.com/groups/3xp1r3/) and through a list posted to Pastebin (http://pastebin.com/M58j1E2F).

3xp1r3 Media also said that the mass defacement was carried out using their own mass defacement tool, named ‘3xp1r3 AK 47’.

“3xp1r3 AK 47” is a script-based tool, the most powerful invented by 3xp1r3, and we are using many other personal tools like it to continue.

After announcing a cyber war between Bangladesh and India, 3xp1r3 hacked about 10,000+ Indian websites.

Complete list of websites: http://pastebin.com/M58j1E2F

Hack google

In an effort to cut down on hacking, bugs, and vulnerabilities, Google offers dollar rewards for people to hack into its Web services.

The Internet giant began swapping security research for cash over the past couple of years, but today it announced that it was upping the ante.

“In just over a year, the program paid out around $460,000 to roughly 200 individuals,” Google security team members Adam Mein and Michal Zalewski wrote in a blog post. “We’re confident beyond any doubt the program has made Google users safer.”

As of today, hackers can get up to $20,000 for “qualifying vulnerabilities,” $10,000 for SQL injection and certain kinds of information disclosure, authentication, and authorization bypass bugs, and around $3,000 for XSS, XSRF, and other high-impact flaws in sensitive applications. Before now, Google’s highest payout was $3,133.70, according to Forbes.

Many Google products are susceptible to attacks that could potentially tap into users’ private information. Take Google Wallet — vulnerabilities could lead hackers to access users’ funds via prepaid card information. Mein and Zalewski say higher rewards will be paid for finding flaws in services where there is higher risk to user data, such as Google Wallet.

Since the Web company launched its Vulnerability Reward Program in November 2010, it has received more than “780 qualifying vulnerability reports that span across the hundreds of Google-developed services,” according to the blog post.

The program was devised to recruit external researchers to find system bugs and flaws. Newly acquired companies and Google client applications, such as Android, Picasa, and Google Desktop, are not included in the rewards program.

The University of the Philippines has denounced last week’s defacing of its website but assured the public that no sensitive data was damaged or compromised.

In a statement, the state university on Monday apologized to the public for the inaccessibility of the UP System website on Friday.

The cyber attack, which left a map of China on the main page with the words “We are from China! Huangyan Island is ours!,” was launched amid the ongoing standoff over the Panatag Shoal between the Philippines and China.

In a statement, UP president Alfredo Pascual said the cyber attack deprived the public of vital information especially related to the recent UP commencement exercises.

But he assured the public that no private data, such as constituents’ data from the UP Webmail, the computerized registration system, etc., was compromised.

Various UP departments worked until Saturday to restore the website.

According to a report by the University Computer Center, the hacker struck at 2:20 a.m. and uploaded the “unwarranted content.”

The UCC team discovered the hacking at 4:50 a.m. and immediately acted by closing all access to the web server.

“The UCC has already made adjustments to the restored site to prevent a similar incident from happening again, details of which we opt not to divulge for security reasons,” Pascual said.

The top UP official said they were able to trace the IP address of the hacker to a specific country but he declined to identify it.

Pascual explained that the IP address might have been masked to appear as if someone was working from that location, or someone compromised a machine to deface the website.

He also cited news reports of hackers claiming to be from the Philippines who defaced the websites of several institutions in China.

The actions were supposedly in retaliation for the hacking of the UP System website.

Pascual appealed to the public to “avoid jumping to conclusions and taking actions that could further inflame the people’s sentiments.”

“Hacking selected websites in the suspected country of the hacker or hackers does not objectively articulate any political issue and only subjectively fulfills a personal desire to ‘get even,’” he said.

He added that hacking other websites achieved nothing but unproductive counter-actions.

Apple customers from the United Kingdom and Australia are being targeted with a cleverly designed phishing scheme that tries to dupe them into handing over sensitive information as part of an Apple Discount Card purchase process.

The scam is not new. We’ve seen it at the beginning of April but, at the time, reports only mentioned Australia. Now, according to Symantec, internauts from the UK are also targeted.

So let’s take a look again at how the scam works.

First, the user is presented with a My Apple ID site that tries to replicate the genuine website. Here, the unsuspecting victim is requested to provide his/her Apple ID.

In the next phase of the scam, Apple customers are presented with a form in which they have to fill in their name, address, date of birth, driver’s license, credit card number, card expiration date, and the Verified by MasterCard password.

Apparently, by completing this process, the user receives a discount card that’s worth 100 Australian dollars or 100 British pounds, depending on the victim’s location.

Because this particular plot seems to be enhanced to target more and more individuals from different parts of the world, we will take this opportunity to remind everyone to be careful when providing sensitive information online.

In this case, the site may look much like the original Apple website, but the domain it’s hosted on is clearly one that doesn’t belong to Apple. Always remember that apple.com is not the same thing as apple.maliciousdomain.com.

Also, when making payments, check to ensure that the site you are on utilizes a secure connection represented by the small padlock icon or by the HTTPS string in the browser’s address bar.

Finally, be sure to keep your antivirus solution permanently updated. Security firms do a decent job in flagging malicious sites, saving you the hassle of checking for yourself if the site is genuine or not.

The patch batch is even larger than the last one

Posted: 17th April 2012 by CyberLeaks in Uncategorized

Oracle is planning to release 88 patches on Tuesday, covering vulnerabilities affecting a wide array of its products, according to a pre-release announcement posted to its website on Thursday.

Tuesday’s scheduled patch release is larger than Oracle’s last quarterly critical patch update in January, when it released 78 fixes.

China has taken down more than 210,000 online posts and closed 42 websites since mid-March as part of a crackdown on Internet rumours, which authorities claim represent a danger to society, officials said Thursday.

The Chinese government strictly censors any sensitive or anti-government content. But the political chatter online has grown in recent weeks because of a controversy surrounding a top official, Bo Xilai, who has seen his career plummet and is now linked with an investigation of alleged homicide of a British businessman.