Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "vulnerability"
The spam denier
An old phone conversation with a client:
Me : Hello
Client : My website and server are suspended? why is that?
Me : Your server sends spam messages.
Client : We do not send spam messages, we are on vacation, there is none in the office.
Me : Yes, but it is not necessarily you, according to our logs, your server sent spam messages in Chinese and Russian, so someone from Russia or China....etc.
Client : I do not believe you, we do not speak russian or chinese, how could we then write spam messages in those languages?
Me : I told you, maybe someone exploited some vulnerability in your website or server firewall. And if you want to activate your services, please check with your webmaster and sysadmin to secure your ....
Client: I tell you my son, because I am old and I have more life experience than you ... I am 60 years old and I tell you, spam does not exist, and YOU suspended my website and server, and created issues to sell me more of your solutions and services.
I won't check my server, I won't hire a webmaster or a sysadmin, AND YOU WILL ACTIVATE MY SERVER NOW !
(I suddenly realized that I am talking to a wall, so I switched to a robotic tone).
Me : Please resolve the issue to activate your services..
Client : YOU WILL ACTIVATE MY S...
Me : Please resolve the issue to activate your services...
Client : WHAT IS THIS SPAM STORY ANYWAY, I DO NOT BELIEVE YOU ...
Me : Please google that word and you will understand what is spam is...
Client : YOU ARE F**ING LIARS, SPAM DOES NOT EXIST... ACTIVATE MY WEBSITE N.... Beeeep !
I hang up.
Well, I thought about configuring an automatic response for this client, or a for-loop.
His voice was really unpleasant, as if he is a heavy smoker.8
CW: The SQL injection vulnerability isn't important because our code is proprietary so hackers won't find it.
https://git.kernel.org/…/ke…/... sure some of you are working on the patches already, if you are then lets connect cause, I am an ardent researcher for the same as of now.
So here it goes:
As soon as kernel page table isolation(KPTI) bug will be out of embargo, Whatsapp and FB will be flooded with over-night kernel "shikhuritee" experts who will share shitty advices non-stop.
1. The bug under embargo is a side channel attack, which exploits the fact that Intel chips come with speculative execution without proper isolation between user pages and kernel pages. Therefore, with careful scheduling and timing attack will reveal some information from kernel pages, while the code is running in user mode.
In easy terms, if you have a VPS, another person with VPS on same physical server may read memory being used by your VPS, which will result in unwanted data leakage. To make the matter worse, a malicious JS from innocent looking webpage might be (might be, because JS does not provide language constructs for such fine grained control; atleast none that I know as of now) able to read kernel pages, and pawn you real hard, real bad.
2. The bug comes from too much reliance on Tomasulo's algorithm for out-of-order instruction scheduling. It is not yet clear whether the bug can be fixed with a microcode update (and if not, Intel has to fix this in silicon itself). As far as I can dig, there is nothing that hints that this bug is fixable in microcode, which makes the matter much worse. Also according to my understanding a microcode update will be too trivial to fix this kind of a hardware bug.
3. A software-only remedy is possible, and that is being implemented by all major OSs (including our lovely Linux) in kernel space. The patch forces Translation Lookaside Buffer to flush if a context switch happens during a syscall (this is what I understand as of now). The benchmarks are suggesting that slowdown will be somewhere between 5%(best case)-30%(worst case).
4. Regarding point 3, syscalls don't matter much. Only thing that matters is how many times syscalls are called. For example, if you are using read() or write() on 8MB buffers, you won't have too much slowdown; but if you are calling same syscalls once per byte, a heavy performance penalty is guaranteed. All processes are which are I/O heavy are going to suffer (hostings and databases are two common examples).
5. The patch can be disabled in Linux by passing argument to kernel during boot; however it is not advised for pretty much obvious reasons.
6. For gamers: this is not going to affect games (because those are not I/O heavy)
Meltdown: "Meltdown" targeted on desktop chips can read kernel memory from L1D cache, Intel is only affected with this variant. Works on only Intel.
Spectre: Spectre is a hardware vulnerability with implementations of branch prediction that affects modern microprocessors with speculative execution, by allowing malicious processes access to the contents of other programs mapped memory. Works on all chips including Intel/ARM/AMD.
For updates refer the kernel tree: https://git.kernel.org/…/ke…/...
For further details and more chit-chats refer: https://lwn.net/SubscriberLink/...
(Originally written by Adhokshaj Mishra, edited by me. )23
Alright fuck it, let's release this fucker!
https://lynkz.me is the main domain. The interface is *usable* and nothing more than that. I'll invest more time in that soon but for now, hey, it works.
Api is located at https://api.lynkz.me.
Documentation for this (literally some echoes to the screen but it contains the needed information for now) is at that api url.
Found a bug or a security vulnerability? Please let me know!
Yeah I use mariadb but sql injection is luckily not possible due to quite some sanitization ;)
WARNING: if you make a shortened url and forget the delete key, you won't be able to delete it.
Let's see how this goes 😅115
*Facebook Hackers follow the Rules*
TL;DR: sorry, not available, can't do spoilers
One night I was with a group of friends out at a pub. A guy and his girlfriend show up, I didn't know them but they were my friend's friends.
The girl kept bragging the whole time about his boyfriend being a professional programmer, trying to remind it to everybody whenever possible (don't ask me why!).
So, after a while, the discussion moves towards "suspect Facebook activities" and the guy starts saying that he can hack Facebook.
- "What do you mean?", I ask.
- "Hacking into other people's accounts, even with 2 factor authentication. I did it a lot of times"
- "Wait, and they don't notice?"
- "Of course not! ^_^ He's a hacker", the girl replies.
Ok, time to do a coming out.
- "Hey, I'm a developer myself. Can you give me an idea of what you did in technical terms? Did you find a vulnerability? Used a virus? Maybe a keylogger?"
- "No... Uh... Well... The secret is to read the terms of service"
- "Yes... yes it's all in the facebook terms of service..."
- "Uhm, I'm not really sure I'm following. Could you prove it by hacking my Facebook account? I'm giving you the permission".
In less than a minute the discussion flew completely away and they never mentioned computers again.
A fellow intern recommended the use of windows server for security and speed reasons.
Few details about the situation: windows server got hacked due to a vulnerability which had no patch released yet and this had happened multiple times that year. Also, the company was migrating everything to Linux (servers).
The senior/lead programmer literally gave him a GTFO face and pointed at the door.
Everyone was giving him the GTFO face by the way, he didn't know how fast he had to get out 🤣9
⚠️ DEVRANTRON ALERT ⚠️
Make sure you've updated devRantron to v.1.3.6 since previous versions contains an XSS vulnerability.
<b>If this text is BOLD you're vulnerable.</b>
You can download the latest version at https://github.com/tahnik/...21
A quite severe vulnerability was found in Skype (at least for windows, not sure about other systems) allowing anyone with system access (remote or local) to replace the update files skype downloads before updating itself with malicious versions because skype doesn't check the integrity of local files. This could allow an attacker to, once gaining access to the system, 'inject' any malicious DLL into skype by placing it in the right directory with the right file name and waiting for the user to update (except with auto updates of course).
From a company like Microsoft, taking in mind that skype has hundreds of millions of users worldwide, I'd expect them to take a very serious stance on this and work on a patch as soon as possible.
What they said about this: they won't be fixing it anytime soon as it would require a quite big rewrite of skype.
This kinda shit makes me so fucking angry, especially when it comes from big ass companies 😡. Take your fucking responsibility, Microsoft.24
The awesome moment when a client claims that you are nothing but a script kiddy only minutes before you reveal a $1400 vulnerability on his site 😂4
This happened at my last internship. There was this other intern and he was a TO THE FUCKING MAX windows fanboy and whenever someone said something bad about windows he'd go full rage. Also, he'd sometimes spend half an hour at my desk explaining why windows was the best and Linux sucked.
This one time, I read about a newly discovered windows vulnerability and told the employees so they'd update quickly and they were like ' thanks for the notification mate!' And then that guy came up to me telling that 'Linux also has severe vulnerabilities sometimes'. YES I FUCKING KNOW THAT I'M JUST TRYING TO GET PEOPLE TO UPDATE FOR THEIR SECURITY YOU FUCKING ASSHAT. I got really mad. Still, fuck that guy.10
A group of Security researchers has officially fucked hardware-level Intel botnet officially branded as "Intel Management Engine" they did so by gathering it all the autism they were able to get from StackOverflow mods... though they officially call it a Buffer Overflow.
On Wednesday, in a presentation at Black Hat Europe, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy plan to explain the firmware flaws they found in Intel Management Engine 11, along with a warning that vendor patches for the vulnerability may not be enough.
Two weeks ago, the pair received thanks from Intel for working with the company to disclose the bugs responsibility. At the time, Chipzilla published 10 vulnerability notices affecting its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE).
The Intel Management Engine, which resides in the Platform Controller Hub, is a coprocessor that powers the company's vPro administrative features across a variety of chip families. It has its own OS, MINIX 3, a Unix-like operating system that runs at a level below the kernel of the device's main operating system.
It's a computer designed to monitor your computer. In that position, it has access to most of the processes and data on the main CPU. For admins, it can be useful for managing fleets of PCs; it's equally appealing to hackers for what Positive Technologies has dubbed "God mode."
The flaws cited by Intel could let an attacker run arbitrary code on affected hardware that wouldn't be visible to the user or the main operating system. Fears of such an attack led Chipzilla to implement an off switch, to comply with the NSA-developed IT security program called HAP.
But having identified this switch earlier this year, Ermolov and Goryachy contend it fails to protect against the bugs identified in three of the ten disclosures: CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707.
The duo say they found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, even if the device is turned off or protected by security software.
For more of the complete story go here:
I post mostly daily news, commentaries and such on my site for anyone that wish to drop by there25
It's funny, whenever the subject of facebook vs privacy comes up (mostly I don't even initiate those convo's), people always start to defend facebook when I say that I THINK that facebook is build to get people addicted to it and get them to stay on facebook as long as possible.
Haha, one of facebook's early investers/ex facebook presidents said the following in an interview:
“It’s a social-validation feedback loop, exactly the kind of thing that a hacker like myself would come up with, because you’re exploiting a vulnerability in human psychology.”
So even an ex president of facebook is admitting this.
I also found the folloing a good one:
The underlying thought process while creating platforms like Facebook or Instagram is something like “How do we consume as much of your time and conscious attention as possible?”
Last but not least, the part I found the most scary:
“God only knows what it’s doing to our children’s brains.”
Yes, I find this scary.
Oh yeah and for the people who are going to call bullshit on this one, I've got one source and if you search engine on the title of that article then you'll find loads of websites having that story:
So WPA2 has been broken.
That's quite a bad news coming so shortly after the BlueBourne vulnerability was discovered
Read more here if interested:
A critical vulnerability was detected in Electron and I urge all the devRantron users to update their app manually.
Please go to https://www.devrantron.com get the latest version which has the necessary patches.
Due to a request, we added compact mode in the app, which can be used to view a distraction-free mode of the UI. Notifications screen is a little bit more readable now. The read notifications are now greyed out.
Again, the auto update will not work for this version. Please manually update as soon as possible.6
The change log from notepad++ update. The last paragraph is the cream!
" The issue of a hijacked DLL concerns scilexer.dll (needed by Notepad++) on a compromised PC, which is replaced by a modified scilexer.dll built by the CIA. When Notepad++ is launched, the modified scilexer.dll is loaded instead of the original one.
It doesn't mean that CIA is interested in your coding skill or in your sex message content typed in Notepad++, but rather it prevents raising any red flags while the DLL does data collection in the background.
It's not a vulnerability/security issue in Notepad++, but for remedying this issue, from this release (v7.3.3) forward, notepad++.exe checks the certificate validation in scilexer.dll before loading it. If the certificate is missing or invalid, then it just won't be loaded, and Notepad++ will fail to launch.
Checking the certificate of DLL makes it harder to hack. Note that once users’ PCs are compromised, the hackers can do anything on the PCs. This solution only prevents from Notepad++ loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.
Just like knowing the lock is useless for people who are willing to go into my house, I still shut the door and lock it every morning when I leave home. We are in a f**king corrupted world, unfortunately. "1
What is the worst thing that can happen if you report a security vulnerability to a company?
Get banned by them!
I reported a vulnerability to a company on their Facebook page(cause they don't have an email id where I can report this) and they just banned me from their page. It's really annoying me now.
And the worst thing is that they have still not fixed the issue, I wonder why the hell they banned me then.
I am planning to exploit the vulnerability and teach them why security is so important now.22
--- URGENT: Major security flaw in Kubernetes: Update Kubernetes at all costs! ---
Detailed info: https://github.com/kubernetes/...
If you are running any unpatched versions of Kubernetes, you must update now. Anyone might be able to send commands directly to your backend through a forged network request, without even triggering a single line in the log, making their attack practically invisible!
If you are running a version of Kubernetes below 1.10... there is no help for you. Upgrade to a newer version, e.g. 184.108.40.206
Long story short, I'm unofficially the hacker at our office... Story time!
So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API, some of the code dated back to 2013. (important, keep this in mind)
So at one point I was testing the existing endpoints, because part of the project was automating tests using postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.
Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no Auth to use. An anonymous curl request could overwrite any users data.
As this mess unfolded and we notified the higher ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the ID of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.
So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.
It still amsues me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.6
10 years ago, I found a vulnerability in the connection between an insurer I was working for, and the network of databases of municipalities. I was only a hacker in so far as kids who watched Hak5 are considered hackers, so I always carried this laptop with a fake access point, package sniffer, wep crack, sslstrip, etc with me.
The vulnerabilities allowed me to register a new identity, for which I requested a passport.
Walking up to the town hall desk with two passports with different names, both mine, was pretty cool.
I did not do anything malicious, and was hired to fix the issues (wep encryption on insurers trusted wifi, and municipality postgres gave write access to all third parties)
For a few days I was the coolest kid in school though!2
Forgive me father, for I have sinned. Alot actually, but I'm here for technical sins. Okay, a particular series of technical sins. Sit your ass back down padre, you signed up for this shit. Where was I? Right, it has been 11429 days since my last confession. May this serve as equal parts rant, confession, and record for the poor SOB who comes after me.
Ended up in a job where everything was done manually or controlled by rickety Access "apps". Many manhours were wasted on sitting and waiting for the main system to spit out a query download so it could be parsed by hand or loaded into one of the aforementioned apps that had a nasty habit of locking up the aged hardware that we were allowed. Updates to the system were done through and awful utility that tended to cut out silently, fail loudly and randomly, or post data horrifically wrong.
Fuck that noise. Floated the idea of automating downloads and uploads to bossman. This is where I learned that the main system had no SQL socket by default, but the vendor managing the system could provide one for an obscene amount of money. There was no buy in from above, not worth the price.
Automated it anyway. Main system had a free form entry field, ostensibly for handwriting SELECT queries. Using Python, AutoHotkey, and glorified copy-pasting, it worked after a fashion. Showed the time saved by not having to do downloads manually. Got us the buy in we needed, bigwigs get negotiating with the vendor, told to start developing something based on some docs from the vendor. Keep the hacky solution running as team loves not having to waste time on downloads.
Found SQLi vulnerability in the above free form query system, brought it up to bossman to bring up the chain. Vulnerability still there months later. Test using it for automated updates. Works and is magnitudes more stable than update utility. Bring it up again and show the time we can save exploiting it. Decision made to use it while it exists, saves more time. Team happier, able to actual develop solutions uninterrupted now. Using Python, AutoHotkey, glorified copy-pasting, and SQLi in the course of day to day business critical work. Ugliest hacky thing I've ever caused to exist.
Flash forward 6 years. Automation system now in heavy use acrossed two companies. Handles all automatic downloads for several departments, 1 million+ discrete updates daily with alot of room for expansion, stuff runs 24/7 on schedule, most former Access apps now gone and written sanely and managed by the automation system. Its on real hardware with real databases and security behind it.
It is still using AutoHotkey, copy-paste, and SQLi to interface with the main system. There never was and never will be a SQL socket. Keep this hellbeast I've spawned chugging along.
I've pointed out how many ways this can all go pearshaped. I've pointed out that one day the vendor will get their shit together they'll come in post system update and nothing will work anymore. I've pointed out the danger in continuing to use the system with such a glaring SQLi vulnerability.
Noone cares. Won't be my problem soon enough.
In no particular order:
Fuck management for not fighting for a good system interface
Fuck the vendor for A) not having a SQL socket and B) leaving the SQLi vulnerability there this long
Fuck me for bringing this thing into existence6
I once had to literally hack a Joomla 1.5.x site for a client, because they did not find the passwords (hosting, cms, ftp, mysql). After 5 minutes and a SQL injection I was in like flynn.
The site was already full of hidden links to viagra sellers and stuff... 😂1
I think we're going two sides:
For one, more and more technology is being developed/engineered which is even more and more and more intrusive as for personal privacy, I'm genuinely worried how this'll go as privacy isn't just a about not exposing certain things like passwords/bank account details and so on, it's also about being an individual who has their own thoughts, opinions and so on. If we keep taking that away more and more often, society will change and go towards the Orwell scenario (we're on our way there right now). We can change this as software/design/server engineers but that's up to us and I sadly don't see that happening quickly, also due to the 'nothing to hide' bullshit.
Second one is that were going more and more towards open source.
This is a good thing as this:
- gives freedom to devs around the world to improve software and/or modify it to suit their needs.
- gives people the opportunity to look through the source code of softwares in order to verify it as for backdoors and find security vulnerabilities which otherwise can remain hidden for the general public while spying agencies have way more resources to go vulnerability hunting.
For the people who think this isn't a good idea (even more open source), without it we'd be completely fucked as for moving forward/security/privacy. (I can give examples if wanted).7
I have a Kali Linux VM running on my Windows machine. I decide to try and exploit the Windows machine (THAT THE VM WAS RUNNING ON) because of a vulnerability with smb that requires NO user interaction. I decided to make my computer shoot its own legs and I thought "Hey, this is gonna be fine."
Aaaaand the whole system crashed on me.3
I found a vulnerability in a food delivery app api that allows me to add credit to my account. I ate my first free meal today but i feel bad about it. What should i do 😞.
1- continue hacking free credit and eating free food.
2- stop and forget i found this bug
3- report the bug in exchange for money/credit
4- report the bug for free30
Really cool. Tesla gave two hackers that found a vulnerability in the Model 3 free cars as a reward. More companies should do that, instead of getting all pissy. I would hope a company wants to know what their vulnerabilities are so that they can avoid embarrassment and the loss of money.3
Me: reports vulnerability that can be used to steal thousands of dollars from a company.
Stingy company: gives me 66 USD voucher as a reward. :)13
I think the hardest thing about being a programmer in college with a security emphasis is when I approach a business for a penetration test or for a vulnerability analysis (your pick) is that they almost always say, "you are pretty young don't you think?"
Ummmm not sure what that has to do with it. If it would make you feel better I have claimed bug bounties from an antivirus company, a bank, several local businesses in my area and I do this for work at my 9-5.
And this week I got this, "I think I would like someone older so we can define the goals better."
Oh so rules of engagement, yeah of course I understand that and that's something we would discuss and draw up a contract for...
"Well we really need someone more skilled."
---- End of story ----
I don't understand, you haven't asked about certifications or schooling and you glanced at my resume for exactly 5 seconds what the hell do you want? Me to double my age over night?7
Really ugly to release it a day after telling AMD about it11
Friends, hear the good news, somebody figured out how to turn off Intel ME. Rejoice!
I fucking hate how intel reps say “they don’t participate in lowering security or shipping back doored or compromised systems, but yet ME is designed such that any vulnerability in it equals total gang busters for gaining access. It’s introducing your best friend to a serial killer, handing the killer a un, and offering him a million dollars to shoot your friend, and then when he does, saying you had nothing to do with it because it was his choice. Go fuck yourselves Intel, I’m already never buying a cpu or nic from you as long as I shall live, the least you can do is not lie to us.11
Okay, That right there is pathetic https://thehackernews.com/2019/02/... .
First of all telekom was not able to assure their clients' safety so that some Joe would not access them.
Second of all after a friendly warning and pointing a finger to the exact problem telekom booted the guy out.
Thirdly telekom took a defensive position claiming "naah, we're all good, we don't need security. We'll just report any breaches to police hence no data will be leaked not altered" which I can't decide whether is moronic or idiotic.
Come on boys and girls... If some chap offers a friendly hand by pointing where you've made a mistake - fix the mistake, Not the boy. And for fucks sake, say THANK YOU to the good lad. He could use his findings for his own benefit, to destroy your service or even worse -- sell that knowledge on black market where fuck knows what these twisted minds could have done with it. Instead he came to your door saying "Hey folks, I think you could do better here and there. I am your customes and I'd love you to fix those bugzies, 'ciz I'd like to feel my data is safe with you".
How on earth could corporations be that shortsighted... Behaviour like this is an immediate red flag for me, shouting out loud "we are not safe, do not have any business with us unless you want your data to be leaked or secretly altered".
Yeah, I know, computer misuse act, etc. But there are people who do not give a tiny rat's ass about rules and laws and will find a way to do what they do without a trace back to them. Bad boys with bad intentions and black hoodies behind TOR will not be punished. The good guys, on the other hand, will.
Whre's the fucking logic in that...
P.S. It made me think... why wouldn't they want any security vulns reported to them? Why would they prefer to keep it unsafe? Is it intentional? For some special "clients"? Gosh that stinks6
I make a typo in the username
"username doesn't exist"
I fix the typo and mess up the password
... I smell a potential exploit here...7
Anyone hear about the emergency patch that Microsoft just released? Its a RCE vulnerability CVE-2017-11937 which ironically targets all of Microsoft's security products.
Basically when Windows defender scans a specially crafted file the attacker can run code as the LocalSystem. Nice one Microsoft!2
For all you Googlefags, "Serious Chrome zero-day – Google says update right this minute":
I recently found a vulnerability in a food delivery app where i can add credit to my account. as some of u suggested I decided to report it. Here is their response of me asking (before explaining the bug) if i will be legally prosecuted and if ill be rewarded. this was their response. I feel they were mean. Thoughts ?15
Guess what? 😱 WordPress has probably an SQL injection vulnerability. Check it out and fix your installations, when more info will be known:
I mean how thick do you have to be to not understand what CSRF is? I almost lost a gig to this supposedly 'seasoned' dev who kept bragging about how she takes web security very seriously. I pointed out this flaw in her work and she fucking flipped out and refused to even acknowledge that she might have made a mistake. She kept insisting how it isn't even a vulnerability.
Well, too bad I got the gig for pointing it out.20
Reported an important security vulnerability inside our organization, right before getting off work. A security team member contacts me over chat asking for some details on my investigation. At the end, he tells me: "thanks, I will copy and paste this conversation on the ticket so that everyone can see".
What I imagined: he would copy and paste the conversation as is, so that every line written by me is prefixed with my name.
What he does: he writes a summary of our conversation, barely mentioning my name, making it look like that part of the investigation was done by him.
Now I have so much anger inside of me that my internal organs are boiling.6
I really wanna share this with you guys.
We have a couple of physical servers (yeah, I know) provided by a company owned by a friend of my boss. One of them, which I'll refer to as S1, hosted a couple of websites based on Drupal 7... Long story short, every php file got compromised after someone used a vulnerability within D7's core to inject malicious code. Whatver, wasn't a project of mine, and no one bothered to do anything about it... The client was even happy about not doing anything about it. We did stop making backups of such websites however, to avoid spreading the damage (right?). So, no one cared about this for months!
But last monday? The physical server was offline. I powered it on again via its web management interface... Dead after less than an hour. No backups. Oh well, I guess I couls keep powering it on to check what's wrong with it and attempt to fix it...
That's when I've learned how the web management interface works: power on/reboot requests prompted actual workers to reach the physical server and press the power on/reboot buttons.
That took a while to sink in. I mean, ok, theu are physical servers... But aren't they managed anyhow? They are just... Whatever. Rebooting over and over wasn't the solution, so I asked if they could move the HDD to another of our servers... The answer was it required to buy a "server installation" package. In short, we'd have had to buy a new physical server, or renew the subscription of one we already owned for 6 months.
So... I've literally spent the rest of the day bothering their emoloyeea to reboot S1, until I've reached the "daily reboot reauests limit" (which amounts to 3 reauests. seriously), whicj magically opened a support ticket where a random guy advised to stop using VNC as "the server was responsive" and offeres to help me with the command line.
Fiiine, I sort of appreciate it. My next message has been a kernel log which shows how the OS dying out was due to physical components becoming unavailable after a while, and how S1 lacked a VNC server, being accessible only via ssh. So, the daily reboot limit was removes for S1. Yay.
...What to do though? S1 was down, we had no backups, and asking for manual rebooting every time was slow as Hell. ....Then I went insane. I asked for 1 more reboot. su. crontab -e. */15 * * * * /sbin/shutdown -r +5. while true; do; rsync --timeout=20 --append S1:/stuff .; sleep 60; done.
It worked. We have now again access to 4 hacked, shitty Drupal 7 websites. My boss stopped shouting. I can get back to my own projects.
Apparently, those D7 websites got back online too, still with malicious php code within them. Well, not my problem (for now).
Meanwhile, S1 is still rebooting.3
Yet another Intel vulnerability. Who_would_have_thought.png.
FYI to anyone following the Krack WPA2 vulnerability
A testing suite in python has made its way to github.
Putty remote executuon vulnerability(no patch yet)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to unspecified input validation error when processing data, received from SSH server. A remote attacker can trick the victim to connect to a specially crafted SSH server and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.7
Yet another funny bug for your iPhone friends. Oh Apple...
"The vulnerability can be exploited by loading an HTML page that uses specially crafted CSS code. The CSS code isn't very complex and tries to apply a CSS effect known as backdrop-filter to a series of nested page segments (DIVs)."
DigitalOcean released this public message in response to Intels MDS. Definitely worth reading if you run servers at DO. https://blog.digitalocean.com/may-2...3
FYI if you have ES file explorer get rid of it cause it has a major vuln that lets other extract files from your phone
There are many better alternatives, i personally use FX.
...WHY TF DOES A FILE EXPLORER RUN AN HTTP SERVER IN BACKGROUND ?!25
watching the online course for CEH... dude used the Death Star as a tangible example of how exploits work.
IDK if I should love it for the nerdiness, or be slightly sad that someone needs that type of example of what a vulnerability vs an exploit is, when they're going for the Certified Ethical Hacker certification...
Might be better in an introduction to Network Security class?
Also, while discussing the security, usability, and functionality triangle, he reference the Staples "Easy Button" - does one thing, not very secure, and not very functional (in that it has more than one function)...1
Reddit comment on a thread about Joomla! sites being vulnerable to SQL-injections:
"Joomla sites are so infested they became sentient.
Joomla sites needs no webmaster, some one else will administer it for you.
Joomla sites have very good SEO, specially in "v1agra c1alis p3nis size"
Traffic count with Joomla is high, all the bots breaking all the vulnerabilities count for somethin'."
😂 Pure gold.1
Paranoia. Programming affected my life by making me paranoid. Creating a new account on any website that even needs rudimentary information about me has to go quite some vulnerability testing since I've seen enough hack jobs that throw around sensitive data because they're too incompetent to follow simple must dos.3
Few months back, I reported a vulnerability in an open source project due to the fake alarm from Github without understanding it's consequences. The author of that project immediately locked, and closed the issue and deleted the detail.
Though he was annoyed with my this act but he taught me a good lesson of responsibility.
So my dad is watching some movie from the nineties titled "Hackers". Here are some lines from it:
"So I got into a server, looked around, run some commands. Only then did I realize that it was a bank server"
How can you not know what server are you hacking? And how did you later find out that it was a bank? For all you know you might be hacking into somebody's blog.
Hacker 1: So how are you gonna hack that database?
Hacker 2: I don't know yet.
H1: I would use a vulnerability in their security
That's like saying you would enter a building using the front doors.
Did whoever wrote the script for this movie even consulted somebody that knows at least something about hacking?6
Do you know the auto-generated heroku sample app? The very complex demo app you automatically get following the tutorial?
It has a vulnerability.
I laughed a lot2
So one of my clients had a different company do a penetrationtest on one of my older projects.
So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.
So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.
Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.
And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.
Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.
I get a reaction. Everything is perfect now, good job!
In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD
But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.
And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.
Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.
2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.2
A few days back I read an article about ethical hacking and get rewarded for bug bounty. I thought that might be interested.
I'm about to send out my first ethical hack report to a company! I'm nervous because I don't know how they'll respond. It's an xss vulnerability, and I really hope they'll fix it.5
PSA: If you use jQuery and BlueImp's jQuery File Upload there is a big potential vulnerability you need to be aware of. If you use NPM to pull the repo into your public folder, the "server" folder will be available for people to take advantage of. "Hackers" may be able to upload malicious code and replace parts of your site.
I had a site hacked and later saw on Google Analytics that people were posting to random URLs in that folder. The fix is to simply delete that folder, but if you use NPM, you need to be extra careful it doesn't come back.
Also, I didn't investigate further. So I'm not sure what (if anything) is vulnerable in there, or if it was just the specific version I had. To be safe, if you use this plugin (as MANY people do), just delete the folder.
Link to the repo for your reference: https://github.com/blueimp/...4
To put the WPA2 thing in perspective:
The new handshake capture vulnerability is undeniably concerning, but I'm still more afraid of bad actors who have the resources to gain network access without getting in range of APs.
Everything will be about the same, but faster. Quantum computing will allow brick-shitting speeds of data processing, Nvidia will at some point develop a quantum GPU and call it Fuckall architecture or something that will allow to simulate all the atomic-level physics of a whole car (and stuff), 1Tb network speeds will be common, websites and databases work in a blink of an eye.
Also someone will find a spectre/meltdown-level vulnerability in quantum CPUs and everyone will get f-d in the a. Again. Almost.14
jQuery < 3.4.0 is a known moderate severity vulnerability now and Github just send me about 20 alert mails for repos which are using jQuery that I had used for side projects.
Like thanks but damn.4
Today I had a problem with a JS framework. The only person who was available who could help me was the one I avoid, because he always knows everything better.
Well, after I asked if he had time for me, he sits next to me and I started to explain.
After looking around, he started blaming my backend code.
(I belong to the kind of dev that tries to write small and simple code. But I also often use the more complex features of the languages.) He suddenly started accusing everyday things in the backend like inheriting a class or using objects and basic data types together as parameters of a method (WTF???) Hell, all I could say at that moment was that I had a problem with this JS framework and not with the backend that worked well. He probably tried for over an hour to find the bug in the backend and just wouldn't listen, after that he gave up. I wonder what this bitch has learned over the years. Can it really be that he forgot the basics of a programming language? Or has the fool never worked with an inheritance before? I think he's an incapable piece of shit, he hasn't even patched my reported vulnerability in his project in the last half year, which allows to inject own code onto the server.
Because of such fucking morons I get a headache when I think about it. How can it be that he's got a higher degree and earns about 50% more. I should leave this company!3
Has anyone read the latest rant from Microsoft?
<<Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.>>16
My new colegue at work was tasked with getting familiar with some Java code that had security vulnerability. He complained about slow build time for the first hour and then I stopped paying attention. At the end of day I checked on him and was like wtf how are you still trying to build this.
Turns out he ran Gradle task bootRun and watched logs of working app for 8 hours because he thought that's build xD1
A few days ago, I saw a topic from hackernews about Xiaomi phones having a high risk vulnerability because of analytics.apk. I didn't mind it (I'm using a Xiaomi phone).
After about 2 days, I had a notification on my screen having a message 'test' made by my browser.
I immediately installed a firewall blocking all Xiaomi related services.
I've been interested in security for years but despite knowing the theory I've always had this disconnect with actually doing it, about two years ago I finally managed to find and exploit my first cross-site scripting vulnerability in my companies Product whilst doing some routine acceptance testing. It was a penny drop moment for me which has led to some very interesting projects and It was pretty badass.
Old unused military satellite to make international calls free. Local tv station to leak episodes. 4500 hosts zombie net with autoreplicant bots that scans for vulnerability to populate the net to do distributed denial of service attacks. Jumper on the neighborhood cabin to redirect the school's call for being absent, an older friend pretended to be my father.
The feel when you remember you have left any vulnerability in your code.
a wired wave arise in your body.1
Attention guys and gals! If you are using grafana in your home setup, update it asap to 4.6.4 or 5.2.3. versions before those two are affected by an authentication bypass vulnerability. CVE 2018-15727
In the meanwhile, my nginx config is blocking everything but the LAN ips :)
our website got hacked somebody downloaded the whole source code and sent an email to us.
seems like that person would demand ransom or anything.
We still can't find where is the door ( vulnerability ) through which he pulled all files.17
Not a good year for Intel, is it? First the two Spectre variants and Meltdown, now the AMT vulnerability.
/Hugs his AMD systems while unplugging the Intel ones.7
Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
NSO group even sell a spyware application based on that vulnerability to governments.
Listen!!!!! I'm going to the toilet with my phone!!! Listen!!!3
Our ISP, that also offers us Television is smart, very smart... “One option is to provide an anonymous mailbox (eg. Gmail, Hotmail”
Wtf... Gmail != anonymous.
I was about to report a vulnerability I found in their system, with that I could access the whole digibox, recover recordings, copy the on demand things, and watch films.2
Hey fellow devRanters,
I'm sure some of you have read about the newest vulnerabilities in Intels Management Engine (ME). I feel like ME and similar "features" are unacceptable backdoors into our systems. Unfortunately Intel and AMD do not offer their customers the option to acquire CPUs that lack these backdoors and make disabling them rather impossible 😒
Thus my question: Do you guys know of any 64-bit "open-source" CPU on the market that is production-ready and suitable for high-traffic web applications? Please note that I don't consider FPGAs to be viable options, since I don't trust Xilinx and Altera either.15
The first time i've scripted something and found a vulnerability on a production web application was one of the best moment i've ever had, never been so excited!
(mmh, maybe i need to switch to security :D)
Me currently in my 3rd year of university: hears about blockchain from my friends, reads 5 pages of ethereum white paper; sees a cool machine learning project, watches 2 weeks of Andrew Ng's course; plays a cool game, downloads Unity and makes a hello world game; hears about wifi vulnerability, purchases an ethical hacking course.
Number of things mastered: 05
I just remembered that 2 years ago I found an open-redirect vulnerability in one of Google's old pages.
I decided to not submit it to Google because it's too much effort (even though I knew they pay for these things) and told about it to a friend who deals with these things.
I was SO. DAMN. STUPID.1
Why does the point of sale machine open the cash drawer for a credit card sale ? Seems like a vulnerability to me.2
Y'all might wanna update your Win7, Win8 amd Win Server 2008.
RDP RCE with a CVSS pf 9.8.
I once had a manager who demanded I physically print all of the Kanban cards and tape them to the office whiteboard. I was told to move the cards across the board after they were moved in TFS. I still had to keep up with my other duties in the QA department too!
Despite that, I still stayed on board with the company (the pay was good, and the work was simple.) As a QA teeter, I uncovered a rather nasty security vulnerability that would have put all of our customers data at reach to anybody. I advised my manager, and was told - just ignore it and ship the code please. I refused.
I was threatened with being fired, verbally assaulted, and challenged at the most trivial ways in everything I did after that.
Jokes on him now. I work from home in my dream job, doing what I love, with a manager who actually gives a rats ass about my concerns.
Moral of the story here - you don't have to agree with your subordinates , but you do need to validate their concerns.4
Everybody when a forced update is released: "I hate forced updates!! They can't force me to do shit!!"
Everybody when a massive ransomware attack happens: "You should've updated when the update came out, so you aren't vulnerable!"
If they made the fix for the WannaCry vulnerability forced, the attack wouldn't have been as big as it was.
Confession: I wish they made more forced updates :/
Also, I'll probably get a lot of hate about this...2
WordPress File Delete to Code Execution
The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched.
Trustico CEO emailed private key which is used to sign TLS certificates, making more than 23k certificates compromised!
This makes me think, that we should not trust others for our security (like ca), failure of CA can put our website at risk. What is the better way to do it?
Well for starters the website that gave you assignments on security of web applications shouldn't have an SQL injection vulnerability on the login page.
Next would be the method of teaching, they would skip what not to do and go straight to what you should do. This in turn causes people to use the exec command in php that actually takes a POST parameter.
And stop allowing teachers to be lazy fucks that don't explain shit and only give you assignments.
And finally when telling the teacher that a method he uses would cause another vulnerability the teacher should properly fix this issue not say it is for an "advanced course".
Yes I am pissed
Today I found a vulnerability in an local agency website. It's one of the famous and biggest that if I would applied they wouldn't even look at my cv. Long story short, I managed to login to their admin dashboard and sent a screenshot of it as a twitter mention to them. All they did was to like the tweet while I had the chance to fuck up the website.6
The company I work in recently made a subdomain where you need to figure out how to hack the page using a vulnerability they subtly put there. If u are successful u get an interview. I looked it over for fun and was able to do it. But since i already work there i was thinking of telling a friend id love to join us but was rejected a month ago when they interviewed him about how i did it so he can apply maybe they give him another chance. do you think I should do that?
Note that i referred him last month and hes a fresh grad with not much experience4
This from a conference speaker:
"The most common Windows and Linux vulnerability is pictures on Facebook. It downloads the pictures and executes embedded code."
IBM cultists are insane.17
I've always considered myself a stalwart proponent of strong, effective security. But I'll be damned if my company's security policy isn't choking it's developers out.
It's like whenever a developer requirement and potential security vulnerability meet, the company doubles down on the security side, ignores their dev's needs entirely, and then takes a privilege away just to punish us for having the audacity to try and do our God damn jobs.6
You must've heard of recent unfamous CVE-2019-5736 vulnerability. This morning one of my hosting providers forcefully updated k8s version because of that. They also provide terraform module for k8s, which has "version" field required.
So during regular CI/CD process, TF decided it wants to recreate all existing clusters on that provider, basically wiping out everything there is.
No dataloss or operations disruption was registered, but a day was ruined. Guess nobody to blame except me.2
USB ports are such a vulnerability.
Using a device as cheap as a Teensy you can easily execute whatever malicious software you'd like on a person's computer.4
If only NPM' security team (so pretty much NSP's) would inform the package owners as soon as they discover vulnerabilities and give them the standard 30-90 days to fix them and release a new version before going public, instead of straight out publishing the security audits which generates noise on the terminal (obviously when using npm) and on Github
If you discovered a vulnerability affecting multiple of the big dogs, would file a cve and report it immediately or have some *fun* first?
Gaining root in Macs by not using a password, a vulnerability in HomeKit devices allowing unauthorized remote access.
Next you tell me FaceID isn't as secure as you want me to believe.
For one of my exams, from a couple of meager code snippets and hints, without any prior domain knowledge, we had to find and carefully describe a vulnerability, as well as suggest a fix.
Well, I wouldn't complain, but what the actual fuck, it turns out that we had to come up with and "carefully describe" this whole shit: https://googleprojectzero.blogspot.co.uk/...
No, we did not study it in class, nor have seen it before in the recommended reading or provided links. Also, according to the point distribution, we only had 20 minutes for this part.
I don't usually complain about stuff and take it my lack of preparation or something, but fuck all now. I never want to look at another security-related piece of code ever again.
iOS 11 have a vulnerability allowing attacker to bypass your lock screen and brick your phone via prepared “dev profile”. Do not download any utrusted stuff untill official fix ;)7
I want to know if there is possibility to find a vulnerability on a .jar file.
I tried to install Kali on VM (for now) and tried to use metasploit but I found that it attacks the inter system on a indicated ip address.
There are many application or video (and so on) for my problem?
This .jar file is an application and I want to do pentesting...
Sorry for my poor english but it isn't my native language.
I'm new in pentesting wolrd 🤣8
How to discover and exploit vulnerabiliy in program or IoT firmware?C++, asm, writing zero-days, i have always been amazed by that. Art.1
Hey ... Is it possible to figure out the clients path (f.e. C:\Users\...) to a file he uploaded to a website on the server side?
My boss thinks it could be done and wants me to programm it. But I think we'd need a zero day vulnerability in a specific (and probably very old) browser to do something like that... That would be a huge security issue...
What do you think?15
Since I started my routine of checking bug logs every morning, I've had 2 instances where a website vulnerability scanner was run against a production website and generated over 2,000 Coldfusion errors.
At the time, I was super nervous about the apparent hack attempt, and hyped that the attackers never actually got in. It's nice to know that despite the various errors indicating vulnerable / breakable code, they were ultimately unsuccessful. I know now that a determined attacker could probably have wrecked our production websites. Since then I've made a ton of security-related updates and I'm actually thankful for the script kiddie getting my attention with that scan.
PS. We're now building a website for a local security company who is going to work with us to pen test the site when it's finished! Gulp.4
Target #1 - Aim to further develop my university security project (A python based vulnerability scanner), and move this over to GitHub.
Target #2 - Aim for reaching ten contributions on open source projects and start building up my developer profile pre-graduation in September!
So I discovered a Microsoft Exchange vulnerability due to settings at company well doing a project. Would you classify it resume worthy for a software developer?
When the pen testers find a "vulnerability" and say it would be very difficult for someone to exploit it. Yeah, in that case they might as well say if you solve p vs np you can break it but it would be very difficult.
I recently recommended that we fix a gap in the current CSRF implementation.
I’m asked by a fucking business guy that if we haven’t seen an issue till now, why is this a priority?
Should I demo the vulnerability? Why can’t they fucking trust the people that they hire? It’s not like I wanna do it for some selfish motive.
Finally I finished the exams, now I have to write my thesis. An agency who wants remain anonymous at the moment told my supervisor to choose a student who will works out on the ransomware argument. The relator was a little bit scared about consequences but I'm pressing to write a controlled ransomware in a closed network brtween virtual machines. What qualities a good ransomware should has?
Mutable structure to avoid antivirus detection? Good exploits and vulnerability scanners to make itself viral? The payload should stay in the code or should be downloaded from a server? I need some reference on analysis of vx codes, any help?
I attempted on national competition in an IT field, where there were tens of great projects (in other fields as well, like chemistry and so..). We had to push everything to their portal, so they can study it in advance. While pushing the docs, I found that there were SQL injections that allowed me to list everyone's rating and to download every single doc / additional sources.
Worst part is, that even after I reported vulnerability, they obviously didn't had time to fix it.
"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4"
Let's see how this unfolds. While there is chaos I trink some tea and laugh, because I never send critical information over e-mail. 🧐🍵4
Somebody forgot to correctly match the external url on login success and failure, now google may use my cookies for the better good.
Great feeling when the pen testers couldn't find the "unfixable" vulnerability your new feature created, and you go on holiday soon.
Which one comes first? vulnerability or threat? 🤔🤔 I would go with vulnerability how about you guys?5
Anyone use docker in production handling monies and hundreds accounts? In Django in my case but doesnt matter the framework. More concerned with security and stability moving from paas to docker based paas. Worried I'll move everything to docker and end up moving back to vms bc of some issues or some vulnerability.
Just discovered someone I told about a hack for the computers in school (nothing difficult just booting from a USB) had a link to C2K the company that provides the system and told them about it and now they've patched it up, so in a way, it's my first security vulnerability report, in another way, I can no longer play games and program in free
Tried out the node.js code demo in this book.
Terrible format, use tab for indentation, very very long function, redundant code (eg: new Buffer vulnerability)...
The major issue is none of the total.js nosql code works. Eg:
Without any asynchronous call, how do you expect this to work?!
Just fixed the code and updated npm modules for demos in Chapter 3 btw... Took way longer than expected.3
Recently there is a vulnerability bug related to some php page.
Here comes a super genius front end dev. Disables a apply button in that php page, which causes the feature unusable and said fix done.
Now I got another bug which needs to set some settings via that php page where apply button is disabled. Great job. U won.
Sometimes I'll block a code submission with the words security vulnerability", then go have a 10 minute break to see if the others can spot it on their own.