Tech News
A German security researcher has demonstrated a critical vulnerability on the eBay website, the world's biggest eStore. According to David Vieira-Kurz, who discovered the flaw, it is a remote code execution (RCE) vulnerability "due to a type-cast issue in combination with complex curly syntax" that allows an attacker to execute arbitrary code on eBay's web server. In a demo video, he exploited this RCE flaw on the eBay website and managed to display the output of the phpinfo() PHP function on the web page, just by modifying the URL and injecting code into it. According to the explanation on his blog, he noticed a legitimate URL on eBay: https://sea.ebay.com/search/?q=david&catidd=1 and modified it so that the parameter was passed as an array carrying a payload: https://sea.ebay.com/search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1 PenTester's Original Article: Here Submitted By: Vandal
Facebook wants to know why you didn’t publish that status update you started writing.
A couple of months ago, a friend of mine asked on Facebook:
Do you think that facebook tracks the stuff that people type and then erase before hitting
Major sites have begun resetting passwords for compromised accounts, although researchers estimate that most targets were from the Netherlands. The attack has been described as "fairly global" with victims "scattered all over the world", although the vast majority of compromised users (some 96.66 per cent) were using computers with IP addresses located in the Netherlands. Security researchers employed by Trustwave stumbled upon the hoard of stolen data whilst investigating a botnet known as 'Pony'. Botnets are networks of hacked computers created by criminal gangs to use for a number of illegal tasks online, although it's thought that these passwords were stolen using keylogger software. A previous attack using the Pony botnet was described by the researchers as a "hit-and-run operation," whilst this attack was carried out over a number of weeks with the hackers taking in a "fairly stable and consistent" number of passwords each day.
Sheep Marketplace closed down over the weekend after someone got away with 96,000 bitcoins - and angry users are chasing him around the internet. One of the largest heists in bitcoin history is happening right now. 96,000 bitcoins - that's roughly £60m as of the time of writing - was taken from the accounts of customers, vendors and administrators of the Sheep Marketplace over the weekend. Sheep was one of the main sites that came to replace the Silk Road when it closed in October, but it too has now closed as a result of this theft. It's a little hard to work out exactly what's happened, but Sheep customers have been piecing it together on reddit's r/sheepmarketplace. Here's what happened: someone (or some group) managed to fake the balances in people's accounts on the site, showing that they had their bitcoins in their wallets when they'd actually been transferred out. Over the course of a week the whole site was drained, until the weekend when the site's administrators realised what was happening and shut everything down. Originally it was thought that only 5,200BTC - or £3m - was taken, with a message posted on Sheep's homepage blaming a vendor called "EBOOK101" for finding and exploiting a bug. However, over the weekend it became clear that the amount stolen was much, much larger. In a normal robbery that money would be gone by now, but it isn't. Bitcoin is pseudonymous, not anonymous, and bitcoins can't just disappear. It works because each and every transaction is public and visible to each and every other person using the Bitcoin network, and a person is only as anonymous as their link to their wallet. A couple of reddit users realised that the sheer size of the heist makes "tumbling" the coins - the normal method of laundering bitcoins - impossible, as long as they kept on their toes.
Someone with bitcoin can send some to a tumbler like bitcoinfog, where it will be split into smaller subdivisions and mixed with other bitcoins from other places, recombining and splitting again several times over until the whole amount eventually comes out the other end, theoretically in such a way that it's impossible to track. Silk Road's in-built tumbler successfully foiled the FBI, allegedly. However, reddit user TheNodManOut managed to track where the first bunch of transfers out of Sheep went, and from there he and silkroadreloaded2 worked out which tumbler the thief was using. Here's how silkroadreloaded2 describes what's happened since ("Tomas" is the alleged owner of Sheep, and one of the suspects for many users)
Ruby on Rails contains a flaw in its design that may allow attackers to more easily access applications. Websites that rely on Ruby on Rails's default cookie storage mechanism, CookieStore, are at risk. The vulnerability was actually reported two months ago, but thousands of websites are still running a vulnerable version of Ruby on Rails that allows a malicious attacker to gain unauthorized access again and again without a password if someone manages to steal users' cookies via cross-site scripting, session sidejacking or physical access. More than 10,000 websites are vulnerable to the Ruby on Rails cookie storage mechanism flaw, but the vulnerability requires your users' session cookies to be compromised in the first place. Security researcher G.S. McNamara provided the details of the vulnerability in a blog post: he analyzed nearly 90,000 sites using specialized scripts and discovered 1,897 sites based on old versions of Ruby on Rails (version 2.0 to version 4.0) that store users' cookie data in plain text. Another concerning issue with the sites analyzed is the lack, or wrong use, of SSL, which allows communication eavesdropping. Source: HackerNews Submitted By: Vandal
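The two properties behind the CookieStore item above, shown with a constructed cookie rather than Rails code: the legacy CookieStore layout (Base64 of a Marshal-serialized session, then "--", then an HMAC-SHA1 over it) is readable by anyone holding the cookie, and the signature check gives the server no way to revoke a stolen cookie. This is an added example, not from the post or the Rails project; the secret and session values are assumptions made up for the demo, and the server-side store is the mitigation side.

```ruby
require 'base64'
require 'openssl'

# Constructed layout matching Rails 2.x/3.x CookieStore:
#   Base64(Marshal.dump(session)) + "--" + HMAC-SHA1(secret, data)
# The HMAC proves integrity only: the payload is not encrypted and nothing
# in the cookie lets the server reject it later.
SECRET = 'constructed-secret-for-demo-only' # assumption: the app's secret_token

def sign(data)
  OpenSSL::HMAC.hexdigest('SHA1', SECRET, data)
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build a cookie the way the legacy store does (constructed for this demo).
def build_cookie(session)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{sign(data)}"
end

# Anyone holding the cookie can read the payload: no secret is needed.
def payload_contains?(cookie, text)
  data, = cookie.split('--', 2)
  Base64.decode64(data).include?(text)
end

# What the app checks on every request: the signature, and nothing else.
# A cookie stolen via XSS or sidejacking passes this check indefinitely.
def cookie_valid?(cookie)
  data, sig = cookie.split('--', 2)
  !sig.nil? && secure_equal?(sig, sign(data))
end

# Mitigation: keep session state server-side and issue an opaque id, so a
# stolen id can be revoked on logout, password change or incident response.
class ServerSessionStore
  def initialize
    @sessions = {}
  end

  def create(session)
    id = OpenSSL::Random.random_bytes(16).unpack1('H*')
    @sessions[id] = session
    id
  end

  def lookup(id)
    @sessions[id]
  end

  def revoke(id)
    @sessions.delete(id)
  end
end
```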
Popular source code repository service GitHub has recently been hit by a massive password brute-force attack that successfully compromised some accounts. GitHub has urged users to set up two-factor authentication for their accounts and has already reset passwords for the compromised accounts. "We sent an email to users with compromised accounts letting them know what to do," "Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked." GitHub uses the bcrypt algorithm to hash passwords, which is extremely resilient against brute-force attacks because it takes an inordinate amount of time to hash each password. In a blog post, GitHub engineer Shawn Davenport said that a brute-force attack from around 40,000 IP addresses revealed some commonly used passwords. These addresses were used to slowly brute force weak passwords. In addition to normal strength requirements like length or character requirements, GitHub has banned frequently used weak passwords on the site and has "aggressively" rate-limited login attempts. Banned common passwords include Password1, Password123, Qwerty123, access14, admin123, bond007, letmein, pa55w0rd, passw0rd, password1, password123 and others like them. "This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information." The exact number of compromised GitHub accounts was not disclosed, but GitHub's sign-up page now says passwords need to be at least seven characters long and have at least one lowercase letter and one numeral. Source: http://thehackernews.com/2013/11/github-accounts-compromised-in-massive.html Submitted By: Vandal
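An added example, not GitHub's code, of the two defensive measures the item describes: a sign-up policy that enforces the stated rule (at least seven characters, one lowercase letter, one numeral) and rejects the banned common passwords listed above, and a detector for the "40,000 IPs, each trying slowly" pattern, where per-IP rate limiting alone does not trip because the failures against one account are spread across many sources. The auth-log lines and thresholds are constructed for the demo.

```ruby
require 'set'

# Banned passwords from the post; a real deployment would use a much longer list.
BANNED = Set.new(%w[Password1 Password123 Qwerty123 access14 admin123
                    bond007 letmein pa55w0rd passw0rd password1 password123])

# Returns nil when the password is acceptable, otherwise the reason it fails.
def password_problem(pw)
  return 'too short (min 7)' if pw.length < 7
  return 'needs a lowercase letter' unless pw =~ /[a-z]/
  return 'needs a numeral' unless pw =~ /\d/
  return 'banned common password' if BANNED.include?(pw)
  nil
end

# Constructed auth-log lines: "<timestamp> <event> user=<name> ip=<addr>".
# Each IP fails only once or twice (under a typical per-IP limit), yet one
# account is hit from many distinct addresses.
LOG = <<~EOS
  2013-11-19T10:00:01 login_failed user=alice ip=203.0.113.5
  2013-11-19T10:00:07 login_failed user=alice ip=198.51.100.9
  2013-11-19T10:00:13 login_failed user=alice ip=192.0.2.77
  2013-11-19T10:00:20 login_failed user=alice ip=203.0.113.40
  2013-11-19T10:00:25 login_failed user=bob ip=203.0.113.5
  2013-11-19T10:00:31 login_ok user=bob ip=203.0.113.5
EOS

# Distributed brute force shows up per account, not per IP: flag accounts
# whose failed logins come from at least +min_ips+ distinct sources.
def distributed_targets(log, min_ips: 3)
  ips_by_user = Hash.new { |h, k| h[k] = Set.new }
  log.each_line do |line|
    next unless line =~ /login_failed user=(\S+) ip=(\S+)/
    ips_by_user[Regexp.last_match(1)] << Regexp.last_match(2)
  end
  ips_by_user.select { |_, ips| ips.size >= min_ips }.keys
end
```

Flagged accounts are candidates for a forced password reset or a per-account lockout, which is the control that a per-IP limit cannot provide against a botnet.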