Why Changing eBay Passwords Won’t Protect You

Password Change Not Enough

Just days after eBay told everyone to change their passwords because its database was breached, new security issues have arisen. A new eBay password is not going to protect you from these problems, because hackers take advantage of any security holes they find.

eBay’s Security Breach

On Thursday eBay admitted that they had a massive security breach that affected 145 million users. eBay urged their millions of users to change passwords, but was that enough? Security professionals are saying eBay’s breach happened mainly because of their vulnerable infrastructure, not weak passwords.

eBay’s Worst Day

eBay’s day just went from bad to worse. Three security professionals have just reported three more critical security flaws in eBay’s website. These flaws leave all 145 million users open to hackers.

Hacker Uploaded PHP Shell on eBay Server

Security researcher Jordan Jones tweeted that he had already reported the critical flaw to eBay, along with a proof-of-concept screenshot showing that he had successfully uploaded a ‘shell.php’ file, a PHP script that allows the attacker to control the server. It is essentially a backdoor program.

In a blog post, Jordan also reported a cross-site scripting vulnerability in the eBay Research Labs page (labs.ebay.com).

Persistent XSS Vulnerability on eBay

Michael E., another security researcher from Germany, reported to The Hacker News that he found a Persistent Cross-Site Scripting (XSS) vulnerability on eBay’s auction pages that allowed him to inject arbitrary HTML and JavaScript code into the eBay website.

Each time a user visits an infected auction page created by the attacker, the reported persistent XSS vulnerability executes the unauthorized JavaScript code in the user’s browser, with a payload that steals the account cookies in an effort to hijack the user’s account.

Cookie Re-use Vulnerability

In a separate experiment The Hacker News discovered that eBay accepts the same login cookies again and again, even if users have logged out or changed their passwords.

This means that by using Michael’s persistent XSS vulnerability, one can steal eBay users’ account cookies and gain unauthorized access to the respective accounts without knowing the users’ previous or updated passwords.
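The cookie re-use behaviour described above, next to a server-side design that prevents it, as an added example that is not eBay's code. How eBay actually implemented its sessions is not stated here; both classes, their names and the user "alice" are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

KEY = secrets.token_bytes(32)  # constructed signing key for this demo

def _sign(payload):
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()

class ReusableCookieAuth:
    """Flawed: a cookie is accepted whenever its signature verifies; nothing revokes it."""
    def login(self, user):
        return f"{user}.{_sign(user)}"
    def logout(self, cookie):
        pass  # the browser copy is cleared, but the server has no record to delete
    def change_password(self, user):
        pass  # the password changes, cookies that were already issued do not
    def authenticate(self, cookie):
        user, _, sig = cookie.rpartition(".")
        return user if hmac.compare_digest(sig.encode(), _sign(user).encode()) else None

class RevocableSessionAuth:
    """Hardened: random token, server-side session record, per-user credential epoch."""
    def __init__(self, ttl=3600):
        self.sessions, self.epoch, self.ttl = {}, {}, ttl
    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token
    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[self._key(token)] = (user, self.epoch.get(user, 0), time.time() + self.ttl)
        return token
    def logout(self, token):
        self.sessions.pop(self._key(token), None)  # revoke this session on the server
    def change_password(self, user):
        self.epoch[user] = self.epoch.get(user, 0) + 1  # invalidates every older session
    def authenticate(self, token):
        user, epoch, expires = self.sessions.get(self._key(token), (None, -1, 0))
        if user is None or time.time() >= expires or epoch != self.epoch.get(user, 0):
            self.sessions.pop(self._key(token), None)
            return None
        return user

def captured_cookie_survives(auth, event):
    """True if a cookie issued before `event` is still accepted afterwards."""
    cookie = auth.login("alice")
    if event == "logout":
        auth.logout(cookie)
    else:
        auth.change_password("alice")
    return auth.authenticate(cookie) is not None  # replay of the earlier cookie
```

With the first class the earlier cookie is accepted after both events; with the second it is rejected after either one, while a login made after the password change still works.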

eBay #Fail

Get it together eBay, I have accounts on your site!

Thanks to The Hacker News for the updates!

Apple iCloud and Activation Hacked

Hackers can Unlock iPhones

A Dutch-Moroccan team of hackers calling itself “Team DoulCi” reportedly claims to have hacked a protective feature of Apple’s iCloud system, which could allow an attacker to remove security measures on lost or stolen iPhone devices.

According to a report from Dutch news organization De Telegraaf, the hackers purchased locked iPhone devices for $50 to $150 each and then bypassed Apple’s iCloud activation lock through a serious security vulnerability Apple has failed to patch with its most recent updates.

The critical vulnerability in Apple’s iCloud allowed them to unlock stolen iPhones in an instant, which could then be sold for a large profit on the black market. This is the first time any hacker group has managed to compromise Apple’s highly secured iCloud service.

About iCloud

iCloud is a cloud storage and cloud computing service that Apple Inc. has provided to its users since October 2011, with more than 320 million users across the world. The service allows users to store and back up data such as music, photos, applications, documents, bookmarks, reminders, backups, notes, iBooks, and contacts, and provides a platform for Apple’s email servers and calendars.

The Dutch hacker, who goes by the name AquaXetine, and the Moroccan hacker, who goes by the name Merruktechnolog, claim to have unlocked more than 30,000 stolen iPhone devices in the last few days.

Old Form of Attack Used

In order to unlock those locked iPhones, the hackers used a Man-in-the-Middle attack and tricked the iPhone apps into connecting to their server, which masquerades as the actual Apple server used to activate Apple devices. Once a device is connected to the hackers’ server, the server instructs it to unlock.

Security experts believe that with this vulnerability the hackers could do much more than just unlock stolen devices. They believe it might be possible for the hackers to instruct the devices to read iMessages and even pull information, including Apple ID credentials.

5,700 Devices Hacked in 5 Minutes

It took the hackers five months to breach Apple’s iCloud system. Yesterday a Twitter account that may be linked to the same ‘Doulci hacker’ group posted a tweet claiming that the group has “processed” more than 5,700 Apple devices in just five minutes using the hack.

Apple Knew About Flaw

With good intentions and just to be on the safe side, the group reportedly contacted Apple about this vulnerability back in March, but Apple never responded and remained silent on the matter, which prompted the hackers to go public with the disclosure. The hackers say they finally decided to approach the Dutch media because Apple has not yet admitted publicly that its system has been compromised.

The pair of hackers are offering unlocking services via the doulCi.nl website, according to information found on their website. doulCi is the world’s first Alternative iCloud Server, and the world’s first iCloud Activation Bypass.

Thanks to “The Hacker News” for story.

Microsoft Outlook App for Android has Security Issue

If you have an account with Microsoft’s popular free email service Outlook.com and are using the Outlook app for Android, then there is bad news for you. The Microsoft Android app for Outlook.com gives users access to their Outlook emails on their Android devices but fails to provide security and encryption.

LOOPHOLES DISCOVERED

Researchers from the firm ‘Include Security’ claim to have found multiple vulnerabilities in Microsoft’s Outlook app for Android that leave users’ email data vulnerable to hackers and other malicious third-party apps.

  • By default, email attachments are stored in easily accessible folders on the Android filesystem
  • Email Database (Body, Subject) is stored locally in an unencrypted manner
  • App’s ‘Pin Code’ feature doesn’t protect or encrypt email data.

EMAIL ATTACHMENTS ARE ACCESSIBLE TO ANY OTHER APPS

Researchers at Include Security found that the Outlook app for Android automatically downloads email attachments to the ‘/sdcard/attachments’ folder on the file system, which can be accessed by any malicious application or by a person with physical access to the user’s device. “Phones nowadays come with preinstalled apps on them that could grab those emails,” they added.

UNENCRYPTED EMAIL DATABASE

The Outlook app maintains a local backup database of your emails on the device file system at the “/data/data/com.outlook.Z7/” location, which can be accessed only if the device is rooted; for non-rooted Android devices, the Android Debug Bridge (adb) tool can extract it.

In this folder, the app stores a database file called ‘email.db’, which keeps a backup of your every email, but in unencrypted form, i.e. once an attacker is able to grab this file, he can access all of your emails and sensitive data in plain text using the sqlite3 utility.

PINCODE CAN’T PROTECT YOU

Microsoft implemented a unique protection mechanism in its Outlook app that nobody else provides. It is the PINCODE feature (application lock), which is intended to add extra protection in case your device falls into the wrong hands.

But unfortunately this feature also fails to protect users’ data from the two flaws listed above, because it only locks the Graphical User Interface of the app, and does nothing to ensure the confidentiality of messages and attachments, which are themselves stored on the filesystem of the mobile device.
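A storage check an app reviewer could run against files pulled from a test device, covering both the attachment-location finding and the unencrypted-database finding; this is an added example, not Include Security's tooling. The schema, the attachment name invoice.pdf, the package com.example.mail and the file email.enc are constructed; only the two Outlook paths come from the report.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every unencrypted SQLite file
SHARED_STORAGE = ("/sdcard/", "/mnt/sdcard/", "/storage/emulated/")  # shared between apps

def audit_artifact(device_path, local_copy):
    """Findings for one app file: where it lived on the device, and whether
    the pulled copy opens without any key or PIN."""
    findings = []
    if device_path.startswith(SHARED_STORAGE):
        findings.append("stored on shared storage")
    with open(local_copy, "rb") as fh:
        header = fh.read(16)
    if header == SQLITE_MAGIC:
        conn = sqlite3.connect(Path(local_copy).as_uri() + "?mode=ro", uri=True)
        try:
            tables = [row[0] for row in conn.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        finally:
            conn.close()
        findings.append("plaintext SQLite, tables: " + ", ".join(tables))
    return findings

def run_demo():
    """Build constructed stand-ins for the reported files and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "email.db")
        conn = sqlite3.connect(db)
        conn.execute("CREATE TABLE messages (subject TEXT, body TEXT)")  # constructed schema
        conn.execute("INSERT INTO messages VALUES ('constructed subject', 'constructed body')")
        conn.commit()
        conn.close()
        attachment = os.path.join(tmp, "invoice.pdf")
        sealed = os.path.join(tmp, "email.enc")
        for path in (attachment, sealed):
            with open(path, "wb") as fh:
                fh.write(os.urandom(4096))  # opaque bytes; `sealed` stands in for an encrypted store
        return {
            "db": audit_artifact("/data/data/com.outlook.Z7/email.db", db),
            "attachment": audit_artifact("/sdcard/attachments/invoice.pdf", attachment),
            "sealed": audit_artifact("/data/data/com.example.mail/email.enc", sealed),
        }
```

A file that is both app-private and encrypted at rest produces no findings, which is the state the PIN feature alone does not provide.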

Microsoft’s Response

“Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information.” Microsoft said in a statement to The Hacker News.

Credit to ‘The Hacker News’ for this information.

Hacker Update: Microsoft IE Browser Vulnerability

Microsoft confirmed yesterday that a new zero-day vulnerability exists in all versions of its Internet Explorer browser. The issue (CVE-2014-1776) is being used in targeted attacks by APT groups, but the currently active campaigns are targeting the IE9, IE10 and IE11 browsers.

According to the Microsoft advisory, the browsers are vulnerable to remote code execution. The flaw comes from the way that Internet Explorer accesses an item in memory that has been deleted or has not been properly allocated. Microsoft is working with security experts to fix the problem, but in the meantime don’t use Internet Explorer. Use Chrome, Firefox, or other browsers.

How it works

An attacker can trigger the zero-day exploit through a malicious webpage that you, or the targeted user, have to access with the IE browser. If the exploit is successful, the attacker gets to execute code within the browser with the same rights as the current user. This can give the attacker full use of a system and access to all its data.

Culprit: Adobe Flash Plugin

The exploit depends upon the execution of an Adobe Flash plugin SWF file that calls JavaScript to trigger the flaw. This allows the exploit to bypass the Windows protections (ASLR and DEP) that guard the target system. According to the advisory, there is currently no security patch for this flaw.

What are APT groups?

An Advanced Persistent Threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. The current forms of APT attacks are coming from groups of individuals that have shared agendas. Typically, the groups attack organizations that have valuable financial or security information.