Ebay: From CSRF to Full Takeover Account of any user
After the eBay data breach I started looking for the bug that the attackers may have exploited to steal the credentials of more than 100 million eBay user accounts, so I focused my attention on eBay's account recovery procedures. If you are already an eBay user, you can reset the password of your account through three procedures:
1) Email address: an email containing a reset link is sent to the registered email address
2) SMS: an SMS containing a 4-digit PIN is sent by eBay to the registered phone number
3) Phone call: eBay makes a phone call to reset the password of the user's account. Read more: “Ebay: From CSRF to Full Takeover Account of any user”
Google: From Privilege Escalation Vulnerability to Full Takeover Account
In this write-up I'll explain how I was able to reset the password of, and gain full access to, any Google account that does not have a security question enabled.
This is the bug report I sent to the Google Security Team.
I've found a huge bug in Gmail. I've found a way to gain full access to a Gmail account with no victim interaction. This bug can be exploited if the victim has not set a security question. Read more: “Google: From Privilege Escalation Vulnerability to Full Takeover Account”
Yahoo! SSRF/XSPA Vulnerability
Before describing how I found this bug, I would like to introduce the SSRF/XSPA vulnerability.
An application is vulnerable to Cross Site Port Attacks (XSPA) if it processes user-supplied URLs without restricting which destinations it will request, and does not verify or sanitize the backend response received from remote servers before sending it back to the client. An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet-facing servers, intranet devices and the web server itself, using the advertised functionality of the vulnerable application. The responses, in certain cases, can be studied to identify service availability (port status, banners, etc.) and even fetch data from remote services in unconventional ways. XSPA allows attackers to target the server Read more: “Yahoo! SSRF/XSPA Vulnerability”
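The pattern described above, as an added example that is not part of the original write-up: a URL-fetching feature that proxies whatever target the user supplies, next to a hardened validator that restricts scheme and port (so the feature cannot be used to probe 22, 3306 and so on) and checks every resolved address against loopback, private, link-local and other non-public ranges. The hostnames and the resolver table are constructed so the code runs offline; a real deployment would resolve with socket.getaddrinfo and check each returned address, and would re-validate every redirect rather than following it automatically.

```python
"""Added example (not from the original write-up): SSRF/XSPA-vulnerable
target handling next to a hardened outbound-URL validator."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed resolver table so the example runs offline (hostnames are
# hypothetical). A real implementation would call socket.getaddrinfo.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    # one public address plus a loopback one: a rebinding-style trick that
    # only a check of *every* resolved address will catch
    "evil.example.net": ["93.184.216.34", "127.0.0.1"],
    "metadata": ["169.254.169.254"],
}


def resolve(host):
    """Return the addresses for host: IP literals pass through, names use FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"unresolvable host: {host}")


def vulnerable_target(url):
    """Vulnerable behaviour: the application would connect to exactly this
    (host, port) taken from the user's URL. http://127.0.0.1:22/ or
    http://10.0.0.5:3306/ therefore turn the feature into a port scanner:
    the response body, error text or latency reveals whether the port is open."""
    p = urlparse(url)
    return (p.hostname, p.port or (443 if p.scheme == "https" else 80))


def is_public_address(ip):
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_reserved or a.is_multicast or a.is_unspecified)


def validate_outbound_url(url):
    """Hardened: return (ok, reason). Scheme and port must be on the allow-list,
    no credentials may be embedded, and every address the host resolves to
    must be public. The caller must apply this again to every redirect."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not p.hostname:
        return False, "missing host"
    try:
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    if p.username or p.password:
        return False, "credentials in URL"
    try:
        addrs = resolve(p.hostname)
    except socket.gaierror:
        return False, "unresolvable host"
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for u in ["http://images.example.com/a.png", "http://127.0.0.1:22/",
              "http://metadata/latest/meta-data/", "http://evil.example.net/"]:
        print(u, "->", vulnerable_target(u), validate_outbound_url(u))
```

Note that blocking only literal IPs is not enough: the `evil.example.net` entry resolves to a public address and a loopback one, and the cloud metadata hostname resolves to a link-local address, so the check has to run on what the name resolves to, not on the string the user typed.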
Yahoo! Unrestricted File Upload Vulnerability
Hi all,
In this write-up I'll explain how I found an unrestricted file upload vulnerability in https://reports-as.web.analytics.yahoo.com/
This is the PoC I sent to Yahoo! Security.
These are the steps to reproduce the issue:
1) Log in at yahoo.com Read more: “Yahoo! Unrestricted File Upload Vulnerability”
PayPal Merchant Launch Site: Authentication Bypass Vulnerability
While most applications require authentication to gain access to private information or to execute tasks, not every authentication method provides adequate security. Negligence, ignorance, or simple underestimation of security threats often result in authentication schemes that can be bypassed by skipping the login page altogether and directly requesting an internal page that is supposed to be reachable only after authentication has been performed. Read more: “PayPal Merchant Launch Site: Authentication Bypass Vulnerability”
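The bypass described above, as an added example that is not the original post's code: a toy request router in which authentication is enforced page by page (opt-in), so the one internal page the developer forgot to wire up is served to an anonymous request that never touched the login page, next to a router that enforces the check centrally and denies by default. Paths, page names and the session store are constructed for the example.

```python
"""Added example (not from the original post): opt-in per-page authentication
versus a deny-by-default authentication gate."""

# Constructed session store: cookie value -> user name
SESSIONS = {"tok-alice-1": "alice"}

# Only these paths may be requested without a session in the hardened router.
PUBLIC_PATHS = {"/login", "/forgot-password", "/static/logo.png"}


def page_login(user):
    return "login form"


def page_dashboard(user):
    return f"dashboard for {user}"


def page_merchant_settings(user):
    return f"settings for {user}"


ROUTES = {
    "/login": page_login,
    "/dashboard": page_dashboard,
    "/merchant/settings": page_merchant_settings,  # the "internal" page
}


def current_user(request):
    """Look the session cookie up; None means anonymous."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def vulnerable_dispatch(request):
    """Vulnerable: authentication is an opt-in check inside the routing logic.
    /dashboard redirects anonymous users to /login, but /merchant/settings was
    never added to the check, so a direct request returns private content."""
    path = request["path"]
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    user = current_user(request)
    if path == "/dashboard" and user is None:  # the only protected page
        return 302, "/login"
    return 200, handler(user)


def hardened_dispatch(request):
    """Hardened: every path outside the explicit public allow-list requires a
    valid session before the handler is even looked up, so a forgotten page
    is denied rather than exposed (and unknown paths are not enumerable)."""
    path = request["path"]
    user = current_user(request)
    if path not in PUBLIC_PATHS and user is None:
        return 302, "/login"
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return 200, handler(user)


def bypass_demo():
    """Request the internal page with no cookie through both routers."""
    anonymous = {"path": "/merchant/settings", "cookies": {}}
    return vulnerable_dispatch(anonymous), hardened_dispatch(anonymous)


if __name__ == "__main__":
    print(bypass_demo())
```

The fix is structural rather than a one-line patch: the check moves out of the individual pages into a single gate that every request passes through, so adding a new page cannot silently create a new bypass.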
WhatsApp: LFD Vulnerability
Before describing the issue I found on WhatsApp, I want to introduce the LFD vulnerability.
A Local File Disclosure vulnerability allows an attacker to read the contents of files on the server and obtain sensitive information such as FTP or MySQL credentials, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs because user-supplied input is used to build a file path without proper validation.
This can lead to something as simple as outputting the contents of the file, but depending on the severity it can also lead to: Read more: “WhatsApp: LFD Vulnerability”
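The dynamic-inclusion mistake described above, as an added example that is not from the original write-up: a page loader that joins user input onto a template directory (so `../config.php` climbs out of it and an absolute path discards the directory entirely), next to a version that resolves the real path, requires it to stay inside the template directory, and checks the expected file type. The directory layout and the “secret” file are constructed in a temporary directory so the example runs offline; the application framework is assumed to have already URL-decoded the parameter.

```python
"""Added example (not from the original write-up): a path-traversal LFD
in a template loader, next to a containment-checked loader."""
import os
import tempfile

# Constructed layout: ROOT/templates/home.html is meant to be includable,
# ROOT/config.php (a stand-in for a credentials file) is not.
ROOT = tempfile.mkdtemp()
TEMPLATES = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATES)
with open(os.path.join(TEMPLATES, "home.html"), "w") as f:
    f.write("<h1>home</h1>")
with open(os.path.join(ROOT, "config.php"), "w") as f:
    f.write("$db_pass = 'constructed-secret';")  # constructed, not a real secret


def vulnerable_include(page):
    """Vulnerable: the user controls the tail of the path. '../config.php'
    walks out of TEMPLATES; an absolute page such as '/etc/passwd' makes
    os.path.join drop TEMPLATES altogether."""
    path = os.path.join(TEMPLATES, page)
    with open(path) as f:
        return f.read()


def safe_include(page):
    """Hardened: canonicalise both the base directory and the requested path
    (realpath follows symlinks and collapses '..'), require the result to stay
    inside the base, and require the expected file type."""
    if "\0" in page:
        raise ValueError("invalid character")
    base = os.path.realpath(TEMPLATES)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes template directory")
    if not target.endswith(".html"):
        raise ValueError("unexpected file type")
    with open(target) as f:
        return f.read()


def safe_include_or_reason(page):
    """Convenience wrapper returning ('ok', content) or ('rejected', reason)."""
    try:
        return "ok", safe_include(page)
    except ValueError as e:
        return "rejected", str(e)


if __name__ == "__main__":
    print(vulnerable_include("home.html"))
    print(vulnerable_include("../config.php"))       # the disclosure
    print(safe_include_or_reason("../config.php"))   # rejected
```

Checking for the literal string `..` is not a substitute for the containment check: encoded, doubled or symlinked variants get past a string filter, while `realpath` plus `commonpath` decides on the file the operating system would actually open. An allow-list of page names is stricter still where the set of includable files is fixed.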
AT&T: From CSRF to Full Takeover Account of any user
This is the PoC I sent to AT&T.
I've found a CSRF bug that may lead to full account takeover of an M2X AT&T user account.
These are the steps to reproduce the issue:
1) Log in at https://m2x.att.com/login Read more: “AT&T: From CSRF to Full Takeover Account of any user”
Facebook’s Parse OAuth2 Bug
In this post I'm going to show how I was able to hack into Parse accounts via an OAuth vulnerability.
You can sign in to Parse by entering your email and password or by signing in with your Facebook account. Read more: “Facebook’s Parse OAuth2 Bug”