
Monday, April 4, 2016

Microsoft Pays $13,000 to Hacker for Finding Authentication Flaw



A security researcher has won a $13,000 bounty from Microsoft for finding a critical flaw in its main authentication system that could allow hackers to gain access to a user's Outlook, Azure and Office accounts.

The vulnerability has been uncovered by UK-based security consultant Jack Whitton and is similar to Microsoft's OAuth CSRF (Cross-Site Request Forgery) in Live.com discovered by Synack security researcher Wesley Wineberg.

The main (and only) difference between the two vulnerabilities is that the flaw discovered by Wineberg affected Microsoft's OAuth protection mechanism, while the one discovered by Whitton affected Microsoft's main authentication system.

Microsoft handles authentication across its online services including Outlook, Azure and Office through requests made to login.live.com, login.windows.net, and login.microsoftonline.com.

Now, for example, if a user browses to outlook.office.com, he or she is redirected to a login.microsoftonline.com URL that contains a 'wreply' parameter specifying which domain the user wants to access.

How Does the Vulnerability Work?


If the user is already logged in, a POST request is made back to the domain specified in wreply, with a value containing a login token for the user. The service the user wants to authenticate on consumes that token and logs the user in.

Whitton discovered that the authentication URL is vulnerable to cross-site request forgery (CSRF) attacks, allowing a malicious actor to create a specially crafted URL, which, when accessed by an authenticated user, would send the login token to a server controlled by the attacker.

The legitimate URL looks like this:

https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4&wreply=https%3a%2f%2foutlook.office.com%2fowa%2f&id=260563

And the attacker could set the redirect to this:

https%3a%2f%2foutlook.office.com%252f@poc-ssl.fin1te.net%2fmicrosoft%2f%3f

The expert found that this would cause the login token to be sent to the attacker's website, which in this case is poc-ssl.fin1te.net. Using the token, the attacker could have gained complete access to the targeted user's account.

"The token is only valid for the service that issued it – an Outlook token can not be used for Azure, for example," Whitton noted in his blog post. "But it would be simple enough to create multiple hidden iframes, each with the login URL set to a different service, and harvest tokens that way."

The good news is that Microsoft patched the vulnerability within two days after Whitton reported it to the company on January 24. The company also paid out $13,000 to the researcher as part of its bug bounty program.
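The two wreply values above show why a "does the redirect start with our domain?" check is not enough. The following is an added example (not code from the post, from Whitton, or from Microsoft) that feeds both values through a naive prefix check and through a check that parses the decoded URL and compares the actual hostname against an allowlist. The allowlist, the naive check and the helper names are assumptions made for the illustration; the URLs are the ones quoted above.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the set of relying-party hosts a login endpoint is willing to
# POST a token back to. Microsoft's real allowlist is not shown on the page.
ALLOWED_REPLY_HOSTS = {"outlook.office.com"}

# Both URLs come from the write-up above: the legitimate login URL, and the
# same URL with the attacker-chosen wreply value substituted in.
LEGIT_LOGIN_URL = (
    "https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4"
    "&wreply=https%3a%2f%2foutlook.office.com%2fowa%2f&id=260563"
)
ATTACK_LOGIN_URL = (
    "https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4"
    "&wreply=https%3a%2f%2foutlook.office.com%252f@poc-ssl.fin1te.net%2fmicrosoft%2f%3f&id=260563"
)


def extract_wreply(login_url: str) -> str:
    """Pull the wreply parameter out of the login URL, percent-decoded once
    (which is what any query-string parser does)."""
    query = urlsplit(login_url).query
    return parse_qs(query)["wreply"][0]


def naive_prefix_check(wreply: str) -> bool:
    """The kind of check the bug suggests was in place: does the decoded value
    merely *start with* the expected origin? (Constructed for illustration.)"""
    return wreply.startswith("https://outlook.office.com")


def strict_host_check(wreply: str) -> bool:
    """Parse the decoded value as a URL and compare the *parsed hostname* with
    the allowlist; reject userinfo ('@'), non-https schemes and explicit ports."""
    parts = urlsplit(wreply)
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc:          # 'outlook.office.com%2f@poc-ssl...' lands here
        return False
    if parts.port is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_REPLY_HOSTS


def evaluate(login_url: str) -> dict:
    """Summarise how each check treats the wreply carried by a login URL."""
    wreply = extract_wreply(login_url)
    return {
        "decoded_wreply": wreply,
        "host_seen_by_browser": urlsplit(wreply).hostname,
        "naive_check_passes": naive_prefix_check(wreply),
        "strict_check_passes": strict_host_check(wreply),
    }


if __name__ == "__main__":
    for name, url in (("legit", LEGIT_LOGIN_URL), ("attack", ATTACK_LOGIN_URL)):
        print(name, evaluate(url))
```

After one round of decoding, the attacker's value reads `https://outlook.office.com%2f@poc-ssl.fin1te.net/microsoft/?`: everything before the `@` is URL userinfo, so the browser connects to poc-ssl.fin1te.net while a prefix comparison still sees "outlook.office.com". Comparing the parsed hostname, and refusing userinfo outright, closes that gap.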

Tuesday, January 12, 2016

Bug in NVIDIA GPU reveals all your browsing history even in Chrome Incognito mode

So far we have all found solace in the fact that Chrome Incognito mode and Firefox Private Browsing exist to allow us to keep our intimate encounters (read: porn history) to ourselves. However, what came to the rescue while gaming could be putting us in trouble in this regard.
An Nvidia-based bug has been plaguing PCs for years, and it can expose your private browsing history to everyone.
So what happened was that a Diablo 3 fan, while loading the game, saw that images from his Chrome Incognito session were being displayed on the screen. Technically, those details should not even be easily accessible on the device, let alone displayed openly.
The guy, whose name is Evan Anderson, took to Google and even submitted a bug report. On his blog he explained exactly how this happens:
GPU memory is not erased before giving it to an application. This allows the contents of one application to leak into another. When the Chrome incognito window was closed, its framebuffer was added to the pool of free GPU memory, but it was not erased. When Diablo requested a framebuffer of its own, Nvidia offered up the one previously used by Chrome. Since it wasn’t erased, it still contained the previous contents. Since Diablo doesn’t clear the buffer itself (as it should), the old incognito window was put on the screen again.
Sadly, Google says that Chrome Incognito mode does not guarantee that your private browsing data will stay private on a shared computer.
The bug is related to Nvidia, and until it gets fixed, if you are using their GPU, you could be next.
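Anderson's explanation is a textbook case of a memory pool recycling buffers without scrubbing them, and of two places the leak could have been stopped. The following is an added example (not Anderson's code, and not Nvidia's driver) that models a driver-side framebuffer pool: one application writes into a buffer and releases it, the next application receives the same buffer, and the "first bytes it sees" are returned. The pool class, the `scrub_on_free` and `clear_on_acquire` switches and the sample pixel data are all constructed for the illustration.

```python
class FramebufferPool:
    """Toy model of a driver-side pool of GPU buffers (an assumption made for
    illustration; this is not Nvidia's allocator)."""

    def __init__(self, scrub_on_free: bool):
        self.scrub_on_free = scrub_on_free
        self._free = []            # released buffers waiting to be handed out again

    def alloc(self, size: int) -> bytearray:
        # Reuse a released buffer of the right size if one exists: exactly the
        # situation described above, where Diablo gets the buffer Chrome gave back.
        for i, buf in enumerate(self._free):
            if len(buf) == size:
                return self._free.pop(i)
        return bytearray(size)     # fresh memory, already zeroed

    def free(self, buf: bytearray) -> None:
        if self.scrub_on_free:
            buf[:] = bytes(len(buf))   # erase before the buffer becomes reusable
        self._free.append(buf)


def render_incognito_then_game(scrub_on_free: bool, clear_on_acquire: bool) -> bytes:
    """Simulate: the browser draws into a framebuffer and closes, then the game
    requests a framebuffer. Returns the first bytes the game sees in its buffer."""
    pool = FramebufferPool(scrub_on_free)
    secret_frame = b"INCOGNITO PAGE"         # constructed stand-in for pixel data

    browser_fb = pool.alloc(64)
    browser_fb[: len(secret_frame)] = secret_frame
    pool.free(browser_fb)                    # incognito window closed

    game_fb = pool.alloc(64)                 # the pool hands back the same memory
    if clear_on_acquire:
        game_fb[:] = bytes(len(game_fb))     # what Anderson says the game "should" do
    return bytes(game_fb[: len(secret_frame)])


if __name__ == "__main__":
    print("no scrubbing anywhere :", render_incognito_then_game(False, False))
    print("driver scrubs on free :", render_incognito_then_game(True, False))
    print("app clears on acquire :", render_incognito_then_game(False, True))
```

Either side can stop the leak: the driver by scrubbing on release (or on allocation), the application by clearing what it is given before drawing. Relying on the other party is what put the old window back on screen.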

'Ridiculous' antivirus flaw made Windows PCs vulnerable to attack

A design flaw in Trend Micro Security antivirus allowed a Windows PC to be remotely hijacked, infected with malware, wiped clean and have its stored passwords stolen -- even if they were encrypted -- thanks to a critical vulnerability in the Trend Micro Security software. Trend Micro has now issued a security patch for the flaw, which was in the password manager component of the antivirus package. Users should update the software as soon as possible.
Tavis Ormandy of Google Project Zero -- a team of security researchers whose mission is to track down and resolve security holes in the world's software -- discovered the design flaw: a remote code execution vulnerability in the Trend Micro Antivirus Password Manager component that lets hackers steal users' passwords. In short, once compromised, all your account passwords are gone. Ormandy posted his findings to the Google Security Research blog, urging that Trend Micro "should be paging people to get this fixed."
"I don't even know what to say -- how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" Ormandy wrote in one of a series of emails -- repeated on the blog -- to Trend Micro after finding the vulnerability. "You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."
One of Ormandy's findings was that any webpage could run commands directly on PCs that had the flawed software installed. Such commands include wiping the computer, downloading and installing malware onto it, and uninstalling the Trend Micro antivirus software.
Digging further into the Trend Micro Password Manager, Ormandy discovered that a malicious script could steal all passwords stored in the browser, even if they were encrypted. Ormandy warned Trend Micro that it needed to hire a cybersecurity professional. 
"This means anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction," Ormandy wrote in another email to Trend Micro. "In my opinion, you should temporarily disable this feature for users, then hire an external consultancy to audit the code." 
"The worst thing you can do is leave users exposed while you clean this thing up," he continued.
Google's Project Zero gives companies 90 days to fix problems before releasing its findings to the public. Trend Micro patched up the vulnerability within a week. A new version of the antivirus software is now available. 
Trend Micro published a blog about the vulnerability after it had released the mandatory update. 
"The most important thing to know is that the critical vulnerabilities in the public report have been fixed for all Trend Micro Password Manager customers," Christopher Budd, global threat communications at Trend Micro, wrote in the post. "We responded quickly to the initial report and worked with Tavis throughout the process to understand the issue and address them. Thanks to his responsible work with us, we were able to address the most critical issues he brought us in less than one week. We are not aware of any active attacks against these vulnerabilities in that time."
Ormandy has previously exposed vulnerabilities in security products from AVG, Kaspersky Lab, FireEye and Sophos.

Wednesday, January 6, 2016

Facebook bug welcomes new year by telling users they have been friends for 46 years


As the world was celebrating New Year, Facebook seemed to be having its own celebrations. A bug in Facebook was telling users that they’ve been friends for 46 years.

It is silly to think that Facebook remembers who you were friends with 46 years ago, because Facebook wasn't around in 1969. In fact, millions of FB users were not even born then, when computers were used only for military purposes.

The date Dec. 31, 1969 carries special significance for computer software, according to the Daily Dot: it is the first date that appears in the time-tracking scheme used by Unix computer systems, which counts from a starting point called the Unix epoch. Although not confirmed by Facebook, many are suggesting the bug originates with the Unix epoch.
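The "46 years" figure is what you get when a missing start date is silently treated as timestamp 0 and then displayed in a US time zone, where 0 seconds after the epoch is the evening of Dec. 31, 1969. The following is an added example (not Facebook's code; the record layout, the helper names and the fixed UTC-8 offset are constructed for the illustration) that reproduces the banner from a friendship record with no start date, and shows the fix of treating a missing date as unknown instead of as the epoch.

```python
from datetime import datetime, timedelta, timezone

# Constructed: a fixed UTC-8 offset stands in for a US west-coast viewer.
WEST_COAST = timezone(timedelta(hours=-8))


def friends_since_buggy(record: dict) -> datetime:
    """A missing or null 'friends_since' silently becomes timestamp 0."""
    ts = record.get("friends_since") or 0
    return datetime.fromtimestamp(ts, WEST_COAST)


def friends_since_fixed(record: dict):
    """Treat a missing start date as unknown instead of as the epoch."""
    ts = record.get("friends_since")
    return datetime.fromtimestamp(ts, WEST_COAST) if ts else None


def whole_years_between(start: datetime, now: datetime) -> int:
    """Completed years from start to now (anniversary-aware)."""
    years = now.year - start.year
    if (now.month, now.day) < (start.month, start.day):
        years -= 1
    return years


def friendship_banner(record: dict, now: datetime, fixed: bool = False) -> str:
    """Build the 'friends for N years' text with either the buggy or the fixed lookup."""
    start = friends_since_fixed(record) if fixed else friends_since_buggy(record)
    if start is None:
        return "friends for an unknown time"
    return f"friends for {whole_years_between(start, now)} years since {start.date()}"


NEW_YEAR_2016 = datetime(2016, 1, 1, tzinfo=WEST_COAST)
BROKEN_RECORD = {"user": "alice", "friend": "bob"}   # constructed: no start date at all

if __name__ == "__main__":
    print(friendship_banner(BROKEN_RECORD, NEW_YEAR_2016))              # the bug
    print(friendship_banner(BROKEN_RECORD, NEW_YEAR_2016, fixed=True))  # the fix
```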

Facebook said in a statement that the company is working to address the issue. “We’ve identified this bug and the team’s fixing it now so everyone can ring in 2016 feeling young again,” said Facebook spokesperson Chelsea Kohler in an email.

Users were quick to pounce on Facebook for this glitch, as can be seen from the tweets below:

Tuesday, December 29, 2015

AVG's Chrome extension exposes personal data of 9 million users



According to Ormandy’s report, the Chrome extension, dubbed AVG Web TuneUp and carrying the extension id chfdnecihphmhljaaejmgoiahnihplgn, is force-installed on end-user systems along with the AVG AntiVirus application. The extension adds a series of vulnerabilities to the browser, putting its more than 9 million users at risk.

The extension, which has over 9 million active users, contains a serious flaw that exposes users'
  • Browsing history
  • Cookies
  • Personal data
to attackers.

“This extension adds numerous JavaScript API's to chrome, apparently so that they can hijack search settings and the new tab page,” wrote Ormandy in the bug report. “The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.”

Among the vulnerabilities that AVG Web TuneUp brings along, the researcher mentions a “trivial universal” XSS (Cross-Site Scripting) in the "navigate" API, which could allow websites to execute scripts in the context of any other domains. According to Ormandy, a website could read emails from mail.google.com and perform other actions as well because of this high-severity flaw.

Ormandy was involved in the discovery of vulnerabilities in Kaspersky's anti-virus product in September and a critical vulnerability in FireEye network security devices earlier this month.

Ormandy wrote in a follow-up response to the bug report Monday, “I believe this issue is resolved now, but inline installations are disabled while the CWS team investigate possible policy violations.”

Wednesday, December 23, 2015

Now Crash Anyone's WhatsApp Just By Sending Smileys

According to security researcher Indrajeet Bhuyan, there is a simple way to crash the popular instant messaging app WhatsApp: just send an insane number of smileys. This serious WhatsApp flaw can crash the mobile app as well as WhatsApp Web.
In his discovery, Bhuyan found that by sending about 4,000 smileys to a target, the WhatsApp app starts to slow down and crashes due to a “buffer overflow”. This flaw affects both the desktop and mobile apps.

How does the WhatsApp smiley bug work?

“In WhatsApp Web, WhatsApp allows 65500-6600 characters, but after typing about 4200-4400 smileys the browser starts to slow down. But since the limit is not yet reached, WhatsApp allows you to go on inserting… when it receives it, it overflows the buffer and it crashes.”
“…so it crashes while we type and send, and on mobile too, when it receives it, it overflows the buffer and it crashes,” Bhuyan explains.
This WhatsApp smiley bug affects Firefox, Opera, and Chrome PC browsers, along with iPhone and multiple versions of Android OS.

Video demonstration of WhatsApp smiley bug:

Here’s the video demonstration of the bug showing how the attack crashes WhatsApp:


Here’s how to protect yourself from the WhatsApp smiley flaw

Bhuyan has reported the smiley bug to WhatsApp. “This can also be used to do a Denial of service in the browser and it freezes the browser and gives a ‘not responding’ error,” he adds.
Till the issue is fixed, here’s a simple way to save yourself from the attack.
Once you receive this smiley-flooded message from someone, you’ll have to open the messenger and delete the entire chat with the attacker.
Bhuyan is the same researcher who reported a very popular WhatsApp crash bug last year, which required a 2000-word (2kb) message in a special character set to remotely crash the WhatsApp messenger app.

Friday, November 27, 2015

Vulnerability Discovered That Exposes Real IP-Addresses Of "Vpn Users"


We live in a world where everything we say, everything we do, everyone we talk to, everything we watch on the internet, every expression of creativity, or love, or friendship is recorded. We can be tracked by many different organizations.
Simply visiting a website can allow its operators to figure out your general physical location, identify details about your device, and install advertising cookies that track your movements around the Web.

So we often use a VPN to hide our IP address while surfing the internet: to maintain online anonymity, to access geo-restricted content, to bypass government censorship, or for torrent downloading (in some countries).

But a newly discovered vulnerability can reveal the real IP addresses of VPN users with relative ease. The issue, which affects all VPN protocols and operating systems, was uncovered by "Perfect Privacy", who alerted the affected VPN providers to the threat before making it public.

Over the past several years, interest in encrypted and anonymous communications has spread to a far wider audience. VPN providers are particularly popular among BitTorrent users, who by default broadcast their IP addresses to many peers while downloading a file.

The goal of a VPN is to protect one’s ISP-assigned IP address, but a freshly discovered vulnerability shows that this can be bypassed on some providers.

The problem, uncovered by VPN provider Perfect Privacy, is a port forwarding trick. If an attacker uses the same VPN as the victim, the victim's real IP address is exposed by forwarding traffic on a particular port.

The security flaw affects all VPN protocols, including OpenVPN and IPSec, and applies to all operating systems.

“Affected are VPN providers that provide port forwarding and don't have any protection against this specific attack,” Perfect Privacy notes.

For example, if an attacker activates port forwarding for the default BitTorrent port, then a VPN user on the same network can have his or her real IP address exposed.

The same is true for normal internet traffic, however in this case the attacker needs to direct the victim to a page that connects to the forwarded port, as Perfect Privacy explains it.

The vulnerability affected many VPN providers, who were warned last week. This includes Private Internet Access (PIA), Ovpn.to and nVPN, who have all fixed the problem before public disclosure.

PIA’s Amir Malik said that their fix was comparatively easy and was implemented swiftly once they were notified.

“We enforced firewall rules at our VPN server level to block access to forwarded ports from clients’ real IP addresses. The fix was deployed on all our servers within twelve hours of the initial report,” Malik said.
In addition, PIA complimented Perfect Privacy for responsibly revealing the vulnerability before disclosing it publicly, and awarded its competitor a $5,000 bounty under its Whitehat Alert Security Program.
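The rule PIA describes is easy to state as a packet-filter decision: on the VPN server, a packet for a forwarded port is dropped if its source address is the real address of any client currently connected to that server. The following is an added example (not PIA's or Perfect Privacy's code) that models that decision for a constructed server state with an attacker and a victim sharing the server; the client records, the port number and the helper names are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnClient:
    name: str
    real_ip: str     # ISP-assigned address the VPN is supposed to hide
    tunnel_ip: str   # address held inside the VPN


# Constructed sample state on one VPN server: both parties share the server.
CONNECTED = (
    VpnClient("attacker", real_ip="198.51.100.7", tunnel_ip="10.8.0.2"),
    VpnClient("victim",   real_ip="203.0.113.42", tunnel_ip="10.8.0.3"),
)
# Port forwarding table: external port -> client that requested it.
# 6881 is a constructed choice, a port commonly used by BitTorrent clients.
FORWARDED_PORTS = {6881: "attacker"}


def server_decision(src_ip: str, dst_port: int, protect: bool) -> str:
    """Decide what the VPN server does with an inbound packet for a forwarded port.
    `protect` models the rule PIA describes: block forwarded ports for the real
    addresses of currently connected clients."""
    owner = FORWARDED_PORTS.get(dst_port)
    if owner is None:
        return "DROP (port not forwarded)"
    if protect and any(c.real_ip == src_ip for c in CONNECTED):
        return "DROP (source is a connected client's real address)"
    return f"FORWARD to {owner} (source {src_ip} is now visible to {owner})"


def victim_connects_to_forwarded_port(protect: bool) -> str:
    """The victim is steered into connecting to the server's forwarded port; the
    connection arrives carrying the victim's real address, as described above."""
    victim = next(c for c in CONNECTED if c.name == "victim")
    return server_decision(victim.real_ip, 6881, protect)


if __name__ == "__main__":
    print("unprotected:", victim_connects_to_forwarded_port(protect=False))
    print("protected  :", victim_connects_to_forwarded_port(protect=True))
    # An ordinary outside peer is unaffected by the rule.
    print("outside peer:", server_decision("192.0.2.9", 6881, protect=True))
```

The third call shows that the rule does not break port forwarding for its intended purpose: peers that are not connected clients of the server still reach the forwarded port.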

Thursday, November 19, 2015

Mark Zuckerberg Quits His Job At Facebook, All Due To A Facebook Bug

Mark Zuckerberg quits his job at Facebook. Finding it hard to believe? Check his Facebook post yourself: Mark Zuckerberg Quits His Job.
Okay, now that you’ve seen his post – and you are surprised and shocked, searching for more proof on Google – let me tell you that it’s all due to a bug in Facebook. Yes, you’ve been misled.
Well, this couldn’t be called a real bug, as there is no technicality involved. However, independent hacker Sachin Thakuri, who outlined the issue, has uncovered a flaw that is enough to fool people into believing fake news.
So, how did he fake this Facebook post?
Here’s the URL of Mark Zuckerberg’s original life event:
https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&hash=971179541251&pagefilter=3&ustart=1&__mref=message_bubble
Look at the URL carefully and remove the ustart=1 parameter; that parameter is what selects the work status the post displays.
Take a look at the changed and misleading Facebook post without the ustart=1 parameter:
https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&hash=971179541251&pagefilter=3&&__mref=message_bubble
As I mentioned above, this isn’t a technical flaw, but it must be fixed, as it could easily be used for notorious purposes. “…although on a client side the post is coming from a valid user and there is no way to figure out that the post has been manipulated and has not been posted by a user,” Sachin writes.
He has reported the bug to the Facebook security team, but Facebook hasn’t fixed this yet.

Wednesday, October 21, 2015

Flaws in Western Digital self-encrypting external hard disk drives could expose user data

Security researchers Gunnar Alendal, Christian Kison and "modg" examined the workings of WD self-encrypting external hard disks and discovered design flaws that allow them to decrypt the data without the user's password. The researchers also found that the flaws allow them to crack the user password with a brute-force attack.
The researchers found the design flaws by looking at the microchip used to encrypt the user's data.
In some cases, the researchers found that the encryption is performed by the chip that bridges the USB and SATA interfaces. In other cases the encryption is done by the HDD's own SATA controller, with the USB bridge handling only the password validation.
The researchers examined WD external drive models with six different USB bridges from JMicron Technology, Symwave, Initio and PLX Technology. Because the setup differs between chips, the security issues they discovered varied from device to device depending on the implementation, the researchers said in a recently released paper.

How WD encryption works

The way encryption works in these drives is that a user-selected password is used to create a key encryption key (KEK). This is a cryptographic hash of the password generated with the SHA256 function.
The KEK is then used to encrypt a separately generated data encryption key (DEK). This encrypted version of the DEK, known as the eDEK, is stored in the USB bridge's EEPROM, in a hidden sector on the hard disk itself, or in a special disk region called the service area.
The eDEK is decrypted when the user enters the correct password in the drive's software running on the host computer, and the resulting DEK is then used by the chip to perform the encryption and decryption operations on the fly.

Here's the flaw

For four of the tested USB bridges the researchers found methods of extracting the eDEK, allowing offline brute-force attacks to guess the KEK and subsequently recover the DEK.
According to the researchers, all WD drives use a hardcoded salt -- a unique string that gets combined with the user-supplied password before hashing, for added complexity -- and a fixed iteration count for the hashing itself.

Attackers could use large collections of common passwords to pre-compute their corresponding KEKs. These could then be used to try to decrypt the extracted eDEKs and ultimately the data stored on the drives. But in some cases an attacker need not resort to brute-force password guessing at all, because the researchers also found authentication flaws in WD external hard drives that gave them backdoor access to the encrypted data.
Of the six chips, one stores the KEK in plain text in its EEPROM, making its recovery easy. In another chip, the KEK was stored in encrypted form, but it was encrypted with a hardcoded key that can also be extracted. For a third chip the KEK can be extracted from RAM using a vendor-specific command.
For one JMicron chip, the researchers managed to use a commercial data recovery tool to delete some bits from a drive's service area, completely unlocking the drive's data. This compromises the encryption without the need to recover any password or KEK.
The firmware update process on the tested hard drives does not use cryptographic signature verification and can therefore be hijacked. This could allow attackers to implant malware inside the firmware to infect host computers or to add cryptographic backdoors. There is no easy way to recover from such firmware modifications, the researchers said.
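The design lesson in the hardcoded salt is that a table of KEKs for common passwords, computed once, works against every drive, whereas a per-device salt forces the work to be redone for each drive. The following is an added example (not the researchers' code and not WD's firmware) that models the KEK/eDEK scheme described above with a toy key derivation and a toy key wrap, then checks one precomputed table against two drives: one with the hardcoded salt and one with a per-device salt. The derivation (iterated SHA-256 over salt||password), the XOR-plus-tag wrap, the salt values, the iteration count, the password list and the DEK are all constructed assumptions; WD's exact construction is not on the page.

```python
import hashlib

# Stand-ins for the two weaknesses described above. Neither value is WD's;
# they are constructed so that the example is deterministic.
HARDCODED_SALT = b"constructed-fixed-salt"
FIXED_ITERATIONS = 2000


def derive_kek(password: str, salt: bytes, iterations: int = FIXED_ITERATIONS) -> bytes:
    """Toy KDF: iterated SHA-256 over salt||password (an assumption, not WD's
    exact construction; the page only says SHA-256 with a fixed iteration count)."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def wrap_dek(dek: bytes, kek: bytes) -> bytes:
    """Toy eDEK: XOR the DEK with a KEK-derived keystream and append a short
    check tag so an unwrap attempt can tell a right KEK from a wrong one."""
    stream = hashlib.sha256(b"wrap" + kek).digest()
    body = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hashlib.sha256(b"tag" + dek).digest()[:4]
    return body + tag


def unwrap_dek(edek: bytes, kek: bytes):
    """Reverse of wrap_dek; returns None when the check tag does not match."""
    body, tag = edek[:-4], edek[-4:]
    stream = hashlib.sha256(b"wrap" + kek).digest()
    dek = bytes(a ^ b for a, b in zip(body, stream))
    return dek if hashlib.sha256(b"tag" + dek).digest()[:4] == tag else None


COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "hunter2"]  # constructed


def precompute_kek_table(salt: bytes) -> dict:
    """With a hardcoded salt this table is computed once and reused for every drive."""
    return {derive_kek(pw, salt): pw for pw in COMMON_PASSWORDS}


def try_table(edek: bytes, table: dict):
    """Offline check of an extracted eDEK against a precomputed KEK table."""
    for kek, pw in table.items():
        dek = unwrap_dek(edek, kek)
        if dek is not None:
            return pw, dek
    return None


SAMPLE_DEK = bytes(range(32))      # constructed: a fixed 32-byte DEK
USER_PASSWORD = "letmein"          # constructed: a weak, dictionary password


def demo() -> dict:
    table = precompute_kek_table(HARDCODED_SALT)

    # Drive A: hardcoded salt, as in the report. The table built once hits.
    edek_a = wrap_dek(SAMPLE_DEK, derive_kek(USER_PASSWORD, HARDCODED_SALT))
    hit_a = try_table(edek_a, table)

    # Drive B: same weak password, but a per-device salt (constructed value).
    # The precomputed table is useless; the work has to be repeated per drive.
    per_device_salt = b"device-0001-unique-salt"
    edek_b = wrap_dek(SAMPLE_DEK, derive_kek(USER_PASSWORD, per_device_salt))
    hit_b = try_table(edek_b, table)

    return {"fixed_salt_recovered": hit_a, "per_device_salt_recovered": hit_b}


if __name__ == "__main__":
    print(demo())
```

A per-device salt does not make a weak password strong, but it removes the amortisation: the table cannot be built ahead of time and shared across drives, and a high, per-drive tunable iteration count then makes each attempt expensive.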

Sunday, October 11, 2015

Just say no to Facebook's free Internet service "Internet.org", says the inventor of the World Wide Web


‘Just Say No’ to Internet.org, says Tim Berners-Lee, founder of the World Wide Web

Attacking Facebook’s initiative known as Free Basics (formerly Internet.org), the English scientist Tim Berners-Lee, widely known as the inventor of the World Wide Web, said that consumers should say no to such initiatives. The initiative by Facebook aims at offering a limited set of websites and apps free of charge to users in developing countries. Berners-Lee added that if something is being offered in the name of the Internet that is not the full Internet, then it’s not really free and public.
In an interview with The Guardian, Berners-Lee said people in prominent markets should “just say no” to the project. Speaking about the importance of privacy and the dangers of government snooping, he added that the initiative was not the internet and that there were other ways of reducing the price of access.
“When it comes to compromising on net neutrality, I tend to say ‘just say no’,” he said.
According to The Guardian, Berners-Lee and the Web We Want festival came together to produce a Magna Carta for the 21st century on the 800th anniversary of the signing of Magna Carta. The Web We Want campaign is promoting five key principles for the future of the Web: freedom of expression online and offline, protection of user data and privacy, affordable access to the net, net neutrality, and a decentralised and open infrastructure.
“In the particular case of somebody who’s offering … something which is branded internet, it’s not internet, then you just say no. No it isn’t free, no it isn’t in the public domain, there are other ways of reducing the price of internet connectivity and giving something … (only) giving people data connectivity to part of the network deliberately, I think is a step backwards.”

Friday, October 9, 2015

Vulnerability in Netgear router allows attacker to gain access to admin page without credentials

Shellshock Labs researchers identified a vulnerability in Netgear routers that allowed them to access the router's admin page without entering credentials.

The researchers discovered the vulnerability in Netgear router firmware N300_1.1.0.31_1.0.1.img and N300-1.1.0.28_1.0.1.img.

The vulnerability allows an attacker to gain complete access to the admin page and settings. Further, the attacker could carry out:

• Man-in-the-middle attacks
• Manipulation of browser requests
• Reconfiguration of DNS settings
• Traffic redirection
• Even a downgrade of SSL to intercept and monitor HTTPS traffic

Here's how the attack works

The attacker can exploit the router by reaching the web management interface, which is accessible by default from the internal network. With remote administration enabled, the attacker only has to be connected to the Internet: calling a particular URL numerous times after initially failing to authenticate against the router eventually grants access to the administration interface without any prompt for credentials.

This vulnerability had already been reported to Netgear by Daniel Haake of Compass in July. According to Daniel, the vulnerability was reported to Netgear by mail and chat. On Sept. 3, almost a month later, Netgear sent Daniel a beta firmware to determine whether the issue had been patched adequately, but before Netgear released the patch publicly, Shellshock Labs disclosed the vulnerability publicly on Sept. 29.

Thursday, October 8, 2015

Bitcoin Transactions Were Under Attack for a Week


Transactions were being duplicated in a malleability attack

A Russian man who calls himself "Alister Maclin" has been disrupting the Bitcoin network for over a week, creating duplicate transactions and annoying users.
The attack was first noticed by Coinkite, a high-tech Bitcoin platform, and was eventually claimed by Maclin on one of the Bitcoin forums.
According to Bitcoin experts, the attack was not dangerous and is the equivalent of "spam" on the Bitcoin blockchain; it is known in the industry as a "malleability attack."

A malleability attack on the Bitcoin network duplicates transactions

What happens is that when User A sends a transaction to User B, an attacker can intercept the Bitcoin payment and alter its ID (from 0001 to 0002, say).
When the transaction reaches the Bitcoin blockchain, the technology that registers and logs the payment, it is recorded with both IDs, causing a serious delay in showing the payment as confirmed (which usually takes 10 minutes).
Only the transaction ID is affected by a malleability attack; the sender, recipient and Bitcoin amount are left intact. All transactions are processed by the Bitcoin blockchain, funds are transferred only once, and eventually one of the duplicate transaction IDs gets invalidated, confirming the other transaction.
Affected users merely get annoyed in the least serious cases, but some will also resend their transaction after not receiving the usual confirmation, spending double the amount that was needed.

The attacker was only performing a "stress test"

In an interview with Vice, Maclin said that he was only performing a stress test on the Bitcoin network by intercepting transactions and rebroadcasting them with a different ID. Maclin said he has stopped for the moment, but he plans further tests in the upcoming weeks.
This attack type is well known in Bitcoin circles, and a fix has been in development for almost a year. Coinkite describes the attack as "a simple numeric tweak to one number (S) in the ECDSA signature [used to authenticate Bitcoin transactions]. It’s documented as part of BIP62 and is called the 'low S' requirement. Coinkite always uses the lower S value, but these pranksters have been replacing that with the higher S value."