Hacking Your Application May Be Easier Than You Think

I noticed a suspicious behavior on the weekly email from my coffee shop’s subscription; it was offering me to edit my preferences directly through a dedicated link. I was able to bypass the cookie and authentication token (no tricks) and was able to reach an account details panel changing password/account email, etc. Essentially the shop was exposed to severe authentication and authorization issues, leading to IDOR of PII (exposure of private identifiable information). On top of that, no CORS nor CSRF mitigations were in place, allowing me to create a malicious link leading to a one-click account takeover.

Disclaimer: I am not suggesting anyone do any testing without clear consent. I noticed a vulnerability as a happy customer of one of my favorite shops and was intrigued by how easily my account could be manipulated. From there it was curiosity that took me further to find the bugs. I tried to keep it to as few “offensive” actions as possible and reported everything in detail to the shop to help them mitigate the risks, offering my help.

How it all started

I have a subscription to one of the best coffee shops in London. I’m being sent a bag of freshly roasted beans once a week, along with an email suggesting I change the preferences of beans or delivery schedule.

I have used the link many times; when I wanted to skip a delivery or push it forward; it was a quick and easy way to access my account. No login barriers or interference - slick and easy customer experience.

For some reason, last week after updating my preference to an earlier shipment as I was out of coffee, I noticed something weird: accidentally removing one character of the link’s token did not matter. I was still able to view the contents of my preference, make changes and update my account.

#devops

What is GEEK

Buddha Community

Hacking Your Application May Be Easier Than You Think
Tech Hub

Tech Hub

1628430590

How to find WiFi Passwords using Python 2021|Hack WiFi Passwords|Python Script to find WiFi Password

Hack Wifi Passwords easily..

https://youtu.be/7MwTqm_-9Us

 

#wifi #python #passwords #wifipasswords #linux #coding #programming #hacking #hack

#wifi #hack #using #python #python #hacking

Einar  Hintz

Einar Hintz

1594638720

Smartwatch Hack Could Trick Dementia Patients into Overdosing

Attackers could hack the smartwatch and send dementia patients alerts for taking their medication.

Researchers are warning vulnerabilities in a smartwatch application for dementia patients could allow an attacker to convince patients to overdose.

The vulnerabilities stem from the SETracker application, which is developed by Chinese developer 3G Electronics (based out of Shenzhen City). The app, which is available on iOS and Android and has been downloaded over 10 million times, is used to power various third-party smartwatch devices. These smartwatches are utilized by elderly patients with dementia who need reminders for taking their medication and to carry out everyday tasks. The apps are also used by parents to track their children – expanding the impact of the security issues.

“Is this yet another cheap Chinese kids GPS watch story? No, this is much more than just kids watches. The SETracker platform supports, automotive trackers, including both car and motorcycle, often embedded in audio head units and dementia trackers for your elderly relatives,” said Vangelis Stykas, with Pen Test Partners, in a Thursday post. “The vulnerabilities discovered could allow control over ALL of these devices.”

Researchers discovered an unrestricted server-to-server application programming interface (API) behind the app that allowed them to carry out a number of malicious activities. Specifically, the API had no authentication required to send commands, other than the requirement of a semi-random string that was already hardcoded to the code. That means a remote, unauthenticated attacker could send commands freely as if they were on a “trusted” server, said researchers.

“This was trivial to discover, all we had to do was just read through the compiled javascript code in the node file to understand what the API was doing,” said Stykas. “With no API restrictions and knowing the API structure we could take over all the devices.”

This issue allows an attacker – who knows the device ID of the smartwatch – to make a device call for any phone number or send SMS with any text from the watch, spy on any smartwatch, or fake a message from a “parent” to the smartwatch or access its camera. Worse, an attacker could send a “TAKEPILLS” command to the smartwatch that uses the app, to remind a relative to take medication (even if the target already took his pills).

#hacks #iot #3g electronics #credentials #exposed password #hack #hacking #internet of things #mobile app #setracker #smartwatch

Ron  Cartwright

Ron Cartwright

1603526400

Researcher: I Hacked Trump’s Twitter by Guessing Password

Dutch ethical hacker Victor Gevers claims it only took five attempts to guess the password to President Donald Trump’s Twitter account — “maga2020!”.

That’s all he needed to hijack the @realdonaldtrump handle, according a report from Dutch newspaper de Volksrant, because it lacked even the most basic two-factor authentication (2FA), exposing major flaws in the digital security surrounding the President.

While Threatpost has not been able to independently verify the veracity of Gevers’ claim of the Oct. 16 hack of Trump’s Twitter, several professionals have analyzed screenshots and vouch for their authenticity, according to Dutch magazine Vrij Nederland, which added that Gevers works for the Dutch government by day and runs the ethical hacking GDI Foundation in his spare time — and so is well regarded within the country’s security community.

Twitter Safety & 2FA

Twitter, however, said it is dubious about the report.

“We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today,” a Twitter spokesperson said in a statement responding to Threatpost’s inquiries. “We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government.”

An announcement on Sept. 17 from Twitter Safety said the company was sending in-app notifications “requiring” or “strongly recommending” enhanced security measures, including a requirement for a strong password, to members of government and journalists in the run-up to the election.

The policy goes on to “strongly encourage” these accounts enable 2FA but does not say it’s a requirement.

2FA requires users have a one-time generated code, sent by email or text, which needs to be entered to login. This keeps bad actors from accessing the account even if they have the username and password.

Duty to Report

Gevers said that after he successfully hacked the president’s Twitter account he went to great lengths to report the vulnerability, sending emails, screenshots and social-media messages to various U.S. government entities through Twitter, Parler and other platforms, de Volkskrant reported. Days later, he found the 2FA to be in place and two days after that, he received a friendly email from the Secret Service thanking him.

While that didn’t do much to explain how it came to be that Trump didn’t have basic protections on his Twitter account, Gevers speculated to de Volkskrant that it has something to do with his age, adding, “…elderly people often switch off two-step verification because they find it too complicated.”

This isn’t the first time Gevers was reportedly able to commandeer the infamous Twitter handle. In 2016, he was part of a group of self-described “grumpy old hackers” who accessed Trump’s Twitter account by guessing the password “yourefired,” Vrij Nederland reported. The group tried to alert team Trump that, “he had his digital fly open,” with no response at the time, Vrij Nederland added.

Gevers told de Volkskrant that it was recent headlines about presidential candidate Joe Biden’s son, Hunter Biden being hacked that inspired him to start spot-checking accounts for U.S. political figures.

“Doing spot checks, that’s my work: Look for any leaks in security,” he said. When he got to Trump’s account, he tried a few variations, expecting to get locked out after the fourth failed attempt, instead he hit the jackpot on try number five, according to de Volkskrant.

Gever’s reaction, according to Vrij Nederland? “Not again!”

Election & Data Security

This report comes at a time when U.S. law-enforcement officials warn Russia and Iran are actively engaging in election interference through hacked voter-registration information.

Cybercriminals are “going after the minds of the American people and their trust in the democratic institutions that we use to select our leaders, “Matt Olney, director of Talos’ Threat Intelligence and Interdiction at Cisco told Threatpost this week.

The good news is that the public is getting smarter about information security.

“Everybody has a role in election security,” Olney explained. “And that includes the election community who have gone at that problem aggressively over the last four years; [and] the public, which has largely adopted a more skeptical eye towards information as it comes out, for better or worse.”

#breach #hacks #web security #2fa #dutch researcher #hack #password #trump #trump hack #twitter #two factor authentication #victor gevers #weak password

Gerhard  Brink

Gerhard Brink

1624006278

The Rising Value of Big Data in Application Monitoring

In an ecosystem that has become increasingly integrated with huge chunks of data and information traveling through the airwaves, Big Data has become irreplaceable for establishments.

From day-to-day business operations to detailed customer interactions, many ventures heavily invest in data sciences and data analysis  to find breakthroughs and marketable insights.

Plus, surviving in the current era, mandates taking informed decisions and surgical precision based on the projected forecast of current trends to retain profitability. Hence these days, data is revered as the most valuable resource.

According to a recent study by Sigma Computing , the world of Big Data is only projected to grow bigger, and by 2025 it is estimated that the global data-sphere will grow to reach 17.5 Zettabytes. FYI one Zettabyte is equal to 1 million Petabytes.

Moreover, the Big Data industry will be worth an estimate of $77 billion by 2023. Furthermore, the Banking sector generates unparalleled quantities of data, with the amount of data generated by the financial industry each second growing by 700% in 2021.

In light of this information, let’s take a quick look at some of the ways application monitoring can use Big Data, along with its growing importance and impact.

#ai in business #ai application #application monitoring #big data #the rising value of big data in application monitoring #application monitoring

Fannie  Zemlak

Fannie Zemlak

1603058400

How to Hack WhatsApp Chats

If you’ve come across this article, you probably need to read somebody’s messages on WhatsApp or view shared media files. In this article, you’ll find the best 7 ways to hack WhatsApp chats. I recommend you to look through all of them and choose the one that meets your technical skills and monitoring needs.

_DISCLAIMER: The article is intended to be used and must be used for informational purposes only. _

1. Hack WhatsApp by syncing the web version with the device via the QR code.

The main WhatsApp vulnerability is the web version of the service known as WhatsApp Web. To access the target’s account, all you need to do is to accurately configure WhatsApp analog in the web browser and, further, use the captured data for your own purpose. The only con of this hacking method is a requirement of physical access to the target smartphone. However, it’s necessary only for a moment.

To hack WhatsApp, do the following:

1. Decide how you are going to read the target’s chats: from your PC or smartphone.

2. If you want to access the messages from your desktop, simply open the web version of the website and enable the “keep me logged in” option.

3. If you want to view WhatsApp chats on your smartphone: install a special app on your smartphone allowing you to launch the web version. Go to Play Market, enter “WhatsWeb” in the search, find the app, and install it.

4. The most challenging step. Access the target device. If the device is password-protected, this would be rather difficult :)

WARNING! The target device must be online otherwise you’ll fail to hack the messenger and read WhatsApp chats.

#whatsapp #whatsapp-web-hacks #hacking #spyware #spy-apps #hacks #security #hackernoon-top-story