Twitter fixed a bug that allowed a third-party app to read a user's direct messages without the user's consent. The bug affected apps that use a PIN to complete authorization instead of the OAuth token-based procedure.
Terence Eden discovered the Twitter bug and submitted it to Twitter through the HackerOne platform. He was awarded $2,940 for reporting it.
Twitter Bug Allows Unauthorized Access
Eden notes that Twitter API keys are freely available, which means an unapproved Twitter app can still use the Twitter API.
Twitter enforces some security restrictions on apps; the important one is the callback URL, which limits an app's access to predefined URLs.
But not every app has a URL or supports callbacks. Some apps instead use a secondary authorization flow that lets users log in by typing a PIN into the app, and this PIN-based flow does not display the correct OAuth information to the user.
“For some reason, Twitter’s OAuth screen says that these apps do not have access to Direct Messages. But they do! In short, users could be tricked into allowing access to their DMs,” reads Eden’s blog post.
Eden reported the bug to Twitter on 2018-11-06 and Twitter fixed the issue by 2018-12-06. Here you can find the proof-of-concept Python code.
Twitter responded: “We do not believe anyone was misled by the permissions that these applications had or that their data was unintentionally accessed by the Twitter for iPhone or Twitter for Google TV applications as those applications use other authentication flows. To our knowledge, there was not a breach of anyone’s information due to this issue. There are no actions people need to take at this time.”
Recently Facebook fixed and disclosed a new photo API bug that may have affected nearly 68 million users and 1,500 apps built by 876 developers.
Passwords are strings of characters used to verify the identity of a user; once passwords are extracted, they are a free, simple and viable way for unauthorized individuals to gain access to accounts.
After evaluating millions of passwords, SplashData determines the most common passwords used by Internet users during that year. The worst passwords are “123456” and “password”, which continue to hold the #1 and #2 spots respectively; such easily guessed passwords put users at substantial risk of being hacked.
A new password also debuted on this year’s list: “donald”, ranked 23rd. “Sorry, Mr. President, but this is not fake news – using your name or any common name as a password is a dangerous decision,” said Morgan Slain, CEO of SplashData, Inc. Every year SplashData evaluates millions of leaked passwords from data breaches to determine the weakest passwords.
According to SplashData, almost 10% of people have used one of the 25 worst passwords on this year’s list, and only 3% of people have used the worst password, “123456”. Here is the list of the top 25 passwords used in 2018 (the first 10 are shown):
1. 123456 (rank unchanged from last year)
2. 123456789 (up 3)
3. 12345678 (down 1)
4. 1234567 (up 1)
5. qwerty (down 5)
6. admin (down 1)
7. welcome (down 1)
8. football (down 7)
9. monkey (down 5)
10. qwerty123 (new)
“Our hope by publishing this list each year is to convince people to take steps to protect themselves online,” said Morgan Slain, CEO of SplashData, Inc.
Here is the video showing the worst 100 passwords of 2018.
Tips to Stay Safe
1. Use complex passwords and enforce a strong password policy.
2. Review your passwords regularly, use two-factor authentication (2FA) for vital sites such as account management and email, and make sure all your passwords are unique.
3. Change the manufacturer’s default password that devices are issued with before they are conveyed to the IT department.
4. Configure a password manager only for your less important websites and accounts.
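As an added example (not from SplashData or the article above), a small policy check that enforces tip 1 by rejecting the worst passwords the article lists, including trivial variants such as a different case or a trailing year, and then applying length and character-class rules. The blocklist is built from the entries shown on this page; the minimum length and class count are assumed policy values.

```python
import re

# Blocklist constructed from the passwords this article names (SplashData 2018).
WORST_2018 = {
    "123456", "123456789", "12345678", "1234567", "qwerty",
    "admin", "welcome", "football", "monkey", "qwerty123",
    "password", "donald",
}

# Assumed policy parameters, not SplashData's; adjust to your own policy.
MIN_LENGTH = 12
MIN_CLASSES = 3

def normalize(pw: str) -> str:
    """Lower-case and strip a trailing run of digits/punctuation so that
    'Qwerty2018!' is compared against the blocklist as 'qwerty'."""
    base = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)
    return stripped or base

def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if pw.lower() in WORST_2018 or normalize(pw) in WORST_2018:
        problems.append("blocklisted: matches a SplashData 2018 worst password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH}")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < MIN_CLASSES:
        problems.append(f"needs {MIN_CLASSES} character classes, has {classes}")
    if len(set(pw)) <= 2:
        problems.append("too few distinct characters")
    return problems

if __name__ == "__main__":
    for candidate in ("123456", "Qwerty2018!", "Correct-Horse-Battery-Staple9"):
        print(candidate, "->", check_password(candidate) or "OK")
```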
People who are used to trading in Bitcoin and Ethereum among other cryptocurrencies already know the lucrative opportunities that are available. Cryptocurrency is a popular opportunity in which almost everyone involved in trading is interested. According to reports, Bitcoin is now an accepted form of payment in many places including retail outlets.
However, trading in cryptocurrency calls for some measures to manage cryptocurrency and reduce the risk of loss. You must track your money and the portfolios that hold various transactions constantly.
Use a Reputable 3rd Party Agent
Sometimes, trading in cryptocurrency could prove to be an uphill task especially if you are a beginner. Therefore, you need to have a skilled expert on your side to help you make the right decision. A reputable 3rd party agent may have the best solution for you. Even if they do not have the best technology solution, they can recommend excellent tracking and cryptocurrency portfolio apps for you to use. Look at their websites and assess the possible solutions they are likely to offer you.
Get the Right Software and Apps
Cryptocurrency trading becomes easy and less risky when one identifies the best technology to use. Our interest is in tracking and managing the portfolio. It is important to note that there are numerous options, and all you need to know is which one best suits you. Some options use a lot of automation while others will require you to make most of the entries manually. The most important thing is that they can securely store your data and assist you in achieving your goals with ease.
Make All Entries
The best way to manage your trading portfolios and become a pro manager is to make all entries in time. Even though your tracking software or app may automate some data entries, most of them will have to be entered manually. However, it all depends on the activities that you have been doing. If you want to learn more about cryptocurrency and its management, you will find what you are looking for when you visit Trybe for the best guidance. It is important to mention that your entries will determine the reports that you get and the decisions that you make.
Researchers recently observed cyber criminals using weaponized memes to communicate with malware for various malicious operations.
Memes are nowadays used as a fast way to spread news, and this is now abused by cyber criminals to reach victims very effectively.
Attackers use steganography to embed the malicious payload inside an image so that it bypasses security solutions and compromises victims.
Similarly, last year attackers used two memes posted on Twitter that contained an embedded link pointing to the command & control server from which malware was dropped onto victims’ systems.
The currently observed campaign is delivered via a legitimate service, a popular social media service, where the attackers posted a meme that looks very benign.
Malware Infection Process
Initially, once a user is infected by the malware, it downloads malicious memes from a Twitter account to the victim’s machine.
Further analysis reveals that the memes contain a hidden “/print” command, which is extracted and instructs the malware to take a screenshot of the infected victim’s machine.
The malware then obtains its command & control server address from Pastebin and sends the collected screenshots of the victim’s machine to it.
Researchers also observed that the Pastebin URL points to an internal or private IP address, which is possibly a temporary placeholder used by the attackers.
The attackers parse the malicious memes from the Twitter account where the file was posted using a specific pattern. “” According to Trend Micro, two memes were posted containing commands that instruct the malware to perform various malicious operations, such as capturing screenshots and collecting system information, among others.
The following commands are used by the malware to retrieve information from the infected machine:
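As an added detection example (not code from Trend Micro or the article), a scanner for the simplest way a slash command such as “/print” can ride inside an image: bytes appended after the format’s end marker. The article does not say how the commands were embedded, so this assumes the appended-data case; the sample PNG bytes are constructed here and are not a real meme.

```python
import re

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xaeB`\x82"   # IEND chunk type + its fixed CRC
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# "/print" is the command the article names; any other slash-word in trailing
# data is flagged as well, since a well-formed image has no bytes past its end.
COMMAND_PATTERN = re.compile(rb"/[a-z]{3,12}\b")

def trailing_data(image: bytes) -> bytes:
    """Return whatever follows the image's end marker, or b'' if nothing does."""
    if image.startswith(PNG_SIGNATURE):
        idx = image.find(PNG_IEND)          # per spec, the first IEND ends the file
        return image[idx + len(PNG_IEND):] if idx != -1 else b""
    if image.startswith(JPEG_SOI):
        # Last EOI, because EXIF thumbnails carry their own SOI/EOI pair;
        # a payload that itself contains FF D9 would shorten what we see.
        idx = image.rfind(JPEG_EOI)
        return image[idx + len(JPEG_EOI):] if idx != -1 else b""
    return b""

def find_hidden_commands(image: bytes) -> list:
    """Return slash-style commands found in data appended after the image."""
    tail = trailing_data(image)
    return [m.group(0).decode("ascii") for m in COMMAND_PATTERN.finditer(tail)]

# Constructed samples (not real memes): a bare PNG skeleton, with and without
# the "/print" command appended after the IEND chunk.
CLEAN_PNG = PNG_SIGNATURE + b"\x00\x00\x00\x00" + PNG_IEND
MALICIOUS_PNG = CLEAN_PNG + b"/print"

if __name__ == "__main__":
    for name, data in (("clean", CLEAN_PNG), ("meme", MALICIOUS_PNG)):
        print(name, "->", find_hidden_commands(data) or "no trailing commands")
```

Any trailing data at all is worth alerting on; the command list only tells the analyst what was smuggled.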
Indicators of Compromise
Shipping signed copies of the "#hacker methodology #handbook " always feels so nice. Sending packages full of #infosec and #pentesting knowledge all over the world makes me happy.
Want a copy? Check it out at https://www.amazon.com/Hacker-Methodology-Handbook-Thomas-Bobeck/dp/1731258380/ref=mp_s_a_1_1?ie=UTF8&qid=1544914539&sr=8-1&pi=AC_SX236_SY340_FMwebp_QL65&keywords=hacker+methodology&dpPl=1&dpID=31Z3lgHzSKL&ref=plSrch
Pen test of the gel pens people comment on the most. I evaluated four criteria: pigmentation, smoothness, fast drying and price, bearing in mind that prices can vary from place to place; I listed the ones I found most often. Well, here is my opinion on each of them:
“Pilot G-2” - Glides very well on paper, the ink is well pigmented and dries quickly. However, the price ranges from R$9 to R$14, which does not make it very affordable.
“Pilot Pop’lol” - Also glides super well on paper, and the ink is also well pigmented, but it takes a bit longer to dry because it puts out a larger amount of ink; however, the price is more reasonable, ranging from R$6 to R$9.
“Pentel EnerGel” - Glides very well on paper, well pigmented, and the ink dries quickly. It is very similar to the “Pilot Pop’lol”, but its advantage is that it dries instantly. Its price ranges from R$9 to R$15.
“Uni-ball Signo” - Of the four, it is the one that takes longest to dry, because it has a very strong ink flow, but it is still well pigmented. Its writing is VERY smooth, but the price is not so reasonable, ranging from R$11 to R$18.
*Of the four, the ones I use most are the Pilot G-2 and the Pentel EnerGel. I think both offer the best value for money.
Well, that’s it! 😬😉🤘🏼
Old Faithful. I found this laptop in the trash a few years back. (Dumpster diving isn't just good for information gathering; sometimes you get some real gems.) It's a Lenovo T450 with an i5 and 8 GB of RAM; it also has a million cracks in the case that are stickered back together and a disc drive that falls out constantly. This was the first machine I ever loaded Kali up on, and boy was that a ride.
Always take opportunities that jump out in front of you like this old laptop did for me. It allowed me to start learning about the cyber world and explore something foreign to me. I now work in the field and have a drive to always get better and learn more and it all started with someone else's trash.
#Repost @gmaestres (@get_repost)
There are thousands of security threats to your PC, but there is one that is growing and positioning itself as one of the main threats for next year: fileless malware. This type of threat has no file backing it and runs in RAM.
This is an attack that practically hides behind our RAM, which means that if we turn off the computer the malware would be erased; but what happens when these cybercriminals attack corporate devices that must stay on 24 hours a day? This is why the success rate is so high when it comes to attacks on company systems, which handle information of greater value. Just as happened with ransomware, hackers have realized that it is more profitable to attack companies than users.
According to reports, fileless malware accounts for 35% of all attacks recorded in 2018, and it is estimated that it could reach 50% next year.
Because its behavior is difficult to detect and subsequently block and remove, this attack requires an antivirus as soon as possible to curb its unstoppable growth in 2019.
Are you using phpMyAdmin versions 4.0 through 4.8.3 to manage a MySQL database? Multiple vulnerabilities were found, such as CSRF and XSS. Time to upgrade to version 4.8.4 and do additional testing with the precog team: email@example.com. More info on the vulnerabilities: https://thehackernews.com/2018/12/phpmyadmin-security-update.html